AWS Notes

Channel address: @aws_notes
Category: Technology
Language: Russian
Subscribers: 3.54K
Channel description:

AWS Notes — Amazon Web Services Educational and Information Channel
Chat: https://t.me/aws_notes_chat
Contacts: @apple_rom, https://www.linkedin.com/in/roman-siewko/


Latest messages 11

2022-01-28 15:36:00
Python While Loop.
1.3K views, Roman Sevko, 12:36
2022-01-28 15:28:46
https://anchor.fm/aws-na-russkom/episodes/005------Amazon-S3-e1dhtou
1.0K views, Rinat Uzbekov, 12:28
2022-01-28 11:25:25
S3 console — generating a presigned URL:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html#ShareObjectPreSignedURLConsole

The credentials that you can use to create a presigned URL include:

IAM instance profile: Valid up to 6 hours

STS: Valid up to 36 hours when signed with permanent credentials, such as the credentials of the AWS account root user or an IAM user

IAM user: Valid up to 7 days when using AWS Signature Version 4

#S3 #AWS_Console
1.1K views, TelepostBot, 08:25
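
Added example (not part of the original post or the AWS documentation): a small auditor that parses a SigV4 presigned URL and caps its lifetime by the limits listed in the post above. The function name, the `credential_source` labels and the sample URL are assumptions constructed for illustration; the URL alone does not show whether session credentials came from an instance profile or from STS, so the caller supplies that.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Upper bounds quoted in the post above, in seconds (labels are hypothetical).
MAX_LIFETIME = {"instance_profile": 6 * 3600, "sts": 36 * 3600, "iam_user": 7 * 86400}

# Constructed sample: placeholder bucket, key id, token and signature.
SAMPLE_URL = (
    "https://example-bucket.s3.us-east-1.amazonaws.com/report.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=ASIAEXAMPLEKEYID0000%2F20220128%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20220128T080000Z&X-Amz-Expires=604800"
    "&X-Amz-SignedHeaders=host&X-Amz-Security-Token=CONSTRUCTED"
    "&X-Amz-Signature=" + "0" * 64
)


def audit_presigned_url(url, credential_source, now):
    """Parse a SigV4 presigned URL and report how long it can stay valid at most."""
    query = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if query.get("x-amz-algorithm") != "AWS4-HMAC-SHA256":
        raise ValueError("not a Signature Version 4 presigned URL")
    signed_at = datetime.strptime(query["x-amz-date"], "%Y%m%dT%H%M%SZ").replace(
        tzinfo=timezone.utc)
    requested = int(query["x-amz-expires"])
    limit = MAX_LIFETIME[credential_source]
    # A session token in the query string means temporary credentials signed the URL.
    temporary = "x-amz-security-token" in query
    findings = []
    if requested > limit:
        findings.append(f"X-Amz-Expires={requested}s exceeds the {limit}s bound for {credential_source}")
    # iam_user implies no session token; the other two sources imply one.
    if temporary == (credential_source == "iam_user"):
        findings.append("credential_source does not match presence of X-Amz-Security-Token")
    latest_expiry = signed_at + timedelta(seconds=min(requested, limit))
    return {
        "access_key_id": query["x-amz-credential"].split("/", 1)[0],
        "temporary_credentials": temporary,
        "latest_expiry": latest_expiry,
        "may_still_be_valid": now < latest_expiry,
        "findings": findings,
    }


if __name__ == "__main__":
    now = datetime(2022, 1, 28, 15, 0, tzinfo=timezone.utc)
    print(audit_presigned_url(SAMPLE_URL, "instance_profile", now))
```

With temporary credentials the URL also stops working as soon as the session token itself expires, so `latest_expiry` is an upper bound rather than a guarantee.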
2022-01-27 20:45:54
Gitlab Runner on EC2

https://aws.amazon.com/blogs/devops/deploy-and-manage-gitlab-runners-on-amazon-ec2/

This article demonstrated how to utilize IaC to efficiently conduct various administrative tasks associated with a Gitlab Runner.
We deployed Gitlab Runner consistently and quickly across multiple accounts.
We utilized IaC to enforce guardrails and best practices, such as tracking Gitlab Runner configuration changes, terminating the Gitlab Runner gracefully, and autoscaling the Gitlab Runner to ensure best performance and minimum cost.

#Gitlab
1.2K views, TelepostBot, 17:45
2022-01-26 10:41:43
EFS Replication:

https://aws.amazon.com/blogs/aws/new-replication-for-amazon-elastic-file-system-efs/

Once configured, replication begins immediately. All replication traffic stays on the AWS global backbone, and most changes are replicated within a minute, with an overall Recovery Point Objective (RPO) of 15 minutes for most file systems. Replication does not consume any burst credits and it does not count against the provisioned throughput of the file system.

EFS tracks modifications to the blocks (currently 4 MB) that are used to store files and metadata, and replicates the changes at a rate of up to 300 MB per second. Because replication is block-based, it is not crash-consistent; if you need crash-consistency you may want to take a look at AWS Backup.

You pay the usual storage fees for the original and replica file systems and any applicable cross-region or intra-region data transfer charges.

#EFS
751 views, TelepostBot, 07:41
2022-01-25 14:55:58
Zero-day vulnerabilities in AWS CloudFormation and AWS Glue.

In mid-January, Orca Security (an Israeli cloud cybersecurity startup with a development office in Minsk) published reports on two critical vulnerabilities it had found in AWS infrastructure:

1. Ability to gain control plane access to a CloudFormation host and retrieve its AWS credentials:
https://orca.security/resources/blog/aws-cloudformation-vulnerability/

2. Cross-account access via AWS Glue:
https://orca.security/resources/blog/aws-glue-vulnerability/

Both vulnerabilities were fully remediated within a few days of being reported.

Security Bulletins were published later:
https://aws.amazon.com/security/security-bulletins/AWS-2022-001/
https://aws.amazon.com/security/security-bulletins/AWS-2022-002/
269 views, Roman Sevko, 11:55
2022-01-25 10:55:49
https://sysdig.com/blog/exploit-mitigate-aws-lambdas-mitre/
688 views, Alexey Stekov, 07:55
2022-01-24 22:05:57
Build an observability solution using managed AWS services and the OpenTelemetry standard:

https://aws.amazon.com/blogs/mt/build-an-observability-solution-using-managed-aws-services-and-the-opentelemetry-standard/

We centralized the metrics, traces, and logs collected from workloads running in various AWS accounts using:
ADOT (AWS Distro for OpenTelemetry)
Amazon Managed Grafana
Amazon Managed Service for Prometheus
Amazon OpenSearch Service.
To visualize these metrics, traces, logs, and to show correlation, we set up:
OpenSearch dashboard
Grafana workspace with Amazon Managed Grafana.
This provided us with a native integration with Amazon Managed Service for Prometheus.
We also leveraged a hub-and-spoke architecture for solution scalability.

#observability
609 views, TelepostBot, 19:05
2022-01-24 18:51:03
Using Amazon Cognito to Authenticate Players for a Game Backend Service:

https://aws.amazon.com/blogs/gametech/using-amazon-cognito-to-authenticate-players-for-a-game-backend-service/

A: Game client makes a REST API call to an unauthenticated endpoint to invoke the Login Lambda function with username and password in the JSON body.
B: Login Lambda function uses username and password to authenticate with Amazon Cognito user pool and obtains IdToken.
C: Login Lambda function sends IdToken back to game client through the API Gateway.
D: Game client makes a REST API call to Amazon API Gateway which will validate the IdToken with the Cognito authorizer. API Gateway will then invoke the backend service Lambda function.

#Cognito
812 views, TelepostBot, 15:51
2022-01-23 10:45:51
New AWS white paper with guidance for implementing WAF

#aws #security
578 views, Roman Sevko, 07:45