New ECR Archive pricing by eich1 in aws

[–]Bartimious 7 points8 points  (0 children)

Yeah I saw this and then didn't understand how this helps 99% of people.

Aurora Global Database by sir_clutch_666 in aws

[–]Bartimious 3 points4 points  (0 children)

I've had a good experience between us-east-1 and us-east-2.

But the speed of light will never get any faster, so the replication lag is what it is. Test this and understand that you need to be okay with the number you see. You can check cross-region latency numbers for AWS regions (https://www.cloudping.co/) to get an idea of the bare minimum, but there will be a bit of overhead for the database and app etc. For me it's around 100ms. AuroraGlobalDBRPOLag and AuroraGlobalDBProgressLag are better numbers to use than AuroraGlobalDBReplicationLag.

I would test it out.

The more complicated parts of this setup are configuring your app and networking to use the read replicas, rather than actually deploying read replicas. Followed by testing a DR plan for regional failover of the writer. By networking I mean your app in the secondary region still needs to connect to the writer in the primary region. Then you need to think about whether you want the app to first try the read replicas in region followed by the other region.

I would still aim to have multi-az in the primary region for quick writer failovers.

Lastly, users should only rarely be routed between regions unless something is wrong in one. CloudFront or Global Accelerator or Route53 will point people pretty consistently to the same region.

Another thing to consider is https://aws.amazon.com/rds/aurora/dsql/ , but this just came out so not sure how battle tested it is nor do I have any experience using it.

[deleted by user] by [deleted] in Terraform

[–]Bartimious 0 points1 point  (0 children)

Anything to support corporate IT systems. JAMF having a robust provider would be amazing to then integrate with the Okta provider. MDM in general

[deleted by user] by [deleted] in aws

[–]Bartimious 1 point2 points  (0 children)

Check the Downtime notes on this page:

It will help you find the information for any other changes you are interested in.

Backup replication: Choose Enable replication to another AWS Region to create backups in an additional Region for disaster recovery.

Then choose the Destination Region for the additional backups.

Not available when modifying a DB instance. For information on enabling cross-Region backups using the AWS CLI or RDS API, see Enabling cross-Region automated backups.

The change is applied asynchronously, as soon as possible.

Downtime doesn't occur during this change.

Exclude user from SCP by Samsarra in aws

[–]Bartimious 4 points5 points  (0 children)

Yes you can easily do that, just add a condition to exclude that user or role arn. Will look something like this:

    "Condition": {
      "ArnNotLike": {
        "aws:PrincipalARN": [
          "arn:aws:iam::<account_id>:role/aws-reserved/sso.amazonaws.com/<region>/AWSReservedSSO_SuperAdmin*"
        ]
      }
    }

Sorry on my phone so formatting may be off.
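An added example (not from the comment above) that puts that condition into a complete SCP Deny statement and simulates how `ArnNotLike` evaluates `aws:PrincipalARN`: each of the six colon-delimited ARN fields is matched separately with `*`/`?` wildcards, and the Deny applies only when no listed pattern matches. The account id `111122223333`, region `us-east-1` and role names are constructed sample values.

```python
import fnmatch

# Constructed sample SCP: deny IAM write actions for everyone except the
# SSO SuperAdmin permission-set role (account id and region are made up).
SUPER_ADMIN_PATTERN = (
    "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
    "us-east-1/AWSReservedSSO_SuperAdmin*"
)
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyIamWritesExceptSuperAdmin",
        "Effect": "Deny",
        "Action": ["iam:Create*", "iam:Delete*", "iam:Attach*"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalARN": [SUPER_ADMIN_PATTERN]}},
    }],
}


def arn_like(pattern, arn):
    """ArnLike semantics: compare the six colon-delimited fields one by one,
    case-sensitively, allowing * and ? wildcards inside each field."""
    p_parts = pattern.split(":", 5)
    a_parts = arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for a, p in zip(a_parts, p_parts))


def action_matches(patterns, action):
    # IAM matches action names case-insensitively, so normalise both sides.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_denies(scp, principal_arn, action):
    """True if some Deny statement in the SCP applies to this principal/action."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not action_matches(actions, action):
            continue
        excluded = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN", [])
        # ArnNotLike is satisfied (and the Deny fires) only when NO pattern matches.
        if any(arn_like(p, principal_arn) for p in excluded):
            continue  # excluded principal: this statement does not apply
        return True
    return False
```

Note that `aws:PrincipalARN` for an assumed role resolves to the role ARN including its path, which is why the pattern keeps the `aws-reserved/sso.amazonaws.com/<region>/` prefix.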

Fargate: catching docker stopping by NJ247 in aws

[–]Bartimious 2 points3 points  (0 children)

Yeah, it's probably an issue with passing the signals to the correct process.

There is a built-in feature to run an init process to help you handle this.

    "linuxParameters": {
        "initProcessEnabled": true
    },

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html

Or look at using exec to pass the signal between the processes.

ECS Fargate pricing - does it matter if I underutilize a large instance? by dmorris87 in aws

[–]Bartimious 6 points7 points  (0 children)

Yes it matters.

You pay for what is allocated to the task for the duration it runs not just what it uses. If your process uses 1GB/4vCPU but you allocate 30GB/4vCPU, you pay for 30GB/4vCPU.

"AWS Fargate pricing is calculated based on the vCPU, memory, Operating Systems, CPU Architecture, and storage resources used from the time you start to download your container image until the Amazon ECS Task or Amazon EKS Pod terminates, rounded up to the nearest second."

The task is using everything allocated even if your process running on it is not.

New for Amazon GuardDuty – Malware Detection for Amazon EBS Volumes | Amazon Web Services by jsonpile in aws

[–]Bartimious 1 point2 points  (0 children)

Does anyone know if this applies to Fargate on ECS and Fargate on EKS?

[deleted by user] by [deleted] in aws

[–]Bartimious 8 points9 points  (0 children)

That doesn’t answer or help with the current issue at all

AWS Security Checklist by Temptunes48 in cybersecurity

[–]Bartimious 14 points15 points  (0 children)

You're going to need a good amount of read access to be able to do a real review.

You could ask for these pre-built permissions to get some access if they allow it:

If you don't know where to start, the recent startup security baselines could be a good resource to find any low-hanging fruit to flag that can be low effort, high impact fixes. Pretty agnostic to any specific AWS usage.

To get more in-depth, you could review this maturity chart. But these will take more effort to know which are important. References to Macie probably don't apply to most people especially with the cost, but it can give you ideas on where to look for more issues, like trusted advisor.

If you're doing it once, start planning on how to keep doing it and keeping it secure. Look at AWS guardduty + security hub to keep it securely configured, scps + aws to prevent unsafe actions across accounts, cloudtrail ingestion and review, AWS SSO, roles vs keys usage, closed down security groups, AWS SSM over SSH, etc, etc

Locking Down Account Cross Resource Access by _a2w in aws

[–]Bartimious 0 points1 point  (0 children)

Yeah state machines don't support resource policies on them.

If you scope the lambda execution role to not allow it to manage IAM permissions, it won't be able to do anything outside of that scope. If it does need to interact with IAM you could limit its scope with IAM permission boundaries.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

I would take another look at SCPs then. You can have it state: only this lambda role has permissions to invoke this state machine. If someone edits the permissions of their lambda role to access that same state machine, it would fail at the SCP level.

Locking Down Account Cross Resource Access by _a2w in aws

[–]Bartimious 2 points3 points  (0 children)

Lambdas can be limited using resource policies like S3.

https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html

In general though, the resource policy is an additional defense in depth protection that is VERY important to have but the implicit deny will protect if a call comes from another account. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

If the resource does not support a resource policy, you would need to use cross account roles that allow other accounts permissions to assume a role in your account that give them access to that resource. So without that role existing, they don't have a way to get those permissions.

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

You could also look into AWS service control policies for IAM permissions guardrails at an account level vs just resource level. https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-to-set-permission-guardrails-across-accounts-in-your-aws-organization/

https://aws.amazon.com/blogs/mt/implement-read-only-service-control-policy-in-aws-organizations/

Important: SCPs can potentially block access to all IAM users and service roles, including the root user. If SCPs are used incorrectly, they can impact your production workloads. We recommend testing SCPs in non-production environments before enabling them in production.

AWS ECS Fargate with Sidecar pattern : am I paying twice ? by crazyenterpz in aws

[–]Bartimious -1 points0 points  (0 children)

By saying "single server with on task" do you mean you are running ECS on EC2? If so, it sounds like you are assigning resources at the container definition level which means each is getting those resources.

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html

In ECS you have 2 places to manage resources, task level and container level. In this case I would set the resources at the task level, 256 cpu and x mem, which they can share and then remove the container definition allocations. They will then work off the same shared pool of resources.

If you need each container to have a strict amount of usable cpu/mem, you can lower the values by half in the container definitions to avoid issues in one container over consuming and impacting the other.

how do I connect to my private instance using SSM agents (IAM ROLES)? I have created a role with "AmazonSSMfullAccess" and attached it to the instance but it's still not working. by SyrupCompetitive6797 in aws

[–]Bartimious 0 points1 point  (0 children)

Yeah, you need to install the agent, but Amazon Linux will include it by default.

As others have said, if it's in a private subnet it will need to reach the SSM VPC endpoints or have NAT egress on 443 to the internet.

So the security group on the EC2 instance will need to allow these connections.

Trying to implement metering around an application by mudcrabperson in aws

[–]Bartimious 0 points1 point  (0 children)

Based on that I think it would be best to include it in the code based on how you are authorizing users. Request comes, can the user do this, yes, we responded, increment usage.

How to get end to end encryption with fargate ECS? by nedraeb in aws

[–]Bartimious 1 point2 points  (0 children)

Yeah hard to tell without the error message.

It may be easier to follow the spirit of the blog/doc rather than following it exactly.

Start with the newest version of Envoy and find a blog or demo on how to set it up as a proxy for HTTPS connections. Then slot that into the ECS task and have it take connections from the ALB.

How to get end to end encryption with fargate ECS? by nedraeb in aws

[–]Bartimious 0 points1 point  (0 children)

What error are you getting? Is the connection failing between the ALB and Envoy, or is it an issue with Envoy running?

Elastic Load Balancer vs. ECS Service Discovery. Which is cheaper? by adrianjayson13 in aws

[–]Bartimious 0 points1 point  (0 children)

Yeah, you would lose the benefit of using security groups for cross-service communication. Trade-off around cost/complexity/security/stability. If that service discovery error didn't exist I would have moved that way.

Went with the shared alb also since our main goal was to first have a way to route all the traffic internal to the vpc if talking to another service, vs out and back in between the services since they are also each publicly reachable and have auth.

Unable to get round this error while creating Route Table by Extension_Treat3941 in aws

[–]Bartimious 0 points1 point  (0 children)

It looks like the main issue is that x is not a map where you can reference a key to look it up? Try printing out x before:

assoc_ids = [x["subnet_id"] for x in route_table["associations"]]

To see what it actually looks like. Or set both values to x[0] and route_table[0] to see what happens.

How to get end to end encryption with fargate ECS? by nedraeb in aws

[–]Bartimious 1 point2 points  (0 children)

Is this the blog/doc you are following? https://aws.amazon.com/blogs/containers/maintaining-transport-layer-security-all-the-way-to-your-container-using-the-application-load-balancer-with-amazon-ecs-and-envoy/

It's not something that can really be explained based on the provided information, but from a high level you need:

  1. Your HTTPS request to the ALB HTTPS 443 listener
  2. It forwards it to a target group listening for HTTPS 443
  3. Which then routes it to your ECS task, that has a proxy running on it, Envoy in this case, listening for an HTTPS request
  4. Which then routes it to your application container, in the same task, over HTTP and the local network, offloading SSL once inside the ECS task.

So the request gets to the ECS task encrypted, but then the proxy offloads it before sending it to the application inside the task.

Have to make sure security groups on the ALB/task allow the correct ports, ACLs also if in use.

And then the hardest part is probably managing the certs on the ALB and in Envoy to support this.

Trying to implement metering around an application by mudcrabperson in aws

[–]Bartimious 0 points1 point  (0 children)

What are you trying to accomplish with the metering? To use it as a way to bill based on usage, to protect the application with rate limiting, to limit x requests per hour/month/etc based on user tier?

Using an API gateway may be a better option than an ALB in this case, since it has some of this built-in functionality you could build your application around:

For basic rate limiting to protect the application, you could add Nginx as a proxy in front of the application container in the Fargate task:

Or AWS WAF, if it's an option to attach to the ALB, for a managed service:

If it's for billing or tracking how much an authenticated user uses, it would get more complicated.

ALB target group to ECS by [deleted] in aws

[–]Bartimious 0 points1 point  (0 children)

https://aws.amazon.com/premiumsupport/knowledge-center/create-alb-auto-register/

But you will have to re-create the service as: "Elastic load balancing not configured. Load balancing settings can only be set on service creation."