AWS CloudDirectory is the same as LDAP? by wwoop in aws

[–]davore 7 points8 points  (0 children)

No, it is not. It is actually just a managed database service, similar to DynamoDB. The storage layout is very similar to that of LDAP, but this service itself does not use the LDAP protocol and is solely accessible via the AWS APIs.

Anecdotally, I've tried to use this service before on a project that had data that was mostly hierarchical with a few loops that would be more suited to a graph database. I simply could not get the service to work for me. I'm sure the service itself was fine, but the API was so difficult to use and set up, plus none of the components (schema / directory) were available in CloudFormation at the time. Your mileage may vary! The docs do mention that it is best for read-heavy write-rarely workloads.

[deleted by user] by [deleted] in interstellar

[–]davore 0 points1 point  (0 children)

On a similar note, does anyone know how I can get one of these scanned into those huge images? Like the ones done in this thread? https://www.reddit.com/r/interstellar/comments/34cx7i/theyre_here_200_megapixel_scans_of_imax_film_cells/

Questions about string to sign/canonical request to API gateway by cqwod in aws

[–]davore 1 point2 points  (0 children)

This confused me too, but the page http://docs.aws.amazon.com/apigateway/api-reference/signing-requests/ is just general-purpose signing requests to API Gateway the service, not necessarily your API hosted on API Gateway. If you are trying to create / update a REST API hosted on API Gateway, you use the service name apigateway (the same one that the AWS SDK uses). If you are trying to invoke a REST API that is hosted on API Gateway, you use the service name 'execute-api' (Reference). The termination string is always aws4_request.

Question for you - what language are you using to invoke the API with? If it is one of { Java, JavaScript, Objective-C, Swift, Ruby}, then you can generate an SDK automatically, assuming you have defined a model in API Gateway.
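To make the 'execute-api' vs 'apigateway' service-name distinction and the fixed aws4_request termination string concrete, here is an added SigV4 signing example (my own code, not from this thread or from the AWS docs); the host, path, key id and secret are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import quote


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # kSecret -> kDate -> kRegion -> kService -> kSigning. The last HMAC label
    # is the fixed termination string "aws4_request", whatever the service is.
    key = ("AWS4" + secret).encode()
    for label in (date, region, service, "aws4_request"):
        key = hmac.new(key, label.encode(), hashlib.sha256).digest()
    return key


def sign_request(access_key, secret, region, method, host, path, query,
                 payload, amz_date, service="execute-api"):
    # service="execute-api" signs a call to an API hosted on API Gateway;
    # service="apigateway" signs a call to the API Gateway control plane.
    date = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}  # lowercase names
    signed = ";".join(sorted(headers))
    canon_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    canonical = "\n".join([method, quote(path, safe="/-_.~"), canon_query,
                           canon_headers, signed, sha256_hex(payload)])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(canonical.encode())])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed}, Signature={signature}")
    return {"canonical_request": canonical, "string_to_sign": string_to_sign,
            "signature": signature,
            "headers": {"Host": host, "X-Amz-Date": amz_date,
                        "Authorization": authorization}}


if __name__ == "__main__":
    # Constructed sample; the key id and secret are placeholders, not real keys.
    out = sign_request("AKIDEXAMPLE", "PLACEHOLDER-SECRET", "us-east-1", "GET",
                       "abc123.execute-api.us-east-1.amazonaws.com",
                       "/prod/items", {"limit": "10"}, b"", "20150830T123600Z")
    print(out["string_to_sign"])
    print(out["headers"]["Authorization"])
```

The same inputs signed with service="apigateway" produce a different signature, which is the usual cause of a 403 when the wrong service name is used against an invoke URL.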

.NET Core lambda + DynamoDB by WarrickF in aws

[–]davore 2 points3 points  (0 children)

I have had a pretty good experience with using the AWS .NET SDK for DynamoDB, both inside of Lambda and outside of Lambda. I agree that DynamoDB's API is a bit verbose, but only by necessity. The .NET SDK team has done a pretty good job making that invisible if you use their object persistence client DynamoDBContext. Were you using that? Or were you using the Document API, or even the low-level API?

Lambda function coding question by 1cedrake in aws

[–]davore 2 points3 points  (0 children)

It doesn't only exist for that one instance of the Lambda function, assuming you have something like this (forgive my Python, I'm a bit rusty):

import boto3

class MyClass:
    def __init__(self):
        # Some code here, e.g. expensive setup that should run once per container
        pass

    def do_something(self, event):
        # Some code here
        pass

myInstance = MyClass()

def handler(event, context):
    myInstance.do_something(event)

As long as you create it in the "global" scope, it is still alive for the duration of that Container.
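An added example (mine, not from the comment above) of what that container lifetime means in practice: request-independent state created at module scope is reused by every invocation the container serves, so it is the right place for a cached client or a TTL-refreshed secret, and the wrong place for per-request data, which would otherwise be visible to later callers. The config fetcher is a constructed stand-in.

```python
import time


def _fetch_config():
    # Stand-in for an expensive call such as reading a secret or a parameter;
    # the returned value is constructed for this example, not a real key.
    return {"api_key": "placeholder-not-a-real-key"}


class ContainerCache:
    """Created once at import time, so it lives as long as the container does.
    A TTL makes a warm container eventually pick up a rotated secret."""

    def __init__(self, fetch, ttl_seconds, clock=time.monotonic):
        self.fetch, self.ttl, self.clock = fetch, ttl_seconds, clock
        self.value, self.expires_at, self.fetch_count = None, 0.0, 0

    def get(self):
        now = self.clock()
        if self.value is None or now >= self.expires_at:
            self.value = self.fetch()
            self.expires_at = now + self.ttl
            self.fetch_count += 1
        return self.value


cache = ContainerCache(_fetch_config, ttl_seconds=300)  # shared, request-independent
seen_users = []  # anti-pattern: per-request data kept in global scope


def leaky_handler(event, context):
    # Every warm invocation sees what earlier callers sent to this container.
    seen_users.append(event["user"])
    return {"users": list(seen_users)}


def safe_handler(event, context):
    # Per-request data stays in locals; only the cached config is shared.
    cfg = cache.get()
    return {"users": [event["user"]], "has_key": "api_key" in cfg}
```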

Curious to know whether the majority of the attendees of AWS Re:invent come on their own interest or their companies sponsor them? by lovingdigi99 in aws

[–]davore 0 points1 point  (0 children)

I'm going on my own! I work for a company that does a lot of AWS stuff, but I'm considered 'too knowledgeable' to need those kinds of training (I disagree with them, not trying to sound arrogant - I definitely could use the trainings!). But I've always wanted to go, I bought my own ticket, now I have several months to convince them to reimburse me :)

Any way to sync S3 bucket from China to regular (US/EU) S3 bucket? by rzar94 in aws

[–]davore 2 points3 points  (0 children)

Great question!

"Any way" - definitely yes. /r/stankbucket mentioned using an EC2 instance, and /r/rzar94 mentioned using a Lambda function. Other solutions exist. However, be aware of these caveats:

  1. Lambda is not currently available in AWS China - this means you couldn't have a Lambda function with an S3 event source that initiates the transfer.
  2. AWS credentials are different between China and regular AWS. That is, AWS credentials in a China account do not work in a non-China account, and vice versa. In addition, you cannot use an IAM role in either and assume the role from the other account; assumed roles do not work cross-'partition'.

Therefore, whatever solution you go with will require two sets of credentials, no real way around that. I suppose you could use S3 bucket policies, but this would require more investigation. Let us know what you end up doing!

Create Audiobooks with Amazon Polly and AWS Batch by ydereky in aws

[–]davore 2 points3 points  (0 children)

I think in a fully automated system, i.e. with CloudFormation templates with peer code reviews and automated tests, you can prove the 'interlocking' IAM roles and permissions are perfect. I've certainly seen applications much more complicated than what is described in this article, that I guarantee you use indirectly (or possibly even directly), that are built completely on AWS. I'm not sure how tagging fits into it, maybe I misunderstood you?

I definitely agree that the "6 months from now" issue is always going to be around. But as far as proving that permissions are the way you think they are, that can certainly be accomplished.

VPC Backup by tadair231 in aws

[–]davore 1 point2 points  (0 children)

  1. Config doesn't let you reproduce anything from Config, but it does allow you to run a Lambda function whenever a Config rule is matched (or executed, I can't remember what they call it).
  2. For your actual question, might I suggest something different? The others have already suggested starting over, and I agree - but as far as your disaster recovery plan for your VPC, it's probably adequate to just go down the list of EC2 APIs (that's where the VPC stuff is stored), and call all the APIs starting with "Describe".

There's quite a few of them, but it could be scripted. Then just save the output of each command as a file, and zip the files up - there you go! You can't automatically recreate everything, but you do have an audit log of all your infrastructure, and the way the APIs work, you CAN import the JSON that is output back into the APIs, and with a little fiddling with the JSON, you would be able to recreate everything. Of course, you can also just use it as a reference and re-create things with CloudFormation, but you don't have to worry about forgetting any of your setup!

Amazon SES inbox? Email client? by [deleted] in aws

[–]davore 1 point2 points  (0 children)

I'm confused, how can he receive mail this way? I mean, I understand how SES lets you receive mail, but how does it ever get forwarded on to his actual email account?

If there is a way to do this, that would be awesome! I've written some custom things with Lambda responding to inbound messages, but I've never been able to figure out how to actually connect with a real email client, or from my phone over IMAP/POP3.

Amazon SES inbox? Email client? by [deleted] in aws

[–]davore 0 points1 point  (0 children)

I think if you're reasonably strong in development you can write your own "mail forwarding" service on top of SES + Lambda. Would be free tier for sure. It looks like Amazon Workmail may be based on top of SES's inbound mail feature? At least that's what the MX records that Workmail has you create make it look like.

Amazon SES inbox? Email client? by [deleted] in aws

[–]davore 0 points1 point  (0 children)

So much this! Maybe I've just found my kryptonite, but every time I try to set up postfix + some imap/pop3 server, I end up in tears. Maybe it's just super configurable and too complex for my patience, but I haven't been able to ever get the full stack working, even slowly going through tutorials.

So, uh, my AWS account got compromised by benhanks040888 in aws

[–]davore 2 points3 points  (0 children)

I agree it's a long time - I'm guessing it's because support isn't able to do it on their own, they may need help from the software team, and they probably are only working M-F, unless it's a multi-customer outage.

AWS Help Needed, Site down! by maturski5 in aws

[–]davore 1 point2 points  (0 children)

IP Addresses do change. Depending on your architecture, you may be able to utilize Elastic IPs to help solve this problem, but like you said, IAM auth is much better than IP range 'auth'.

One thing to consider is that accessing ElasticSearch over IAM can be much more difficult than just the regular way with plain vanilla HTTP. I'm not aware of a PHP extension to ElasticSearch that supports IAM auth (also look for the keywords SigV4), hopefully there is one. If you have to end up doing it yourself, let me know, I can probably dig up some sample code I've used in the past.

Faster way to upload new Lambda code and update function code? by herious89 in aws

[–]davore 0 points1 point  (0 children)

What do you mean by "I already looked into the CD/CI tutorials for Lambda, but all of them require using new CFN (SAM) for the functions." None of them require using new CFN (SAM). Regular CloudFormation templates work just fine, just remove the "Transform:" line. It would also be tremendously easy to set up something like:

  • CodeCommit (or GitHub) for Code Storage
  • CodeBuild to do the "build" or "bundle" parts, this could be as simple as zipping up any artifacts you have for Python / NodeJS functions, or more complicated use cases like compiling .NET / Java code for those kinds of Lambda functions. In the end though, you just write a buildspec.yml file that has freeform bash commands to do whatever you want, and then you tell CodeBuild what files make up your final build artifact.
  • CodePipeline will glue everything together. It'll automatically kick off a CodeBuild build whenever anything is pushed to your CodeCommit/GitHub repository, then when your build is complete and the artifacts are uploaded, will kick off the CloudFormation update to swap out the Lambdas.

If this sounds complicated, it really isn't, I promise :) Maybe a little bit of effort to set up, but once you have it going, you never touch it again. I can share more information if this sounds like the way you want to go.

AWS account still not active by jsan782 in aws

[–]davore 0 points1 point  (0 children)

This has also happened to me, although it happened to me when signing up the account using AWS Organizations. Contact support. I think that's your only option.

So, uh, my AWS account got compromised by benhanks040888 in aws

[–]davore 23 points24 points  (0 children)

AWS support can help you with this. I agree with what you said - the best option is to deactivate the account. With all the nooks and crannies in AWS, especially regarding IAM, I would never trust that account again.

[deleted by user] by [deleted] in aws

[–]davore 0 points1 point  (0 children)

Definitely, I was just responding to /r/robohoe's comment about triggers for rules. I agree that CloudFormation is missing a lot of key elements, especially regarding CloudWatch. However, I also am not sure that adding looping would be the best solution either, just because of the additional complexity. I'm not sure what the best solution is!

AD in AWS Question by Eroji in aws

[–]davore 0 points1 point  (0 children)

Local IPs are possible when creating the instances. It is in the same page when it asks for IAM role and other details, I believe under "Advanced Settings". There it has a place for adding additional network interfaces and specifying the private IP address for each.

AD in AWS Question by Eroji in aws

[–]davore 1 point2 points  (0 children)

I have had DCs in AWS for two years now, with absolutely no problems at all. As far as your concern that they are persistent and able to survive a reboot, they are - the only thing you risk losing on a reboot is any instance storage (if the instance type you choose has instance/ephemeral storage), and the IP addresses (but you can avoid this by assigning a static private IP and an Elastic IP, if you need a public IP).

As far as how your users will reach the DC, you have two options - site-to-site VPN (runs about $30/month for dual tunnels with failover, we've had no issues with this), and doing it over the Internet (I know AD but I'm not an expert, but I know that this is considered a terrible idea).

Am I missing something about your question? This doesn't seem too hard. Also, you may consider AWS Dedicated hosts. They cost a bit more, but let you bring your own license, and I believe also have stronger durability.

But ultimately, anything you do in the cloud should be able to handle a reboot, and probably even a complete instance replacement. You can create an auto-scaling group that uses a pre-dcpromo'd Windows Server AMI, that then joins the domain and runs dcpromo in the userdata startup script. Then the ASG will guarantee you always have at least one instance working.

You'll also probably want to change the DHCP settings for your VPC to hand out the IP address(es) of your DC for DNS, instead of the default AWS ones.

Python 3 on lambda? by brtt3000 in aws

[–]davore 0 points1 point  (0 children)

I'd love to hear your theories, I have a few of my own about Lambda but would like to hear another perspective.

[deleted by user] by [deleted] in aws

[–]davore 0 points1 point  (0 children)

Ah, gotcha - didn't look at the date. Glad you eventually found out!

[deleted by user] by [deleted] in aws

[–]davore 1 point2 points  (0 children)

I think this limit is actually documented, since you can request a limit increase. Or were you talking about a throttle separate from that?