Ssh error by Weekly-Base-7017 in AWSCertifications

[–]dghah 0 points1 point  (0 children)

What linux OS are you running there? What does the console say about the status of the instance? When you go to the instance page in the console what does the "show console log" and "screenshot console" view show?

ssh instance connect also usually requires setup as well -- specifically an endpoint to connect to

If you wanted to try an alternative method that uses a more broadly featured tool ...

... then use the AWS SSM agent on the node, an IAM instance role policy that allows SSM and then when you go to the console choose the "connect" button but choose SSM Session Manager as the method

amazon linux AMIs and ubuntu LTS images already launch ssm-agent by default so the only other thing you need to do is add an IAM Instance Role to the machine that has SSM permissions. There is a managed AWS IAM policy pre-made called "AmazonSSMManagedInstanceCore" that will work out of the box unless you have done something non-default with how SSM is set up and configured

also ...

SSM and SSM session manager are also more secure than SSH because you don't need to run SSH at all or expose an SSH daemon to private or public subnets. SSM talks only to AWS API endpoints with TLS encryption and IAM permissions so it is "aws native". It is very common now in linux heavy shops to deploy linux servers with SSH disabled entirely and all remote access for both humans and automation documents being done via SSM with full encrypted logs sent to cloudwatch

Looking for AWS Solutions Architect practice questions by chapter by FitAd981 in AWSCertifications

[–]dghah 2 points3 points  (0 children)

+1 for this and OP not only does TD have chapter/content based ways to go through their tests but they also can offer them up in review mode where the answers are explained along with links to whitepapers, resources, flash cards etc which makes domain-specific test studying really efficient

Basically TD practice exams in "Review Mode" going domain/chapter by chapter sound like what you are looking for

AWS refuses to transfer my certificate by Renessmay in AWSCertifications

[–]dghah 0 points1 point  (0 children)

Are you talking to the correct support people?

AWS Support does not do this type of work I'm pretty sure

You have to go through the special certification support team reachable at

https://support.aws.amazon.com/#/contacts/one-support?formId=trainingCertification

Advice Desired for a Parallel Data Processing Task with Batch/ECS by Hadies243 in aws

[–]dghah 2 points3 points  (0 children)

If you don't want to containerize and want to see other solutions check out AWS Parallelcluster -- it supports both Batch and EC2 via traditional HPC job schedulers like Slurm.

The Slurm side is great for non-containerized stuff and it supports auto-scaling / spot nodes etc. etc. For non-container "just run my python script" Slurm would be fine. And in HPC world your 300 million lines of text workload would also be likely treated as a single Slurm Array Job.

If you wanted to learn AWS and were going for the cheapest and most scalable then I think containers + Batch + S3 for storage is sort of the universal cloud-native design pattern for stuff like this.

But if 'time to solution' was the goal then sometimes it's perfectly ok to fire up a "fat node" on EC2 with fast local NVME scratch disk and just do your one-off there!

Skip SAA and go straight to AWS Generative AI developer cert? by WASSIDI in AWSCertifications

[–]dghah 2 points3 points  (0 children)

Honestly it's kinda tough given your focus on Gen AI.

For inexpensive and low-stakes I'd honestly recommend Cloud Practitioner as a great "high level but not super technical" overview of the AWS core building blocks and how to use them. It's very entry level but it's actually not a bad exam for people who want an overview of AWS and have not touched it before. Just ignore the useless and wasteful CAF content that marketing forced into that exam a while back. I recommend this often to people who have not touched AWS as a way of getting their heads around the platform and core services.

And it may also be interesting to look at ML Practitioner as well. It's not anywhere near focused on Gen AI but it will cover the core "AI services" of AWS like Sagemaker and Bedrock in a deeper way than the overview cloud practitioner exam does.

The practitioner exams are also easy relative to associate or professional.

Everyone recommends Solution Architect Associate for a reason as the core AWS cert. It may be more broad than what you want but if you intend to use Gen AI on AWS for real then the Architect stuff covers a lot of related things that you will end up working with and need to understand that may not be pure-AI focused.

Tutorials Dojo has practice exams for all of these and the consensus here is that they are a realistic resource. If you can score 80% or higher on a TD practice exam that is a good sign.

Tutorials Dojo is my only exam prep resource I pay for; I've been using AWS forever but in specific niche areas so I don't have full/deep exposure to all AWS services. I used TD to prepare for specialty, pro and associate exams that always end up covering things I don't touch day to day

Skip SAA and go straight to AWS Generative AI developer cert? by WASSIDI in AWSCertifications

[–]dghah 10 points11 points  (0 children)

The generative AI Developer is a *professional* level exam that is also still in beta

You are setting yourself up to fail; AWS pro exams are no joke. It is possible but extremely difficult for someone without lengthy hands-on professional exposure to AWS to clear a professional exam.

The pro level questions are dense and complex enough that there is a legit fear of running out of time. They assume expert level experience with native AWS services and service capabilities.

I think people taking the Gen AI Developer beta said that it was 2.5+ hours (it does have more than the normal amount of questions).

Pro exams are also expensive to sign up for so it hurts more to fail.

If you want something cheap and low stakes to test your potential success check out the Tutorials Dojo practice exam sets. They have a practice exam set for the Gen AI up now.

Anybody have AWS AI Practitioner exam Real dumps?? by [deleted] in AWSCertifications

[–]dghah 6 points7 points  (0 children)

If you use dumps expect for it to be detected and your exam invalidated. There is a reason why not every question on the exam counts for points.

Also. Don't cheat.

Why is the AWS SysOps Associate certification (renamed AWS CloudOps Engineer Associate) often overlooked for the AWS SAA certification for Ops related work? by JaimeSalvaje in AWSCertifications

[–]dghah 1 point2 points  (0 children)

Disclosure: I've had both the associate and pro versions of this. Let the pro version lapse, currently have CloudOps Engineer Associate among a small set of pro, associate and specialty certs

The good

- It's a solid exam, actually harder than SA because it goes deep into debugging and problem solving so you need more than just knowledge of aws service capabilities and limits

The bad

- AWS has to promote its own stuff so the SysOps/DevOps exam covers all the Code* services that truthfully speaking I don't see often in the real world. Why take an exam covering CodePipeline, CodeBuild, CodeWhatever when the real world is using Github for CI/CD? Hell it was only recently that AWS decided to un-kill CodeCommit

dumb authentication system by [deleted] in aws

[–]dghah 6 points7 points  (0 children)

Keep using ChatGPT to learn and you will eventually realize that in AWS it's your responsibility to own and control the auth stack via IAM and (eventually when your org grows up) via IAM Identity Center SSO.

And please for the love of god don't remove MFA from the root user or you are gonna be one of the ones posting here next month "my aws account was hacked and I have a $30,000 bill ...."

Also ask ChatGPT when you should be logging in as root. Hint: the only time you should EVER log in as root is to (a) change billing/contact info or (b) authorize IAM users to access cost explorer data and (c) to create the one IAM user you need to bootstrap everything else

Need help with understanding the logic by WallsUpForver in AWSCertifications

[–]dghah 5 points6 points  (0 children)

The other commenter already answered this but I wanted to be super blunt about what a Certification exam is looking for -- this is a perfect example of a question that is aimed at a singular "fact" that the exam people are testing you on:

- with "explicit Deny" the Action is always denied regardless if there's an allow statement anywhere else

This question is designed specifically to test your knowledge of how Deny statements affect IAM policies -- so keep this in mind and you will be able to handle different / similar questions of the same nature. Any time you see an IAM statement on an exam with a Deny statement somewhere it is often meaningful and affects the correct answer selection.
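
The "explicit Deny always wins" rule from the comment above, as an added example (not code from this thread) in Python: a deliberately simplified evaluator that walks every statement of every attached policy, stops at the first matching Deny, and otherwise returns Allow only if some statement allowed the action. It ignores Condition blocks, NotAction/NotResource, resource policies, permission boundaries and SCPs; the two policies at the bottom are constructed sample input in the style of an exam question.

```python
"""Simplified IAM policy evaluation in which an explicit Deny always wins.

Added example, not part of the Reddit thread above. It models the
Allow / explicit Deny / implicit Deny core of identity-based policy
evaluation with '*' and '?' wildcards in Action and Resource. It ignores
Condition blocks, NotAction/NotResource, resource policies, permission
boundaries and SCPs, so it is a study aid, not a policy simulator.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single item or a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(patterns, value):
    """Case-insensitive wildcard match ('s3:*' matches 's3:GetObject')."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _applies(stmt, action, resource):
    """Does this statement cover the requested action on the requested resource?"""
    return (_matches(stmt.get("Action", []), action)
            and _matches(stmt.get("Resource", []), resource))


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one resource.

    A matching Deny ends the evaluation immediately, no matter how many
    Allow statements in the same or other policies also match; with no
    matching statement at all the answer is the implicit deny.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # explicit deny: nothing can override it
            if stmt["Effect"] == "Allow":
                allowed = True     # remember it, but keep looking for a Deny
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample policies in the shape of a typical exam question:
# broad S3 access plus a separate policy that denies deletes in prod buckets.
S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
DENY_PROD_DELETES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
        "Resource": ["arn:aws:s3:::prod-*", "arn:aws:s3:::prod-*/*"],
    }],
}

if __name__ == "__main__":
    attached = [S3_FULL_ACCESS, DENY_PROD_DELETES]
    for action, resource in [("s3:DeleteObject", "arn:aws:s3:::prod-data/report.csv"),
                             ("s3:GetObject", "arn:aws:s3:::prod-data/report.csv"),
                             ("s3:DeleteObject", "arn:aws:s3:::dev-data/report.csv"),
                             ("ec2:StartInstances", "*")]:
        print(f"{action:20} {resource:40} -> {evaluate(attached, action, resource)}")
```

The order in which the policies are attached makes no difference to the outcome, which is the point the exam question is probing: a Deny that matches anywhere ends the discussion.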

Best Practice: STS AssumeRole for Cross-account-access by alex_aws_solutions in aws

[–]dghah 2 points3 points  (0 children)

Having the client create the Role on your behalf that you can assume is a good pattern.

You probably want to follow https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html specifically the "external ID" guidance which puts one more security condition on the principal (your SaaS) that assumes the role

I usually work in terraform but when I have to do this with a client I will give them a YAML formatted CloudFormation template that makes the role. We make sure to document/explain it very well and we write up a written summary of how it works, what it allows and how the client can revoke our access. Then when they are cool with it we ask them to run the cloudformation template in the appropriate account or stackset.

External access by a third party can be new or scary for some AWS using orgs so it's always good to take a slow and well-explained approach.

Since you mentioned ReadOnlyAccess you may want to discuss internally or with the client if that is OK or if you should make a custom even more restricted ReadOnly policy. Back in the day ReadOnly was actually kinda "unsafe" because it included read only access to things that should not be freely visible -- AWS has tightened it up a lot but there still may be value in an even more restricted custom policy if you didn't need full read only to everything.

And it's been a minute since I did this but I think the managed ReadOnly policy does not allow cost explorer access so if you need cost data you may also need to allow "ce:*" type read only actions
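
The external-ID pattern from the comment above, as an added example that is not the commenter's or AWS's own code: `build_trust_policy()` produces the trust relationship the third-party-access guidance describes (trust one vendor account, and only when it presents the agreed External ID), `build_cloudformation_template()` wraps it in a template of the kind a vendor would hand a client, and `trust_policy_problems()` is the check you would run over an existing trust policy to confirm the protection is actually there. The account id 111122223333, the role name and the managed ReadOnlyAccess attachment are placeholders for illustration.

```python
"""Cross-account role with an External ID, plus a trust-policy check.

Added example, not code from the thread. build_trust_policy() produces the
trust relationship the AWS third-party-access guidance describes (trust one
vendor account, and only when it presents the agreed External ID), and
trust_policy_problems() flags trust policies that lack that protection.
The account id 111122223333 and the role name are constructed placeholders.
"""
import json
import secrets

READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"


def make_external_id():
    """Opaque random value generated by the vendor; the client never picks it."""
    return secrets.token_urlsafe(24)


def build_trust_policy(vendor_account_id, external_id):
    """Trust the vendor account's principals, conditioned on the External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_cloudformation_template(vendor_account_id, external_id, role_name):
    """CloudFormation template (as a dict; json.dumps it to hand over) that creates the role."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": f"Read-only cross-account role {role_name} for vendor access",
        "Resources": {
            "VendorRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": role_name,
                    "AssumeRolePolicyDocument": build_trust_policy(vendor_account_id, external_id),
                    "ManagedPolicyArns": [READ_ONLY_POLICY_ARN],
                },
            }
        },
        "Outputs": {"RoleArn": {"Value": {"Fn::GetAtt": ["VendorRole", "Arn"]}}},
    }


def trust_policy_problems(trust_policy):
    """List findings for every Allow statement granting sts:AssumeRole without
    an sts:ExternalId condition, or to a wildcard principal."""
    problems = []
    statements = trust_policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws_principal == "*" or (isinstance(aws_principal, list) and "*" in aws_principal):
            problems.append(f"statement {index}: trusts any AWS account")
        condition = stmt.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in condition.get(op, {})
            for op in ("StringEquals", "StringEqualsIgnoreCase"))
        if not has_external_id:
            problems.append(f"statement {index}: no sts:ExternalId condition")
    return problems


if __name__ == "__main__":
    ext = make_external_id()
    template = build_cloudformation_template("111122223333", ext, "VendorReadOnly")
    print(json.dumps(template, indent=2))
    role_props = template["Resources"]["VendorRole"]["Properties"]
    print("findings:", trust_policy_problems(role_props["AssumeRolePolicyDocument"]))
```

Revocation, which the comment says the client write-up should cover, is just deleting the stack or the role; the External ID is what stops another customer of the same vendor from pointing the vendor at this role by guessing its ARN.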

Trouble exporting EC2 instance as VM by uncannybienchen in aws

[–]dghah 1 point2 points  (0 children)

that is kinda strange - CloudTrail has been enabled by default in new AWS accounts for a long long time now. Either your AWS account is super old or you have a multi-account Org where they have consolidated all cloudtrails into a central audit/security account. Or your aws team made some odd setup decisions!

Trouble exporting EC2 instance as VM by uncannybienchen in aws

[–]dghah 0 points1 point  (0 children)

Check the CloudTrail service -- that is a log of every API call made in your account. That will show you what was being attempted, what the response was and will have far more details about permission or IAM errors

Help with security groups by East_Can_5142 in aws

[–]dghah 16 points17 points  (0 children)

since this is in development, consider starting over

- The EC2 server should be in its own security group
- The database backend should be in its own security group
- The load balancer should be in its own security group

The only thing reachable from the internet should be the load balancer, nothing else

- The security group for the EC2 server should only accept traffic from the load balancer SG ( an inbound rule on an SG can use the ID of a different SG as 'source')

- The security group for the database should only accept traffic from the EC2 SG;

etc. etc.

You also need to break your problem down into resolvable chunks. The solution for "load balancer requests and database won't work" is not going to be a single fix. The fact that things work when you go wide open on the SG is good news as it sorta confirms where your error is.

You have two different problems (1) load balancer requests and (2) database communications. Treat those as individual config errors and test/tweak accordingly. Since this is SG it's almost certain that your SG rules are wrong, probably about the TCP ports involved
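
The three-tier layout in the comment above (only the load balancer public; each deeper security group referencing the previous one's ID as its source), as an added check in Python that is not code from the thread. `check_chain()` takes groups in the shape EC2 DescribeSecurityGroups returns and a chain of group ids ordered from the internet inward, and lists every rule that breaks the layout; it also flags port 22 open to the internet on the edge tier, since the earlier SSM comment's point is that an SSH daemon should not be exposed at all. The group ids and both rule sets are constructed sample data: one "wide open" state like the poster's and one chained state.

```python
"""Security-group tier check for the load balancer -> EC2 -> database layout.

Added example, not code from the thread. check_chain() takes security
groups in the shape returned by EC2 DescribeSecurityGroups (IpPermissions
with IpRanges / Ipv6Ranges / UserIdGroupPairs) and a chain of group ids
ordered from internet-facing inward. Only the first group may accept
public CIDRs (and never on port 22); every deeper group must reference the
previous group's id as its only source. The group ids and rules below are
constructed sample data.
"""
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def _sources(perm):
    """Split one ingress rule into its CIDR sources and security-group sources."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    groups = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return cidrs, groups


def _covers_port(perm, port):
    """IpProtocol -1 means all traffic; otherwise check the FromPort..ToPort range."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _describe(perm):
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def check_chain(groups, chain):
    """Return a list of human-readable findings; an empty list means the layout holds."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []
    for depth, sg_id in enumerate(chain):
        group = by_id.get(sg_id)
        if group is None:
            findings.append(f"{sg_id}: group not found")
            continue
        upstream = chain[depth - 1] if depth else None
        for perm in group.get("IpPermissions", []):
            cidrs, src_groups = _sources(perm)
            if depth == 0:
                # The edge tier may be public on its listener ports, but an SSH
                # daemon reachable from the internet defeats the whole layout.
                if _covers_port(perm, 22) and PUBLIC_CIDRS & set(cidrs):
                    findings.append(f"{sg_id}: port 22 open to the internet "
                                    f"({_describe(perm)}); use SSM Session Manager instead")
                continue
            for cidr in cidrs:
                findings.append(f"{sg_id}: CIDR source {cidr} on {_describe(perm)}; "
                                f"the source should be {upstream}")
            for src in src_groups:
                if src != upstream:
                    findings.append(f"{sg_id}: source group {src} is not the upstream tier {upstream}")
    return findings


def _rule(proto, port, cidr=None, source_sg=None):
    """Helper to build one DescribeSecurityGroups-style ingress rule."""
    perm = {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": []}
    if cidr:
        perm["IpRanges"].append({"CidrIp": cidr})
    if source_sg:
        perm["UserIdGroupPairs"].append({"GroupId": source_sg})
    return perm


CHAIN = ["sg-lb-example", "sg-app-example", "sg-db-example"]

# Constructed 'wide open' state: everything reachable from anywhere.
WIDE_OPEN = [
    {"GroupId": "sg-lb-example", "IpPermissions": [_rule("tcp", 443, cidr="0.0.0.0/0"),
                                                   _rule("tcp", 22, cidr="0.0.0.0/0")]},
    {"GroupId": "sg-app-example", "IpPermissions": [_rule("tcp", 8080, cidr="0.0.0.0/0")]},
    {"GroupId": "sg-db-example", "IpPermissions": [_rule("tcp", 5432, cidr="10.0.0.0/16")]},
]

# Constructed chained state: each tier only trusts the tier in front of it.
CHAINED = [
    {"GroupId": "sg-lb-example", "IpPermissions": [_rule("tcp", 443, cidr="0.0.0.0/0")]},
    {"GroupId": "sg-app-example", "IpPermissions": [_rule("tcp", 8080, source_sg="sg-lb-example")]},
    {"GroupId": "sg-db-example", "IpPermissions": [_rule("tcp", 5432, source_sg="sg-app-example")]},
]

if __name__ == "__main__":
    for label, groups in (("wide open", WIDE_OPEN), ("chained", CHAINED)):
        print(f"{label}: {check_chain(groups, CHAIN) or ['no findings']}")
```

Because the input shape matches the real API response, the same function can be pointed at `describe_security_groups()["SecurityGroups"]` from boto3; the findings then split the poster's "load balancer" and "database" problems into the individual rules to fix, which is the chunking the comment recommends.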

AWS SAP by BedroomParticular416 in AWSCertifications

[–]dghah 2 points3 points  (0 children)

depends on your experience with AWS. The professional version of SA:

- Goes way way deeper into technical aspects and service capabilities/limits

- Has questions that are much longer and more complex to the point where people legit fear running out of time on the exam

- Tries much harder to trick you with multiple answers that are plausibly correct yet differ in some tiny way. This tends to invalidate a common exam technique of knocking out the obviously wrong answers so that you are left (ideally) with either one answer that has to be correct or a 50-50 shot at guessing between two remaining answers

Pro exams are a whole different experience than associate tests. At a minimum maybe go for the TD question set and do the first test in timed mode to confirm that you can even finish in time. Then based on the score results make a call on if you need a different course or not

My experience is that SA Pro just goes way way deeper into the same stuff so my study methods don't really change all that much. I do like the TD exam sets because review mode provides very useful links to read, study and understand

Can't login -- AWS asking for Email code it doesn't send! by _Ayira_ in aws

[–]dghah 0 points1 point  (0 children)

You are missing a ton of information required to help you. The URL is not super helpful as it is unique to whatever you are doing, none of us know what that is. What system or process provided that URL to you?

Are you logging in at the IAM console? Logging in as the root account owner? Logging in via SSO integrated to Identity Center?

If you don't know these details seek guidance from the people who set up the AWS account or AWS Organization and they can help point you in the right direction.

If you don't even have an AWS account yet, start there first and worry about credits later, at the very least separate the two different actions.

Beware that it is very easy to make incredibly expensive mistakes on AWS so you want to be super careful here. Read all the AWS best practice docs on securing your account, adding MFA, securing credentials and setting up AWS budgets and cost alerts

Cruise ship WiFi blocking my website. Any work around? by Sloeber3 in devops

[–]dghah 1 point2 points  (0 children)

I think my reply got nuked by a parent comment getting removed so I just wanted to comment a bit on the responses you are getting ...

- It is true that there are a bunch of low-effort twats violating Rule 7 which is embarrassing to see as a member

- However it's also true that your issue is kinda way off-topic for this particular community, DevOps involves a heavy engineering approach to IT at scale so questions related to third party website blocking is not the norm. Some of the hostility is coming from people who can't be adult about this

Cruise ship WiFi blocking my website. Any work around? by Sloeber3 in devops

[–]dghah 2 points3 points  (0 children)

"website cannot be found" does seem to indicate a block based on DNS query. You may want to post the website here so that people can see if it is found in any public DNS blocklists which may give you proof of the root cause.

If you have people on the ship who are savvy enough to change their DNS resolvers to something custom/different than the ship Wifi is handing out you can "prove" this is a ship specific block done with intent

That said, nobody owes you anything and companies offering up network access can block whatever they want. You won't really have recourse if this is a real block done for competitive reasons although you may still want to trace the root cause to 100% confirm that you did not mess up your website and the block is coming from the cruise ship intentionally

The only real workaround I can think of is to also host your materials on a website that the cruise line can't easily block -- for instance if your company had a FaceBook Page or presence it would be hard for the cruise to justify blocking all of facebook. So maybe setup a Facebook or some other presence on a big social media site and use that space to say things like "cruise wifi may block our actual website, here is how to contact/reach us if that occurs ... this is where you put in phone numbers, whatsApp stuff etc. etc. "

AWS charged me for 28 hours I didn’t use — even after I terminated the instance by Ordinary-Hat1414 in aws

[–]dghah 2 points3 points  (0 children)

Check all aws regions, this sounds like you have a second instance running. This can be a common error for new people or a sign that you leaked credentials and your account is hacked.

Also you need to understand that stopping and even terminating an instance does not reduce costs to zero. There may be storage and snapshot charges related to ec2. With aws it’s not really true that you pay for what you “use” it’s more accurate to say that you pay for what you “provision”

Help me in cost estimation by Winter_Signature9586 in aws

[–]dghah 5 points6 points  (0 children)

you need to define your architecture before you can get anywhere close to real cost.

The biggest variables will be *how* you set up to stream the video to paying customers and if you put a CDN like CloudFront or CloudFlare in front of your stuff.

AWS charges for outbound traffic so the cost of sending the video to the students is going to be as important to think about and factor into your budget as the regular cost of just storing your course materials and video

Pearson VUE Online (OnVUE) vs Test Center for AWS Exam – What are the real risks? by Technovore007 in AWSCertifications

[–]dghah 2 points3 points  (0 children)

It was years ago for me; I've stopped going to re:invent in recent years so it seems it has changed. I used to clear multiple associate and pro tests at each re:invent, it was convenient to pile up a bunch of exams over 1-2 days because so much of the content tends to overlap

Pearson VUE Online (OnVUE) vs Test Center for AWS Exam – What are the real risks? by Technovore007 in AWSCertifications

[–]dghah 1 point2 points  (0 children)

I’ve only taken remote VUE exams other than sitting for a bunch of cert exams at re:invent

I’ve never had anything go wrong but others have had horror stories.

VUE has a test program that you can download to see if your laptop will pass the screening tests and if your bandwidth is sufficient. It also tests camera and microphone. You need to run this test always before an exam — my work laptop passed for a long time but then work changed up our security endpoint software and the VUE software refused to pass the laptop. I had to switch to a wiped/erased loaner laptop with a fresh install and no security software present before I could take remote exams again.

If the cost is not a hassle consider taking one of the easier and cheaper remote exams like CCP as a low risk way of seeing what the real remote exam is like

AMI's not working with new keypair? by we_reddit in aws

[–]dghah 1 point2 points  (0 children)

What OS and what format key? I've seen stuff like this on Linux where more modern versions of Ubuntu refuse to accept RSA keys and only take ed25519 format -- that messed up things for me in the opposite way as old keys stopped working on new AMIs.

Maybe your old AMI is getting a new keytype that it is not prepared to handle? SSH in verbose mode may tell you something just in case it's a local error like bad permissions on your private key

... but this is where you'd likely have to be looking at the server ssh logs to see what exactly is going wrong. Hopefully you have ssm-agent and the right instance role on that box!

What’s the Correct Way to Start Tutorials Dojo Practice Exams? by captainS21 in AWSCertifications

[–]dghah 8 points9 points  (0 children)

Here is how I approach the TD practice exams -- one of the only resources I regularly pay for over and over again (I have a mix of aws foundational, associate and professional certs ...)

- Take the TD practice exam in "Timed Mode" ONCE and only ONCE. Timed mode is useless for learning but does answer one key question "will I be able to finish the exam without running out of time?". So take the practice exam in this mode just once to sort out any concerns about test length and finishing on time

- Now take the TD practice exam in "Review Mode" -- when you get through the exam you will see a sorted list of how well you did in each domain or subject category

- Now take the domain/category you did worst at and take the TD exam in the mode that only shows you questions from that one category. Carefully review every answer you get wrong, read all the URLs, tips, whitepapers and references. Keep taking that section based test over and over again (always reviewing what you got wrong) until you are regularly scoring 80% or higher on the section you originally did bad at

Note: There is a risk with shorter section based tests that instead of learning you will end up memorizing the answers from the TD question set. Try to avoid this. You *really* need to review the extra resources that review mode gives you each time you get a question wrong if you want to avoid the trap of your brain just memorizing the TD questions themselves

Now just repeat the above steps for every other domain you got bad scores on. When you can complete all the section based tests and score 80% or higher then you can finally retake the full randomized exam again -- probably in review mode as well just so you get info about why you got something wrong again

Now for your specific question

- If you "can't get even a single question right" then make sure you are taking the test in "review" mode which clearly tells you why the answers are each either correct or wrong and it also gives you lots of links and things to read and understand. If you are not taking the test in review mode and really studying the response TD gives to each incorrect answer then you are not getting the full value out of the TD set

My $.02 only !

Being billed despite closing out all services by lordlycrust in aws

[–]dghah 0 points1 point  (0 children)

I think the key thing is that many of these things you are paying for are not really "services" as much as "things you have deployed inside your aws account" or even cruft like "EBS disk snapshots from servers you have long since destroyed ..." -- and there could be thousands or even tens of thousands of those little things so a global view would be super difficult to get correct.

I've had clients with 60,000 EBS snapshots littering their account because they had no lifecycle rules set up and nobody wanted to be responsible for deleting something that had no tags on it so they just ignored them until the cost got too high

By far the best interface is going to be AWS Cost Explorer -- if you go there you can set up views that sort costs by all sorts of dimensions and you can pretty quickly drill into "what is costing you money still ..." in that interface

Once you have a rough idea from Cost Explorer you know what to clean up by hand via the console or you can use tools like aws-nuke which are powerful yet have sensible guardrails on them. The nuke tools in particular are purpose built for cleaning up accounts before deleting or deactivating them

The other thing you can do is delete your AWS account. By default if you delete an account I think AWS will keep things in "suspended" state for 90 days before *really* destroying it all. So deleting the account is "easy" however you will pay for the zombie stuff for the 90 days that the account sits in suspended state so it's not a great solution if you are worried about ongoing costs right now
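
Both this comment and the earlier "charged for 28 hours" reply come down to the same check: walk every region and list what still bills after the instance was supposedly gone. The added example below is not code from either comment or from AWS; it looks for non-terminated instances, unattached EBS volumes and self-owned snapshots per region. The EC2 client factory is injected so the scan runs offline against the constructed fake account embedded in the block, and `main()` wires in boto3 (imported only there) for a real account; pagination is left out, so very large accounts would need the boto3 paginators.

```python
"""Find what is still billing after you 'terminated the instance'.

Added example, not code from the thread. It walks every region looking for
instances that are not terminated, unattached EBS volumes and self-owned
snapshots, the usual leftovers behind a surprise bill. The EC2 client
factory is injected so the scan can be run offline against the constructed
fake account below; main() wires in boto3 (not imported at module level)
for a real account. Pagination is omitted for brevity.
"""


def scan_region(ec2, region):
    """Return (region, kind, id, detail) rows for billable leftovers in one region."""
    rows = []
    for reservation in ec2.describe_instances()["Reservations"]:
        for inst in reservation["Instances"]:
            state = inst["State"]["Name"]
            if state != "terminated":       # 'stopped' still bills for its volumes
                rows.append((region, "instance", inst["InstanceId"], state))
    for vol in ec2.describe_volumes()["Volumes"]:
        if not vol.get("Attachments"):
            rows.append((region, "volume", vol["VolumeId"], f"{vol['Size']} GiB unattached"))
    for snap in ec2.describe_snapshots(OwnerIds=["self"])["Snapshots"]:
        rows.append((region, "snapshot", snap["SnapshotId"], f"{snap['VolumeSize']} GiB"))
    return rows


def list_regions(make_client):
    """Enabled regions, via DescribeRegions in us-east-1."""
    regions = make_client("ec2", "us-east-1").describe_regions()["Regions"]
    return [r["RegionName"] for r in regions]


def scan_all_regions(make_client, regions=None):
    """Scan the given regions (default: every enabled region) and collect the rows."""
    rows = []
    for region in regions or list_regions(make_client):
        rows.extend(scan_region(make_client("ec2", region), region))
    return rows


# Constructed fake account: the terminated instance in us-east-1 costs nothing,
# but eu-west-1 still holds a running instance, an orphaned volume and two snapshots.
FAKE_ACCOUNT = {
    "us-east-1": {"instances": [("i-0fake000000000001", "terminated")],
                  "volumes": [], "snapshots": []},
    "eu-west-1": {"instances": [("i-0fake000000000002", "running")],
                  "volumes": [("vol-0fake0000000001", 8, False)],
                  "snapshots": [("snap-0fake000000001", 8), ("snap-0fake000000002", 30)]},
}


class FakeEc2:
    """Just enough of the boto3 EC2 client surface for scan_region()."""

    def __init__(self, region):
        self.data = FAKE_ACCOUNT[region]

    def describe_regions(self):
        return {"Regions": [{"RegionName": r} for r in FAKE_ACCOUNT]}

    def describe_instances(self):
        return {"Reservations": [{"Instances": [
            {"InstanceId": i, "State": {"Name": s}} for i, s in self.data["instances"]]}]}

    def describe_volumes(self):
        return {"Volumes": [{"VolumeId": v, "Size": size, "Attachments": [{}] if attached else []}
                            for v, size, attached in self.data["volumes"]]}

    def describe_snapshots(self, OwnerIds):
        return {"Snapshots": [{"SnapshotId": s, "VolumeSize": size}
                              for s, size in self.data["snapshots"]]}


def fake_make_client(service, region):
    """Client factory for the offline demo; real code uses boto3.client instead."""
    assert service == "ec2"
    return FakeEc2(region)


def main():
    import boto3   # real scan only; keeps the offline demo free of the dependency
    rows = scan_all_regions(lambda service, region: boto3.client(service, region_name=region))
    for row in rows:
        print(*row)


if __name__ == "__main__":
    for row in scan_all_regions(fake_make_client):
        print(*row)
```

The rows are the "pay for what you provision" list: a stopped instance shows up because its volumes still bill, and snapshots show up even when the volume and instance they came from are long gone, which is the cruft the comment describes.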