#aws (2018-11)

aws Discussion related to Amazon Web Services (AWS)

aws Discussion related to Amazon Web Services (AWS) Archive: https://archive.sweetops.com/aws/

2018-11-30

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
11:10:49 PM

@Erik Osterman (Cloud Posse) set the channel purpose: aws Discussion related to Amazon Web Services (AWS)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
11:34:35 PM

@Erik Osterman (Cloud Posse) set the channel topic: aws Discussion related to Amazon Web Services (AWS)

2018-11-28

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
New – Amazon CloudWatch Logs Insights – Fast, Interactive Log Analytics | Amazon Web Services attachment image

Many AWS services create logs. Off the top of my head there are VPC Flow Logs, Route 53 Logs, Lambda Logs, CloudTrail Logs (for AWS API calls), RDS Logs, IoT Logs, ECS Logs, API Gateway Logs, and S3 Server Access Logs, EC2 Instance Logs (via the CloudWatch Agent), to name a few. The services that […]

joshmyers avatar
joshmyers

@Andriy Knysh (Cloud Posse) that looks super sweet!

2018-11-27

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
Everything you need to know about AWS re:Invent 2018 attachment image

Amazon Web Services is rolling out new services at a rapid clip, highlighting custom ARM processors and adding to its suite of Internet of things tools.

2
:--1:1

2018-11-26

Nikola Velkovski avatar
Nikola Velkovski
New Service: AWS Transfer for SFTP, a fully managed SFTP service for Amazon S3

Introducing AWS Transfer for SFTP, a fully managed SFTP service for Amazon S3. AWS Transfer for SFTP enables you to easily move your file transfer workloads that use the Secure Shell File Transfer Protocol (SFTP) to AWS without needing to modify your applications or manage any SFTP servers.

:--1:1
Nikola Velkovski avatar
Nikola Velkovski

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
New Service: AWS Transfer for SFTP, a fully managed SFTP service for Amazon S3

Introducing AWS Transfer for SFTP, a fully managed SFTP service for Amazon S3. AWS Transfer for SFTP enables you to easily move your file transfer workloads that use the Secure Shell File Transfer Protocol (SFTP) to AWS without needing to modify your applications or manage any SFTP servers.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Andriy Knysh (Cloud Posse) duplicate (see above)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

do you have the link to mongodb announcement

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

ah yes

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)

it’s not announcement yet, just speculations, but prob will happen https://seekingalpha.com/news/3410999-aws-develops-new-services-amid-open-source-pushback

AWS develops new services amid open-source pushback

Amazon (AMZN -4.3%) continues to use open-source software to build out AWS despite tensions with the open-source community, according to The Information.AWS is reportedly developing two new cloud serv

2
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Any recommendations for sites summarizing all announcements from reinvent?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
r/aws

r/aws: News, articles and tools covering Amazon Web Services (AWS), including S3, EC2, SQS, RDS, DynamoDB, IAM, CloudFormation, Route 53, CloudFront, Lambda, VPC, Cloudwatch, Glacier and more.

2018-11-23

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
New AWS Resource Access Manager – Cross-Account Resource Sharing | Amazon Web Services attachment image

As I have discussed in the past, our customers use multiple AWS accounts for many different reasons. Some of them use accounts to create administrative and billing boundaries; others use them to control the blast radius around any mistakes that they make. Even though all of this isolation is a net positive for our customers, […]

2018-11-22

joshmyers avatar
joshmyers

Fits nicely with geodesic

pecigonzalo avatar
pecigonzalo

NIce

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

That’s awesome!

joshmyers avatar
joshmyers

I note that it isn’t yet supported in Terraform, would be a small PR. The vendored version of aws-sdk supports it too. Maybe interesting in terms of geodesic. What could that mean for the audit account? That would need to be the org master account

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Audit account is just the sink. I presume you enable it in the master but ship it to the sink.

2018-11-20

2018-11-19

pecigonzalo avatar
pecigonzalo

@Tee we do something just like this. Client-> VPN -> AWS

We just have 2 unbound recursive servers running that FW->AWS DNS and only send *.ourdomain or *.internal.whatever and *.awsinternaldomains to them

joshmyers avatar
joshmyers

Does it need to be a VPN? If you want auth in front of a static website you could use CloudFront/Lambda/S3 and have it serverless.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@Tee, similar to @joshmyers point, the Identity-Aware Proxy (IAP) approach is advantageous over the VPN approach. It’s like having a point-to-point VPN whereby exactly one service is exposed and behind auth.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

This is the “BeyondCorp” model pioneered at Google. I can share more if it sounds interesting.

Tee avatar

It interesting @Erik Osterman (Cloud Posse) but our company is more likely want to stay away from Google services as much as they can. Is beyondcorp opensourced

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It’s more of a concept than a technology

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It’s not owned by google

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

There are open source implementations

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

As well as SaaS

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

CloudFlare Argo

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

duo access

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Google IAP

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

AWS ALBs support cognito now

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

It was coined at Google because they have a large intranet. So large that if they used a VPN it would be indistinguishable from the public internet. As such, it made it impractical to use VPNs to provide secure, remote access with limited scope

pecigonzalo avatar
pecigonzalo

:–1: to this approach, we do it that way with IAP or similar as much as we can

pecigonzalo avatar
pecigonzalo

we only have the VPN to host a legacy system

Tee avatar

Thanks

2018-11-18

maarten avatar
maarten

I think that should be possible. Openvpn can push a DNS option to the vpn client. So either you push the AWS DNS server as an option and push a route for that IP. Or you host a DNSMASQ daemon on your VPN instance and push that IP as DNS to your clients.

Not AWS but similar: https://superuser.com/questions/1090216/internal-domain-on-openvpn-with-dnsmasq

Internal Domain on OpenVPN with Dnsmasq

I’m trying to get dnsmaq and OpenVPN working together on DigitalOcean. I want to create a VPN that forwards the requests that end with *.local to the droplet and the others to be resolved by Google…

Tee avatar

I can create wild card ssl certs *.internal.domain.com> and renew them even year manually so it looks like <https://something.internal.domain.com as its private hosted route53 domain attached to vpcs. Its not resolved outside vpcs. Right now i can ping inside vpc on ec2 instances but not in web browser

Tee avatar

Do you think this is possible @maarten

maarten avatar
maarten

What exactly ?

Tee avatar

The above @maarten

Tee avatar

Right now i can ping internal domain names from ec2 instances with in vpc

maarten avatar
maarten

I think I did answer that question already, haven’t I ?

Tee avatar

But the same link is not resolved or webpage is not shown in chrome

Tee avatar

When connected to vpn

maarten avatar
maarten

Yes, but did you read what I mentioned regarding DNS & VPN ?

Tee avatar

It tried that but let me try with the link you sent

Tee avatar

Thanks

Tee avatar

Thanks @maarten

Steven avatar
Steven

For a private domain there is no need for anything public or even any normal domain root. In the past I’ve used <env>.<company>.aws for private domains and issue our own SSL certs with any length of life that is desired. Depending on service, have ranged between 1 and 20 years for service certs as well as using a wildcard one.

maarten avatar
maarten

What you can also do is just use a public visible domain btw, not sure what the security context is but that will work too.

1

2018-11-17

Tee avatar

Hey guys i have a question. Is it possible to create a private dns route 53 address and resolve it as static website in web browser internally behind vpn

Tee avatar

with added alb or without alb

2018-11-07

Andriy Knysh (Cloud Posse) avatar
Andriy Knysh (Cloud Posse)
New Lower-Cost, AMD-Powered M5a and R5a EC2 Instances | Amazon Web Services attachment image

From the start, AWS has focused on choice and economy. Driven by a never-ending torrent of customer requests that power our well-known Virtuous Cycle, I think we have delivered on both over the years: Choice – AWS gives you choices in a wide range of dimensions including locations (18 operational geographic regions, 4 more in […]

2018-11-04

2018-11-01

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
08:16:34 PM
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Just saw this… with the new Amazon AMEX, get 5% cashback AWS

1
markmutti avatar
markmutti

@Erik Osterman (Cloud Posse) Whoa, good looking out!

    keyboard_arrow_up