#aws (2018-12)

anyone have any good alternatives to https://github.com/tmobile/pacbot ? I’ve tried getting pacbot setup numerous times and no luck.

@Gabe not really asset mgmt, but CVE complaince checking - have used https://github.com/future-architect/vuls before which was pretty nice

and re compliance for AWS account stuff - https://github.com/alphagov/pay-aws-compliance

Vuls runs on every node for CVE aggregation and dumps reports to S3. pay-aws-compliance runs as a scheduled lambda function against an AWS account and pulling these reports and emails operators if something is not in compliance.

awesome thanks @joshmyers i’ll check them out

It doesn’t look as pretty as pacbot

haha but i’m sure it works better

i’ve tried once a week every week to install pacbot and every time i get an error

https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-virtual-private-clouds-can-now-be-shared-with-other-aws-accounts/

https://aws.amazon.com/dms/

@daveyu

@daveyu has joined the channel

TIL don’t try to use the s3 bucket url (even though AWS only auto completes this) in a Cloudfront distribution pointing to a s3 website… be sure to use the s3 website endpoint url!

It’s easy to know you are doing it wrong… you will be greeted with an Access Denied XML page on your cloudfront distribution url if you did the former

@Erik Osterman (Cloud Posse) have you setup an EC2 health check feed into slack before?

yes - quite easily done

or wait, i thought you mean the status page for EC2

(rss)

… if that’s the case, just use the /feed command to add the RSS feed (after adding the app)

we do something like this for #releases

No, instance health/status

Looking for any tips before we dive in

so that would be SNS notifications, no?

Yes, and presumably a lambda to post

cloudwatch -> sns -> lambda

ya

I was hoping you would say: absolutely, heres our a proven TF module

https://github.com/cloudposse/terraform-aws-sns-lambda-notify-slack

so we’ve used this module to send SNS alarms to slack

so now, you just gotta whip up the cloudwatch part

we have some examples for that. sec.

@sarkis wrote them

https://github.com/cloudposse/terraform-aws-alb-target-group-cloudwatch-sns-alarms/blob/master/alarms.tf

EC2 health check

hrm…

yes, one sec

https://github.com/cloudposse/terraform-aws-ec2-instance/blob/master/cloud_watch_alarm.tf

this implements one for StatusCheckFailed_Instance

now need to glue the parts together. maybe someone else has written a module though… haven’t looked

(check the registry)

ya, thats my next step

do let me know what you find

it would be sweet to get those notices into slack

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html

Finally

apparently it’s openvpn behind the scenes

They promised to deliver it before holidays during this re:invent. Looks promising! $108 per single user full-day connection at least. Not sure how comparable it is to existing OpenVPN setup which has to be maintained.

lol, that’s scary expensive

A good Openvpn module is missing, but they have an okish commercial byol and it would suck for them to have something free competing.

we use the pfsense ami in aws that uses the openvpn client

its not a bad setup

and theres an aws vpn integration piece

If I understand correctly you pay per time you actually use VPN per user, so it should be cheaper on week-ends, for example. Still expensive?

I have not used VPN on AWS for the last 3 years Last time I used it in Russia where linkedin was blocked

https://aws.amazon.com/marketplace/pp/B076TCMRWJ?qid=1545317976838&sr=0-1&ref_=srh_res_product_title

you pay for the instance and then pay for the software/hr depending on instance size

If you use it together with a few alarms it’s probably totally ok. What you don’t want is that johnny and his team forget about the vpn connections and just add the office manager’s salary to the monthly bill

pfsense’s one cost $288 in total per month, which is $0,34/hour

the caveat to this, is that im sure you pay for the internet traffic hitting the vpn etc. but thats where you would want to use a split tunnel

t2.medium $0.08 $0.046 $0.126

But wait,, this means tha tif the instance is down then the vpn is down as well ?

yea so y ou want to try to setup HA with it

exactly, as typical service you have to manage…

truue

I’ll be waiting for lambda vpn

pfsense also comes with other stuff liek a FW and whatnot

not just manage but, it can become a bottleneck due to network limit per instance type.

I wishlisted AWS Lambda with GPU support, didn’t happen…

so It doens’t really sound like a cool thing to have to route all the traffic through one instance.

yea i guess it depends on your budget cause im sure the aws service isnt cheap

where the link for the lamda vpn thing

it was a joke

that is what we are trying to compare now $288 for manage it yourself for unlimited users vs $108 per single user, no management requried.

i guess you could also look at https://www.netgate.com/support/

probably talk them down in price

hmmm then , taking into consideration the management costs and possible incidents should be taken into account.

and that is hard to convert into money usually

yes, true, for such critical piece as VPN tend to be

When updating the Launch Configuration on an AutoScaling group, it seems like the only way to complete the deployment is to change the min instances to double the size, wait for the new ones to spin up, and then change the min back to what’s expected. Is there a better way to accomplish this?

Looks like CloudFormation has support for that

Yes, I don’t believe there’s a way to use launch configurations to trigger a rebuild of an ASG.

Change ASG name to be recreated every time new LC is created… see var.recreate_asg_when_lc_changes - https://github.com/terraform-aws-modules/terraform-aws-autoscaling/blob/master/main.tf#L34

Would someone be interested to do a project together on the ASG Launch Configuration update. Thinking of a module with a Lambda / Step functions. A full ASG recreate is just too heavy sometimes.

That would be pretty neat @maarten .

Have you seen our latest terraform external artifact module? Makes it easy to distribute and deploy complex lambdas without baking zips into git

Novice question. Why do the ephemeral ports on an inbound ACL rule for a private subnet need to have a source of 0.0.0.0/0, when the traffic is coming from a NAT Gateway that should be running within the same VPC on a public subnet? Setting the source to the VPC CIDR doesn’t seem to work.

@Igor is your question related to a specific module or in general ?

general question

Ah ok, are you talking NACL or Security Group now btw. For both I don’t have an answer tbh, would love to replicate your issue however.

I do know that a NLB will most likely send the traffic through as if it would originate from the source. So for NLB I see the point.

But I was under the impression that one can change the rules the way they want them, without limitations, so I’d like to know what’s going on .

I’m talking about NACLs. I was stuck on an issue with my config, and setting the source to 0.0.0.0/0 on private subnet NACL fixed the issue for me. I referred to https://docs.aws.amazon.com/vpc/latest/userguide/vpc-recommended-nacl-rules.html and sure enough, it recommends this configuration as well

Hardening with NACLs is tricky, and I personally would never start working on them unless someone is really requesting me to do so. Even when I had AWS consultants over auditing multiple times, NACLS were never part of the audit.

What is the reason you want to use them ?

Security, but I am also trying to make sense of how the AWS NAT Gateway works.

I’m pretty sure things are locked down regardless of ACL rules given that there is no route to the IGW from the private subnet

is the nat gw working for you now ?

Yup, got it to work by changing the source of the NACL rule for ephemeral ports.

I don’t think NAT is being translated both ways normally.

so you would still receive from an outside IP and you would need to allow traffic from it in your private subnet

Makes sense