#aws (2023-04)

Any nginx experts here ??

re: Customer managed KMS Keys – i know they cost $1/key/month. If i rotate a key every year or ## of months, am i charged $1/month for every prior version? assuming yearly rotation:

• year 1 = 1 key = $12

• year 2 = 2 keys = $24

• year 3 = 3 keys = $36

• year 4 = 4 keys = $48

• etc. ?

Hi everyone! I’m using parameter store for storing secret, but I found that adding each secret to the policy for each role is quite tiring, so I wonder how does everyone setup their ACL? Do you recommend using ABAC https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html?

TIL about document history in the AWS Docs.

Examples below. Hope it helps!

https://docs.aws.amazon.com/AmazonS3/latest/userguide/WhatsNew.html https://docs.aws.amazon.com/eks/latest/userguide/doc-history.html

Hi all, We are facing some authentication issue while login the linux server, we are using AD credentials to login, I’m able to login other server without any issues but i having only issue with one server, while checking the logs i could see the account is expired, since the server integrated with AD , I’m not able to modify the user password and all. If i change the password in the server , does it change entire AD password?? Or can anyone give some suggestions about activating the expired account !!

Hello, Instances are not communicating with elasticbeanstalk, i have the same setup which is working good for other application, for new deployment its not.. getting the below error. expecting help on this.

The EC2 instances failed to communicate with AWS Elastic Beanstalk, either because of configuration problems with the VPC or a failed EC2 instance. Check your VPC configuration and try launching the environment again.

but i verified the network configurations are good, as the same is working for another deployment. there is no change in that..

Hi folks, dealing with some permission issues with AWS Organizations. I wonder if someone could share some insights. My current organizational structure: root (r-123) / sandbox_ou (ou_123abc) / developer_ou (ou_321abc) / dev_aws_account I’m getting permission errors when I try to create OUs or accounts within the developer_ou from the dev_aws_account. In terms of policies, I only have “FullAWSAccess” in “Service control policies” which is attached to Root. Any input would be appreciated. Thanks!

Hi is there a way to see raw Prometheus metrics on AWS managed Prometheus?

i want to access AMP’s dashboard but i can’t

but i want to have access to Raw metrics

I am not sure about AWS Managed Grafana

Hi! im trying to create somre rds with this module cloudposse/rds/aws from a snapshot, this snapshot was replicated from another region. The problem is the original snapshot contains backup_retention_period = 1 (for replicate the snapshot in the terraform-test region). I dont need backups in the terraform-test region (expensive) If i try to put backup_retention_period to 0 terraform tries to set the retention period to 1 again, i want to ignore changes in backup_retention_period… so i tryied to modify the module and making a PR but “dynamic lifecycle ignore_chances” is not way posible, any ideas to work around this?

Hello! I’d love to get feedback from the channel on our open source launch. We’re launching IAMbic (IAM, but in code), it’s a multi-cloud control plane that simplifies IAM management in a GitOps workflow. It’s like Terraform for Cloud IAM, but designed to be way easier and support cool features like delegated temporary access/permissions, dynamic AWS permissions for a multi-account AWS role depending on the account, and other features. Right now we’re supporting AWS IAM, Identity Center, Okta, Azure AD, and Google Workspace. Here’s the GitHub. Would you use it?

Anyone have any opinions they care to share about AWS’ Black Belt program?

Hi all!

I’m currently working on integrating Amazon Cognito with my application and I’m attempting to send custom emails after specific user events occur. However, I have run into an issue while trying to trigger the CustomEmailSender function after using the adminCreateUser API call in the pre-signup lambda. The lambda never executes and I am trying to figure out why. Note that the same lambda is executed and the confirmation code is sent successfully if I fire an forgot password event with the following aws-cli command: aws cognito-idp forgot-password --client-id myClientId --username [[email protected]](mailto:[email protected])

This is the block I use in the pre signup lambda to create a user:

    const cognitoIdp = new CognitoIdentityServiceProvider();
    return cognitoIdp.adminCreateUser(params).promise();

Sharing my CustomEmailSender lambda code below:

const base64 = require('base64-js');
const sendgrid = require('@sendgrid/mail');
const encryptionSDK = require('@aws-crypto/client-node');
const { getSecretValue, getParameterValue } = require('./helpers');

const { decrypt } = encryptionSDK.buildClient(
  encryptionSDK.CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT
);

const generatorKeyId = process.env.KEY_ALIAS;
const keyIds = [process.env.KEY_ARN];
const keyring = new encryptionSDK.KmsKeyringNode({ generatorKeyId, keyIds });


const sendEmail = async (to, code, SendGridAPIKey, locale) => {
  // Other locales should come here.
  let parameterStorePath;
  if (locale === 'he') {
    parameterStorePath = process.env.SENDGRID_FORGOT_PASSWORD_HE_TEMPLATE_ID_PARAMETER_PATH;
  } else {
    parameterStorePath = process.env.SENDGRID_FORGOT_PASSWORD_EN_TEMPLATE_ID_PARAMETER_PATH;
  }

  const templateName = encodeURIComponent(parameterStorePath);
  const templateId = await getParameterValue(templateName);

  const email = {
    to: to,
    from: '[email protected]',
    templateId: templateId,
    dynamicTemplateData: {
      password_reset_link: code,
    },
    subject: 'Cognito Identity Provider registration completed',
  };
  try {
    sendgrid.setApiKey(SendGridAPIKey);
    await sendgrid.send(email);
    console.log(`Email sent to ${to}`);
  } catch (err) {
    console.error(`Error sending email to ${to}: ${err}`);
    throw err;
  }
};


exports.lambdaHandler = async (event) => {
  console.info(`userPoolId: ${event.userPoolId}`)
  console.info(`triggerSource: ${event.triggerSource}`)
  console.info(`event: ${JSON.stringify(event)}`)
  console.info(`request: ${JSON.stringify(event.request)}`)

  if (event.triggerSource === 'CustomEmailSender_ForgotPassword') {
      await handleForgotPassword(event.request)
  } else {
      console.error(`Unsupported triggerSource: ${event.triggerSource}`)
  }

  return event;
};

  const handleForgotPassword = async (request) => {
    const sendGridSecretName = process.env.SENDGRID_API_KEY_SECRET_NAME
    const sendGridApiKey = await getSecretValue(sendGridSecretName);

    // decrypt confirmation code
    let confirmationCode
    if (request.code) {
        const { plaintext } = await decrypt(
            keyring,
            base64.toByteArray(request.code)
        )
        confirmationCode = plaintext
    }
    if (!confirmationCode) {
        console.error('failed to decrypt confirmation code')
        return
    }

    // send email by SendGrid
    await sendEmail(
        request.userAttributes.email,
        Buffer.from(confirmationCode).toString('utf-8'),
        sendGridApiKey,
        request.userAttributes.locale
    )
}

anyone use twingate to grant access to AWS resources?

Hi all, is there any lampda available for deleting the old snapshots in our repo??

hello all, for aws site to site vpn do I still need static IP or can I set it with dynamic ?

we had 8 mins outage on rds aurora serverless v1. I see only this in log:

Your Aurora Serverless DB cluster has automatically recovered.

any advice to prevent this in future?

Hey friends, I wanted to share a quick tip for anyone looking to extract permissions after an AWS installation. I created a Python script and wrote an article on Medium that explains how to easily find the permissions using CloudTrail. If you’re in need of something like this, here’s the link. https://medium.com/@diego_maia/discovering-used-permissions-creating-dynamic-aws-iam-policies-with-python-27e089097b81

in organization suspended an account. when it will vanish from the list ? How can I delete it totally ?