Saturday, May 20, 2017

AWS Powershell Tools Snippets: S3 Multipart Upload Cleanup

My company does quite a bit with AWS S3. We use it to store static files and images, we push backups to it, we use it to deliver application artifacts, and the list goes on.

When you push a significant amount of data to and from S3, you're bound to experience some network interruptions that could stop an upload. Most of the time S3 clients will recover on their own, but there are some cases where they might struggle.

Saturday, May 13, 2017

WannaCry: Finding where SMB is allowed in AWS

WannaCry is the latest ransomware to sweep the internet and cause lots of excitement. As occasionally happens with well-publicized security events like this, I got to hear a former firewall admin's favorite words: "Can you please take away a bunch of network access?" What fun!

I love blocking traffic as much as the next guy, but it's not a great idea to just change firewall rules willy-nilly. You should always spend a little time thinking about the impact and looking at what access it's prudent to remove. In this post I'll list a couple of the commands I used to poke around our AWS Security groups and find where SMB was allowed.

Thursday, May 11, 2017

Auditing AWS IAM Users

Like any other company with sensitive data we go through audits pretty regularly. The latest one included some questions about accounts that have access to sensitive data, and the number of auth factors required to log into them.

As usual I started digging around in the AWS Powershell Tools to find a way to make this job easier than just manually looking through accounts, and I quickly found Request-IAMCredentialReport and Get-IAMCredentialReport.

Saturday, April 15, 2017

AWS Powershell Tools Snippets: Powershell Pipes

I'm on another AWS Powershell tools rant. Hopefully after reading this blog post you'll share my appreciation for how useful they are.

Powershell takes the idea of piping commands together (sending the output of one command directly to the input of another) to a whole new level of useful. If you aren't familiar with the concept, it's a great way to make your commands dynamic and intricate. Let's walk through an example.

Saturday, April 8, 2017

Building a Docker container for easy SSH into Opsworks Stacks

Part of the concept behind Opsworks is the ability to create and destroy instances dynamically. If your instances are configured by Chef recipes all the way from AMI to processing production workload, this is probably something you do pretty regularly.

But this probably means that the IP addresses behind your instances change regularly. At some point you might get tired of constantly going back to the Opsworks console to get an IP address; I know I did.

Sunday, March 26, 2017

AWS Codepipeline: Alert on Stage Failure

We've been using AWS Codepipeline for some time now and for the most part it's a great managed service. Easy to get started with and pretty simple to use.

That being said, it does lack some features out of the box that most CICD systems have ready for you. The one I'll be tackling today is alerting on a stage failure.

Saturday, March 18, 2017

Building CodePipelines with Cloudformation: What's my configuration?

My company started using AWS Codepipeline as a somewhat reluctant PoC. It's not a full-featured CICD service, but it is incredibly cost effective and easy to get started with. Amazon's recent release of invoking Lambda functions makes it much more flexible.

We've been using Codepipeline for several months now, and with it starting to look like a longer-term solution for us, some of the AWS Console limitations are becoming prohibitive. For example, you can't move an action around in a stage in the console. Your only option is to delete and recreate the action where you wanted it to be.

Fortunately, most of these struggles are solved by creating your Pipelines in Cloudformation!