Saturday, May 20, 2017

AWS Powershell Tools Snippets: S3 Multipart Upload Cleanup

My company does quite a bit with AWS S3. We use it to store static files and images, we push backups to it, we use it to deliver application artifacts, and the list goes on.

When you push a significant amount of data to and from S3, you're bound to experience some network interruptions that could stop an upload. Most of the time S3 clients will recover on their own, but there are some cases where it might struggle.

Saturday, May 13, 2017

WannaCry: Finding where SMB is allowed in AWS

WannaCry is the latest ransomware to sweep the internet and cause lots of excitement. As occasionally happens with well-publicized security events like this, I got to hear a former firewall admin's favorite words: "Can you please take away a bunch of network access?" What fun!

I love blocking traffic as much as the next guy, but it's not a great idea to just change firewall rules willy-nilly. You should always spend a little time thinking about the impact and looking at what access it's prudent to remove. In this post I'll list a couple of the commands I used to poke around our AWS security groups and find where SMB was allowed.

Thursday, May 11, 2017

Auditing AWS IAM Users

Like any other company with sensitive data we go through audits pretty regularly. The latest one included some questions about accounts that have access to sensitive data, and the number of auth factors required to log into them.

As usual I started digging around in the AWS Powershell Tools to find a way to make this job easier than just manually looking through accounts, and I quickly found Request-IAMCredentialReport and Get-IAMCredentialReport.

Saturday, April 15, 2017

AWS Powershell Tools Snippets: Powershell Pipes

I'm on another AWS Powershell tools rant. Hopefully after reading this blog post you'll share my appreciation for how useful they are.

Powershell takes the idea of piping commands together (sending the output of one command directly to the input of another) to a whole new level of useful. If you aren't familiar with the concept, it's a great way to make your commands dynamic and intricate. Let's walk through an example.

Saturday, April 8, 2017

Building a Docker container for easy SSH into Opsworks Stacks

Part of the concept behind Opsworks is the ability to create and destroy instances dynamically. If your instances are configured by Chef recipes all the way from AMI to processing production workload, this is probably something you do pretty regularly.

But this probably means that the IP addresses behind your instances change regularly. At some point you might get tired of constantly going back to the Opsworks console to get an IP address; I know I did.

Sunday, March 26, 2017

AWS Codepipeline: Alert on Stage Failure

We've been using AWS Codepipeline for some time now and for the most part it's a great managed service. Easy to get started with and pretty simple to use.

That being said, it does lack some features out of the box that most CICD systems have ready for you. The one I'll be tackling today is alerting on a stage failure.

Saturday, March 18, 2017

Building CodePipelines with Cloudformation: What's my configuration?

My company started using AWS Codepipeline as a somewhat reluctant PoC. It's not a full-featured CICD service, but it is incredibly cost effective and easy to get started with. Amazon's recent addition of Lambda function invocation makes it much more flexible.

We've been using Codepipeline for several months now, and with it starting to look like a longer-term solution for us, some of the AWS Console limitations are becoming prohibitive. For example, you can't move an action around in a stage in the console. Your only option is to delete and recreate the action where you wanted it to be.

Fortunately, most of these struggles are solved by creating your Pipelines in Cloudformation!

Sunday, March 12, 2017

AWS CLI: Table Output

Earlier today I stumbled on an AWS CLI feature I hadn't noticed before, the "output" flag.

The default value of this flag is json, which is probably what you want most of the time. It makes it pretty easy to manipulate and pull out the data you need.

Saturday, March 4, 2017

AWS Powershell Tools Snippets: CodeBuild Cloudwatch Logs

We've been using AWS CodeBuild to run Java Maven builds almost since it came out. It's great when it works, but when Maven has a problem it can be pretty difficult to sift through logs in the Cloudwatch console.

Saturday, February 11, 2017

AWS Powershell Tools: Where's the rest of the information?

If you haven't noticed, I'm a proponent of using AWS Powershell tools for managing your AWS resources. There's a bit of a learning curve if you're not already familiar with Powershell or .NET, but Amazon has put a significant amount of time into developing the .NET class structure behind the Tools, which creates a pretty rich tool set.

Saturday, February 4, 2017

Where are my Codepipeline artifacts?

AWS Codepipeline is a CICD service that lets you automate running changes through a "pipeline" and performing different actions at different stages. Getting started with it through the GUI was relatively simple, but after a few months of using it I wondered what it was doing behind the scenes.

Saturday, January 28, 2017

AWS Serverless Application Model: Here we go!

AWS Serverless Application Model (SAM) was released a couple of months ago. The punch line of this new release, in my mind, is the ability to version your Lambda function code and your Cloudformation template next to each other. The idea is to have a completely packaged serverless application that deploys from a single repository.

Saturday, January 21, 2017

Getting an AWS IAM Certificate ARN

I was recently working on a cloudformation template that needed an ELB with an HTTPS listener. My company already has a wildcard cert uploaded to IAM for use in staging environments, so I wanted to use that cert rather than create a new one.

The classic load balancer and the newer Application Load Balancer look a little different for creating HTTPS listeners, but both require you to include the certificate ARN in your template.