AWS CloudTrail Monitors S3 Express One Zone Data Events

AWS CloudTrail

AWS CloudTrail is used to keep track of data events that occur in the Amazon S3 Express One Zone.

AWS introduced you to Amazon S3 Express One Zone, a single-Availability Zone (AZ) storage class designed to provide constant single-digit millisecond data access for your most frequently accessed data and latency-sensitive applications. It is intended to provide up to ten times higher performance than S3 Standard and is ideally suited for demanding applications. S3 directory buckets are used by S3 Express One Zone to store items in a single AZ.

In addition to bucket-level activities like CreateBucket and DeleteBucket that were previously supported, S3 Express One Zone now supports AWS CloudTrail data event logging, enabling you to monitor all object-level operations like PutObject, GetObject, and DeleteObject. In addition to allowing you to benefit from S3 Express One Zone’s 50% cheaper request costs than the S3 Standard storage class, this also enables auditing for governance and compliance.

This new feature allows you to easily identify the source of the API calls and immediately ascertain which S3 Express One Zone items were created, read, updated, or removed. You can immediately take steps to block access if you find evidence of unauthorised S3 Express One Zone object access. Moreover, rule-based processes that are activated by data events can be created using the CloudTrail connection with Amazon EventBridge.

S3 Express One Zone data events logging with CloudTrail

You open the Amazon S3 console first. You will make an S3 bucket by following the instructions for creating a directory bucket, selecting Directory as the bucket type and apne1-az4 as the availability zone. You can type s3express-one-zone-cloudtrail in the Base Name field, and the Availability Zone ID of the Availability Zone is automatically appended as a suffix to produce the final name. Lastly, you click Create bucket and tick the box indicating that data is kept in a single availability zone.

Now you open the CloudTrail console and enable data event tracking for S3 Express One Zone. You put in the name and start the CloudTrail trail that monitors my S3 directory bucket’s activities.

You can choose Data events with Advanced event pickers enabled under Step 2: Choose log events.

S3 Express is the data event type you have selected. To manage data events for every S3 directory bucket, you can select Log all events as my log selector template.

But you just want events for my S3 directory bucket, s3express-one-zone-cloudtrail–apne1-az4–x-s3, to be logged by the event data store. Here, you specify the ARN of my directory bucket and pick Custom as the log selection template.

Complete Step 3 by reviewing and creating. You currently have CloudTrail configured for logging.

S3 Express One Zone data event tracking with CloudTrail in action

You retrieve and upload files to my S3 directory bucket using the S3 interface

Log files are published by CloudTrail to an S3 bucket in a gzip archive, where they are arranged in a hierarchical structure according to the bucket name, account ID, region, and date. You list the bucket connected to my Trail and get the log files for the test date using the AWS CLI.

Let’s look over these files for the PutObject event. You can see the PutObject event type when you open the first file. As you remember, you only uploaded twice: once through the CLI and once through the S3 console in a web browser. This event relates to my upload using the S3 console because the userAgent property, which indicates the type of source that made the API call, points to a browser.

Upon examining the third file pertaining to the event that corresponds to the PutObject command issued through the AWS CLI, I have noticed a slight variation in the userAgent attribute. It alludes to the AWS CLI in this instance.

Let’s now examine the GetObject event found in file number two. This event appears to be related to my download via the S3 console, as you can see that the event type is GetObject and the userAgent relates to a browser.

Let me now demonstrate the event in the fourth file, including specifics about the GetObject command you issued using the AWS CLI. The eventName and userAgent appear to be as intended.

Important information

Starting out The CloudTrail console, CLI, or SDKs can be used to setup CloudTrail data event tracking for S3 Express One Zone.

Regions: All AWS Regions with current availability for S3 Express One Zone can use CloudTrail data event logging.

Activity tracking: You may record object-level actions like Put, Get, and Delete objects as well as bucket-level actions like CreateBucket and DeleteBucket using CloudTrail data event logging for S3 Express One Zone.

CloudTrail pricing

Cost: Just like other S3 storage classes, the amount you pay for S3 Express One Zone data event logging in CloudTrail is determined by how many events you log and how long you keep the logs. Visit the AWS CloudTrail Pricing page to learn more.

For S3 Express One Zone, you may activate CloudTrail data event logging to streamline governance and compliance for your high-performance storage.

Read more on Govindhtech.com

"6 Ways to Trigger AWS Step Functions Workflows: A Comprehensive Guide"

To trigger an AWS Step Functions workflow, you have several options depending on your use case and requirements:

AWS Management Console: You can trigger a Step Functions workflow manually from the AWS Management Console by navigating to the Step Functions service, selecting your state machine, and then clicking on the "Start execution" button.

AWS SDKs: You can use AWS SDKs (Software Development Kits) available for various programming languages such as Python, JavaScript, Java, etc., to trigger Step Functions programmatically. These SDKs provide APIs to start executions of your state machine.

AWS CLI (Command Line Interface): AWS CLI provides a command-line interface to AWS services. You can use the start-execution command to trigger a Step Functions workflow from the command line.

AWS CloudWatch Events: You can use CloudWatch Events to schedule and trigger Step Functions workflows based on a schedule or specific events within your AWS environment. For example, you can trigger a workflow based on a time-based schedule or in response to changes in other AWS services.

AWS Lambda: You can integrate Step Functions with AWS Lambda functions. You can trigger a Step Functions workflow from a Lambda function, allowing you to orchestrate complex workflows in response to events or triggers handled by Lambda functions.

Amazon API Gateway: If you want to trigger a Step Functions workflow via HTTP requests, you can use Amazon API Gateway to create RESTful APIs. You can then configure API Gateway to trigger your Step Functions workflow when it receives an HTTP request.

These are some of the common methods for triggering AWS Step Functions workflows. The choice of method depends on your specific requirements, such as whether you need manual triggering, event-based triggering, or integration with other AWS services.

Mastering AWS on Windows: Configure Multiple Accounts with Ease | AWS Tutorial for Beginners by TutorialsFor #ManagingMultipleAWSAccounts #DevOpsOnAWS #ManagingMultipleAWSAccounts Mastering AWS on Windows: Configure Multiple Accounts with Ease | AWS Tutorial for Beginners https://ift.tt/JpyRaw3 As a developer or DevOps engineer, managing multiple AWS accounts is a common scenario. You may have separate accounts for development, testing, and production environments or for different projects. When working with Terraform, a popular infrastructure-as-code tool, configuring AWS credentials on your Windows machine is essential. In this article, we will explore how to configure AWS on Windows for two accounts. Understanding AWS Credentials Before diving into the configuration process, it's crucial to understand AWS credentials. AWS uses access keys to authenticate and authorize API requests. Each account has a unique access key ID and secret access key. You can create multiple access keys for an account, but it's recommended to use a single key per account. Configuring AWS CLI on Windows To configure AWS on Windows, you'll use the AWS Command Line Interface (CLI). The AWS CLI is a unified tool that allows you to manage your AWS resources from the command line. Open the Command Prompt or PowerShell as an administrator. Run aws configure --profile account1 to set up your first AWS account. Enter your access key ID, secret access key, region, and output format. Configuring Additional AWS Accounts To configure additional AWS accounts, you'll use the --profile option with aws configure. This option allows you to create separate profiles for each account. Run aws configure --profile account2 to set up your second AWS account. Enter your access key ID, secret access key, region, and output format. Verifying Profiles To verify your profiles, run aws configure list. This command displays a list of all configured profiles. Name Value Type Location ---- ----- ---- -------- profile account1 manual ~/.aws/credentials profile account2 manual ~/.aws/credentials Switching Between Accounts To switch between accounts, set the AWS_PROFILE environment variable. This variable tells the AWS CLI which profile to use. Use set AWS_PROFILE=account1 to switch to your first account. Use set AWS_PROFILE=account2 to switch to your second account. Note: Make sure to replace ACCESS_KEY_ID_1, SECRET_ACCESS_KEY_1, ACCESS_KEY_ID_2, and SECRET_ACCESS_KEY_2 with your actual AWS access keys. By following these steps, you can configure AWS on your Windows machine for two accounts. #AWS #AWSTutorial #Windows #CloudComputing #DevOps #AWSCredentials #AWSCLI #MultipleAccounts #AWSConfiguration #CloudSecurity #AWSBestPractices #DevOpsTools #CloudEngineering #AWSSolutions #CloudComputingTutorial #ConfiguringAWSonWindows #ManagingMultipleAWSAccounts #AWSCredentialsManagement #CloudComputingForBeginners #DevOpsOnAWS https://www.youtube.com/watch?v=z-UwWhwiB3o

Docker is a software tool created to enable users create, deploy and manage applications using containers. The concept of containers has witnessed tremendous adoption in the past couple of years. As a developer, containers allows you to package up applications with all of its dependencies which include libraries and deploy it as one package. This guide will show you how to install and use Docker CE on Amazon Linux 2. Applications packaged as containers can run on any other Linux machine regardless of the environment, distribution type or customizations which distinguish source machine and the destination server where containers are run. We will update the OS, install some few dependencies then install Docker CE on Amazon Linux 2 server. Install Docker CE on Amazon Linux 2 Before we start the update, let’s ensure our system is updated. sudo yum -y update Once the update has been done, reboot your system. sudo systemctl reboot Wait for reboot to be completed then login back and continue with the installation of Docker CE on Amazon Linux 2. $ ssh username@amazonlinuxip __| __|_ ) _| ( / Amazon Linux 2 AMI ___|\___|___| https://aws.amazon.com/amazon-linux-2/ Install Docker Dependencies on Amazon Linux 2 Install the basic dependencies required for running Docker on Amazon Linux 2. sudo yum install -y yum-utils device-mapper-persistent-data lvm2 If running on actual AWS Cloud and not Developer machine install other tools that ensure integration with other AWS services is seemless. sudo yum -y install curl wget unzip awscli aws-cfn-bootstrap nfs-utils chrony conntrack jq ec2-instance-connect socat If the ec2-net-utils package is installed remove it as it interferes with the route setup on the instance. if yum list installed | grep ec2-net-utils; then sudo yum remove ec2-net-utils -y -q; fi Set correct system timezone and Clock. sudo yum -y install chrony sudo systemctl enable --now chronyd sudo timedatectl set-timezone Africa/Nairobi Sync NTP time. $ sudo chronyc sources 210 Number of sources = 8 MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^? 169.254.169.123 0 4 0 - +0ns[ +0ns] +/- 0ns ^+ time.cloudflare.com 3 6 277 39 -239us[ -637us] +/- 184ms ^+ time.cloudflare.com 3 6 377 39 -1526us[-1923us] +/- 185ms ^* ntp2.icolo.io 2 6 377 37 -1522us[-1920us] +/- 83ms ^? time.cloudflare.com 0 6 0 - +0ns[ +0ns] +/- 0ns ^? time.cloudflare.com 0 6 0 - +0ns[ +0ns] +/- 0ns ^? ntp1.icolo.io 0 6 0 - +0ns[ +0ns] +/- 0ns ^? ntp0.icolo.io 0 6 0 - +0ns[ +0ns] +/- 0ns Install Docker CE on Amazon Linux 2 With the dependencies installed we can now install Docker CE on Amazon Linux 2. Ensure the amazon-linux-extras repository is enabled on your system. sudo amazon-linux-extras enable docker Install Docker on Amazon Linux. sudo yum -y install docker The command above will install the latest stable version of Docker on Amazon Linux 2. If you want a specific version provide the version number. See example below. DOCKER_VERSION="19.03.6ce-4.amzn2" sudo yum install -y docker-$DOCKER_VERSION* Make your user part of the docker group. sudo usermod -aG docker $USER newgrp docker Create Docker json configuration file. sudo tee /etc/docker/daemon.json

Autoprompt

#Autoprompt code

#Autoprompt license

10:31:19,694 - MainThread - botocore.hooks - DEBUG - Event -input-yaml: calling handler 10:31:19,694 - MainThread - botocore.hooks - DEBUG - Event -input-json: calling handler 10:31:19,694 - MainThread - awscli.arguments - DEBUG - Unpacked value of for parameter "target_group_arns": 10:31:19,694 - MainThread - botocore.hooks - DEBUG - Event -group-arns: calling handler 10:31:19,694 - MainThread - awscli.arguments - DEBUG - Unpacked value of 'awseb-e-txwhwjxk75-stack-AWSEBAutoScalingGroup-14CH3JZ6DNIPT' for parameter "auto_scaling_group_name": 'awseb-e-txwhwjxk75-stack-AWSEBAutoScalingGroup-14CH3JZ6DNIPT' 10:31:19,694 - MainThread - botocore.hooks - DEBUG - Event -load-balancer-target-groups: calling handler 10:31:19,693 - MainThread - botocore.hooks - DEBUG - Event -scaling-group-name: calling handler 10:31:19,687 - MainThread - botocore.hooks - DEBUG - Event -load-balancer-target-groups: calling handler > 10:31:19,687 - MainThread - botocore.hooks - DEBUG - Event -load-balancer-target-groups: calling handler 10:31:19,686 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.0.10/dist/botocore/data/autoscaling//paginators-1.json 10:31:19,680 - MainThread - botocore.hooks - DEBUG - Event -load-balancer-target-groups: calling handler 10:31:19,680 - MainThread - awscli.clidriver - DEBUG - OrderedDict() 10:31:19,673 - MainThread - botocore.hooks - DEBUG - Event toscaling: calling handler 10:31:19,662 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/v2/2.0.10/dist/botocore/data/autoscaling//service-2.json 10:31:19,646 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 10:31:19,644 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 10:31:19,642 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 10:31:19,641 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler 10:31:19,641 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: Aws cli version - aws-cli/1.18.52 Python/3.6.9 Linux/5.3.0-51-generic botocore/1.16.2Īws-cli/2.0.10 Python/3.7.3 Linux/5.3.0-51-generic aws -debug autoscaling attach-load-balancer-target-groups -auto-scaling-group-name awseb-e-txwhwjxk75-stack-AWSEBAutoScalingGroup-14CH3JZ6DNIPT -target-group-arns arn:aws:elasticloadbalancing:eu-central-1:063129209410:targetgroup/aifit-cc-qa/d9d8c7a85f2ea7df getLogger (_name_ ) 33 34 35 36 def loggers_handler_switcher (): 37 old_handlers = ' ) 232 return shlex. logger import PromptToolkitHandler 30 31 32 LOG = logging. factory import PromptToolkitFactory 29 from awscli. output import OutputGetter 28 from awscli. autocomplete import parser 25 from awscli. logger import LOG_FORMAT, disable_crt_logging 24 from awscli. document import Document 22 23 from awscli. completion import Completion 21 from prompt_toolkit. completion import Completer, ThreadedCompleter 20 from prompt_toolkit. application import Application 19 from prompt_toolkit. 13 import logging 14 import shlex 15 import sys 16 from contextlib import nullcontext, contextmanager 17 18 from prompt_toolkit.

#Autoprompt license

See the License for the specific 12 # language governing permissions and limitations under the License. This file is 10 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF 11 # ANY KIND, either express or implied. A copy of 5 # the License is located at 6 # 7 # 8 # 9 # or in the "license" file accompanying this file. You 4 # may not use this file except in compliance with the License. 2 # 3 # Licensed under the Apache License, Version 2.0 (the "License").

#Autoprompt code

As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers.Īlternatively you can here view or download the uninterpreted source code file.įor more information about "prompttoolkit.py" see the Fossies "Dox" file reference documentation.ġ # Copyright 2019, Inc.

Command line python text editor

As the developer of a Python script, you will decide which arguments to provide to the caller and what they do. Keep in mind that both the name and the meaning of an argument are specific to a program - there is no general definition, other than a few common conventions like -help for further information on the usage of the tool. Note: In this article we'll solely be focusing on the Unix-like format of - and. The single dash notation is mostly used with single letter options, while double dashes present a more readable options list, which is particularly useful for complex options that need to be more explicit. Many programs on Unix-like systems support both the single and double dash notation. These different approaches exist due to historical reasons. Windows: / followed by either a letter, or word, like /help.Unix-like: - followed by a letter, like -h, or - followed by a word, like -help.In general, arguments are passed to CLI tools differently, depending on your operating system: For example, these options could tell the tool to output additional information, read data from a specified source, or send output to a certain location. These tools can range from simple CLI apps to those that are more complex, like AWS' awscli tool.Ĭomplex tools like this are typically controlled by the user via command line arguments, which allows the user to use specific commands, set options, and more. With Python being such a popular programming language, as well as having support for most operating systems, it's become widely used to create command line tools for many purposes.

How to install AWS-CLI on Linux? https://www.devopscheetah.com/how-to-install-aws-cli-on-linux/?feed_id=949&_unique_id=60e6ca20273ca

How to Copy Multiple Files From Local to AWS S3 Bucket Using AWS CLI?

Introduction

Amazon Simple Storage Service(S3) is one of the most used object storage services, and it is because of scalability, security, performance, and data availability. That means customers of any size or industries such as websites, mobile apps, IoT devices, enterprise applications, and IoT devices can use it to store any volume of data.

Amazon S3 provides easy-to-use management features so you can appropriately organize your data to fulfill your business requirements.

Many of us are using AWS s3 bucket on a daily basis; one of the most common challenges that are faced while working with cloud storage is syncing or uploading multiple objects at once. Yes, we can drag and drop or upload on a direct bucket page. Like the below image.

But the problem with this approach is if you’re uploading large objects over an unstable network if network errors occur you must have to restart uploading from the beginning.

Suppose you are uploading 2000+ files and you come to know that upload fails and your uploading these files from the last 1 hour, re-uploading has become a time-consuming process. So, to overcome this problem we have two solutions that we will discuss in the next sections.

Prerequisites

AWS Account

Installed AWS CLI

Upload Objects Using Multipart Upload API

Multipart upload opens the gate to upload a single object as a set of parts. Considering that it is possible to upload object parts independently and in any order.

In case the transmission fails in any section, it is possible to retransmit that section without affecting any other sections. So, it’s a good practice to use multipart uploads instead of uploading the object in a single operation.

Advantages of Using multipart upload:

Improved throughput – improve uploading speed

Fast recovery from any network issues: no need to re-upload from beginning

Resume and pause object uploads

It is possible to upload any object as you are creating it.

We can use multipart file uploading API with different technologies SDK or REST API for more details visit

Read more to Copy Files to AWS S3 Bucket using AWS S3 CLI

How To Provisioning RDS Instances using Terraform

Amazon Route 53 Advanced Features for Global Traffic

What is Amazon Route 53

A dependable and economical method of connecting end users to Internet applications

Sharing and then assigning numerous DNS resources to each Amazon Virtual Private Cloud (Amazon VPC) can be quite time-consuming if you are managing numerous accounts and Amazon VPC resources. You may have even gone so far as to create your own orchestration layers in order to distribute DNS configuration throughout your accounts and VPCs, but you frequently run into limitations with sharing and association.

Amazon Route 53 Resolver DNS firewall

With great pleasure, AWS now provide Amazon Route 53 Profiles, which enable you to centrally manage DNS for all accounts and VPCs in your company. Using Route 53 Profiles, you may apply a standard DNS configuration to several VPCs in the same AWS Region. This configuration includes Amazon Route 53 private hosted zone (PHZ) associations, Resolver forwarding rules, and Route 53 Resolver DNS Firewall rule groups. You can quickly and simply verify that all of your VPCs have the same DNS setup by using Profiles, saving you the trouble of managing different Route 53 resources. It is now as easy to manage DNS for several VPCs as it was for a single VPC.

Because Profiles and AWS Resource Access Manager (RAM) are naturally connected, you can exchange Profiles between accounts or with your AWS Organizations account. By enabling you to create and add pre-existing private hosted zones to your Profile, Profiles effortlessly interacts with Route 53 private hosted zones. This means that when the Profile is shared across accounts, your organizations will have access to the same settings. When accounts are initially provisioned, AWS CloudFormation enables you to utilize Profiles to define DNS settings for VPCs regularly. You may now more effectively manage DNS settings for your multi-account environments with today’s release.

Amazon Route 53 benefits

Automatic scaling and internationally distributed Domain Name System (DNS) servers ensure dependable user routing to your website

Amazon Route 53 uses globally dispersed Domain Name System (DNS) servers to provide dependable and effective end-user routing to your website. By dynamically adapting to changing workloads, automated scaling maximises efficiency and preserves a flawless user experience.

With simple visual traffic flow tools and domain name registration, set up your DNS routing in a matter of minutes

With simple visual traffic flow tools and a fast and easy domain name registration process, Amazon Route 53 simplifies DNS routing configuration. This makes it easier for consumers to manage and direct web traffic effectively by allowing them to modify their DNS settings in a matter of minutes.

To cut down on latency, increase application availability, and uphold compliance, modify your DNS routing policies

Users can customize DNS routing settings with Amazon Route 53 to meet unique requirements including assuring compliance, improving application availability, and lowering latency. With this customization, customers can optimize DNS configurations for resilience, performance, and legal compliance.

How it functions

A DNS (Domain Name System) online service that is both scalable and highly available is Amazon Route 53. Route 53 links user queries to on-premises or AWS internet applications.Image credit to AWS

Use cases

Control network traffic worldwide

Easy-to-use global DNS features let you create, visualize, and scale complicated routing interactions between records and policies.

Construct programmes that are extremely available

In the event of a failure, configure routing policies to predetermine and automate responses, such as rerouting traffic to different Availability Zones or Regions.

Configure a private DNS

In your Amazon Virtual Private Cloud, you can assign and access custom domain names (VPC). Utilise internal AWS servers and resources to prevent DNS data from being visible to the general public.

Which actions can you perform in Amazon Route 53

The operation of Route 53 Profiles

You go to the AWS Management Console for Route 53 to begin using the Route 53 Profiles. There, you can establish Profiles, furnish them with resources, and link them to their respective VPCs. Then use AWS RAM to share the profile you made with another account.

To set up my profile, you select Profiles from the Route 53 console’s navigation pane, and then you select Create profile.

You will optionally add tags to my Profile configuration and give it a pleasant name like MyFirstRoute53Profile.

The Profile console page allows me to add new Resolver rules, private hosted zones, and DNS Firewall rule groups to my account or modify the ones that are already there.

You select which VPCs to link to the Profile. In addition to configuring recursive DNSSEC validation the DNS Firewalls linked to my VPCs’ failure mode, you are also able to add tags. Additionally, you have the ability to decide which comes first when evaluating DNS: Profile DNS first, VPC DNS second, or VPC DNS first.

Up to 5,000 VPCs can be linked to a single Profile, and you can correlate one Profile with each VPC.

You can control VPC settings for different accounts in your organization by using profiles. Instead of setting them up per-VPC, you may disable reverse DNS rules for every VPC that the Profile is connected to. To make it simple for other services to resolve hostnames from IP addresses, the Route 53 Resolver automatically generates rules for reverse DNS lookups on my behalf. You can choose between failing open and failing closed when using DNS Firewall by going into the firewall’s settings. Additionally, you may indicate if you want to employ DNSSEC signing in Amazon Route 53 (or any other provider) in order to enable recursive DNSSEC validation for the VPCs linked to the Profile.

Assume you can link a Profile to a VPC. What occurs when a query precisely matches a PHZ or resolver rule that is linked to the VPC’s Profile as well as one that is related with the VPC directly? Which DNS settings, those from the local VPCs or the profiles, take priority? In the event that the Profile includes a PHZ for example.com and the VPC is linked to a PHZ for example.com, the VPC’s local DNS settings will be applied first. The most specific name prevails when a name query for a conflicting domain name is made (for instance, the VPC is linked to a PHZ with the name account1.infra.example.com, while the Profile has a PHZ for infra.example.com).

Using AWS RAM to share Route 53 Profiles between accounts

You can share the Profile you made in the previous part with my second account using AWS Resource Access Manager (RAM).

On the Profiles detail page, you select the Share profile option. Alternatively, you may access the AWS RAM console page and select Create resource share.

You give your resource share a name, and then you go to the Resources area and look for the “Route 53 Profiles.” You choose the Profile under the list of resources. You have the option to add tags. Next is what you select.

RAM controlled permissions are used by profiles, enabling me to assign distinct permissions to various resource types. The resources inside the Profile can only be changed by the Profile’s owner, the network administrator, by default. Only the contents of the Profile (in read-only mode) will be accessible to the recipients of the Profile, which are the VPC owners. The resource must have the required permissions attached to it in order for the Profile’s recipient to add PHZs or other resources to it. Any resources that the Profile owner adds to the shared resource cannot be edited or removed by recipients.

You choose to allow access to my second account by selecting Next, leaving the default settings.

You select Allow sharing with anyone on the following screen, type in the ID of my second account, and click Add. Next, You select that account ID under Selected Principals and click Next.

You select Create resource share on the Review and create page. The creation of the resource sharing is successful.

You, now navigate to the RAM console using your other account, which you share your profile with. You select the resource name you generated in the first account under the Resource sharing section of the navigation menu. You accept the offer by selecting Accept resource share.

And that’s it! now select the Profile that was shared with you on your Amazon Route 53Profiles page.

The private hosted zones, Resolver rules, and DNS Firewall rule groups of the shared profile are all accessible to you. You are able to link this Profile to the VPCs for this account. There are no resources that you can change or remove. As regional resources, profiles are not transferable between regions.

Amazon Route 53 availability

Using the AWS Management Console, Route 53 API, AWS CloudFormation, AWS Command Line Interface (AWS CLI), and AWS SDKs, you can quickly get started with Route 53 Profiles.

With the exception of Canada West (Calgary), the AWS GovCloud (US) Regions, and the Amazon Web Services China Regions, Route 53 Profiles will be accessible in every AWS Region.

Amazon Route 53 pricing

Please check the Route 53 price page for further information on the costs.

Read more on govindhtech.com

Amazon EBS 的 gp3 可以用在開機磁碟了

Amazon EBS 的 gp3 可以用在開機磁碟了

可以先參考「Amazon EBS 推出了 gp3」這篇，但剛出來的時候大家都有發現無論是透過 web console 還是透過 awscli，boot disk 都沒辦法改成 gp3，可是在官方的文件上又說可以用 gp3，所以就有人在 AWS 的 forum 上發問了：「EBS GP3 Boot Volume Issues」。

直到剛剛發現已經可以改成 gp3 了… 一個一個手動改當然也是 OK，但對於有一卡車 EBS 要換的人來說鐵定得弄指令來換，這邊搭配了 jq 一起改：

aws ec2 describe-volumes | jq '.Volumes[] | select(.VolumeType == "gp2") | .VolumeId' | xargs -n1 -P4 env aws ec2 modify-volume --volume-type gp3 --volume-id

View On WordPress

In this walkthrough, we’ll look at how to use user permissions with Amazon S3. We will create a bucket and AWS Identity and Access Management user on our AWS account with specific permissions. My use case for this was having IAM user that can upload files to AWS S3 buckets only, without the permission to delete objects. Create a Test bucket: Use aws command with s3 option to create a bucket: $ aws s3 mb s3://backupsonly make_bucket: backupsonly Create an IAM user The following create-user command creates an IAM user named uploadonly in the current account: $ aws iam create-user --user-name uploadonly Output: "User": "Path": "/", "UserName": "uploadonly", "UserId": "AIDAJII2GMOH3OAFWCIGK", "Arn": "arn:aws:iam::104530196855:user/uploadonly", "CreateDate": "2018-08-07T08:51:23.600Z" Create AWS User and Policy Next, we need to create a policy that will be associated with the created AWS user account. This is the json file that we’ll use for the policy: $ cat aws-s3-policy.json "Version": "2012-10-17", "Statement": [ "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*", "s3:Put*" ], "Resource": "*" ] We specified the actions for: List all bucket contents Get a list of all buckets on S3 Upload files to S3 buckets The following command creates a user managed policy named upload-only-policy: $ aws iam create-policy --policy-name upload-only-policy \ --policy-document file://aws-s3-policy.json You should get output like below: "Policy": "PolicyName": "upload-only-policy", "PolicyId": "ANPAZYBH8BTU6NFCTTR46", "Arn": "arn:aws:iam::104530196855:policy/upload-only-policy", "Path": "/", "DefaultVersionId": "v1", "AttachmentCount": 0, "IsAttachable": true, "CreateDate": "2018-08-07T09:02:13.013Z", "UpdateDate": "2018-08-07T09:02:13.013Z" The policy used is a JSON document in the current folder that grants read/write access to all Amazon S3 buckets. You can also limit this to a specific bucket by changing resource section. Example: "Resource": [ "arn:aws:s3:::bucket-name/*" ] Or to a specific folder inside a bucket: "Resource": [ "arn:aws:s3:::bucket-name/folder1/*" ] You can also do the same from AWS IAM web interface: Assign AWS Policy to IAM User The following attach-user-policy command attaches the AWS managed policy named upload-only-policy to the IAM user named uploadonly: $ aws iam attach-user-policy --policy-arn \ arn:aws:iam::104530196855:policy/upload-only-policy --user-name uploadonly There is no output for this command You can now create an access key for an IAM user to test: $ aws iam create-access-key --user-name uploadonly Store the secret access key in a secure location. If it is lost, it cannot be recovered, and you must create a new access key. From UI go to IAM > Users > Add Permissions > Attach existing policies directly Configure your AWS CLI and test: $ sudo pip install awscli $ aws configure Provide: AWS Access Key ID AWS Secret Access Key Test file upload: $ aws s3 cp test-demo.yml s3://backupsonly/ upload: ./test-demo.yml to s3://backupsonly/test-demo.yml Try delete: $ aws s3 rm s3://backupsonly/test-demo.yml You should get an error message: delete failed: s3://backupsonly/test-demo.yml An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied Let me know through comments section if you encounter an error message.

How to install AWS-CLI on Linux? https://www.devopscheetah.com/how-to-install-aws-cli-on-linux/?feed_id=1554&_unique_id=61261a0682561