#SecurityGroups
Difference and Advantages of VPC, ACL and SG | CyberSecurityTV
Unlock the secrets of network security with our latest video on VPC, ACL, and SG! 🌐🔒 Dive deep into the world of cybersecurity as we unravel the key differences and advantages of Virtual Private Clouds (VPC), Access Control Lists (ACL), and Security Groups (SG). 💻🔐 Don't miss out on essential insights to fortify your digital defenses. Watch now to stay one step ahead in the cyber battlefield!
Are you ready to explore the world of Virtual Port Channels (VPC) and its components in-depth? DC Lessons presents an engaging course designed for IT professionals, network engineers, and anyone looking to master the intricacies of VPC configurations. https://www.dclessons.com/labconfiguring-vpc-its-components
Deploying Containers on AWS ECS with Fargate
Introduction
Amazon Elastic Container Service (ECS) with AWS Fargate enables developers to deploy and manage containers without managing the underlying infrastructure. Fargate eliminates the need to provision or scale EC2 instances, providing a serverless approach to containerized applications.
This guide walks through deploying a containerized application on AWS ECS with Fargate using AWS CLI, Terraform, or the AWS Management Console.
1. Understanding AWS ECS and Fargate
✅ What is AWS ECS?
Amazon ECS (Elastic Container Service) is a fully managed container orchestration service that allows running Docker containers on AWS.
✅ What is AWS Fargate?
AWS Fargate is a serverless compute engine for ECS that removes the need to manage EC2 instances, providing:
Automatic scaling
Per-second billing
Enhanced security (isolation at the task level)
Reduced operational overhead
✅ Why Choose ECS with Fargate?
✔ No need to manage EC2 instances
✔ Pay only for the resources your containers consume
✔ Simplified networking and security
✔ Seamless integration with AWS services (CloudWatch, IAM, ALB)
2. Prerequisites
Before deploying, ensure you have:
AWS Account with permissions for ECS, Fargate, IAM, and VPC
AWS CLI installed and configured
Docker installed to build container images
An existing ECR (Elastic Container Registry) repository
3. Steps to Deploy Containers on AWS ECS with Fargate
Step 1: Create a Dockerized Application
First, create a simple Dockerfile for a Node.js or Python application.
Example: Node.js Dockerfile
```dockerfile
FROM node:16-alpine
WORKDIR /app
COPY package.json .
RUN npm install
COPY . .
CMD ["node", "server.js"]
EXPOSE 3000
```
Build and push the image to AWS ECR:
```sh
aws ecr create-repository --repository-name my-app
docker build -t my-app .
docker tag my-app:latest <AWS_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/my-app:latest
aws ecr get-login-password --region <REGION> | docker login --username AWS --password-stdin <AWS_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com
docker push <AWS_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/my-app:latest
```
Step 2: Create an ECS Cluster
Use the AWS CLI to create a cluster:
```sh
aws ecs create-cluster --cluster-name my-cluster
```
Or use Terraform:
```hcl
resource "aws_ecs_cluster" "my_cluster" {
  name = "my-cluster"
}
```
Step 3: Define a Task Definition for Fargate
The task definition specifies how the container runs.
Create a task-definition.json file:
```json
{
  "family": "my-task",
  "networkMode": "awsvpc",
  "executionRoleArn": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/ecsTaskExecutionRole",
  "cpu": "512",
  "memory": "1024",
  "requiresCompatibilities": ["FARGATE"],
  "containerDefinitions": [
    {
      "name": "my-container",
      "image": "<AWS_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/my-app:latest",
      "portMappings": [{"containerPort": 3000, "hostPort": 3000}],
      "essential": true
    }
  ]
}
```
Register the task definition:
```sh
aws ecs register-task-definition --cli-input-json file://task-definition.json
```
Step 4: Create an ECS Service
Use AWS CLI:
```sh
aws ecs create-service \
  --cluster my-cluster \
  --service-name my-service \
  --task-definition my-task \
  --desired-count 1 \
  --launch-type FARGATE \
  --network-configuration "awsvpcConfiguration={subnets=[subnet-xyz],securityGroups=[sg-xyz],assignPublicIp=\"ENABLED\"}"
```
Or Terraform:
```hcl
resource "aws_ecs_service" "my_service" {
  name            = "my-service"
  cluster         = aws_ecs_cluster.my_cluster.id
  task_definition = aws_ecs_task_definition.my_task.arn
  desired_count   = 1
  launch_type     = "FARGATE"

  network_configuration {
    subnets          = ["subnet-xyz"]
    security_groups  = ["sg-xyz"]
    assign_public_ip = true
  }
}
```
Step 5: Configure a Load Balancer (Optional)
If the service needs internet access, configure an Application Load Balancer (ALB).
Create an ALB in your VPC.
Add an ECS service to the target group.
Configure a listener rule for routing traffic.
4. Monitoring & Scaling
🔹 Monitor ECS Service
Use AWS CloudWatch to monitor logs and performance.
```sh
aws logs describe-log-groups
```
🔹 Auto Scaling ECS Tasks
Configure an Auto Scaling Policy:
```sh
aws application-autoscaling register-scalable-target \
  --service-namespace ecs \
  --scalable-dimension ecs:service:DesiredCount \
  --resource-id service/my-cluster/my-service \
  --min-capacity 1 \
  --max-capacity 5
```
5. Cleaning Up Resources
After testing, clean up resources to avoid unnecessary charges.
```sh
aws ecs delete-service --cluster my-cluster --service my-service --force
aws ecs delete-cluster --cluster my-cluster
aws ecr delete-repository --repository-name my-app --force
```
Conclusion
AWS ECS with Fargate simplifies container deployment by eliminating the need to manage servers. By following this guide, you can deploy scalable, cost-efficient, and secure applications using serverless containers.
WEBSITE: https://www.ficusoft.in/aws-training-in-chennai/
Types of groups in Azure Active Directory
In Azure Active Directory (Azure AD), there are different types of groups that are used for different purposes. In this article, we will explain the different groups and their functions. […]
Read the full Article https://activedirectoryfaq.com/2023/09/types-of-groups-in-azure-active-directory/
In this blog, let's discuss the security group and access rights in Odoo 16.👇👇
AWS: Issue with accessing public IP
Basic Set-up
1. Create an EC2 instance.
2. Create an Elastic IP address.
3. Associate the IP address with the EC2 instance.
4. Edit the security group and
   a. add HTTP for port 80 and everywhere
   b. change SSH to everywhere.
Now, with this, we go ahead and SSH into the machine, then install and launch the web server. But when you enter the public IP address in the browser to access your website, it does NOT work. Has this happened to you?
If so, you could try this solution, which helped me.
SOLUTION: Add a CUSTOM TCP RULE, set the port to the port specified in your web app, and set the source to everywhere. In my case, as an example, the port specified was 4567; I set the rule for 4567 and it worked.
Let me know in the comments whether or not this helped you get your website working and accessible through the public IP.
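The behaviour described in the post above, as an added example that is not part of the original post: a small evaluator for security-group ingress rules that shows why the port 80 rule never admits traffic to an app listening on 4567, and that also reports administrative ports left open to every address. The rule data is constructed in the `IpPermissions` shape of `aws ec2 describe-security-groups`; the client address and the admin CIDR are assumptions taken from documentation ranges.

```python
import copy
import ipaddress

# Constructed sample mirroring the post's basic set-up:
# HTTP (80) and SSH (22) open to everywhere.
BASIC_SETUP = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

# The post's fix: a custom TCP rule for the port the web app listens on.
CUSTOM_TCP_4567 = {"IpProtocol": "tcp", "FromPort": 4567, "ToPort": 4567,
                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}


def covers_port(rule, port, protocol="tcp"):
    """True if the rule's protocol and port range include this port."""
    if rule["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
        return True
    return (rule["IpProtocol"] == protocol
            and rule["FromPort"] <= port <= rule["ToPort"])


def covers_source(rule, source_ip):
    """True if any IPv4 CIDR on the rule contains the source address."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", []))


def is_allowed(rules, port, source_ip, protocol="tcp"):
    """Security groups are allow-lists: a packet passes only if some rule
    matches both its port and its source; everything else is dropped."""
    return any(covers_port(r, port, protocol) and covers_source(r, source_ip)
               for r in rules)


def world_open(rules, ports=(22, 3389)):
    """Administrative ports that every IPv4 address can reach."""
    def open_to_all(rule):
        return any(ipaddress.ip_network(r["CidrIp"]).prefixlen == 0
                   for r in rule.get("IpRanges", []))
    return sorted(p for p in ports
                  if any(covers_port(r, p) and open_to_all(r) for r in rules))


def restrict_source(rules, port, cidr):
    """Copy of the rules in which single-port rules for `port` accept only `cidr`."""
    hardened = copy.deepcopy(rules)
    for rule in hardened:
        if rule.get("FromPort") == port == rule.get("ToPort"):
            rule["IpRanges"] = [{"CidrIp": cidr}]
    return hardened


if __name__ == "__main__":
    client = "203.0.113.10"  # constructed client address
    print("4567 before fix:", is_allowed(BASIC_SETUP, 4567, client))
    print("4567 after fix: ", is_allowed(BASIC_SETUP + [CUSTOM_TCP_4567], 4567, client))
    print("world-open admin ports:", world_open(BASIC_SETUP))
    # Hypothetical admin network; web ports stay public, SSH does not.
    hardened = restrict_source(BASIC_SETUP, 22, "198.51.100.0/24")
    print("after restricting SSH:", world_open(hardened))
```
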
This tutorial aims to take the reader through creating an Application Load Balancer and its dependencies using CloudFormation. The template will create:
- The Application Load Balancer
- The Target Groups
- The Listeners
- The Listener Rules

The AWS cloud platform provides managed load balancers using the Elastic Load Balancer service. One has options to create an Application (layer 7), Network (layer 4), or Classic Load Balancer (both layer 4 and 7). For this tutorial, we will create an Application Load Balancer.

A load balancer is useful because:
- It gives our applications high availability. Using a load balancer in our applications enables one to route traffic to multiple backend servers. In case one server fails, traffic will be routed to the other servers. This is also good for ensuring even distribution of traffic between the various servers.
- It is also useful for directing/filtering traffic based on the rules configured. Using host-based, path-based routing, or a combination of both, one can direct traffic to different servers.

Setup Prerequisites
The user will need to have:
- An AWS account.
- A user with permissions to create resources on AWS.
- Generated a certificate for their specific domain name (we used AWS Certificate Manager to generate ours).
- An IDE to write and edit your CloudFormation template.

N/B: A user can import certificates generated from other certificate generation entities to the AWS Certificate Manager and use them.

Step 1: Create CloudFormation Template
Use the below code for your CloudFormation template. The user can edit the various parts of the template as explained in the next section.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create ALB, ALB security group, target groups, listeners and listener rules"
Parameters:
  VPC:
    Type: String
    Description: The vpc to launch the service
    Default: vpc-ID
  PublicSubnet1:
    Type: String
    Description: The subnet where to launch the service
    Default: subnet-ID
  PublicSubnet2:
    Type: String
    Description: the subnet where to Launch the service
    Default: subnet-ID
Resources:
  ALBSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "security group for ALB"
      GroupName: "test-ALB-SG"
      Tags:
        - Key: "Project"
          Value: "test-blog"
        - Key: "createdBy"
          Value: "Maureen Barasa"
        - Key: "Environment"
          Value: "test"
        - Key: "Name"
          Value: "test-ALB-SG"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - CidrIp: "0.0.0.0/0"
          FromPort: 80
          IpProtocol: "tcp"
          ToPort: 80
        - CidrIp: "0.0.0.0/0"
          FromPort: 443
          IpProtocol: "tcp"
          ToPort: 443
  ApplicationLoadBalancer:
    Type: "AWS::ElasticLoadBalancingV2::LoadBalancer"
    Properties:
      Name: "test-Application-Load-Balancer"
      Scheme: "internet-facing"
      Type: "application"
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
      SecurityGroups:
        - !Ref ALBSecurityGroup
      IpAddressType: "ipv4"
      LoadBalancerAttributes:
        - Key: "access_logs.s3.enabled"
          Value: "false"
        - Key: "idle_timeout.timeout_seconds"
          Value: "60"
        - Key: "deletion_protection.enabled"
          Value: "false"
        - Key: "routing.http2.enabled"
          Value: "true"
        - Key: "routing.http.drop_invalid_header_fields.enabled"
          Value: "false"
  HTTPSListener:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 443
      Protocol: "HTTPS"
      SslPolicy: "ELBSecurityPolicy-2016-08"
      Certificates:
        - CertificateArn: arn:aws:acm:eu-central-1:**************:certificate/*********************
      DefaultActions:
        - Order: 1
          TargetGroupArn: !Ref Test1TargetGroup
          Type: "forward"
  HTTPListener:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 80
      Protocol: "HTTP"
      DefaultActions:
        - Order: 1
          RedirectConfig:
            Protocol: "HTTPS"
            Port: "443"
            # #{host}, #{path} and #{query} are filled in by the ALB from the original request
            Host: "#{host}"
            Path: "/#{path}"
            Query: "#{query}"
            StatusCode: "HTTP_301"
          Type: "redirect"
  Test1TargetGroup:
    Type: "AWS::ElasticLoadBalancingV2::TargetGroup"
    Properties:
      HealthCheckIntervalSeconds: 30
      HealthCheckPath: "/"
      Port: 80
      Protocol: "HTTP"
      HealthCheckPort: "traffic-port"
      HealthCheckProtocol: "HTTP"
      HealthCheckTimeoutSeconds: 5
      UnhealthyThresholdCount: 2
      TargetType: "instance"
      Matcher:
        HttpCode: "200"
      HealthyThresholdCount: 5
      VpcId: !Ref VPC
      Name: "target-group-1"
      HealthCheckEnabled: true
      TargetGroupAttributes:
        - Key: "stickiness.enabled"
          Value: "false"
        - Key: "deregistration_delay.timeout_seconds"
          Value: "300"
        - Key: "stickiness.type"
          Value: "lb_cookie"
        - Key: "stickiness.lb_cookie.duration_seconds"
          Value: "86400"
        - Key: "slow_start.duration_seconds"
          Value: "0"
        - Key: "load_balancing.algorithm.type"
          Value: "round_robin"
  Test2TargetGroup:
    Type: "AWS::ElasticLoadBalancingV2::TargetGroup"
    Properties:
      HealthCheckIntervalSeconds: 30
      HealthCheckPath: "/"
      Port: 80
      Protocol: "HTTP"
      HealthCheckPort: "traffic-port"
      HealthCheckProtocol: "HTTP"
      HealthCheckTimeoutSeconds: 5
      UnhealthyThresholdCount: 2
      TargetType: "instance"
      Matcher:
        HttpCode: "200"
      HealthyThresholdCount: 5
      VpcId: !Ref VPC
      Name: "target-group-2"
      HealthCheckEnabled: true
      TargetGroupAttributes:
        - Key: "stickiness.enabled"
          Value: "false"
        - Key: "deregistration_delay.timeout_seconds"
          Value: "300"
        - Key: "stickiness.type"
          Value: "lb_cookie"
        - Key: "stickiness.lb_cookie.duration_seconds"
          Value: "86400"
        - Key: "slow_start.duration_seconds"
          Value: "0"
        - Key: "load_balancing.algorithm.type"
          Value: "round_robin"
  TestListenerRule1:
    Type: "AWS::ElasticLoadBalancingV2::ListenerRule"
    Properties:
      Priority: "1"
      ListenerArn: !Ref HTTPSListener
      Conditions:
        - Field: "host-header"
          Values:
            - "test1.blog.avrcr.com"
      Actions:
        - Type: "forward"
          TargetGroupArn: !Ref Test1TargetGroup
          Order: 1
          ForwardConfig:
            TargetGroups:
              - TargetGroupArn: !Ref Test1TargetGroup
                Weight: 1
            TargetGroupStickinessConfig:
              Enabled: false
  TestListenerRule2:
    Type: "AWS::ElasticLoadBalancingV2::ListenerRule"
    Properties:
      Priority: "2"
      ListenerArn: !Ref HTTPSListener
      Conditions:
        - Field: "host-header"
          Values:
            - "test2.blog.com"
      Actions:
        - Type: "forward"
          TargetGroupArn: !Ref Test2TargetGroup
          Order: 1
          ForwardConfig:
            TargetGroups:
              - TargetGroupArn: !Ref Test2TargetGroup
                Weight: 1
            TargetGroupStickinessConfig:
              Enabled: false
Outputs:
  ALB:
    Description: The created loadbalancer
    Value: !Ref ApplicationLoadBalancer
  TargetGroup1:
    Description: The created TargetGroup 1
    Value: !Ref Test1TargetGroup
  TargetGroup2:
    Description: The created TargetGroup 2
    Value: !Ref Test2TargetGroup
  LoadBalancerSecurityGroup:
    Description: the security group for the ALB
    Value: !Ref ALBSecurityGroup
```

The CloudFormation Template Explained
The template contains 3 sections: Parameters, Resources and Outputs.

Parameters Section
In the parameters section, the user inputs their dynamic variables. On our template, the user should customize the template by inputting their VPC and Subnet IDs. In our case, the load balancer is internet-facing, hence the need to have it created on public subnets. Should the user want to create an internal load balancer, it would be prudent to have it created on private subnets.

Resources Section
The resources section allows the user to define the AWS resources they will create. On our template, we start by creating the load balancer security group. The security group created allows inbound traffic on ports 80 and 443. The user can also customize or add more rules to the security group.

Next, the template creates a load balancer. The user can customize the name of the load balancer, the scheme, or whether it will be internal or internet-facing. If internal, kindly ensure you change the subnets from public to private. They can also customize the load balancer attributes as per their specific needs.

Since we have opened ports 80 and 443 on the load balancer security group, the template creates the two listeners for the load balancer: one listener on port 80 (HTTP) and the other on port 443 (HTTPS). For the HTTP listener, the template is configured to create a default action that redirects all requests to the HTTPS listener. This can also be customized as per the user's needs.

For the HTTPS listener, we have included the certificate we generated for our domain name. The user should change the certificate ARN to their own certificate ARN ID. Also, we created a default action to forward traffic to a target group. This will forward all traffic otherwise not routed to the target group. Again, the user can customize the HTTPS listener default actions to their specific needs.

Next, the template creates two target groups. The user can customize the target groups' properties as per their specific needs. Important to note is that the target type can either be an instance (EC2) or an IP.

Finally, the template creates listener rules. For our case, based on host-based routing, we created listener rules that forward to the specific target groups. The user has the option to customize the rules. Also, they can change from host-based to path-based routing.

Outputs Section
The outputs section outputs the names of the resources you created.

Step 2: Create CodePipeline to Deploy the Template
Create the CodePipeline role to deploy the template to CloudFormation. Use the below CloudFormation template to create the role.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Template to create centos ec2 instance and install ssm on it"
Resources:
  IAMInstanceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      Description: The SSM Instance Profile
      RoleName: codepipeline-test
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
        - arn:aws:iam::aws:policy/CloudWatchFullAccess
        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
      Tags:
        - Key: "Project"
          Value: "test-blog"
        - Key: "Environment"
          Value: "test"
        - Key: "createdBy"
          Value: "Maureen Barasa"
        - Key: "Name"
          Value: "codepipeline-test"
  IAMInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: codepipeline-test
      Roles:
        - !Ref IAMInstanceRole
Outputs:
  Profile:
    Description: The created Instance Profile
    Value: !Ref IAMInstanceProfile
  Role:
    Description: The created role
    Value: !Ref IAMInstanceRole
```

Next, go to the CodeCommit console. Then create a CodeCommit repository. Commit your ALB template to the repository. On the CodePipeline console, select create pipeline.
Figure: Create Pipeline

After, choose pipeline settings. For service role, opt to create a new service role.
Figure: Choose Pipeline Settings

Also, under Advanced Settings choose the S3 bucket that you will use to store your artifacts. For the encryption key choose the default AWS key. Then click next.
Figure: Advanced Settings

On the add source stage screen, choose CodeCommit as your source provider.
Figure: Add Source Stage

Enter the details of your CodeCommit repository name and the branch. Also, for change detection leave the setting on Amazon CloudWatch Events. This enables CloudWatch to detect changes made to your code and auto-start the pipeline to update those changes. When done click next.
Figure: Add Source Stage Settings

On the add build stage screen, click skip build stage.
Figure: Skip Build Stage

Finally, on the add deploy stage screen, select CloudFormation as your deployment option.
Figure: Select CloudFormation as Deployment Option

Fill in the details for your CloudFormation deployment. N/B: for the role, use the role you created with the CloudFormation template at the beginning of the section.
Figure: Add Deployment Stage Details

The next stage allows the user to review all the configurations done. If all configurations are correct, click on create pipeline. You have now created your first pipeline to deploy a CloudFormation template.
Figure: A Successful Deployment Pipeline

Important Links
https://aws.amazon.com/elasticloadbalancing/
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html
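A review pass over the security-relevant settings in the two templates above, as an added example that is not the tutorial author's code: it flags the HTTPS listener policy (`ELBSecurityPolicy-2016-08` still negotiates TLS 1.0 and 1.1), the load balancer attributes left disabled, any world-open ingress port that has no listener, and `*FullAccess` managed policies on the deployment role. `TEMPLATE` is a constructed transcription of the relevant properties as a Python dict, and the log bucket name is a hypothetical placeholder.

```python
import copy

LISTENER = "AWS::ElasticLoadBalancingV2::Listener"
LOAD_BALANCER = "AWS::ElasticLoadBalancingV2::LoadBalancer"

# ELB security policies that still negotiate TLS 1.0 or TLS 1.1.
LEGACY_TLS_POLICIES = {
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-TLS-1-0-2015-04",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
}
# Attributes a reviewer would expect on an internet-facing ALB (all default to "false").
HARDENED_ALB_ATTRS = {
    "access_logs.s3.enabled": "true",
    "deletion_protection.enabled": "true",
    "routing.http.drop_invalid_header_fields.enabled": "true",
}

# Constructed transcription of the settings in the tutorial's templates.
TEMPLATE = {"Resources": {
    "ALBSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [
            {"CidrIp": "0.0.0.0/0", "FromPort": 80, "IpProtocol": "tcp", "ToPort": 80},
            {"CidrIp": "0.0.0.0/0", "FromPort": 443, "IpProtocol": "tcp", "ToPort": 443}]}},
    "ApplicationLoadBalancer": {"Type": LOAD_BALANCER, "Properties": {
        "Scheme": "internet-facing",
        "LoadBalancerAttributes": [
            {"Key": "access_logs.s3.enabled", "Value": "false"},
            {"Key": "deletion_protection.enabled", "Value": "false"},
            {"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "false"}]}},
    "HTTPSListener": {"Type": LISTENER, "Properties": {
        "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"}},
    "HTTPListener": {"Type": LISTENER, "Properties": {
        "Port": 80, "Protocol": "HTTP", "DefaultActions": [{"Type": "redirect"}]}},
    "IAMInstanceRole": {"Type": "AWS::IAM::Role", "Properties": {"ManagedPolicyArns": [
        "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess",
        "arn:aws:iam::aws:policy/CloudWatchFullAccess",
        "arn:aws:iam::aws:policy/AmazonEC2FullAccess"]}},
}}


def audit(template):
    """Return (resource name, finding) pairs for settings worth a review comment."""
    resources = template["Resources"]
    listener_ports = {r["Properties"]["Port"] for r in resources.values()
                      if r["Type"] == LISTENER}
    findings = []
    for name, res in resources.items():
        rtype, props = res["Type"], res.get("Properties", {})
        if rtype == LISTENER:
            if props["Protocol"] == "HTTPS" and props.get("SslPolicy") in LEGACY_TLS_POLICIES:
                findings.append((name, "tls-policy-allows-pre-1.2"))
            actions = props.get("DefaultActions", [])
            if props["Protocol"] == "HTTP" and not all(a["Type"] == "redirect" for a in actions):
                findings.append((name, "http-listener-not-redirecting"))
        elif rtype == LOAD_BALANCER:
            attrs = {a["Key"]: a["Value"] for a in props.get("LoadBalancerAttributes", [])}
            for key, want in HARDENED_ALB_ATTRS.items():
                if attrs.get(key, "false") != want:
                    findings.append((name, f"{key}={attrs.get(key, 'false')}"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                ports = set(range(rule["FromPort"], rule["ToPort"] + 1))
                if rule.get("CidrIp") == "0.0.0.0/0" and not ports <= listener_ports:
                    findings.append((name, f"world-open-without-listener:{rule['FromPort']}"))
        elif rtype == "AWS::IAM::Role":
            for arn in props.get("ManagedPolicyArns", []):
                if arn.endswith("FullAccess"):
                    findings.append((name, "broad-managed-policy:" + arn.rsplit("/", 1)[1]))
    return findings


def hardened_copy(template, log_bucket="example-alb-logs"):
    """Corrected listener and ALB settings; log_bucket is a hypothetical name.
    The role is left alone: scoping it needs the actions the stack really uses."""
    fixed = copy.deepcopy(template)
    for res in fixed["Resources"].values():
        props = res["Properties"]
        if res["Type"] == LISTENER and props["Protocol"] == "HTTPS":
            props["SslPolicy"] = "ELBSecurityPolicy-TLS13-1-2-2021-06"
        elif res["Type"] == LOAD_BALANCER:
            attrs = {a["Key"]: a["Value"] for a in props["LoadBalancerAttributes"]}
            attrs.update(HARDENED_ALB_ATTRS)
            attrs["access_logs.s3.bucket"] = log_bucket  # required once logging is on
            props["LoadBalancerAttributes"] = [{"Key": k, "Value": v}
                                               for k, v in attrs.items()]
    return fixed


if __name__ == "__main__":
    for name, finding in audit(TEMPLATE):
        print(f"{name}: {finding}")
    print("remaining after hardening:", audit(hardened_copy(TEMPLATE)))
```
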
Migrating an ECS service from EC2 container instances to Fargate
I've recently migrated an ECS service from ECS container instances to Fargate.
I used EC2 instances for some reasons. At first, there wasn't Fargate when I started using ECS. Even when they introduced Fargate, I needed EC2 container instances to mount EFS in containers. There are some other reasons including its pricing.
But when it comes to auto scaling, using Fargate is much easier than using EC2 container instances because I no longer need to think about scaling EC2 instances, but can focus on scaling ECS tasks.
So what did I need to do to move to Fargate when I migrated an ECS service associated with an ALB?
First, I needed to recreate an ALB target group. When you associate an ECS service running on Fargate with an ALB target group, the type of the target group has to be ip, not instance which is the default.
```sh
aws --region $REGION elbv2 create-target-group \
  --name $TARGET_GROUP_NAME \
  --protocol HTTP \
  --port $PORT \
  --vpc-id $VPC_ID \
  --target-type ip \
  --health-check-protocol HTTP \
  --health-check-path /
```
Second, I needed to update a task definition to make it use awsvpc network mode. Also, I needed to specify executionRoleArn, cpu and memory. You also need to change hostPort in portMappings to use the same port as containerPort. It should have been 0 when you used EC2 container instances. In addition to that, I needed to remove systemControls from container definitions in the task.
Lastly, set launch type of the service to FARGATE, and specify network configurations. You may need to remove placement strategy if you used it.
```sh
aws --region $REGION ecs create-service \
  --cluster $CLUSTER_NAME \
  --service-name $SERVICE_NAME \
  --task-definition $TASK_NAME \
  --desired-count 2 \
  --launch-type FARGATE \
  --network-configuration "awsvpcConfiguration={subnets=[$SUBNET1_ID,$SUBNET2_ID],securityGroups=[$SECURITY_GROUP_ID],assignPublicIp=DISABLED}" \
  --deployment-configuration maximumPercent=200,minimumHealthyPercent=100 \
  --load-balancers targetGroupArn=$TARGET_GROUP_ARN,containerName=$CONTAINER_NAME,containerPort=$PORT
```
You can set FARGATE capacity provider as a service's capacity provider (or even set it as a default capacity provider of your cluster) instead of specifying a launch type.
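The migration checklist from the post above, as an added example that is not the post author's code: it lists what blocks an EC2-launch-type task definition and service from running on Fargate, then applies the task definition changes the post describes. It transcribes only the points the post names and is not a complete Fargate validator; the sample definitions are constructed and every name in them is illustrative.

```python
import copy

# Constructed EC2-launch-type inputs (illustrative names and values).
EC2_TASK_DEF = {
    "family": "web",
    "networkMode": "bridge",
    "containerDefinitions": [{
        "name": "app",
        "image": "example/app:1",
        "memory": 512,
        "portMappings": [{"containerPort": 8080, "hostPort": 0}],  # 0 = dynamic host port
        "systemControls": [{"namespace": "net.core.somaxconn", "value": "1024"}],
    }],
}
EC2_SERVICE = {
    "launchType": "EC2",
    "placementStrategy": [{"type": "spread", "field": "instanceId"}],
}
EC2_TARGET_GROUP = {"TargetType": "instance"}


def task_blockers(task_def):
    """Task definition changes the post lists for Fargate."""
    issues = []
    if task_def.get("networkMode") != "awsvpc":
        issues.append("networkMode must be awsvpc")
    for field in ("executionRoleArn", "cpu", "memory"):
        if not task_def.get(field):
            issues.append(f"task-level {field} is missing")
    for container in task_def.get("containerDefinitions", []):
        for mapping in container.get("portMappings", []):
            host = mapping.get("hostPort")
            if host is not None and host != mapping["containerPort"]:
                issues.append(f"{container['name']}: hostPort {host} must equal "
                              f"containerPort {mapping['containerPort']}")
        if container.get("systemControls"):
            issues.append(f"{container['name']}: systemControls must be removed")
    return issues


def service_blockers(service, target_group):
    """Service and target group changes the post lists. Only launchType is
    modelled here; the post notes a FARGATE capacity provider as an alternative."""
    issues = []
    if target_group.get("TargetType", "instance") != "ip":
        issues.append("target group type must be ip")
    if service.get("launchType") != "FARGATE":
        issues.append("launchType must be FARGATE")
    if "awsvpcConfiguration" not in service.get("networkConfiguration", {}):
        issues.append("networkConfiguration.awsvpcConfiguration is missing")
    if service.get("placementStrategy"):
        issues.append("placementStrategy must be removed")
    return issues


def to_fargate(task_def, execution_role_arn, cpu, memory):
    """Return a converted copy; the input definition is left untouched."""
    converted = copy.deepcopy(task_def)
    converted.update(
        networkMode="awsvpc",
        executionRoleArn=execution_role_arn,
        cpu=str(cpu),
        memory=str(memory),
        requiresCompatibilities=["FARGATE"],
    )
    for container in converted["containerDefinitions"]:
        for mapping in container.get("portMappings", []):
            mapping["hostPort"] = mapping["containerPort"]
        container.pop("systemControls", None)
    return converted


if __name__ == "__main__":
    for issue in task_blockers(EC2_TASK_DEF) + service_blockers(EC2_SERVICE, EC2_TARGET_GROUP):
        print("blocker:", issue)
    role = "arn:aws:iam::<AWS_ACCOUNT_ID>:role/ecsTaskExecutionRole"  # placeholder ARN
    print("after conversion:", task_blockers(to_fargate(EC2_TASK_DEF, role, 256, 512)))
```

Because each task gets its own network interface in awsvpc mode, the security group passed in `awsvpcConfiguration` applies to the task itself rather than to a shared container instance.
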
AWS VPC - A Crash Course (Demos Included)
Course Contents ⭐️ ⌨️ (00:00) In...
Difference and Advantages of VPC, ACL and SG | CyberSecurityTV
Explore the Ultimate Shield 🛡️ Showdown! In this exclusive CyberSecurityTV episode, they dissect the key differences and unbeatable advantages of VPC, ACL, and SG.
Don't miss this in-depth dive into the world of network security!
Unlock the full potential of #AWS with comprehensive courses at your fingertips. Stay updated on cloud advancements and harness the power of Amazon Web Services for your projects. https://www.dclessons.com/amazon-virtual-private-cloud
Setting up an EC2 instance with the AWS::CloudFormation::Init type in AWS CDK https://ift.tt/2lkBYUK
Last time I launched an EC2 instance using the AWS Cloud Development Kit (AWS CDK), so this time I also checked whether the AWS::CloudFormation::Init type can be used with AWS CDK.
Launching an EC2 instance with the AWS Cloud Development Kit (AWS CDK) – Qiita https://cloudpack.media/48912
For the AWS::CloudFormation::Init type, see the following.
Setting up an EC2 instance using the AWS::CloudFormation::Init type – Qiita https://cloudpack.media/48540
Prerequisites
You have an AWS account
The AWS CLI is available
Node.js is installed
Implementation
I added an AWS::CloudFormation::Init type definition on top of the implementation from the previous article.
Launching an EC2 instance with the AWS Cloud Development Kit (AWS CDK) – Qiita https://cloudpack.media/48912
```typescript
import cdk = require('@aws-cdk/core');
import ec2 = require('@aws-cdk/aws-ec2/lib');

export class UseCdkEc2Stack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    let vpc = ec2.Vpc.fromLookup(this, 'VPC', {
      vpcId: this.node.tryGetContext('vpc_id')
    });

    // SSH (22) is only allowed from the CIDR passed in as context
    const cidrIp = this.node.tryGetContext('cidr_ip');
    const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', {
      vpc
    });
    securityGroup.addEgressRule(ec2.Peer.anyIpv4(), ec2.Port.allTraffic());
    securityGroup.addIngressRule(ec2.Peer.ipv4(cidrIp), ec2.Port.tcp(22));

    let ec2Instance = new ec2.CfnInstance(this, 'myInstance', {
      imageId: new ec2.AmazonLinuxImage().getImage(this).imageId,
      instanceType: new ec2.InstanceType('t3.small').toString(),
      networkInterfaces: [{
        associatePublicIpAddress: true,
        deviceIndex: '0',
        groupSet: [securityGroup.securityGroupId],
        subnetId: vpc.publicSubnets[0].subnetId
      }],
      keyName: this.node.tryGetContext('key_pair')
    });

    // Attach the AWS::CloudFormation::Init definition as resource metadata
    ec2Instance.addOverride('Metadata', {
      'AWS::CloudFormation::Init': {
        'config': {
          'commands': {
            'test': {
              'command': "echo $STACK_NAME test",
              'env': {
                'STACK_NAME': this.stackName
              }
            }
          },
        }
      }
    });

    // Run cfn-init from user data so the metadata above is applied at boot
    let userData = ec2.UserData.forLinux();
    userData.addCommands(
      '/opt/aws/bin/cfn-init',
      `--region ${this.region}`,
      `--stack ${this.stackName}`,
      `--resource ${ec2Instance.logicalId}`
    );
    userData.addCommands('echo', 'hoge!');
    ec2Instance.userData = cdk.Fn.base64(userData.render());

    new cdk.CfnOutput(this, 'Id', { value: ec2Instance.ref });
    new cdk.CfnOutput(this, 'PublicIp', { value: ec2Instance.attrPublicIp });
  }
}
```
I dug through the official documentation but found no good information, so I referred to the following issues.
Add support for AWS::CloudFormation::Init · Issue #777 · aws/aws-cdk https://github.com/aws/aws-cdk/issues/777
ec2: cfn-init support in ASGs · Issue #1413 · aws/aws-cdk https://github.com/aws/aws-cdk/issues/1413
feat(aws-ec2): add support for CloudFormation::Init by rix0rrr · Pull Request #792 · aws/aws-cdk https://github.com/aws/aws-cdk/pull/792
The added implementation is as follows. The key point is that ec2Instance.addOverride() adds the metadata, and the definition is added there with the AWS::CloudFormation::Init type. Because the --resource option of /opt/aws/bin/cfn-init takes the resource name, userData is set after ec2Instance is created so that ec2Instance.logicalId can be used. Hard-coding it would be fine too.
```typescript
ec2Instance.addOverride('Metadata', {
  'AWS::CloudFormation::Init': {
    'config': {
      'commands': {
        'test': {
          'command': "echo $STACK_NAME test",
          'env': {
            'STACK_NAME': this.stackName
          }
        }
      },
    }
  }
});

let userData = ec2.UserData.forLinux();
userData.addCommands(
  '/opt/aws/bin/cfn-init',
  `--region ${this.region}`,
  `--stack ${this.stackName}`,
  `--resource ${ec2Instance.logicalId}`
);
userData.addCommands('echo', 'hoge!');
ec2Instance.userData = cdk.Fn.base64(userData.render());
// (omitted)
```
Deploying
```
> cdk deploy \
  -c vpc_id=vpc-xxxxxxxx \
  -c key_pair=cdk-test-ec2-key \
  -c cidr_ip=xxx.xxx.xxx.xxx/32

This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

Security Group Changes
┌───┬──────────────────────────┬─────┬────────────┬────────────────────┐
│   │ Group                    │ Dir │ Protocol   │ Peer               │
├───┼──────────────────────────┼─────┼────────────┼────────────────────┤
│ + │ ${SecurityGroup.GroupId} │ In  │ TCP 22     │ xxx.xxx.xxx.xxx/32 │
│ + │ ${SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4)    │
└───┴──────────────────────────┴─────┴────────────┴────────────────────┘
(NOTE: There may be security-related changes not in this list. See http://bit.ly/cdk-2EhF7Np)

Do you wish to deploy these changes (y/n)? y
UseCdkEc2Stack: deploying...
useCdkEc2Stack: creating CloudFormation changeset...
 0/4 | 14:30:29 | CREATE_IN_PROGRESS | AWS::CDK::Metadata | CDKMetadata
 0/4 | 14:30:30 | CREATE_IN_PROGRESS | AWS::EC2::SecurityGroup | SecurityGroup (SecurityGroupDD263621)
 0/4 | 14:30:32 | CREATE_IN_PROGRESS | AWS::CDK::Metadata | CDKMetadata Resource creation Initiated
 1/4 | 14:30:32 | CREATE_COMPLETE | AWS::CDK::Metadata | CDKMetadata
 1/4 | 14:30:35 | CREATE_IN_PROGRESS | AWS::EC2::SecurityGroup | SecurityGroup (SecurityGroupDD263621) Resource creation Initiated
 2/4 | 14:30:37 | CREATE_COMPLETE | AWS::EC2::SecurityGroup | SecurityGroup (SecurityGroupDD263621)
 2/4 | 14:30:39 | CREATE_IN_PROGRESS | AWS::EC2::Instance | myInstance
 2/4 | 14:30:40 | CREATE_IN_PROGRESS | AWS::EC2::Instance | myInstance Resource creation Initiated
 3/4 | 14:30:56 | CREATE_COMPLETE | AWS::EC2::Instance | myInstance
 4/4 | 14:30:59 | CREATE_COMPLETE | AWS::CloudFormation::Stack | UseCdkEc2Stack

UseCdkEc2Stack

Outputs:
UseCdkEc2Stack.PublicIp = xxx.xxx.xxx.xxx
UseCdkEc2Stack.Id = i-xxxxxxxxxxxxxxxxx

Stack ARN:
arn:aws:cloudformation:us-east-1:xxxxxxxxxxxx:stack/UseCdkEc2Stack/72304c90-b41d-11e9-b604-129cd46a326a
```
Once it is deployed, SSH in and check the execution logs.
```
> ssh -i cdk-test-ec2-key \
  [email protected]

$ cat /var/log/cfn-init.log
2019-08-01 05:31:11,740 [INFO] -----------------------Starting build-----------------------
2019-08-01 05:31:11,740 [INFO] Running configSets: default
2019-08-01 05:31:11,741 [INFO] Running configSet default
2019-08-01 05:31:11,742 [INFO] Running config config
2019-08-01 05:31:11,746 [INFO] Command test succeeded
2019-08-01 05:31:11,746 [INFO] ConfigSets completed
2019-08-01 05:31:11,746 [INFO] -----------------------Build complete-----------------------

$ cat /var/log/cfn-init-cmd.log
2019-08-01 05:31:11,742 P2090 [INFO] ************************************************************
2019-08-01 05:31:11,742 P2090 [INFO] ConfigSet default
2019-08-01 05:31:11,743 P2090 [INFO] ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2019-08-01 05:31:11,743 P2090 [INFO] Config config
2019-08-01 05:31:11,743 P2090 [INFO] ============================================================
2019-08-01 05:31:11,743 P2090 [INFO] Command test
2019-08-01 05:31:11,746 P2090 [INFO] -----------------------Command Output-----------------------
2019-08-01 05:31:11,746 P2090 [INFO] UseCdkEc2Stack test
2019-08-01 05:31:11,746 P2090 [INFO] ------------------------------------------------------------
2019-08-01 05:31:11,746 P2090 [INFO] Completed successfully.

$ cat /var/log/cloud-init-output.log
(omitted)
Updated:
  bind-libs.x86_64 32:9.8.2-0.68.rc1.60.amzn1
  bind-utils.x86_64 32:9.8.2-0.68.rc1.60.amzn1
  kernel-tools.x86_64 0:4.14.133-88.105.amzn1
  python27-jinja2.noarch 0:2.7.2-3.16.amzn1
  vim-common.x86_64 2:8.0.0503-1.46.amzn1
  vim-enhanced.x86_64 2:8.0.0503-1.46.amzn1
  vim-filesystem.x86_64 2:8.0.0503-1.46.amzn1
  vim-minimal.x86_64 2:8.0.0503-1.46.amzn1

Complete!
Cloud-init v. 0.7.6 running 'modules:final' at Thu, 01 Aug 2019 05:31:11 +0000. Up 18.18 seconds.
hoge!
Cloud-init v. 0.7.6 finished at Thu, 01 Aug 2019 05:31:11 +0000. Datasource DataSourceEc2. Up 18.77 seconds
```
Running the /opt/aws/bin/cfn-init command from the user data executed the command specified in the metadata with the AWS::CloudFormation::Init type. Nice.
Summary
There is probably a better way to implement the metadata specification, but for now I'm satisfied to have confirmed that the AWS::CloudFormation::Init type can be used with AWS CDK as well.
References
Launching an EC2 instance with the AWS Cloud Development Kit (AWS CDK) – Qiita https://cloudpack.media/48912
Setting up an EC2 instance using the AWS::CloudFormation::Init type – Qiita https://cloudpack.media/48540
Add support for AWS::CloudFormation::Init · Issue #777 · aws/aws-cdk https://github.com/aws/aws-cdk/issues/777
ec2: cfn-init support in ASGs · Issue #1413 · aws/aws-cdk https://github.com/aws/aws-cdk/issues/1413
feat(aws-ec2): add support for CloudFormation::Init by rix0rrr · Pull Request #792 · aws/aws-cdk https://github.com/aws/aws-cdk/pull/792
Original article:
"Setting up an EC2 instance with the AWS::CloudFormation::Init type in AWS CDK"
September 02, 2019 at 04:00PM
Milton Security Announces Partnership With Carbon Black
FULLERTON, Calif., Sept. 6, 2017 /PRNewswire/ -- Milton Security Group Inc., a cybersecurity company that specializes in Managed Detection & Response (MDR) and Carbon Black, the leader in next-generation endpoint security, announced a partnership to bring Milton Security's virtual Security Operations Center with MDR and Carbon Black's CB Endpoint Security Platform together to bring the next level of visibility and security for organizations of all sizes.
Milton Security offers its virtual Security Operations Center with MDR, a multi-faceted offering that combines Managed Detection, Incident Response, Real-Time monitoring and threat hunting all with an affordable pricing matrix that starts from $3,066 per year. Customers are able to sign up for a vSOC/MDR Plan that best suits their company's needs at an affordable price. Paired together with Carbon Black's Endpoint Security Platform, it brings even more visibility and mitigation potential.
"This partnership with Carbon Black will allow Milton Security to utilize premier tools like CB Defense and CB Response to assist in the mitigation of endpoint threats," said James McMurry, CEO of Milton Security. "Together, Milton Security and Carbon Black is the ultimate combination of technical prowess from both sides. All of us at Milton Security are extremely excited about this new partnership."
"At Carbon Black, security is in our DNA and we look for partners who have the same makeup. Milton Security is one of those companies," said Carbon Black Security Strategist, Rick McElroy. "Carbon Black was created by security experts who understand how difficult the job of being a managed provider is. This partnership will allow current Milton customers to rapidly mature their end point security posture as well as allowing Milton the ability to provide proactive scalable end point detection and response."
http://www.miltonsecurity.com Via @prnewswire
#miltonsecurity#cybersecurity#milton#mdr#securityplatform#securityexperts#rickmcelroy#cbdefense#securitygroup#jamesmcmurry#carbonblack#virtualsecurity#dna#matrix
0 notes
Text
This article is part 3 of a 4-part guide to running Docker containers on AWS ECS. ECS stands for Elastic Container Service. It is a managed container service that can run Docker containers. Although AWS also offers container management with Kubernetes (EKS), it also has its proprietary solution (ECS).

The guide will cover:
Creating the ECS Cluster.
Provisioning an Image Registry (ECR) and pushing Docker images to the registry.
Deploying Containers to the cluster using Task and Service Definitions.
Creating a Pipeline to update the services running on the ECS Cluster.

Here are parts 1 and 2:
Running Docker Containers on AWS With ECS – Part 1
Running Docker Containers on AWS ECS – Upload Docker Images to ECR – part 2

Part 3 of this guide covers "Deploying Containers to the cluster using Task and Service Definitions". For this demonstration, we will use the simple hello-world image we pushed to our ECR registry from Docker Hub. We will create a task and service definition and deploy this to the ECS cluster.

Requirements/Prerequisites
An AWS Account.
A User created on the account with permissions to provision resources on the account.
A Route 53 Hosted Zone created with your custom domain (can be a public or private zone depending on the user requirements).
Your site certificate imported into or generated in ACM (Amazon Certificate Manager).
A provisioned AWS ECS Cluster.
Your Docker Image uploaded to the ECR Registry.

Create the AWS Application Load Balancer and Target Group
The ALB (Application Load Balancer) is an AWS managed load balancer that routes traffic based on OSI layer 7 protocols. We will use the Load Balancer to expose our hello-world service endpoint. We already have an AWS guide on creating an Application Load Balancer at the link below:
Create and Configure AWS Application Load Balancer with CloudFormation
Hence, I will not go into too much detail about the ALB. We will use the CloudFormation template below to create and configure our ECS ALB.
The template will provision:
An ALB (Application Load Balancer).
The ALB Security Group.
Target Group.
ALB Listeners and Listener Rule.

N/B: Should the reader/user want to expose their services internally, they should create the load balancer on the private subnets. Otherwise, the load balancer should be internet-facing and created on the public subnets. For a highly available load balancer, the user should provision it on different subnets in different availability zones.

AWSTemplateFormatVersion: "2010-09-09"
Description: "Create ALB, Target Groups and ALB security group"
Parameters:
  VPC:
    Type: String
    Description: The vpc to launch the service
    Default: vpc-ID
  PublicSubnet1:
    Type: String
    Description: The subnet where to launch the service
    Default: subnet-ID
  PublicSubnet2:
    Type: String
    Description: the subnet where to Launch the service
    Default: subnet-ID
Resources:
  ALBSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "security group for ALB"
      GroupName: "test-prod-ALB-SG"
      Tags:
        - Key: "Project"
          Value: "test-blog"
        - Key: "createdBy"
          Value: "Maureen Barasa"
        - Key: "Environment"
          Value: "test"
        - Key: "Name"
          Value: "test-ALB-SG"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        # Internet-facing ALB: HTTP and HTTPS are open to any source address.
        - CidrIp: "0.0.0.0/0"
          FromPort: 80
          IpProtocol: "tcp"
          ToPort: 80
        - CidrIp: "0.0.0.0/0"
          FromPort: 443
          IpProtocol: "tcp"
          ToPort: 443
  ApplicationLoadBalancer:
    Type: "AWS::ElasticLoadBalancingV2::LoadBalancer"
    Properties:
      Name: "test-Application-Load-Balancer"
      Scheme: "internet-facing"
      Type: "application"
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
      SecurityGroups:
        - !Ref ALBSecurityGroup
      IpAddressType: "ipv4"
      LoadBalancerAttributes:
        - Key: "access_logs.s3.enabled"
          Value: "true"
        # Enabling access logs requires a bucket. "logs-bucket-NAME" is a placeholder
        # for an existing bucket whose policy allows ELB log delivery.
        - Key: "access_logs.s3.bucket"
          Value: "logs-bucket-NAME"
        - Key: "idle_timeout.timeout_seconds"
          Value: "60"
        - Key: "deletion_protection.enabled"
          Value: "false"
        - Key: "routing.http2.enabled"
          Value: "true"
        - Key: "routing.http.drop_invalid_header_fields.enabled"
          Value: "false"
      Tags:
        - Key: "Project"
          Value: "test-blog"
        - Key: "createdBy"
          Value: "Maureen Barasa"
        - Key: "Environment"
          Value: "test"
        - Key: "Name"
          Value: "test-Application-Load-Balancer"
  HTTPSListener:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 443
      Protocol: "HTTPS"
      # ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and 1.1.
      SslPolicy: "ELBSecurityPolicy-2016-08"
      Certificates:
        - CertificateArn: arn:aws:acm:eu-central-1:*************:certificate/************
      DefaultActions:
        - Order: 1
          TargetGroupArn: !Ref TestTargetGroup
          Type: "forward"
  HTTPListener:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 80
      Protocol: "HTTP"
      DefaultActions:
        # Redirect all plain HTTP requests to HTTPS, keeping host, path and query.
        - Order: 1
          RedirectConfig:
            Protocol: "HTTPS"
            Port: "443"
            Host: "#{host}"
            Path: "/#{path}"
            Query: "#{query}"
            StatusCode: "HTTP_301"
          Type: "redirect"
  TestTargetGroup:
    Type: "AWS::ElasticLoadBalancingV2::TargetGroup"
    Properties:
      HealthCheckIntervalSeconds: 30
      HealthCheckPath: "/"
      Port: 80
      Protocol: "HTTP"
      HealthCheckPort: "traffic-port"
      HealthCheckProtocol: "HTTP"
      HealthCheckTimeoutSeconds: 5
      UnhealthyThresholdCount: 2
      # Fargate tasks in awsvpc mode register by IP address.
      TargetType: "ip"
      Matcher:
        HttpCode: "200"
      HealthyThresholdCount: 5
      VpcId: !Ref VPC
      Name: "target-group-1"
      HealthCheckEnabled: true
      TargetGroupAttributes:
        - Key: "stickiness.enabled"
          Value: "false"
        - Key: "deregistration_delay.timeout_seconds"
          Value: "300"
        - Key: "stickiness.type"
          Value: "lb_cookie"
        - Key: "stickiness.lb_cookie.duration_seconds"
          Value: "86400"
        - Key: "slow_start.duration_seconds"
          Value: "0"
        - Key: "load_balancing.algorithm.type"
          Value: "round_robin"
  TestListenerRule1:
    Type: "AWS::ElasticLoadBalancingV2::ListenerRule"
    Properties:
      Priority: "1"
      ListenerArn: !Ref HTTPSListener
      Conditions:
        - Field: "host-header"
          Values:
            - "test1.helloworld.com"
      Actions:
        - Type: "forward"
          TargetGroupArn: !Ref TestTargetGroup
          Order: 1
          ForwardConfig:
            TargetGroups:
              - TargetGroupArn: !Ref TestTargetGroup
                Weight: 1
            TargetGroupStickinessConfig:
              Enabled: false
Outputs:
  ALB:
    Description: The created loadbalancer
    Value: !Ref ApplicationLoadBalancer
  TargetGroup:
    Description: The created TargetGroup
    Value: !Ref TestTargetGroup
  LoadBalancerSecurityGroup:
    Description: the security group for the ALB
    Value: !Ref ALBSecurityGroup

Under the HTTPS Listener, replace the certificate with your generated certificate ARN. Also, under the listener rule, replace the host header with a record set you created in the Route 53 hosted zone. The Tags and Names of the resources should also be customized to the user's requirements.

ECS Task and Service Definition
An ECS Task Definition defines the requirements for your Docker container. It defines the image to be used, CPU and memory requirements, etc. An ECS service definition defines how the application/service will be run. It defines the launch type, the cluster where the service will be run, the target group to use for the ALB, the task definition to use, etc.

Create the ECS Task Execution Role
N/B: The task execution role is usually already created on AWS accounts. One can search for it as ecsTaskExecutionRole. In case one has not been created on your account, use the below CloudFormation template to create one.
AWSTemplateFormatVersion: "2010-09-09"
Description: "Template to create ECS Task Execution Role"
Resources:
  ECSTaskExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      Description: The ECS task execution Role
      RoleName: AWSECSTaskExecutionRole
      # Only the ECS tasks service may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Tags:
        - Key: "Project"
          Value: "test-blog"
        - Key: "Environment"
          Value: "test"
        - Key: "createdBy"
          Value: "Maureen Barasa"
        - Key: "Name"
          Value: "AWSECSTaskExecutionRole"
Outputs:
  IAMRole:
    Description: the role created
    Value: !Ref ECSTaskExecutionRole
    Export:
      Name: !Sub "${AWS::StackName}-rolename"

Create the ECS Task and Service Definition
Use the below template to create the task and service definition.

N/B: The template creates the task and service definition for a Fargate cluster. Also, for the task role and task execution role ARN, use the ARN of the role created above, or if existing, use the ARN of the ecsTaskExecutionRole. To create task and service definitions for an EC2 cluster, replace LaunchType on the Service Definition with EC2. On the Task Definition, EC2 can work with any Network Mode: awsvpc, bridge or host. Fargate only works with awsvpc mode.

AWSTemplateFormatVersion: "2010-09-09"
Description: "hello-world task and service definition"
Parameters:
  VPC:
    Type: String
    Description: The vpc to launch the service
    Default: vpc-ID
  Subnet1:
    Type: String
    Description: The subnet where to launch the service
    Default: subnet-ID
  Subnet2:
    Type: String
    Description: The subnet where to launch the service
    Default: subnet-ID
Resources:
  CWLoggroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: ecs-hello-world-Loggroup
  TaskDefinition:
    Type: "AWS::ECS::TaskDefinition"
    Properties:
      ContainerDefinitions:
        - Essential: true
          Image: 429758582529.dkr.ecr.eu-central-1.amazonaws.com/hello-world:latest
          # Container stdout/stderr goes to the CloudWatch log group created above.
          LogConfiguration:
            LogDriver: "awslogs"
            Options:
              awslogs-group: !Ref CWLoggroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: "ecs"
          Name: "Hello_World"
          PortMappings:
            - ContainerPort: 80
              HostPort: 80
              Protocol: "tcp"
      Family: "Hello_World"
      TaskRoleArn: arn:aws:iam::429758582529:role/AWSECSTaskExecutionRole
      ExecutionRoleArn: arn:aws:iam::429758582529:role/AWSECSTaskExecutionRole
      NetworkMode: "awsvpc"
      RequiresCompatibilities:
        - "FARGATE"
      Cpu: "256"
      Memory: "512"
  ServiceDefinition:
    Type: "AWS::ECS::Service"
    Properties:
      ServiceName: "hello-world"
      Cluster: "arn:aws:ecs:eu-central-1:429758582529:cluster/eu-central-1-test-ECS-Fargate-Cluster"
      LoadBalancers:
        - TargetGroupArn: "arn:aws:elasticloadbalancing:eu-central-1:************:targetgroup/test-fargate-hello/*********"
          ContainerName: "Hello_World"
          ContainerPort: 80
      DesiredCount: 1
      LaunchType: "FARGATE"
      PlatformVersion: "1.4.0"
      TaskDefinition: !Ref TaskDefinition
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 100
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: "ENABLED"
          # "sg-ID" is a placeholder for the security group attached to the tasks.
          SecurityGroups:
            - "sg-ID"
          Subnets:
            - !Ref Subnet1
            - !Ref Subnet2
      HealthCheckGracePeriodSeconds: 300
      SchedulingStrategy: "REPLICA"
Outputs:
  HelloTaskDefinition:
    Description: The created name of the ECS TaskDefinition
    Value: !Ref TaskDefinition
  HelloService:
    Description: The ECS service
    Value: !Ref ServiceDefinition

N/B: The CloudFormation template should be customized to the user's requirements. We can customize the:
Names of the resources to be provisioned.
Container Definitions, where we can change the image name, port mappings, etc.
The user/reader should also replace the cluster and target group ARN to reflect his/her own values.

When done you should have the service running on your ECS Cluster as below.
ECS Cluster with Running Task and Service
You can now access your service via the domain name you created.

Important Links
Create and Configure AWS Application Load Balancer with CloudFormation
AWS ALB Docs
AWS ECS Docs
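The service definition in this article leaves the task security group as the placeholder "sg-ID" while giving the tasks a public IP, so what that group admits decides whether the container is reachable only through the ALB. As an added example (not part of the original article), the template below creates a task security group that accepts port 80 only from the ALB security group; the names ALBSecurityGroupId and ServiceSecurityGroup are assumptions made here.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Security group for the hello-world Fargate tasks (added example)"
Parameters:
  VPC:
    Type: AWS::EC2::VPC::Id
    Description: The VPC that holds the ALB and the ECS service
  ALBSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: ID of the ALB security group (the LoadBalancerSecurityGroup output of the ALB stack)
Resources:
  ServiceSecurityGroup:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "hello-world tasks, port 80 from the ALB only"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        # Reference the ALB security group instead of a CIDR range, so only
        # traffic that has passed through the load balancer reaches
        # ContainerPort 80 of the task definition.
        - SourceSecurityGroupId: !Ref ALBSecurityGroupId
          IpProtocol: "tcp"
          FromPort: 80
          ToPort: 80
      SecurityGroupEgress:
        # Declaring an egress rule replaces the default allow-all rule.
        # HTTPS out covers the image pull from ECR and log delivery to
        # CloudWatch Logs.
        - CidrIp: "0.0.0.0/0"
          IpProtocol: "tcp"
          FromPort: 443
          ToPort: 443
Outputs:
  ServiceSecurityGroup:
    Description: Group ID to use in place of "sg-ID" in the service definition
    Value: !GetAtt ServiceSecurityGroup.GroupId
```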
0 notes
Text
2019/04/22-28
*[Python] No more print debugging / Easy debugging with PySnooper
https://blog.ikedaosushi.com/entry/2019/04/28/085904
>Installation is done with pip.
>You can debug easily, without adding lots of print statements or setting up a debugger such as pdb.
*Windows 10's next update: can't it be installed on devices with small storage?
http://news.livedoor.com/article/detail/16383721/
>Microsoft plans to release "Windows 10 May 2019 Update", the next major update for Windows 10, in May 2019.
>Free hard disk space: 16GB (32-bit OS) or 20GB (64-bit OS)
>According to Ars Technica, version 1903 permanently reserves 7GB of storage for the installation process so that future updates can be installed without problems. This makes it possible to avoid errors caused by a lack of free storage during OS updates, but on devices with small storage capacity the freely usable space can be expected to shrink dramatically.
>The new system requirements do not apply to the IoT editions of Windows 10.
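*[A must for everyone] I tried to prove that GuardDuty is the most cost-effective threat detection service
https://dev.classmethod.jp/cloud/aws/guardduty-si-strongest-thread-detection/
>In more than 85% of accounts, GuardDuty is used at a cost of 1% or less of the total AWS spend!
>
>And in more than 95% of accounts, it is used at a cost of 2% or less!
>GuardDuty can be used free of charge for 30 days. During that time you will find out how much it actually costs!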
*I made a template that enables GuardDuty in all regions and sets up notifications in one shot
https://dev.classmethod.jp/cloud/aws/set-guardduty-all-region/
*"VPC design": what I wish I had known before adopting AWS
https://qiita.com/takuya_tsurumi/items/77f246c0ad4bc8caf234
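*Answers to questions about MySQL semi-synchronous replication, with details
https://yakst.com/ja/posts/5463
>Lossless semi-synchronous replication was introduced in MySQL 5.7 to solve the problems above. With lossless semi-synchronous replication, the semi-sync promise is kept (every transaction for which the client received a COMMIT response has been propagated). In addition, phantom reads do not occur.
*MySQL semi-synchronous replication
https://rkajiyama.hatenablog.com/entry/20150917/p1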
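*Measures (request) addressed to Japan Registry Services Co., Ltd. concerning the management and operation of ".jp" domain names
http://www.soumu.go.jp/menu_news/s-news/01kiban04_02000152.html
*In what order should you implement security measures on AWS
https://speakerdeck.com/cmusudakeisuke/awsshang-falsesekiyuriteidui-ce-wodouiushun-xu-deyatuteikebaiika
>Essential items among AWS services
> - IAM management
> - Restrict SecurityGroups appropriately
> - Enable CloudTrail / AWS Config
> - GuardDuty setup + SNS notifications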
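*"Periodic password changes are an ancient and obsolete measure of very low value": Microsoft changes its policy in the next major update
https://www.itmedia.co.jp/enterprise/articles/1904/26/news082.html
>However, Microsoft states flatly that "periodic password expiration is an ancient and obsolete measure of very low value, and is not worth enforcing as a baseline."
*The most dangerous password, used by more than 23 million people who fell victim to hacking, is "123456"
https://gigazine.net/news/20190422-most-used-dangerous-password/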
*Scientific Linux development to end; moving to CentOS from now on
https://mag.osdn.jp/19/04/23/144500
*PostgreSQL in Detail [covers 10/11]: new features and practical knowledge useful in the field
http://gihyo.jp/dev/feature/01/dex_postgresql/0002
*Trying out NIFCLOUD's virus and spyware protection (ESET File Security for NIFCLOUD)
https://blog.pfs.nifcloud.com/20140426_eset
*Retrieving the initial password of a Windows Server built on EC2
http://blog.serverworks.co.jp/tech/2019/04/26/get-windows-administrator-password/
*Data can now be loaded from Amazon S3 into Amazon RDS for PostgreSQL
https://dev.classmethod.jp/cloud/aws/rds-postgresql-support-s3-load/
0 notes
Text
How should I prepare for AWS DevOps professional
AWS Certified DevOps Engineer - Professional seemed to me a comprehensive exam that focuses more on the automation part. The exam had a good mix of questions on both automating the provisioning of infrastructure and automating the deployment of applications. Almost all the questions were scenario-based and were aimed at verifying your practical knowledge of the various AWS services that could help an organization implement DevOps. In the sections below, I will cover some details about the exam. But before you can take the exam, there are some basic conditions.
Pre-requisite
The basic requirements for taking this certification exam are:
You must have already passed an associate-level AWS certification, SysOps Administrator or AWS Developer. Without this you cannot sit the professional-level DevOps exam.
AWS recommends that you have at least two years of practical experience, but that is not a hard requirement. However, I also believe that practical experience will be very useful here, since the questions asked are mainly scenario-based.
Exam Overview
The beta exam costs $150. The final exam has not been published yet, but it may be priced at $300, in line with the Solutions Architect professional-level certification exam. You can also find some discount vouchers for certification exams at AWS public events.
The beta exam had about 105 multiple-choice and multiple-answer questions. There is no written or hands-on part in the exam. The duration of the exam is 170 minutes. I felt that this was a very long exam because most of the questions were too long, and if you are not a quick reader, it would be difficult to attempt all the questions. But since this was the beta exam, more questions are to be expected. The final exam may reduce the number of questions.
Unlike other AWS certification exams, the beta exam does not give you an immediate result. They say it will take about 6 to 8 weeks before they can share the results. The passing percentage has not been disclosed, and Amazon may be trying to find the right one through this beta exam.
Exam content
The following are the exam domains and their weighting in the exam.
1.0 Continuous Delivery and Process Automation (55%)
This is the area where you can get the highest scores if you are well prepared; otherwise it will be just as much of a problem. The questions focused mostly on CloudFormation and Elastic Beanstalk and covered a wide range of implementation-level challenges, such as automating infrastructure provisioning with CloudFormation, configuring bootstrapping procedures, or deploying an application with Elastic Beanstalk. You should read a lot about CloudFormation stack updates and how you can prevent some resources within the template from being updated. Another heavily represented area was continuous updates and rollbacks using Elastic Beanstalk with minimal or no downtime, and also how to use Route 53 and Elastic Beanstalk together to perform A/B testing of application environments/versions. There were not many questions about the CLI or SDKs, but if you have worked with either of them briefly, you should be able to answer them.
Not all new services like CodeCommit, CodeDeploy, and CodePipeline were part of the beta test. However, it is likely to appear in the final test.
2.0 Monitoring, Metrics, and Logging (20%)
As the name implies, this section has standard questions about CloudWatch that include configuring alarms, triggering actions, custom CloudWatch metrics, etc. CloudWatch Logs, one of the latest AWS services, was part of the exam.
3.0 Security, Governance, and Validation (10%)
This section includes questions about different ways to keep your environments isolated, for example whether it is a good idea to use different VPCs in the same account or completely different AWS accounts. Also, if you use the same account for different teams/environments, how to control access to the different resources. There were one or two questions about consolidated billing and invoicing. Most questions about security configuration using VPC / Subnet / SecurityGroup / IAM roles were linked in one way or another to scenarios involving CloudFormation, Elastic Beanstalk, or OpsWorks.
4.0 High Availability and Elasticity (15%)
This section also includes standard questions about fault tolerance and high availability. There were not many questions related to them, but those that were part of the exam were linked to the standard three-tier architecture, including the web and application tiers and the database, with traffic flowing through Route 53 and ELB.
Summary
In general, the exam seems comprehensive, and practical experience with AWS is a must. I found most use cases centered around CloudFormation and Elastic Beanstalk, and some of them around OpsWorks as well. The main focus was on reducing downtime and streamlining the delivery flow by automating almost everything from provisioning to application configuration and deployment.
Here's additional information that can help you plan for this exam.
Here is the AWS test form.
AWS recommends two years of AWS practical experience.
AWS whitepapers.
Reference architectures in AWS.
0 notes