AWS Config

Note: AWS Config records and evaluates configurations of your AWS resources.

You set up a bucket, a SNS topic and some rules.

The state of your AWS resources are stored and, if a non-compliant resource gets created, you get notified via the SNS topic.

Example rules might be:

  • Only SSL requests on S3 buckets
  • Logging enabled on S3 buckets
  • Versioning enabled on S3 buckets
  • Volumes are encrypted
  • SSH restricted: i.e. only a restricted set of IPs are allowed to access via SSH

https://aws.amazon.com/config/

 

Note: AWS Config is expensive.

AWS Control Tower

AWS Control Tower automates the set-up of a baseline environment, or landing zone, that is a secure, well-architected multi-account AWS environment.

Announced at re:Invent 2018.

https://aws.amazon.com/blogs/aws/aws-previews-and-pre-announcements-at-reinvent-2018-andy-jassy-keynote/

https://aws.amazon.com/controltower/

 

Uses AWS Config (expensive).

Note: AWS Config records and evaluates configurations of your AWS resources.

https://aws.amazon.com/config/

AWS Billing Alerts

Here’s how to get an alert if your AWS Bill exceeds a certain amount.

After you’ve enabled Billing Alerts:

1. change Region to us-east-1 (N. Virginia)

2. CloudWatch > Alarms > Create Alarm

3. Select Metric > Billing > Total Estimated Charge

4. Tick USD | EstimatedCharges

5. click Select Metric

6. Enter value in exceed

7. pick from send a notification to: (I use a List called NotifyMe with my email address). It seems to take a while for the drop down to respond.

8. click Show Advanced Option (at bottom) then update Name, Description

Note: you cannot change the Name after you’ve created an Alarm. The only way to do so is to delete your Alarm and start again.

9. click Create Alarm

 

Top tip:

  • go create alarms up to 100x your current billing in suitable increments – one day you’ll hit them and you want to be warned!

 

 

 

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html

 

Service Meshes on Kubernetes: Istio, Linkerd, SuperGloo

Quick note: there’s a lot going on in the Service Mesh space for Kubernetes.

Istio (based on Envoy) is the elephant in the room with a ton of funding.

But there’s also Linkerd and SuperGloo.

And a recent announcement from AWS: AWS App Mesh.

 

Great summary of Istio:

Generally traffic is defined as north/south (into and out of the datacenter) or east/west (between servers in the datacenter).

Istio is for east/west traffic within your K8S cluster, designed to connect your services together by moving all the network traffic through the Envoy proxy. It is usually done by wrapping your deployments with an extra sidecar pod (automatically using K8S APIs) that intercepts all the networking to other services and pods. You would still use a load balancer or ingress to route external traffic into the cluster, although there are options like Heptio Contour that also use Envoy for this.

This provides a single data and control plane to centralize all network reliability, security, service discovery, and monitoring.

Note: Istio uses an extended version of the Envoy proxy: https://istio.io/docs/concepts/what-is-istio/#envoy
Istio provides:
  • Dynamic service discovery
  • Load balancing
  • TLS termination
  • HTTP/2 and gRPC proxies
  • Circuit breakers
  • Health checks
  • Staged rollouts with %-based traffic split
  • Fault injection
  • Rich metrics
And an interesting post about Service Meshes:

AWS: Logs – install/configure the CloudWatch Logs Agent

Quick guide:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html

 

awslogs:

Super handy CLI: https://github.com/jorgebastida/awslogs

Install with: pip install awslogs --ignore-installed six

Examples:

List groups: awslogs groups

 

List streams in a group

Assuming your group is /var/log/syslog then:

awslogs streams /var/log/syslog

 

Watch all logs:

awslogs get /var/log/syslog ALL --watch

 

 

 

AWS: add ssh key, check fingerprint and add to Terraform

1. Generate key

ssh-keygen -t rsa -b 4096 -C "<email address>"

File name: /home/dir/.ssh/file-name_id_rsa

 

2. Upload

AWS Dashboard > EC2 > Key Pairs > Upload

 

You can check the fingerprint with:

openssl rsa -in path_to_private_key -pubout -outform DER | openssl md5 -c

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#verify-key-pair-fingerprints

It’s important to use the correct openssl command. There are 2 separate commands – one for an AWS generated key and the second for a key you upload.

 

3. add the key_name to Terraform

e.g. a launch configuration:

https://www.terraform.io/docs/providers/aws/r/launch_configuration.html

 

4. ssh in with

ssh -i ~/.ssh/<new-key> ec2-user@<public ip>

If you’re unable to connect make sure you’ve got port 22 open on the EC2 instance Security Group.

E.g. Inbound rule:

e.g.