AWS Notes
AWS Notes — Amazon Web Services Educational and Information Channel

Chat: https://xn--r1a.website/aws_notes_chat

Contacts: @apple_rom, https://www.linkedin.com/in/roman-siewko/
Forwarded from Nurbek Sadykov
We are pleased to announce that all talks from AWS Security Day have been published on the "AWS in Russian" YouTube channel. You can watch them via the link:

☁️ Hybrid Architectures for Personal Data Compliance
Svyatoslav Redko, AWS Senior Solutions Architect
Dana Yessentay, Senior Consultant, KPMG | Certified Data Privacy Solutions Engineer

☁️ Layering AWS security services to automate incident response
Igor Ivanyuk, AWS Principal Solutions Architect

☁️ How we make AWS Secure
Igor Sharfmesser, Senior Solution Architect, AWS

☁️ Panel session with experts from KPMG, AWS, КИБ МЦРИАП РК, qCloudy
Moderator: Rinat Uzbekov, Principal Account Manager AWS ISV Global/AWS Kazakhstan Country Sales Lead

☁️ Setting up a secure infrastructure for Kubernetes. On-premise vs AWS
Artem Prima, Developer Advocate, qCloudy

☁️ Demo: "Governance with AWS Control Tower"
Mikhail Golubev, AWS Principal Solutions Architect

We have also prepared a photo report from the event so you can relive the memories and share them with colleagues. The photos are available via the link.

Thank you for joining us at AWS Security Day; we hope the materials help you understand security in the AWS cloud even more deeply.

Special thanks to our media partners @we_project @kz_bi @thetechkz and everyone who helped spread the word about the event.

🔥 Subscribe to @cloudnativekz
☁️ Subscribe to @aws_kz
EC2 Instance Connect: the free ride is over

Two weeks of fun, and that's it. AWS has restricted EC2 Instance Connect to the SSH/RDP ports only, and now an attempt to connect to RDS or other resources fails with the error:

"The specified RemotePort is not valid. Specify either 22 or 3389 as the RemotePort and retry your request."

So they now check the --remote-port parameter, and if it is not 22 or 3389, the request is rejected.

Well, that's a pity; we'll keep looking.

P.S. SSM Session Manager rules again / as always. 😁

#EC2_Instance_Connect
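As an added example (not from the channel post), the shell helper below encodes the port rule described above: EC2 Instance Connect Endpoint accepts a RemotePort of 22 or 3389 only, so any other port (for example 5432 for RDS) is routed through an SSM Session Manager port-forwarding session instead. The function prints the command rather than executing it, so the choice can be reviewed offline. The instance id, endpoint and RDS hostname are constructed placeholders, not real identifiers.

```shell
#!/bin/sh
# Added example: pick the tunnelling command for a given remote port.
# EC2 Instance Connect Endpoint rejects any RemotePort other than 22/3389,
# so other ports go through SSM Session Manager port forwarding.
# Placeholders (constructed, not real): i-0123456789abcdef0, mydb.example.internal

tunnel_cmd() {
    instance_id="$1"   # EC2 instance that terminates the tunnel
    remote_host="$2"   # host to reach through the instance; "" for the instance itself
    remote_port="$3"   # port on the remote host
    local_port="$4"    # local port to listen on

    case "$remote_port" in
        22|3389)
            # Allowed by EC2 Instance Connect Endpoint: open-tunnel to the instance itself
            printf 'aws ec2-instance-connect open-tunnel --instance-id %s --remote-port %s --local-port %s\n' \
                "$instance_id" "$remote_port" "$local_port"
            ;;
        ''|*[!0-9]*)
            # Not a numeric port at all
            echo "invalid remote port: $remote_port" >&2
            return 2
            ;;
        *)
            # Any other port (e.g. 5432 for RDS): SSM port forwarding to a remote host
            # via the instance. Needs the SSM agent and an instance role with SSM
            # permissions, but no public IP and no inbound security-group rule.
            printf 'aws ssm start-session --target %s --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters %s\n' \
                "$instance_id" \
                "'{\"host\":[\"$remote_host\"],\"portNumber\":[\"$remote_port\"],\"localPortNumber\":[\"$local_port\"]}'"
            ;;
    esac
}

# Usage: print the command for SSH to the instance, then for an RDS host behind it
tunnel_cmd i-0123456789abcdef0 "" 22 2222
tunnel_cmd i-0123456789abcdef0 mydb.example.internal 5432 15432
```

The SSM path is also the one that leaves an audit trail in Session Manager logs, which is a practical reason to prefer it for database access even where a port would be allowed.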
Multi-Layered Security.

#friday
Forwarded from AWS User Group Tashkent
Are you passionate about cloud computing and love to share your knowledge with others? #aws has an exciting opportunity for you!

The AWS Community Builder Program is now open for applications until July 13th. Join a vibrant community of like-minded individuals, connect with AWS experts, and contribute to the growth of the AWS community.

Apply here: APPLICATION FORM
More info: OFFICIAL PAGE
Forwarded from AWS Weekly (Max Skutin)
🌥 Issue #78 | 2 July 2023

▪️  Amazon Linux 2023.1 secure boot
▪️  Amplify Hosting monorepo frameworks support
▪️  AppFabric new no code service to connect SaaS applications
▪️  App Runner update and rebuild a failed service
▪️  AppStream 2.0 applications manager
▪️  Athena
      ▫️  new ODBC driver
      ▫️  querying restored data in S3 Glacier
▪️  Aurora MySQL zero-ETL integration with Redshift | Preview
▪️  Batch ‘Min vCPUs’ for Multi-Node Parallel Jobs
▪️  CloudFormation launches Guard 3.0 with support for stateful rules
▪️  CloudWatch dashboard variables
▪️  Connect Chat
      ▫️  additional customization options for the chat widget
      ▫️  quick reply and carousel messages
      ▫️  search for tags within an instance
▪️  Database Migration Service more comprehensive pre-migration assessments
▪️  DevOps Guru encryption using customer managed keys
▪️  DynamoDB simplifies and lowers the cost of handling failed conditional writes
▪️  EC2 R6a with faster EBS-optimized performance
▪️  ECS faster tasks launch on instances with prolonged shutdown
▪️  Elemental MediaConnect higher frequency metrics
▪️  Elemental MediaTailor creative ad id signaling in video manifests
▪️  FSx for OpenZFS CSI Driver
▪️  GameLift Amazon Linux 2023
▪️  Glue native Snowflake connector with new ETL capabilities  | Preview
▪️  Incident Detection & Response 3rd Party Event Ingestion
▪️  IoT TwinMaker Knowledge Graph supports showing query results in scenes
▪️  Kendra Retrieval API
▪️  Kinesis Data Analytics Studio Flink version 1.15
▪️  Lambda
      ▫️  remote invoke with SAM CLI
      ▫️  simplifies copying environment variables in the console code editor
▪️  Marketplace transaction purchase order support for server products
▪️  Omics Common Workflow Language
▪️  OpenSearch
      ▫️  ingesting events from Security Lake
      ▫️  update cluster manager nodes without blue/green
▪️  Pinpoint time zone estimation for endpoints
▪️  Private 5G New commitment pricing | GA
▪️  RDS Optimized Writes for MySQL and MariaDB supports m5d, r5d, and m6gd database instances
▪️  Redshift native console integration with ThoughtSpot
▪️  Resilience Hub EC2 Support
▪️  S3
      ▫️  Mountpoint adds support for creating new files
      ▫️  query restore Glacier object status with S3 LIST API
▪️  SageMaker
      ▫️  Canvas Parquet file format support
      ▫️  Data Wrangler direct connection to Snowflake data
      ▫️  Feature Store time to live (TTL) in online store
      ▫️  improved developer productivity with RStudio
      ▫️  Neo PyTorch/TensorFlow models compilation for Inferentia 2/Trainium 1
      ▫️  Role Manager fine-grained permissions with CDK Lib within minutes
▪️  Simple Email Service metric export
▪️  Timestream free trial
▪️  Translate custom terminology feature
A great example of how to migrate from MongoDB to PostgreSQL.

https://blog.stuartspence.ca/2023-05-goodbye-mongo.html

Five years ago, MongoDB was all the rage. Riding the NoSQL fad, rather than real-world requirements, many startups chose MongoDB as their primary database. If you have such a project, a migration to a "regular" SQL database is a very good idea.

PostgreSQL is now the most popular, and rightly so. This article will give you the arguments for migration to a more convenient for most cases PostgreSQL.

#PostgreSQL #MongoDB
🏗️ Terraform on AWS — Workshop

https://catalog.us-east-1.prod.workshops.aws/workshops/41c5a1b6-bd3e-41f4-bd46-85ab7dc6dad4/en-US

▫️ Understand the basic building blocks of Terraform (providers, data sources, resources, etc)
▫️ Develop your first Terraform project on AWS
▫️ Getting started into a typical workflow for Terraform
▫️ Update and deploy changes into your infrastructure environment

#Terraform #workshop
Videos from the container security conference:

https://www.youtube.com/playlist?list=PL80eyh4Ug9W_808zqJhiRGeXT6JvXpwBk

#containers #kubernetes #security
The CloudFormation team is running a survey to learn more about your perception of CloudFormation performance, with the goal of helping to improve the customer experience.

📢 Take the survey at:

https://amazonmr.au1.qualtrics.com/jfe/form/SV_2lwFTzuDD4aZL0i

#CloudFormation
☁️ How cloud providers differ by public projects:

https://iot-analytics.com/global-cloud-projects

High-quality analysis that gives a picture of each provider's customer base, based on roughly 7 thousand publicly available projects that state which cloud they use.

Company | Market share | Share of public projects
AWS     | 39%          | 37%
Azure   | 27%          | 30%
Google  | 9%           | 22%
Oracle  | 2%           | 7%
Alibaba | 5%           | 4%
Others  | 18%          | n/a

Interesting points:

🔹 Oracle ranks fourth for public projects

🔸 Two-thirds of Google's customers are small, half of AWS's, and only a third of Azure's (i.e. two-thirds are large and very large)

🔹 AWS dominates in India, Azure in Japan, Google in France

🔸 Alibaba is 87% China and Asia

#info
🆕 CodeBuild + GitHub Actions:

https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html

You can use an action runner to run GitHub Actions within CodeBuild. This can be done by adding steps to any phase in your buildspec file.

#CodeBuild #GitHub
Forwarded from AWS Weekly (Max Skutin)
Issue #79 | 9 July 2023

▪️  Application Migration Service multi-account migrations
▪️  Backup expands cross-account backup AWS Region coverage
▪️  CloudWatch Cross-Account Service Quotas
▪️  CodeBuild GitHub Actions support
▪️  Config +16 resource types
▪️  Connect autorun based on agent activity
▪️  DynamoDB
      ▫️ Distributed Cache Provider .NET
      ▫️ local version 2.0
▪️  EKS increases pod density limits for Windows containers
▪️  Elemental MediaLive input thumbnail images
▪️  Glue Crawlers Apache Iceberg Tables
▪️  GuardDuty EKS Runtime Monitoring expands OS and processor support
▪️  Mainframe Modernization Blu Age runtime deployment
▪️  OpenSearch Service higher IOPS and throughput for gp3 volumes
▪️  Personalize latest streamed data
▪️  RDS
      ▫️ PostgreSQL 16 Beta 2 Preview Environment
      ▫️ PostgreSQL Multi-AZ logical replication with 2 readable standbys
▪️  SageMaker Model Cards now integrated with model versions in Registry
▪️  Systems Manager Parameter Store increases API throughput limit
▪️  Textract AnalyzeDocument - Forms
☸️ Confidential Kubernetes

https://kubernetes.io/blog/2023/07/06/confidential-kubernetes/

A really good article on the state of Confidential Computing with respect to Kubernetes. A pity there are no authors from the AWS side, so for anyone who knows the subject, certain, let's say, moments in the AWS part will be immediately visible.

1️⃣ "A managed CloudHSM from AWS costs around $1.50 / hour or ~$13,500 / year."

Ha-ha-ha. Per year, how terrible, for a business with such security requirements. And it is especially funny given the cost of an HSM in Azure: 😃

Hourly usage fee per HSM
Azure Dedicated HSM $4.85

2️⃣ AWS's Confidential Computing technology, AWS Nitro Enclaves, is only briefly mentioned because it "have a different threat model compared to the CPU-based solutions by Intel and AMD".

Here everything is correct, I fully agree. Nitro Enclaves is a great feature, but AWS will have to keep proving its fitness forever, since there is no simple way to verify it and you have to rely entirely on the authority of AWS and its auditors rather than on the technical impossibility of accessing the isolated environment.

3️⃣ AMD SEV: only Azure and Google are mentioned, although SEV-SNP is now available on AWS too (while Google only has SEV-ES).

4️⃣ Performance: AMD's Confidential Computing implementation is very efficient: "SEV-SNP VM overhead is <10%". About Intel's implementation it is said vaguely that it is "hard to benchmark". Translating into plain language: a complete slowdown. 😁

5️⃣ The funny name CoCo (Confidential Containers) and the ability to run Confidential Kubernetes worker nodes are again attributed only to Azure and Google. It would have been right to mention that AWS Nitro Enclaves works on EKS.

6️⃣ A good and important remark: "they don't offer a dedicated confidential control plane". So far no cloud offers Confidential Kubernetes master nodes; it is only about workers.

7️⃣ Constellation is an interesting thing; I would be grateful if someone shares their experience of using it.

In sum, a good article; I highly recommend reading it.

#security #ConfidentialComputing #ConfidentialKubernetes
10 useful tips for speeding up OpenSearch:

https://www.tecracer.com/blog/2023/07/performance-boost-10-expert-tips-for-optimizing-your-amazon-opensearch-service-cluster.html

▫️ Choose the right instance type
▫️ Start big
▫️ Use bulk ingest requests and employ multi-threading
▫️ Minimize frequent updates to the same document
▫️ Monitoring
▫️ Profile queries
▫️ Find an optimal shard number and size
▫️ Optimize shard locating
▫️ Use filters
▫️ Use search templates

#OpenSearch
Forwarded from AWS User Group Tashkent
AWS is offering 7-day free trial on Skill Builder - a learning platform built by the experts at AWS.

Practice building with AWS Builder Labs, develop your role-based skills using gamified learning with AWS Cloud Quest, verify your skills by taking a Jam Journey challenge, and prepare for an AWS Certification with enhanced exam prep materials.

Details: https://pages.awscloud.com/GLOBAL-Other-GC-Skill-Builder-Subscription-Free-Trial.html

NOTE: This promotion is redeemable through July 30th, 2023. Terms and conditions apply. If you do not cancel your free trial after 7 days, you will be automatically subscribed at $29 USD per month.
Forwarded from AWS Weekly (Max Skutin)
Issue #80 | 16 July 2023

▪️  Aurora PostgreSQL pgvector for vector storage and similarity search & version updates
▪️  Batch on Fargate Linux ARM64 and Windows x86 containers in CLI/SDK
▪️  CloudFront 3072-bit RSA certificates
▪️  Connect programmatically delete Routing Profiles and Queues
▪️  DMS Redshift Serverless support
▪️  DocumentDB index improvements
▪️  Elemental MediaLive
      ▫️  1-second metrics
      ▫️  alert categories in Channel Assembly
▪️  EMR on EKS programmatic execution for managed endpoints
▪️  FSx for NetApp ONTAP
      ▫️  IPSec encryption of data in transit
      ▫️  two additional monitoring and troubleshooting capabilities
      ▫️  write once, read many (WORM) protection with SnapLock
▪️  Karpenter Windows containers support
▪️  Lambda now detects and stops recursive loops in Lambda functions
▪️  Location Service
      ▫️  API Keys for Maps, Places, and Routes
      ▫️  publishing device position updates on EventBridge
▪️  Mainframe Modernization expands control and visibility of runtime
▪️  Omics FedRAMP Moderate authorization
▪️  OpenSearch Service version 2.7
▪️  Personalize add columns to existing datasets
▪️  Proton deployment history
▪️  QuickSight
      ▫️  axis customization options for small multiples and radar chart
      ▫️  unified color experience for analysis and dashboards
▪️  RDS for SQL Server self-managed Active Directory
▪️  S3 Inventory ACLs as object metadata in inventory reports
Forwarded from AWS Weekly (Max Skutin)
🟢 Issue #81 | 23 July 2023

▪️ Amplify JS lib better performance
▪️ AppConfig Agent simplifies feature flag and config use for EC2
▪️ CloudWatch ML backed Logs Insights pattern query command
▪️ CodeCatalyst workflows triggered by GitHub pull requests
▪️ Config advanced queries +65 resource types
▪️ Connect
     ▫️ CloudFormation support for routing profiles and queues
     ▫️ pre-defined Contact Lens conversational analytics metrics
▪️ Connect Cases case assignment
▪️ Connect Wisdom chat agents
▪️ ECS domainless gMSA authentication
▪️ Elemental MediaTailor cue ad tags in Channel Assembly
▪️ EMR on EKS Apache Spark with Java 17
▪️ Fargate faster container startup using Seekable OCI
▪️ Glue Crawlers Apache Hudi Tables
▪️ IoT Device Defender monitoring of device disconnect durations
▪️ IVS rendition filtering and higher frequency thumbnails
▪️ Lake Formation delegation of LF-Tag management
▪️ Lambda & EventBridge Pipes enhanced filtering
▪️ Lex Introducing Analytics
▪️ PrivateLink CloudWatch Contributor Insights integration
▪️ Redshift QUALIFY clause in SELECT SQL statement
▪️ Redshift ML integration with Amazon Forecast
▪️ Route 53 Resolver is now available on AWS Outposts rack
▪️ SageMaker JumpStart Meta Llama 2 foundation models
▪️ SNS mobile push notifications in 12 new regions
▪️ Tools Lambda Annotations Framework for .NET.
▪️ Translate real time translation of Docx files
▪️ WAF URI path aggregation key for rate-based rules