CloudSecurity

Secure and simplify EC2 access with AWS Session Manager

Accessing EC2 instances used to be a hassle. Bastion hosts, SSH keys, firewall rules, each piece added another layer of complexity and potential security risks. You had to open ports, distribute keys, and constantly manage access. It felt like setting up an intricate vault just to perform simple administrative tasks.

AWS Session Manager changes the game entirely. No exposed ports, no key distribution nightmares, and a complete audit trail of every session. Think of it as replacing traditional keys and doors with a secure, on-demand teleportation system, one that logs everything.

How AWS Session Manager works

Session Manager is part of AWS Systems Manager, a fully managed service that provides secure, browser-based, and CLI-based access to EC2 instances without needing SSH or RDP. Here’s how it works:

An SSM Agent runs on the instance and communicates outbound to AWS Systems Manager.
When you start a session, AWS verifies your identity and permissions using IAM.
Once authorized, a secure channel is created between your local machine and the instance, without opening any inbound ports.

This approach significantly reduces the attack surface. There is no need to open port 22 (SSH) or 3389 (RDP) for bastion hosts. Moreover, since authentication and authorization are managed by IAM policies, you no longer have to distribute or rotate SSH keys.

Setting up AWS Session Manager

Getting started with Session Manager is straightforward. Here’s a step-by-step guide:

1. Ensure the SSM agent is installed

Most modern Amazon Machine Images (AMIs) come with the SSM Agent pre-installed. If yours doesn’t, install it manually using the following command (for Amazon Linux, Ubuntu, or RHEL):

sudo yum install -y amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

2. Create an IAM Role for EC2

Your EC2 instance needs an IAM role to communicate with AWS Systems Manager. Attach a policy that grants at least the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws:ec2:REGION:ACCOUNT_ID:instance/INSTANCE_ID"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": [
        "arn:aws:ssm:REGION:ACCOUNT_ID:session/${aws:username}-*"
      ]
    }
  ]
}

Replace REGION, ACCOUNT_ID, and INSTANCE_ID with your actual values. For best security practices, apply the principle of least privilege by restricting access to specific instances or tags.

3. Connect to your instance

Once the IAM role is attached, you’re ready to connect.

From the AWS Console: Navigate to EC2 > Instances, select your instance, click Connect, and choose Session Manager.

From the AWS CLI: Run:

aws ssm start-session --target i-xxxxxxxxxxxxxxxxx

That’s it, no SSH keys, no VPNs, no open ports.

Built-in security and auditing

Session Manager doesn’t just improve security, it also enhances compliance and auditing. Every session can be logged to Amazon S3 or CloudWatch Logs, capturing a full record of all executed commands. This ensures complete visibility into who accessed which instance and what actions were taken.

To enable logging, navigate to AWS Systems Manager > Session Manager, configure Session Preferences, and enable logging to an S3 bucket or CloudWatch Log Group.

Why Session Manager is better than traditional methods

Let’s compare Session Manager with traditional access methods:

Feature	Bastion Host & SSH	AWS Session Manager
Open inbound ports	Yes (22, 3389)	No
Requires SSH keys	Yes	No
Key rotation required	Yes	No
Logs session activity	Manual setup	Built-in
Works for on-premises	No	Yes

Session Manager removes unnecessary complexity. No more juggling bastion hosts, no more worrying about expired SSH keys, and no more open ports that expose your infrastructure to unnecessary risks.

Real-World applications and operational Benefits

Session Manager is not just a theoretical improvement, it delivers real-world value in multiple scenarios:

Developers can quickly access production or staging instances without security concerns.
System administrators can perform routine maintenance without managing SSH key distribution.
Security teams gain complete visibility into instance access and command history.
Hybrid cloud environments benefit from unified access across AWS and on-premises infrastructure.

With these advantages, Session Manager aligns perfectly with modern cloud-native security principles, helping teams focus on operations rather than infrastructure headaches.

In summary

AWS Session Manager isn’t just another tool, it’s a fundamental shift in how we access EC2 instances securely. If you’re still relying on bastion hosts and SSH keys, it’s time to rethink your approach.Try it out, configure logging, and experience a simpler, more secure way to manage your instances. You might never go back to the old ways.

Building a strong cloud foundation with Landing Zones

The cloud is a dream come true for businesses. Agility, scalability, global reach, it’s all there. But, jumping into the cloud without a solid foundation is like setting up a city without roads, plumbing, or electricity. Sure, you can start building skyscrapers, but soon enough, you’ll be dealing with chaos, no clear way to manage access, tangled networking, security loopholes, and spiraling costs.

That’s where Landing Zones come in. They provide the blueprint, the infrastructure, and the guardrails so you can grow your cloud environment in a structured, scalable, and secure way. Let’s break it down.

What is a Landing Zone?

Think of a Landing Zone as the cloud’s equivalent of a well-planned neighborhood. Instead of letting houses pop up wherever they fit, you lay down roads, set up electricity, define zoning rules, and ensure there’s proper security. This way, when new residents move in, they have everything they need from day one.

In technical terms, a Landing Zone is a pre-configured cloud environment that enforces best practices, security policies, and automation from the start. You’re not reinventing the wheel every time you deploy a new application; instead, you’re working within a structured, repeatable framework.

Key components of any Landing Zone:

Identity and Access Management (IAM): Who has the keys to which doors?
Networking: The plumbing and wiring of your cloud city.
Security: Built-in alarms, surveillance, and firewalls.
Compliance: Ensuring regulations like GDPR or HIPAA are followed.
Automation: Infrastructure as Code (IaC) sets up resources predictably.
Governance: Rules that ensure consistency and control.

Why do you need a Landing Zone?

Why not just create cloud resources manually as you go? That’s like building a house without a blueprint, you’ll get something up, but sooner or later, it will collapse under its complexity.

Landing Zones save you from future headaches:

Faster Cloud Adoption: Everything is pre-configured, so teams can deploy applications quickly.
Stronger Security: Policies and guardrails are in place from day one, reducing risks.
Cost Efficiency: Prevents the dreaded “cloud sprawl” where resources are created haphazardly, leading to uncontrolled expenses.
Focus on Innovation: Teams spend less time on setup and more time on building.
Scalability: A well-structured cloud environment grows effortlessly with your needs.

It’s the difference between a well-organized toolbox and a chaotic mess of scattered tools. Which one lets you work faster and with fewer mistakes?

Different types of Landing Zones

Not all businesses need the same kind of cloud setup. The structure of your Landing Zone depends on your workloads and goals.

Cloud-Native: Designed for applications built specifically for the cloud.
Lift-and-Shift: Migrating legacy applications without significant changes.
Containerized: Optimized for Kubernetes and Docker-based workloads.
Data Science & AI/ML: Tailored for heavy computational and analytical tasks.
Hybrid Cloud: Bridging on-premises infrastructure with cloud resources.
Multicloud: Managing workloads across multiple cloud providers.

Each approach serves a different need, just like different types of buildings, offices, factories, and homes, serve different purposes in a city.

Landing Zones in AWS

AWS provides tools to make Landing Zones easier to implement, whether you’re a beginner or an advanced cloud architect.

Key AWS services for Landing Zones:

AWS Organizations: Manages multiple AWS accounts under a unified structure.
AWS Control Tower: Automates Landing Zone set up with best practices.
IAM, VPC, CloudTrail, Config, Security Hub, Service Catalog, CloudFormation: The building blocks that shape your environment.

Two ways to set up a Landing Zone in AWS:

AWS Control Tower (Recommended) – Provides an automated, guided setup with guardrails and best practices.
Custom-built Landing Zone – Built manually using CloudFormation or Terraform, offering more flexibility but requiring expertise.

Basic setup with Control Tower:

Plan your cloud structure.
Set up AWS Organizations to manage accounts.
Deploy Control Tower to automate governance and security.
Customize it to match your specific needs.

A well-structured AWS Landing Zone ensures that accounts are properly managed, security policies are enforced, and networking is set up for future growth.

Scaling and managing your Landing Zone

Setting up a Landing Zone is not a one-time task. It’s a continuous process that evolves as your cloud environment grows.

Best practices for ongoing management:

Automate Everything: Use Infrastructure as Code (IaC) to maintain consistency.
Monitor Continuously: Use AWS CloudWatch and AWS Config to track changes.
Manage Costs Proactively: Keep cloud expenses under control with AWS Budgets and Cost Explorer.
Stay Up to Date: Cloud best practices evolve, and so should your Landing Zone.

Think of your Landing Zone like a self-driving car. You might have set it up with the best configuration, but if you never update the software or adjust its sensors, you’ll eventually run into problems.

Summarizing

A strong Landing Zone isn’t just a technical necessity, it’s a strategic advantage. It ensures that your cloud journey is smooth, secure, and cost-effective.

Many businesses rush into the cloud without a plan, only to find themselves overwhelmed by complexity and security risks. Don’t be one of them. A well-architected Landing Zone is the difference between a cloud environment that thrives and one that turns into a tangled mess of unmanaged resources.

Set up your Landing Zone right, and you won’t just land in the cloud, you’ll be ready to take off.

Avoiding security gaps by limiting IAM Role permissions

Think about how often we take security for granted. You move into a new apartment and forget to lock the door because nothing bad has ever happened. Then, one day, someone strolls in, helps themselves to your fridge, sits on your couch, and even uses your WiFi. Feels unsettling, right? That’s exactly what happens in AWS when an IAM role is granted far more permissions than it needs, leaving the door wide open for potential security risks.

This is where the principle of least privilege comes in. It’s a fancy way of saying: “Give just enough permissions for the job to get done, and nothing more.” But how do we figure out exactly what permissions an application needs? Enter AWS CloudTrail and Access Analyzer, two incredibly useful tools that help us tighten security without breaking functionality.

The problem of overly generous permissions

Let’s say you have an application running in AWS, and you assign it a role with AdministratorAccess. It can now do anything in your AWS account, from spinning up EC2 instances to deleting databases. Most of the time, it doesn’t even need 90% of these permissions. But if an attacker gets access to that role, you’re in serious trouble.

What we need is a way to see what permissions the application is actually using and then build a custom policy that includes only those permissions. That’s where CloudTrail and Access Analyzer come to the rescue.

Watching everything with CloudTrail

AWS CloudTrail is like a security camera that records every API call made in your AWS environment. It logs who did what, which service they accessed, and when they did it. If you enable CloudTrail for your AWS account, it will capture all activity, giving you a clear picture of which permissions your application uses.

So, the first step is simple: Turn on CloudTrail and let it run for a while. This will collect valuable data on what the application is doing.

Generating a Custom Policy with Access Analyzer

Now that we have a log of the application’s activity, we can use AWS IAM Access Analyzer to create a tailor-made policy instead of guessing. Access Analyzer looks at the CloudTrail logs and automatically generates a policy containing only the permissions that were used.

It’s like watching a security camera playback of who entered your house and then giving house keys only to the people who actually needed access.

Why this works so well

This approach solves multiple problems at once:

Precise permissions: You stop giving unnecessary access because now you know exactly what is needed.
Automated policy generation: Instead of manually writing a policy full of guesswork, Access Analyzer does the heavy lifting.
Better security: If an attacker compromises the role, they get access only to a limited set of actions, reducing damage.
Following best practices: Least privilege is a fundamental rule in cloud security, and this method makes it easy to follow.

Recap

Instead of blindly granting permissions and hoping for the best, enable CloudTrail, track what your application is doing, and let Access Analyzer craft a custom policy. This way, you ensure that your IAM roles only have the permissions they need, keeping your AWS environment secure without unnecessary exposure.

Security isn’t about making things difficult. It’s about making sure that only the right people, and applications, have access to the right things. Just like locking your door at night.

January 31, 2025 by Fernando SRE Cloud stuff SRE stuff 0

AWS Identity Management – Choosing the right Policy or Role

Let’s be honest, AWS Identity and Access Management (IAM) can feel like a jungle. You’ve got your policies, your roles, your managed this, and your inline that. It’s easy to get lost, and a wrong turn can lead to a security vulnerability or a frustrating roadblock. But fear not! Just like a curious explorer, we’re going to cut through the thicket and understand this thing. Why? Mastering IAM is crucial to keeping your AWS environment secure and efficient. So, which policy type is the right one for the job? Ever scratched your head over when to use a service-linked role? Stick with me, and we’ll figure it out with a healthy dose of curiosity and a dash of common sense.

Understanding Policies and Roles

First things first. Let’s get our definitions straight. Think of policies as rulebooks. They are written in a language called JSON, and they define what actions are allowed or denied on which AWS resources. Simple enough, right?

Now, roles are a bit different. They’re like temporary access badges. An entity, be it a user, an application, or even an AWS service itself, can “wear” a role to gain specific permissions for a limited time. A user or a service is not granted permissions directly, it’s the role that has the permissions.

AWS Policy types

Now, let’s explore the different flavors of policies.

AWS Managed Policies

These are like the standard-issue rulebooks created and maintained by AWS itself. You can’t change them, just like you can’t rewrite the rules of physics! But AWS keeps them updated, which is quite handy.

Use Cases: Perfect for common scenarios. Need to give someone basic access to S3? There’s probably an AWS-managed policy for that.
Pros: Easy to use, always up-to-date, less work for you.
Cons: Inflexible, you’re stuck with what AWS provides.

Customer Managed Policies

These are your rulebooks. You write them, you modify them, you control them.

Use Cases: When you need fine-grained control, like granting access to a very specific resource or creating custom permissions for your application, this is your go-to choice.
Pros: Total control, flexible, adaptable to your unique needs.
Cons: More responsibility, you need to know what you’re doing. You’ll be in charge of updating and maintaining them.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-specific-bucket/*"
        }
    ]
}

This simple policy allows getting objects only from my-specific-bucket. You have to adapt it to your necessities.

Inline Policies

These are like sticky notes attached directly to a user, group, or role. They’re tightly bound and can’t be reused.

Use Cases: For precise, one-time permissions. Imagine a developer who needs temporary access to a particular resource for a single task.
Pros: Highly specific, good for exceptions.
Cons: A nightmare to manage at scale, not reusable.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dynamodb:DeleteItem",
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"
        }
    ]
}

This policy is directly embedded within users and permits them to delete items from the MyTable DynamoDB table. It does not apply to other users or resources.

Service-Linked Roles. The smooth operators

These are special roles pre-configured by AWS services to interact with other AWS services securely. You don’t create them, the service does.

Use Cases: Think of Auto Scaling needing to launch EC2 instances or Elastic Load Balancing managing resources on your behalf. It’s like giving your trusted assistant a special key to access specific rooms in your house.
Pros: Simplifies setup, and ensures security best practices are followed. AWS takes care of these roles behind the scenes, so you don’t need to worry about them.
Cons: You can’t modify them directly. So, it’s essential to understand what they do.

aws autoscaling create-auto-scaling-group \ --auto-scaling-group-name my-asg \ --launch-template "LaunchTemplateId=lt-0123456789abcdef0,Version=1" \ --min-size 1 \ --max-size 3 \ --vpc-zone-identifier "subnet-0123456789abcdef0" \ --service-linked-role-arn arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling

This code creates an Auto Scaling group, and the service-linked-role-arn parameter specifies the ARN of the service-linked role for Auto Scaling. It’s usually created automatically by the service when needed.

Best practices

Least Privilege: Always, always, always grant only the necessary permissions. It’s like giving out keys only to the rooms people need to access, not the entire house!
Regular Review: Things change. Regularly review your policies and roles to make sure they’re still appropriate.
Use the Right Tools: AWS provides tools like IAM Access Analyzer to help you manage this stuff. Use them!
Document Everything: Keep track of your policies and roles, their purpose, and why they were created. It will save you headaches later.

In sum

The right policy or role depends on the specific situation. Choose wisely, keep things tidy, and you will have a secure and well-organized AWS environment.

January 29, 2025 by Fernando SRE Cloud stuff SRE stuff 0

AWS Fault Injection service, the unknown service

Let’s discuss something near and dear to every AWS Architect and DevOps Engineer’s heart: resilience. Or, as I like to call it, “making sure your digital baby doesn’t throw a tantrum when things go sideways.”

We’ve all been there. Like a magnificent sandcastle, you build this beautiful, intricate system in the cloud. It’s got auto-scaling, high availability, and the works. You’re feeling pretty proud of yourself. Then, BAM! Some unforeseen event, a tiny ripple in the force of the internet, and your sandcastle starts to crumble. Panic ensues.

But what if, instead of waiting for disaster to strike, you could be a bit… mischievous? What if you could poke and prod your system before it has a meltdown in front of your users? Enter AWS Fault Injection Simulator (FIS), a service that’s about as well-known as a quiet librarian at a rock concert, but far more useful.

What’s this FIS thing, anyway?

Think of FIS as your friendly neighborhood chaos monkey but with a PhD in engineering and a strict code of conduct. It’s a fully managed service that lets you run controlled chaos experiments on your AWS workloads. Yes, you read that right. You can intentionally break things but in a safe and measured way. It is like playing Jenga but only for advanced players.

Why would you do that, you ask? Well, my friends, it’s all about finding those hidden weaknesses before they become major headaches. It’s like giving your application a stress test, similar to how doctors check your heart’s health. You want to see how it handles the pressure before it’s out there running a marathon in the real world. The idea is simple: you don’t know how strong the dam will be until you put the river on it.

Why is this CHAOS stuff so important?

In the old days (you know, like five years ago), we tested for predictable failures. Server goes down? No problem, we have a backup! But the cloud is a complex beast, and failures can be, well, weird. Latency spikes, partial network outages, API throttling… it’s a jungle out there.

FIS helps you simulate these real-world, often unpredictable scenarios. By deliberately injecting faults, you expose how your system behaves under stress. This way you will discover if your great ideas in whiteboards are translated into a great and resilient system in the cloud.

This isn’t just about avoiding downtime, though that’s a big plus. It’s about:

Improving Reliability: Find and fix weak points, leading to a more robust and dependable system.
Boosting Performance: Identify bottlenecks and optimize your application’s response under duress.
Validating Your Assumptions: Does your fancy auto-scaling work as intended? FIS will tell you.
Building Confidence: Knowing your system can handle the unexpected gives you peace of mind. And maybe, just maybe, you can sleep through the night without getting paged. A DevOps Engineer can dream, right?

Let’s get our hands dirty (Virtually, of course)

So, how does this magical chaos tool work? FIS operates through experiment templates. These are like recipes for disaster (the good kind, of course). In these templates, you define:

Actions: What kind of mischief do you want to unleash? FIS offers a menu of pre-built actions, like:
- aws:ec2:stop-instances: Stop EC2 instances. You pick which ones.
- aws:ec2:terminate-instances: Terminate EC2 instances. Poof, they are gone.
- aws:ssm:send-command: Run a script on an instance that causes, for example, CPU stress, or memory stress.
- aws:fis:inject-api-latency: Add latency to internal or external APIs.
Targets: Where do you want to inject these faults? You can target specific EC2 instances, ECS clusters, EKS clusters, RDS databases… You get the idea. You can select the resources by tags, by name, by percentage… You have plenty of options here.
Stop Conditions: This is your “emergency brake.” You define CloudWatch alarms that, if triggered, will automatically halt the experiment. Safety first, people! Imagine that the experiment is affecting more components than expected, the stop condition will be your friend here.
IAM Role: This role is very important. It will give the FIS service permission to inject the fault into your resources. Remember to assign only the necessary permissions, nothing more.

Once you’ve crafted your experiment template, you can run it and watch the magic (or mayhem) unfold. FIS provides detailed logs and integrates with CloudWatch, so you can monitor the impact in real time.

FIS in the Wild

Let’s say you have a microservices architecture running on ECS. You want to test how your system handles the failure of a critical service. With FIS, you could create an experiment that:

Action: Terminates a percentage of the tasks in your critical service.
Target: Your ECS service, specifically the tasks tagged as “critical-service.”
Stop Condition: A CloudWatch alarm that triggers if your application’s latency exceeds a certain threshold or the error rate increases.

By running this experiment, you can observe how your other services react, whether your load balancing works as expected, and if your system can gracefully recover.

Or, imagine you want to test the resilience of your RDS database. You could simulate a failover by:

Action: aws:rds:reboot-db-instance with the failover option set to true.
Target: Your primary RDS instance.
Stop Condition: A CloudWatch alarm that monitors the database’s availability.

This allows you to validate your read replica setup and ensure a smooth transition in case of a real-world primary instance failure.

I remember one time I was helping a startup that had a critical application running on EC2. They were convinced their auto-scaling was flawless. We used FIS to simulate a sudden surge in traffic by terminating a bunch of instances. Guess what? Their auto-scaling took longer to kick in than they expected, leading to a brief period of performance degradation. Thanks to the experiment, they were able to fix the issue, avoiding real user impact in the future.

My Two Cents (and Maybe a Few More)

I’ve been around the AWS block a few times, and I can tell you that FIS is a game-changer. It’s not just about breaking things; it’s about understanding things. It’s about building systems that are not just robust on paper but resilient in the face of the unpredictable chaos of the real world.

January 18, 2025 by Fernando SRE Cloud stuff DevOps stuff SRE stuff 0

S3 Access Points explained

Don’t you feel like your data in the cloud is a bit too… exposed? Like you’ve got a treasure chest full of valuable information (your S3 bucket), but it’s just sitting there, practically begging for unwanted attention? You wouldn’t leave your valuables out in the open in the real world, would you? Well, the same logic applies to your data in the cloud.

This is where AWS S3 Access Points come in. They act like bouncers for your data, ensuring only the right people get in. And for those of you with data scattered across the globe, we’ve got something even fancier: Multi-Region Access Points (MRAPs). They’re like the global positioning system for your data, ensuring fast access no matter where you are.

So buckle up, and let’s explore the fascinating world of S3 Access Points and MRAPs. Let’s try to make it fun.

The problem is that your S3 Bucket is wide open (By Default)

Think of an S3 bucket as a giant storage locker in the cloud. When you first create one, it’s like leaving the locker door wide open. Anyone who knows the lockers there can just waltz in and take a peek, or worse, start messing with your stuff.

This might be fine if you’re just storing cat memes, but what if you have sensitive customer data, financial records, or top-secret project files? You need a way to control who gets in and what they can do.

The solution is the Access Points, your data’s bouncers

Imagine Access Points as the bouncers standing guard at the entrance of your storage locker. They check IDs, make sure everyone’s on the guest list, and only let in the people you’ve authorized.

In more technical terms, an Access Point is a unique hostname that you create to enforce distinct permissions and network controls for any request made through it. You can configure each Access Point with its own IAM policy, tailored to specific use cases.

Why you need Access Points. It’s all about control

Here’s the deal:

Granular Access Control: You can create different Access Points for different applications or teams, each with its own set of permissions. Maybe your marketing team only needs read access to product images, while your developers need full read and write access to application logs. Access Points make this a breeze.
Simplified Policy Management: Instead of one giant, complicated bucket policy, you can have smaller, more manageable policies for each Access Point. It’s like having a separate rule book for each group that needs access.
Enhanced Security: By restricting access through specific Access Points, you reduce the risk of accidental data exposure or unauthorized modification. It’s like having multiple layers of security for your precious data.
Compliance Made Easier: Many industries have strict regulations about data access and security (think GDPR, HIPAA). Access Points help you meet these requirements by providing a clear and auditable way to control who can access what.

Let’s get practical with an Access Point policy example

Okay, let’s see how this works in practice. Here’s an example of an Access Point policy that only allows access to a bucket named “pending-documentation” and only permits read and write actions (no deleting!):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/Alice"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point/object/pending-documentation/*"
    }
  ]
}

Explanation:

Version: Specifies the policy language version.
Statement: An array of permission statements.
Effect: “Allow” means this statement grants permission.
Principal: This specifies who is granted access. In this case, it’s the IAM user “Alice” (you’d replace this with the actual ARN of your user or role).
Action: The S3 actions allowed. Here, it’s s3:GetObject (read) and s3:PutObject (write).
Resource: This is the crucial part. It specifies the resource the policy applies to. Here, it’s the “pending-documentation” bucket accessed through the “my-access-point” Access Point. The /* at the end means all objects within that bucket path.

Delegating access control to the Access Point (Bucket Policy)

You also need to configure your S3 bucket policy to delegate access control to the Access Point. Here’s an example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:DataAccessPointArn": "arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point"
        }
      }
    }
  ]
}

This policy allows any principal (“AWS”: “*”) to perform any S3 action (“s3:*”), but only if the request goes through the specified Access Point ARN.

Taking it global, Multi-Region Access Points (MRAPs)

Now, let’s say your data is spread across multiple AWS regions. Maybe you have users all over the world, and you want them to have fast access to your data, no matter where they are. This is where Multi-Region Access Points (MRAPs) come to the rescue!

Think of an MRAP as a smart global router for your data. It’s a single endpoint that automatically routes requests to the closest copy of your data in one of your S3 buckets across multiple regions.

Why Use MRAPs? Think speed and resilience

Reduced Latency: MRAPs ensure that users are always accessing the data from the nearest region, minimizing latency and improving application performance. It is like having a fast-food in each country, so clients can have their orders faster.
High Availability: If one region becomes unavailable, MRAPs automatically route traffic to another region, ensuring your application stays up and running. It’s like having a backup generator for your data.
Simplified Management: Instead of managing multiple endpoints for different regions, you have one MRAP to rule them all.

MRAPs vs. Regular Access Points, what’s the difference?

While both are about controlling access, MRAPs take it to the next level:

Scope: Regular Access Points are regional; MRAPs are multi-regional.
Focus: Regular Access Points primarily focus on security and access control; MRAPs add performance and availability to the mix.
Complexity: MRAPs are a bit more complex to set up because you’re dealing with multiple regions.

When to unleash the power of Access Points and MRAPs

Data Lakes: Use Access Points to create secure “zones” within your data lake, granting different teams access to only the data they need.
Content Delivery: MRAPs can accelerate content delivery to users around the world by serving data from the nearest region.
Hybrid Cloud: Access Points can help integrate your on-premises applications with your S3 data in a secure and controlled manner.
Compliance: Meeting regulations like GDPR or HIPAA becomes easier with the fine-grained access control provided by Access Points.
Global Applications: If you have a globally distributed application, MRAPs are essential for delivering a seamless user experience.

Lock down your data and speed up access

AWS S3 Access Points and Multi-Region Access Points are powerful tools for managing access to your data in the cloud. They provide the security, control, and performance that modern applications demand.

January 7, 2025 by Fernando SRE Cloud stuff SRE stuff 0

Managing SSL certificates with SNI on AWS ALB and NLB

The challenge of hosting multiple SSL-Secured sites

Let’s talk about security on the web. You want your website to be secure. Of course, you do! That’s where HTTPS and those little SSL/TLS certificates come in. They’re like the secret handshakes of the internet, ensuring that the information flowing between your site and visitors is safe from prying eyes. But here’s the thing: back in the day, if you wanted a bunch of websites, each with its secure certificate, you needed a separate IP address. Imagine having to get a new phone number for every person you wanted to call! It was a real headache and cost a pretty penny, too, especially if you were running a whole bunch of websites.

Defining SNI as a modern SSL/TLS extension

Now, what if I told you there was a clever way around this whole IP address mess? That’s where this little gem called Server Name Indication (SNI) comes in. It’s like a smart little addition to the way websites and browsers talk to each other securely. Think of it this way, your server’s IP address is like a big apartment building, and each website is a different apartment. Without SNI, it’s like visitors can only shout the building’s address (the IP address). The doorman (the server) wouldn’t know which apartment to send them to. SNI fixes that. It lets the visitor whisper both the building address and the apartment number (the website’s name) right at the start. Pretty neat.

Understanding the SNI handshake process

So, how does this SNI thing work? Let’s lift the hood and take a peek at the engine, shall we? It all happens during this little dance called the SSL/TLS handshake, the very beginning of a secure connection.

Client Hello: First, the client (like your web browser) says “Hello!” to the server. But now, thanks to SNI, it also whispers the name of the website it wants to talk to. It is like saying “Hey, I want to connect, and by the way, I’m looking for ‘www.example.com‘”.
Server Selection: The server gets this message and, because it’s a smart cookie, it checks the SNI part. It uses that website name to pick out the right secret handshake (the SSL certificate) from its big box of handshakes.
Server Hello: The server then says “Hello!” back, showing off the certificate it picked.
Secure Connection: The client checks if the handshake looks legit, and if it does, boom! You’ve got yourself a secure connection. It’s like a secret club where everyone knows the password, and they’re all speaking in code so no one else can understand.

AWS load balancers and SNI as a perfect match

Now, let’s bring this into the world of Amazon Web Services (AWS). They’ve got these things called load balancers, which are like traffic cops for websites, directing visitors to the right place. The newer ones, Application Load Balancers (ALB) and Network Load Balancers (NLB) are big fans of SNI. It means you can have a whole bunch of websites, each with its certificate, all hiding behind one of these load balancers. Each of those websites could be running on different computers (EC2 instances, as they call them), but the load balancer, thanks to SNI, knows exactly where to send the visitors.

CloudFront’s adoption of SNI for secure content delivery at scale

And it’s not just load balancers, AWS has this other thing called CloudFront, which is like a super-fast delivery service for websites. It makes sure your website loads quickly for people all over the world. And guess what? CloudFront loves SNI, too. It lets you have different secret handshakes (certificates) for different websites, even if they’re all being delivered through the same CloudFront setup. Just remember, the old-timer, Classic Load Balancer (CLB), doesn’t know this SNI trick. It’s a bit behind the times, so keep that in mind.

Cost savings through optimized resource utilization

Why should you care about all this? Well, for starters, it saves you money! Instead of needing a whole bunch of IP addresses (which cost money), you can use just one with SNI. It is like sharing an office space instead of everyone renting their building.

Simplified management by streamlining certificate handling

And it makes your life a whole lot easier, too. Managing those secret handshakes (certificates) can be a real pain. But with SNI, you can manage them all in one place on your load balancer. It is way simpler than running around to a dozen different offices to update everyone’s secret handshake.

Enhanced scalability for efficient infrastructure growth

And if your website gets popular, no problem, SNI lets you add new websites to your load balancer without breaking a sweat. You don’t have to worry about getting new IP addresses every time you want to launch a new site. It’s like adding new apartments to your building without having to change the building’s address.

Client compatibility to ensure broad support

Now, I have to be honest with you. There might be some really, really old web browsers out there that haven’t heard of SNI. But, honestly, they’re becoming rarer than a dodo bird. Most browsers these days are smart enough to handle SNI, so you don’t have to worry about it.

SNI as a cornerstone of modern Web hosting on AWS

So, there you have it. SNI is like a secret weapon for running websites securely and efficiently on AWS. It’s a clever little trick that saves you money, simplifies your life, and lets your website grow without any headaches. It is proof that even small changes to the way things work on the internet can make a huge difference. When you’re building things on AWS, remember SNI. It’s like having a master key that unlocks a whole bunch of possibilities for a secure and scalable future. It’s a neat piece of engineering if you ask me.

January 5, 2025 by Fernando SRE Cloud stuff DevOps stuff SRE stuff 0

Advanced AWS VPC networking patterns

Managing cloud networks at an enterprise scale is like conducting a symphony orchestra in a massive digital city. Each connection must play its part perfectly, maintaining harmony, efficiency, and security. While most AWS architects are familiar with basic VPC concepts, the real power of AWS networking lies in its advanced capabilities, which enable robust, scalable, and secure architectures.

The landscape of cloud networking evolves rapidly, and AWS continuously introduces sophisticated tools and services. The possibilities for building complex networks are endless, from VPC Lattice to Transit Gateway and IPv6 support. This article will explore advanced VPC networking patterns and practical tips to help you optimize your AWS architecture, whether managing a growing startup’s infrastructure or architecting solutions for a global enterprise.

Simplifying service communication with VPC Lattice

Remember when connecting microservices felt like untangling a spider web? Each service had its thread, carefully tied to another, and even the smallest misstep could send the whole network into chaos. AWS VPC Lattice steps in to unravel that web and replace it with a finely tuned machine, one that handles the complexity for you.

So, what exactly is VPC Lattice? Think of it as a traffic controller for your services. But unlike a traditional traffic controller, VPC Lattice doesn’t just tell cars when to stop or go, it builds the roads, sets the rules, and even hands out the maps to ensure everyone gets where they need to go. It operates across VPCs and AWS accounts, enabling seamless communication without requiring the usual tangle of custom routing, peering, or private links.

Here’s how it works: VPC Lattice creates a service network, a kind of invisible highway system, that links your microservices. It automatically handles service discovery, load balancing, and security, so you don’t have to configure these elements for every single connection. Whether a service lives in the same VPC, a different AWS account, or even across regions, VPC Lattice ensures they can communicate effortlessly and securely.

Key features of VPC Lattice:

Service Discovery and Load Balancing: Automatically finds and balances traffic between your services, regardless of their location.
Unified Access Control: Define and enforce security policies at the service level, no matter how complex the network gets.
Cross-VPC and Cross-Account communication: Forget about custom configurations, VPC Lattice bridges the gaps for you.

Real-World example

Imagine you’re running a food delivery app. You’ve got three critical services:

Order Service to handle customer orders.
Payment Service to process transactions.
Delivery Tracking Service to keep customers updated.

Traditionally, you’d need to create individual connections between each service, setting up security groups, routing tables, and load balancers for every pair. With VPC Lattice, you define these services once, add them to a service network, and let AWS handle the rest. It’s like moving from a chaotic neighborhood of one-way streets to a city grid with clear traffic signals and signs.

Why it matters

For developers and architects working with microservices, VPC Lattice isn’t just a convenience, it’s a game-changer. It reduces operational overhead, simplifies scaling, and ensures a consistent level of security and reliability, no matter how large or distributed your network becomes.

By leveraging VPC Lattice, you can focus on building and optimizing your application, not wrangling the connections between its parts.

Security Groups and NACLs, the dynamic duo of network security

Let’s demystify network security. Think of Security Groups as bouncers at a club and Network ACLs (NACLs) as the neighborhood watch. Both are essential but operate differently.

Security Groups (The Bouncers):

Stateful: They remember who’s allowed in.
Permission-focused: Only allow traffic; no blocking rules.
Instance-level: Rules are applied to individual instances.

NACLs (The Neighborhood Watch):

Stateless: Each request is treated independently.
Permission and denial rules: Can allow or deny traffic.
Subnet-level: Rules apply to all instances in a subnet.

Example: Three-Tier Application

Frontend servers in public subnets: Security Group allows HTTP/HTTPS from anywhere.
Application servers in private subnets: Security Group allows traffic only from the frontend servers.
Database in isolated subnets: Security Group allows traffic only from application servers.

Layer	Security Group	NACL
Public Subnet	Allow HTTP/HTTPS from anywhere	Block known malicious IPs
Private Subnet	Allow traffic from Public Subnet IPs	Allow only whitelisted IPs
Database Subnet	Allow traffic from Private Subnet IPs	Restrict access to private subnet traffic only

This combination ensures robust security at both granular and broader levels.

Transit gateway as the universal router

Transit Gateway acts as the central train station for your cloud network. Instead of creating direct connections between every VPC (like direct flights), it consolidates connections into a central hub.

Real-World scenario:

You manage three AWS regions: US, Europe, and Asia, each with multiple VPCs (dev, staging, prod). Without Transit Gateway, you’d need individual VPC connections, creating exponential complexity. With Transit Gateway:

Deploy a Transit Gateway in each region.
Connect VPCs to their respective Transit Gateway.
Set up Transit Gateway peering between regions.

Cost optimization tip:

Use AWS Resource Access Manager (RAM) to share Transit Gateways across accounts, reducing the need for redundant configurations and lowering networking costs.

Gateway versus Interface VPC Endpoints

Choosing the right VPC endpoint type can significantly impact your application’s performance, cost, and scalability. AWS provides two types of VPC endpoints: Gateway Endpoints and Interface Endpoints. While both facilitate private access to AWS services without using a public internet connection, they differ in how they function and the use cases they best serve.

Gateway Endpoints are simpler and more cost-effective, designed for high-throughput services like Amazon S3 and DynamoDB. They route traffic directly through your VPC’s routing table, minimizing latency and eliminating per-hour costs.

Interface Endpoints, on the other hand, provide more flexibility and are compatible with a broader range of AWS services. These endpoints utilize Elastic Network Interfaces (ENIs) within your subnets, making them ideal for use cases requiring cross-regional support or integration with third-party services. However, they come with additional hourly and data transfer costs.

Understanding the nuances between Gateway and Interface Endpoints helps you make informed decisions tailored to your application’s specific needs.

Type	Best For	Cost	Latency	Scope
Gateway Endpoints	S3, DynamoDB	Free	Low	Regional
Interface Endpoints	Most AWS services	Per-hour + Per-GB	Higher	Cross-regional

Pro tip: For high-throughput services like S3, Gateway endpoints are a better choice due to their cost-efficiency and low latency.

VPC Flow logs as your network’s black box

VPC Flow logs provide invaluable insights into network activity. They capture details about accepted and rejected traffic, helping you troubleshoot and optimize security configurations.

Practical Use:

Analyze Flow Logs with Amazon Athena for cost-effective insights. For example:

SELECT *
FROM vpc_flow_logs
WHERE (action = 'REJECT' AND dstport = 443)
AND date_partition >= '2024-01-01';

This query identifies rejected HTTPS traffic, which might indicate a misconfigured Security Group.

Preparing for the future with IPv6

As IPv4 addresses become increasingly scarce, transitioning to IPv6 is no longer just an option, it’s a necessity for future-proofing your network infrastructure. IPv6 provides a virtually limitless pool of unique IP addresses, making it ideal for modern applications that demand scalability, especially in IoT, mobile services, and global deployments.

AWS fully supports dual-stack environments, allowing you to enable IPv6 alongside IPv4 without disrupting existing setups. This approach helps you gradually adopt IPv6 while maintaining compatibility with IPv4-dependent systems. Beyond the sheer availability of addresses, IPv6 also introduces efficiency improvements, such as simplified routing and better support for auto-configuration.

Implementing IPv6 in your AWS environment requires careful planning to ensure security and compatibility with your applications. Below are the steps to help you get started.

Steps to Implement IPv6:

Enable IPv6 for your VPC.
Add IPv6 CIDR blocks to subnets.
Update route tables and security rules to include IPv6.

Start with non-production environments and gradually migrate, ensuring applications are tested with IPv6 endpoints. IPv6 addresses are free, making them a cost-effective way to future-proof your architecture.

In a Few Words

Mastering AWS VPC networking patterns is not just about understanding individual components but also knowing when and why to use them. Whether it’s simplifying service communication with VPC Lattice, optimizing inter-region connectivity with Transit Gateway, or future-proofing with IPv6, these strategies empower you to build secure, scalable, and efficient cloud architectures.

Remember: The cloud is just someone else’s computer, but with VPC, it’s your private slice of that computer. Make it count!

December 9, 2024 by Fernando SRE Cloud stuff 0

Traffic Control in AWS VPC with Security Groups and NACLs

In AWS, Security Groups and Network ACLs (NACLs) are the core tools for controlling inbound and outbound traffic within Virtual Private Clouds (VPCs). Think of them as layers of security that, together, help keep your resources safe by blocking unwanted traffic. While they serve a similar purpose, each works at a different level and has distinct features that make them effective when combined.

1. Security Groups as room-level locks

Imagine each instance or resource within your VPC is like a room in a house. A Security Group acts as the lock on each of those doors. It controls who can get in and who can leave and remembers who it lets through so it doesn’t need to keep asking. Security Groups are stateful, meaning they keep track of allowed traffic, both inbound and outbound.

Key Features

Stateful behavior: If traffic is allowed in one direction (e.g., HTTP on port 80), it automatically allows the response in the other direction, without extra rules.
Instance-Level application: Security Groups apply directly to individual instances, load balancers, or specific AWS services (like RDS).
Allow-Only rules: Security Groups only have “allow” rules. If a rule doesn’t permit traffic, it’s blocked by default.

Example

For a database instance on RDS, you might configure a Security Group that allows incoming traffic only on port 3306 (the default port for MySQL) and only from instances within your backend Security Group. This setup keeps the database shielded from any other traffic.

2. Network ACLs as property-level gates

If Security Groups are like room locks, NACLs are more like the gates around a property. They filter traffic at the subnet level, screening everything that tries to get in or out of that part of the network. NACLs are stateless, so they don’t keep track of traffic. If you allow inbound traffic, you’ll need a separate rule to permit outbound responses.

Key Features

Stateless behavior: Traffic allowed in one direction doesn’t mean it’s automatically allowed in the other. Each direction needs explicit permission.
Subnet-Level application: NACLs apply to entire subnets, meaning they cover all resources within that network layer.
Allow and Deny rules: Unlike Security Groups, NACLs allow both “allow” and “deny” rules, giving you more granular control over what traffic is permitted or blocked.

Example

For a public-facing web application, you might configure a NACL to block any IPs outside a specific range or region, adding a layer of protection before traffic even reaches individual instances.

Best practices for using security groups and NACLs together

Combining Security Groups and NACLs creates a multi-layered security setup known as defense in depth. This way, if one layer misconfigures, the other provides a safety net.

Use security groups as your first line of defense

Since Security Groups are stateful and work at the instance level, they should define specific rules tailored to each resource. For example, allow only HTTP/HTTPS traffic for frontend instances, while backend instances only accept requests from the frontend Security Group.

Reinforce with NACLs for subnet-level control

NACLs are stateless and ideal for high-level filtering, such as blocking unwanted IP ranges. For example, you might use a NACL to block all traffic from certain geographic locations, enhancing protection before traffic even reaches your Security Groups.

Apply NACLs for public traffic control

If your application receives public traffic, use NACLs at the subnet level to segment untrusted traffic, keeping unwanted visitors at bay. For example, you could configure NACLs to block all ports except those explicitly needed for public access.

Manage NACL rule order carefully

Remember that NACLs evaluate traffic based on rule order. Rules with lower numbers are prioritized, so keep your most restrictive rules first to ensure they’re applied before others.

Applying layered security in a Three-Tier architecture

Imagine a three-tier application with frontend, backend, and database layers, each in its subnet within a VPC. Here’s how you could use Security Groups and NACLs:

Security Groups

Frontend: Security Group allows inbound traffic on ports 80 and 443 from any IP.
Backend: Security Group allows traffic only from the frontend Security Group, for example, on port 8080.
Database: Security Group allows traffic only from the backend Security Group, on port 3306 (for MySQL).

NACLs

Frontend Subnet: NACL allows inbound traffic only on ports 80 and 443, blocking everything else.
Backend Subnet: NACL allows inbound traffic only from the frontend subnet and blocks all other traffic.
Database Subnet: NACL allows inbound traffic only from the backend subnet and blocks all other traffic.

In a few words

Security Groups: Act at the instance level, are stateful, and only permit “allow” rules.
NACLs: Act at the subnet level, are stateless, and allow both “allow” and “deny” rules.
Combining Security Groups and NACLs: This approach gives you a layered “defense in depth” strategy, securing traffic control across every layer of your VPC.

November 14, 2024 by Fernando SRE Cloud stuff DevOps stuff SRE stuff 0

AWS Secrets Manager as a better solution than .env files for protecting sensitive data

Have you ever hidden your house key under the doormat? It seems convenient, right? Everyone knows where it is, and you can access it easily. Well, storing secrets in .env files is quite similar, but in the software world. And just like that key under the doormat, it’s not exactly the brightest idea.

The Curious case of .env files

When software systems were simpler, we used .env files to keep our secrets, passwords, API keys, and other sensitive information. It was like having a notebook where you wrote down all your passwords and left it on your desk. It worked… until it didn’t.

Imagine you are in a company with 100 developers, each with their copy of the secrets. It’s like having 100 copies of your house key distributed around the neighborhood. What could go wrong? Well, let me tell you…

The problems with .env files

It’s fascinating how we’ve managed secrets over the years. Picture running a bank but, instead of using a vault, you store all the money in shoeboxes under everyone’s desk. Sure, it’s convenient, everyone can access it quickly, but it’s certainly not Fort Knox. This is what we’re doing with .env files:

Plain text visibility: .env files store secrets in plain text, meaning anyone accessing your computer can read them. It’s like writing your PIN on your credit card.
The proliferation of copies: Every developer, every server, every deployment needs a copy. Soon, you end up with more copies of your secrets than holiday fruitcakes at a family reunion.
No audit trail: If someone peeks at your secrets, you will never know. It’s like having a diary that doesn’t tell you who has been reading it.

AWS Secrets Manager as the modern vault

Now, let me show you something better. AWS Secrets Manager is like upgrading from that shoebox to a sophisticated bank vault. But unlike a real bank vault, it’s always available instantly, anywhere in the world.

How does It work?

Think of AWS Secrets Manager as a super-smart safety deposit box system:

Instead of leaving your key under the doormat like this:

from dotenv import load_dotenv
load_dotenv()
secret = os.getenv('SUPER_SECRET_KEY')

You get it securely from the vault like this:

import boto3

def get_secret(secret_name):
    session = boto3.session.Session()
    client = session.client('secretsmanager')
    return client.get_secret_value(SecretId=secret_name)['SecretString']

The beauty of this system is that it’s like having a personal butler who:

Provides secrets on demand: Only give secrets to people you’ve authorized.
Maintains a detailed log: Keeps track of who asked for what, so you always have an audit trail.
Rotates secrets automatically: Changing the locks regularly, without any hassle.
Globally available: Works 24/7 across the globe.

Moreover, AWS Secrets Manager encrypts your secrets both at rest and in transit, ensuring that they’re secure throughout their lifecycle.

The cost of security and why free Isn’t always better

I know what you might be thinking: “But .env files are free!” Yes, just like leaving your key under the doormat is free too. AWS Secrets Manager costs about $0.40 per secret per month, about the price of a pack of gum. But let me share a story of false economy.

I was consulting for a fast-growing startup that handled payment processing for small businesses. They managed all their secrets through .env files, saving on what they thought would be an unnecessary $200-300 monthly cost.

One day, a junior developer accidentally pushed a .env file to a public repository. It was exposed for only 30 minutes before someone caught it, but that was enough. They had to:

Rotate all their production credentials.
Audit weeks of transaction logs for suspicious activity.
Notify their compliance officer and file security reports.
Put the entire engineering team on an emergency rotation.
Hire an external security firm to ensure no data was compromised.
Send disclosure notices to their customers.

The incident response alone took three developers off their main projects for two weeks. Add in legal consultations, security audits, and lost trust from three enterprise customers, and it ended up costing six figures. Ironically, the modern secret management system they “couldn’t afford” would have cost less than their weekly coffee budget.

Making the switch to AWS Secrets Manager

Transitioning from .env files to AWS Secrets Manager isn’t just a simple shift; it’s an upgrade in your approach to security. Here’s how to do it without the headaches:

Start Small
- Pick one application.
- Move its secrets to AWS Secrets Manager.
- Learn from the experience.
Scale Gradually
- Migrate team by team.
- Keep the old .env files temporarily (like training wheels).
- Build confidence in the new system.
Cut the Cord
- Remove all .env files.
- Document everything.
- Celebrate the switch with your team.

The future of secrets management

The wonderful thing about security is that it keeps evolving. Today, it’s AWS Secrets Manager; tomorrow, it could be quantum-encrypted brainwaves (okay, maybe not quite yet). But the principle remains the same: we must continually evolve to protect our secrets.

Security isn’t about making it impossible for attackers to breach; it’s about making it so difficult that they move on to easier targets, those who are still keeping their keys under the doormat.

So, what do you say? Ready to upgrade from that shoebox to a proper vault? Your secrets (and your future self) will thank you for it.

P.S. If you’re still using .env files, don’t feel bad, we all did at some point. The important thing is to start improving now. The best time to plant a tree was 20 years ago. The second best time is today. The same goes for managing secrets securely.

November 12, 2024 by Fernando SRE Cloud stuff DevOps stuff SRE stuff 0