CloudSecurity

Prevent cloud chaos with practical infrastructure drift management

That Monday morning feeling hits hard. Your team scrambles, troubleshooting a critical application glitch that seemingly appeared out of nowhere. No one admits to making changes, and deployment logs show nothing recent, yet the application’s behavior and system logs tell a different, frustrating story. Meanwhile, an alert pops up, the cloud bill has spiked unexpectedly, driven by resources you don’t recognize. This quiet disruption, this subtle, creeping chaos slowly undermining your carefully architected setup, has a name: infrastructure drift.

So, what exactly is this invisible force causing so much friction? Infrastructure drift is the inevitable gap between your infrastructure’s intended design, the desired state meticulously defined in your Infrastructure as Code (IaC) templates, and what’s running live in your production environment. Think of it like having incredibly detailed, architect-approved blueprints for your house. You know precisely where every wall, wire, and pipe should be. But over time, perhaps a contractor repainted a wall a slightly different shade during a quick touch-up, an electrician swapped out a light fixture for a similar-but-not-identical model without updating the master plans, or a tiny, unnoticed leak starts dripping behind a wall. These unrecorded modifications, whether accidental manual tweaks, undocumented “hotfixes,” or even automated actions by other systems, constitute drift.

While individual instances might seem minor, the cumulative effects of unchecked drift can be surprisingly severe, impacting operations across the board:

Security gaps: Unplanned open ports become attack vectors, overly permissive access rules grant unintended privileges, and outdated software configurations harbor known vulnerabilities. Each drift instance can poke a small hole in your security posture, eventually leading to significant breaches.
Compliance nightmares: Configurations subtly shifting out of line with required industry regulations (like GDPR, HIPAA, or PCI-DSS) can lead to failed audits, hefty fines, and reputational damage. What was compliant yesterday might not be today due to drift.
Deployment roadblocks: Inconsistencies between development, staging, and production environments, often caused by drift, lead to software rollouts failing unexpectedly, causing delays and requiring complex debugging efforts. “It worked on my machine” becomes an infrastructure problem.
Budget blowouts: Orphaned virtual machines, unattached storage volumes, or over-provisioned databases, and resources created outside of IaC or left behind after manual tests, silently consume funds, inflating your cloud spending unnecessarily.
Reliability erosion: An unpredictable environment where the actual state doesn’t match the documented state makes troubleshooting exponentially harder. Engineers waste valuable time chasing ghosts, trying to diagnose issues based on inaccurate assumptions about the infrastructure’s configuration.

The good news? This isn’t an uncontrollable force of nature you simply have to accept it. Drift is manageable. With the right blend of awareness, tooling, and proactive strategies, you can spot drift early, correct it efficiently, and keep your cloud environment stable, secure, and predictable.

Spotting the unseen detecting drift before it bites

You can’t fix what you can’t see, and you certainly can’t prevent problems you’re unaware of. Effective drift management hinges on early, reliable detection. Making detection a routine practice is the first crucial step towards regaining control and preventing minor deviations from snowballing into major incidents. How do we catch these silent, potentially harmful changes before they escalate? Luckily, the ecosystem provides some reliable watchdogs.

CloudFormation’s built-in vigilance

If you’re managing infrastructure natively on AWS, CloudFormation offers a powerful built-in drift detection feature. It acts like a diligent auditor, meticulously comparing the stack template you originally deployed (your source of truth) against the actual, live configuration settings of the deployed resources within that stack. For instance, imagine your template explicitly specifies that SSH port 22 should be closed on a particular Security Group for security reasons. If someone manually opens that port later, perhaps for a temporary debugging session, and forgets to revert the change, CloudFormation’s next drift detection run will flag this specific resource and property (the Security Group rule) as ‘MODIFIED’, clearly highlighting the discrepancy and alerting you to the unauthorized, potentially risky change.

Terraform’s strategic planning

For organizations using the popular multi-cloud tool Terraform, the Terraform plan command is your fundamental weapon against drift. It does much more than just preview the changes Terraform intends to make based on your code; it also performs a crucial reconciliation by comparing your configuration files against the real-world state recorded in its state file, revealing any discrepancies. Running Terraform plan regularly is key, and automating this within your Continuous Integration (CI) pipelines transforms it into a powerful, proactive check. Before any code changes are even merged, the pipeline can run plan to ensure the proposed changes align with reality and flag any unexpected drift that might have occurred since the last run. Think of it like doing a meticulous pantry inventory before you even write your next grocery list: you compare your current stock against your master list to see exactly what’s missing, what extra items have mysteriously appeared, or what’s been moved, ensuring your shopping list (your planned changes) is based on accurate information.

To make this process reliable in collaborative environments, Terraform relies heavily on remote state files, often stored securely in object storage like AWS S3 or Azure Blob Storage. Combining this remote storage with a state-locking mechanism, such as AWS DynamoDB or HashiCorp Consul, is vital. This combination acts like a meticulous librarian managing the single ‘master plan’ (the state file) for your infrastructure. When one engineer runs Terraform, it ‘checks out’ the plan by acquiring a lock, preventing anyone else from making conflicting changes simultaneously. Once finished, the lock is released. This ensures everyone is always working from the most current and accurate blueprint, preventing dangerous race conditions and inconsistent state issues.

Building strong foundations proactive drift management

Detection tells you when things have gone off-script, but the ultimate goal is prevention, minimizing the chances of drift occurring in the first place. Truly mastering drift involves shifting from a reactive cleanup mode to building robust, proactive practices into your daily workflows. It’s about making conscious, disciplined decisions today that ensure the long-term stability, security, and predictability of your infrastructure tomorrow.

Infrastructure as Code the single source of truth

The absolute bedrock of drift prevention and management is defining everything possible through Infrastructure as Code (IaC) using declarative tools like Terraform, CloudFormation, Pulumi, or Bicep. Your code becomes the definitive blueprint, the verifiable single source of truth for what your infrastructure should look like at any given time. Manual changes via cloud consoles should become the rare exception, not the rule.

Storing this invaluable IaC codebase in a version control system like Git is non-negotiable. Git provides far more than just a backup; it offers a complete, auditable history of every single change, who made it, when, and hopefully why (via commit messages). It enables seamless collaboration among team members and, critically, facilitates peer review through mechanisms like Pull Requests (PRs). Think of it like maintaining a master, collaborative recipe book for your complex infrastructure ‘dishes’. Every proposed ingredient change or instruction tweak (code modification) is submitted as a draft (a PR), reviewed by other experienced ‘chefs’ (team members), potentially tested automatically, and only merged into the main cookbook (main branch) once approved. Regular code reviews and even automated static analysis of the IaC itself ensure that only validated, intentional, and hopefully secure changes make it through this quality gate.

Consistent tagging the power of labels

In a sprawling, dynamic cloud environment, simply knowing what resources exist isn’t enough; you need to understand their context. Implementing a consistent, comprehensive tagging strategy for all managed resources provides immense operational benefits:

Clear identification: Quickly understand a resource’s purpose (e.g., service: web-frontend), owner (owner: team-alpha), or environment (environment: production).
Cost allocation & optimization: Accurately track spending across different projects, teams, or cost centers using tags (e.g., cost-center: 12345). This data is crucial for identifying optimization opportunities.
Targeted automation: Use tags to select specific resources for automated actions, such as scheduling backups for resources tagged backup-policy: daily or initiating automated shutdowns for resources tagged auto-shutdown: true.
Simplified auditing & security: Easily filter and review resources during security assessments or compliance checks (e.g., finding all resources associated with a specific compliance standard like compliance: pci-dss).

Define a clear tagging policy and enforce it. Use meaningful tags consistently, including identifiers like deployment IDs, creation timestamps, application names, and data sensitivity levels. It’s like putting clear, detailed, standardized labels on every single box during a large office move. You instantly know what’s inside, which department it belongs to, where it needs to go, and who packed it, making it incredibly easy to organize the move, track assets, and immediately spot if a box is missing, misplaced, or if an unexpected, unlabeled one appears.

The human eye regular manual audits

Automation and IaC are incredibly powerful, but they aren’t foolproof substitutes for experienced human judgment. Regular manual audits serve as a vital complement, catching nuances and potential issues that automated checks might miss. These reviews involve experienced engineers or architects systematically examining the cloud environment, looking beyond simple configuration mismatches. They seek out untagged or ‘orphaned’ resources wasting money, subtle misconfigurations that aren’t technically ‘drift’ but are inefficient or insecure, obsolete components that should be decommissioned, or security nuances and potential logical flaws in the architecture that require a deeper understanding of the applications involved. Think of it like having a professional home inspection periodically. Your smoke detectors and security sensors (automated checks) are essential for immediate alerts, but an experienced inspector might spot hidden issues like developing foundation cracks, inefficient insulation, or subtle signs of water damage that the sensors simply aren’t designed to detect.

Achieving harmony and keeping infrastructure in tune

Infrastructure drift is an inherent, persistent challenge in today’s dynamic cloud environments, a constant low-level hum beneath the surface of operations. However, it’s manageable and should not be accepted as an unavoidable cost of doing business. Mastering drift doesn’t require a single magic bullet or an expensive, complex tool. Instead, it stems from the disciplined, combined application of sound practices: rigorous use of Infrastructure as Code stored and versioned in Git as the single source of truth, automated detection integrated seamlessly into CI/CD pipelines (using tools like CloudFormation drift detection or terraform plan), a consistent and enforced resource tagging strategy for visibility and control, and the crucial, irreplaceable oversight provided by regular manual audits conducted by experienced personnel.

Committing to these interwoven strategies yields significant, tangible rewards: demonstrably enhanced operational reliability and reduced outages, a stronger and more verifiable security posture, smoother and less stressful compliance audits, more predictable and faster software deployments, and ultimately, optimized and controlled cloud spending.

Keeping your cloud infrastructure consistent, secure, and aligned with its intended design isn’t a one-off project to be completed and forgotten; it’s an ongoing commitment, a continuous process of vigilance, refinement, and care, much like diligently tending a garden to ensure it remains healthy, productive, and thrives exactly as you intend. Make this continuous oversight and proactive management a standard, ingrained practice for your team. Your infrastructure’s health, your application’s stability, and your own peace of mind fundamentally depend on it.

Keeping your SaaS services safe with AWS WAF

Building and running SaaS applications in the cloud can often feel like throwing a public event. Most guests are welcome, but a few may try to sneak in, cause trouble, or overwhelm the entrance. In the digital world, these guests come in the form of cyber threats like DDoS attacks and malicious bots. Thankfully, AWS gives us a capable bouncer at the door: the AWS Web Application Firewall, or AWS WAF.

This article tries to explain how AWS WAF helps protect cloud-based APIs and applications. Whether you’re a DevOps engineer, an SRE, a developer, or an architect, if your system speaks HTTP, WAF is a strong ally worth having.

Understanding common web threats

When your service becomes publicly available, you’re not just attracting users, you’re also catching the attention of potential attackers. Some are highly skilled, but many rely on automation. Distributed Denial of Service (DDoS) attacks, for instance, use large networks of compromised devices (bots) to flood your systems with traffic. These bots aren’t always destructive; some just probe endpoints or scrape content in preparation for more aggressive steps.

That said, not all bots are harmful. Some, like those from search engines, help index your content and improve your visibility. So, the real trick is telling the good bots from the bad ones, and that’s where AWS WAF becomes valuable.

How AWS WAF works to protect you

AWS WAF gives you control over HTTP and HTTPS traffic to your applications. It integrates with key AWS services such as CloudFront, API Gateway, Application Load Balancer, AppSync, Cognito, App Runner, and Verified Access. Whether you’re using containers or serverless functions, WAF fits right in.

To start, you create a Web Access Control List (Web ACL), define rules within it, and then link it to the application resources you want to guard. Think of the Web ACL as a checkpoint. Every request to your system passes through it for inspection.

Each rule tells WAF what to look for and how to respond. Actions include allowing, blocking, counting, or issuing a CAPTCHA challenge. AWS provides managed rule groups that cover a wide range of known threats and are updated regularly. These rules are efficient and reliable, perfect for a solid baseline. But when you need more tailored protection, custom rules come into play.

Custom rules can screen traffic based on IP addresses, country, header values, and even regex patterns. You can combine these conditions using logic like AND, OR, and NOT. The more advanced the logic, the more WebACL Capacity Units (WCUs) it uses. So, it’s important to find the right balance between protection and performance.

Who owns what in the security workflow

While security is a shared concern, roles help ensure clarity and effectiveness. Security architects typically design the rules and monitor overall protection. Developers translate those rules into code using AWS CDK or Terraform, deploy them, and observe the results.

This separation creates a practical workflow. If something breaks, say, users are suddenly blocked, developers need to debug quickly. This requires full visibility into how WAF is affecting traffic, making good observability a must.

Testing without breaking things

Rolling out new WAF rules in production without testing is risky, like making engine changes while flying a plane. That’s why it’s wise to maintain both development and production WAF environments. Use development to safely experiment with new rules using simulated traffic. Once confident, roll them out to production.

Still, mistakes happen. That’s why you need a clear “break glass” strategy. This might be as simple as reverting a GitHub commit or disabling a rule via your deployment pipeline. What matters most is that developers know exactly how and when to use it.

Making logs useful

AWS WAF supports logging, which can be directed to S3, Kinesis Firehose, or a CloudWatch Log Group. While centralized logging with S3 or Kinesis is powerful, it often comes with the overhead of maintaining data pipelines and managing permissions.

For many teams, using CloudWatch strikes the right balance. Developers can inspect WAF logs directly with familiar tools like Logs Insights. Just remember to set log retention to 7–14 days to manage storage costs efficiently.

Understanding costs and WCU limits

WAF pricing is based on the number of rules, Web ACLs, and the volume of incoming requests. Every rule consumes WCUs, with each Web ACL having a 5,000 WCU limit. AWS-managed rules are performance-optimized and cost-effective, making them an excellent starting point.

Think of WCUs as computational effort: the more complex your rules, the more resources WAF uses to evaluate them. This affects both latency and billing, so plan your configurations with care.

Closing Reflections

Security isn’t about piling on tools, it’s about knowing the risks and using the right measures thoughtfully. AWS WAF is powerful, but its true value comes from how well it’s configured and maintained.

By establishing clear roles, thoroughly testing updates, understanding your logs, and staying mindful of performance and cost, you can keep your SaaS services resilient in the face of evolving cyber threats. And hopefully, sleep a little better at night.

How ABAC and Cross-Account Roles Revolutionize AWS Permission Management

Managing permissions in AWS can quickly turn into a juggling act, especially when multiple AWS accounts are involved. As your organization grows, keeping track of who can access what becomes a real headache, leading to either overly permissive setups (a security risk) or endless policy updates. There’s a better approach: ABAC (Attribute-Based Access Control) and Cross-Account Roles. This combination offers fine-grained control, simplifies management, and significantly strengthens your security.

The fundamentals of ABAC and Cross-Account roles

Let’s break these down without getting lost in technicalities.

First, ABAC vs. RBAC. Think of RBAC (Role-Based Access Control) as assigning a specific key to a particular door. It works, but what if you have countless doors and constantly changing needs? ABAC is like having a key that adapts based on who you are and what you’re accessing. We achieve this using tags – labels attached to both resources and users.

RBAC: “You’re a ‘Developer,’ so you can access the ‘Dev’ database.” Simple, but inflexible.
ABAC: “You have the tag ‘Project: Phoenix,’ and the resource you’re accessing also has ‘Project: Phoenix,’ so you’re in!” Far more adaptable.

Now, Cross-Account Roles. Imagine visiting a friend’s house (another AWS account). Instead of getting a copy of their house key (a user in their account), you get a special “guest pass” (an IAM Role) granting access only to specific rooms (your resources). This “guest pass” has rules (a Trust Policy) stating, “I trust visitors from my friend’s house.”

Finally, AWS Security Token Service (STS). STS is like the concierge who verifies the guest pass and issues a temporary key (temporary credentials) for the visit. This is significantly safer than sharing long-term credentials.

Making it real

Let’s put this into practice.

Example 1: ABAC for resource control (S3 Bucket)

You have an S3 bucket holding important project files. Only team members on “Project Alpha” should access it.

Here’s a simplified IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::your-project-bucket",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
        }
      }
    }
  ]
}

This policy says: “Allow actions like getting, putting, and listing objects in ‘your-project-bucket‘ if the ‘Project‘ tag on the bucket matches the ‘Project‘ tag on the user trying to access it.”

You’d tag your S3 bucket with Project: Alpha. Then, you’d ensure your “Project Alpha” team members have the Project: Alpha tag attached to their IAM user or role. See? Only the right people get in.

Example 2: Cross-account resource sharing with ABAC

Let’s say you have a “hub” account where you manage shared resources, and several “spoke” accounts for different teams. You want to let the “DataScience” team from a spoke account access certain resources in the hub, but only if those resources are tagged for their project.

Create a Role in the Hub Account: Create a role called, say, DataScienceAccess.

Trust Policy (Hub Account): This policy, attached to the DataScienceAccess role, says who can assume the role:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SPOKE_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
            "StringEquals": {
                "sts:ExternalId": "DataScienceExternalId"
            }
      }
    }
  ]
}

Replace SPOKE_ACCOUNT_ID with the actual ID of the spoke account, and it is a good practice to use an ExternalId. This means, “Allow the root user of the spoke account to assume this role”.

Permission Policy (Hub Account): This policy, also attached to the DataScienceAccess role, defines what the role can do. This is where ABAC shines:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::shared-resource-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"
        }
      }
    }
  ]
}

This says, “Allow access to objects in ‘shared-resource-bucket’ only if the resource’s ‘Project’ tag matches the user’s ‘Project’ tag.”

In the Spoke Account: Data scientists in the spoke account would have a policy allowing them to assume the DataScienceAccess role in the hub account. They would also have the appropriate Project tag (e.g., Project: Gamma).

The flow looks like this:

Spoke Account User -> AssumeRole (Hub Account) -> STS provides temporary credentials -> Access Shared Resource (if tags match)

Advanced use cases and automation

Control Tower & Service Catalog: These services help automate the setup of cross-account roles and ABAC policies, ensuring consistency across your organization. Think of them as blueprints and a factory for your access control.
Auditing and Compliance: Imagine needing to prove compliance with PCI DSS, which requires strict data access controls. With ABAC, you can tag resources containing sensitive data with Scope: PCI and ensure only users with the same tag can access them. AWS Config and CloudTrail, along with IAM Access Analyzer, let you monitor access and generate reports, proving you’re meeting the requirements.

Best practices and troubleshooting

Tagging Strategy is Key: A well-defined tagging strategy is essential. Decide on naming conventions (e.g., Project, Environment, CostCenter) and enforce them consistently.
Common Pitfalls:
– Inconsistent Tags: Make sure tags are applied uniformly. A typo can break access.
– Overly Permissive Policies: Start with the principle of least privilege. Grant only the necessary access.
Tools and Resources:
– IAM Access Analyzer: Helps identify overly permissive policies and potential risks.
– AWS documentation provides detailed information.

Summarizing

ABAC and Cross-Account Roles offer a powerful way to manage access in a multi-account AWS environment. They provide the flexibility to adapt to changing needs, the security of fine-grained control, and the simplicity of centralized management. By embracing these tools, we can move beyond the limitations of traditional IAM and build a truly scalable and secure cloud infrastructure.

March 6, 2025 by Fernando SRE Cloud stuff DevOps stuff 0

How to monitor and analyze network traffic with AWS VPC Flow logs

Managing cloud networks can often feel like navigating through dense fog. You’re in control of your applications and services, guiding them forward, yet the full picture of what’s happening on the network road ahead, particularly concerning security and performance, remains obscured. Without proper visibility, understanding the intricacies of your cloud network becomes a significant challenge.

Think about it: your cloud network is buzzing with activity. Data packets are constantly zipping around, like tiny digital messengers, carrying instructions and information. But how do you keep track of all this chatter? How do you know who’s talking to whom, what they’re saying, and if everything is running smoothly?

This is where VPC Flow Logs come to the rescue. Imagine them as your network’s trusty detectives, diligently taking notes on every conversation happening within your Amazon Virtual Private Cloud (VPC). They provide a detailed record of the network traffic flowing through your cloud environment, making them an indispensable tool for DevOps and cloud teams.

In this article, we’ll explore the world of VPC Flow Logs, exploring what they are, how to use them, and how they can help you become a master of your AWS network. Let’s get started and shed some light on your network’s hidden stories!

What are VPC Flow Logs?

Alright, so what exactly are VPC Flow Logs? Think of them as detailed записные книжки (notebooks – just adding a touch of fun!) for your network traffic. They capture information about the IP traffic going to and from network interfaces in your VPC.

But what kind of information? Well, they note down things like:

Source and Destination IPs: Who’s sending the message and who’s receiving it?
Ports: Which “doors” are being used for communication?
Protocols: What language are they speaking (TCP, UDP)?
Traffic Decision: Was the traffic accepted or rejected by your security rules?

It’s like having a super-detailed receipt for every network transaction. But why is this useful? Loads of reasons!

Security Auditing: Want to know who’s been knocking on your network’s doors? Flow Logs can tell you, helping you spot suspicious activity.
Performance Optimization: Is your application running slow? Flow Logs can help you pinpoint network bottlenecks and optimize traffic flow.
Compliance: Need to prove you’re keeping a close eye on your network for regulatory reasons? Flow Logs provide the audit trail you need.

Now, there’s a little catch to be aware of, especially if you’re running a hybrid environment, mixing cloud and on-premises infrastructure. VPC Flow Logs are fantastic, but they only see what’s happening inside your AWS VPC. They don’t directly monitor your on-premises networks.

So, what do you do if you need visibility across both worlds? Don’t worry, there are clever workarounds:

AWS Site-to-Site VPN + CloudWatch Logs: If you’re using AWS VPN to connect your on-premises network to AWS, you can monitor the traffic flowing through that VPN tunnel using CloudWatch Logs. It’s like having a special log just for the bridge connecting your two worlds.
External Tools: Think of tools like Security Lake. It’s like a central hub that can gather logs from different environments, including on-premises and multiple clouds, giving you a unified view. Or, you could use open-source tools like Zeek or Suricata directly on your on-premises servers to monitor traffic there. These are like setting up your independent network detectives in your local office!

Configuring VPC Flow Logs

Ready to turn on your network detectives? Configuring VPC Flow Logs is pretty straightforward. You have a few choices about where you want to enable them:

VPC-level: This is like casting a wide net, logging all traffic in your entire VPC.
Subnet-level: Want to focus on a specific neighborhood within your VPC? Subnet-level logs are for you.
ENI-level (Elastic Network Interface): Need to zoom in on a single server or instance? ENI-level logs track traffic for a specific network interface.

You also get to choose what kind of traffic you want to log with filters:

ACCEPT: Only log traffic that was allowed by your security rules.
REJECT: Only log traffic that was blocked. Super useful for security troubleshooting!
ALL: Log everything – the full story, both accepted and rejected traffic.

Finally, you decide where you want to send your detective’s notes, and the destinations:

S3: Store your logs in Amazon S3 for long-term storage and later analysis. Think of it as archiving your detective notebooks.
CloudWatch Logs: Send logs to CloudWatch Logs for real-time monitoring, alerting, and quick insights. Like having your detective radioing in live reports.
Third-party tools: Want to use your favorite analysis tool? You can send Flow Logs to tools like Splunk or Datadog for advanced analysis and visualization.

Want to get your hands dirty quickly? Here’s a little AWS CLI snippet to enable Flow Logs at the VPC level, sending logs to CloudWatch Logs, and logging all traffic:

aws ec2 create-flow-logs --resource-ids vpc-xxxxxxxx --resource-type VPC --log-destination-type cloud-watch-logs --traffic-type ALL --log-group-name my-flow-logs

Just replace vpc-xxxxxxxx with your actual VPC ID and my-flow-logs with your desired CloudWatch Logs log group name. Boom! You’ve just turned on your network visibility.

Tools and techniques for analyzing Flow Logs

Okay, you’ve got your Flow Logs flowing. Now, how do you read these detective notes and make sense of them? AWS gives you some great built-in tools, and there are plenty of third-party options too.

Built-in AWS Tools:

Athena: Think of Athena as a super-powered search engine for your logs stored in S3. It lets you use standard SQL queries to sift through massive amounts of Flow Log data. Want to find all blocked SSH traffic? Athena is your friend.
CloudWatch Logs Insights: For logs sent to CloudWatch Logs, Insights lets you run powerful queries and create visualizations directly within CloudWatch. It’s fantastic for quick analysis and dashboards.

Third-Party tools:

Splunk, Datadog, etc.: These are like professional-grade detective toolkits. They offer advanced features for log management, analysis, visualization, and alerting, often integrating seamlessly with Flow Logs.
Open-source options: Tools like the ELK stack (Elasticsearch, Logstash, Kibana) give you powerful log analysis capabilities without the commercial price tag.

Let’s see a quick example. Imagine you want to use Athena to identify blocked traffic (REJECT traffic). Here’s a sample Athena query to get you started:

SELECT
    vpc_id,
    srcaddr,
    dstaddr,
    dstport,
    protocol,
    action
FROM
    aws_flow_logs_s3_db.your_flow_logs_table  -- Replace with your Athena table name
WHERE
    action = 'REJECT'
    AND start_time >= timestamp '2024-07-20 00:00:00' -- Adjust time range as needed
LIMIT 100

Just replace aws_flow_logs_s3_db.your_flow_logs_table with the actual name of your Athena table, adjust the time range, and run the query. Athena will return the first 100 log entries showing rejected traffic, giving you a starting point for your investigation.

Troubleshooting common connectivity issues

This is where Flow Logs shine! They can be your best friend when you’re scratching your head trying to figure out why something isn’t connecting in your cloud network. Let’s look at a few common scenarios:

Scenario 1: Diagnosing SSH/RDP connection failures. Can’t SSH into your EC2 instance? Check your Flow Logs! Filter for REJECTED traffic, and look for entries where the destination port is 22 (for SSH) or 3389 (for RDP) and the destination IP is your instance’s IP. If you see rejected traffic, it likely means a security group or NACL is blocking the connection. Flow Logs pinpoint the problem immediately.

Scenario 2: Identifying misconfigured security groups or NACLs. Imagine you’ve set up security rules, but something still isn’t working as expected. Flow Logs help you verify if your rules are actually behaving the way you intended. By examining ACCEPT and REJECT traffic, you can quickly spot rules that are too restrictive or not restrictive enough.

Scenario 3: Detecting asymmetric routing problems. Sometimes, network traffic can take different paths in and out of your VPC, leading to connectivity issues. Flow Logs can help you spot these asymmetric routes by showing you the path traffic is taking, revealing unexpected detours.

Security threat detection with Flow Logs

Beyond troubleshooting connectivity, Flow Logs are also powerful security tools. They can help you detect malicious activity in your network.

Detecting port scanning or brute-force attacks. Imagine someone is trying to break into your servers by rapidly trying different passwords or probing open ports. Flow Logs can reveal these attacks by showing spikes in REJECTED traffic to specific ports. A sudden surge of rejected connections to port 22 (SSH) might indicate a brute-force attack attempt.

Identifying data exfiltration. Worried about data leaving your network without your knowledge? Flow Logs can help you spot unusual outbound traffic patterns. Look for unusual spikes in outbound traffic to unfamiliar destinations or ports. For example, a sudden increase in traffic to a strange IP address on port 443 (HTTPS) might be worth investigating.

You can even use CloudWatch Metrics to automate security monitoring. For example, you can set up a metric filter in CloudWatch Logs to count the number of REJECT events per minute. Then, you can create a CloudWatch alarm that triggers if this count exceeds a certain threshold, alerting you to potential port scanning or attack activity in real time. It’s like setting up an automatic alarm system for your network!

Best practices for effective Flow Log monitoring

To get the most out of your Flow Logs, here are a few best practices:

Filter aggressively to reduce noise. Flow Logs can generate a lot of data, especially at high traffic volumes. Filter out unnecessary traffic, like health checks or very frequent, low-importance communications. This keeps your logs focused on what truly matters.
Automate log analysis with Lambda or Step Functions. Don’t rely on manual analysis for everything. Use AWS Lambda or Step Functions to automate common analysis tasks, like summarizing traffic patterns, identifying anomalies, or triggering alerts based on specific events in your Flow Logs. Let robots do the routine detective work!
Set retention policies and cross-account logging for audits. Decide how long you need to keep your Flow Logs based on your compliance and audit requirements. Store them in S3 for long-term retention. For centralized security monitoring, consider setting up cross-account logging to aggregate Flow Logs from multiple AWS accounts into a central security account. Think of it as building a central security command center for all your AWS environments.

Some takeaways

So, your network is an invaluable audit trail. They provide detailed visibility to understand, troubleshoot, secure, and optimize your AWS cloud networks. From diagnosing simple connection problems to detecting sophisticated security threats, Flow Logs empower DevOps, SRE, and Security teams to master their cloud environments truly. Turn them on, explore their insights, and unlock the hidden stories within your network traffic.

February 26, 2025 by Fernando SRE Cloud stuff DevOps stuff SRE stuff 0

Secure and simplify EC2 access with AWS Session Manager

Accessing EC2 instances used to be a hassle. Bastion hosts, SSH keys, firewall rules, each piece added another layer of complexity and potential security risks. You had to open ports, distribute keys, and constantly manage access. It felt like setting up an intricate vault just to perform simple administrative tasks.

AWS Session Manager changes the game entirely. No exposed ports, no key distribution nightmares, and a complete audit trail of every session. Think of it as replacing traditional keys and doors with a secure, on-demand teleportation system, one that logs everything.

How AWS Session Manager works

Session Manager is part of AWS Systems Manager, a fully managed service that provides secure, browser-based, and CLI-based access to EC2 instances without needing SSH or RDP. Here’s how it works:

An SSM Agent runs on the instance and communicates outbound to AWS Systems Manager.
When you start a session, AWS verifies your identity and permissions using IAM.
Once authorized, a secure channel is created between your local machine and the instance, without opening any inbound ports.

This approach significantly reduces the attack surface. There is no need to open port 22 (SSH) or 3389 (RDP) for bastion hosts. Moreover, since authentication and authorization are managed by IAM policies, you no longer have to distribute or rotate SSH keys.

Setting up AWS Session Manager

Getting started with Session Manager is straightforward. Here’s a step-by-step guide:

1. Ensure the SSM agent is installed

Most modern Amazon Machine Images (AMIs) come with the SSM Agent pre-installed. If yours doesn’t, install it manually using the following command (for Amazon Linux, Ubuntu, or RHEL):

sudo yum install -y amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

2. Create an IAM Role for EC2

Your EC2 instance needs an IAM role to communicate with AWS Systems Manager. Attach a policy that grants at least the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws:ec2:REGION:ACCOUNT_ID:instance/INSTANCE_ID"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:TerminateSession",
        "ssm:ResumeSession"
      ],
      "Resource": [
        "arn:aws:ssm:REGION:ACCOUNT_ID:session/${aws:username}-*"
      ]
    }
  ]
}

Replace REGION, ACCOUNT_ID, and INSTANCE_ID with your actual values. For best security practices, apply the principle of least privilege by restricting access to specific instances or tags.

3. Connect to your instance

Once the IAM role is attached, you’re ready to connect.

From the AWS Console: Navigate to EC2 > Instances, select your instance, click Connect, and choose Session Manager.

From the AWS CLI: Run:

aws ssm start-session --target i-xxxxxxxxxxxxxxxxx

That’s it, no SSH keys, no VPNs, no open ports.

Built-in security and auditing

Session Manager doesn’t just improve security, it also enhances compliance and auditing. Every session can be logged to Amazon S3 or CloudWatch Logs, capturing a full record of all executed commands. This ensures complete visibility into who accessed which instance and what actions were taken.

To enable logging, navigate to AWS Systems Manager > Session Manager, configure Session Preferences, and enable logging to an S3 bucket or CloudWatch Log Group.

Why Session Manager is better than traditional methods

Let’s compare Session Manager with traditional access methods:

Feature	Bastion Host & SSH	AWS Session Manager
Open inbound ports	Yes (22, 3389)	No
Requires SSH keys	Yes	No
Key rotation required	Yes	No
Logs session activity	Manual setup	Built-in
Works for on-premises	No	Yes

Session Manager removes unnecessary complexity. No more juggling bastion hosts, no more worrying about expired SSH keys, and no more open ports that expose your infrastructure to unnecessary risks.

Real-World applications and operational Benefits

Session Manager is not just a theoretical improvement, it delivers real-world value in multiple scenarios:

Developers can quickly access production or staging instances without security concerns.
System administrators can perform routine maintenance without managing SSH key distribution.
Security teams gain complete visibility into instance access and command history.
Hybrid cloud environments benefit from unified access across AWS and on-premises infrastructure.

With these advantages, Session Manager aligns perfectly with modern cloud-native security principles, helping teams focus on operations rather than infrastructure headaches.

In summary

AWS Session Manager isn’t just another tool, it’s a fundamental shift in how we access EC2 instances securely. If you’re still relying on bastion hosts and SSH keys, it’s time to rethink your approach.Try it out, configure logging, and experience a simpler, more secure way to manage your instances. You might never go back to the old ways.

February 14, 2025 by Fernando SRE Cloud stuff SRE stuff 0

Building a strong cloud foundation with Landing Zones

The cloud is a dream come true for businesses. Agility, scalability, global reach, it’s all there. But, jumping into the cloud without a solid foundation is like setting up a city without roads, plumbing, or electricity. Sure, you can start building skyscrapers, but soon enough, you’ll be dealing with chaos, no clear way to manage access, tangled networking, security loopholes, and spiraling costs.

That’s where Landing Zones come in. They provide the blueprint, the infrastructure, and the guardrails so you can grow your cloud environment in a structured, scalable, and secure way. Let’s break it down.

What is a Landing Zone?

Think of a Landing Zone as the cloud’s equivalent of a well-planned neighborhood. Instead of letting houses pop up wherever they fit, you lay down roads, set up electricity, define zoning rules, and ensure there’s proper security. This way, when new residents move in, they have everything they need from day one.

In technical terms, a Landing Zone is a pre-configured cloud environment that enforces best practices, security policies, and automation from the start. You’re not reinventing the wheel every time you deploy a new application; instead, you’re working within a structured, repeatable framework.

Key components of any Landing Zone:

Identity and Access Management (IAM): Who has the keys to which doors?
Networking: The plumbing and wiring of your cloud city.
Security: Built-in alarms, surveillance, and firewalls.
Compliance: Ensuring regulations like GDPR or HIPAA are followed.
Automation: Infrastructure as Code (IaC) sets up resources predictably.
Governance: Rules that ensure consistency and control.

Why do you need a Landing Zone?

Why not just create cloud resources manually as you go? That’s like building a house without a blueprint, you’ll get something up, but sooner or later, it will collapse under its complexity.

Landing Zones save you from future headaches:

Faster Cloud Adoption: Everything is pre-configured, so teams can deploy applications quickly.
Stronger Security: Policies and guardrails are in place from day one, reducing risks.
Cost Efficiency: Prevents the dreaded “cloud sprawl” where resources are created haphazardly, leading to uncontrolled expenses.
Focus on Innovation: Teams spend less time on setup and more time on building.
Scalability: A well-structured cloud environment grows effortlessly with your needs.

It’s the difference between a well-organized toolbox and a chaotic mess of scattered tools. Which one lets you work faster and with fewer mistakes?

Different types of Landing Zones

Not all businesses need the same kind of cloud setup. The structure of your Landing Zone depends on your workloads and goals.

Cloud-Native: Designed for applications built specifically for the cloud.
Lift-and-Shift: Migrating legacy applications without significant changes.
Containerized: Optimized for Kubernetes and Docker-based workloads.
Data Science & AI/ML: Tailored for heavy computational and analytical tasks.
Hybrid Cloud: Bridging on-premises infrastructure with cloud resources.
Multicloud: Managing workloads across multiple cloud providers.

Each approach serves a different need, just like different types of buildings, offices, factories, and homes, serve different purposes in a city.

Landing Zones in AWS

AWS provides tools to make Landing Zones easier to implement, whether you’re a beginner or an advanced cloud architect.

Key AWS services for Landing Zones:

AWS Organizations: Manages multiple AWS accounts under a unified structure.
AWS Control Tower: Automates Landing Zone set up with best practices.
IAM, VPC, CloudTrail, Config, Security Hub, Service Catalog, CloudFormation: The building blocks that shape your environment.

Two ways to set up a Landing Zone in AWS:

AWS Control Tower (Recommended) – Provides an automated, guided setup with guardrails and best practices.
Custom-built Landing Zone – Built manually using CloudFormation or Terraform, offering more flexibility but requiring expertise.

Basic setup with Control Tower:

Plan your cloud structure.
Set up AWS Organizations to manage accounts.
Deploy Control Tower to automate governance and security.
Customize it to match your specific needs.

A well-structured AWS Landing Zone ensures that accounts are properly managed, security policies are enforced, and networking is set up for future growth.

Scaling and managing your Landing Zone

Setting up a Landing Zone is not a one-time task. It’s a continuous process that evolves as your cloud environment grows.

Best practices for ongoing management:

Automate Everything: Use Infrastructure as Code (IaC) to maintain consistency.
Monitor Continuously: Use AWS CloudWatch and AWS Config to track changes.
Manage Costs Proactively: Keep cloud expenses under control with AWS Budgets and Cost Explorer.
Stay Up to Date: Cloud best practices evolve, and so should your Landing Zone.

Think of your Landing Zone like a self-driving car. You might have set it up with the best configuration, but if you never update the software or adjust its sensors, you’ll eventually run into problems.

Summarizing

A strong Landing Zone isn’t just a technical necessity, it’s a strategic advantage. It ensures that your cloud journey is smooth, secure, and cost-effective.

Many businesses rush into the cloud without a plan, only to find themselves overwhelmed by complexity and security risks. Don’t be one of them. A well-architected Landing Zone is the difference between a cloud environment that thrives and one that turns into a tangled mess of unmanaged resources.

Set up your Landing Zone right, and you won’t just land in the cloud, you’ll be ready to take off.

February 10, 2025 by Fernando SRE Cloud stuff DevOps stuff 0

Avoiding security gaps by limiting IAM Role permissions

Think about how often we take security for granted. You move into a new apartment and forget to lock the door because nothing bad has ever happened. Then, one day, someone strolls in, helps themselves to your fridge, sits on your couch, and even uses your WiFi. Feels unsettling, right? That’s exactly what happens in AWS when an IAM role is granted far more permissions than it needs, leaving the door wide open for potential security risks.

This is where the principle of least privilege comes in. It’s a fancy way of saying: “Give just enough permissions for the job to get done, and nothing more.” But how do we figure out exactly what permissions an application needs? Enter AWS CloudTrail and Access Analyzer, two incredibly useful tools that help us tighten security without breaking functionality.

The problem of overly generous permissions

Let’s say you have an application running in AWS, and you assign it a role with AdministratorAccess. It can now do anything in your AWS account, from spinning up EC2 instances to deleting databases. Most of the time, it doesn’t even need 90% of these permissions. But if an attacker gets access to that role, you’re in serious trouble.

What we need is a way to see what permissions the application is actually using and then build a custom policy that includes only those permissions. That’s where CloudTrail and Access Analyzer come to the rescue.

Watching everything with CloudTrail

AWS CloudTrail is like a security camera that records every API call made in your AWS environment. It logs who did what, which service they accessed, and when they did it. If you enable CloudTrail for your AWS account, it will capture all activity, giving you a clear picture of which permissions your application uses.

So, the first step is simple: Turn on CloudTrail and let it run for a while. This will collect valuable data on what the application is doing.

Generating a Custom Policy with Access Analyzer

Now that we have a log of the application’s activity, we can use AWS IAM Access Analyzer to create a tailor-made policy instead of guessing. Access Analyzer looks at the CloudTrail logs and automatically generates a policy containing only the permissions that were used.

It’s like watching a security camera playback of who entered your house and then giving house keys only to the people who actually needed access.

Why this works so well

This approach solves multiple problems at once:

Precise permissions: You stop giving unnecessary access because now you know exactly what is needed.
Automated policy generation: Instead of manually writing a policy full of guesswork, Access Analyzer does the heavy lifting.
Better security: If an attacker compromises the role, they get access only to a limited set of actions, reducing damage.
Following best practices: Least privilege is a fundamental rule in cloud security, and this method makes it easy to follow.

Recap

Instead of blindly granting permissions and hoping for the best, enable CloudTrail, track what your application is doing, and let Access Analyzer craft a custom policy. This way, you ensure that your IAM roles only have the permissions they need, keeping your AWS environment secure without unnecessary exposure.

Security isn’t about making things difficult. It’s about making sure that only the right people, and applications, have access to the right things. Just like locking your door at night.

January 31, 2025 by Fernando SRE Cloud stuff SRE stuff 0

AWS Identity Management – Choosing the right Policy or Role

Let’s be honest, AWS Identity and Access Management (IAM) can feel like a jungle. You’ve got your policies, your roles, your managed this, and your inline that. It’s easy to get lost, and a wrong turn can lead to a security vulnerability or a frustrating roadblock. But fear not! Just like a curious explorer, we’re going to cut through the thicket and understand this thing. Why? Mastering IAM is crucial to keeping your AWS environment secure and efficient. So, which policy type is the right one for the job? Ever scratched your head over when to use a service-linked role? Stick with me, and we’ll figure it out with a healthy dose of curiosity and a dash of common sense.

Understanding Policies and Roles

First things first. Let’s get our definitions straight. Think of policies as rulebooks. They are written in a language called JSON, and they define what actions are allowed or denied on which AWS resources. Simple enough, right?

Now, roles are a bit different. They’re like temporary access badges. An entity, be it a user, an application, or even an AWS service itself, can “wear” a role to gain specific permissions for a limited time. A user or a service is not granted permissions directly, it’s the role that has the permissions.

AWS Policy types

Now, let’s explore the different flavors of policies.

AWS Managed Policies

These are like the standard-issue rulebooks created and maintained by AWS itself. You can’t change them, just like you can’t rewrite the rules of physics! But AWS keeps them updated, which is quite handy.

Use Cases: Perfect for common scenarios. Need to give someone basic access to S3? There’s probably an AWS-managed policy for that.
Pros: Easy to use, always up-to-date, less work for you.
Cons: Inflexible, you’re stuck with what AWS provides.

Customer Managed Policies

These are your rulebooks. You write them, you modify them, you control them.

Use Cases: When you need fine-grained control, like granting access to a very specific resource or creating custom permissions for your application, this is your go-to choice.
Pros: Total control, flexible, adaptable to your unique needs.
Cons: More responsibility, you need to know what you’re doing. You’ll be in charge of updating and maintaining them.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-specific-bucket/*"
        }
    ]
}

This simple policy allows getting objects only from my-specific-bucket. You have to adapt it to your necessities.

Inline Policies

These are like sticky notes attached directly to a user, group, or role. They’re tightly bound and can’t be reused.

Use Cases: For precise, one-time permissions. Imagine a developer who needs temporary access to a particular resource for a single task.
Pros: Highly specific, good for exceptions.
Cons: A nightmare to manage at scale, not reusable.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dynamodb:DeleteItem",
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"
        }
    ]
}

This policy is directly embedded within users and permits them to delete items from the MyTable DynamoDB table. It does not apply to other users or resources.

Service-Linked Roles. The smooth operators

These are special roles pre-configured by AWS services to interact with other AWS services securely. You don’t create them, the service does.

Use Cases: Think of Auto Scaling needing to launch EC2 instances or Elastic Load Balancing managing resources on your behalf. It’s like giving your trusted assistant a special key to access specific rooms in your house.
Pros: Simplifies setup, and ensures security best practices are followed. AWS takes care of these roles behind the scenes, so you don’t need to worry about them.
Cons: You can’t modify them directly. So, it’s essential to understand what they do.

aws autoscaling create-auto-scaling-group \ --auto-scaling-group-name my-asg \ --launch-template "LaunchTemplateId=lt-0123456789abcdef0,Version=1" \ --min-size 1 \ --max-size 3 \ --vpc-zone-identifier "subnet-0123456789abcdef0" \ --service-linked-role-arn arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling

This code creates an Auto Scaling group, and the service-linked-role-arn parameter specifies the ARN of the service-linked role for Auto Scaling. It’s usually created automatically by the service when needed.

Best practices

Least Privilege: Always, always, always grant only the necessary permissions. It’s like giving out keys only to the rooms people need to access, not the entire house!
Regular Review: Things change. Regularly review your policies and roles to make sure they’re still appropriate.
Use the Right Tools: AWS provides tools like IAM Access Analyzer to help you manage this stuff. Use them!
Document Everything: Keep track of your policies and roles, their purpose, and why they were created. It will save you headaches later.

In sum

The right policy or role depends on the specific situation. Choose wisely, keep things tidy, and you will have a secure and well-organized AWS environment.

January 29, 2025 by Fernando SRE Cloud stuff SRE stuff 0

AWS Fault Injection service, the unknown service

Let’s discuss something near and dear to every AWS Architect and DevOps Engineer’s heart: resilience. Or, as I like to call it, “making sure your digital baby doesn’t throw a tantrum when things go sideways.”

We’ve all been there. Like a magnificent sandcastle, you build this beautiful, intricate system in the cloud. It’s got auto-scaling, high availability, and the works. You’re feeling pretty proud of yourself. Then, BAM! Some unforeseen event, a tiny ripple in the force of the internet, and your sandcastle starts to crumble. Panic ensues.

But what if, instead of waiting for disaster to strike, you could be a bit… mischievous? What if you could poke and prod your system before it has a meltdown in front of your users? Enter AWS Fault Injection Simulator (FIS), a service that’s about as well-known as a quiet librarian at a rock concert, but far more useful.

What’s this FIS thing, anyway?

Think of FIS as your friendly neighborhood chaos monkey but with a PhD in engineering and a strict code of conduct. It’s a fully managed service that lets you run controlled chaos experiments on your AWS workloads. Yes, you read that right. You can intentionally break things but in a safe and measured way. It is like playing Jenga but only for advanced players.

Why would you do that, you ask? Well, my friends, it’s all about finding those hidden weaknesses before they become major headaches. It’s like giving your application a stress test, similar to how doctors check your heart’s health. You want to see how it handles the pressure before it’s out there running a marathon in the real world. The idea is simple: you don’t know how strong the dam will be until you put the river on it.

Why is this CHAOS stuff so important?

In the old days (you know, like five years ago), we tested for predictable failures. Server goes down? No problem, we have a backup! But the cloud is a complex beast, and failures can be, well, weird. Latency spikes, partial network outages, API throttling… it’s a jungle out there.

FIS helps you simulate these real-world, often unpredictable scenarios. By deliberately injecting faults, you expose how your system behaves under stress. This way you will discover if your great ideas in whiteboards are translated into a great and resilient system in the cloud.

This isn’t just about avoiding downtime, though that’s a big plus. It’s about:

Improving Reliability: Find and fix weak points, leading to a more robust and dependable system.
Boosting Performance: Identify bottlenecks and optimize your application’s response under duress.
Validating Your Assumptions: Does your fancy auto-scaling work as intended? FIS will tell you.
Building Confidence: Knowing your system can handle the unexpected gives you peace of mind. And maybe, just maybe, you can sleep through the night without getting paged. A DevOps Engineer can dream, right?

Let’s get our hands dirty (Virtually, of course)

So, how does this magical chaos tool work? FIS operates through experiment templates. These are like recipes for disaster (the good kind, of course). In these templates, you define:

Actions: What kind of mischief do you want to unleash? FIS offers a menu of pre-built actions, like:
- aws:ec2:stop-instances: Stop EC2 instances. You pick which ones.
- aws:ec2:terminate-instances: Terminate EC2 instances. Poof, they are gone.
- aws:ssm:send-command: Run a script on an instance that causes, for example, CPU stress, or memory stress.
- aws:fis:inject-api-latency: Add latency to internal or external APIs.
Targets: Where do you want to inject these faults? You can target specific EC2 instances, ECS clusters, EKS clusters, RDS databases… You get the idea. You can select the resources by tags, by name, by percentage… You have plenty of options here.
Stop Conditions: This is your “emergency brake.” You define CloudWatch alarms that, if triggered, will automatically halt the experiment. Safety first, people! Imagine that the experiment is affecting more components than expected, the stop condition will be your friend here.
IAM Role: This role is very important. It will give the FIS service permission to inject the fault into your resources. Remember to assign only the necessary permissions, nothing more.

Once you’ve crafted your experiment template, you can run it and watch the magic (or mayhem) unfold. FIS provides detailed logs and integrates with CloudWatch, so you can monitor the impact in real time.

FIS in the Wild

Let’s say you have a microservices architecture running on ECS. You want to test how your system handles the failure of a critical service. With FIS, you could create an experiment that:

Action: Terminates a percentage of the tasks in your critical service.
Target: Your ECS service, specifically the tasks tagged as “critical-service.”
Stop Condition: A CloudWatch alarm that triggers if your application’s latency exceeds a certain threshold or the error rate increases.

By running this experiment, you can observe how your other services react, whether your load balancing works as expected, and if your system can gracefully recover.

Or, imagine you want to test the resilience of your RDS database. You could simulate a failover by:

Action: aws:rds:reboot-db-instance with the failover option set to true.
Target: Your primary RDS instance.
Stop Condition: A CloudWatch alarm that monitors the database’s availability.

This allows you to validate your read replica setup and ensure a smooth transition in case of a real-world primary instance failure.

I remember one time I was helping a startup that had a critical application running on EC2. They were convinced their auto-scaling was flawless. We used FIS to simulate a sudden surge in traffic by terminating a bunch of instances. Guess what? Their auto-scaling took longer to kick in than they expected, leading to a brief period of performance degradation. Thanks to the experiment, they were able to fix the issue, avoiding real user impact in the future.

My Two Cents (and Maybe a Few More)

I’ve been around the AWS block a few times, and I can tell you that FIS is a game-changer. It’s not just about breaking things; it’s about understanding things. It’s about building systems that are not just robust on paper but resilient in the face of the unpredictable chaos of the real world.

January 18, 2025 by Fernando SRE Cloud stuff DevOps stuff SRE stuff 0

S3 Access Points explained

Don’t you feel like your data in the cloud is a bit too… exposed? Like you’ve got a treasure chest full of valuable information (your S3 bucket), but it’s just sitting there, practically begging for unwanted attention? You wouldn’t leave your valuables out in the open in the real world, would you? Well, the same logic applies to your data in the cloud.

This is where AWS S3 Access Points come in. They act like bouncers for your data, ensuring only the right people get in. And for those of you with data scattered across the globe, we’ve got something even fancier: Multi-Region Access Points (MRAPs). They’re like the global positioning system for your data, ensuring fast access no matter where you are.

So buckle up, and let’s explore the fascinating world of S3 Access Points and MRAPs. Let’s try to make it fun.

The problem is that your S3 Bucket is wide open (By Default)

Think of an S3 bucket as a giant storage locker in the cloud. When you first create one, it’s like leaving the locker door wide open. Anyone who knows the lockers there can just waltz in and take a peek, or worse, start messing with your stuff.

This might be fine if you’re just storing cat memes, but what if you have sensitive customer data, financial records, or top-secret project files? You need a way to control who gets in and what they can do.

The solution is the Access Points, your data’s bouncers

Imagine Access Points as the bouncers standing guard at the entrance of your storage locker. They check IDs, make sure everyone’s on the guest list, and only let in the people you’ve authorized.

In more technical terms, an Access Point is a unique hostname that you create to enforce distinct permissions and network controls for any request made through it. You can configure each Access Point with its own IAM policy, tailored to specific use cases.

Why you need Access Points. It’s all about control

Here’s the deal:

Granular Access Control: You can create different Access Points for different applications or teams, each with its own set of permissions. Maybe your marketing team only needs read access to product images, while your developers need full read and write access to application logs. Access Points make this a breeze.
Simplified Policy Management: Instead of one giant, complicated bucket policy, you can have smaller, more manageable policies for each Access Point. It’s like having a separate rule book for each group that needs access.
Enhanced Security: By restricting access through specific Access Points, you reduce the risk of accidental data exposure or unauthorized modification. It’s like having multiple layers of security for your precious data.
Compliance Made Easier: Many industries have strict regulations about data access and security (think GDPR, HIPAA). Access Points help you meet these requirements by providing a clear and auditable way to control who can access what.

Let’s get practical with an Access Point policy example

Okay, let’s see how this works in practice. Here’s an example of an Access Point policy that only allows access to a bucket named “pending-documentation” and only permits read and write actions (no deleting!):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/Alice"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point/object/pending-documentation/*"
    }
  ]
}

Explanation:

Version: Specifies the policy language version.
Statement: An array of permission statements.
Effect: “Allow” means this statement grants permission.
Principal: This specifies who is granted access. In this case, it’s the IAM user “Alice” (you’d replace this with the actual ARN of your user or role).
Action: The S3 actions allowed. Here, it’s s3:GetObject (read) and s3:PutObject (write).
Resource: This is the crucial part. It specifies the resource the policy applies to. Here, it’s the “pending-documentation” bucket accessed through the “my-access-point” Access Point. The /* at the end means all objects within that bucket path.

Delegating access control to the Access Point (Bucket Policy)

You also need to configure your S3 bucket policy to delegate access control to the Access Point. Here’s an example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:DataAccessPointArn": "arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point"
        }
      }
    }
  ]
}

This policy allows any principal (“AWS”: “*”) to perform any S3 action (“s3:*”), but only if the request goes through the specified Access Point ARN.

Taking it global, Multi-Region Access Points (MRAPs)

Now, let’s say your data is spread across multiple AWS regions. Maybe you have users all over the world, and you want them to have fast access to your data, no matter where they are. This is where Multi-Region Access Points (MRAPs) come to the rescue!

Think of an MRAP as a smart global router for your data. It’s a single endpoint that automatically routes requests to the closest copy of your data in one of your S3 buckets across multiple regions.

Why Use MRAPs? Think speed and resilience

Reduced Latency: MRAPs ensure that users are always accessing the data from the nearest region, minimizing latency and improving application performance. It is like having a fast-food in each country, so clients can have their orders faster.
High Availability: If one region becomes unavailable, MRAPs automatically route traffic to another region, ensuring your application stays up and running. It’s like having a backup generator for your data.
Simplified Management: Instead of managing multiple endpoints for different regions, you have one MRAP to rule them all.

MRAPs vs. Regular Access Points, what’s the difference?

While both are about controlling access, MRAPs take it to the next level:

Scope: Regular Access Points are regional; MRAPs are multi-regional.
Focus: Regular Access Points primarily focus on security and access control; MRAPs add performance and availability to the mix.
Complexity: MRAPs are a bit more complex to set up because you’re dealing with multiple regions.

When to unleash the power of Access Points and MRAPs

Data Lakes: Use Access Points to create secure “zones” within your data lake, granting different teams access to only the data they need.
Content Delivery: MRAPs can accelerate content delivery to users around the world by serving data from the nearest region.
Hybrid Cloud: Access Points can help integrate your on-premises applications with your S3 data in a secure and controlled manner.
Compliance: Meeting regulations like GDPR or HIPAA becomes easier with the fine-grained access control provided by Access Points.
Global Applications: If you have a globally distributed application, MRAPs are essential for delivering a seamless user experience.

Lock down your data and speed up access

AWS S3 Access Points and Multi-Region Access Points are powerful tools for managing access to your data in the cloud. They provide the security, control, and performance that modern applications demand.

January 7, 2025 by Fernando SRE Cloud stuff SRE stuff 0