DEV Community: Arshad Zackeriya 🇳🇿 ☁️

good one!

Arshad Zackeriya 🇳🇿 ☁️ — Wed, 17 Dec 2025 10:38:47 +0000

How I Built My First App with Kiro

Derek Bingham ☘️ for AWS ・ Dec 12

#aws #genai #kiro

[Boost]

Arshad Zackeriya 🇳🇿 ☁️ — Wed, 17 Dec 2025 10:37:50 +0000

How I Built My First App with Kiro

Derek Bingham ☘️ for AWS ・ Dec 12

#aws #genai #kiro

[Boost]

Arshad Zackeriya 🇳🇿 ☁️ — Sun, 29 Dec 2024 22:15:25 +0000

Effortless API Scaling: Unlock the Power of AWS AppSync

Lilupa Karu ・ Dec 26 '24

#aws #appsync #graphql #serverless

Simplify IP Utilization Monitoring in Subnets with Serverless Automation

Arshad Zackeriya 🇳🇿 ☁️ — Mon, 28 Oct 2024 03:23:33 +0000

I want to begin with saying that Amazon Q developer and AWS Infrastructure Composer helped me to design this solution in a matter of minutes.

Amazon Q: https://aws.amazon.com/q/
AWS Infrastructure Composer: https://aws.amazon.com/infrastructure-composer/

Problem:

Let's discuss the problem I'm attempting to tackle. IP exhaustion, which occurs when given subnets run out of IPs, is a problem that may arise if you are using Amazon EKS and your workload is growing.

Unless you have IPAM, AWS Cloudwatch metrics do not support them at the time I am writing this blog. Monitoring your available IP addresses in subnets without the use of IPAM is what I'm attempting to accomplish here.

Solution:

AWS Services involved in this solution:

AWS Lambda
Event Bridge Scheduler
Amazon CloudWatch Metrics
Amazon CloudWatch Alarm
Amazon SNS

Lambda Function

I was able to create this in a matter of minutes with the help of Amazon Q Developer, however, I obviously needed to make a few little adjustments. This is very beneficial if you understand the basics and what you are doing. Instead of configuring AWS services blindly, I recommend everyone to better understand AWS services.

Full Python Script here:

import boto3
import os
from botocore.exceptions import ClientError

def lambda_handler(event, context):
    vpc_id = os.environ['VPC_ID']
    subnet_ids = os.environ['SUBNET_IDS'].split(',')
    namespace = os.environ['NAMESPACE']

    ec2 = boto3.client('ec2')
    cloudwatch = boto3.client('cloudwatch')

    try:
        response = ec2.describe_subnets(
            Filters=[
                {'Name': 'vpc-id', 'Values': [vpc_id]},
                {'Name': 'subnet-id', 'Values': subnet_ids}
            ]
        )

        for subnet in response['Subnets']:
            subnet_id = subnet['SubnetId']
            available_ip_count = subnet['AvailableIpAddressCount']
            cidr_block = subnet['CidrBlock']
            total_ip_count = 2 ** (32 - int(cidr_block.split('/')[1])) - 5  # Subtract 5 for reserved IPs

            subnet_name = subnet_id  # Default to subnet ID if no name tag
            for tag in subnet.get('Tags', []):
                if tag['Key'] == 'Name':
                    subnet_name = tag['Value']
                    break

            utilization_percentage = ((total_ip_count - available_ip_count) / total_ip_count) * 100

            # Send metrics to CloudWatch
            cloudwatch.put_metric_data(
                Namespace=namespace,
                MetricData=[
                    {
                        'MetricName': 'AvailableIPAddresses',
                        'Dimensions': [
                            {'Name': 'SubnetName', 'Value': subnet_name},
                            {'Name': 'SubnetId', 'Value': subnet_id}
                        ],
                        'Value': available_ip_count,
                        'Unit': 'Count'
                    },
                    {
                        'MetricName': 'IPUtilizationPercentage',
                        'Dimensions': [
                            {'Name': 'SubnetName', 'Value': subnet_name},
                            {'Name': 'SubnetId', 'Value': subnet_id}
                        ],
                        'Value': utilization_percentage,
                        'Unit': 'Percent'
                    }
                ]
            )

            print(f"Metrics sent for Subnet: {subnet_name} (ID: {subnet_id})")

    except ClientError as e:
        print(f"An error occurred: {e}")
        return {
            'statusCode': 500,
            'body': str(e)
        }

    return {
        'statusCode': 200,
        'body': 'Subnet monitoring completed'
    }

Get IP address utilization:

Send metrics to CloudWatch:

Use AWS Infrastructure Composer to design the infrastructure.

This further enables you design your infrastructure visually, generate Infrastructure as Code and deploy it using AWS SAM (AWS Serverless Application Model) https://aws.amazon.com/serverless/sam/.

How to Deploy

Prerequisites

AWS CLI installed and configured with appropriate permissions
AWS Toolkit for Visual Studio Code installed and configured
AWS SAM CLI installed

Deployment Steps

Repository for entire code and instructions on how to deploy: https://github.com/awsfanboy/aws-subnet-ip-address-utilization-monitor

Modify the template.yaml file to adjust default parameter values or add/remove resources as needed. eg: VPC ID, Subnet Name, Subnet ID, CloudWatch Metric Namespace.
(Optional) Update the lambda_function.py file in the src directory.
Build the SAM application: sam build
Deploy the SAM application: sam deploy --guided
This will start an interactive deployment process. You'll be prompted to provide values for the parameters defined in the template. You can accept the default values or provide your own.
During the deployment, you'll be asked to confirm the creation of IAM roles and the changes to be applied. Review and confirm these.
SAM will output the ARNs of the created Lambda function and SNS topic once the deployment is complete.

Parameters

    VpcId: The ID of the VPC to monitor
    SubnetIds: Comma-separated list of subnet IDs to monitor
    SubnetName1: Name of the first subnet
    SubnetName2: Name of the second subnet
    CWMetericNamespace: The CloudWatch metric namespace
    AlertEmail: Email address to receive alerts

Resources Created

Lambda function for monitoring subnets
EventBridge rule to trigger the Lambda function every minute
SNS topic for sending alerts
CloudWatch alarms for each monitored subnet

Customization

To monitor more than two subnets, duplicate the SubnetUtilizationAlarm resource in the template and adjust the SubnetIds parameter.
Modify the Lambda function code in src/lambda_function.py to implement your specific monitoring logic.
Adjust the alarm thresholds and evaluation periods in the SubnetUtilizationAlarm resources as needed.

Cleanup

To remove all resources created by this stack: sam delete
Follow the prompts to confirm the deletion of resources.

Demo

I have an Amazon EKS cluster running a deployment with 6 replicas. Worker nodes are running on 2 Subnets. IP address utilization is looking good.

The alarm state is OK.

Okay! let's increase the number of replicas from 6 to 600.

Let's check metrics from the CloudWatch and ooops! now we can see that IP utilization is high.

Now, let's check the Alarms in the CloudWatch. Now the state changed from OK to ALARM state.

Let's check my emails

I can see there are 2 emails in my inbox.

Cost

I calculated the cost using calculator.aws, and it appears to be not bad though.

What Next?

These notifications can be sent to Slack, PagerDuty, and other platforms.

Conclusion

I hope my automation will help someone who doesn't want to use IPAM to monitor IP address utilization in subnets, and I truly wish we could access these metrics straight from CloudWatch.

If you have any suggestions for improvement or if you would like to use anything you currently have in a different way, please feel free to share.

We gave a lightning talk at the AWS Summit in Sydney 2024.

Arshad Zackeriya 🇳🇿 ☁️ — Sat, 27 Apr 2024 07:38:54 +0000

Have you heard about AWS Summits? I attended the AWS Summit in Sydney for the second time with my wife, following my attendance at AWS Summit Singapore in 2019.

This year, @geethikaguruge and I presented a session about "Streamlined Deployment to Amazon EKS with Amazon CodeCatalyst" at AWS Summit Sydney. We are honored to represent AWS Community Aotearoa (New Zealand). Thank you AWS UG Aotearoa. I would like to thank Belinda for giving us this opportunity and also thank Derek for all the support he provided. My wife, Shafwana, provided me with all the support I needed to prepare my talk.

How did Geethika and I prepare for the event?

We both planned our sessions with slides and demos well. We scheduled them a few days every week after dinner to practice and perfect the presentations. Since it was a lightning talk, we had to keep our speeches concise, with no more than 15 minutes. I want to mention the AWS New Voices program. Before the event, I was chosen to be a coach for the program, which provided me with the chance to enhance my public speaking skills while coaching other members of the community. Additionally, I was able to learn from Meridith Grundei, and I would like to express my gratitude to Mark Pergola for giving me this opportunity.

Day of the AWS Summit Sydney 2024

Geethika and myself presenting at AWS Summit Sydney

Adding more colours to AWS Summit Sydney with @xelfer and Kristine Howard

If you are interested in printing the AWS icons pattern, you can check it out on my blog by following the link provided: https://dev.to/aws-builders/level-up-your-aws-community-day-creating-custom-gaming-mats-with-aws-architecture-icons-547n

Playing AWS BuildersCard Game

Had an amazing time playing BuildersCard Game while learning about AWS Well-Architected Framework with Shehan Marino Perera at AWS Summit Sydney. Thank you Aileen Lu David Heidt.

@zachjonesnoel and I gave away some of our swags

With @xelfer and @ssennettau

After attending the summit, I attended the ANZ Community Leaders Meetup

First of all, @shafjag, I would like to thank you for organizing such a great event.

Amazing sessions by Kris Howard, Mike Chambers Scott Friend and Maria Encinar

It's all about community

I am proud to be part of the AWS Community Aotearoa (New Zealand) and grateful for the opportunity.

How to Secure Your AWS Account Using a Hardware security key [YubiKey]

Arshad Zackeriya 🇳🇿 ☁️ — Sun, 25 Feb 2024 00:42:31 +0000

I have set up Single Sign-On (SSO) for my personal AWS account, which is great because it allows me to effortlessly switch between AWS accounts while doing podcasts, live demos, or learning. I recently purchased a YubiKey from https://www.yubico.com/ to secure my personal AWS Account. You might be wondering why it's necessary to secure your AWS Account. It's important to keep your account secure regardless of whether you're using it for learning or production purposes.

AWS provides several options for setting up a MFA device. In this article, I will demonstrate how to easily configure Yubikey for SSO user log in in AWS.

Authenticator App
- Google Authenticator, Authy, or other similar apps for two-factor authentication.

Please ensure that you have already enabled this feature.

Built-in authenticator
- For example, Apple Touch ID, Windows Hello, or similar technology.
Security Key
- Using a hardware security key, such as YubiKey, for authentication purposes. I am writing about this topic today.
- If you'd like to learn more about WebAuthn and FIDO2, I recommend checking out this article: https://aws.amazon.com/blogs/aws/multi-factor-authentication-with-webauthn-for-aws-sso/

This is what I bought from https://www.yubico.com/nz/product/yubikey-bio-series/yubikey-c-bio/

Let's get started

Click the MFA Devices and click Register device

Select Security key and click Next

Insert the YubiKey into the USB port and touch the fingerprint reader (If you are using the same version), I bought a USB C Bio version. Allow the site to access the Key.

Enter the PIN "When setting up your YubiKey for the first time, you must create a secure PIN"

Touch the key again to complete the setup

Yay!! The security key has been registered successfully.

I can see that a new security key has been added to the MFA devices.

Let's log in back to the AWS SSO

After you enter your username and password, it will display a prompt that looks like this.

Plug the key and touch the fingerprint sensor

Conclusion

WebAuthn is a highly secure authentication method. By using a hardware security key, you can make log in to and securing your AWS account much easier. In this article, I have demonstrated how to secure your AWS SSO log in using hardware security key (YubiKey). However, you can also use a hardware security key to secure your IAM access.

My experience with using AWS Application Composer in Visual Studio Code

Arshad Zackeriya 🇳🇿 ☁️ — Thu, 01 Feb 2024 21:02:01 +0000

We all love shopping. And what if we could buy everything we need in one place? The same concept applies to our development tools. At the 2022 AWS re:Invent, AWS announced an amazing tool called AWS Application Composer. With this tool, you can build your serverless application on a visual canvas. Later on, AWS expanded its support to cover not only serverless applications, but also over 1000+ CloudFormation resources.

During the 2023 AWS re:Invent, AWS announced the support of AWS Application Composer in AWS Toolkit for Visual Studio Code . I find this very exciting because it allows developers to use the AWS Application Composer, as well as Amazon Q, CodeWhisperer, CodeCatalyst all in one place in the Visual Studio Code editor. This will make infrastructure-as-code (IaC) development quicker and reduce the need for context switching.

This post is mainly about to show the experience of AWS Application Composer in Visual Studio Code.

Prerequisites

Visual Studio Code
- https://code.visualstudio.com/
AWS Toolkit for Visual Studio Code
- download from here https://marketplace.visualstudio.com/items?itemName=AmazonWebServices.aws-toolkit-vscode

This is the updated AWS Toolkit for Visual Studio Code

AWS Application Composer in Visual Studio CODE

It's really simple, just create a blank yaml file eg: template.yaml
Right click on the file and click Open with Application Composer
If you are using a big screen you can experience the best out of it

To make things easier to show, I made a little video.

I basically used AWS Application Composer in Visual Studio Code to create a lambda function and lambda layer, which generated my IaC. How awesome is that?

The following video demonstrates how to use the AWS Step Functions Workflow Studio using AWS Application Composer in Visual Studio Code.

AWS Application Composer Support 1000+ CloudFormation resources

I launched a CloudFormation Stack for an EKS Cluster with all the dependencies, like as a VPC, NAT Gateway, SUBNETS, and so on, because I was curious to try this out in Visual Studio Code. It was beautifully visualized using AWS Application Composer.

Conclusion

I want to stay away from context switching as a developer. Amazon Q, CodeWhisperer, CodeCatalyst, and Application Composer are now all available in one location. This will help with the development of code for me and other developers.

In my next article, I'll go into detail on how to use AWS SAM to deploy your infrastructure.

Me and @zachjonesnoel will be doing deep dive soon in our of the The Zacs' Show Talking AWS Shows

Level Up Your AWS Community Day: Creating Custom Gaming Mats with AWS Architecture Icons

Arshad Zackeriya 🇳🇿 ☁️ — Sun, 10 Sep 2023 21:44:27 +0000

The AWS Community Day Aotearoa- 2023 (New Zealand) was a success. This Gaming Mat SWAG drew a lot of attention from the attendees. First and foremost, I'd like to thank fellow AWS Community Builder @rmitula for his assistance in designing the Gaming Mat for AWS Community Day Aotearoa (New Zealand). The custom-made AWS Architecture Icons Mouse Pad that was given away during Poland AWS Community Day - Warsaw inspired me to do this.

Here is the Cool Gaming Mat:

So I decided to include the steps and a script for creating the Gaming Mat design.

Check this out if you're searching for some fantastic SWAGS for your AWS Community Day: https://github.com/awsfanboy/AWS-Community-Day-Gaming-Mat

Let me know if you need any help :) .

Fortify Your AWS Network Security with AWS Network Firewall: A Complete Guide (Terraform Code included)

Arshad Zackeriya 🇳🇿 ☁️ — Mon, 06 Mar 2023 10:28:05 +0000

I've wanted to write about this since last December, when I participated in a session at AWS Community Day Sri Lanka 2022, which was organised by AWS User Group Colombo. During the session, I delivered a speech and demonstrated how awesome and simple it is to set up an AWS Network firewall. later on, with Terraform, I was able to codify my demo to infrastructure as code. I hope you all enjoy this step-by-step guided workshop.

What you will get from this post (Hands on Lab)

Understand AWS Network Security
Learn about few of AWS Networking Services
Step-by-Step guide on how to deploy AWS Network Firewall using terraform

Prerequisites

AWS Account
Terraform (Version is available in the Github repo)
To use this lab, you need to have a basic understanding of the following services.
- VPC, Route Tables
- Transit Gateway
- VPC Endpoints

But before we dive into the AWS Network Firewall, it's essential that we comprehend a few things.

Basic AWS Network Security and Limitations

When you have multiple AWS accounts and VPCs, it is difficult to monitor, govern, and enforce security on the network resources.

A complicated hybrid network configuration in which multiple AWS networking services are linked with on-premises environments and AWS VPN traffic.
Manage multiple Security Groups and Limited rules supported by Security Groups. As of this writing, only 60 inbound rules for IPv4 and 60 inbound rules for IPv6 traffic are supported.

Little bit about AWS PrivateLink and VPC Endpoints, VPC Endpoint Services

Ref : https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html

AWS PrivateLink is a networking service offered by AWS that allows for secure and private communication between VPCs and AWS services without the need for traffic to pass through the internet or a NAT gateway. It uses VPC endpoints to establish a private connection between your VPC and AWS services via the AWS network, thereby avoiding the public internet.

You can create a private, highly available and scalable connection between your VPC and AWS services or your own application services running on EC2 instances, AWS Lambda functions, or other AWS resources using VPC endpoints and endpoint services.

Little bit about the Gateway Load Balancer

Ref : https://aws.amazon.com/blogs/networking-and-content-delivery/integrate-your-custom-logic-or-appliance-with-aws-gateway-load-balancer/

Gateway Load Balancers enable the deployment, scalability, and management of virtual appliances such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems. It combines a transparent network gateway (a single entry and exit point for all traffic) and traffic distribution while scaling your virtual appliances with demand.

For an example, if you want to deploy Trendmicro, Fortinet, Palo Alto Networks, or any other vendor's Appliances as your Firewall in your AWS Cloud Infrastructure, Gateway Load Balancer fulfils that requirement.

You may be wondering why this guy is talking everything but AWS Network Firewall

AWS Network Firewall is actually powered by AWS Gateway Load Balancer.

Yes! Yes, you read that correctly. So, what is the difference between Gateway Load Balancer and AWS Network Firewall? Simply put, if you want to use a third-party firewall solution as an appliance, you can pick Gateway Load Balancer, but you must manage the infrastructure of the firewall instance. However, if you require a Firewall solution that can be deployed fast, is a managed service and is highly available, then AWS Network Firewall is the solution.

Let's go to AWS Network Firewall now

AWS Network Firewall is a fully managed network security service offered by AWS that enables users to set up, manage, and scale firewall protection across their VPC and on-premises networks.

AWS Network Firewall Supports

OSI Layer 3 and 7 Traffic Filtering
Domain name filtering
More number of rules
Inspect traffic between VPCs (Through TGW) or inbound/outbound Internet traffic
AWS Direct Connect and AWS VPN traffic running through AWS Transit Gateway
Managed rules from the AWS Marketplace

As of the time of writing, AWS Network Firewall does not support (DPI) Deep Packet Inspection for encrypted traffic. Gateway Load Balancer is the best solution if you are looking for such a solution. As well as the following:

VPC peering traffic

Virtual private gateways

Inspection of AWS Global Accelerator traffic

Inspection of AmazonProvidedDNS traffic for Amazon EC2

I'm not going to deep into detail about AWS Network Firewall offerings because we have these excellent documents instead. https://aws.amazon.com/network-firewall/faqs/

Architecture of The Lab

Clone the project

git clone https://github.com/devopswithzack/lab-aws-networkfirewall.git

cd lab-aws-networkfirewall

Once cloned, open it in an IDE such as VSCODE. Before we proceed, we must make some changes.

Generate the keys for EC2 instances

Then copy the public key and paste in the `env.tfvars`

This is an optional step. Use only if your backend is an S3 bucket and you want to keep your state in DynamoDB.

Run a terraform init

terraform init

My backend is a S3 bucket and I use dynamo db to lock my state. If you use the same, you can use the backend.conf file with terraform init -backend-config=backend.conf.

Once all done , run `terraform plan` to verify the resources that you are going to create.

terraform plan -var-file=env.tfvars

Now we can apply using the terraform apply

terraform apply -var-file=env.tfvars

Type yes and enter to the prompt.

this will take some time to deploy.

I'm going to cover two scenarios in this lab.

Bastion host in the Egrees VPC public subnet accessing the App EC2 instance in the App VPC.
App EC2 in the APP VPC's private subnet accessing https://www.google.com.

Let's test the AWS Network Firewall.

The numbers listed below correspond to the yellow circled numbers in the architecture diagram.

Scenario 1

SSH into the JUMP HOST, which is on the Public subnet and has port 22 open to the public.

1- SSH from JUMP HOST to the APP EC2 in the APP VPC's Private Subnet
2 - Routing to 10.0.0.8/8 results in TGW
3 - It should go to Inspection VPC, according to the TGW attachment
4 - Direct traffic to the AWS Network Firewall VPC Endpoint vpce-az-a-id
5 - After passing through the firewall, the traffic is routed to the tgw route tables
6 - TGW routes traffic to 10.1.0.0/16 and sends it to App VPC

Scenario 2

The app server attempts to connect the https://www.google.com.

7 - Access to https://www.google.com
8 - Any traffic should go to the TGW, according to the Route Tables
9 - According to the TGW attachment, it should go to Inspection VPC
10 - Send traffic directly to the AWS Network Firewall VPC Endpoint vpce-az-a-id
11 - Traffic is routed to the tgw route tables after passing through the firewall
12 - Internet traffic is routed to the Egress VPC using the TGW Route Tables
13 - A NAT Gateway traffic route
14 - The Internet Gateway directs traffic to https://www.google.com

Test 1 - Check the SSH Traffic

SSH to The Jump Host using the public IP, Both APP EC2 and the JUMP host

Now copy the same SSH Private key we created to the Jump host as sshkey.pem and set the permission as chmod 400 sshkey.pem
Get the private IP of the APP EC2 from the console and try to SSH from the JUMP HOST

You may notice that it will take some time and that you will be given a timeout.

In one of the AWS Network Firewall Rule Groups, SSH Access has been blocked.

# Block SSH
resource "aws_networkfirewall_rule_group" "block_ssh" {
  capacity = 50
  name     = "block-ssh"
  type     = "STATEFUL"
  rule_group {
    rules_source {
      stateful_rule {
        action = "DROP"
        header {
          destination      = "ANY"
          destination_port = "ANY"
          direction        = "ANY"
          protocol         = "SSH"
          source           = "ANY"
          source_port      = "ANY"
        }
        rule_option {
          keyword  = "sid"
          settings = ["1"]
        }
      }
    }
  }

}

Let's now manually remove the rule from the console and try it again.

Navigate to the VPC in AWS Console, then select 'Firewalls' from the Network Firewall section

There are two rule groups under Stateful Rule Groups.

Disassociate the block-ssh from the rule group

Wait 1-2 Minutes

SSH to the APP EC2 from the JUMP HOST. Now you should be able to SSH

Do not exit the APP EC2, as we will try the next scenario

Test 2 - Access `https://www.google.com` from the APP EC2 server

As you are still in the APP EC2 server try to curl the https://www.google.com You will get a time out eventually

In one of the AWS Network Firewall Rule Groups, Accessing google.com is been blocked.

The IP CIDR range from APP VPC is not permitted to access '*.google.com', according to the terraform resource code block below.

# Block google.com
resource "aws_networkfirewall_rule_group" "block_google" {
  capacity = 100
  name     = "block-google"
  type     = "STATEFUL"
  rule_group {
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = [module.app_vpc.vpc_cidr_block]
        }
      }
    }
    rules_source {
      rules_source_list {
        generated_rules_type = "DENYLIST"
        target_types         = ["HTTP_HOST", "TLS_SNI"]
        targets              = [".google.com"]
      }
    }
  }
}

Let's now manually remove the rule from the console and try it again. Follow the same steps in Test scenario one to access the rule groups

Wait 1-2 Minutes

Now curl the `https://www.google.com` url from the APP EC2 Server

Now you should be able to access https://www.google.com.

CloudWatch Logs

In the AWS Console, go to CloudWatch and select the logs groups

You should be able to see the alert logs, click on them, and examine the logs

Block SSH

Block Google.com

Delete the lab

When you're finished testing, make sure to delete the stack to avoid charging.terraform destroy -var-file=env.tfvars

Let's wrap this up

You now understand how the AWS Network Firewall works and how to integrate it into your infrastructure. If you want to contribute to this LAB, please open a PR in the repo: https://github.com/awsfanboy/lab-aws-networkfirewall . I welcome feedback and suggestions, so please leave them in the comments or email them to hello@awsfanboy.com.

Manage CodeCommit and CodePipeline in Multiple AWS Accounts

Arshad Zackeriya 🇳🇿 ☁️ — Sun, 13 Feb 2022 15:09:10 +0000

This video demonstrate how to setup AWS Codepipelines in multiple AWS accounts with single CodeComit as a Single Source Of Truth.

https://youtu.be/bB3vwAUgsBk

Use this repo to access the IAM policy materials used in this demo.
https://github.com/awsfanboy/aws-codecommit-with-crossaccount-codepipeline

AWS VPC Endpoint Service for Access Elasticache Redis From Multiple AWS Accounts

Arshad Zackeriya 🇳🇿 ☁️ — Wed, 20 Oct 2021 12:58:40 +0000

This is a scenario, that how to access the AWS Elasticache From Multiple AWS Accounts using VPC Endpoints.
Eg: AWS Account A Application Servers needs to Access the AWS Account B Elasticache Service trough VPC Endpoints.

AWS Secret Manager with a simple Golang ECS Task.

Arshad Zackeriya 🇳🇿 ☁️ — Fri, 06 Nov 2020 04:49:23 +0000

This article is about sharing my experience how we have secured the database credentials using AWS Secret manager. This has been a challenge always where and how to access the database configurations.

When i was setting up a CI/CD pipeline for a Golang based project we wanted to Store the RDS credentials in a secured location. Thanks to AWS Secret Manager we were able to overcome that challenge. Secret manager will store the RDS credentials and can simply call the AWS Secret manger through the code to retrieve them. Lets See the below architecture how the services are connected.

Basically in my above simple setup demonstrate the connectivity of all the services. In the codepool we are not storing any database credentials. When the code is building lets assume i need to do some update queries to the database, then we must need the database credentials to connect the database.For any situations like this can configure an environment variable in the code build configurations as below.

But this example i don't have any pre-build queries to run. lets go through below step by step how to configure the secrete manager for RDS credentials and how to retrieve them from your application on ECS cluster. as a summary my task needs to connect to the RDS database but we are not storing any database credentials inside the code.

First go to the secret manager and enter your RDS information as below and select your right RDS, in my example i have only one RDS.

Once you have entered the information then click next, and it will take you to the below screen.

Here you have to give a Secret Name for your credentials, my example i have mentioned as “dev/aws-secret-manager-test/postgres”. Then click next.

This screen is really interesting, lets assume in your organization that you have any security policies for password rotations then this would be great option to use.

Finally in the review page you can see the Secret Name as highlighted and AWS will provide you some sample code block how to retrieve your secrete using different programing languages. For my example i am using Golang.

below 2 functions where i am accessing the RDS and testing the connection to the database. If you are using in a local machine or server use the docker build.

func main() {
    var err error

    databaseAuth := getDatabaseAuth()
    psql := fmt.Sprintf("host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
        databaseAuth.Host, databaseAuth.Port, databaseAuth.UserName, databaseAuth.Password, os.Getenv("DB_NAME"))

    DB, err = sql.Open("postgres", psql)
    if err != nil {
        Logger.AddLogger(Logger.ERROR, "Database driver error")
        panic(err)

    }
    if err = DB.Ping(); err != nil {
        Logger.AddLogger(Logger.ERROR, "Database parameters error")
        panic(err)
    }
    Logger.AddLogger(Logger.INFO, "Connected to Database")
}

func getDatabaseAuth() Models.DatabaseAuth {
    secretName := os.Getenv("AWS_SECRET_NAME")
    region := os.Getenv("AWS_REGION")

    svc := secretsmanager.New(session.New(&aws.Config {
        Region: &region,
    }))

    input := &secretsmanager.GetSecretValueInput{
        SecretId:     aws.String(secretName),
        VersionStage: aws.String("AWSCURRENT"),
    }

    result, err := svc.GetSecretValue(input)
    var databaseAuth = Models.DatabaseAuth{}

    if err == nil {
        var secretString, decodedBinarySecret string

        if result.SecretString != nil {
            secretString = result.SecretString
            json.Unmarshal([]byte(secretString) , &databaseAuth)
        } else {
            decodedBinarySecretBytes := make([]byte, base64.StdEncoding.DecodedLen(len(result.SecretBinary)))
            len, err := base64.StdEncoding.Decode(decodedBinarySecretBytes, result.SecretBinary)
            if err != nil {
                fmt.Println("Base64 Decode Error:", err)
            }
            decodedBinarySecret = string(decodedBinarySecretBytes[:len])
            json.Unmarshal([]byte(decodedBinarySecret) , &databaseAuth)
        }
    }
    return databaseAuth
}

Now lets check about the security which is really pivotal, if the source resources are out of AWS cloud then you can use an IAM user to access. since i am using the ECS service i have created an IAM role and attached to the task. Lets see the task now.

My role name is : dev-EcsTaskExecutionRole

For the above role attach these policies (AmazonECSTaskExecutionRolePolicy, CloudWatchEventsFullAccess) and you have to make a custom policy for access the secret manager. you can replace the Resource as per to your region and the resource ids.

“Resource”: “arn:aws:secretsmanager:ap-southeast-1:123456789123:secret:dev/aws-secret-manager-test/postgres”

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": "arn:aws:secretsmanager:ap-southeast-1:123456789123:secret:dev/aws-secret-manager-test/postgres"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:ListSecrets"
            ],
            "Resource": ""
        }
    ]
}

Task Definition

Make sure you select the correct role, in my setups its “dev-EcsTaskExecutionRole”

Set the Command to execute your file as “go,run,main.go”. Once you have create the task definition, run the task. Make sure your security groups and the subnets are correct.

The task should execute successfully and able to see the “Connected to Database” message in the container insight as below.

Summary

If you are concern about your database connection strings to be store in a secret location and access them securely AWS Secret manager is a good option. You can try other service like Parameter Store as well. Secret manager gives you the ability to store multiple key/values in a single secret, which is something parameter store can do, but not nearly as nicely. This is useful for many applications. please comment your thoughts and if you have any better way please comment.

Project Repo URL for testing

Docker file also included, if you have any feedback or any questions please feel free to comment.

aws-secret-manager-golang

DEV Community: Arshad Zackeriya 🇳🇿 ☁️

good one!

How I Built My First App with Kiro

Derek Bingham ☘️ for AWS ・ Dec 12

[Boost]

How I Built My First App with Kiro

Derek Bingham ☘️ for AWS ・ Dec 12

[Boost]

Effortless API Scaling: Unlock the Power of AWS AppSync

Lilupa Karu ・ Dec 26 '24

Simplify IP Utilization Monitoring in Subnets with Serverless Automation

Problem:

Solution:

AWS Services involved in this solution:

Lambda Function

Full Python Script here:

Get IP address utilization:

Send metrics to CloudWatch:

Use AWS Infrastructure Composer to design the infrastructure.

How to Deploy

Prerequisites

Deployment Steps

Repository for entire code and instructions on how to deploy: https://github.com/awsfanboy/aws-subnet-ip-address-utilization-monitor

Parameters

Resources Created

Customization

Cleanup

Demo

Cost

What Next?

Conclusion

We gave a lightning talk at the AWS Summit in Sydney 2024.

How did Geethika and I prepare for the event?

Day of the AWS Summit Sydney 2024

Adding more colours to AWS Summit Sydney with @xelfer and Kristine Howard

Playing AWS BuildersCard Game

@zachjonesnoel and I gave away some of our swags

After attending the summit, I attended the ANZ Community Leaders Meetup

It's all about community

How to Secure Your AWS Account Using a Hardware security key [YubiKey]

AWS provides several options for setting up a MFA device. In this article, I will demonstrate how to easily configure Yubikey for SSO user log in in AWS.

Let's get started

Let's log in back to the AWS SSO

Conclusion

My experience with using AWS Application Composer in Visual Studio Code

Prerequisites

This is the updated AWS Toolkit for Visual Studio Code

AWS Application Composer in Visual Studio CODE

AWS Application Composer Support 1000+ CloudFormation resources

Conclusion

Level Up Your AWS Community Day: Creating Custom Gaming Mats with AWS Architecture Icons

Fortify Your AWS Network Security with AWS Network Firewall: A Complete Guide (Terraform Code included)

What you will get from this post (Hands on Lab)

Prerequisites

Basic AWS Network Security and Limitations

Little bit about AWS PrivateLink and VPC Endpoints, VPC Endpoint Services

Little bit about the Gateway Load Balancer

You may be wondering why this guy is talking everything but AWS Network Firewall

Let's go to AWS Network Firewall now

AWS Network Firewall Supports

Architecture of The Lab

Clone the project

Generate the keys for EC2 instances

Then copy the public key and paste in the env.tfvars

Run a terraform init

Once all done , run terraform plan to verify the resources that you are going to create.

Now we can apply using the terraform apply

Let's test the AWS Network Firewall.

Scenario 1

Scenario 2

Test 1 - Check the SSH Traffic

Test 2 - Access https://www.google.com from the APP EC2 server

Let's now manually remove the rule from the console and try it again. Follow the same steps in Test scenario one to access the rule groups

Now curl the https://www.google.com url from the APP EC2 Server

CloudWatch Logs

In the AWS Console, go to CloudWatch and select the logs groups

Block SSH

Block Google.com

Delete the lab

Let's wrap this up

Then copy the public key and paste in the `env.tfvars`

Once all done , run `terraform plan` to verify the resources that you are going to create.

Test 2 - Access `https://www.google.com` from the APP EC2 server

Now curl the `https://www.google.com` url from the APP EC2 Server