DEV Community: Md. Mizanur Rahman

Build Node.js app in Replit & use s3 as static web hosting serving with CDN

Md. Mizanur Rahman — Mon, 14 Jul 2025 12:19:36 +0000

In this AI Era, there's lot of prompt module are available to ease our daily life. Among them i have found one good one which is 'replit'. link: https://replit.com/

I have developed my portfolio in replit. it's node.js app. i have given a prompt to develop like this and gave all kinds of information in replit.

After building the project, i have downloaded the code and then build the application code locally.

npm init -y npm run build

Then i have created a S3 bucket and upload assets folder and index.html of that build project. [S3 has all public access blocked]

For static web hosting, i had to enable the "Static website hosting" from S3--> Properties.
So, if that option is enabled then a weblink you will get and try to open it and found that your app is available on that link.[If public access enabled]

Now the main part, CDN configuration. I have created an CDN with Default config.[CDN takes time to be created fully]
I have configured altenate domain name with my domain 'mizaniftee.xyz'

Then i have configured the SSL from AWS ACM. Records were automatically added in my hosted zone.

N.B: If you want to use CDN with your wildcard domain then it couldn't be added manually. like i wanted to forward mizaniftee.xyz to CDN URL but couldn't. here www.mizaniftee.xyz was doable

As i have set S3 as private, so i had to add some permission in s3 bucket by which CDN could access the files.
going to s3--> Permissions then add below

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::s3_Bucket_name/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::YOUR_ACCOUNT_ID:distribution/DISTRIBUTION_ID"
                }
            }
        }
    ]
}

Now i could easily access my portfolio website with my domain which is serving through CDN to s3 bucket Files.

How to Create & Setting Up IAM Identity Center

Md. Mizanur Rahman — Wed, 27 Nov 2024 15:52:37 +0000

IAM Identity Center is the AWS solution for connecting your workforce users to AWS managed application.
Identity Center Permission Sets are basically templates of IAM roles that will be provisioned in the account. When you assign a permission set to an account, the role is created and a trust policy to handle the federation is configured automatically.
It also supports SSO[Single Sign-On] as well as you could integrate 3rd party like AAD[Azure Active Directory] to this.

Getting Started:

First Go to that account Console with https://Account_Number.signin.aws.amazon.com/console

Then Search IAM Identity Center and Press on Enable. You can Enable in any region as you wish.

N.B- Though you have enabled IAM Identity Center, you could also use specific account console as you have used before. Like https://Account_Number.signin.aws.amazon.com/console but for that you need to have IAM Role for that Or Root Account Holder.

After Enabling, Got Successful Message

Now, Edit the Instance name as it will be showed when you want to access through AWS Access Portal.

If you want to customize your access portal URL and provide the URL to the USER. Go to Dashboard

So, Link will be like that https://mizanzone.awsapps.com/start. And After login, we could see the Mizan tech Account For that specific account.

Permission & Others:

You need to create permissions sets. There are some predefined sets like below:

Here session is = aws access portal session after login.
Relay State: No need right now [it will forward to that URL what is set in the section]
You could set Custom Permission set there. Like only Ec2-admin/ S3-Access as You want per requirements.

You will create groups and set users to that group.

Now we will create users and assign to the required groups. Please create users with mail-wise for the company. So that anyone could use their mail as Username.

After Creating the IAM Identity center, Root user will create another user to work with him in the same account or in the identity center.

N.B: You could add multiple AWS Accounts under Same organization. Just need to send invite from AWS Organization page.After that, all the Accounts will be listed under IAM Identity Center AWS Account

So, You need to assign permission sets & Groups to the accounts of that AWS Organization. What Permission set and groups are added in the AWS Account, only those could access that account permission wise.

When we have multiple accounts that time all the accounts will be listed above.
Now, we will use Access portal URL [https://mizanzone.awsapps.com/start/] and after login, we will get views like that

References:

How to Update Aurora Global Database Version

Md. Mizanur Rahman — Sun, 15 Sep 2024 16:09:32 +0000

From time to time we need to update our database version to latest to get the new changes. it could be a major change or minor change.
For minor changes, AWS has provided a option "Auto Minor Version Upgrade" feature for Single RDS, Multi AZ & Aurora single Cluster.
But that feature doesn't apply to the following kinds of Aurora Global clusters:

Clusters that are part of an Aurora global database
Clusters that have cross-Region replicas

So, we need to follow some process to update that global DB.

First, Remove all secondary Regions from the global cluster.

Just Select the secondary cluster and go to “Actions“
So, that secondary cluster will be a regional cluster and a seperate cluster.

Upgrade the engine version of the primary Region to desired version, as applicable from Portal or CLI or Terraform[any IAC]

Now, if "Enable Deletion Protection" is enabled then please disable that option for secondary cluster.
Now delete that secondary region cluster/ you could use as another cluster if needed. if you don't delete then either you have to add with another DB identifier or you will get thise error.

After Deletion, please select the Global Database and go to "Actions" and "select Add AWS Region". [check references no-3]
If you use Terraform code then run "terraform apply" and it will take time to create those instances.

References:

AWS RDS Proxy For Aurora Global Database [MYSQL]

Md. Mizanur Rahman — Wed, 17 Jul 2024 10:12:52 +0000

Using Amazon RDS Proxy, you can allow your applications to pool and share database connections to improve their ability to scale.
It does so in an active way first by understanding the database protocol. It then adjusts its behavior based on the SQL operations from your application and the result sets from the database.

Quotas/Limitation:

you can have up to 20 proxies for each AWS account ID
Each proxy has a default endpoint. You can also add up to 20 proxy endpoints for each proxy.
Each proxy can have up to 200 associated Secrets Manager secrets
RDS Proxy must be in the same virtual private cloud (VPC) as the database. The proxy can't be publicly accessible
Each proxy can be associated with a single target DB cluster [For Primary need 1 and For Secondary Need another 1]
can't use RDS Proxy with an RDS for MySQL DB instance that has the read_only parameter in its DB parameter group set to 1.

Transactions By RDS Proxy:

Connection reuse can happen after each individual statement when the Aurora MySQL autocommit setting is turned on.
Conversely, when the autocommit setting is turned off, the first statement you issue in a session begins a new transaction. For example, suppose that you enter a sequence of SELECT, INSERT, UPDATE, and other data manipulation language (DML) statements. In this case, connection reuse doesn't happen until you issue a COMMIT, ROLLBACK, or otherwise end the transaction.
Entering a data definition language (DDL) statement causes the transaction to end after that statement completes.

Failover:

Without RDS Proxy, a failover involves a brief outage. During DB failovers, RDS Proxy continues to accept connections at the same IP address and automatically directs connections to the new primary DB instance. [When Failover happens, the secondary cluster becomes primary]

When the database writer is unavailable, RDS Proxy queues up incoming requests.

IP Address Capacity For RDS Proxy:

Aurora Global DB and RDS Proxy should be in same VPC should have a minimum of two subnets that are in different Availability Zones.
Following are the recommended minimum numbers of IP addresses to leave free in subnets for proxy based on DB instance class sizes.

In this case, assume the following:

Aurora DB cluster has 1 writer instance of size db.r5.8xlarge and 1 reader instance of size db.r5.2xlarge.
The proxy that's attached to this DB cluster has the default endpoint and 1 custom endpoint with the read-only role.

In this case, the proxy needs approximately 63 free IP addresses (45 for the writer instance, 15 for reader instance, and 3 for the additional custom endpoint).

Database Credentials in AWS Secrets:

For each proxy that we will create, we will first use the Secrets Manager service to store sets of user name and password credentials. Need to create a separate Secrets Manager secret for each database user account that the proxy connects to on the Aurora DB cluster.

To do this, you can use the setting Credentials for other database, Credentials for RDS database, or Other type of secrets.
Fill in the appropriate values for the User name and Password fields, and values for any other required fields.

{"username":"db_user",
"password":"db_user_password"}

IAM Policy to access:

After you create the secrets in Secrets Manager, you create an IAM policy that can access those secrets.

You could create IAM Role automatically when you create the rds proxy.
You could create policy first, then create role and add assign that role when creating the proxy

Role Creation:

then go for "next"

Policy Creation:
Use inline policy and add below

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": [ "arn:aws:secretsmanager:us-east-2:account_id:secret:secret_name_1", "arn:aws:secretsmanager:us-east-2:account_id:secret:secret_name_2" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:us-east-2:account_id:key/key_id", "Condition": { "StringEquals": { "kms:ViaService": "secretsmanager.us-east-2.amazonaws.com" } } } ] }

Configuration Points: [Main Points]

Idle client connection timeout: Default time 1800s(30m) where a connection could be idle.A client connection is considered idle when the application doesn't submit a new request within the specified time after the previous request completed.
Connection pool maximum connections: Specify a value from 1 through 100. This setting represents the percentage of the max_connections value that RDS Proxy can use for its connections.
Like our Prod DB max connection is 4000, so what percentage we will set , rds proxy will use that [percentage*4000]/100
Connection borrow timeout: If proxy use all available connection then can specify how long the proxy waits for a database connection to become available before returning a timeout error. We can specify a period up to a maximum of five minutes.
VPC security group: must configure the Inbound rules to allow your applications to access the proxy. We must also configure the Outbound rules to allow traffic from our DB targets.

Endpoint for RDS Proxy:

Each proxy handles connections to a single Aurora DB cluster. If Global DB has a Primary & Secondary Cluster, so you need two RDS Proxy in this regard.
Add Reader Proxy Endpoint in RDS Proxy will create a read endpoint that points to Aurora DB Cluster Reader.
Default [Read/Write] Proxy endpoint works with Write instance

You could connect directly to DB or through RDS Proxy, but if we connect with RDS Proxy then you need to create secrets for every user.

COST:

RDS Proxy pricing correlates to the number of vCPUs for each database instance in your Aurora cluster.
If Aurora cluster that has a db.r6.large writer instance (2 vCPUs) and a db.r6.large reader instance (2 vCPUs $0.015 per vCPU-hour)
So, Monthly bill → 2,880 vCPU-hours (4 vCPU x 24 hours x 30 days)==$43.20

References:
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy-network-prereqs.html

Monitoring user login through Cloudtrail for IAM Identity Center[AWS]

Md. Mizanur Rahman — Thu, 07 Sep 2023 15:29:56 +0000

AWS IAM Identity Center helps you securely create or connect your identities and manage their access centrally across AWS accounts and applications. IAM Identity Center is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type.

As there is no lockout/notification system for wrong login attempt in IAM Identity Center, so we will discuss how to configure a system by which we could be notified/get wrong login info.

Config Procedure:

Create a Cloudtrail in that AWS account where the IAM Identity center is configured
Enable Cloudwatch log + Cloudwatch log group + S3 Storage location
Create Cloudwatch Logs Metric Filter
Create SNS and send alarm notifications.

Creating Cloudtrail:

Event in Cloudtrail

Create Cloudwatch Metric Filter:
Now we have to go to Cloudwatch group and set the metric by which Cloudwatch alert will be generated.

Add below pattern

{ $.eventSource = "signin.amazonaws.com" && $.serviceEventDetails.CredentialVerification = "Failure" }

After setting the pattern, you could test the pattern at the time of metric creation.

Now we need to put some values for the metric

Save the changes, so metric will be created and it's time to create a cloudwatch alarm.

Now we set like below to set the threshold values for login attempts.

Set conditions **per requirements and press "next**"

it's time to set notification policies with SNS.

Before that we need create a **SNS **with email endpoint to get the alert to the mail.

How to create SNS:

Create SNS with email subscription

First create a topic with **standard **type. Give a name and description.

After creating the "topic", go to that topic.

Create a "Subscription" where protocol "Email" and set the *endpoint * [email address]to which we want to get the email.

So, we will get alert mail like below if any wrong attempt for login crosses the threshold value.