DEV Community: neetu-mallan

License to Build: Crafting Games with Amazon Q CLI

neetu-mallan — Sun, 08 Jun 2025 15:33:52 +0000

It’s hard to find someone who hasn’t seen—or played—the iconic Chrome Dino game. You know the one: that pixelated little T. rex that appears when your internet vanishes, sprinting endlessly across a desert landscape, dodging cacti and flying pterodactyls. Simple, nostalgic, and strangely addictive.

So when the AWS Community Builders were invited to join a hands-on learning experience—“Build Games with Amazon Q CLI”—I knew exactly what I wanted to do. Among classics like Snakes and Ladders and Tic-Tac-Toe, I set out to recreate the beloved Chrome Dino.

What amazed me most wasn’t just that I could recreate these games—it was how I could do it. Amazon Q CLI took in straightforward prompts and returned fully functional games, complete with visuals, special effects, animations, sound—the works. And the best part? I didn’t have to write a single line of code.

Much like a seasoned developer, Amazon Q builds in phases—laying the groundwork first, then layering enhancements one step at a time. Watching it evolve a simple prompt into an interactive game felt a little like magic.

Setting Amazon Q CLI:

This document provides the necessary steps to install Amazon Q CLI on the system. https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-installing.html

Once the CLI is installed, verify the setup using the following command.

Time to get working

Just like 007 counts on Q—his brilliant tech whiz—to gear him up for each mission, I had my own digital sidekick: Amazon Q CLI. The moment I gave the word, Q jumped into action, smoothly installing the Pygame library.

Q create a dinosaur game similar to the Chrome Dino game.

As with any good mission, Q started with the basics—a foundational version of the game. It was simple, functional, and just enough to get things rolling. Like handing over a standard-issue gadget before revealing its hidden features.

Initial game snapshot:

Enhancements:

Q upgrade the plain dino into a proper pixelated T. rex—true to the original classic. As always, Q responded with precision, swapping out the basic form for a retro-styled reptile that looked ready to take on any mission the game could throw at it.

While testing the game, I noticed a curious glitch—each time my Dino successfully dodged an obstacle, everything would suddenly reset, almost like the game forgot it had just happened. It broke the flow of the run and felt a little jarring.

So, I shared this experience with Q, hoping it could help smooth things out. It analyzed the problem, adjusted the logic, and patched things up. Mission back on track.

Sound effects:

Q add some sound effects

And when I requested a space-themed twist on the classic desert run, Q didn’t just follow instructions—it improvised. The background transformed into a galactic expanse, the cacti morphed into sleek spaceships, and the birds into drifting asteroids. It was like asking for a pen and getting a laser-equipped grappling hook instead.

Q explain me the features of the game:

Q increase the difficulty over time by introducing multiple obstacles as the game progresses and increase the speed of the obstacles. Q understood the assignment—escalating the challenge with precision.

Final Game Video

Amazon Q didn’t just help me build a game—it equipped me for it. Every prompt I gave felt like issuing an order , and every response was packed with precision, creativity, and flair. No code. No delays. Just results.

In this mission, I wasn’t the agent in distress—I was the one in command. And Amazon Q? It was my very own Quartermaster.

JAWS Pankration 2024 - A speaker's perspective

neetu-mallan — Thu, 29 Aug 2024 05:29:46 +0000

Introduction:

Back in 2022 at the AWS Community event in Bangkok, when I first heard Hidetoshi San and Shun San present their talk about Jaws Pankration event held in 2021, I knew I had to be part of this incredible event.
Here’s a detailed account of my experience and the impressive organization behind JAWS Pankration 2024.

What is JAWS Pankration?

It's a 24-hour virtual event hosted by the Japan AWS User Group in a follow-the-sun format. It features AWS enthusiasts and experts from around the world sharing knowledge and best practices.
This year the event was conducted from 24th Aug,2024 3:00 AM (GMT) to 25th Aug, 2024 3:00 AM(GMT).

Event Page: https://jawspankration2024.jaws-ug.jp/en/

Submission and Selection:

The Call for Papers (CFP) was announced in late May, with a submission deadline of June 30. I submitted two topics and was thrilled to receive notification by July 10 that my session, "Cloudy with a Chance of Precision: Deploying Scalable Weather Forecasting Apps on AWS EKS," was selected.

This year the committee had received 146 submissions in response to the CFP for almost 70 available session slots. In the final list of sessions there were speakers from 25 countries, some even giving sessions in their native language.

The complete time table was posted on the Pankration website by 12th Jul, 2024:

https://jawspankration2024.jaws-ug.jp/en/timetable/

Preparation and Communication:

Slack Channel: Upon selection, I joined the event’s Slack channel for communication with the committee.

Swag Coordination: The team efficiently handled swag distribution, overcoming international shipping challenges and ensuring timely delivery. The swag included a Prairie card—a digital business card for easy networking.

The team published news articles for important announcements, one such about the use of Prairie card is available here:

https://jawspankration2024.jaws-ug.jp/en/news/la8ky_-d2yp/

Promotion: The committee provided promotional materials and a speaker map created using AWS Location services.

Speaker Map: https://speakermap.jawspankration2024.jaws-ug.jp/

The commitment and the technological innovation shown in planning and execution of each stage of this event was phenomenal.

Technical and Logistical Details:

Translation Environment: This year, the team built a solution utilizing AWS IVS and Translate services for real-time translation and distribution. A demo site helped us practice before the event.

All speakers were supplied with instructions for connecting to the final streaming env and a do's and don'ts list.

Translation Architecture published by Jaws Team:
https://jawspankration2024.jaws-ug.jp/en/news/7__wsyicbqsy/

An awesome 30 second video was created by the team to be played just before the speaker introduction and after the presentation was completed.

https://x.com/jawsdays/status/1826598303662023076

Final Preparations: We were required to complete our sessions within 15 minutes and allowed 5 minutes for Q&A. I prepared my presentation, ensuring all AWS resources(ECR,EKS,ALB) were correctly set up and running

Event Day:

Pre-Talk: On August 24, 2024, my talk was scheduled for 2:30 PM IST. The event started at 8:00 AM IST. I joined the Speaker waiting room via Voice Ping at 2:00 PM IST, where I was welcomed by Ai Hayakawa San speaking in Japanese, at my end I could see the Japanese text being translated real time into English.

Live Session: On logging into the Zoom, Masanori San welcomed me and after few system checks, friendly conversation & a countdown, I delivered my presentation within the stipulated time. The meticulous planning by the team made the session delivery a breeze.

Post-Talk: For answering any Q&A , I re-joined the "Ask The Speaker" room in Voice Ping where I could experience the real time translation magic again while catching up with Shun San!

The entire event broadcast allowed subtitles in viewer's preferred language.

On the same day, an accurate summary of my talk was published by the Pankration team powered by Amazon Bedrock.

Conclusion:

The dedication and innovation shown by the JAWS Pankration team were remarkable. The event’s execution and the support provided to speakers exemplify excellent organisation. I’m grateful for the opportunity to participate and contribute to this fantastic global event.

In the subsequent blog posts, I would be documenting technical details behind the preparation for my talk on the event day. So stay tuned!

Resetting RDS retention period using Step Functions & Lambda

neetu-mallan — Mon, 24 Apr 2023 02:52:38 +0000

What is Retention Period?

Retention Period on RDS Instances decides how long automated backups have to be stored.
While creating a DB instance, by default the automated backup frequency is set to 7 days, it means a backup of the instance is stored till 7 days.
In our case, lot of times folks who created the instance forgot to reset this in case the backups weren't needed.

The retention period can be set to 0 in which case no backups will be taken for the DB instance especially in Dev envs where we had no need to store backups of databases.

When we took the clean up task every week manually, we saw that the process to set this retention period to 0 was tedious as we had to wait for the instance to start in case it was in stopped state then modify it, wait for the modification to complete & then stop the instance.

Repeat this over for a lot of instances & you could easily spend half a day doing this.

To automate this, I thought of going with a Serverless solution comprising of Step Functions, Lambda & Eventbridge scheduler.

Prerequisites:

Role for the step Functions to invoke the said Lambda functions & to perform start, stop & modify actions on the RDS instances

IAM Role for Lambda functions to allow sending callback response to Step Functions(sendTaskSuccess & sendTaskFailure)

The Step Functions has the foll. states-

Lambda Invocation
Map state
A Choice State.
Workflow 1 when the DB is in stopped state
Workflow 2 when the DB is in starting/rebooting/backing-up state.
Workflow 3 when the DB is in available state.

Lets go over each state using a short demo:

1.Lambda Invocation : [AWS SDK Integrations]

Lambda Invocation State

2.Map & Choice states :

Map & Choice States

3.DB is in Stopped State:

Workflow 1 Explanation

In the Lambda function we discussed in the demo, the SDK waiter API is implemented for the instance as shown in the below code snippet.

In the same function to perform the modify action I had to introduce a lag of a few seconds before calling the waiter API, this is because after firing the modify_DB_instance SDK call, the operation is started after a lag of few seconds.

Note: If the lag is not introduced, as the DB is in available state, the waiter call will be skipped and the token returned thus moving to the next state without applying the modification.

Lets see how the execution flow works for a single DB instance in Stopped state.

Demo: Step Function execution for Instance in Stopped state

The entire execution for the single instance takes around 14 minutes.

4.DB is in starting/rebooting states:

Workflow 2 Explanation

Let's see how the execution flow works for a single DB instance in Rebooting state.

Demo for Instance in Rebooting State

The entire execution for the single instance takes almost 5 minutes.

5.DB is in Available State:

Workflow 3 Explanation

Lets see how the execution flow works for a single DB instance in Available state.

Demo: Step Function execution for Instance in Available state

The entire execution for the single instance takes almost 3 seconds.

We can introduce a Eventbridge schedule to execute this step function twice a week or once a month to automate the process further.

I have shown a single use case of setting RDS Retention Period to 0 using Step Functions but this can be adopted for other use-cases too where we need to perform a bulk-modify action on RDS instances.

What did I learn from this exercise?
Callback pattern are a powerful feature of Step Functions. I had spent some time adding wait states after calling the start/modify SDK API call but quickly realised that this time could not be predicted as it varied based on the DB engines. Thats when callback pattern came to my rescue

Please find the code in my github repo:

https://github.com/neetu-mallan/retentionperiodreset

What Resources did I use?

To learn & understand the step functions I have gone through the AWS documentation:

https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html

https://www.youtube.com/watch?v=jXxKRd_9nC0 -- this Step Functions Crash course by Manoj Fernando really helped me in understanding how step functions help in practical use cases.

The below 2 links helped me understand the callback pattern implementation:

https://docs.aws.amazon.com/step-functions/latest/dg/callback-task-sample-sqs.html

https://docs.aws.amazon.com/step-functions/latest/dg/connect-to-resource.html

Chronicles of a First Time AWS Women In Tech Event Speaker

neetu-mallan — Mon, 12 Sep 2022 08:25:57 +0000

"If you can speak , you can influence. If you can influence you can change lives" - Anonymous

In early July, when I received the email from Ridhima Kapoor inviting me to speak at the AWS Women in Tech Day Event 2022, I was genuinely surprised as I did not feel I had done anything worthy of getting this opportunity (my impostor syndrome kicking in). I was also humbled by the kind of support that the AWS Community lends its members. I grabbed the opportunity with both my hands & sent back a positive reply to Ridhima.

Other than the fact that it was my first in-person event, it was also the first time I was stepping out of my house for a meetup post the pandemic.

The content that's going to follow is basically a set of steps I adhered to upto the Event Day.

Getting over the nerves prep

To get over the initial jitters of "Where to start from" I decided to go over AWS Machine Learning Hero Brooke Jamieson's video which I had come across few months ago. It's a humorous take where Brooke describes her own experiences when she started as a speaker in Tech conferences. I must have gone over it 4–5 times.
She provides references to some common problems which though seem mundane while watching, you see the relevance when preparing the content such as selection of font size, presentation template , colour palette, speaker bio etc.

Video Link : How to be a Tech Conf Speaker

As I was working with a Keynote presentation, I also checked out a few beginner to advanced videos on animations on Keynote

Video Link: Beginners Tutorial for Keynote ,
Intermediate Tutorial for Keynote

I did not go over the tech conference videos by other speakers as I was worried it could influence me to emulate the speaker.

Selection of topic

Selecting the topic of your talk is crucial.
You should be both comfortable & confident with the content.
Also pay attention to who will be the audience & whether you need to deliver for a beginner, intermediate or expert level.
Be sure to select something which interests you. I had selected "Fundamentals of Data Encryption" as Security in AWS was something I was interested in.

Presentation Deck Prep

Start working on your deck at least 2 weeks before the event. So you have enough time to rehearse & make changes to the content.
Check whether you will be getting a pre designed template for your talk. I had received a pre defined one from the organising team even though I had spent some time on choosing the slide deck of my own prior to it.
Else you might have to decide on the slide colour & design.If that's sorted, you can move on to font selection, look & feel of your content.
Ensure the header, sub header sections are differentiated in font. Also, that the font is big enough for even the back benchers in the room to view.
Avoid clutter in the deck.
I usually prefer less theory on the slide & more of pictures or animation that helps audience understand better.
Decide on how much content you want to fit into each slide & the number of slides you want to put in.
Think from the perspective of the audience, what would they like to see for the subject of your choosing
Get your deck reviewed by peers or your mentors, I had received some useful feedback for my slides.
One such feedback was that the slides should be self explanatory so I had to include labels over arrows & pictures where needed.
Remove content if it cannot be correlated with the topic.

Presentation Prep

If you are a first time speaker & low on confidence, prepare your speech, write it down on a paper, don't mug it up, if you understand the content you won't have to.
Rehearse in an empty room or before the mirror & finally with a friend. Get feedback & apply it.
No matter the actual words in your speech go with your gut & change the narrative if you need to.
Time yourself during rehearsals , if your talk is set for 30 mins, check whether you complete well within the time. If there is a QnA session post your talk be mindful of the session as well.
Also in QnA if you are not sure of the answers, be honest & tell the audience you would get back to them.

Facing your doubts

A week before the event I was having some self doubts that's when I spoke to Bhuvaneswari Subramani a very active member of our AWS Community & a seasoned speaker.
Her words gave me a new perspective – she encouraged me to think about my purpose of giving the talk, how big this opportunity & the stage was.
She advised me about how to overcome stage fright, trying the WonderWoman pose before my talk(I swear it does help), communicate with the audience & smile while speaking. Her pep talk washed over my fears & I started rehearsing with a renewed zeal.

The main event

Having rehearsed enough, on the day of the event I was able to witness the meticulous planning & preparation behind the scenes of the event. Hats off to Ridhima Kapoor, Rohini Gaonkar & the entire organising team.
I could get essentials such as mic check & stage etiquette ensured much before the start of the event.

Post the start of the event I got so inspired by the talks of all the speakers that I completely trashed my rehearsed speech & went with an impromptu talk connecting with the audience, in the process I realised how much I loved being on the stage.
This was quite a memorable experience for me, all thanks to the support & encouragement of the AWS community members – Ridhima Kapoor, Rohini Gaonkar, Bhuvaneswari Subramani, Sridevi Murugayen, Vivek Raja P.S.
The event updates have already been documented by Bhuvaneswari ma'am in her blog , for those who have missed, you can find the link below

A Trip Back in Time- blog by Bhuvaneswari Subramani

Automating the selection of named profiles from the .aws/credentials file

neetu-mallan — Fri, 09 Sep 2022 02:57:55 +0000

While working continuously on the AWS CLI, I found it tedious to switch between users by manually exporting the AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY as these credentials need to be set in every session of the shell. So I have created a bash script to automate this selection in which you can provide a named profile & based on the access key ID & secret access key the above environment variables would be set automatically.

To understand more on named profiles, please go through the AWS documentation link:

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html

The .aws/credentials file created follows a format shown below:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

In case I do not specify any named profile, the default profile would be applied as below

aws ec2 describe-instances

else if I want a specific profile to be applied to my command I can :
aws ec2 describe-instances --profile user1

This will list the ec2 instances for the user profile of user1.

You can automate this so that every time you open a shell you just provide the named profile to the script & it will set the access credentials for you that will be valid for the entire session.

While working on this automation I came across Ben Kehoe's article regarding the same & this worked as an inspiration to write my own script:

https://ben11kehoe.medium.com/aws-configuration-files-explained-9a7ea7a5b42e

I have placed the bash script my GitHub repository:

https://github.com/neetu-mallan/AutomateCLINamedProfileSelection

Check the README.md file to understand what the script does:

https://github.com/neetu-mallan/AutomateCLINamedProfileSelection/blob/main/README.md

Write IAM Password Policy to enforce login passwords

neetu-mallan — Wed, 07 Sep 2022 05:17:58 +0000

In this blog we will learn how we can create a IAM Password policy & enforce every user to adhere to it. All the steps would be performed in the AWS CLI.

In the previous blog post, I had mentioned how to create a role & assign it to a user.

IAM user role with PowerUserAccess

I have used the same user here after renewing the session token(a session token created by a assume-role API call expires in 60 mins) The user has a createUser API access after assuming the role.

Step 1: Create an admin user for administrative purposes using command
aws iam create-user --user-name IAMAdmin --tags Key=Desc,Value=IAMUserForAccount

Step 2:Use the —query option to filter the query at the client side for specific policy names

aws iam list-policies --query ‘Policies[?PolicyName==AdministratorAccess]' —-use backticks for the string you are trying to search.

Attach the AdministratorAccess policy to the IAMAdmin user:
aws iam attach-user-policy —user-name IAMAdmin —policy-arn arn:aws:iam::aws:policy/AdministratorAccess

To filter policies using —query option refer to the below link to get understanding of how server side & client side filtering works & how JMES Syntax helps us to query info like getting Policy Arn's.

https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html

Step 3: Create access keys for the admin user
aws iam create-access-key --user-name IAMAdmin --output text

STep 4: To create a password policy with 90 days expiration , mix of numbers, symbols,upper, lowercase & prevent reuse of password
aws iam update-account-password-policy --minimum-password-length 32 --require-symbols --require-numbers --require-lowercase-characters --require-uppercase-characters --allow-users-to-change-password --max-password-age 90 --password-reuse-prevention 1

To check if the IAM password policy has taken effect:
aws iam get-account-password-policy

Step 5: Generate a random password string that conforms to your policy needs

RANDOM_STRING=$(aws secretsmanager get-random-password --password-length 32 --require-each-included-type --output text --query RandomPassword)

Step 6:Create a login profile adhering to our random password for the user IAMAdmin
aws iam create-login-profile --user-name IAMAdmin --password $RANDOM_STRING

Lets try creating a group & ensure that the any new user attached to the group will adhere to the password policy.

Step 7: Create a new group called QualityAssurance
aws iam create-group --group-name QualityAssurance

Attach the EC2ReadOnly Policy to this group
aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess --group-name QualityAssurance

Step 8: Create a new user for this group
aws iam create-user --user-name Ben

Step 9:Add the user Ben to the QualityAssurance group
aws iam add-user-to-group --user-name Ben --group-name QualityAssurance

Step 10: Generate a random password string that violates our policy needs

RANDOM_STRING=$(aws secretsmanager get-random-password --password-length 16 --require-each-included-type --output text --query RandomPassword)

Step 11:Create a login profile adhering to our random password for the user named Ben
aws iam create-login-profile --user-name Ben --password $RANDOM_STRING

The step 11 fails with the error: Password policy violation : Password should be minimum length of 32 which proves that the password policy is enforced.

Lets generate random password which conforms to the IAM password policy & assign it to the user
RANDOM_STRING=$(aws secretsmanager get-random-password --password-length 32 --require-each-included-type --output text --query RandomPassword)

Step 12:Create a login profile for the user named Ben with the new random password
aws iam create-login-profile --user-name Ben --password $RANDOM_STRING

As Ben has EC2ReadOnly access, opening the EC2 console does not give any errors as opposed to the S3 access below

Thus creating a password policy & assigning it at the account level helps to ensure that any user created in the account follows the policy thus enabling security with user credentials.

This exercise has been inspired by the 2nd recipe in the AWS Cookbook.I have experimented further with the content.

Happy Learning!!

Setting up Command auto completion for AWS CLI

neetu-mallan — Mon, 15 Aug 2022 12:56:22 +0000

Once you have installed the AWS CLI, it has the feature to auto complete the commands for you at the press of a TaB key. I am using a MAC & the commands here are pertaining to the Mac OS & the zsh shell is used.

To enable this, execute the foll. commands

Check the location of aws_completer
which aws_completer
Check the shell using command echo $SHELL
/bin/zsh
Find the profile script of shell
ls -a ~/

In my case its the zsh & this shell does not have a profile script .zshrc created by default even if you are using the shell

Create the file using command:
Touch ~/.zshrc
Add the path of the aws_completer to this:

PATH="/usr/local/bin/aws_completer:${PATH}"
export PATH

Add the below command to the .zshrc file so that the command completion works every time you open the shell

autoload bashcompinit && bashcompinit
autoload -Uz compinit && compinit

To enable command completion run the below command
complete -C '/usr/local/bin/aws_completer' aws
Execute the command below to reproduce the above changes in current shell
source ~/.zshrc

Verify the command completion using the

aws i(TAB key press)

For other OS's , please refer to the below documentation by AWS
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-completion.html

AWS CLI: Creating IAM User & Role with PowerUserAccess

neetu-mallan — Mon, 15 Aug 2022 12:55:30 +0000

Having used the AWS Management Console for a while now, I wanted to switch over & use Developer Tools, to begin with AWS CLI quite extensively.

To start with I have created a new Free-Tier Account having a Root User.

To use AWS CLI, install it on your local machine steps using the : https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

Step 1: Create access keys for Root User.

Though not a good practice, this step helped me to create the IAM user from scratch on the CLI. I have deleted the access keys once the IAM user was created & generated & assigned its own access keys.Download the csv file from the Management console & store it in a secure location on your computer.

Step 2: Setting up the CLI to use the access keys of the root user & create an IAM user
Execute the below commands:

Provide the access keys to setup the CLI to operate using root user credentials

aws configure

Create group named "Developers", an IAM user named "Neetu" & attach it to the group.

aws iam create-group --group-name Developers

aws iam create-user —user-name Neetu

aws iam add-user-to-group --user-name Neetu --group-name Developers

aws iam get-group --group-name Developers

generate access keys for the IAM user & store it in a file on your local system

aws iam create-access-key --user-name Neetu > access_keys_iamuser.txt

Attach a permissions policy to the IAM User to be able to Create a role & attach itself a role policy. Replace the resource name with the ARN of the IAM user.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:AttachRolePolicy"
],
"Resource": "arn:aws:iam::XYZ:role/*"
}
]
}

Delete the access keys of the root user

aws iam delete-access-key --access-key-id

Replace with the access key ID from the credentials csv you download

Re-run the aws configure command this time with the IAM users credentials
Create a role policy json file to allow the IAM user to assume a role

{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"AWS" : "PRINCIPAL_ARN"
},
"Action" : "sts:AssumeRole"
}
]
}

Store the ARN of the IAM user in an environment variable using the below command, this will correspond to the ARN of the IAM user

PRINCIPAL_ARN=$(Aws Sts get-caller-identity —query Arn —output text)

echo $PRINCIPAL_ARN to check if the variable is properly configured

Replace this ARN in the assume-role-policy-template.json & rename the file

sed ‘s|PRINCIPAL_ARN|${PRINCIPAL_ARN}|g’ assume-role-policy-template.json > assume-role-policy.json

Create a role with the trust relationship with the principal ARN as the user

ROLE_ARN=$(aws iam create-role --role-name PowerUserAccessRole --assume-role-policy-document file://assume-role-policy.json --output text --query Role.Arn)

This command creates a role by the name of "PowerUserAccessRole" which has the Sts:AssumeRole policy attached to it.

Note: Do not forget file:// even if you have provided the complete path of the assume-role-policy.json as the command then gives Malformed/Invalid JSON error which is not intuitive.
(Complete Error: when calling the CreateRole operation: This policy contains invalid Json)

Assume the role & get the temporary credentials using the command which is generated with an expiry time:

aws sts assume-role --role-arn $ROLE_ARN --role-session-name DeveloperAccess

{
"Credentials": {
"AccessKeyId": "",
"SecretAccessKey": "",
"SessionToken": "IQoJb3JpZ2luX2VjEA0aCXVzLWVhc3QtMSJGMEQCIAQEX4oH3oDqi7DZcdyjN8UdhxWfP7cOvMdYjztyQ9H7AiAl88n2FIIw0zQco+C/ncvHTskgacVgubhrBNupFD8SdCqbAgh1EAAaDDY1MjU2OTkwNTIwNiIMv6opwh02jCFt+WFgKvgBDaKG1CICFrAXUbrEYE2/STYd8BqNvJxnbw5nI8hImVZNWiJW7yhqbisU02r1G2TIh9bHnwjaYXw0PTyiFPNqYF81ZdkcelWR00qWUCpAgvY7v1lRsNLgxvokk9eJNpRqjqHlfEwd6MlUcuntFQ8v3UU9hVJRL9gzB3+v5Uaq8KiUJdzYVas76eSMzi7XWtbQv18ZavZOAPOUqigBIS8wuo1IXSaDHFO/AvhbaXvlGgBJdE++rxfptI822oigOxuokmEAXXVdImBeo7hI3xh2naPhhUnxjMDtnzoSa+jAipfLxclvIOrigT4SaRdp3o3YNxdBS3KQyCUw4YfZlwY6ngFKdr+QZt4qEEtWbbEsxs5Nj5zVu1/z9DeiTPbsiTT9yVFDO9X8/6Ln/IyNtq5E/DUKisLLj4KAWykxjRC/tdNv+ZjdklK6424MBEE6LXQPbxkfnoZjsKPI2/kUgp7L6mzMmQSvEGTpICeJHB3BVqrOtN0VGeiSO8YEnJtBUsEpzM0kiN+1ZzE0NSsufsjYmmBZ7Oypn4zUhTxLvnj06w==",
"Expiration": "2022-08-12T13:13:21+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROAZP4BSRA3LG6JASGGG:DeveloperAccess",
"Arn": "arn:aws:sts::652569905206:assumed-role/PowerUserAccessRole/DeveloperAccess"
}
}

The above commands help us to create a IAM user & follow the principle of least privilege to assign a PowerUserAccessRole to the user. Temporary credentials are generated so that the IAM user can perform limited functions till the session token expires.

The inspiration for this article is the first recipe in the AWS Cookbook which I have improvised further to get a better understanding of using AWS CLI

Creating EC2WebServerInstance using CloudFormation

neetu-mallan — Sat, 09 Jul 2022 12:04:59 +0000

Drawing inspiration from Drew Firment's challenge to play in the cloud sandbox. I had decided to begin my AWS builder journey through the project- "Use CloudFormation to Launch an EC2 Web Server".

This was a real fun activity with loads of learnings. Quite a CloudFormation novice that I am, I did have a fair share of hiccups that I have mentioned in the Troubleshooting section. For the exercise I have followed the online tutorial given in the AWS documentation walkthrough https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/working-with-templates-cfn-designer-walkthrough-createbasicwebserver.html#working-with-templates-cfn-designer-walkthrough-createbasicwebserver-resourceproperties .

It was really satisfying seeing the above congratulatory message post the successful launch of the web server. I could really experience the power of cloud!!!

Troubleshooting guide:
1.While uploading the completed CloudFormation Template to create a stack. I faced the error- "Failed to retrieve external values". This was due to incorrect placement of the access key name while declaring the parameters for the WebServerInstance
EC2InstanceKey: <--- Mention the actual key name created in the AWS region you are using
Description: Name of an EC2 KeyPair to enable SSH access to the instance.
Type: 'AWS::EC2::KeyPair::KeyName'
ConstraintDescription: must be the name of an existing EC2 KeyPair.
Subsequently, while referring this key in the WebServer Instance use the exact name as given below
KeyName: !Ref EC2InstanceKey

Public Route Table resource creation failed while creating the stack. Here, the error shown in the Events section of CloudFormation was self explanatory. The VPCId had been missed in the properties of the table in the template.
AMI ID: Mention the appropriate AMI ID as per the latest architecture. The script present in the walkthrough tutorial has older versions of AMI,as a result the EC2 Instance Connect was not working and neither could I connect to the EC2 Public IPV4 address.

Rather than opting for the static declaration of AMI ID and instance types as in the walkthrough, one can opt for passing dynamically with the help of SSM Parameter store.

4.Explicitly specify the Subnet-Route Table association using the AWS::EC2::SubnetRouteTableAssociation type. I had not used as it was not mentioned in the walkthrough due to which I had to map the internet gateway to the route table post the stack creation.This led to the EC2 instance not being connected to the internet and same behaviour post the addition too.

My sincere thanks to Drew. Moving to the next challenge. Onwards and Upwards!!! #AWS

The CloudFormation template is present at the below GitHub link:

https://github.com/neetu-mallan/CloudFormationTemplate/tree/master

Creating a EKS cluster using Managed Nodes(EC2 instances)

neetu-mallan — Sat, 09 Jul 2022 11:28:30 +0000

For the past few weeks I have been learning Kubernetes fundamentals, as part of the hands on lab, I will be creating an EKS Cluster in my AWS account using Managed Nodes. I would be making use of the AWS Console to create the cluster & the CLI to create nodes & communicate from my local system using kubectl tool with the remote nodes to deploy the container images.

Pre-requisites:

AWS account Setup the AWS CLI & kubectl tools in your local machine.
AWS CLI: Install the CLI tool & check the successful installation using the below command

kubectl : Install the kubectl tool & then check the successful installation using the below command

Code repository:
https://github.com/neetu-mallan/ManagedNodeEKSCluster/tree/master

To create the cluster, follow the below steps:

VPC & Subnet creation: Create a custom VPC, 2 public & 2 private subnets, Internet Gateway, NatGateway etc. using the below command.

aws cloudformation create-stack \
--region ap-south-1 \
--stack-name VPCForEKSCluster \
--template-url https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-vpc-private-subnets.yaml

Create a cluster IAM role The below command creates a STS role which can be assumed by the EKS service.

Command:
aws iam create-role \
--role-name EKSClusterRole \
--assume-role-policy-document file://cluster-role-trust-policy.json

3.Attach the AmazonEKSClusterPolicy to the IAM role created above

Command:
aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy \
--role-name EKSClusterRole

Cluster Creation: Create a cluster using the AWS Management Console, make sure to select the VPC, subnets, security groups as created on Step 1.

Create kubeconfig file. This config file helps you to communicate with the remote cluster using the kubectl tool

aws eks update-kubeconfig --region ap-south-1 --name MyCluster

As shown in the command output in the above screenshot, if we try to print the contents of the config file, we can see that it creates an entry for the Cluster created in Step 4 in our local .kube folder.
Be sure to change the region name & cluster name as per your AWS account.

Run the "kubectl get svc" command to ensure the config is working fine & you are able to connect to the cluster.

Note: In my case, I faced an issue wherein I was getting the "exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1", the config file was updated with the api version v1alpha1 which was no longer valid. I had to update the aws cli & rerun the update-kubeconfig command mentioned above to fix the issue.

a. Create an IAM Role for the nodes to interact with AWS resources.

aws iam create-role \
--role-name EKSNodeRole \
--assume-role-policy-document NodeIAMRole.json

Assign the specific policies to the EKSNode Role using the below commands:

aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy --role-name EKSNodeRole
aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly --role-name EKSNodeRole
aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy --role-name EKSNodeRole

Add Nodes to Cluster:

There are 2 options here- we can go for Fargate(Serverless) & Managed(EC2) nodes.
I am choosing the EC2 Managed nodes for the below exercise

Go to the Compute tab under the cluster & click on Add NodeGroup. I have created a NodeGroup "DemoWorkerNodes" as shown below. The cluster & node group creation can take a couple of minutes.

]

Troubleshooting pointers: Initially I changed the Instance Config from t3.medium to t2.micro but 3 of the 5 containers were not starting. I had to delete the node group & re-create using t3.medium as default EC2 config & then the deployment worked fine.
Commands to be used to troubleshoot:
kubectl get pods
kubectl describe pod pod-name
kubectl logs pod-name .... replace pod-name with the name of your pod.

Run the kubectl get nodes command to check that we can see the nodes created through the node group in our local system too.
This ensures that all the config done above works & we are able to connect to the remote nodes locally.

Deploy the containers using the kubectl create command onto the nodes from your local machine as shown below:

Once done, copy the load balancer services external IP as shown in the screenshot & open them in the web browser to see the successfully deployed application.

Note: Clean up your account post the successful deployment. Delete the node groups & then the EKS cluster & the associated IAM roles.

Hands-On Idea:
AWS EKS Official Documentation & KodeKloud Kubernetes Beginner's Course https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html

Triggering a Lambda function using SQS to populate DynamoDB

neetu-mallan — Wed, 15 Jun 2022 07:49:32 +0000

This post is intended for beginners who want to understand how event driven architectures communicate in AWS. The repository holding the python scripts to be used is mentioned at the end of the

Log into your AWS console with your IAM credentials, select the region closest to you & follow the below steps:

1. Creating a SQS(Simple Queue Service):

Create a simple SQS queue called "DynamoDBMessages" which will receive a number of messages from the EC2 instance running in our account.

No need to change the access policy or the configuration we can keep it as default

2. Lambda execution role:

We need to grant access to the Lambda service so that the function created in the next step can access the SQS queue to check for messages, DynamoDB in order to write the messages from the queue to the DB table & access to write to CloudWatch Logs.

3. Lambda function:

This function will be triggered by an event whenever the messages are placed on DynamoDBMessages Queue created in step 1.

Provide the function name & select the runtime as Python 3.9 as we will be running the function written in Python.
The architecture can be default as x86_64. Click on Create Function.

Once the Function Overview screen open click on "Add Trigger", select SQS in the trigger configuration & select the queue we created above.

Select the Code tab & change the contents of the lambdafunction.py to the code attached (filename= lambda_function.py) in the repository given below:

Next, Deploy the code by clicking on Deploy.

4. Create a DynamoDB table:

Create a table by the name of Messages as shown below:

5. Create a EC2 Instance:

This instance will execute the code which will send messages to SQS. Be sure to select instance type t2.micro which is free tier eligible.

Select the EC2 Instance once its in the running state & click on Connect, alternatively we can also use the AWS CLI. You can run the scp command to move the send_message.py file to the EC2 Instance from your local once you are able to SSH into the instance(This requires the KeyPair pem file created at the time of instance creation)

To run the below command, install boto3 & faker packages on the EC2 instance as this will not be pre-installed. Next, you might face "No Credentials Error" thrown by boto3 package. To overcome this, there are three options,

Run aws configure & give the access key id, key, region, format.
Edit the credentials file in the /.aws folder. Create the folder/file if not present & then enter the above access key & region details. The above two options are not safe as any other user having access to this EC2 instance can get hold of these credentials. Alternatively STS service can be used to get temporary credentials for package execution on EC2.

Once the above steps are complete, run the below command to trigger sending of the messages to DynamoDBMessages queue.

The SQS queue name created should follow the -q option in the above command.

Press Ctrl+C once you see an adequate number of messages being sent.

Check the DynamoDB table "Message" for the messages sent from the EC2 -> SQS -> Lambda -> DynamoDB.

For any errors one can also check the CloudWatch Logs, under the Lambda log group.

GitHub Repository:

https://github.com/neetu-mallan/SQSLambdaDynamoDB/tree/master

Networking basics - Part 1

neetu-mallan — Fri, 15 Apr 2022 19:16:07 +0000

As a part of my prep for AWS SAA-C02, I started learning the basics of how networking works in the cloud. This post has been written for sharing my learnings with my fellow community members from AWS User group Madurai.

Understanding Networking is essential to understand the way AWS Services communicate
internally as well as with the on premises infrastructure.
Let's begin with the most fundamental model of networking.

OSI model (open systems interconnection)

This is a 7 layer model which conceptualises movement of information from one point to another either in LAN or situated in different parts of the world.

The above abstracted model depicts a network stack, the bottom 3 layers form the Media layer - show the movement of data one point to another.
The remaining layers form the Host layers - show how information is segmented,converted into an understandable format between each layer of the model.
The information sent by the sender(web browser) flows through these layers & reaches the receiver (network card) & is sent back over the same stack to the sender.

Let's understand the important layers that perform specific functions to interact with each layer above & below it.

Physical Layer :

This layer specifies how raw bit streams should be transmitted & received between a device & a shared medium such as a Ethernet cable, fibre optic cable or Wifi.It defines characteristics such as pulse rates, modulation , the voltage levels,etc.

-The physical layer operates at the LAN level.
-Converts binary 1s & 0s to electrical, optical or radio signals

Why the need for Layer 2?

Let's take an example of a ethernet hub connecting multiple devices on a LAN

It acts as a broadcast medium.
Data transmission from one device is sent to all other devices
Cannot uniquely identify devices. Thus one to one communication is not possible

No collision control. As all devices can broadcast simultaneously, collision happens & there can be loss or scrambling of data.

Data Link Layer :

This is an important Layer of the OSI model , it allows meaningful communication between the higher layers & Layer 1. It removes the drawback of the physical layer by allowing device to device communication.
For Data Link Layer to function a fully functional physical layer should exist.It means that Layer 2 is built upon Layer 1.

This Layer introduces MAC address to identify devices & frames for effective communication.

What is MAC address?

Media access control (MAC) address are 48 bit hexadecimal addresses given to a network card.
Its a combination of OUI (Organisationally Unique Identifier)that identifies the network card manufacturer & NIC (Network Interface controller).

What is a frame?
A frame is a container sent over a shared medium to the Layer 1. Layer 1 does not understand the Frame it simply transfers & receives them in the form of electrical/optical/RF signals over the shared medium.

Lets take an example of a Ethernet frame

Here the ET denotes the Ethernet type which is the protocol used by Layer 3 to send the payload.
The destination & Source MAC uniquely identify the communicating devices. To broadcast the data to all devices the destination address can be mentioned as FF:FF:FF(all FF’s).
FCS denotes the Frame Check Sequence, its used for error detection & control.

Description of the above diagram:

Step 1: At the Source, Layer 3 sends the payload ,say in the form of a IP packet.
Step 2:This packet is encapsulated by Layer 2 into a frame as shown above & sent to layer 1 in the form of raw bits
Step 3: Layer 1 sends these bits over the shared medium to the destination Layer 1 & subsequently to Layer 2.
Step 4: Layer 2 retrieves the frame from the bits checks if the destination address is its own, extracts the IP packet & gives it to the layer 3 on the destination end , the protocol to be used in this Layer 3 is determined by the ET type.

In the OSI model,the lower layers are abstracted, it means that the devices at Layer 2 are unaware of the Layer 1. This is similar to when a user enters url in the browser & hits enter he/she is unaware of what layers the request passes through to get a corresponding response.

How does Layer 2 overcome Collision detection?

Layer 2 uses CSMA/CD (Carrier Sense Multiple Access & Collision detection) network protocol to transmit data to Layer 1.

Lets understand how this works with the example of a Switch which is the network device that functions at the Data link layer

In Layer 2, switches are intelligent devices which maintain a MAC address table as shown in the diagram above. This allows a unicast (1:1)communication.
Initially this table is empty, as say PC A starts transmitting a frame the switch makes an entry in the table for the port PC A is connected to.

In the above diagram suppose that PC A transmits a frame with destination MAC address of PC C.
Step 1.: The switch receives the frame, stores & analyses it to find the destination system & its port based on the MAC address.
Step 2: It checks if there is a carrier on the communication channel ie if there is a transmission from PC C at the same time.
Step 3: If no, frame is sent to PC C. This is how the switch implements the CSMA protocol.
Step 4: If two devices for some reason transmit frame at the same time, switch ensures that the collision only limits to the port it occurs on rather than broadcasting it to other devices as in layer 1.
Step 5: In case a collision occurs, the switch implements a back off time wherein no communication occurs on the affected port. After the back off period,a retry is done to send the frame.

This is how, Switches operating at Layer 2 help to overcome the drawbacks of Layer 1.

Layer 2 works well at the LAN,WAN level & the internet is a combination of multiple interconnected Layer 2 networks but what if we want to connect multiple devices around the world.
Then we need the layer 3 (Network Layer) which we will talk about in the part 2 of this series.