AWS on Tibor Hercz - Writing about Cloud, architecture, AWS, GCP and software engineering.

AWS ECS Auto Scaling

Fri, 12 Jul 2024 00:00:00 +0000

When I first started using AWS ECS, I was a bit confused about how to scale the service. I thought (and hoped) it was one simple setting, but it turned out to be a bit more complicated and requires various settings to be configured. This article summarizes the settings needed to enable auto-scaling for an ECS service.

Golang JWT authorizer for AWS API Gateway

Wed, 05 Jul 2023 00:00:00 +0000

When using AWS API Gateway you can use the AWS Lambda authorizer for HTTP APIs to authorize the requests. In this blog I will show you how to validate a JWT token signed with KMS in a Lambda using the Golang runtime. For the examples I am using API Gateway V2 with HTTP APIs with the v2 authorizer payload format version and for the resources I am using Terraform.

How to: Deploy Terraform to AWS with GitHub Actions authenticated with OpenID Connect

Sun, 14 May 2023 00:00:00 +0000

In the past it was very common to use AWS credentials (access token and secret) in your GitHub actions pipeline. This poses a security risk because most of the time these AWS credentials are long-lived credentials with a lot of permissions. If these credentials get leaked or misused the damage done could be huge.

Improve your AWS user management and security with AWS IAM Identity Center (SSO)

Tue, 02 May 2023 00:00:00 +0000

I have seen a lot AWS environments and noticed that it is very common that companies use AWS IAM users to log in and access the API. This can cause security issues and is time-consuming to manage but is very easy to improve by setting up AWS IAM Identity Center (Successor to AWS Single Sign-On).

Steps to take after leaking AWS credentials

Wed, 26 Apr 2023 00:00:00 +0000

So you leaked your AWS credentials onto the world wide web, and you are wondering what to do to minimize the damage. There are multiple steps that should be taken, but I do think that the order of these steps matter.

What happens when you leak AWS credentials and how AWS minimizes the damage

Wed, 05 Apr 2023 00:00:00 +0000

I heard multiple times that AWS scans public GitHub repositories for AWS credentials and informs its users of the leaked credentials.

So I am curious to see this for myself, so I decided to intentionally leak AWS credentials to a Public GitHub repository. And show you the steps I took and how I got informed about the leaked credentials.

How to interconnect on-premises network and multiple AWS VPCs

Thu, 16 Mar 2023 00:00:00 +0000

Creating a large network, connecting multiple VPC and an on-premises data center together can be done in multiple ways. In this article I will explain how to do this by using Transit Gateway and Direct Connect on a high-level.

How to view AWS accounts attached to IAM Identity Center (SSO) groups

Wed, 23 Nov 2022 00:00:00 +0000

The AWS IAM Identity Center (Successor to AWS Single Sign-On) web console can be hard to navigate when trying to view the AWS accounts attached to an AWS IAM Identity Center (Successor to AWS Single Sign-On) group. This involves a lot of going back and forth between pages to get this seemingly simple information. Having done this multiple times and wasting an equal amount of time. I took the time to create a simple Go tool aws-iam-identity-center-explorer making use of the AWS SDK to retrieve this information and output it in a JSON structure.

CloudFormation Custom Resource: Transit Gateway Peering Accepter

Mon, 11 Jul 2022 00:00:00 +0000

A Transit Gateway Peering Attachment must be accepted by the owner of the attachment. Even if both Transit Gateways are in the same account. To automate this with CloudFormation I have created a custom resource.

Best practices for S3 web hosting and explaining why

Thu, 03 Feb 2022 00:00:00 +0000

There are a lot of very good resources explaining how to set up a S3 website. But not explaining why you should choose one option over the other.

In this article I will not explain step by step how to set up a S3 website. If you are looking for that, I have added some links at the bottom of this article. Instead I will give you the best practices and support those with an explanation.

S3 website: Why your domain and bucket name must be identical

Mon, 31 Jan 2022 00:00:00 +0000

When setting up S3 website hosting you can use a Route53 alias for connecting the domain to the website bucket. This approach forces you to set identical names for the S3 bucket and domain name. In this article I will explain to you why the domain name and bucket names must be identical.

Scheduled scaling for EC2 Auto Scaling

Thu, 23 Dec 2021 00:00:00 +0000

Scheduled scaling for EC2 Auto Scaling can help out with predicable load by specifying capacity changes on a schedule. For example when a busy period is expected or to save money for your development environment scaling them down outside office hours.

How to bootstrap an AWS account with Terraform state backend

Sat, 06 Nov 2021 00:00:00 +0000

If you want to create an infrastructure CI/CD pipeline for AWS using Terraform, you want to keep the state in a remote backend. When provisioning an environment with Terraform that includes the state backend resources, you will need two actions to set up the remote state backend. In this blog I will present you with a CloudFormation template with which you can bootstrap the AWS account. This will decouple the state backend resources from the Terraform template. This allows you to use the remote backend straight away from your CI/CD pipeline.

How to access your AWS Secret Manager secrets in an Elastic Kubernetes Service cluster

Wed, 03 Nov 2021 00:00:00 +0000

By using the Kubernetes Secrets Store CSI Driver you can provide pods with secrets from the AWS Secret Manager. This allows you to use the features the Secrets Manager has to offer within your EKS cluster.