-
Why GCP is More Usable for Developers
Teams should weigh many qualities when choosing a cloud provider such as AWS, GCP (Google Cloud Platform) or Microsoft Azure: product offerings, familiarity, pricing and usability, among others.
Compared to AWS, Google Cloud Platform (GCP) is more usable for developers because of its core design approach to resources, projects, APIs and identities (IAM). This project-first approach avoids common bad practices like spaghetti namespaces, excessive permissions and accidental exposure. Moreover, GCP includes far more advanced logging and alerting tools, comparable to Splunk and Datadog, right out of the box.
-
Snooze to Save Money
Cloud instances bill by the hour (or the minute), and right now you're burning money. Use snooze to auto-shutdown your instances in 45 minutes. Add snooze to your ~/.bashrc:
alias snooze='sudo shutdown -c ; sudo shutdown -h +45 &'
When you want to extend your session, run snooze:
snooze
Broadcast message from ec2-user@ip-172-31-43-250 (/dev/pts/1) at 2:50 ...
The system is going down for halt in 45 minutes!
How does this work?
shutdown -c cancels any pending shutdown, and shutdown -h +45 schedules a halt in 45 minutes.
-
Using AWS IoT To Arm Blink Cameras
Blink security cameras are an affordable home security camera system. Although they lack a formal public API, inventive devs have reverse-engineered their private API to allow for better integration.
Here we'll use AWS IoT Core, Lambda and node-blink-security to arm and disarm Blink security cameras using an AWS IoT Button.
Activating Your IoT Button
The IoT Button must be configured to your account, which includes joining it to your Wi-Fi access point and installing the client certificates.
-
Free SSL Certificates using ACM (AWS Certificate Manager)
2016 may be the year of free SSL, and AWS ACM (AWS Certificate Manager) is a great offering for CloudFront and ELB users (most web apps).
Not only is it free, but it's also the simplest certificate management platform:
- request a new certificate in minutes
- no server config needed
- no certificate, chain or private key management
- automatic certificate rotation
Here's how to create a certificate and then install it onto your CloudFront distribution.
-
Using the AWS EC2 Container Registry with EC2 Container Service
AWS recently announced that its EC2 Container Registry (ECR) is now available. ECR simplifies hosting private images. Previously, you had to manually push your docker.io credentials to each EC2 instance, likely a deliberate pain point encouraging you to use ECR. With ECR, EC2 container hosts can easily fetch private images using IAM authentication.
Here are some of the gotchas and stumbling blocks to help you get your repository up quickly and painlessly.
-
Securing Your Network Using Auto-Updating Security Groups
We all know that no ports should be open to the internet for development purposes, but for convenience it's common to find a security group with port 22 (SSH) open to 0.0.0.0/0. Even narrower ingress rules can create backdoors. Here we'll show you how to create an auto-updating security group that adds your active WAN IP address when you connect. This way, only your active IP is authorized.
Create the "development" security group with no ingress
aws ec2 create-security-group --group-name=development --description="ssh access for my dev machine"
Create a limited role that can only update this security group
Since you may want to embed this script on your router or elsewhere, it's important to generate a restricted access key that can only do one thing. Create a user and add this policy:
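As an added example (my own script, not the post's), here is a POSIX shell script that ties the steps together: validate the current WAN address, emit a restricted IAM policy that can only change ingress on this one group, and swap the old /32 on port 22 for the new one. The security-group id, account id and region are placeholders, the policy wording is my assumption about what the elided policy should say, and checkip.amazonaws.com is assumed as the way to learn the WAN address.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumptions (placeholders, not from the post):
# the security-group id, account id and region below, the IAM policy wording, and
# checkip.amazonaws.com as the way to learn the current WAN address.
set -e

SG_ID="${SG_ID:-sg-0123456789abcdef0}"       # placeholder: id of the "development" group
AWS_ACCOUNT="${AWS_ACCOUNT:-123456789012}"   # placeholder account id
AWS_REGION="${AWS_REGION:-us-east-1}"

# Validate a bare IPv4 address and print it as a /32 CIDR; fail on anything else
# (a hostname, an IPv6 address, garbage from a lookup service) so we never
# authorize a rule we did not intend.
to_cidr() {
  ip="$1"
  case "$ip" in *[!0-9.]*|"") return 1 ;; esac
  old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
  printf '%s/32\n' "$ip"
}

# IAM policy for the limited user: ingress changes are allowed only on this one
# group's ARN; DescribeSecurityGroups has no resource-level restriction, so it gets "*".
restricted_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
      "Resource": "arn:aws:ec2:${AWS_REGION}:${AWS_ACCOUNT}:security-group/${SG_ID}"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeSecurityGroups",
      "Resource": "*"
    }
  ]
}
EOF
}

# Print the aws commands that make port 22 allow exactly NEW_CIDR: revoke every
# other current CIDR, and authorize NEW_CIDR unless it is already present.
# Usage: ingress_update_commands NEW_CIDR [CURRENT_CIDR ...]
ingress_update_commands() {
  new="$1"; shift
  keep=0
  for old in "$@"; do
    if [ "$old" = "$new" ]; then
      keep=1
    else
      echo "aws ec2 revoke-security-group-ingress --group-id $SG_ID --protocol tcp --port 22 --cidr $old"
    fi
  done
  [ "$keep" -eq 1 ] || echo "aws ec2 authorize-security-group-ingress --group-id $SG_ID --protocol tcp --port 22 --cidr $new"
}

# Live update: read the CIDRs currently allowed on port 22, then apply the diff.
update_ssh_rule() {
  new="$(to_cidr "$1")" || { echo "not a plain IPv4 address: $1" >&2; return 1; }
  current="$(aws ec2 describe-security-groups --group-ids "$SG_ID" --output text \
    --query 'SecurityGroups[0].IpPermissions[?FromPort==`22`].IpRanges[].CidrIp')"
  # $current is intentionally unquoted: the text output is tab-separated CIDRs.
  ingress_update_commands "$new" $current | sh
}

# Run the live update only when asked, e.g. RUN_UPDATE=1 ./ssh-allow.sh [address]
if [ "${RUN_UPDATE:-0}" = "1" ]; then
  update_ssh_rule "${1:-$(curl -s https://checkip.amazonaws.com)}"
fi
```

Because the policy names the group ARN in Resource, a leaked key from the router can edit that one group and nothing else; pair it with a CloudTrail alert on AuthorizeSecurityGroupIngress if you want to see every change.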
-
Delegating Admin Credentials using IAM Roles and Cloudwatch Alerts
It's hard to strike the right balance with admin rights: either the rights are too strict and people can't get work done, or they're too lenient and you have security issues.
As a compromise, AWS provides the AssumeRole feature, which lets admins temporarily escalate their role to perform a task. It's important when setting this up that you alert the team when it's used. Here we'll talk about how to set up the roles, give teams access to the roles and create an alert system for when the roles are assumed.
-
HTTP Redirects with CloudFront & S3
Redirects can account for a significant share of direct traffic, so taking a few minutes to optimize them is worthwhile.
Using CloudFront and S3 for redirects will improve responsiveness, reduce server load and simplify management (since they are managed via aws-cli or the console). Let's say you have a typical .htaccess redirect like this:
RewriteEngine On
### re-direct to www
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Or worse, it could look like this in your index.php
-
OpsWorks -- Quickly Listing Hosts on the Command Line
Here's a great example of using the aws-cli to speed up your life. Uses jq and aws-cli.
# bash / zsh function
function opsworks-hosts-prod () {
  # list the public DNS name of every instance in the stack, skipping instances without one
  aws opsworks describe-instances --stack-id=fffff-fffff-ffff-fff-fffffff \
    | jq -r '.Instances[].PublicDns | select(. != null)'
}
# usage
$ opsworks-hosts-prod
XXXXX.compute-1.amazonaws.com
XXXXX.compute-1.amazonaws.com
XXXXX.compute-1.amazonaws.com
XXXXX.compute-1.amazonaws.com
-
First Things First, on AWS
I was chatting with a buddy who was moving his web sites from dedicated hosting to AWS. Let's just say the FTUE (first-time user experience) isn't great. That triggered a quick brain-dump of what you should do when you first get started with AWS.
- Understand pets vs. cattle. In AWS all resources should be "cattle", not pets. Periodically terminate instances to test this.
- Activate CloudTrail (in all regions). Use Loggly to index CloudTrail (free or ~$20/mo).
- Create restricted IAM users. Never use your root account. Activate MFA.
- Use IAM EC2 instance roles instead of stored credentials whenever possible.
- Get familiar with IAM management (use managed policies, groups and the policy tool).
- Start using OpsWorks. Avoid launching EC2 instances directly through the console; it quickly becomes a management nightmare.
- Activate Trusted Advisor (and pay for the $100/mo upgrade).
- Start creating CloudWatch alerts.
- Activate Librato ($30/mo) and send CloudWatch metrics to Librato.
- Use Loggly or CloudWatch Logs.
- Get familiar with VPC and security groups. Use POLP (the principle of least privilege) when creating security groups.
- Understand regions and AZs; get familiar with cross-region latency.
- Use multi-AZ RDS and extend the backup retention.
- Use the AWS forums; activate your forum account.
-
OpsWorks before_migrate.rb
OpsWorks is a convenient, powerful and free service provided by AWS to simplify the management of EC2 nodes. The real power of the system is exposed by customizing various stages of the instance lifecycle with custom-tailored chef-solo recipes.
While Amazon provides a powerful deployment layer for PHP applications, it stops short once the PHP code has been checked out of git. For Laravel or other Composer apps, you'll have to customize your deployment. The most elegant and straightforward method is through custom deployment hooks. Here's how to build a before_migrate.rb script to build a Laravel app.