Drunk on technology https://nerdydrunk.info/ 2026-04-21T10:18:15+00:00 https://nerdydrunk.info/ https://nerdydrunk.info/_media/wiki:favicon.ico text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:blogs?rev=1658400099&do=diff Useful AWS Blog Entries aws blog Blog Entries Centralized multi-account and multi-Region patching with AWS Systems Manager Automation. <https://aws.amazon.com/blogs/mt/centralized-multi-account-and-multi-region-patching-with-aws-systems-manager-automation/> Automate deployment of IAM policies across multiple accounts with CloudFormation. <https://aws.amazon.com/blogs/mt/supercharge-multi-account-management-with-aws-cloudformation/> Monitor use of root account. <https://aws.amazon.com/blo… text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:client-vpn?rev=1658400099&do=diff AWS Client VPN aws sso Description * <https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html> * <https://aws.amazon.com/blogs/networking-and-content-delivery/authenticate-aws-client-vpn-users-with-saml/> * <https://aws.amazon.com/blogs/apn/how-to-integrate-aws-client-vpn-with-azure-active-directory/> * <https://codeburst.io/the-aws-client-vpn-federated-authentication-missing-example-655e0a1ff7f4> * <https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentic… text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:cloudshell?rev=1658400099&do=diff AWS CloudShell aws Description The AWS CLI in AWS CloudShell can be configured to use cross account IAM roles for a custom profile. This could be helpful if you need to script running commands on multiple AWS accounts. To configure this you need to add a custom profile with a credential source of ECS Container. text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:cloudwatch?rev=1658400099&do=diff AWS CloudWatch aws linux Current Amazon has made it much easier to use the Amazon CloudWatch Agent by making it open source (<https://github.com/aws/amazon-cloudwatch-agent/>), available via package managers, and including a configuration wizard. Here are my notes on my initial testing. * Update EC2 instance role to include new IAM policy text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:gateway_load_balancer?rev=1658400099&do=diff AWS Gateway Load Balancer aws vyos gwlb Description * <https://aws.amazon.com/blogs/aws/introducing-aws-gateway-load-balancer-easy-deployment-scalability-and-high-availability-for-partner-appliances/> * <https://github.com/aws-samples/aws-gateway-load-balancer-code-samples/tree/main/aws-cli> * <https://github.com/aws-samples/aws-gateway-load-balancer-code-samples/tree/main/aws-cloudformation/distributed_architecture> Diagram Testing Network Below are the networks and route tables tha… text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:n2wcpm?rev=1658400099&do=diff N2WS CPM aws linux n2ws cpm letsencrypt As of 2018-03-11 I have was having issues with using a Lets Encrypt SSL certificate on my N2WS CPM server. I found that the apache server was not providing the intermediary certificate when provided in a chained format in “SSLCertificateFile /opt/n2wsoftware/cert/cpm_server.crt text/html 2022-07-24T13:19:56+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:roles_anywhere?rev=1658668796&do=diff AWS Roles Anywhere aws python First you need a certificate authority CA Option 1 Use <https://github.com/OpenVPN/easy-rsa> to create certificate authority and certificates. AWS Client VPN has a good example of how to use it <https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#mutual>. CA Option 2 Create OCI Certificate Authority Create certificate signing request (CSR) with extension text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:route53?rev=1658400099&do=diff AWS Route53 aws dns route53 When using Route53 to host a zone that is managed by a different registrar you will need to add the AWS name servers to the other registrar. When adding the NS records AWS will list the name servers with the ending “.”, some registrars will not accept the NS record with the ending text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:s3policy?rev=1658400099&do=diff S3 Bucket Policy aws If account 111111111111 owns S3 bucket “examplebucket” and wants to allow admin users in account 222222222222 list and write access the following policy can be used. If non admin users in account 222222222222 need list or write access that would have to be granted via user policy in account 222222222222. text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:sso-abac?rev=1658400099&do=diff AWS Single Sign-On ABAC aws okta azure-ad g-suite saml Prerequisites / Assumptions * An external IdP (Azure AD, Okta, G-Suite) is already integrated and working with AWS SSO * AWS SSO and permission sets are being used to access AWS accounts * <TAGNAME> is IdP attribute name (Department) text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:tgw_appliance_mode?rev=1658400099&do=diff AWS Transit Gateway Appliance Mode aws vyos tgw Description While I was looking through some API changes for EC2 (<https://awsapichanges.info/archive/changes/12caed-ec2.html>) I noticed mention of “Appliance Mode” for the Transit Gateway. I also found the VPC Transit Gateway documentation (<https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html>) that related to this and has a very nice summary. I decided to expand on the summary and perform my own testing. text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:vpc-inbound-routing-multiple-interface?rev=1658400099&do=diff VPC Inbound Routing Multiple Interface This deployment allows the use of a VyOS instance to control access to an Apache instance via VPC inbound routing. With this deployment you can still use the public IP or EIP to access the Apache instance. I also have a text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:vpc-inbound-routing-single-interface?rev=1658400099&do=diff VPC Inbound Routing Single Interface This deployment allows the use of a VyOS instance to control access to an Apache instance via VPC inbound routing. With this deployment you can still use the public IP or EIP to access the Apache instance. I also have a text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:vpc-to-vpc-vpn?rev=1658400099&do=diff AWS VPC VGW to VPC VGW Site to Site VPN aws vpn First off, DO NOT DO THIS! This design uses only AWS VPC Virtual Private Gateway VPNs for establishing connectivity. There are much better, and more affordable, ways of establishing connectivity between two VPCs such as VPC peering, Transit Gateways, and Transit VPC. This was a test to see how AWS VPC networking has evolved from when I first started using AWS in August 2016 to its current state as of September 2020. When I first started with … text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:vpn-full-tunnel?rev=1658400099&do=diff AWS VPN Full Tunnel aws cisco asa ubiquiti edgerouter routing Description The following configuration will route all traffic, including internet traffic, from the office, over the site to site VPN to AWS, and egress from AWS. This can be useful if centralized content filtering needs to be done and will be located in AWS. This also works for VPCs that are attached to the Transit Gateway. text/html 2022-07-21T10:41:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://nerdydrunk.info/aws:vpn?rev=1658400099&do=diff AWS VPN aws cisco asa ios routing velocloud sd-wan Cisco ASA I have found that if the VPN isn't configured in the following way then only the Inside interface subnet or the AnyConnect client subnet can exclusively pass traffic across the site to site VPN to AWS. This is due to AWS only supporting one security association for the VPN and is a good example of what behavior to expect with only one security association.