Thursday, April 30, 2015

Presented AWS & Cloud 101 at RMK Engineering College

Friday, April 17, 2015

AWS IAM Managed Policy - Please let it not be restricted

Today's definition of a "read only" user is good only for today, given how frequently new AWS services and capabilities are released. Today's read-only user cannot use the service that went live and opened for public use last night; this is purely due to the way the IAM policy document is constructed, since it cites each AWS service and verb explicitly. The policy can be edited, but the same edit has to be repeated in multiple places for Roles / Groups / User Profiles.

There was no placeholder that would define and hold a set of permissions in one place. The closest you could get was to cookie-cut the same policy document onto each entity. Long story short, although the READ-ONLY Group and the READ-ONLY Role had the same set of permissions, there was no relationship or link between them that could be leveraged. Managed Policies are a godsend for the AWS cloud.

Things get messier still when resource-level permissions are in use.

The best part is the split into AWS Managed Policies and Customer Managed Policies, so that all changes can be made effectively in a single place.

I tried to sketch how we visualize the scenario (below). The whole idea is to leverage the indirection introduced between IAM entities and the attachment of Managed IAM Policies: maintain a Managed IAM Policy library [a mix of out-of-the-box AWS Managed Policies and Customer Managed Policies] and attach its policies to the IAM entities.

Being able to attach only 2 Managed Policies to an IAM entity is, in my opinion, a major limiting factor in getting the full potential out of Managed Policies [version control, easy attachment and detachment]. Functionally the limit of 2 does not stop you from defining an IAM entity [concatenate all the policy document content into one policy], but it would be far more useful to define any IAM entity [User, Role, Group] from any number of Lego blocks in the managed library; and the best part is that every Lego block is version controlled with rollback. The policy definition would then be done in a single place, without having to do a dependency check (or reverse engineering) to find every copy.

In short, the current count of 2 is not an adoption enabler over traditional inline policies, considering the possibilities and potential of Managed Policies.
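
To make the indirection concrete, here is a small Python model added to this post (it is not AWS code and not AWS's own policy evaluation engine). It implements only what the argument needs: Allow/Deny statements, Action matching with IAM-style '*' and '?' wildcards, a managed policy with numbered versions and a default version, and the per-entity attachment limit of 2 described above. Resource-level matching and Condition keys are left out, and the "newsvc" actions are placeholders for a service launched after the read-only policy was written, not real AWS actions.

```python
"""Inline policy copies versus one versioned Customer Managed Policy.

Added illustration, not AWS code. Models Allow/Deny, Action wildcards,
policy versions with a default, and the attachment limit from the post.
Resource-level permissions and Condition keys are deliberately omitted.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

MANAGED_ATTACH_LIMIT = 2  # limit described in the post: 2 managed policies per entity


def action_matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive; '*' and '?' behave like shell globs."""
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate(documents, action: str) -> bool:
    """Evaluate all attached documents together: an explicit Deny anywhere wins,
    otherwise any matching Allow grants, otherwise the implicit deny applies."""
    allowed = False
    for doc in documents:
        for stmt in doc["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if any(action_matches(p, action) for p in actions):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


@dataclass
class ManagedPolicy:
    """Numbered versions (v1, v2, ...) plus a default version, mirroring the
    CreatePolicyVersion / SetDefaultPolicyVersion model of IAM managed policies."""
    name: str
    versions: list = field(default_factory=list)
    default_version: int = 1

    def create_version(self, document, set_as_default: bool = True) -> int:
        self.versions.append(document)
        if set_as_default:
            self.default_version = len(self.versions)
        return len(self.versions)

    def set_default_version(self, version: int) -> None:
        if not 1 <= version <= len(self.versions):
            raise ValueError(f"{self.name} has no version v{version}")
        self.default_version = version

    @property
    def document(self):
        return self.versions[self.default_version - 1]


@dataclass
class Entity:
    """An IAM user, group or role: inline documents plus attached managed policies."""
    name: str
    inline: list = field(default_factory=list)
    attached: list = field(default_factory=list)

    def attach(self, policy: ManagedPolicy) -> None:
        if len(self.attached) >= MANAGED_ATTACH_LIMIT:
            raise ValueError(f"{self.name}: at most {MANAGED_ATTACH_LIMIT} managed policies")
        self.attached.append(policy)

    def is_allowed(self, action: str) -> bool:
        return evaluate(self.inline + [p.document for p in self.attached], action)


READ_ONLY_V1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "s3:Get*", "s3:List*", "iam:Get*", "iam:List*"]}]}
# v2 adds the read verbs of a service that did not exist when v1 was written ("newsvc" is a placeholder)
READ_ONLY_V2 = {"Version": "2012-10-17", "Statement": READ_ONLY_V1["Statement"] + [
    {"Effect": "Allow", "Resource": "*", "Action": ["newsvc:Describe*", "newsvc:List*"]}]}
NEW_ACTION = "newsvc:ListThings"  # placeholder action on the new service


def demo() -> dict:
    """Compare both approaches; returns who may call NEW_ACTION at each step."""
    names = ("ReadOnlyGroup", "ReadOnlyRole")
    # Inline: the same document copied onto each entity; fixing one copy fixes one entity.
    inline = [Entity(n, inline=[dict(READ_ONLY_V1)]) for n in names]
    inline[0].inline[0] = READ_ONLY_V2  # the admin remembers the group, forgets the role
    results = {"inline_after_update": {e.name: e.is_allowed(NEW_ACTION) for e in inline}}
    # Managed: one policy attached to both; a new default version updates every attachment.
    policy = ManagedPolicy("ReadOnlyLego")
    policy.create_version(READ_ONLY_V1)
    managed = [Entity(n) for n in names]
    for e in managed:
        e.attach(policy)
    results["managed_before_v2"] = {e.name: e.is_allowed(NEW_ACTION) for e in managed}
    policy.create_version(READ_ONLY_V2)
    results["managed_after_v2"] = {e.name: e.is_allowed(NEW_ACTION) for e in managed}
    policy.set_default_version(1)  # rollback, again done in exactly one place
    results["managed_after_rollback"] = {e.name: e.is_allowed(NEW_ACTION) for e in managed}
    return results
```

Run `demo()` and compare the dictionaries: with inline copies the group and the role drift apart after the update, while with the managed policy both follow the default version in lock step, including the rollback. The attachment limit is enforced in `Entity.attach`, so a third Lego block has to be merged into one of the two documents, which is exactly the concatenation workaround described above.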

Wednesday, January 28, 2015

Resource Id for CloudTrail to view AWS Config CI logs

AWS Config is an amazing way to track changes to, and relationships among, the various AWS resources. It provides a bit of CDC - Change Data Capture - perspective across the AWS services used under the account.

Recently I tried to look for changes to one of AWS Config's cousins [CloudTrail], to see information such as when CloudTrail logging was initiated. The Lookup by Resource ID accepts the CloudTrail trail's name - [what is a CloudTrail trail's name?]. I tried all the combinations I could think of: CloudTrail, the S3 bucket name, empty; none of them succeeded.

It turned out to be Default [with an upper-case D]; I got this information after asking AWS on the AWS Forums.

Hope this helps.

Friday, January 9, 2015

SOLVED : Request could not be satisfied - Amazon Directory Service

You can create a new Amazon Directory Service directory - AD Connector or Simple AD - with or without on-premises AD settings. Once done, you need to provide an Access URL by choosing a keyword for the public endpoint; after that you have to explicitly enable each of the apps and services [Amazon WorkSpaces, Amazon Zocalo, AWS Management Console] individually.

The AWS Management Console can take the URL as

Even with the Access URL and the other necessary configuration done, you may still be prompted with an error page [a CloudFront error page] stating "Request Could Not be Satisfied", as below.

The simple fix is to just wait another couple of minutes for CloudFront to pick up your AD app's web artefacts and distribute them to its edge locations.

Tuesday, January 6, 2015

AWS Directory Service - AD Connector - A Short Overview

I really like the types of services Amazon is concentrating on these days - Directory Service, Zocalo, Containers, Lambda etc.; this clearly shows the length and breadth of the innovation areas in AWS. This time, let's look into what the AWS Directory Service AD Connector is.

What is AD Connector ?

  • AD Connector is a SaaS-like offering - a plug-and-play service, fully managed by Amazon
  • Make use of an existing Active Directory running on-premises / in the cloud to authenticate and authorize access to the AWS Console and AWS resources; this means you don't need to create and manage IAM users from the AWS Console, but can make use of the AD that is already configured in your data center.
  • Continue using centralized credentials, users, access and policy from the same corporate directory; but this time for the AWS Console and AWS resources.
  • Directory connectivity, availability and federation are taken care of by the service
  • MFA authentication can also be enabled if required.

What are the Prerequisites ?

  • VPC with 2 subnets in different Availability Zones
  • Hardware VPN connection to the AWS VPC
  • Firewall and ports opened for 53 (DNS), 88 (Kerberos), 389 (LDAP) - TCP / UDP as appropriate
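
Before running the AD Connector wizard it is worth confirming the firewall prerequisite from inside the VPC. The following Python script is an added example (not part of the original post or of AWS tooling) to be run from an instance in one of the two subnets: it checks TCP 53, 88 and 389 with a plain connect and, since UDP has no handshake, checks UDP/53 by sending a real DNS SOA query for the directory DNS name and waiting for an answer with a matching transaction id and RCODE 0. `DC_HOST` and `DIRECTORY_DNS_NAME` are placeholders for your own domain controller address and directory name.

```python
"""Check that the AD Connector ports (DNS 53, Kerberos 88, LDAP 389) are
reachable on the domain controller from a VPC subnet.

Added example, not AWS tooling. TCP ports are checked with a connect; UDP/53
is checked with a hand-built DNS query so that a reply proves the path.
"""
import random
import socket
import struct

DC_HOST = "10.0.0.10"                    # placeholder: private IP of the DC (EC2 or on-prem)
DIRECTORY_DNS_NAME = "corp.example.com"  # placeholder: directory DNS name given to the wizard
REQUIRED_TCP_PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP"}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_tcp_ports(host: str, ports=REQUIRED_TCP_PORTS, timeout: float = 2.0) -> dict:
    """Map each required port to whether it is reachable over TCP."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def build_dns_query(name: str, qtype: int = 6, txn_id=None) -> bytes:
    """Minimal RFC 1035 query: one question, recursion desired, no EDNS.
    qtype 6 = SOA (the DC is authoritative for its own zone), 33 = SRV."""
    if txn_id is None:
        txn_id = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns_header(data: bytes) -> dict:
    """Return id, QR flag, AA flag and RCODE from a DNS message header."""
    txn_id, flags = struct.unpack("!HH", data[:4])
    return {"id": txn_id, "qr": bool(flags & 0x8000),
            "aa": bool(flags & 0x0400), "rcode": flags & 0x000F}


def udp_dns_answers(host: str, name: str, timeout: float = 2.0) -> bool:
    """True if the DC answers a UDP/53 SOA query for name with matching id and RCODE 0."""
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, 53))
            data, _ = s.recvfrom(512)
        except OSError:
            return False
    if len(data) < 12:
        return False
    hdr = parse_dns_header(data)
    return hdr["qr"] and hdr["id"] == parse_dns_header(query)["id"] and hdr["rcode"] == 0


def loopback_self_check() -> bool:
    """Exercise tcp_reachable against a throwaway loopback listener (works offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return tcp_reachable("127.0.0.1", srv.getsockname()[1], timeout=1.0)


if __name__ == "__main__":
    for port, ok in check_tcp_ports(DC_HOST).items():
        print(f"TCP {port:>3} {REQUIRED_TCP_PORTS[port]:<8} {'open' if ok else 'BLOCKED'}")
    dns_ok = udp_dns_answers(DC_HOST, DIRECTORY_DNS_NAME)
    print(f"UDP  53 DNS      {'answers' if dns_ok else 'no reply'}")
```

A BLOCKED TCP port or a DNS query with no reply points at the VPN, the on-premises firewall or the security group on the DC rather than at AD Connector itself; Kerberos over UDP/88 is not probed here because an unauthenticated probe has no well-formed request that a DC must answer.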

What are your Responsibilities ?
  • Creation of IAM Roles to map to Active Directory users / groups
  • Ensuring the uptime and connectivity of the on-premises Active Directory

What are the AWS Resources created by AD Connector in the Account ?

I observed the following created automatically in my account once the AD Connector had been successfully created and configured.
  • 2 ENIs (placed in the specified subnets)
  • 2 Security Groups (each allowing all traffic between themselves)

Can it be used for AD already running in EC2 ?

  • Yes. In fact this post illustrates exactly that use case.


Installation & Setup

  • Once Active Directory Domain Services is installed on the EC2 instance, you will need details like the user name and password, the NetBIOS name and the directory DNS name.
  • The important thing to note here is to use the PRIVATE IP of the EC2 instance (for this scenario).
  • Once the setup is completed you get to see the status.

The Access URL is configured as the entry point to the AWS Console (and / or Amazon WorkSpaces, Amazon Zocalo). Once done, you need to explicitly enable AWS Management Console access.

You will now be prompted with a dialogue box to start the wizard for IAM Role and AD User association.

Click on New Role - this will be an IAM Role.

Both creating a new IAM Role and modifying existing Role(s) can be done in this step.

When choosing Create New Role, you will notice the same predefined IAM Role templates as in the IAM section of the AWS Management Console.

On navigating to the next step, you can search for existing users / groups, which are populated from your Active Directory.

Now the specified IAM Role and AD user (or group) are associated. With this, your AD users can start using the AWS Management Console with their AD credentials.

When you log in to the Access URL, you will be prompted to enter the Organization Name (public endpoint - without the in the URL), user name and password (from your AD).

AWS Management Console

Saturday, December 20, 2014

Packt $5 eBook Bonanza

Following the success of last year’s festive offer, Packt Publishing will be celebrating the holiday season with an even bigger $5 offer. 

From Thursday 18th December, every eBook and video will be available on the publisher’s website for just $5. Customers are invited to purchase as many as they like before the offer ends on Tuesday January 6th, making it the perfect opportunity to try something new or to take your skills to the next level as 2015 begins.

With all $5 products available in a range of formats and DRM-free, customers will find great value content delivered exactly how they want it across Packt’s website this Xmas and New Year.
Find out more at