Friday, April 17, 2015

AWS IAM Managed Policy - Please let it not be restricted

Today's definition of a Read Only user might be good only for today, given that new AWS Services and Capabilities are being released quite frequently. Today's read-only user wouldn't be able to use the new AWS Service which went live and opened for public use last night; this is purely due to the way the IAM Policy document was constructed, as it would cite each verb and AWS Service explicitly. Though the policy can be edited, it may have to be edited in multiple places for Roles / Groups / User Profiles.

There wasn't a placeholder which would define and hold the policy(ies)'s permissions together. The closest was to cookie-cut the policies together. Long story short, though the READ-ONLY Group and READ-ONLY Role would have the same set of permissions, there wouldn't be a relationship/link which could be leveraged. Managed Policy was like a godsend to the AWS Cloud.

Things would get messier still when resource-level permissions are being used.

The best part was the categorization into AWS Managed Policy and Customer Managed Policy. So all the changes can be effectively done at a single place.

I tried to sketch a picture of how we visualize the scenario (below). The whole idea is to effectively leverage the power of the indirection introduced between IAM entities and the attachment of the Managed IAM Policies. We would like to have a Managed IAM Policy Library [ a mix of out of the box – AWS Managed Policies and Custom Managed Policies ] and have them attached to the IAM entities.

Having the possibility to attach only 2 Managed Policies to an IAM Entity would be a major limiting factor ( in my opinion ) to getting the full potential of the Managed Policies [ Version Control, Easy Attachment & Detachment ]. Functionality-wise, the limit of just 2 wouldn't stop one from defining an IAM Entity [ concatenate all IAM policy document content ], but it would be pretty exciting to define any IAM Entity [ User, Role, Group ] with any number of the Lego blocks from the Managed Library; again, the best part is that all of the Lego blocks are version controlled with rollback. The policy definition can be done in a single place without having to do a dependency check (or reverse engineering).

In short, the current count of 2 wouldn't be an adoption enabler against the traditional inline policies, considering the possibilities & potential of the Managed Policies.
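The missing link between a READ-ONLY Group and a READ-ONLY Role that carry the same inline permissions can be made visible before migrating to managed policies. The following is an added example, not code from the original post: it compares inline policy documents by their permissions and groups the entities that could share one managed policy. The entity names, policy names and documents are constructed sample data.

```python
import json
from collections import defaultdict

LIST_KEYS = ("Action", "NotAction", "Resource", "NotResource")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def canonical(policy_doc):
    """Reduce a policy document to a comparable string: Version, Sid labels,
    statement order, list order, string-vs-list form and action case are ignored."""
    statements = []
    for stmt in _as_list(policy_doc["Statement"]):
        norm = {k: v for k, v in stmt.items() if k != "Sid"}
        for key in LIST_KEYS:
            if key in norm:
                values = _as_list(norm[key])
                if key.endswith("Action"):      # IAM action names are case-insensitive
                    values = [v.lower() for v in values]
                norm[key] = sorted(values)
        statements.append(json.dumps(norm, sort_keys=True))
    return "\n".join(sorted(statements))

def consolidation_candidates(inline_policies):
    """Group entities whose inline policies grant the same permissions.
    Each returned group could be served by one managed policy attachment."""
    by_permissions = defaultdict(list)
    for (entity_type, entity_name, _policy_name), doc in inline_policies.items():
        by_permissions[canonical(doc)].append(f"{entity_type}/{entity_name}")
    return sorted(sorted(ents) for ents in by_permissions.values() if len(ents) > 1)

# Constructed sample: (entity type, entity name, inline policy name) -> document
SAMPLE_INLINE = {
    ("group", "READ-ONLY", "ro"): {"Version": "2012-10-17", "Statement": [
        {"Sid": "Read", "Effect": "Allow",
         "Action": ["s3:Get*", "ec2:Describe*"], "Resource": "*"}]},
    ("role", "READ-ONLY", "ro-copy"): {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": ["EC2:Describe*", "s3:Get*"], "Resource": ["*"]}},
    ("user", "auditor", "ro-old"): {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]},
}

if __name__ == "__main__":
    for group in consolidation_candidates(SAMPLE_INLINE):
        print("same permissions, no link:", ", ".join(group))
```

Entities that fall out of a group they used to belong to are the copies that have drifted, which is the dependency check a single managed policy makes unnecessary.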

Wednesday, January 28, 2015

Resource Id for CloudTrail to view AWS Config CI logs

AWS Config is an amazing way to track the changes and relationships among the various AWS Services. It provides a little bit of the perspective of CDC - Change Data Capture functionality across the AWS Services used under the account.

Recently I tried to look for changes in one of AWS Config's cousins [ CloudTrail ] to see information such as when CloudTrail logging was initiated. The Lookup by Resource ID accepts the CloudTrail Trail's Name - [ What is CloudTrail Trail's Name ? ] I tried all possible combinations of CloudTrail, S3 Bucket Name, empty; but none of them succeeded.

It turned out to be Default [ D in upper case ]; I got this information after contacting AWS via the AWS Forums.

Hope this helps.

Friday, January 9, 2015

SOLVED : Request could not be satisfied - Amazon Directory Service

You can create a new Amazon Directory Service - AD Connector or Simple AD, with or without On-Premises AD Settings. Once done, you need to provide an Access URL by choosing a keyword, which will go along with the URL. After that, you need to explicitly enable the Apps & Services [ Amazon Workspaces, Amazon Zocalo, AWS Management Console ] individually.

The AWS Management Console can take the URL as

Even when the Access URL and other necessary configurations are done, you would nevertheless be prompted with an error page [ CloudFront Error Page ] stating - Request Could Not Be Satisfied, as below.

The simple fix for that problem is to just wait for another couple of minutes, for CloudFront to pick up your AD apps' web artefacts and distribute them to its edge locations.

Tuesday, January 6, 2015

AWS Directory Service - AD Connector - A Short Overview

I really like the types of Services Amazon is concentrating on these days - Directory Services, Zocalo, Containers, Lambda etc.; this clearly shows the length and breadth of Innovation Areas in AWS. Let's look at what AWS Directory Service AD Connector is, this time.

What is AD Connector ?

  • AD Connector is a SaaS-like offering - Plug and Play Service; fully managed by Amazon
  • Make use of existing Active Directory Running On-Premises / Cloud to Authenticate and Authorize AWS Console and AWS Resources; this means you don't need to create & manage IAM users from AWS Console, but make use of the AD which is already configured in your data center.
  • Continue using centralized credentials, users, access, policy from the same Corporate Directory; but this time for the AWS Console & AWS Resources.
  • The Directory Synchronization, Availability, Connectivity and Federation are taken care of by the service
  • The MFA authentication can also be enabled if required.

What are the Prerequisites ?

  • VPC with 2 Subnets in different Availability Zones
  • Hardware VPN Connection to AWS VPC 
  • Firewall & Ports opened for 53 (DNS), 88 (Kerberos), 389(LDAP) - TCP / UDP appropriately
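
A pre-flight check for the port prerequisite, as an added example that is not part of the original post: it takes the ingress rules of the domain controller's security group (in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`) and reports which of ports 53, 88 and 389 are not reachable from each AD Connector subnet. The CIDR ranges and rules are constructed sample data, and requiring both TCP and UDP on every port is an assumption drawn from the "TCP / UDP" wording above.

```python
import ipaddress

REQUIRED_PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP"}
PROTOCOLS = ("tcp", "udp")   # assumption: each port is needed on both protocols

def rule_covers(rule, proto, port, subnet):
    """True if one ingress rule admits proto/port from the whole subnet."""
    if rule["IpProtocol"] != "-1":                     # "-1" means all traffic
        if rule["IpProtocol"] != proto:
            return False
        if not rule["FromPort"] <= port <= rule["ToPort"]:
            return False
    # Only CIDR sources are evaluated; security-group references are ignored here.
    return any(subnet.subnet_of(ipaddress.ip_network(r["CidrIp"]))
               for r in rule.get("IpRanges", []))

def missing_openings(ip_permissions, connector_subnets):
    """Return (subnet, protocol, port) tuples the connector could not reach."""
    missing = []
    for cidr in connector_subnets:
        subnet = ipaddress.ip_network(cidr)
        for port in REQUIRED_PORTS:
            for proto in PROTOCOLS:
                if not any(rule_covers(r, proto, port, subnet) for r in ip_permissions):
                    missing.append((cidr, proto, port))
    return missing

def _rule(proto, port, cidr):
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

# Constructed sample: two connector subnets and the domain controller's ingress rules
CONNECTOR_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]
DC_INGRESS = [
    _rule("tcp", 53, "10.0.0.0/16"), _rule("udp", 53, "10.0.0.0/16"),
    _rule("tcp", 88, "10.0.0.0/16"), _rule("udp", 88, "10.0.1.0/24"),
    _rule("tcp", 389, "10.0.0.0/16"),
]

if __name__ == "__main__":
    for cidr, proto, port in missing_openings(DC_INGRESS, CONNECTOR_SUBNETS):
        print(f"{cidr}: {proto}/{port} ({REQUIRED_PORTS[port]}) is not open")
```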

What are your Responsibilities ?

  • Creation of IAM Roles to map the Active Directory Users / Groups
  • Ensure the Uptime & Connectivity of the On-Premises Active Directory

What are the AWS Resources created by AD Connector in the Account ?

I was able to observe the following automatically created in my account when I successfully finished creating & configuring AD Connector.
  • 2 ENIs ( Placed in the specified Subnets )
  • 2 Security Groups ( Each having All Traffic enabled between themselves )

Can it be used for AD already running in EC2 ?

  • Yes, actually this post illustrates that exact use case.


Installation & Setup

  • Once the Active Directory Domain Services are installed in the EC2 instance, you will need details like the user name & password, NetBIOS name and Directory DNS name.
  • The important thing to note here is to use the PRIVATE IP of the EC2 Instance ( for this scenario )
  • Once the setup is completed you get to see the status.

The access URL would be configured as the entry point to AWS Console ( and / or Amazon Workspaces, Amazon Zocalo ). Once done, you need to explicitly enable the AWS Management Console Access.

You would now be prompted with a dialogue box to start the wizard for IAM Role and AD User Association

Click on New Role - this would be an IAM Role

Both new IAM Role Creation and Modifying existing Role(s) can be done in this step

When choosing Create New Role, you would notice predefined IAM Role templates similar to those in Identity and Access Control in the AWS Management Console.

On navigating to the next step, you can search for existing Users / Groups, which are populated from your Active Directory.

Now, the specified IAM Role and AD User ( or Group ) are associated. With this your AD users can start using the AWS Management Console with the same AD credentials.

When you log in to the Access URL - you would be prompted to enter the Organization Name (public endpoint - without the in the URL), user name and password ( from your AD )

AWS Management Console

Saturday, December 20, 2014

Packt $5 eBook Bonanza

Following the success of last year’s festive offer, Packt Publishing will be celebrating the holiday season with an even bigger $5 offer. 

From Thursday 18th December, every eBook and video will be available on the publisher’s website for just $5. Customers are invited to purchase as many as they like before the offer ends on Tuesday January 6th, making it the perfect opportunity to try something new or to take your skills to the next level as 2015 begins.

With all $5 products available in a range of formats and DRM-free, customers will find great value content delivered exactly how they want it across Packt’s website this Xmas and New Year.
Find out more at

Saturday, November 22, 2014

Amazon Zocalo - The Silver Lining for Enterprises

Amazon Zocalo is now Amazon WorkDocs


Zocalo is the new, fully managed, self-service document collaboration and management service introduced by Amazon Web Services, which encompasses administration and mobile / PC apps fully out of the box, with support for offline document access. Zocalo also readily allows enterprises to link up their corporate Active Directory for Access and Authentication.

Key Features & Overview

Amazon Zocalo’s key capabilities can be categorized as Storage, Administration, Document Management & Feedback, and PC & Mobile Support.


Storage

All the documents are stored in reliable infrastructure that is fully managed by Amazon Web Services. There is essentially no limit on the amount of data and number of documents you can store in Zocalo. The explicit storage limit for each user can be optionally enforced by an administrator.


Administration

The administration of a Zocalo site for users and storage comes out of the box. The administration portal is web based and can be accessed from the latest versions of all popular browsers. Administrators can create new users or alternatively link up the Corporate Active Directory and sync it to Zocalo, enable / disable users, and set explicit limits on the storage for a user's account.

Document Management & Feedback

The documents can be accessed and reviewed directly from the Zocalo web portal. The document management features of Zocalo don't stop at merely document access over web or devices, but also support collaboration by allowing the documents to be shared and requested for comments or review, optionally setting a deadline with reminders. With the built-in Versioning Capability in Zocalo, naming the files with v1, v2, v3 would be a distant past, and older or other versions are easy to access. Documents can be uploaded using the web portal or synced via the PC / Mac using the Zocalo sync applications.

The documents can also be shared externally, outside the corporation, with fine-grained control for each file by setting access controls like read-only, download disabled etc. The external access permissions to the documents can be revoked any time.

Any type of file can be stored in Zocalo. Zocalo supports instant access and review for Microsoft Office files (Word, Excel, and PowerPoint), PDFs, images and text files. The files can be downloaded to your local machine, and optionally the downloaded documents can also include the review comments.

You can create and edit your files as usual using the standard applications; once the document is ready it can be released as a newer version and the contributors notified.

System & Mobile Support

While the Zocalo portal for file access and review can be accessed through the web portal, the Amazon Zocalo Service extends its offering to the major tablet platforms - iPad, Android Tablet and Amazon Kindle Fire; the apps can be downloaded from the respective app marketplaces for free. Using the mobile apps one can perform the same document sharing, review and commenting that is possible using the web interface. The best part is having the documents and files available offline: even with no network access you can still review the documents, and the new reviews would sync as and when the tablet connects back to the internet.

The documents can be uploaded to Zocalo via the portal using the browser; you can also sync the files from your local machine using the free Sync application. There are sync clients for PC (Windows 7) and Mac (OS X 10.7 +).

Zocalo for Enterprise

There are several reasons why Zocalo makes a good candidate for Enterprise Document Management and Storage viz.

Region Specific

The Zocalo site would be created in the specified Amazon Region, like US-East-1 (Virginia), and the documents and data would never leave that region. This addresses one of the major requirements: that the data be stored only in the territory where the business is operated.

Access Logs

Zocalo brings along reports detailing the activity of the users in a Zocalo site, like documents viewed, downloaded, document ownership transfers etc. These types of logs are mandatory for several compliance standards.

Integrate with Existing Active Directory

Zocalo can be easily linked to the Corporate Active Directory; this avoids introducing yet another access management system.

Make use of Direct Connect to access Corporate Active Directory

Amazon Direct Connect (DX) is a service offering which enables enterprises to connect directly to Amazon's Data Centers over a dedicated line; this makes the communication between the Enterprise and Amazon Zocalo more secure, faster and more reliable, with guaranteed bandwidth.

Complements Amazon Workspaces

Amazon Workspaces is a fully managed desktop computing service (VDI - Virtual Desktop Infrastructure) which provides cloud-based desktops with access to documents and applications over laptops, iPad, Kindle Fire, Android tablet etc. Every Amazon Workspaces account is topped up with a FREE Zocalo account with storage of 50 GB per month; additional storage can always be upgraded for a reduced monthly subscription fee.

Leverage Enterprise Productivity along with Existing Investment of Office Suite - Microsoft Office

Nothing would change or be removed from the corporate applications and tools ecosystem to bring in Zocalo to the enterprise. Rather Zocalo would form a creamy layer with enhanced collaboration for Microsoft Office Word, Excel, PowerPoint files.

Share Zocalo Documents Contents Externally with ease 

Inviting an external 3rd Party legal firm to review the documents is just a click away for which the access can be read-only / download-disabled. The access can be revoked any time.

Zocalo Cost overview

The charges are prorated for average usage for the month if a user is removed / disabled / added in the middle of a given month. Beyond 200GB, the pricing works out in a pay-as-you-go model per GB per month for that particular user.

If you use Amazon Workspaces, you will get a free Zocalo account with 50GB per month for every Workspaces account; additional storage can be added in the pay-as-you-go model.
