https://www.rainsbrook.co.uk/wiki/ 2026-05-01T02:44:49+00:00 https://www.rainsbrook.co.uk/wiki/ https://www.rainsbrook.co.uk/wiki/lib/exe/fetch.php?media=wiki:dokuwiki.svg text/html 2025-09-18T14:50:49+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:account&rev=1758207049&do=diff Account aws sts get-caller-identity will always work even if you have no credentials for anything else. THIS_ACCOUNT=$(aws sts get-caller-identity --query Account --output text) text/html 2025-12-19T10:47:55+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:apigateway&rev=1766141275&do=diff API Gateway Intro Lambda Test lambda to show different methods import json # Example data data = { "items": [ {"id": 1, "name": "Item 1", "price": 10.99}, {"id": 2, "name": "Item 2", "price": 15.99}, {"id": 3, "name": "Item 3", "price": 20.99}, ] } def lambda_handler(event, context): # Determine the HTTP method of the request http_method = event["httpMethod"] # Handle GET request if http_method == "GET": # Return the data in the res… text/html 2025-09-18T14:55:18+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:bash-read-in-values&rev=1758207318&do=diff BASH read in values to script #!/bin/bash CONTROL_ID=$1 if [ -z ${CONTROL_ID} ]; then echo "Please give control id as a parameter, eg ./check.sh IAM.x"; exit 1 fi echo "Set a profile with the AWS SSO:-" echo "aws configure sso --use-device-code" echo "profile name needs to be 'OrgDeployRole' " read -p "Is this set (y / n)? " yn case $yn in y|yes ) echo "ok, using control:- ${CONTROL_ID}";; n|no ) echo "exiting... You need to set this up."; exit;;… text/html 2026-01-21T11:51:23+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:cli&rev=1768996283&do=diff Amazon Web Services CLI Initial install AWS cli tool is written in python, and as python3 is the most recent, this is what will be installed. The awscli tool is installed through pip3. Consider installing this in a virtual environment (Python Virtual Env ) # yum install python3 ... edited... Install 1 Package (+3 Dependent packages) Total download size: 11 M Installed size: 51 M Is this ok [y/d/N]: y Downloading packages: (1/4): python3-3.7.0-0.20.rc1.amzn2.0.1.x86_64.rpm … text/html 2026-01-09T11:12:28+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:cloudformation-index&rev=1767957148&do=diff AWS Cloud Formation Code Examples Deploy CloudFormation from cli Using !Ref S3 and !Join Parameters, Mappings, and !Refs Cloud Formation Mappings and Output Section Example from course for best practice example AWS Lambda Function with Tags YAML AWS IAM policy in YAML VPC Parameter store IAM Policy Tags Set numeric value to string Force an string value instead of integer (join two strings with nothing, “”):- !Join ["", ["00", "1002899"]] Outputs and Exports… text/html 2025-05-30T09:38:50+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:cloudformation-lambda&rev=1748597930&do=diff lambda yaml cloudformation AWSTemplateFormatVersion: 2010-09-09 Parameters: var1: Type: CommaDelimitedList Description: general variable Resources: LambdaRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - 'sts:AssumeRole' LambdaPolicy: Type: 'AWS::IAM::Pol… text/html 2026-02-17T10:23:47+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:cloudformation-parameters-mappings-refs&rev=1771323827&do=diff Parameters, Mappings, and !Refs Parameters --- Parameters: ParameterTest: Type: String Description: Enter t2.micro, m1.small, or m1.large. Default is t2.micro. Resources: BasicParameter: Type: AWS::SSM::Parameter Properties: Name: TestPara Type: String Value: !Ref ParameterTest Description: SSM Parameter test. Tags: Environment: DEV 000 text/html 2025-10-16T15:06:26+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:cloudformation-s3&rev=1760627186&do=diff S3 buckets S3 is an Object store not a filesystem although at first glance, it can seem like one. Although S3 buckets are tied to a region, the name for a bucket must be globally unique. This can pose a problem in deploying code developed in Dev to Prod as if bucket names are hard coded, there will be a conflict beween Prod and Dev on deployment. Editing code between deployments to change a bucket name is not a great idea, but introducing a limited amount of randomness to the name can avoid th… text/html 2025-05-30T09:41:32+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:cloudformation-terraformstate&rev=1748598092&do=diff Cloudformation for Terraform State Files and Lock Table Terraform requires a state bucket and lock table before it can do any work, but you can't create these in Terraform because it needs them to do anything.... vicious circle. I've used Cloud Formation to create these, then Terraform will work as expected. text/html 2025-05-30T09:43:05+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:cloudformation_big_example&rev=1748598185&do=diff BIG Example From a course. $ aws cloudformation get-template --stack-nameMyStack --query TemplateBody --output text AWSTemplateFormatVersion: "2010-09-09" Description: > Template to build the Web Tier Parameters: VPCID: Description: VPC ID from the Base Networking Stack Type: String PUBSUBA: Description: Public Subnet A ID Type: String PUBSUBB: Description: Public Subnet B ID Type: String AppNamePram: Description: MyApp Type: String AppVerPram: … text/html 2025-05-30T09:43:38+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:cloudformation_mappings_outputs&rev=1748598218&do=diff Cloud Formation Mappings Adding in Mappings, Parameters, UserData and an Outputs section. Parameters: ServiceName: Description: "Stack Name" Type: String InstanceTypePara: Type: String Default: t2.micro AllowedValues: - t2.micro - m1.small - m1.large Description: EC2 instances SSHkey: Description: AJS ssh key Type: AWS::EC2::KeyPair::KeyName Mappings: RegionMap: eu-west-1: AMI: ami-07d9160fa81ccffb5 # Amazon Linux AMI … text/html 2025-05-30T09:44:06+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:cloudformation_refs&rev=1748598246&do=diff Create a ec2 instance and security group tied together with ''!Ref'' and an s3 bucket. Resources: Ec2Instance: Type: AWS::EC2::Instance Properties: InstanceType: t2.micro ImageId: ami-07d9160fa81ccffb5 # Amazon Linux AMI in Ireland Tags: - Key: Name Value: AJS - simple EC2 example - Key: email Value: myname@company.co.uk - Key: BuiltBy Value: CloudFormation - Key: JoinTest Value: !Join [ ":", [… text/html 2025-06-25T15:40:41+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:cloudwatch&rev=1750866041&do=diff Cloudwatch Put values in to Cloudwatch This was to make metrics available to EC2 autoscaling $ aws cloudwatch put-metric-data --metric-name current-jobs-reserved --namespace asid_ident --value 0 $ aws cloudwatch put-metric-data --metric-name current-jobs-ready --namespace asid_ident --value 0 text/html 2025-09-02T10:04:01+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:codebuild&rev=1756807441&do=diff AWS codebuild Python in Lambda buildspec.yaml version: 0.2 phases: install: commands: - echo "Installing boto3 with pip" - pip install boto3 build: commands: - echo "Running reports.py" - python3 -c 'from reports import lambda_handler; lambda_handler({}, {})' - echo "Finished reports.py" text/html 2025-05-30T09:44:47+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:deploy_cloudformation_from_cli&rev=1748598287&do=diff Deploy CloudFormation from cli This bash script uses aws cli to deploy a stack compared to using the web GUI to create a stack. Main advantage is for automation and repeatability:- #!/bin/bash #Written Andrew Stringer 01/03/2021 #Purpose to deploy a cloudformation stack from the cli. STACK_NAME='mystack-a' TEMPLATE_BODY='file://mystack-a.yaml' REGION='eu-west-1' PROFILE=$1 TAGS="Key=Name,Value=${STACK_NAME} Key=Build_Method,Value=CloudFormation Key=CostCentre,Value=12345 Key=Owner,Value=MY_… text/html 2022-05-16T17:10:59+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:dynamodb-local&rev=1652721059&do=diff Local install of AWS DynamoDB Notes Note, the local install still relies on keys and connecting to IAM on the AWS mothership, so it is not really an isolated setup. <https://medium.com/@vikramaroskar/setting-up-local-dynamodb-as-a-service-1908919d4347> Install to /usr/local/bin/dynamodb/ Start DynamoDB as service root@test-pythonwebserver:~# cat /etc/systemd/system/dynamodb.service [Unit] Description=Dynamo DB Local Service [Service] User=root # The configuration file application.properti… text/html 2025-10-13T11:01:39+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:dynamodb&rev=1760353299&do=diff Dynamo DB CLI examples Local install of AWS DynamoDB List Tables:- $ aws dynamodb --profile nonprod_admin list-tables { "TableNames": [ "lifecycle-exceptions", "github_sync" ] } $ aws dynamodb list-tables --profile nonprod_admin | jq .[][] | grep -i 'dev\|test\|nonprod' "dev-access" "dev-accounts" "dev-historic" "dev-accounts-data" "ami-builder-dev-account-contacts-data" "ami-builder-dev-pager-duty-service-data" "sharedservices-statefiles-nonprod" text/html 2025-01-03T16:29:09+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:ebsvolumes&rev=1735921749&do=diff EBS Volumes Elastic Block Storage (EBS) volumes are block storage (as opposed to object stores such as S3) and are typically attached to EC2 instances. Show encryption status of EBS Best practice is for EBS volumes to be encrypted. This script will show the volume status for each volume in the account and what it is attached to (if any). It is possible to have a volume attached to multiple ec2 instances but EBS does not handle file locking etc, so this is unusual. text/html 2025-05-28T09:16:55+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:ec2&rev=1748423815&do=diff EC2 Listing instances root@ftphost02:~/.aws# aws ec2 describe-instances --output table --query 'Reservations[].Instances[].Tags[?Key==`Name`].Value' ------------------- |DescribeInstances| +-----------------+ | Node1 | | FTP | +-----------------+ root@ftphost02:~/.aws# aws ec2 describe-instances --output table --query 'Reservations[].Instances[].[join(`,`,Tags[?Key==`Name`].Value),State.Name]' ---------------------------- | DescribeInstances | +--------------+--… text/html 2025-05-30T09:35:29+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:ec2_auto-scaling-group-launch_configurations&rev=1748597729&do=diff AWS Auto Scaling Groups / Launch Configurations In AWS in order to build an auto scaling group, we need to configure a Launch Configuraton, this is a template which defines common parameters for each ec2 instance launched in to an auto scaling group. text/html 2024-03-12T12:08:51+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:ecr&rev=1710245331&do=diff ECR $ aws ecr describe-repositories --profile nonprod_admin | jq .[][].repositoryName "ubuntu1804-infradevtools-container" Brain Dump FIXME $ aws ecr create-repository --repository-name web2048 { "repository": { "repositoryUri": "356565822870.dkr.ecr.us-west-2.amazonaws.com/web2048", "imageScanningConfiguration": { "scanOnPush": false }, "encryptionConfiguration": { "encryptionType": "AES256" }, "registryId": "356… text/html 2024-03-12T13:25:08+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:ecs&rev=1710249908&do=diff Amazon ECS cluster $ aws ecs create-cluster --cluster-name web2048 { "cluster": { "status": "ACTIVE", "defaultCapacityProviderStrategy": [], "statistics": [], "capacityProviders": [], "tags": [], "clusterName": "web2048", "settings": [ { "name": "containerInsights", "value": "disabled" } ], "registeredContainerInstancesCount": 0, "pendingTasksCount": 0, … text/html 2024-08-27T19:21:56+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:iam-assume-role-in-other-account&rev=1724786516&do=diff IAM - Assume role in other account Framework to assume a role in a different account. #!/bin/bash # Reads in a list of account numbers, assumes a set role # (with the required policy to perform whatever...) and does whatever. FILENAME='accountlist.txt' export AWS_DEFAULT_REGION='eu-west-2' while read -r ACCOUNT; do echo "Using ${ACCOUNT} to get who I am:-" aws sts get-caller-identity echo "Changing role." # get credentials to use in remote account aws sts as… text/html 2024-03-15T11:06:14+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:iam-key-age&rev=1710500774&do=diff iam-key-age # Written 24/09/2021 by Andrew Stringer # Prurpose is to detect users with AWS IAM access keys older than a certain number of days (accesskey below) # Should be run once per week via CloudWatch Events. # Uses the "email" value in Tags, so these need to be set for users. import boto3, os, time, datetime, sys, json from datetime import date from botocore.exceptions import ClientError # age of keys accesskey = 180 AWS_REGION = 'eu-west-2' iam = boto3.client('iam') email_list = []… text/html 2024-10-30T15:42:08+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:iam-policy-yaml&rev=1730302928&do=diff AWS IAM policy in YAML This reads Account Number in from Parameter Store and uses it with a !Join, IAM policies normally are in JSON, but in CF can be written in YAML, and CF translates to JSON on the fly:- --- AWSTemplateFormatVersion: 2010-09-09 Description: Security-Hub-Report Parameters: AccountNumber: Type: AWS::SSM::Parameter::Value<AccountNumber> Default: 56788765 Description: AccountNUmber Resources: Type: AWS::IAM::Policy Properties: PolicyName: Silly-Policy … text/html 2025-09-01T16:21:01+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:iam&rev=1756743661&do=diff IAM Get unused security groups #!/bin/bash #Get all security groups and check against network interfaces thety are allocated to. echo "" > security_groups.txt for SG in $(aws ec2 describe-security-groups --profile nonprod_admin | jq --raw-output '.[][] | [.GroupId, .GroupName, .Description ] | @csv') do echo $SG #echo $SG | tee security_groups.txt | cut -f1 -d | aws ec2 describe-network-interfaces --filters Name=group-id,Values=${SG} --profile nonprod_admin done # Clean up our temporary me… text/html 2025-09-18T15:01:27+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:jq-the-json-army-toolkit&rev=1758207687&do=diff JQ - the toolkit for slicing JSON jq - json parser text/html 2024-05-28T09:21:41+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:lambda-general&rev=1716888101&do=diff AWS Lambda Lambda CLI $ aws lambda list-functions --profile nonprod_admin | jq .[][].FunctionName | grep -i 'dev\|test' in lambda python, read tags in from Lambda environment:- import os TAGS = [{"Key": k, "Value": v} for k, v in json.loads(os.environ["TAGS"]).items()] create_something Tags=TAGS text/html 2025-05-30T15:05:55+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:lambda-layer-howtouse-boto3&rev=1748617555&do=diff How to use a Lambda Layer Terraform to deploy a lambda function with a layer, this deploys Boto3 as a layer, a bit strange but I needed the functionality to create an “Additional Checksum” with an s3 copy, this was not included in the version of Boto3 deployed with Lambda/Python. text/html 2025-06-16T15:37:09+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:lambda&rev=1750088229&do=diff AWS Lambda AWS Lambda How to use a Lambda Layer Lambda Layers Lambda based Lambda Layer generator text/html 2025-11-20T10:59:08+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:lambdabased-lambdalayer-orig&rev=1763636348&do=diff Orig layer gen to check and edit..... # more layer-create.py import json # import urllib.request import os import shutil import sys import subprocess import zipfile import boto3 import botocore from os import listdir from os.path import isfile, join def lambda_handler(event, context): # https://stackoverflow.com/questions/58648739/how-to-check-if-python-package-is-latest-version-programmatically?noredirect=1&lq=1 # https://www.digitalocean.com/community/tutorials/how-to-use-subpro… text/html 2025-06-16T15:38:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:lambdabased-lambdalayer&rev=1750088280&do=diff Lambda based Lambda Layer generator This idea follows on from Lambda Layers created from a BASH script. Simply put, it doesn't seem like a cloud native way of working. Spinning up either a Linux VM (if you are stuck using windows) or ec2 instance just to build a Lambda layer is an overkill and probably difficult to build with regard to running and automating. I had the idea to use Lambda to build and import the layer, it could be triggered regularly from CloudWatch events and to allow the laye… text/html 2026-01-05T14:55:15+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:lambda_layers&rev=1767624915&do=diff Lambda Layers Script to create boto3 lambda layer with latest version of boto3 and push to AWS. See here for a Lambda based Lambda Layer generator. How to use a Lambda Layer. #!/bin/bash printf "Build script for AWS boto3 Lambda Layer. \n" printf "=======================================. \n" printf "Updating system. \n" sudo yum update -y printf "\n" printf "Update python3 pip. \n" python3 -m pip install --upgrade pip printf "\n" printf "aws cli version is:- " aws --version printf "\n"… text/html 2025-07-01T13:37:55+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:list_accounts_in_org&rev=1751377075&do=diff list_accounts_in_organisations.sh #!/bin/bash # Lists just the accounts in an organiation, # suitable for redirecting to a file to iterate over # for processing something in all accounts. # This gives a text output, the default is json, --output table is also valid. aws organizations list-accounts --query 'Accounts[*].[Id]' --output text # Using jq to parse the JSON aws organizations list-accounts | jq -r '.Accounts.[].Id' text/html 2025-09-25T14:51:45+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:organisations&rev=1758811905&do=diff Organisations Get Root ID With text output:- OrgRoot=$(aws organizations list-roots --query 'Roots[0].Id' --output text) Using JQ:- OrgToot=$(aws organizations list-roots | jq -r .Roots.[0].Id) Get a list of OU's in an organisation OU_IDs=$(aws organizations describe-organization --query 'Organization.Id' --output text) text/html 2024-11-07T12:27:51+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:parameterstore&rev=1730982471&do=diff AWS Parameter Store (SSM) AWS Cli Set a parameter #aws ssm put-parameter --name "test123" --type "String" --value "MyValue" #{ # "Version": 1, # "Tier": "Standard" #} Note:- If the Value contains a URL, it will create an error:- $ aws ssm put-parameter --name "/repo/testpar3" --value "https://server/repo3.git" --description "repo_backup" --type "String" Error parsing parameter '--value': Unable to retrieve https://server/repo3.git: Could not connect to the endpoint URL: "https://server… text/html 2026-04-17T13:38:53+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:query-with-jq&rev=1776433133&do=diff Query with jq Just a fabricated joke to have a page starting with Q STANDARDS=$(aws securityhub list-standards-control-associations --security-control-id ${CONTROL_ID} | jq -r .StandardsControlAssociationSummaries.[].StandardsArn) Seriously, jq is a really useful Linux command to process and extract values from JSON formatted data - See text/html 2025-05-28T10:02:58+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:region-loop&rev=1748426578&do=diff AWS loop through regions cat region_loop.sh #!/bin/bash REGIONS=('us-east-1' 'us-east-2' 'us-west-1' 'us-west-2' 'eu-west-1' 'eu-west-2') for REGION in "${REGIONS[@]}"; do echo "${REGION}" done $ ./region_loop.sh us-east-1 us-east-2 us-west-1 us-west-2 eu-west-1 eu-west-2 text/html 2021-01-25T11:02:41+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:route53&rev=1611572561&do=diff Route 53 DNS text/html 2024-06-04T10:39:08+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:s3&rev=1717497548&do=diff S3 # create path in s3 for backup to export to print("Create s3 path") s3session.put_object(Bucket=bucket_london, Key=('redis_elasticache'+'/')) $ aws s3 ls --profile nonprod_admin | grep -i 'dev\|test\|nonprod' $ for B in $(aws s3 ls --profile nonprod_admin | grep -i 'dev\|test\|nonprod' | cut -f3 -d' '); do echo -n ${B}": " aws s3 ls --summarize --human-readable --recursive s3://${B} --profile nonprod_admin | grep -i total | tr -d '\n' echo "" done cdn-frontend Total Objects: 98 … text/html 2024-11-25T18:20:04+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:securityhub&rev=1732558804&do=diff Security Hub AWS Security Hub monitors your account and suggests security improvements you can make, these scan results are called Findings and are assessed against well known security standards from AWS, CIS and NIST and others. $ aws securityhub describe-standards { "Standards": [ { "StandardsArn": "arn:aws:securityhub:eu-west-2::standards/aws-foundational-security-best-practices/v/1.0.0", "Name": "AWS Foundational Security Best Practices v1.0.0", … text/html 2022-01-27T16:01:44+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:ses&rev=1643299304&do=diff SES $ aws ses list-configuration-sets --profile nonprod_admin | jq .[][] | grep -i 'dev\|test\|nonprod' "Name": "dev-ses-config" text/html 2025-07-09T12:49:58+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:sns&rev=1752065398&do=diff SNS Amazon Simple Notification system, uses “Topics” which users subscribe to, similar to MQTT. $ aws sns list-topics --profile nonprod_admin | jq .[][].TopicArn | grep -i 'dev\|test\|nonprod' "arn:aws:sns:eu-west-1:123456789234:AMI-lifecycle-test-ajs" "arn:aws:sns:eu-west-1:123456789234:dev-api-jwt-authoriser-dlq" "arn:aws:sns:eu-west-1:123456789234:dev-approval-workflow-approval-dlq" text/html 2022-01-27T16:00:58+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:sqs&rev=1643299258&do=diff SQS Simple Queue service $ aws sqs list-queues --profile nonprod_admin | jq .[][] | grep -i 'dev\|test\|nonprod' "https://eu-west-1.queue.amazonaws.com/123456781234/AJS-testQueue" "https://eu-west-1.queue.amazonaws.com/123456781234/dev-archive-data-queue" text/html 2025-03-19T15:36:04+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:ssm&rev=1742398564&do=diff Simple Systems Manager (SSM) Session Manager Web gui way to get ssh console. <FIXME> <https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html> text/html 2026-03-31T15:18:09+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:sso&rev=1774970289&do=diff Automating SSO AWS sso has changed, so if you are running this on a headless system over ssh for example, use aws configure sso --use-device-code. This will produce an option to open a browser and approve access there. $ aws configure sso --use-device-code <cr> SSO session name (Recommended): test123 SSO start URL [None]: https://d-1a2345ab23.awsapps.com/start/# SSO region [None]: eu-west-1 SSO registration scopes [sso:account:access]: Attempting to automatically open the SSO authorization p… text/html 2025-05-30T09:48:15+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:start&rev=1748598495&do=diff AWS Amazon Web Services Pages in this namespace: * account * apigateway * bash-read-in-values * cli * cloudformation-index * cloudformation-lambda * cloudformation-parameters-mappings-refs * cloudformation-s3 * cloudformation-terraformstate * cloudformation_big_example * cloudformation_mappings_outputs * cloudformation_refs * cloudwatch * codebuild * deploy_cloudformation_from_cli * dynamodb * dynamodb-local * ebsvolumes * ec2 * ec2_auto-scaling-group-launch_configuration… text/html 2022-01-27T15:57:26+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:statemachine&rev=1643299046&do=diff StepFunctions and State Machine List state machines $ aws stepfunctions list-state-machines --profile nonprod_admin | jq .[][].name | grep -i 'dev\|test\|nonprod' "dev-approval-workflow" "dev-get-accounts" "ami-lifecycle-dev-ami-statemachine" Core Step Function text/html 2026-01-07T11:59:38+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:sts&rev=1767787178&do=diff AWS Security Token Service Who am I?? Deep philosophy the AWS way, use sts get-caller-identity:- $ aws sts get-caller-identity --color on { "UserId": "AERRTT%ESSXXXXPZZZZZP:User1234", "Account": "987667892345", "Arn": "arn:aws:sts::987667892345:assumed-role/AWSReservedSSO_PLATFORM-Administrator_d4a391q2z49ade26/User1234" } text/html 2026-01-14T11:23:58+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:tags&rev=1768389838&do=diff Tags CLI response = iam_client.tag_role( RoleName='MyRole', Tags=[ { 'Key': 'Repo', 'Value': 'MyRepo' }, { 'Key': 'CliCreated', 'Value': 'true' }, ] ) text/html 2025-09-18T15:07:26+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:timestream&rev=1758208046&do=diff Timestream AWS Timestream is a specialised database optimised to record a stream of time based events such as logging IOT events. Example Lambda import json import boto3 import time from datetime import datetime ''' # Sample Event data { "awsAccountId": "12348765", "actionType": "NewRequest", "status": "Approved" } ''' def get_current_time_year_month(): yearmonth = datetime.now().strftime('%Y-%m') daytime = datetime.now().strftime('%d-%H:%M:%S') return yearmonth, daytime … text/html 2025-09-18T14:09:10+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:vpc-parameterstore&rev=1758204550&do=diff VPC Parameter store --- Parameters: VPCName: Type: String Description: VPC Name for test. Resources: BasicParameter: Type: AWS::SSM::Parameter Properties: Name: test-VPC-Name Type: String Value: !Ref VPCName Description: SSM Parameter test. Tags: Environment: Test text/html 2025-07-31T13:08:06+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:vpc&rev=1753967286&do=diff Virtual Private Cloud (VPC) FIXME intro blurb on VPC, AZ, subnets, IG / NAT gateway [VPC with two AZ and subnets] Show unused Security Groups #!/bin/bash #Get all security groups and check against network interfaces thety are allocated to. echo "" > security_groups.txt for SG in $(aws ec2 describe-security-groups --profile nonprod_admin | jq --raw-output '.[][] | [.GroupId, .GroupName, .Description ] | @csv') do echo $SG #echo $SG | tee security_groups.txt | cut -f1 -d | aws ec2 describe-… text/html 2025-05-30T09:42:15+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.rainsbrook.co.uk/wiki/doku.php?id=aws:yaml-in-aws&rev=1748598135&do=diff YAML YAML == Yet Another Markup Language Start of file Syntax Quotes Single quotes allow you put (with some limitations) any character in your string, similar to BASH these won’t be expanded but treated as literals, “\n” is returns just the string \n.