AWS on zoph.me

Speeding Up IAMTrail: One Boto3 Process Instead of 1,500 CLI Invocations

Sat, 04 Apr 2026 07:37:00 +0200

The 46-Minute Problem

The IAMTrail detection engine fetches ~1,500 AWS managed IAM policies every run. The original approach was pure bash:

aws iam list-policies --output json |
    jq -cr '...' |
    xargs -P 16 -n3 sh -c \
      'aws iam get-policy-version --policy-arn $1 --version-id $2 | jq --indent 4 . > "policies/$3"' sh

Looks fine, right? Except each iteration spawns a full AWS CLI process. That means a fresh Python runtime, boto3 import, credential resolution, one single HTTP call, then exit. Times 1,500.

IAMTrail.com: The AWS Managed Policy Archive (Evolved from MAMIP)

Thu, 23 Oct 2025 13:37:00 +0200

📜 The Origins

Back in 2019, Scott Piper started a GitHub repository to track changes to AWS Managed Policies. It was a simple setup, manually triggered but it worked well and was incredibly useful. Using git diff or the Github.com UI, Scott and the community could easily see how policies evolved over time.

At that time, AWS didn’t publicly share the changes made to managed policies by the various “two-pizza” product teams inside AWS.

AWS CloudFormation Phishing Attack: A Growing Threat

Mon, 10 Feb 2025 13:37:00 +0200

✨ Introduction

It starts with an innocuous-looking email. The sender claims to be AWS Support, warning the recipient about an urgent security issue. A single button labeled “Launch Stack” is prominently placed, urging immediate action. What appears to be a standard security advisory is, in reality, the gateway to a sophisticated AWS account takeover attempt.

Threat actors are exploiting AWS CloudFormation StackSets in phishing campaigns designed to compromise AWS environments. Originally reported by Rami McCarthy back in 2022 and by Scott Piper in this blog post (2021), this technique continues to evolve, demonstrating how adversaries leverage AWS automation against its own users.

AWS Mixtape: Summer 2024

Sun, 01 Sep 2024 13:37:00 +0200

Busy Holidays? You’ll find below my preferred papers from this summer, 2024 🏖️

Cloud Security

Infrastructure

Engineering

That’s all, folks! 👋🏼

Thoughts on Indie AWS Consulting in 2025

Sun, 25 Aug 2024 13:37:00 +0200

Background

I started my career in the glass industry as a SysAdmin, specifically in a glass factory crafting fragrance bottles and bottles for pharmaceutical industries in the north of France. Since then, I’ve focused on IT security and cloud computing.

After many full-time positions for Microsoft, French Logistic Railroad, and IT consulting firms, I decided to run my AWS consulting boutique by myself 5 years ago.

Just at the beginning of the pandemic, what a visionary…

Proxy Logs: Preserving Client IPs in AWS PrivateLink

Sun, 18 Aug 2024 13:37:00 +0200

Purpose

Recently, I was working on a centralized explicit proxy service for one of my customers using a well-known Squid Internet proxy.

The infrastructure is built on top of a shared AWS account hosting all standard infrastructure services, such as Internet Proxy, SOCKS5 Proxy, DNS Resolvers, ADDC, Centralized logging, and much more.

Consumers are using the Internet Proxy service from multiple child AWS accounts and regions within the client AWS Organization thanks to AWS PrivateLink.

Over Architecting on Public Cloud

Sun, 04 Aug 2024 13:37:00 +0200

Following a post from my friend Julien Delange (Tech Ramblings) on software over-engineering, I want to share my thoughts about over-architecting in my preferred field of Public Cloud Architecture.

Background

I have been doing Cloud Architecture for more than ten years and have seen many different scenarios and use cases, from startups to GAFAM and multiple company verticals, from TV audience measurement to Gambling and Energy Producers. I also frequently challenge my fellow architects’ decisions.

About AWS Security Digest acquisition

Wed, 31 Jul 2024 13:37:00 +0200

📜 History

In late 2020, I was floored by the number of announcements, changes, re:Invent releases, and blog posts that AWS pushes every week.

Then, I decided to automate part of my weekly routine to stay up to date. The idea was to get a digest email summary of what was going on. It was very helpful for my job as an Indie AWS Security Consultant.

A few weeks later, I decided to open my weekly digest to external subscribers, as I believed it could interest folks in the same field. Here we were with the ASD Newsletter in January 2021.

Brewing the Best in AWS Security: Top Reads of the Year

Sun, 17 Dec 2023 13:37:00 +0200

As we welcome 2024, I’m excited to share a special post for the AWS Security Digest Newsletter. It’s been a remarkable year, and your engagement has made it even more so.

🔗 I’ve compiled the top 5 most-clicked links from our 2023 editions.

These links represent the most intriguing, informative, and impactful topics in the AWS Security landscape.

1️⃣ Enabling Just-In-Time (JIT) Access for AWS S3 Buckets
2️⃣ Actionable AWS Security Best Practices [Cheat Sheet]
3️⃣ AWS Security Foundations For Dummies
4️⃣ Bare minimum AWS Security Alerting and Configuration
5️⃣ AWS ImdsPacketAnalyzer

👨‍🍳 Why a Chef? You might wonder about the image. In our newsletter, we ‘cook’ complex AWS concepts into digestible insights, much like a chef preparing a gourmet meal. This theme has been a fun and integral part of our journey.

Elevate your AWS Security with basic alerting

Sun, 12 Feb 2023 13:37:00 +0200

As businesses continue to adopt cloud computing and move their operations to the cloud, it’s crucial to ensure the security of their cloud environment. Amazon Web Services (AWS) is the leading cloud platform, but with the ease of use comes the responsibility of securing the data, applications, and services deployed on the cloud.

AWS provides a vast array of security services, but it can be challenging to keep track of all the activities and changes happening in your AWS account. That’s where the AWS Security Survival Kit (ASSK) comes in. This comprehensive and free open-source kit sets up basic proactive monitoring and alerting on common suspicious activities in your AWS account.

Introducing Subnet-Watcher: Observability for your AWS Subnets

Sun, 08 Jan 2023 13:37:00 +0200

Are you tired of manually checking your AWS subnets to make sure they’re not approaching the free remaining IP limit? Look no further than Subnet-Watcher, an open-source tool I’ve developed at zoph.io.

Subnet-Watcher allows you to automatically check your subnets for a variety of metrics, such as whether they have the correct number of available IP addresses, or the number of detached ENIs. It also allows you to take action if any of these conditions are not met, such as sending an email notification and automatically recording a CloudWatch Metric.

Update on being Independent [3 years later]

Sat, 07 Jan 2023 13:37:00 +0200

TL;DR

Key takeaways:

Building trust and relationships with a community of experts is crucial for success.
Continuously staying up-to-date with the latest trends and best practices in your field and maintaining a curious mindset is important for delivering innovative solutions.
Diversifying your business streams, such as through a SaaS product or newsletter, can help to increase success and growth.
Being a freelancer offers autonomy and independence, but it’s important to also consider the scalability of your business.

As my business as an independent AWS consultant enters its fourth year, I am proud to reflect on the growth and success I have achieved over these past few years.

How to deal with unused assets on AWS?

Sun, 29 May 2022 13:37:00 +0200

💸 Rational

Using the public cloud will let you do experiments, iterate, test new services and new capabilities; it will unleash the potential of your teams to do innovation and, in the end, reduce the time to market with innovative products.

Cloud computing comes with a promise: “Pay as you go”.

In fact, this statement is partially true. However, it is only accurate if you take care – really care – of your active assets on your Cloud Service Provider (CSP).

The day when the AWS Support got access to your S3 data

Wed, 22 Dec 2021 13:37:00 +0200

Update from: 2021-12-23

Official Security bulletin from AWS AWSSupportServiceRolePolicy Informational Update

https://aws.amazon.com/security/security-bulletins/AWS-2021-007/

You will find below details about the security incident that led to this unattended access for millions of AWS customers.

On 22nd December 2021, AWS deployed a new version (v20) of AWSSupportServiceRolePolicy, used by a mandatory role AWSServiceRoleForSupport for AWS Support access to all AWS Accounts. In this policy, they added the action s3:getObject, which gives AWS Support teams access to all customer Amazon S3 data.

Serverless AWS WebRedirect

Sun, 07 Nov 2021 13:37:00 +0200

Rationale

Lately, I was looking for a small automation to deploy a simple web redirect for a domain name hosted on Amazon Route 53. I didn’t find anything relevant, so I’ve decided to do it by myself. The goal was to have a subdomain redirect to a totally different domain and path using minimal effort and infrastructure.

From: asd.zoph.io
To: http://awssecuritydigest.com

Schema

Tradeoff

It does not support https, but you can use http as an entrypoint, and then redirect traffic to https as needed.

How to deal with custom recorder of AWS Config?

Sun, 15 Aug 2021 13:37:00 +0200

Disclaimer: I’m not a REGEX expert :smile:

Lately, I was working for one of my customers on a custom configuration of AWS Config recorder.

My customer wanted to record all resources using AWS Config, except for a few of them:

'AWS::EC2::Subnet'
'AWS::EC2::VPC'
'AWS::EC2::SecurityGroup'

Unfortunately, the AWS API and Console do not allow you to do this; you have to manually cherry-pick which resource you want to record.

The trade-off of this method is that if a new AWS Config resource type is released, it won’t be recorded until you manually select it in your AWS Config recorder settings.

Does AWS drink its own champagne? 🍾

Tue, 06 Apr 2021 13:37:00 +0200

TL;DR: AWS Managed Policies are safe. Currently.

:arrows_counterclockwise: Previously in Policy Validation

Before the AWS Access Analyzer (AA) Policy Validation release, a few open source initiatives were available to lint AWS IAM Policies, like Parliament from Duolabs and CloudSplaining (Salesforce).

The tricky part of these tools is that they are community-driven, from volunteer contributors, and most of the master data comes from AWS IAM docs web scraping. It is difficult to maintain over time, especially if the documentation format is changing, or if the documentation is not in sync with the IAM reality. It will be easier for everyone if the one who is providing the rules is the one who creates the validation tool to run against these rules. Isn’t it?

Keeping you posted on AWS Security

Fri, 22 Jan 2021 13:37:00 +0200

Since my last post on how to deal with information overload and reading pipeline, I’ve created a free digest newsletter about AWS Security.

The goal of this curated AWS Security Digest is to condense what happened last week, from the most relevant sources:

🔦 A highlight of the week
👮 Changes since last week on AWS Managed IAM Policies
💌 Curated cloud security newsletters
👀 AWS API changes
🔒 IAM permissions changes
🆙 Most upvoted posts on r/AWS
🔗 Top shared links on Twitter (by cloudsec folks)
🐦 Most engaged tweets from the community

This is an ongoing side project, so more content will be added over time.

How to deal with information overload?

Sat, 19 Dec 2020 13:37:00 +0200

Disclaimer

This post contains affiliate links.

Introduction

As you know, in Information Technology, things are evolving fast. Too fast to stay up to date without losing your mind to information overload/fatigue.

To remediate that, I will give you my daily/weekly routine and tips to stay focused on your tasks/objectives without missing anything interesting, and to assimilate it at your own pace.

Daily Routine

In the morning, I’m reading my Brew. Mailbrew gives you the ability to craft your own newsletter based on your most interesting content, like tweets with the most engagement from your favorite Twitter accounts, Newsletters, most upvoted Sub-reddit posts, daily calendar schedule, most interesting Hacker News posts and so on. Crafted just by you and for you.

AWS Starter Kit - 2020 Edition

Fri, 10 Jul 2020 13:37:00 +0200

This post was updated in July 2020. It was originally my first post on this blog in December 2016. 👴

I’m often asked by many colleagues, friends, or Twitter followers where to start with Amazon Web Services (AWS). In this post, I will try to explain where you should start in 2020.

I’ll try to write this post as I wish I had when I got into this technology in 2016.

Turn your AWS DevSecOps Pipeline into a bunker

Thu, 18 Jun 2020 13:37:00 +0200

This post was co-authored by Teddy Ferdinand. Who is working as Cloud Security Architect 🐻

Introduction

In this series, we will talk about the emergence of the DevSecOps movement, and more especially, what the benefits are of introducing a DevSecOps approach to your existing CI/CD Pipelines.

CI/CD Pipeline

To give you some context, you will find in the diagram below a standard DevOps CI/CD Pipeline.

DevSecWhat?

DevSecOps could be defined as a shift from a central internal security team to the inclusion of security practices in the existing DevOps teams: DevSecOps 🎉

Update on being Independent [6 months later]

Mon, 01 Jun 2020 13:37:00 +0200

This post is the second part of a series about my journey as an Independent AWS Cloud Architect.

Status

As I already told you in the first part, I started my own business in early January 2020.

After the first 6 months of being an Independent AWS Architect in France, I’m very happy with this move, no regret, and I don’t see any upcoming U-turn to come back as a full-time employee.

GitHub Actions with AWS: Hands-On

Sun, 29 Mar 2020 13:37:00 +0200

Hi Folks,

Lately, I was experimenting with GitHub Actions (GHA), as it has been a buzzword since General Availability (GA), but I didn’t take the time to try it before. I’ve done it for you folks. 🙌

Context

GHA was released on GA in November 2019, the main features are:

Automate development workflows (CI/CD): build, test, deploy
Hosted runners / self-hosted runners
Automate the management of your GH Community: PR, Code Reviews, or Issue Tracking
Built-in secrets store

[MAMIP] Monitor AWS Managed IAM Policies

Sat, 22 Feb 2020 13:37:00 +0200

This article was originally posted in September 2019. Updated in February 2020.

Disclaimer

Thanks to @0xdabbad00 from SummitRoute for the original idea and jq parsing.

Purpose

When your production workloads rely on AWS IAM Managed Policies (don’t do this), you will need to be notified when changes occur behind the scenes. It’s also interesting to monitor new AWS service releases ahead of the announcements to get spoiled.

This pet project automates the retrieval (every 4 hours) of new AWS Managed IAM Policies to make it easier to monitor and get alerted when changes occur (by AWS), using the “Watch” feature on GitHub, RSS or a dedicated Twitter Account.

Easily reduce by 70% your AWS Fargate bills

Sun, 16 Feb 2020 13:37:00 +0200

Quick post today about cost saving on AWS. As you know, two of my preferred subjects on Public Cloud are Security and FinOps!

Recently, AWS introduced a way to reduce AWS bills by up to 70% using Spot instances with the AWS Fargate service.

It’s really easy to use. If your workload is interruption-proof, batch jobs, or CI/CD containers, don’t hesitate to use it to drastically reduce your workload costs.

Using Terraform, you just have to specify capacity_providers and/or default_capacity_provider_strategy on your aws_ecs_cluster resource.

qTweet - SQS to Twitter Speaker

Wed, 05 Feb 2020 13:37:00 +0200

qTweet is a dead simple AWS SQS to Twitter serverless speaker :speaker:.

Publish message :love_letter: to SQS (FIFO), Lambda function will handle publishing it to Twitter. Automagically. :tada:

To be honest, my plan is to automate the tweet of certain information using this queue in multiple side projects.

As usual, I’m sharing this with you folks as I was not able to find an equivalent in GitHub / Open source projects. I hope it could be useful to someone else.

CloudWatch Synthetics - Canary testing

Sun, 02 Feb 2020 13:37:00 +0200

Canary What?

In software testing, a canary (also called a canary test) is a push of programming code changes to a small number of end-users who have not volunteered to test anything. The goal of a canary test is to make sure code changes are transparent and work in a real-world environment.

Canary tests, which are often automated, are run after testing in a sandbox environment has been completed. Because the canary is only pushed to a small number of users, its impact is relatively small should the new code prove to be buggy and changes can be reversed quickly.

On being Independent

Wed, 01 Jan 2020 13:37:00 +0200

In December 2019, I’ve decided to switch from a long-time (15 years) habit of Full-Time Employee (FTE) contracts to running my own business as an Independent AWS Cloud Architect.

This decision came to me after a few disappointments from my past experiences as a traditional employee/consultant, and I had been thinking about this switch for several years.

It was the perfect time for me to start this new challenge:

I’ve no plan to take a homebuyer’s loan for the next few years.
I’m confident regarding my AWS skills now, even if I still have a lot to learn.
My network is now large enough to easily get new opportunities (friends, ex-colleagues, acquaintances, social network).
My wife is working and has an FTE job.

I will focus on value delivery to my customers as a freelance consultant, in the following areas: Modern Cloud Architecture Design, Security Assessments, Reliability, Automation, Cost-Effectiveness, Training and so on.

AWS Security Toolbox (AST)

Mon, 16 Dec 2019 13:37:00 +0200

In my day-to-day job, I was wasting time reinstalling and dealing with the dependencies of all my favorite tools for AWS Security Audits and Assessments.

So, lately, I’ve decided to start another pet project trying to solve this issue and provide a simple Docker container with all the security-related tooling for your AWS Assessments.

I’ve decided to open-source it. After some discussion with my peers, they were interested in this kind of stuff to avoid wasting hours installing a myriad of apps and Python dependencies on their own laptop or customer machine.

Serverless job scheduling using AWS Fargate

Sun, 22 Sep 2019 13:37:00 +0200

I was wondering if I could schedule simple bash scripts using AWS Fargate for some trivial batch operations.

To be completely honest, it is also an excuse to learn more about AWS Fargate, and to convert a legacy bash script based on EC2 Spot instances to a container world.

In this post, we will see how to schedule a bash script job once a day. To do so, we will deploy the corresponding AWS infrastructure (even if it’s serverless, yes :wink:) using Terraform.

Automate your SQL & NoSQL databases with AWS Managed Services

Sun, 15 Sep 2019 13:37:00 +0200

Disclaimer: This article was written with my co-author: Sandro aka Khrarec. thx dude.

Introduction

With the rise of cloud managed services comes a very important one: the databases. So, what’s a managed database service?

Basically, a database is a server-side software like MySQL, MariaDB, PostgreSQL, or for NoSQL, Redis, MongoDB, etc. But when you install and build your database server that way, it means you have to manage the configuration, which is sometimes very tricky. You might make some mistakes that can kill performance.

[FR] AWS re:Inforce 2019

Mon, 15 Jul 2019 13:37:00 +0200

re:Inforce 2019

Il s’agit de la première édition de cette conférence AWS dédiée à la sécurité de ce Cloud Service Provider (CSP). AWS est actuellement en train de proposer de nouveaux événements et summits sur des sujets spécifiques, en plus de l’événement annuel, le re:Invent.

Cette conférence aura lieu chaque année dans une ville différente des États-Unis, il est question de Houston pour l’année prochaine.

https://reinforce.awsevents.com/

J’ai eu l’occasion de participer au re:Cap du re:Inforce proposé par AWS France, voici en synthèse, les éléments à ne pas manquer.

AWS Transfer for SFTP

Mon, 10 Jun 2019 13:37:00 +0200

Info: This is our first post in a series of co-authored articles with @kharec.

Serverless SFTP with AWS Transfer for SFTP

Sometimes in the web world, we need to quickly deploy a space to share data with programs or with other humans.

One of the numerous solutions is an SFTP space out there. But you know: create the server, configure the service, partition the users, the permissions, the folders, etc. It gets heavy faster than a speeding bullet!

Enable Default Encryption for EBS (Worldwide)

Mon, 10 Jun 2019 13:37:00 +0200

Following the announced new opt-in option regarding the default encryption of EBS volumes a few days ago, I’ve made a small Python script to enable this feature on all AWS regions within an AWS account. Quick and ~~Dirty~~ Simple.

This is an example. Use it at your own risk, and test it before applying to production, as usual :)

import boto3

AWS_REGION = 'eu-west-1'
session = boto3.Session(region_name=AWS_REGION)
ec2 = session.client('ec2')

def main(event, context):
    ec2_regions = [region['RegionName'] for region in ec2.describe_regions()['Regions']]
    # For all AWS Regions
    for region in ec2_regions:
        conn = boto3.client('ec2', region_name=region)
        print ("Checking AWS Region: " + region)
        status = conn.get_ebs_encryption_by_default()
        print ("===="*10)
        result = status["EbsEncryptionByDefault"]
        if result == True:
            print ("Activated, nothing to do")
        else:
            print("Not activated, activation in progress")
            conn.enable_ebs_encryption_by_default()

if __name__ == '__main__':
    main(0,0)

That’s all folks!

My Pet Projects

Thu, 30 May 2019 13:37:00 +0200

In this article, I will describe my current pet projects. These are mainly excuses to learn something new, or exercises to go deeper into particular technologies, but could be (I hope) useful for you too.

Don’t hesitate to issue enhancements, bug fixes (PR), or just give it a try and share your thoughts.

Instance Watcher

:construction_worker: Tech: Lambda, Python, Serverless Application Model (SAM), SES

This app will scan your AWS Account against all EC2 regions worldwide and notify you by email when you have some running EC2 instances. It’s useful for non-production environments that you need to monitor. Use case: labs/training, sandbox accounts.

My DevOps toolbox for AWS practitioner

Thu, 14 Feb 2019 22:31:32 +0200

In this post, you will find my best tools to work with if you are playing around with AWS services.

Please let us know yours in the comments below :punch:

Last Update: 2019-02-14

General :construction:

Description	Links
Use multiple AWS Accounts on the same browser using Firefox Containers	Firefox Containers
Facilitate your switch role experience with this AddOn	FF - Extend Switch Roles - Chrome - Extend Switch Roles
Easy way to know your current public ip, using AWS Service	What is my Public IP
Check if any website is hosted on AWS	Is It on AWS?
Test the reachability of EC2 worldwide	EC2 Reachability
A great reference for IAM, needs to be updated	Cloudonaut IAM Reference
AWS Transfer costs are a nightmare, this is intended to help a bit	AWS Transfer Costs
Want to know the current inter AWS Region latency?	Inter-Region Latency
THE REFERENCE (don’t forget the associate Slack)	AWS Open Guide

FinOps :dollar:

Description	Links
Compare all existing EC2 instances, and pricing on a single view, with search capabilities	ec2instances.info
Well known AWS Calculator, a new version is coming	AWS Calc

Infrastructure as Code (IaC) :memo:

Description	Links
Great post if you plan to use VSCode with CFN	VSCode
Linter for CFN, and really up-to-date!	cfn-lint
PyCharm is my preferred IDE for Terraform with this plugin	Terraform

Security / Governance / Hardening :flashlight:

Description	Links
Cloud Governance, Security and compliance made easy	Cloud Custodian
Entirely nuke an AWS Account (warning), for example, training accounts	aws-nuke
Store your AWS credentials encrypted, with other cool features like login	AWS-Vault
Least Privileges tool from 0xdabbad00, using Athena and CloudTrail	CloudTracker
Map / Audit your AWS environments, and much more, Thanks again Scott	CloudMapper

Schema :triangular_ruler:

Description	Links
Schema / Design your Architecture (with new AWS icons)	Draw.io
Same, with some advanced paid features ($)	CloudCraft

See ya Folks.

From Plumber to Blogger

Tue, 29 Jan 2019 22:31:32 +0200

Previously I wrote an article on my blog’s pipeline. It was quite complex for this dead simple use case:

Publish a static website from markdown files
Automate build to convert markdown into html static pages using Jekyll
Be able to preview articles with a draft subdomain

A few months ago, during re:Invent'18, AWS launched a new service called AWS Amplify Console. I didn’t pay attention to this new service until a few days ago, when trying to find some optimizations around my blog.

[FR] Re:Invent 2018

Thu, 27 Dec 2018 22:31:32 +0200

Retour sur une semaine incroyable et riche en annonces comme à l’accoutumée pour cette nouvelle édition du salon annuel Amazon Web Services (AWS) à Las Vegas.

Dans cet article, nous allons revenir sur les principaux lancements de cette année, des plus importants aux plus inattendus.

Quelques chiffres avant de commencer, AWS est un business avec un CA de 27Mds$, avec une croissance de 46-49%. Cette année, le re:Invent c’est 50 000 participants annoncés, répartis sur les 5 principaux casinos de Las Vegas.

AWS re:Invent'18 - re:Cap

Sun, 02 Dec 2018 22:31:32 +0200

Pre-re:Invent'18 Launches 🚀 (November 2018)

re:Invent'18 (Nov. 26-30, 2018 - Las Vegas, NV)

🚀 = Launch

How do I prepare AWS Certifications

Sun, 05 Aug 2018 22:31:32 +0200

Updated on: 2019-04-20

Currently, I’ve successfully passed the following AWS Certifications: AWS Solutions Architect - Professional, AWS Security Specialty, AWS Developer Associate, AWS Architect Associate and AWS SysOps Associate.

In this post, I will show you how I prepare for AWS Certifications.

To start, please find below the current Certification roadmap:

Why AWS Certifications?

It is always a benefit to validate your knowledge with the official certification path from the vendor. It’s a recognition for your skills like all other IT certifications, but AWS certifications are well recognized in the IT area.

Stress website with a Beehive (with machineguns 🔫)

Sun, 18 Mar 2018 22:31:32 +0200

Warning I deny any responsibility for using this article to launch an assault on a website that you don’t own.

TL;DR

In this article, you will find a procedure to launch a distributed load test of ApacheBench (AB) on your website. I will use BeesWithMachineGuns.

Requirements

Boto / awscli
Python 2.6 - 3.6
paramiko

Installation

aws configure with your credentials
sudo pip install https://github.com/newsapps/beeswithmachineguns/archive/master.zip

Launch ssh-agent, add your key:

Copy your EC2 ssh-key pair to your instance, in /home/ec2-user/.ssh/. This key will be used to launch bees.

Using Athena & QuickSight for ALB-ELB Access Logs Analysis

Sun, 18 Feb 2018 22:31:32 +0200

In this article, I will describe how to use Athena and QuickSight to do BI/DataViz on your current Load Balancer Access Logs on AWS: ELB and ALB.

From AWS: “Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.”

In a few minutes, you will be able to query your access logs, even if you have a huge amount of logs, with this serverless service. I will show you how to use the AWS DataViz product called QuickSight to get some great visuals.

[FR] Backup Jeedom sur AWS S3

Fri, 12 Jan 2018 22:31:32 +0200

Dans cet article, nous allons voir comment sauvegarder vos backups Jeedom dans le Cloud Amazon.

Ok, mais combien ça coûte Amazon Web Services (AWS) ?

Je pars du principe que vous avez un backup par jour pendant 1 an à sauvegarder, chaque backup fait 100 Mo (le double de ma sauvegarde actuelle)

La première année pendant le FreeTier : 0,74$/mois
La deuxième année après le FreeTier : 0,86$/mois

Evidemment il n’y a aucun intérêt de garder autant de versions, un mois est à mon sens largement suffisant.

[Deprecated] Jekyll CBCD Pipeline to the Cloud

Mon, 20 Nov 2017 22:31:32 +0200

Update 29/01/2019 Since AWS Amplify is out, please find a newer version here.

Update 09/02/2018 I’ve updated this article to remove the EC2 used for draft check (for cost saving). I’m now using an S3 bucket with a custom _config.yml.

Requirement: Before reading this article, please find these how-tos to publish a simple static Jekyll website to S3 using ACM SSL and CloudFront CDN. here, here, or here.

I know, you will tell me, why are you using such a workload to publish a simple blog? It sounds crazy! Why not use Medium instead? The answer is to get my own custom blog platform, and to play with AWS tools and services.

Update Route53 with home public IP or from EC2 Metadata

Fri, 10 Nov 2017 22:31:32 +0200

In this post, you will find how to update AWS Route53 from your current public IP (ISP) and how to use EC2 instance metadata to change your DNS A Record.

Requirements

To use this script, you will need:

awscli (pip install awscli)
dig (apt-get install dnsutils)

Update Route53 with your current home Public IP

First, I was facing an issue with my current ISP with a non-static IP address, so I found a useful script to update AWS Route53 daily from my Raspberry Pi.

Create your own Twitter bot in 10 minutes

Mon, 12 Jun 2017 22:31:32 +0200

Update November 2017: Since November 2017, I’ve updated my GitHub repository with a manual to use this bot with a Lambda function (Serverless). It’s more efficient and cost-effective than running a full-time EC2 instance.

This dead simple Node.js Twitter bot will retweet statuses based on your current search criteria, follow users based on the same criteria, and favorite tweets too.

I’m using this to learn the Node.js language and Git.

Actual Features:

awless a powerful alternative to AWS CLI

Wed, 17 May 2017 22:31:32 +0200

Yesterday, I was attending a meetup from the great French AWS Users Group, and Henri showed us a great new project he is working on, called: awless.

awless is a great alternative to the official AWS CLI. It’s written in Go, and available under the Apache license on GitHub.

awless will enhance your experience with the CLI with key features like: autocompletion, offline mode (--local), template support, revert capabilities, etc.

Using a well-known syntax: subject, verb, complement, it drastically simplifies daily operations with the CLI, for example:

Direnv with multiple AWS Accounts

Tue, 10 Jan 2017 22:31:32 +0200

If you are working closely with AWS, with multiple customers and multiple accounts, you will love this app: Direnv.

Direnv will let you switch environment variables depending on the current folder you are browsing. It will be especially useful when you are juggling multiple AWS CLI ACCESS_KEY variables across customers. Then you don’t need to run aws configure each time you need to switch credentials.

When you leave the path, direnv will unload variables, then you avoid any mistakes.

AWS Starter Kit

Tue, 13 Dec 2016 13:37:00 +0200

This post was updated on 2020-07-11.

You will find in this post a few links and videos to help you on your journey to AWS Cloud.

AWS on zoph.me

Speeding Up IAMTrail: One Boto3 Process Instead of 1,500 CLI Invocations

The 46-Minute Problem

IAMTrail.com: The AWS Managed Policy Archive (Evolved from MAMIP)

📜 The Origins

AWS CloudFormation Phishing Attack: A Growing Threat

✨ Introduction

AWS Mixtape: Summer 2024

Cloud Security

Infrastructure

Engineering

Thoughts on Indie AWS Consulting in 2025

Background

Proxy Logs: Preserving Client IPs in AWS PrivateLink

Purpose

Over Architecting on Public Cloud

Background

About AWS Security Digest acquisition

📜 History

Brewing the Best in AWS Security: Top Reads of the Year

Elevate your AWS Security with basic alerting

Introducing Subnet-Watcher: Observability for your AWS Subnets

Update on being Independent [3 years later]

TL;DR

How to deal with unused assets on AWS?

💸 Rational

The day when the AWS Support got access to your S3 data

Serverless AWS WebRedirect

Rationale

Schema

Tradeoff

How to deal with custom recorder of AWS Config?

Does AWS drink its own champagne? 🍾

:arrows_counterclockwise: Previously in Policy Validation

Keeping you posted on AWS Security

How to deal with information overload?

Disclaimer

Introduction

Daily Routine

Sign In

AWS Starter Kit - 2020 Edition

Turn your AWS DevSecOps Pipeline into a bunker

Introduction

CI/CD Pipeline

DevSecWhat?

Update on being Independent [6 months later]

Status

GitHub Actions with AWS: Hands-On

Context

[MAMIP] Monitor AWS Managed IAM Policies

Disclaimer

Purpose

Easily reduce by 70% your AWS Fargate bills

qTweet - SQS to Twitter Speaker

CloudWatch Synthetics - Canary testing

Canary What?

On being Independent

AWS Security Toolbox (AST)

Serverless job scheduling using AWS Fargate

Automate your SQL & NoSQL databases with AWS Managed Services

Introduction

[FR] AWS re:Inforce 2019

re:Inforce 2019

AWS Transfer for SFTP

Enable Default Encryption for EBS (Worldwide)

My Pet Projects

Instance Watcher

My DevOps toolbox for AWS practitioner

General :construction:

FinOps :dollar:

Infrastructure as Code (IaC) :memo:

Security / Governance / Hardening :flashlight:

Schema :triangular_ruler:

From Plumber to Blogger

[FR] Re:Invent 2018

AWS re:Invent'18 - re:Cap

Pre-re:Invent'18 Launches 🚀 (November 2018)

re:Invent'18 (Nov. 26-30, 2018 - Las Vegas, NV)

How do I prepare AWS Certifications

Why AWS Certifications?