It used to be painful that you could not change the instance profile of an existing EC2 instance. The good news is that you CAN now, via the AWS CLI!!
Here is a step-by-step example.
SSSG Ninja is my new open source project. It is an all-in-one management tool for SSSG (Site Shield Security Group): it not only makes recommendations but can also do the jobs for you. If you are interested in trying it, it can be found in my GitHub repo.
Here are the currently supported features:
Client --ssh only--> Jumpbox00 --ssh only--> Jumpbox01 --http only--> Internal network
Here is how to ssh to jumpbox01 and visit websites in the internal network from the Client.
1) Ensure you have a private key that is trusted by both jumpbox00 and jumpbox01, for example jb.pem under ~/.ssh/, then run the following command:
2) Add the following two lines to ~/.ssh/config:
3) For convenience, create a command or alias. For example, I created the command /usr/local/bin/double_jump:
ssh -i ~/.ssh/jb.pem -A -t jchen@jumpbox00 -L 12345:localhost:12345 ssh -A -t jchen@jumpbox01 -D 12345
4) Make the above command executable:
sudo chmod a+x /usr/local/bin/double_jump
Now run double_jump; it will open an ssh session to jumpbox01. Set the SOCKS proxy in your browser to localhost:12345, and the client can then visit the websites in the internal network.
AWS Trusted Advisor recently added a new check, 'Exposed Access Key', in the Security category. This check scans popular code repositories for access keys that have been exposed to the public, and looks for irregular Amazon Elastic Compute Cloud (Amazon EC2) usage that could be the result of a compromised access key.
By default, Trusted Advisor runs its checks every 24 hours. For such a critical check we probably want to run it more frequently, say every 30 minutes. Currently, Trusted Advisor does not support a custom schedule. Per the conversation I had with AWS support, they are working on an event-triggered notification feature for Trusted Advisor.
While waiting for that feature to become available, I have added this feature to AWS keyWatcher v0.3 and created a cronjob to run it every 30 minutes.
Here is how it works:
I found this bug in CloudTrail while working on the AWS keyWatcher project. I noticed that some CloudTrail logs do not have the accessKeyId field. I opened a ticket with AWS support, and they forwarded it to the CloudTrail service team. Here is the response, which confirms it is a bug:
Briefly speaking, they've confirmed that this is a bug. In fact, we do expect accessKeyId to be present in this case. We were also able to replicate the issue that you observed - called CreateBucket and GetBucketTagging from the console but did not find the accessKeyId field in the log events. We apologize for any trouble or confusion that this might have caused to you. At this stage, we are not able to give an ETA of when exactly this bug will be fixed. But we are already investigating the issue with high priority.
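Because of this bug, a tool that keys its alerts on accessKeyId (as keyWatcher does) can silently skip events. The following Python check is an added example, not code from this post or from the keyWatcher project: it reads a CloudTrail log file, counts which key IDs were used, and reports the events whose userIdentity carries no accessKeyId so they can be reviewed separately. The sample records and the key ID value are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (not real log data). The two S3
# console events lack accessKeyId, mirroring the bug confirmed by AWS above;
# the EC2 event carries a placeholder key ID.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "CreateBucket", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "GetBucketTagging", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAEXAMPLEPLACEHOLDER"}},
]})


def find_missing_access_key(cloudtrail_json):
    """Split CloudTrail records into (missing, used).

    missing: records whose userIdentity has no (or an empty) accessKeyId,
             i.e. events a key-based watcher would not attribute to any key.
    used:    Counter of accessKeyId -> number of events that carried it.
    """
    records = json.loads(cloudtrail_json).get("Records", [])
    missing, used = [], Counter()
    for rec in records:
        identity = rec.get("userIdentity") or {}
        key = identity.get("accessKeyId")
        if key:
            used[key] += 1
        else:
            missing.append(rec)
    return missing, used


def summarize_missing(missing):
    """Group unattributed events by (eventSource, eventName) for review."""
    return Counter((r.get("eventSource"), r.get("eventName")) for r in missing)


if __name__ == "__main__":
    missing, used = find_missing_access_key(SAMPLE_CLOUDTRAIL)
    for key, n in used.items():
        print(f"key {key}: {n} event(s)")
    for (src, name), n in summarize_missing(missing).items():
        print(f"no accessKeyId: {src} {name} x{n}")
```

Run it over a real log by replacing SAMPLE_CLOUDTRAIL with the contents of a CloudTrail JSON file; any non-zero "no accessKeyId" lines are events that would otherwise be invisible to a key-based check.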