- Attach needed IAM permissions to the EC2 instance profile IAM role:
CloudWatchAgentServerPolicyAWS managed IAM policy- Additional permissions likely needed (to download config from SSM parameter and to set CW Logs retention):
{ "Effect": "Allow", "Action": [ "ssm:GetParameter"
atheiman
/ cloudformation.gitlab-ci.yml
Last active
March 14, 2025 10:55
GitLab CI CloudFormation Deploy Job
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .cloudformation: | |
| stage: cloudformation | |
| variables: | |
| AWS_DEFAULT_REGION: '' | |
| CFN_ASSUME_ROLE_ARN: '' | |
| CFN_TEMPLATE: cloudformation/template.yml | |
| CFN_STACK_NAME: 'MyStack' | |
| CFN_DEPLOY_EXTRA_ARGS: '' | |
| image: | |
| name: amazon/aws-cli |
atheiman
/ ecs-fargate-sleep-task.sh
Created
February 26, 2025 18:22
Run an ECS Fargate task running `sleep` and exec into the task. This can be used to get a Linux shell in a subnet without launching an EC2 instance.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Prerequisites: | |
| # - ECS Fargate cluster | |
| # - ECS task IAM role: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html | |
| # Be sure to include ECS exec permissions: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html#ecs-exec-required-iam-permissions | |
| # - (optional) ECS task execution IAM role: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html | |
| aws ecs list-task-definitions | |
| # Register a task definition for alpine image running "sleep 600" so you can exec into the container for 10 min |
atheiman
/ config_aggregator_query.py
Last active
December 4, 2024 01:19
Example of querying AWS Config aggregator using Python and boto3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # Example usage: | |
| # | |
| # ~ $ export AWS_PROFILE=organization-management-account | |
| # ~ $ export AGGREGATOR_NAME=my-config-aggregator | |
| # ~ $ python ~/tmp/config_aggregator_query.py | |
| # 53 resources inspected | |
| # |
atheiman
/ config_aggregator_rule_compliance_query.py
Created
October 15, 2024 21:52
Query an AWS Config aggregator for rule compliance and write the results to a CSV file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| import boto3 | |
| import botocore | |
| import os | |
| import datetime | |
| import re | |
| import csv | |
| from functools import lru_cache | |
| sts = boto3.client("sts") |
atheiman
/ config_evaluation.py
Last active
December 4, 2024 01:19
AWS Config custom rule for resource tag compliance evaluation. Deployed as CloudFormation stacks.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # See documented events sent by Config here: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_example-events.html | |
| # | |
| # It is much easier to write evaluations for rules using ConfigurationItemChangeNotification and | |
| # OversizedConfigurationItemChangeNotification. These notifications include the resource as recorded | |
| # by Config. The Lambda function can review the resource config json and submit an evaluation for | |
| # the resource. | |
| # | |
| # ScheduledNotification events are not specific to a resource, the event only includes | |
| # the account id and rule name. Lambda functions must list all the resources in the account using | |
| # service apis, call the appropriate apis to evaluate the resources config, and then submit |
atheiman
/ config_tag_compliance.tf
Last active
December 4, 2024 01:18
Terraform to deploy a Config custom rule w/ Lambda function to evaluate resource tag compliance
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| terraform { | |
| required_providers { | |
| aws = { | |
| source = "hashicorp/aws" | |
| version = ">= 5.0" | |
| } | |
| } | |
| } | |
| data "aws_partition" "current" {} |
atheiman
/ 1-config.tf
Last active
December 4, 2024 01:18
AWS Config custom policy rule using Guard to evaluate tag compliance. Deployed as an OrganizationConfigRule w/ Terraform
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| terraform { | |
| required_providers { | |
| aws = { | |
| source = "hashicorp/aws" | |
| version = ">= 5.0" | |
| } | |
| } | |
| } | |
| resource "aws_config_organization_custom_policy_rule" "required_tags" { |
atheiman
/ config-aggregator-search.sh
Last active
November 20, 2024 14:39
Get all EC2 instances from an AWS Config Aggregator using AWS CLI
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # batch-get-aggregate-resource-config only accepts 100 resource identifiers. If you need to get the configuration | |
| # of more items, use python + boto3: https://gist.github.com/atheiman/9830de25a3fb54a06b86953a2675bbd1 | |
| AGGREGATOR_NAME='MyConfigAggregator' | |
| aws configservice batch-get-aggregate-resource-config \ | |
| --configuration-aggregator-name "$AGGREGATOR_NAME" \ | |
| --resource-identifiers "$( | |
| aws configservice list-aggregate-discovered-resources \ | |
| --configuration-aggregator-name "$AGGREGATOR_NAME" \ | |
| --resource-type 'AWS::EC2::Instance' \ |
atheiman
/ User_Data.md
Last active
November 15, 2024 09:40
EC2 User Data examples for Windows and Linux
Add a local rdp user via user data at launch of a Windows EC2 instance. Note that this includes a password passed in thru both the user data and powershell command line and is a bad security practice because they can be viewed later. At a minimum, you should connect to the instance immediately after launch and change the password interactively. Also, delete the userdata from the instance after launch. More secure would be to connect the instance to a domain for authentication or use AWS native tooling to connect to the instance (e.g., AWS Session Manager).
<powershell>
# Be sure to set the username and password on these two lines. Of course this is not a good
# security practice to include a password at command line.NewerOlder