atheiman

IDENTITY_CENTER_INSTANCE_ARN="$(aws sso-admin list-instances --output text --query 'Instances[0].InstanceArn')"
IDENTITY_STORE_ID="$(aws sso-admin list-instances --output text --query 'Instances[0].IdentityStoreId')"

for acctid in $(aws organizations list-accounts --query 'Accounts[][Id]' --output text); do
  echo "acct:$(aws organizations describe-account --account-id "$acctid" --output text --query 'Account.[Id, Email, Name]')"
  for psarn in $(aws sso-admin list-permission-sets-provisioned-to-account --account-id "$acctid" --instance-arn "$IDENTITY_CENTER_INSTANCE_ARN" --output text --query 'PermissionSets[]'); do
      echo "  permissionset:$(aws sso-admin describe-permission-set --instance-arn "$IDENTITY_CENTER_INSTANCE_ARN" --permission-set-arn "$psarn" --output text --query 'PermissionSet.[Name]')"
      for groupid in $(aws sso-admin list-account-assignments --account-id "$acctid" --instance-arn "$IDENTITY_CENTER_INSTANCE_ARN" --permission-set-arn "$psarn" --output text --query 'AccountAssignments[?P

atheiman

1. build accounts - this can be terraform executed in the mgmt acct
2. multi-account terragrunt run-all

   template/
     terragrunt.hcl
     main.tf
   111111111111/
     customization.tf
   
   

mkdir generated

atheiman

Copy the contents of notepad-bookmarklet.html and paste into your browser as a URL. Then bookmark the page.

atheiman

{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect":"Deny",
      "Action": [
        "ec2:AssociateClientVpnTargetNetwork",
        "ec2:AssociateRouteTable",
        "ec2:AssociateSubnetCidrBlock",
        "ec2:AssociateTransitGatewayMulticastDomain",

atheiman

##################################################################################
#
#   Conformance Pack:
#     Operational Best Practices for NIST 800-171
#
#   This conformance pack helps verify compliance with NIST 800-171 requirements.
#
#   See Parameters section for names and descriptions of required parameters.
#
##################################################################################

atheiman

#!/usr/bin/env python

# Usage example:
#   CONFIG_CONFORMANCE_PACK_TEMPLATE=Operational-Best-Practices-for-NIST-800-171.yaml ./config_conformance_pack_region_validator.py

import boto3
import botocore
import json
import os
import time

atheiman

4 * 2 = 8
3 * 2 = 6
Error processing num b - ValueError("invalid literal for int() with base 10: 'b'") - Traceback (most recent call last):
  File "/Users/aheiman/tmp/script.py", line 8, in <module>
    print(f"{num} * 2 = {int(num) * 2}")
ValueError: invalid literal for int() with base 10: 'b'

5 * 2 = 10
Error processing num f - ValueError("invalid literal for int() with base 10: 'f'") - Traceback (most recent call last):
  File "/Users/aheiman/tmp/script.py", line 8, in <module>

atheiman

Amazon CloudWatch Agent for Linux

1. Attach needed IAM permissions to the EC2 instance profile IAM role:
   • CloudWatchAgentServerPolicy AWS managed IAM policy
   • Additional permissions likely needed (to download config from SSM parameter and to set CW Logs retention):

     {
       "Effect": "Allow",
       "Action": [
         "ssm:GetParameter"

atheiman

Generate a private key and self-signed TLS certificate using the Terraform TLS provider.

# Download this terraform file into the current directory
curl -O https://gist.githubusercontent.com/atheiman/0944ece7399af7dd951b1bfe23fae847/raw/main.tf

# Modify "locals" in main.tf as needed

# Generate the key and cert
terraform init -upgrade

atheiman

---
apiVersion: v1
kind: Namespace
metadata:
  name: echoserver
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echoserver