Coin Graham coingraham

## KMS-SNS.template
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MySNSTopic:
    Type: "AWS::SNS::Topic"
    Properties:
      DisplayName: "KMSTopic"
      KmsMasterKeyId: "alias/aws/sns"
      Subscription:
        - Endpoint: "myemail@domain.com"
          Protocol: "email"

## aws_client_vpc_endpoint_setup_notes.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                coingraham
                / aws_client_vpc_endpoint_setup_notes.md
            
            
              Created
              June 15, 2022 02:54
                — forked from mlimotte/aws_client_vpc_endpoint_setup_notes.md
            
              
                AWS Client VPN Endpoint Setup tips and checklist
              
          
    Overview

We have remote developers who occassionally need access to AWS servers QA and Staging databases (RDS mysql instances). The AWS servers (EC2, fargate) are in a private VPC. The RDS databases are in different VPCs, they have the "publicly accessible" attribute set, which means they get a pubilc DNS, but only a handful or IPs are whitelisted for that access; developers should get access over a VPN.
This is summarized as:
laptop --ClientVPN--> VPC _A_ --VPC Peer--> RDS in VPC _B_

I choose the Cliet VPN Endpoint so that AWS would manage the remote side of the tunnel.  I choose Viscosity (on a Mac) as our VPN client because it's easy to use and support split-dns and split-routing.  It's affordable, but not free.  Split DNS is important so that Amazon hostnames can be resolved to their internal IP addresses.  Split routing is important so that only the AWS destined traffic goes over the VPC tunnel and other internet traffic can go direct to internet.

  
## namespace_to_name.py
{'a4b': 'Alexa for Business',
 'access-analyzer': 'AWS IAM Access Analyzer',
 'account': 'AWS Account Management',
 'acm': 'AWS Certificate Manager',
 'acm-pca': 'AWS Certificate Manager Private Certificate Authority',
 'activate': 'AWS Activate',
 'airflow': 'Amazon Managed Workflows for Apache Airflow',
 'amplify': 'AWS Amplify',
 'amplifybackend': 'AWS Amplify Admin',
 'amplifyuibuilder': 'AWS Amplify UI Builder',

## lastname.ldif
dn: CN=lastname, CN=Schema, CN=Configuration, DC=xxxxxxxx, DC=com
changetype: add
attributeID: 1.3.6.1.4.1.42.2.27.5.1.60
attributeSyntax: 2.5.5.3
isSingleValued: TRUE
searchFlags: 1
lDAPDisplayName: lastname
adminDescription: This attribute contains the object's Last Name
objectClass: attributeSchema
oMSyntax: 27

## state.json
{
  "Comment": "A description of my state machine",
  "StartAt": "CopyObject",
  "States": {
    "CopyObject": {
      "Type": "Task",
      "End": true,
      "Parameters": {
        "ServerSideEncryption": "AES256",
        "Bucket.$": "$.destination_bucket",

## link
https://www.brighttalk.com/webcast/11073/346099?utm_source=2nd+Watch,+Inc.&utm_medium=brighttalk&utm_campaign=346099

## guard-duty-custodian.yaml
policies:

 - name: ec2-guard-remediate
   resource: ec2
   mode:
     role: arn:aws:iam::{account_id}:role/CustodianPolicyExecution
     type: guard-duty
   filters:
     # Filter for medium and high severity events
     - type: event

## README.md

      
              4 files
            
          
              0 forks
            
          
                0 comments
              
            
              1 star
            
          
                coingraham
                / README.md
            
            
              Created
              January 16, 2020 15:52
                — forked from nitrocode/README.md
            
              
                Cloud custodian iam policy in terraform
              
          
    CloudCustodian IAM Policy

Extracts perms from cloud-custodian repo, sanitizes extracted data, and transforms into terraform
Dependency is ripgrep and git which can be installed using brew
brew install rg git

The code will

  
## install.py
import sys
!{sys.executable} -m pip install numpy

## assume.py
import boto3
import sys

assume_role = sys.argv[1]

# create an STS client object that represents a live connection to the
# STS service
sts_client = boto3.client('sts')

# Call the assume_role method of the STSConnection object and pass the role
	AWSTemplateFormatVersion: '2010-09-09'
	Resources:
	MySNSTopic:
	Type: "AWS::SNS::Topic"
	Properties:
	DisplayName: "KMSTopic"
	KmsMasterKeyId: "alias/aws/sns"
	Subscription:
	- Endpoint: "myemail@domain.com"
	Protocol: "email"
	{'a4b': 'Alexa for Business',
	'access-analyzer': 'AWS IAM Access Analyzer',
	'account': 'AWS Account Management',
	'acm': 'AWS Certificate Manager',
	'acm-pca': 'AWS Certificate Manager Private Certificate Authority',
	'activate': 'AWS Activate',
	'airflow': 'Amazon Managed Workflows for Apache Airflow',
	'amplify': 'AWS Amplify',
	'amplifybackend': 'AWS Amplify Admin',
	'amplifyuibuilder': 'AWS Amplify UI Builder',
	dn: CN=lastname, CN=Schema, CN=Configuration, DC=xxxxxxxx, DC=com
	changetype: add
	attributeID: 1.3.6.1.4.1.42.2.27.5.1.60
	attributeSyntax: 2.5.5.3
	isSingleValued: TRUE
	searchFlags: 1
	lDAPDisplayName: lastname
	adminDescription: This attribute contains the object's Last Name
	objectClass: attributeSchema
	oMSyntax: 27
	{
	"Comment": "A description of my state machine",
	"StartAt": "CopyObject",
	"States": {
	"CopyObject": {
	"Type": "Task",
	"End": true,
	"Parameters": {
	"ServerSideEncryption": "AES256",
	"Bucket.$": "$.destination_bucket",
	policies:

	- name: ec2-guard-remediate
	resource: ec2
	mode:
	role: arn:aws:iam::{account_id}:role/CustodianPolicyExecution
	type: guard-duty
	filters:
	# Filter for medium and high severity events
	- type: event
	import boto3
	import sys

	assume_role = sys.argv[1]

	# create an STS client object that represents a live connection to the
	# STS service
	sts_client = boto3.client('sts')

	# Call the assume_role method of the STSConnection object and pass the role