$ aws ec2 describe-images --owners 309956199498 --query "reverse(sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId])[:2]" --filters "Name=name,Values=RHEL-7.?*GA*" --region ap-southeast-2 --output tableLink to JMESPath cheatsheet: https://gist.github.com/magnetikonline/6a382a4c4412bbb68e33e137b9a74168
| ################################################# | |
| # This query can be used as a guide for scoping a role down to permissions it actually uses. | |
| # Note that API calls dont have a 1:1 mapping to IAM permissions but the output is a good guide on what is required | |
| # for the role to work based on previous data | |
| # For my use case - I had S3 data events being logged so I list S3 bucket and Key down to 2 levels as well | |
| # Change line 15 as needed. | |
| ################################################# | |
| fields eventName,userIdentity.arn | |
| | parse @message '"resources":[*]' as resource |
| { | |
| "eventVersion": "1.08", | |
| "userIdentity": { | |
| "type": "IAMUser", | |
| [...] | |
| }, | |
| "eventTime": "2021-08-12T05:06:27Z", | |
| "eventSource": "s3.amazonaws.com", | |
| "eventName": "PutObject", | |
| "awsRegion": "ap-southeast-2", |
| { | |
| "allowed": false, | |
| "explicitDeny": true, | |
| "matchedStatements": { | |
| "items": [ | |
| { | |
| "statementId": "AllowUserAgent", | |
| "effect": "DENY", | |
| "principals": { | |
| "items": [] |
| #! /bin/bash | |
| apt-get update | |
| apt-get install -y nginx | |
| service nginx start | |
| sed -i -- 's/nginx/Google Cloud Platform - '"$HOSTNAME"'/' /var/www/html/index.nginx-debian.html | |
| # allow for load testing with loader.io replace text with code provided by loader.io | |
| echo "loaderio-a78c247b33950ae8d1007c254b91c8be" > /var/www/html/loaderio-a78c247b33950ae8d1007c254b91c8be.txt |
| # aws cloudformation list-types --type RESOURCE --visibility PUBLIC --provisioning-type NON_PROVISIONABLE --filters Category=AWS_TYPES|grep -i TypeName > /tmp/ccapi-notcompatible.txt | |
| # | |
| "TypeName": "AWS::AmazonMQ::Broker", | |
| "TypeName": "AWS::AmazonMQ::Configuration", | |
| "TypeName": "AWS::AmazonMQ::ConfigurationAssociation", | |
| "TypeName": "AWS::ApiGateway::Deployment", | |
| "TypeName": "AWS::ApiGateway::DocumentationPart", | |
| "TypeName": "AWS::ApiGateway::GatewayResponse", | |
| "TypeName": "AWS::ApiGateway::RestApi", | |
| "TypeName": "AWS::ApiGateway::VpcLink", |
| aws --region=us-east-1 iam simulate-principal-policy \ | |
| --context-entries ContextKeyName=aws:RequestedRegion,ContextKeyValues=us-east-1,ContextKeyType=string \ | |
| --policy-source-arn=arn:aws:iam::123456789:role/OrganizationAccountAccessRole \ | |
| --action-names s3:PutObject |
| package main | |
| /* | |
| Notes: | |
| This demonstrates how to use the native fedauth functionality with AWS RDS Proxy for MS SQL server. | |
| Connection string is simple as the access token is retrieved via the token provider in NewConnectorWithAccessTokenProvider. | |
| How to use (make sure you have an active IAM user api key or role via the regular methods): | |
| 1. Create an RDS MS SQL Server (Express is fine for cheapness) |
| using Microsoft.Data.SqlClient; | |
| using Amazon.RDS; | |
| /* | |
| This code is a sample for generating an RDS auth token to use for IAM authentication with MS SQL server. | |
| ref: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-setup.html | |
| Below steps assumes you stored DB user creds in secrets manager when deploying RDS. |
| import struct | |
| import pyodbc | |
| import boto3 | |
| # IMPORTANT: Install Microsoft ODBC drivers first for your platform - see: https://learn.microsoft.com/en-us/sql/connect/odbc/linux-mac/install-microsoft-odbc-driver-sql-server-macos?view=sql-server-ver16 | |
| # Just an install is enough for pyodbc to see them. | |
| # Also, on M1 mac need to use 4.0.34 release of pyodbc | |
| # pip3.11 install pyodbc==4.0.34 | |
| # v4.0.35 is broken |