Posts
Building a static blog site on AWS - Part 1
Time flies - summer is almost over in New Zealand. Even though it has only been three weeks, my six-week summer break is already beginning to feel like a distant memory.
About nine months ago, I started this blog and decided to host my blog site on Amazon S3 and use Amazon CloudFront for content delivery. My initial capital investment was simply 1 US dollar for the domain name wkhoo.com registration.
For nine months, my monthly AWS bills were either $0 or $0.01 (for S3 storage, although my usage is well under the free tier limit; probably due to rounding up of decimals, which is odd), all because I am reaping the benefits of the AWS 12-month Free Tier program and have stayed within its limits so far.
Amazon Managed Grafana SAML integration
Amazon Managed Grafana is a powerful tool for monitoring and visualisation, and integrating it with an identity provider (IdP) such as Microsoft Entra ID using SAML provides secure and streamlined access management. Deploying Amazon Managed Grafana and configuring the SAML integration are pretty straightforward.
Recently, I needed to configure group-based access control using the SAML group attribute and Grafana team sync, but I faced some challenges getting it to work. Neither the AWS nor the Microsoft documentation clearly sets out the steps needed to get the group attribute synced to Grafana teams.
Decommissioning AWS Control Tower Landing Zone
A landing zone, typically set up using AWS Control Tower, is a well-architected, multi-account AWS environment that is scalable and secure. AWS Control Tower automates the configuration of the landing zone following AWS best practices, which include networking settings, identity and access management (IAM) policies, logging and monitoring settings, and security guardrails. Decommissioning an AWS Control Tower landing zone is a complex task that involves shutting down a multi-account AWS environment while ensuring no critical resources or data are lost.
In this post, I will walk through the steps needed to decommission a landing zone, focusing on the key considerations for compliance, security, and cost management.
Cross-account SSM VPC Endpoints Sharing
This is a spin-off from my previous blog post Centralised SSM VPC Endpoints Cost-Benefit Analysis, where we explored how a centralised SSM VPC endpoints architecture can help organisations minimise costs by creating the endpoints in one VPC and sharing them with the other VPCs, thereby reducing the number of endpoints required and the associated endpoint-hour charges.
In this blog post, I will illustrate how you can scale the centralised SSM VPC endpoints solution across AWS accounts.
Centralised SSM VPC Endpoints Cost-Benefit Analysis
When using AWS services, it is important to access them securely. One way to do this is with VPC endpoints. A VPC endpoint is a private doorway between your VPC and an AWS service: you can reach services such as S3, DynamoDB or Systems Manager from within your VPC without leaving the AWS network, so the traffic never traverses the public internet and the VPC needs no internet gateway or NAT gateway for it. An endpoint policy can further restrict which principals and resources are reachable through the endpoint.
There are two types of VPC endpoints: interface endpoints (powered by AWS PrivateLink) and gateway endpoints. Gateway endpoints exist only for S3 and DynamoDB and carry no additional charge. Interface endpoints incur an hourly running cost plus data processing charges.
For an AWS environment with multiple VPCs, deploying separate interface endpoints in each VPC can get expensive. Each interface endpoint is billed per hour per Availability Zone (AZ) it is provisioned in. If your workloads span multiple AZs, the endpoint needs a subnet (and an elastic network interface) in each of those AZs, each AZ is billed separately, and across many VPCs and several services the cost quickly adds up.
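The centralised pattern this post and the cross-account spin-off above describe, as an added Terraform example (not code from either post): the three interface endpoints the SSM agent uses are created once in a shared-services VPC, and each consuming VPC resolves the regional service names to those endpoints through Route 53 private hosted zones instead of running endpoints of its own. The `var.*` values (VPC and subnet IDs, region), the `10.0.0.0/8` summary CIDR and the `aws.spoke` provider alias holding credentials for the second account are assumptions; the spoke VPCs must already be able to route to the shared VPC, for example over a transit gateway.

```hcl
# Added example, not the blog's own code. var.* values and the aws.spoke
# provider alias (credentials for the second account) are assumed to be
# declared elsewhere.

locals {
  # Interface endpoints the SSM agent needs for Session Manager and Run Command.
  ssm_services = ["ssm", "ssmmessages", "ec2messages"]
}

# Only HTTPS, and only from the address space of the VPCs allowed to use the
# endpoints (10.0.0.0/8 is an assumed summary of the spoke VPC CIDRs).
resource "aws_security_group" "endpoints" {
  name   = "shared-ssm-endpoints"
  vpc_id = var.shared_vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}

# One endpoint per service, with an ENI in each AZ subnet of the shared VPC.
# Private DNS is disabled: the private hosted zones below supply the service
# names, and a spoke VPC cannot use the shared VPC's AWS-managed DNS anyway.
resource "aws_vpc_endpoint" "ssm" {
  for_each            = toset(local.ssm_services)
  vpc_id              = var.shared_vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.shared_subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = false
}

# A private hosted zone named after each regional service endpoint, with an
# apex alias to the shared endpoint, so every associated VPC resolves
# ssm.<region>.amazonaws.com (etc.) to the shared endpoint ENIs.
resource "aws_route53_zone" "ssm" {
  for_each = toset(local.ssm_services)
  name     = "${each.key}.${var.region}.amazonaws.com"

  vpc {
    vpc_id = var.shared_vpc_id
  }

  # Further VPC associations are managed by the association resources below.
  lifecycle {
    ignore_changes = [vpc]
  }
}

resource "aws_route53_record" "ssm" {
  for_each = toset(local.ssm_services)
  zone_id  = aws_route53_zone.ssm[each.key].zone_id
  name     = "${each.key}.${var.region}.amazonaws.com"
  type     = "A"

  alias {
    name                   = aws_vpc_endpoint.ssm[each.key].dns_entry[0].dns_name
    zone_id                = aws_vpc_endpoint.ssm[each.key].dns_entry[0].hosted_zone_id
    evaluate_target_health = false
  }
}

# Same-account spoke VPC: a direct association is enough.
resource "aws_route53_zone_association" "spoke" {
  for_each = toset(local.ssm_services)
  zone_id  = aws_route53_zone.ssm[each.key].zone_id
  vpc_id   = var.spoke_vpc_id
}

# Cross-account spoke VPC: the zone owner authorises the association first,
# then the spoke account completes it with its own credentials.
resource "aws_route53_vpc_association_authorization" "remote" {
  for_each = toset(local.ssm_services)
  zone_id  = aws_route53_zone.ssm[each.key].zone_id
  vpc_id   = var.remote_spoke_vpc_id
}

resource "aws_route53_zone_association" "remote" {
  provider = aws.spoke
  for_each = toset(local.ssm_services)
  zone_id  = aws_route53_vpc_association_authorization.remote[each.key].zone_id
  vpc_id   = aws_route53_vpc_association_authorization.remote[each.key].vpc_id
}
```

Each spoke VPC needs DNS resolution and DNS hostnames enabled for the private zones to take effect. Note what the design trades for the saved endpoint-hours: the shared VPC is now a single failure domain for SSM access from every consumer, and the endpoint's security group and endpoint policy become the one control point for all of them, so keep the ingress CIDRs and the endpoint policy's allowed principals limited to the VPCs and accounts that should be using the endpoints.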
Securing AWS Systems Manager Session Manager Port Forwarding
Using the SSM Session Manager port forwarding feature is straightforward and requires minimal setup if you already manage your EC2 instances with AWS SSM. However, using it out of the box without addressing the security and access controls poses a risk. Once the SSM agent is installed, running and connected to the SSM service, any IAM principal allowed to call ssm:StartSession without resource or condition restrictions can open a shell on, or forward a port to, any managed instance in the account, and because the agent connects outbound to the service, no inbound security group rule or network ACL stands in the way.
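The difference between the out-of-the-box grant and a restricted one, as an added example written as Terraform IAM policy documents (not the post's own policies). The tag key `SSMPortForwarding`, its value and the policy name are assumptions; the `ssm:SessionDocumentAccessCheck` condition key and the `AWS-StartPortForwardingSession` document are AWS's.

```hcl
# Added example, not the blog's own code. Tag key/value and names are assumed.

# What many teams start with: any managed instance, any session document.
# A holder of this policy can open a shell or forward any port to any
# instance in the account without needing an inbound security-group rule.
data "aws_iam_policy_document" "ssm_port_forward_weak" {
  statement {
    actions   = ["ssm:StartSession"]
    resources = ["*"]
  }
}

# Restricted version: port forwarding only, only to instances tagged for it,
# and only the caller's own sessions can be resumed or terminated.
data "aws_iam_policy_document" "ssm_port_forward" {
  # Which instances: resource-level permission on EC2 instances carrying the
  # assumed tag SSMPortForwarding=allowed.
  statement {
    sid       = "PortForwardToTaggedInstancesOnly"
    actions   = ["ssm:StartSession"]
    resources = ["arn:aws:ec2:*:*:instance/*"]

    condition {
      test     = "StringEquals"
      variable = "ssm:resourceTag/SSMPortForwarding"
      values   = ["allowed"]
    }
  }

  # Which session type: only the port forwarding document. The access-check
  # condition makes IAM evaluate the document ARN, so the default shell
  # document (SSM-SessionManagerRunShell) and custom documents are refused.
  statement {
    sid       = "PortForwardingDocumentOnly"
    actions   = ["ssm:StartSession"]
    resources = ["arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession"]

    condition {
      test     = "BoolIfExists"
      variable = "ssm:SessionDocumentAccessCheck"
      values   = ["true"]
    }
  }

  # Session housekeeping limited to sessions the caller started. aws:username
  # is only populated for IAM users; for role sessions the session ID is
  # prefixed with the role session name instead, so adjust the pattern.
  statement {
    sid       = "OwnSessionsOnly"
    actions   = ["ssm:TerminateSession", "ssm:ResumeSession"]
    resources = ["arn:aws:ssm:*:*:session/$${aws:username}-*"]
  }

  # Read-only calls the session plugin and console use; these actions do not
  # support resource-level permissions.
  statement {
    sid       = "DescribeOnly"
    actions   = ["ssm:DescribeSessions", "ssm:DescribeInstanceInformation", "ssm:GetConnectionStatus"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "ssm_port_forward" {
  name   = "ssm-port-forwarding-restricted"
  policy = data.aws_iam_policy_document.ssm_port_forward.json
}
```

A principal holding the restricted policy can open a tunnel with `aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3389"],"localPortNumber":["13389"]}'` to a tagged instance, while a plain `aws ssm start-session --target <instance-id>` is refused because the default shell document is not in the allow list. IAM cannot constrain the `portNumber` parameter, so which services become reachable is decided by the instance's host firewall and by who is allowed to set the `SSMPortForwarding` tag; CloudTrail records every StartSession call with its target and document, which is the trail to alert on.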
Demonstrating ABAC with AWS IAM Identity Center
In this blog post, we will walk through how to set up single sign-on (SSO) between AWS IAM Identity Center and Microsoft Entra ID, and how attribute-based access control (ABAC) can be leveraged to manage permissions based on user attributes (tags).
I will demonstrate how we federate AWS IAM Identity Center with Microsoft Entra ID and use a user attribute value to control access to AWS EC2 instances.
Understanding access control models in AWS
When it comes to managing permissions and access control in AWS, two popular authorisation models are Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). Each has its strengths, and either can tighten security when applied with least privilege in mind. In this blog post, let’s explore these models and how they can be used effectively.
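To make the contrast concrete, an added Terraform example (not the posts' own code) for the IAM Identity Center setup the ABAC post above describes: it maps the `Department` attribute from the IdP onto a principal tag, grants EC2 start/stop rights only where the instance's `Department` tag matches the caller's, and shows the RBAC equivalent for one department beside it. The attribute name, group name, permission-set name and account ID are assumptions.

```hcl
# Added example, not the blog's own code. Names, the Department attribute and
# the account ID are assumptions.

data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# ABAC step 1: pass the user's department through as the session tag
# Department. Identity Center reads the SCIM attribute on the user, which
# Entra ID provisioning populates.
resource "aws_ssoadmin_instance_access_control_attributes" "abac" {
  instance_arn = local.instance_arn

  attribute {
    key = "Department"
    value {
      source = ["$${path:enterprise.department}"]
    }
  }
}

# ABAC step 2: a single permission set whose policy compares the caller's
# tag to the resource's tag. No per-department policy is needed.
data "aws_iam_policy_document" "ec2_abac" {
  statement {
    sid       = "ListEverything"
    actions   = ["ec2:DescribeInstances", "ec2:DescribeTags"]
    resources = ["*"] # Describe* calls do not support resource-level permissions
  }

  statement {
    sid       = "ManageOwnDepartmentInstances"
    actions   = ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"]
    resources = ["arn:aws:ec2:*:*:instance/*"]

    condition {
      test     = "StringEquals"
      variable = "ec2:ResourceTag/Department"
      values   = ["$${aws:PrincipalTag/Department}"]
    }
  }
}

resource "aws_ssoadmin_permission_set" "ec2_abac" {
  name             = "EC2DepartmentOperator"
  instance_arn     = local.instance_arn
  session_duration = "PT1H"
}

resource "aws_ssoadmin_permission_set_inline_policy" "ec2_abac" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.ec2_abac.arn
  inline_policy      = data.aws_iam_policy_document.ec2_abac.json
}

# One assignment covers every department: the tag, not the group, decides.
data "aws_identitystore_group" "all_staff" {
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "AllStaff"
    }
  }
}

resource "aws_ssoadmin_account_assignment" "ec2_abac" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.ec2_abac.arn
  principal_id       = data.aws_identitystore_group.all_staff.group_id
  principal_type     = "GROUP"
  target_id          = "111122223333"
  target_type        = "AWS_ACCOUNT"
}

# RBAC contrast: the same rights for one department, with the value fixed in
# the policy. Every new department means another permission set and another
# group assignment, and a user who changes department needs re-assignment.
data "aws_iam_policy_document" "ec2_rbac_finance" {
  statement {
    actions   = ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"]
    resources = ["arn:aws:ec2:*:*:instance/*"]

    condition {
      test     = "StringEquals"
      variable = "ec2:ResourceTag/Department"
      values   = ["Finance"]
    }
  }
}
```

The ABAC comparison is only as strong as tag governance: anyone who can call `ec2:CreateTags` on an instance can relabel it into another department, so writes to the `Department` key should be denied to everyone except the provisioning pipeline (a Deny on `ec2:CreateTags` and `ec2:DeleteTags` with a `ForAnyValue:StringEquals` condition on `aws:TagKeys`), and the IdP-side attribute must be one that users cannot edit themselves.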
AWS Systems Manager Session Manager Port Forwarding
Problem statement
Do you have application servers residing in private subnets, or behind layers of firewalls and NAT gateways, that you need remote access to for application troubleshooting or debugging connectivity issues?
Do you need a way to reach your servers, whether to give third-party vendors temporary remote access or, when migrating servers to the cloud, to connect to your Amazon EC2 instances for operational or validation tasks?
Importing existing cloud infrastructure with Terraform
Overview
As a cloud DevOps engineer, you sometimes need to bring existing cloud infrastructure under Terraform. Terraform can import existing cloud resources: it lets you take resources created through ClickOps (by hand in the console) and record them in the Terraform state file, so that from then on they are managed as Terraform IaC.
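An added example of the import workflow (not the post's own code) using the declarative `import` block available since Terraform 1.5: a ClickOps-created S3 bucket and its public access block are adopted into state and given a configuration to match. The bucket name and the settings shown are assumptions; for both resource types the import ID is the bucket name.

```hcl
# Added example, not the blog's own code. The bucket name and settings are
# assumed for illustration.

# Import blocks tell `terraform plan`/`apply` to read the existing objects into
# state for the addressed resources, rather than create new ones.
import {
  to = aws_s3_bucket.logs
  id = "example-clickops-logs"
}

import {
  to = aws_s3_bucket_public_access_block.logs
  id = "example-clickops-logs"
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-clickops-logs"

  lifecycle {
    # The bucket holds data: refuse to destroy it even if a later plan tries to.
    prevent_destroy = true
  }
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Run `terraform plan` and read it before applying: the expected output is two import actions and no changes. If the plan also shows an update, the configuration does not match what was built by hand, and applying would change the live resource (in this example, that would mean the bucket currently allows some form of public access). Decide deliberately whether the drift is a misconfiguration to correct or a setting to carry over into the code. When the resource's attributes are not known, `terraform plan -generate-config-out=generated.tf` writes matching resource blocks from the imported state; the older imperative form, `terraform import aws_s3_bucket.logs example-clickops-logs`, still works but records state without the plan-time review.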