วีดีโอ

definitely the best SSO explanation I have ever seen. I just subscribed by the way. I like d fact that you are so chilled

That's good stuff

Good one, thank you very much - helped me to understand how to work with security hub

Well explained. Spot on.

this is great as its helpful for pros already working in AWS.

Quick question. What is the advantage of using Terraform for the IAM management process over some bash/python scripting processes? I understand Terraform can do it, but is it the right tool for that process compared with the scripts versioned?

Could you share me the docker file please

what an amazing video

Thanks for your awesome video! I have a question, how to connect your PC to the Snowball device? just plug ethernet cable or need to set a local network to connect with? Thank you.

Great episode thanks. cloudonaut.io/tidying-up-after-failed-terraform-tests/

this is incredible! Thank you for this. Your demonstrations are practical realistic and well appliable. I hope you continue to make videos!

This is a wonderful video. Thanks cloudonaut.

Thank you for the great video. Any idea if it is possible to automate the process to auto refresh the temporary credentials? If we want to try out SSM with SSO, if we do aws configure sso and set up profile, every time it asks for approval from browser. Any way we can automate this to avoid browser approvals?

Thank you for creating such good video !!

Wow, this might be the problem we are facing, the SNS messages would sometimes arrive hours later. We have the same 1 second limit. I will test this soon. Very hard to find people talking about this throttling anywhere online

Best video on SSO. Is it possible to integrate third party tools ( Jenkins ) with users generated from SSO ( AD Entra ) , how can we get access keys for the new users to access AWS from jenkins on IAM Identity Center.

Hi, I have one question when we say that AMP provides high scalability can this not be achieved if we create a self managed Prometheus as daemon set that would scale itself depending upon the nodes it has to monitor ?

what about if we want to terraform apply(CI) on specific AWS account? would you create an SSO user like e.x. deployer from which you would run aws sso get-role-credentials to get temporary credentials and apply terraform?

The Organisation is created from the AWS root account so I guess the SSO should be activated from the AWS root account where the Organisation exists?

Guys, i keep hearing about Cloudformation with you guys, and i get that it is really popular for AWS. But how do you incorporate it with CI/CD, lets say via Gitlab

Super very informative, thank you

What advantage hyperenv provide over using webhooks to send notification to AWS lambda?

I just read your latest newsletter and now watching this video. What a journey from 2015 until now! Very inspiring! Cool that you guys planned your parental leaving a year apart! Following you now on LinkedIn! Super fan!

Very funny. Today, AWS announced that they have decided to remove the following controls from all security standards: * Athena.1 (“Athena workgroups should be encrypted at rest”) [1]. Athena workgroups send results to Amazon S3 Buckets. Amazon S3 now provides default encryption on new and existing buckets with S3 managed keys (SSE-S3). Bucket encryption cannot be removed, only changed to a different method [2]. * AutoScaling.4 (“Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1”) [3]. There are certain cases where a hop limit greater than 1 is required. For example, Amazon Linux 2023 AMI allows for a hop limit of 2 to support containerized workloads [4]. * CloudFormation.1 (“CloudFormation stacks should be integrated with Simple Notification Service (SNS)”) [5]. While integrating important CloudFormation stacks with SNS topics can be useful, it is not required for all stacks. * CodeBuild.5 (“CodeBuild project environments should not have privileged mode enabled”) [6]. There are certain cases where privileged mode is required for CodeBuild Docker projects. For more information, see the CodeBuild User Guide [7]. * IAM.20 (“Avoid the use of the root user”) [8]. The functionality of this control is incorporated into existing control CloudWatch.1 (“A log metric filter and alarm should exist for the usage of the root user”) [9]. * SNS.2 (“Logging of delivery status should be enabled for notification messages sent to a topic”) [10]. While logging of delivery status for important SNS topics can be useful, it is not required for all topics. In addition, the following controls will be removed only from the AWS Foundational Security Best Practices (FSBP) standard [11], but will still be included in the NIST SP 800-53 r5 standard: * S3.10 (“S3 buckets with versioning enabled should have Lifecycle configurations”) [12]. This security practice remains covered by controls S3.13 (“S3 buckets should have lifecycle policies configured”) [13] and S3.14 (“S3 buckets should use versioning”) [14], both of which belong to the FSBP standard. * S3.11 (“S3 buckets should have event notifications enabled”) [15]. While there are certain cases where event notifications for S3 buckets can be useful, this not a universal security best practice. * SNS.1 (“SNS topics should be encrypted at rest using AWS KMS”) [16]. Amazon SNS now stores messages and files using default disk encryption [17]. Security Hub will remove these controls starting March 16, 2024, in a process which can take up to a month. Once the controls are removed from your account, their findings will be archived within 5 days and will be deleted after 90 days. This does not require any action from your side. However, if you wish to stop receiving findings from these controls before they are removed, you may disable them by using the Security Hub console or API [18]." It's likely not because of us but we are happy to see some of the controls that we mentioned to be removed :)

After 3 hours of wasting time, hop-limit=2 fixed the issue. Thank you so much for sharing.

I'm trying to wrap my head around the fact that we still need our own prometheus server with AMP... AMP supposedly allows for easy scalability and provision of resources, but then I need to handle the Prometheus server anyway. So why should I use it? It's a legit question, I don't get it and I wanted a simple solution to monitor my services running on EC2/Beanstalk. But it looks like I could be better off not using AMP.

how do you set the credentials?

Scary? Overreacted... man really so many steps to make that work...

The Cloudformation template didn't work. Do I need to provide a sub domain? I ran it with the command below bucket_name=my-unique-bucket hosted_zone=us-west-2 sub_domain=my-unique-domain stack_name=my-unique-stack-name aws s3 mb s3://$bucket_name --region us-west-2 npm i aws cloudformation package --template-file example.yaml --s3-bucket $bucket_name --output-template-file packaged.yaml aws cloudformation deploy --template-file packaged.yaml --stack-name $stack_name --parameter-overrides HostedZoneId=$hosted_zone SubDomainNameWithDot=$sub_domain --capabilities CAPABILITY_IAM aws cloudformation describe-stacks --stack-name $stack_name --query "Stacks[0].Outputs[?OutputKey=='Url'].OutputValue" --output text

aurora serverless very useful info. Serverless v2 removing scaling down to zero capability to save $ is now missing.

awesome video

Hey Man, can I connect with you on LinkedIn?

Thanks, informative.

Great podcast!!

Real AWS news good and bad. Thanks

Wonderful session, much better than normal presentation by AWS where they described things in a too much sugar way. Do you know if as a buyer you can run a marketplace solution using boto3 api call?

Great demo @cloudonaut. Thank U.

If generating a token is the same procedure , then anyone can generate a token and use it? kindly explain me if i am wrong?

heavily awesome even after 2 years <3 <3

is dnssec applicable for domains in which one domain redirected to another domain

@wuffgang Check out Mike's approach for accessing DynampDB: cloudonaut.io/dynamodb-entity-store-cleaner-typescript-code/.

Great video, thanks. If I want to allow access to my EC2 server only by passing through the VPN created with AWS Client VPN, how could I do it?

One remark. You don't do Linting only in pipeline unless you pay for cloud costs by yourself :) Linting should be done at very early stage so you should have scripts to lint you code locally and then next step is to lint code during push and last is lint before merge. So linting in build is as well OK but before that you have bunch of tests before you will trigger build.

hello and thank you for the tutorial. This method works great for me when I use SSH, but when I use SCP it throws me 'ssh: Could not resolve hostname' you know what it could be?

Fabulous analysis. Thanks so much. I like the pitfalls. We are in the midst of integraiting AWS Security Hub to ServiceNow Incidents. so if you have any great insights to that integration, please let me know.

The AWS Client Endpoint was already created, you mentioned you need 2 hours to do it (probably the 2nd time you do it you spend less time). Anyway, I was looking for a guide to create it. Thanks anyway

Is there an updated version of this content. Currently there isn’t an option to enable and disable encryption. SSE-S3 is default

Hello, could you please add timecodes with topics discussed? It's hard to understand which topics are discussed and when it happens (when it starts)

AWS now has added VPC Reachability Analyzer on Organizations to find out connectivity between multiple AWS Accounts with transit gateway in between.

Great video, How much data did you load? How much time did it take you to finish upload?