Anyone who follows my blog (and that’s none of you) would notice I rarely find time to post. Since moving my blog from Linode to AWS EC2 a few years ago I’ve spent way more time patching WordPress than writing in it. MySQL would run out of memory and crash, leaving my blog down for days on end. I never use the bloggy features of Wordpress since the only folks who ever commented were spammers.
Terraform vs Cloudformation
New employer uses Terraform, so I’ve finally had a reason to grok Terraform and what it can do. I’m not convinced it is better than CloudFormation. Here are my thoughts on it.
Pros
Terraform can manage more than just AWS Resources. Useful if you need to orchestrate across multiple clouds, but I’d fear the dependency issues there. At my ex-job I’d have been very interested in how Terraform could control both AWS and Chef.
User Password & Key Expiration in AWS
AWS provides the ability to set a password policy on an account that will require a user to change their password after a certain period of time. However, there is no method by which you can notify a user that it is about to expire, nor is there anything that would expire an access key that hasn’t been rotated.
I wanted something that would implement a policy that would deny any usage if the password was past due (even if the user hadn’t logged in for a while) and would deactivate a key if it was older than the maximum age set in the password policy.
What I do to a new AWS Account
When creating a new AWS Account, I typically do the following:
- Create the CloudTrail
- Create a Deploy Bucket
- Create Generic Alert topics for the account and subscribe my email and cell
- Create a stack to send certain CloudWatch events to a Slack channel
- Configure requireMFA
- Configure Password & API Key Expiration Warning

All of these are done via automation, of course.
Deploying a CloudFormation Template simply
Note: The deploy stack script has been superseded by cft-deploy, which you can get from PyPI via pip install cftdeploy. deploy_stack.rb is not being updated.
Deploying CloudFormation templates via the CLI is a complex process that lacks repeatability. Typing out long command lines, and then having to execute other commands either before or after the stack runs, results in lots of custom scripting. Rather than go down that route, I created a tool that takes a YAML manifest file, which lets you specify all the details of your stack deployment in one data-driven place.
Creating a set of generic SNS Topics
When I’m creating a new AWS account, I find it helpful to have a generic set of SNS topics that ping me and my team if something goes wrong.
The following CloudFormation template can be used for that purpose. It requires a few parameters and includes an optional Lambda that will send the alerts to a Slack Channel.
Three Topics are created for critical, error and info-level alerts. Critical alerts will send me a text and email, while error only sends an email.
Requiring AWS IAM Users to Enable MFA
When AWS announced Lambda at the 2014 re:Invent, my immediate thought was “Cool, you can now program the cloud itself”. Since then, everyone has jumped on the “serverless” bandwagon for building apps. After this year’s re:Invent I’m inspired to get back to using Lambda to program the cloud.
One of the sessions I attended was on Security Automation. I’ll have more to say on that later. However, it gave me the idea for a setup that would require users to have MFA enabled, or otherwise be blocked from doing anything with their IAM User in the AWS account.
Various things to run in Terminal on a new Mac (Updated)
- Get rid of the annoying network stores: `defaults write com.apple.desktopservices DSDontWriteNetworkStores true`
- Stop telling me shit I already know: `defaults write com.apple.LaunchServices LSQuarantine -bool NO`
- Put Screenshots in their own Directory on the Desktop: `mkdir ~/Desktop/Screenshots` followed by `defaults write com.apple.screencapture location ~/Desktop/Screenshots`
- Set a Login Message: `sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Room17: Unauthorized Access Prohibited"`
- Disable saving to iCloud: `defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool FALSE`
- Disable Dashboard `defaults write com.
AWS Solutions Architect Professional
I passed the AWS Certified Solutions Architect – Professional Level exam this morning. The combination of all the reading and Vegas’s dry air has given me major eye aches.
Turner’s Presentation at re:Invent 2016
My VP, Michael Koetter, gave a presentation in the Media Track at re:Invent on the AWS-based Content Supply Chain we’re building.
You can check it out here:
Plus a Link to SlideShare.net where you can see one of my diagrams: http://www.slideshare.net/AmazonWebServices/aws-reinvent-2016-turners-cloud-native-media-supply-chain-for-tnt-tbs-adult-swim-cartoon-network-cnn-mae302