This post isn’t an overview of the AWS Cost Explorer service, just a quick example of how to find out what your AWS account and its services are costing you.

So, when I came back from vacation, I noticed that we’ve paid more than usual for AWS CloudWatch for August — almost 50 dollars per day (included in the Others on the graph below):


AWS Lambda allows running code without needing to create and manage servers, also known as the serverless approach.

AWS Lambda determines how much CPU and memory is needed to run a function, and performs autoscaling when necessary.

The code to be run is organized into Lambda functions, which are run by triggers. Results can be checked in CloudWatch Logs.

As a trigger, you can use almost any AWS service, such as API Gateway, SQS, Application LoadBalancer, CloudFront, or Kinesis, or an external event, for example a webhook from GitHub.

In this post, we will…


To access a database server that has no public access (as it should be — access only from inside an AWS VPC), Tableau suggests using its tool called Tableau Bridge.

The idea is to have a Bridge service running in a network that has access to the database server via its Private IP. Bridge also encrypts the data while it transits the Internet.

In general, Tableau has written a lot of documentation about Bridge, but it’s a bit incomplete, in my opinion.

For example, the very first question for me was — does the Bridge service need to be…


One of my websites stopped working with a “Connection reset” error.

The NGINX configs seem to be correct, and other sites on the same server are working.

NGINX also logged nothing, no errors, and PHP-FPM is also fine.

Let’s check the website with curl:

$ curl -Iv https://example.setevoy.org.ua/
* Trying 139.59.205.180:443…
* Connected to example.setevoy.org.ua (139.59.205.180) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to example.setevoy.org.ua:443 …

A Private Hosted Zone in AWS Route53 lets you limit access to a domain’s DNS records, making them unavailable to DNS enumeration (or DNS brute-force), in which an attacker checks which records exist in a domain to build a list of endpoints to check for vulnerabilities.

For such attacks, there are many utilities, such as DNSEnum, DNSRecon, Fierce, or even the well-known Nmap with its dns-brute script.

The idea behind using private domain zones is that they can be reached only from inside a limited set of VPCs in an AWS account, but they cannot be…


In the first post — AWS: Web Application Firewall overview, configuration, and its monitoring — we covered its main components, created a WebACL and Rules for it, and set up basic monitoring.

We also configured collection of the WebACL’s logs with AWS Kinesis, but now it’s time to view them in Logz.io, as CloudWatch Logs isn’t available as a destination for WAF logs yet.

So, in this post, we will configure sending the logs to an AWS S3 bucket via AWS Kinesis, then configure Logz.io to pull those logs from S3, and finally look at the logs’ content and how it can be used for debugging.

AWS WAF (Web Application Firewall) is an AWS service that monitors incoming traffic for suspicious activity, such as SQL injection, to secure a web application. It can be attached to an AWS Application LoadBalancer, an AWS CloudFront distribution, Amazon API Gateway, or an AWS AppSync GraphQL API.

If a request matches the WAF’s rules, it will be blocked and its sender will get a 403 response.

AWS WAF consists of four main components:

  • Web ACL: an Access Control List, which holds the list of rules used to check incoming requests
  • IP Sets: lists of IP ranges that can be attached to an ACL


AWS CloudTrail is a service for auditing events in an AWS account and is enabled by default.

It records every action performed by a user, IAM role, or AWS service via the AWS Console, AWS CLI, or AWS SDK.

CloudTrail writes information about every API call, login to the system, and service event, and is an indispensable tool for AWS account security.

Such events are stored for 90 days, but you can configure a trail that stores selected events to an AWS S3 bucket and can send them to AWS CloudWatch, and in CloudWatch we can configure…


Recently, AWS blocked our AWS Simple Email Service because of its low bounce rate.

This can be checked in AWS SES > Reputation Dashboard; our account currently has the Under review status:

Arseny Zinchenko (setevoy)

Cloud Infrastructure and DevOps engineer
