Delete AWS WAF webAcl - amazon-web-services

I am trying to delete an AWS WAF WebACL that was created using Firewall Manager a few months ago, but someone has removed the Firewall Manager policy, probably without ticking the "delete all policy resources" checkbox, so the WebACL still exists, but I can't delete it.
When I try to remove the WebACL I get the following error message:
Error You don't have permissions to delete the resource because it's managed by Firewall Manager.
Since the Firewall Manager policy doesn't exist anymore, I have no idea how to delete this resource. I also opened a case with AWS Support from another account for which I pay for Developer Support, and the guy said that only their service team could solve this, but I can't believe the only way to delete a WebACL is paying them for it.
https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_DeletePolicy.html
I tried to remove the WebACL, but it seems to be impossible since the source was a Firewall Manager policy. By checking CloudTrail logs I couldn't find who deleted the policy (probably it was more than 90 days ago). I also tried removing it via the CLI and asking AWS Support for help (maybe they could send me a doc to solve it), but no way.
Is there any way that I can solve this?
Thanks!!
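The situation in the question (a WebACL still flagged as Firewall Manager-managed after its policy is gone) can be spotted across an account before anyone hits the deletion error. The following is an added example, not code from the question or from AWS: it classifies WebACLs from constructed sample data shaped like the WebACL object returned by `aws wafv2 get-web-acl` (whose `ManagedByFirewallManager` field is real) and the `PolicyList` returned by `aws fms list-policies`. The naming convention `FMManagedWebACLV2-<policy-name>-<timestamp>` used to map an ACL back to its policy is an assumption about how Firewall Manager names the ACLs it creates.

```python
# Constructed sample data (not real account data). Each entry mimics the
# "WebACL" object of `aws wafv2 get-web-acl`, collected for every ACL that
# `aws wafv2 list-web-acls` reported.
WEB_ACLS = [
    {"Name": "FMManagedWebACLV2-prod-edge-policy-1650000000000",
     "Id": "11111111-1111-1111-1111-111111111111",
     "ManagedByFirewallManager": True},
    {"Name": "FMManagedWebACLV2-staging-policy-1650000000001",
     "Id": "22222222-2222-2222-2222-222222222222",
     "ManagedByFirewallManager": True},
    {"Name": "app-owned-acl",
     "Id": "33333333-3333-3333-3333-333333333333",
     "ManagedByFirewallManager": False},
]

# Constructed sample shaped like `aws fms list-policies` output: only the
# staging policy still exists; the prod-edge policy was deleted.
FMS_POLICIES = {"PolicyList": [
    {"PolicyName": "staging-policy",
     "PolicyId": "aaaaaaaa-0000-0000-0000-000000000000",
     "SecurityServiceType": "WAFV2"},
]}

# Assumed naming convention for ACLs that Firewall Manager creates.
FM_PREFIX = "FMManagedWebACLV2-"


def policy_name_from_acl(acl_name):
    """Recover the FMS policy name from an FMS-generated WebACL name.

    Returns None for ACLs that do not follow the assumed FM naming scheme.
    """
    if not acl_name.startswith(FM_PREFIX):
        return None
    rest = acl_name[len(FM_PREFIX):]
    body, sep, timestamp = rest.rpartition("-")
    # Strip the trailing numeric timestamp if one is present.
    if sep and timestamp.isdigit():
        return body
    return rest


def classify_web_acls(web_acls, fms_policies):
    """Map each WebACL name to one of:
       "unmanaged"          - not flagged as managed by Firewall Manager
       "managed:<policy>"   - flagged, and a live WAFV2 FMS policy matches
       "orphaned"           - flagged, but no live FMS policy accounts for it
    Orphaned ACLs are the ones the account itself can no longer delete.
    """
    live_policies = {
        p["PolicyName"]
        for p in fms_policies.get("PolicyList", [])
        if p.get("SecurityServiceType") == "WAFV2"
    }
    result = {}
    for acl in web_acls:
        if not acl.get("ManagedByFirewallManager", False):
            result[acl["Name"]] = "unmanaged"
            continue
        policy = policy_name_from_acl(acl["Name"])
        if policy in live_policies:
            result[acl["Name"]] = "managed:" + policy
        else:
            result[acl["Name"]] = "orphaned"
    return result


if __name__ == "__main__":
    for name, state in classify_web_acls(WEB_ACLS, FMS_POLICIES).items():
        print(f"{state:<24} {name}")
```

Running the audit periodically (or before deleting a Firewall Manager policy) makes the cost of skipping "delete all policy resources" visible: anything reported as orphaned will need AWS involvement to remove, exactly as the question describes.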

Related

AWS - Not able to enable AWS Inspector in us-west 2

We are not able to enable Amazon Inspector in our account in us-west-2. Our observation is that we are able to enable it in the other regions.
We use CloudFormation to set up the infrastructure. Looking at the error, we thought that this might be due to some conflicting stacks/StackSets in our account. So we went ahead and deleted all those. However, even after a day, the issue still persists.
We are getting the following error message:
Two state changes cannot be made at the same time. Wait till current status change completes.
Has anyone faced this issue? Is there a way to resolve this?
Amazon Inspector needs some policies to be enabled first:
Go to IAM policies.
Choose Create new policy.
Choose Inspector2 as the service.
Choose the action BatchGetAccountStatus. Then
attach the new policy to your user account.
If it is still not enabled, see the needed permissions on the Inspector landing page and repeat these steps to add those permissions.

I can't find and disable AWS resources

My free AWS tier is going to expire in 8 days. I removed every EC2 resource and Elastic IP associated with it, because that is what I recall initializing and experimenting with. I deleted all the roles I created because, as I understand it, roles permit AWS to perform actions for AWS services. And yet, when I go to the billing page it shows I have these three services that are in current usage.
Screenshot: https://i.stack.imgur.com/RvKZc.png
I used the script as recommended by AWS documentation to check for all instances and it shows "no resources found".
Link for script: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-awssupport-listec2resources.html
I tried searching for each service using the dashboard and didn't get anywhere. I found an S3 bucket, I don't remember creating it but I deleted it anyway, and still, I get the same output.
Any help is much appreciated.
OK, I was able to get in touch with AWS Support via live chat, and they informed me that those services in my billing were usage generated before the services were terminated. AWS Support was much faster than I expected.

Is it possible to associate an IAM role with an Aurora cluster?

I would like to load one of my tables in RDS directly onto S3 using INTO OUTFILE S3 ....
I am following the directions here: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.SaveIntoS3.html
One of the steps requires that I associate an IAM role with my cluster. But for some reason, that option is grayed out:
As a result, when I try to use INTO OUTFILE S3 ... I still get this error message: S3 API returned error: Missing Credentials: Cannot instantiate S3 Client.
I am 99% certain that it worked for me in the past by just following the rules but I can't seem to reproduce it.
Does anybody know how to fix this?
Thanks a ton!
I believe this is a UI bug; my account does not show this new UI. In general, adding roles is a cluster-level action. Your screenshot is censored heavily, so I can't make out if you were trying this on a cluster or on an instance.
The workaround, as you've figured out already, is to use the AddRoleToCluster API. If you do think it's a UI bug, do post on the AWS Forums or open a support case so that someone addresses it. Cheers.
Found the solution. The console is sometimes not displaying things properly. Use the command in the CLI and it should work fine. Here it is:
PROMPT> aws rds add-role-to-db-cluster --db-cluster-identifier [ENTER_YOUR_CLUSTER] --role-arn [ENTER_THE_ROLE]
Taken from: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_AuroraSettingUp.html

Terraform destroy to get error response from AWS API?

AWS won't let you delete a VPC if there are instances in it.
If I create a non TF-managed instance in a VPC (that I did create with terraform) and then do a terraform destroy TF hangs waiting.
I can then go to the AWS console and manually delete the VPC and get a useful response from AWS as to why it can't be deleted, plus a list of the offending resources I can manually delete.
Is there a verbose switch where Terraform would spit out these messages from the AWS API? I assume the AWS API returns this info, but perhaps it only does that when deleting via the console?
I haven't found any info on how to make the TF destroy command return this info, so I assume it's probably not possible, but wanted to confirm.
You can get more information from Terraform by setting the TF_LOG variable before executing terraform. There are a few levels of logging, which should look familiar if you are familiar with syslog severity levels (i.e. INFO, WARN, ERROR, etc.). Setting this variable is a very useful debugging strategy.
Setting TF_LOG=DEBUG should at least let you determine which AWS API calls are being made. In my experience with Terraform, it's not uncommon for an API call to fail; and Terraform sometimes won't report an error, hangs, or does report an error but the information is archaic at best. This is something the Terraform community is working on, and there are GitHub issues open for similar behavior.
If, after setting the TF_LOG environment variable, the API call is indeed failing, I suggest that you open a GitHub issue with Terraform, and please format it using the issues contributing guidelines.
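A TF_LOG=DEBUG run of a hanging destroy is thousands of lines, and the answer it contains is usually the same AWS error repeated on every retry. The script below is an added example, not part of the answer above or of Terraform: it pulls the AWS API error responses out of debug output and counts how often each (operation, error code) pair recurs, which is what distinguishes "retrying a DependencyViolation forever" from a genuine hang. The log excerpt is constructed to resemble the aws-sdk-go request/response lines the AWS provider writes at DEBUG level; the exact line layout varies between provider versions, so the regexes key only on the `Response <service>/<Operation> Details` marker and the `<Code>`/`<Message>` elements of the EC2 error body.

```python
import re
from collections import Counter

# Constructed sample of TF_LOG=DEBUG output (not a real capture). Two failed
# DeleteVpc attempts are followed by a successful DescribeVpcs.
SAMPLE_TF_LOG = """\
2023-03-01T10:00:01.000Z [DEBUG] provider.terraform-provider-aws: [aws-sdk-go] DEBUG: Request ec2/DeleteVpc Details:
2023-03-01T10:00:01.200Z [DEBUG] provider.terraform-provider-aws: [aws-sdk-go] DEBUG: Response ec2/DeleteVpc Details:
2023-03-01T10:00:01.200Z [DEBUG] provider.terraform-provider-aws: HTTP/1.1 400 Bad Request
2023-03-01T10:00:01.200Z [DEBUG] provider.terraform-provider-aws: <Response><Errors><Error><Code>DependencyViolation</Code><Message>The vpc 'vpc-0123456789abcdef0' has dependencies and cannot be deleted.</Message></Error></Errors><RequestID>11111111-2222-3333-4444-555555555555</RequestID></Response>
2023-03-01T10:00:06.300Z [DEBUG] provider.terraform-provider-aws: [aws-sdk-go] DEBUG: Response ec2/DeleteVpc Details:
2023-03-01T10:00:06.300Z [DEBUG] provider.terraform-provider-aws: HTTP/1.1 400 Bad Request
2023-03-01T10:00:06.300Z [DEBUG] provider.terraform-provider-aws: <Response><Errors><Error><Code>DependencyViolation</Code><Message>The vpc 'vpc-0123456789abcdef0' has dependencies and cannot be deleted.</Message></Error></Errors><RequestID>66666666-7777-8888-9999-000000000000</RequestID></Response>
2023-03-01T10:00:07.000Z [DEBUG] provider.terraform-provider-aws: [aws-sdk-go] DEBUG: Response ec2/DescribeVpcs Details:
2023-03-01T10:00:07.000Z [DEBUG] provider.terraform-provider-aws: HTTP/1.1 200 OK
"""

# Marks the start of a logged API response, e.g. "Response ec2/DeleteVpc Details".
RESPONSE_RE = re.compile(r"DEBUG: Response (?P<op>[\w-]+/\w+) Details")
# EC2-style XML error body: <Code>...</Code><Message>...</Message>.
ERROR_RE = re.compile(r"<Code>(?P<code>[^<]+)</Code>\s*<Message>(?P<msg>[^<]*)</Message>")
# Common EC2 resource identifiers mentioned inside error messages.
RESOURCE_ID_RE = re.compile(r"\b(?:vpc|subnet|sg|igw|eni|i|rtb|nat)-[0-9a-f]{8,17}\b")


def extract_api_errors(log_text):
    """Return one record per AWS API error found in the debug log.

    Each record carries the operation whose response contained the error,
    the error code, the message, and any EC2 resource IDs named in it.
    """
    errors = []
    current_op = None
    for line in log_text.splitlines():
        marker = RESPONSE_RE.search(line)
        if marker:
            current_op = marker.group("op")   # remember which call this body belongs to
            continue
        err = ERROR_RE.search(line)
        if err:
            errors.append({
                "operation": current_op,
                "code": err.group("code"),
                "message": err.group("msg"),
                "resources": RESOURCE_ID_RE.findall(err.group("msg")),
            })
    return errors


def summarize_retries(errors):
    """Count how many times each (operation, code) pair failed; a high count
    on one pair is the signature of Terraform retrying a non-retryable error."""
    return Counter((e["operation"], e["code"]) for e in errors)


if __name__ == "__main__":
    found = extract_api_errors(SAMPLE_TF_LOG)
    for (op, code), n in summarize_retries(found).items():
        ids = sorted({r for e in found for r in e["resources"] if e["operation"] == op})
        print(f"{op}: {code} x{n}  resources={ids}")
```

To use it on a real run, redirect the debug output to a file (`TF_LOG=DEBUG terraform destroy 2> tf-debug.log`) and feed the file's contents to `extract_api_errors`; the resource IDs it reports are the ones to look up in the console, since the API message itself does not list the dependent resources the way the console does.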

The service role arn:aws:iam::20011470201:role/deploy doesn't have permission to perform the following operation: autoscaling:DescribeLifecycleHooks

Has anyone come across the below error before?
The service role arn:aws:iam::20011470201:role/deploy doesn't have permission to perform the following operation: autoscaling:DescribeLifecycleHooks
I have CodeDeploy set up between my Bitbucket account and my Amazon AWS instance.
I am able to deploy to the test server every day without issue.
But when I try to add the instance of our production server to the list of instances, I get the above error.
Note: I have added this instance and successfully deployed the code in the past; I'm not sure why I get this error now.
Any directions/hints on how to solve this would be appreciated.
Not sure how I missed it, but the policy I had defined was missing "autoscaling:DescribeLifecycleHooks"; once I added this to the existing permissions everything worked fine.
Then again, the policy has not changed in well over a year; not sure why AWS did not complain about this earlier.
We recently rolled out a fix for permission issues between CodeDeploy and Auto Scaling. Previously CodeDeploy didn't require autoscaling:DescribeLifecycleHooks to describe or create a lifecycle hook in Auto Scaling when a customer's deployment group contains Auto Scaling groups. But now we have started to require this permission, which is actually the right way and also expected. Adding the proper permission fixes the problem.
Thanks,
Binbin
I see that you fixed this. Can you paste an example config here so noobs like me know just how to place this bit of code? Oh, and I can't comment on your accepted solution yet, not enough points...
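For the request above for an example of where the permission goes: the following is an added example, not a config posted by anyone in this thread or shipped by AWS. It parses the "doesn't have permission to perform the following operation" message into the role and the missing action, checks a policy document for it with a deliberately simplified evaluation (Allow/Deny on the Action field only, ignoring Resource and Condition), and returns a copy of the policy with the action added to the existing statement for that service, or in a new statement when none exists. The policy document and the account ID 123456789012 in the error message are constructed. The same helper covers the Inspector answer earlier on this page, where the action to grant is inspector2:BatchGetAccountStatus.

```python
import copy
import fnmatch
import re

# Constructed sample (not the poster's real message): the account ID is a placeholder.
SAMPLE_ERROR = ("The service role arn:aws:iam::123456789012:role/deploy doesn't have "
                "permission to perform the following operation: autoscaling:DescribeLifecycleHooks")

PERMISSION_ERROR_RE = re.compile(
    r"service role (?P<role>arn:aws:iam::\d+:role/[\w+=,.@/-]+) "
    r"doesn't have permission to perform the following operation: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9*]+)"
)

# Constructed customer-managed policy for the CodeDeploy service role; it has
# several autoscaling actions but not DescribeLifecycleHooks.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AutoScalingForCodeDeploy", "Effect": "Allow",
         "Action": ["autoscaling:DescribeAutoScalingGroups",
                    "autoscaling:CompleteLifecycleAction",
                    "autoscaling:PutLifecycleHook",
                    "autoscaling:DeleteLifecycleHook"],
         "Resource": "*"},
        {"Sid": "Ec2Read", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances"], "Resource": "*"},
    ],
}


def parse_missing_permission(message):
    """Return (role_arn, action) from the error text, or None if it does not match."""
    m = PERMISSION_ERROR_RE.search(message)
    return (m.group("role"), m.group("action")) if m else None


def _statements(policy):
    s = policy.get("Statement", [])
    return s if isinstance(s, list) else [s]   # Statement may be a single object


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def policy_allows(policy, action):
    """Simplified check: an explicit Deny wins, otherwise any matching Allow
    grants the action. Supports '*' wildcards in Action strings."""
    allowed = False
    for stmt in _statements(policy):
        patterns = _as_list(stmt.get("Action"))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def add_action(policy, action):
    """Return a new policy granting `action`. The action is appended to the first
    Allow statement on Resource "*" that already covers the same service
    (keeping the policy compact); otherwise a new statement is added."""
    new_policy = copy.deepcopy(policy)
    service = action.split(":", 1)[0]
    for stmt in _statements(new_policy):
        if stmt.get("Effect") != "Allow" or stmt.get("Resource") != "*":
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a.split(":", 1)[0] == service for a in actions):
            if action not in actions:
                actions.append(action)
            stmt["Action"] = actions
            return new_policy
    new_policy["Statement"] = _statements(new_policy) + [
        {"Effect": "Allow", "Action": [action], "Resource": "*"}]
    return new_policy


if __name__ == "__main__":
    role, action = parse_missing_permission(SAMPLE_ERROR)
    print(f"{role} lacks {action}: allowed={policy_allows(EXISTING_POLICY, action)}")
    fixed = add_action(EXISTING_POLICY, action)
    print(f"after fix: allowed={policy_allows(fixed, action)}")
```

The returned document is what you would paste back into the role's policy (console or `aws iam put-role-policy`); because the function works on a copy, the original stays untouched for diffing, which is worth keeping in mind when a service starts enforcing a permission it previously did not, as the CodeDeploy reply above describes.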