AWS - Not able to enable AWS Inspector in us-west-2

We are not able to enable AWS Inspector in our account in us-west-2. Our observation is that we are able to enable it in the other regions.
We use CloudFormation to set up the infrastructure. Looking at the error, we thought that this might be due to some conflicting stacks/StackSets in our account, so we went ahead and deleted all those. However, even after a day, the issue still persists.
We are getting the following error message:
Two state changes cannot be made at the same time. Wait till current status change completes.
Has anyone faced this issue? Is there a way to resolve this?

Amazon Inspector needs some policies to be enabled first:
Go to IAM policies
Choose create new policy
Choose inspector2 as the service
Choose the action BatchGetAccountStatus, then
attach the new policy to your user account.
If it is still not enabled, see the needed permissions on the Inspector landing page and follow the same steps to add those permissions.
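An added example, mine rather than code from the question or the answer: the policy document that the console steps above produce, plus a helper that reads the BatchGetAccountStatus response and reports whether an enable or disable is still in flight, which is the condition behind "Two state changes cannot be made at the same time". The account ID and the sample response are constructed; `enable_inspector` needs boto3 and credentials and is not run here.

```python
import json
import time

# The policy the answer builds in the console, as a document you can attach
# with `aws iam create-policy`. inspector2:BatchGetAccountStatus is what the
# Inspector landing page calls; inspector2:Enable is what the Enable button
# itself calls.
INSPECTOR_ENABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadStatusAndEnableInspector",
            "Effect": "Allow",
            "Action": [
                "inspector2:BatchGetAccountStatus",
                "inspector2:ListAccountPermissions",
                "inspector2:Enable",
            ],
            "Resource": "*",
        }
    ],
}

# Statuses that mean a state change is still running. Inspector rejects a
# second Enable/Disable while any of these is present.
TRANSIENT_STATUSES = {"ENABLING", "DISABLING", "SUSPENDING"}


def pending_state_changes(status_response):
    """Return [(account_id, scope, status)] for everything still transitioning.

    `status_response` has the shape boto3 returns from
    inspector2.batch_get_account_status(): an account-level state plus one
    state per resource type (ec2, ecr, lambda, ...).
    """
    pending = []
    for acct in status_response.get("accounts", []):
        acct_id = acct["accountId"]
        if acct["state"]["status"] in TRANSIENT_STATUSES:
            pending.append((acct_id, "account", acct["state"]["status"]))
        for scope, state in sorted(acct.get("resourceState", {}).items()):
            if state["status"] in TRANSIENT_STATUSES:
                pending.append((acct_id, scope, state["status"]))
    return pending


def enable_inspector(region, resource_types=("EC2", "ECR"), timeout=600):
    """Enable Inspector in `region` once any in-flight change has settled.

    Needs boto3 and credentials carrying the policy above; not run offline.
    """
    import boto3  # lazy import so the pure helpers work without boto3

    client = boto3.client("inspector2", region_name=region)
    deadline = time.time() + timeout
    while pending_state_changes(client.batch_get_account_status()):
        if time.time() > deadline:
            raise TimeoutError("Inspector state change never settled")
        time.sleep(15)
    resp = client.enable(resourceTypes=list(resource_types))
    if resp.get("failedAccounts"):
        # Each entry carries errorCode/errorMessage explaining the refusal.
        raise RuntimeError(f"enable failed: {resp['failedAccounts']}")
    return resp["accounts"]


# Constructed sample response: ECR scanning is on, EC2 is still enabling.
SAMPLE_STATUS = {
    "accounts": [
        {
            "accountId": "123456789012",
            "state": {"status": "ENABLING"},
            "resourceState": {
                "ec2": {"status": "ENABLING"},
                "ecr": {"status": "ENABLED"},
            },
        }
    ],
    "failedAccounts": [],
}

if __name__ == "__main__":
    print(json.dumps(INSPECTOR_ENABLE_POLICY, indent=2))
    for acct_id, scope, status in pending_state_changes(SAMPLE_STATUS):
        print(f"{acct_id}: {scope} is {status}, wait before retrying")
```

The CLI equivalent of the poll is `aws inspector2 batch-get-account-status --region us-west-2`. A status that sits in ENABLING well past the timeout is not something the caller can clear from the client side; that output is what to attach to a support case.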

Related

I can't find and disable AWS resources

My AWS free tier is going to expire in 8 days. I removed every EC2 resource and Elastic IP associated with it, because that is what I recall initializing and experimenting with. I deleted all the roles I created because, as I understand it, roles permit AWS to perform actions for AWS services. And yet, when I go to the billing page, it shows I have these three services in current usage.
I used the script as recommended by AWS documentation to check for all instances and it shows "no resources found".
Link for script: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-awssupport-listec2resources.html
I tried searching for each service using the dashboard and didn't get anywhere. I found an S3 bucket, I don't remember creating it but I deleted it anyway, and still, I get the same output.
Any help is much appreciated.
OK, I was able to get in touch with AWS Support via live chat, and they informed me that those services in my billing were usage generated before the services were terminated. AWS Support was much faster than I expected.

How to setup AWS sagemaker - Resource limit Error

I'm trying to set up my first SageMaker Studio so my team and I can run some post-processing scripts in a shared environment, but I'm having issues.
I've followed the steps in this video (https://www.youtube.com/watch?v=wiDHCWVrjCU&ab_channel=AmazonWebServices), which are:
Select Standard setup
Select AWS Identity and Access Management (IAM)
Under permissions - Create and select new execution role
Under Network and storage - Select VPC, Subnet and Security group
Hit the submit button at the bottom of the page.
In the video, he clicks submit and is taken to the control panel where he starts the next phase of adding users; however, I'm greeted with this error.
Resource limit Error
I've checked my registered domains under Route 53 and it says No domains to display. I've also checked my EC2 and I have no instances, so I have no idea where the 2 domains being utilized are.
My dashboard, images and notebooks are all empty, so as far as I know there's nothing set up on this SageMaker account.
Could anyone tell me how to resolve this error?
AWS SageMaker now supports multi-domain (announced at re:Invent 2022, tested in us-east-1).
You can have a maximum of 1 Studio domain per region by the default limits. Though, it seems like you have two domains already provisioned. Try to delete all the domains through the AWS CLI and recreate with the AWS Management Console.
Unfortunately, the AWS Management Console cannot visualize more than one Studio domain.
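An added example of the "delete all the domains through the CLI" step, written here rather than taken from either answer. It encodes the order the SageMaker API enforces: apps are deleted before their user profile, and user profiles before the domain, and it lists every domain in the region rather than the single one the console shows. `deletion_plan` is pure and is exercised on constructed API responses; `run_cleanup` needs boto3 and credentials. Domain IDs, profile names and app names are constructed.

```python
import time


def deletion_plan(domains, user_profiles, apps):
    """Order Studio deletions so each call's dependencies are already gone.

    domains       -> sagemaker.list_domains()["Domains"]
    user_profiles -> {domain_id: list_user_profiles(DomainIdEquals=...)["UserProfiles"]}
    apps          -> {domain_id: list_apps(DomainIdEquals=...)["Apps"]}
    Returns [(boto3 method name, kwargs)] in execution order.
    """
    plan = []
    for dom in domains:
        did = dom["DomainId"]
        for app in apps.get(did, []):
            if app.get("Status") == "Deleted":
                continue  # list_apps keeps deleted apps for a while; skip them
            kwargs = {"DomainId": did, "AppType": app["AppType"], "AppName": app["AppName"]}
            # An app belongs either to a user profile or to a shared space.
            if app.get("SpaceName"):
                kwargs["SpaceName"] = app["SpaceName"]
            else:
                kwargs["UserProfileName"] = app["UserProfileName"]
            plan.append(("delete_app", kwargs))
        for prof in user_profiles.get(did, []):
            plan.append(("delete_user_profile",
                         {"DomainId": did, "UserProfileName": prof["UserProfileName"]}))
        # "Delete" also removes the users' EFS home directories; use "Retain"
        # if anything stored in Studio must survive the rebuild.
        plan.append(("delete_domain",
                     {"DomainId": did, "RetentionPolicy": {"HomeEfsFileSystem": "Delete"}}))
    return plan


def collect_state(client):
    """Read every domain in the region (the console only shows one)."""
    domains = client.list_domains()["Domains"]
    profiles = {d["DomainId"]: client.list_user_profiles(DomainIdEquals=d["DomainId"])["UserProfiles"]
                for d in domains}
    apps = {d["DomainId"]: client.list_apps(DomainIdEquals=d["DomainId"])["Apps"]
            for d in domains}
    return domains, profiles, apps


def run_cleanup(region, poll_seconds=10):
    """Execute the plan. delete_app is asynchronous, so wait for each app to
    reach Deleted before moving on, or the profile delete is rejected."""
    import boto3  # lazy import so deletion_plan works without boto3

    client = boto3.client("sagemaker", region_name=region)
    for op, kwargs in deletion_plan(*collect_state(client)):
        getattr(client, op)(**kwargs)
        if op == "delete_app":
            while True:
                try:
                    if client.describe_app(**kwargs)["Status"] == "Deleted":
                        break
                except client.exceptions.ResourceNotFound:
                    break
                time.sleep(poll_seconds)


# Constructed responses for two domains, as the asker's account seemed to have.
SAMPLE_DOMAINS = [{"DomainId": "d-aaaaaaaaaaaa"}, {"DomainId": "d-bbbbbbbbbbbb"}]
SAMPLE_PROFILES = {"d-aaaaaaaaaaaa": [{"UserProfileName": "alice"}], "d-bbbbbbbbbbbb": []}
SAMPLE_APPS = {
    "d-aaaaaaaaaaaa": [
        {"UserProfileName": "alice", "AppType": "JupyterServer", "AppName": "default", "Status": "InService"},
        {"UserProfileName": "alice", "AppType": "KernelGateway", "AppName": "old", "Status": "Deleted"},
    ],
    "d-bbbbbbbbbbbb": [],
}

if __name__ == "__main__":
    for op, kwargs in deletion_plan(SAMPLE_DOMAINS, SAMPLE_PROFILES, SAMPLE_APPS):
        print(op, kwargs)
```

`collect_state` does not page; a region with more domains or profiles than one page returns needs the `NextToken` loop added. The CLI calls it wraps are `aws sagemaker list-domains`, `list-apps`, `delete-app`, `delete-user-profile` and `delete-domain --retention-policy HomeEfsFileSystem=Delete`.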

GCP: How to completely delete a custom role

I have been working with GCP IAM, and while writing a script that creates and deletes custom roles on demand I (accidentally) created 300 roles, which is the max quota of roles allowed in GCP, and now I can't create new roles.
I have tried to delete them, but it only changes their status to deleted and doesn't really delete the role.
Is there a way to completely delete the roles I have created so I will be able to release the quota?
The best solution I'm looking for is using the GCP API in Python, because I still need to create a script that creates and deletes custom roles on demand.
If the status of the custom roles that you want deleted is already "deleted", the quota they consume will be released after 7 days. The reason they still show is that there is an option to undelete. Here is what the official GCP documentation says:
When a role is deleted, its bindings remain, but are inactive. You can undelete a role within 7 days. During this 7-day period, the role will show as Deleted in the Cloud Console, and will not appear in programmatic list commands (unless showDeleted is set in the request).
After 7 days, the role is scheduled for permanent deletion. At this point, the role no longer counts towards the limit of 300 custom roles per organization or 300 custom roles per project.
You can check this link for a better explanation with regards to the topic and the code needed for it.
You don't need any script. Just go to the console, IAM --> Roles, and from there use the filter and choose Type: Custom. After that, click on the primary checkbox to select all the results and remove them.
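An added example for the Python API the asker wanted; it is mine, not code from the question or either answer. It uses the IAM v1 REST client (`googleapiclient.discovery.build("iam", "v1")`) and relies on the `deleted` flag that `projects.roles.list` exposes when `showDeleted=True`. The practical point is to stop burning quota: a soft-deleted role keeps both its quota slot and its ID for the 7 days quoted above, so a create-on-demand script should undelete and patch a role it deleted earlier instead of calling `create` again. `quota_usage` and `find_role` are pure and are checked on constructed role resources; `list_roles`, `ensure_role` and `delete_role` make real API calls and are not run here. The project name and role IDs are constructed.

```python
ROLE_LIMIT = 300  # per project and per organization, per the docs quoted above


def quota_usage(roles, limit=ROLE_LIMIT):
    """roles: Role resources from projects.roles.list(showDeleted=True).

    Soft-deleted roles still count for up to 7 days, so both kinds are
    charged against `limit`.
    """
    pending = sum(1 for r in roles if r.get("deleted"))
    active = len(roles) - pending
    return {"active": active, "pending_deletion": pending,
            "remaining": max(limit - active - pending, 0)}


def find_role(roles, name):
    """Return the Role resource called `name` (projects/P/roles/ID), or None."""
    return next((r for r in roles if r.get("name") == name), None)


def list_roles(service, parent):
    """Page through every custom role under `parent`, deleted ones included."""
    roles, token = [], None
    while True:
        resp = service.projects().roles().list(
            parent=parent, showDeleted=True, view="FULL", pageToken=token).execute()
        roles.extend(resp.get("roles", []))
        token = resp.get("nextPageToken")
        if not token:
            return roles


def ensure_role(service, project, role_id, permissions, title):
    """Create-or-reuse: undelete and patch a soft-deleted role rather than
    failing on its still-occupied ID and quota slot."""
    parent = f"projects/{project}"
    name = f"{parent}/roles/{role_id}"
    roles = list_roles(service, parent)
    body = {"title": title, "includedPermissions": sorted(permissions), "stage": "GA"}
    existing = find_role(roles, name)
    if existing is None:
        usage = quota_usage(roles)
        if usage["remaining"] == 0:
            raise RuntimeError(f"custom role quota exhausted: {usage}")
        return service.projects().roles().create(
            parent=parent, body={"roleId": role_id, "role": body}).execute()
    if existing.get("deleted"):
        existing = service.projects().roles().undelete(
            name=name, body={"etag": existing["etag"]}).execute()
    body["etag"] = existing["etag"]  # etag guards against concurrent edits
    return service.projects().roles().patch(name=name, body=body).execute()


def delete_role(service, name, etag):
    """Soft delete; the slot is released automatically after 7 days."""
    return service.projects().roles().delete(name=name, etag=etag).execute()


# Constructed listing: 298 live roles plus two awaiting permanent deletion,
# i.e. the situation where a plain create() is refused.
SAMPLE_ROLES = [{"name": f"projects/demo/roles/r{i}", "etag": "e"} for i in range(298)]
SAMPLE_ROLES += [{"name": "projects/demo/roles/scratch1", "etag": "e1", "deleted": True},
                 {"name": "projects/demo/roles/scratch2", "etag": "e2", "deleted": True}]

if __name__ == "__main__":
    # Live use: iam = googleapiclient.discovery.build("iam", "v1")
    #           ensure_role(iam, "demo", "scratch1", ["storage.objects.get"], "Scratch 1")
    print(quota_usage(SAMPLE_ROLES))
```

The undelete path reuses the role's old ID, so the script should treat role IDs as a fixed pool it cycles through rather than minting a fresh ID per run; that is what keeps the count flat instead of climbing towards the 300 limit.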

AWS kibana/ES trying to create policy but getting "authorization exception"

I created an AWS ES cluster via Terraform, VPC version.
It got me a Kibana instance which I can access through a URL.
I access it via a proxy, as it is in a VPC and thus not publicly accessible.
All good. But recently I ran out of disk. The infamous Write Status was red, and nothing was being written into the cluster anymore.
As this is a dev environment, I googled and found the easiest possible fix for this:
curl -XDELETE <URL>/*
So far so good, logs are being written again.
But now I thought I need to fix this. So I did some more reading and wanted to create an Index State Management policy. I just took the default one and only changed the notification destination.
But when hitting "Create Policy" I get:
Sorry, there was an error
Authorization Exception
Which is quite odd, as AWS just created a Kibana instance with no user management whatsoever, so I would assume I have all rights.
Any idea?
Indeed, we had to ask support, and the reason it was failing was that, as this is a dev environment and not production, we had no master nodes and also no UltraWarm storage. The sample strategy I was trying to install moves from hot to warm, which apparently actually means UltraWarm, and thus needs UltraWarm storage enabled.
A bit of an inappropriate error message, though.
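An added example (mine, not from the question or the answer) of the mismatch the answer describes: an ISM policy of the hot-to-warm shape, checked against the storage tiers the domain actually has, next to a single-tier policy that a dev domain without UltraWarm can run and that still stops the disk from filling up. The policy JSON follows the ISM policy format; the index pattern, sizes and ages are constructed. `put_policy` issues the real request and is not run here.

```python
import json

# ISM actions that move an index to a storage tier the domain must already
# have. This is what the generic "Authorization Exception" in Kibana hid.
TIER_ACTIONS = {"warm_migration": "UltraWarm", "cold_migration": "cold storage"}


def unsupported_actions(policy, *, has_ultrawarm, has_cold=False):
    """Return [(state, action, tier)] for every action the domain cannot run."""
    available = {"UltraWarm": has_ultrawarm, "cold storage": has_cold}
    problems = []
    for state in policy["policy"]["states"]:
        for action in state.get("actions", []):
            for action_name in action:
                tier = TIER_ACTIONS.get(action_name)
                if tier and not available[tier]:
                    problems.append((state["name"], action_name, tier))
    return problems


def hot_warm_delete_policy(index_pattern, warm_after="7d", delete_after="30d"):
    """hot -> warm (UltraWarm) -> delete. Needs UltraWarm nodes on the domain.
    rollover only works for indices written through an alias."""
    return {"policy": {
        "description": "rollover, move to UltraWarm, then delete",
        "default_state": "hot",
        "states": [
            {"name": "hot",
             "actions": [{"rollover": {"min_size": "30gb", "min_index_age": "1d"}}],
             "transitions": [{"state_name": "warm", "conditions": {"min_index_age": warm_after}}]},
            {"name": "warm",
             "actions": [{"warm_migration": {}}],
             "transitions": [{"state_name": "delete", "conditions": {"min_index_age": delete_after}}]},
            {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
        ],
        "ism_template": {"index_patterns": [index_pattern], "priority": 100},
    }}


def hot_delete_policy(index_pattern, delete_after="14d"):
    """Single-tier alternative for a domain with no UltraWarm: keep indices
    hot, delete them by age. Fits daily log indices with no alias."""
    return {"policy": {
        "description": "delete by age; no UltraWarm required",
        "default_state": "hot",
        "states": [
            {"name": "hot", "actions": [],
             "transitions": [{"state_name": "delete", "conditions": {"min_index_age": delete_after}}]},
            {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
        ],
        "ism_template": {"index_patterns": [index_pattern], "priority": 100},
    }}


def put_policy(endpoint, policy_id, policy, auth=None, has_ultrawarm=False):
    """PUT the policy, refusing up front if it needs a tier the domain lacks.

    Elasticsearch-engine domains expose ISM at /_opendistro/_ism/policies/;
    OpenSearch-engine domains at /_plugins/_ism/policies/.
    """
    import requests  # lazy: only needed for the live call

    problems = unsupported_actions(policy, has_ultrawarm=has_ultrawarm)
    if problems:
        raise ValueError(f"policy needs storage tiers the domain lacks: {problems}")
    url = f"{endpoint.rstrip('/')}/_opendistro/_ism/policies/{policy_id}"
    resp = requests.put(url, json=policy, auth=auth, timeout=30)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    sample = hot_warm_delete_policy("logs-*")
    print(unsupported_actions(sample, has_ultrawarm=False))
    print(json.dumps(hot_delete_policy("logs-*"), indent=2))
```

Because the policy is applied by `ism_template`, it attaches only to indices created after it is put; existing indices need `POST _opendistro/_ism/add/<index>` with the policy ID. A delete-by-age policy is also the controlled replacement for `curl -XDELETE <URL>/*`, which wipes every index on the domain, the ones still being written to included.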

The service role arn:aws:iam::20011470201:role/deploy doesn't have permission to perform the following operation: autoscaling:DescribeLifecycleHooks

Has anyone come across the below error before?
The service role arn:aws:iam::20011470201:role/deploy doesn't have permission to perform the following operation: autoscaling:DescribeLifecycleHooks
I have CodeDeploy set up between my Bitbucket account and my Amazon AWS instance.
I am able to deploy to the test server every day without issue.
But when I try to add the instance of our production server to the list of instances, I get the above error.
Note: I have added this instance and successfully deployed the code in the past; I'm not sure why I get this error now.
Any directions/hints on how to solve this would be appreciated.
Not sure how I missed it, but the policy I had defined was missing "autoscaling:DescribeLifecycleHooks"; once I added this to the existing permissions everything worked fine.
Then again, the policy has not changed in well over a year; not sure why AWS did not complain about this earlier.
We recently rolled out a fix for permission issues between CodeDeploy and Auto Scaling. Previously, CodeDeploy didn't require autoscaling:DescribeLifecycleHooks to describe or create a lifecycle hook in Auto Scaling when a customer's deployment group contains Auto Scaling groups. But now we have started to require this permission, which is actually the right way and also expected. Adding the proper permission fixes the problem.
Thanks,
Binbin
I see that you fixed this. Can you paste an example config here so noobs like me know just how to place this bit of code? Oh, and I can't comment on your accepted solution yet, not enough points...
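In reply to the request for an example config: this is an added example, mine rather than the original poster's policy, showing where `autoscaling:DescribeLifecycleHooks` sits in a CodeDeploy service role policy, plus a small check that reports which required actions a policy document fails to grant, which is exactly what the error message was saying. The action list is the lifecycle-hook subset of what the AWS-managed `AWSCodeDeployRole` policy grants; the "before" policy is constructed to reproduce the error.

```python
import fnmatch
import json

# Actions CodeDeploy needs when a deployment group contains Auto Scaling
# groups: read the group, and create/read/complete the lifecycle hook it
# installs. DescribeLifecycleHooks is the one the error above names.
REQUIRED_ACTIONS = [
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeLifecycleHooks",
    "autoscaling:PutLifecycleHook",
    "autoscaling:DeleteLifecycleHook",
    "autoscaling:CompleteLifecycleAction",
    "autoscaling:RecordLifecycleActionHeartbeat",
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus",
    "tag:GetResources",
]

# Inline policy for the service role (the one trusted by codedeploy.amazonaws.com)
# with the missing action included.
SERVICE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CodeDeployAutoScalingHooks",
         "Effect": "Allow",
         "Action": REQUIRED_ACTIONS,
         "Resource": "*"}
    ],
}

# Constructed "before" policy: the same grant minus the one action, which is
# enough to reproduce the poster's error.
OLD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": [a for a in REQUIRED_ACTIONS if a != "autoscaling:DescribeLifecycleHooks"],
         "Resource": "*"}
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _matches(pattern, action):
    # IAM matches action names case-insensitively, with * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required):
    """Return the `required` actions that `policy` does not allow.

    Handles string-or-list Action, wildcards such as autoscaling:Describe*,
    and explicit Deny statements, which override any Allow. Resource,
    Condition and NotAction are ignored: this is a document check, not an
    authorization decision.
    """
    allowed, denied = [], []
    for stmt in policy.get("Statement", []):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.extend(_as_list(stmt.get("Action")))
    return [a for a in required
            if any(_matches(d, a) for d in denied)
            or not any(_matches(p, a) for p in allowed)]


if __name__ == "__main__":
    print("old policy lacks:", missing_actions(OLD_POLICY, REQUIRED_ACTIONS))
    print("new policy lacks:", missing_actions(SERVICE_ROLE_POLICY, REQUIRED_ACTIONS))
    print(json.dumps(SERVICE_ROLE_POLICY, indent=2))
```

Attach the document with `aws iam put-role-policy --role-name deploy --policy-name CodeDeployAutoScalingHooks --policy-document file://policy.json`, or attach the managed `AWSCodeDeployRole` policy instead of maintaining the list by hand. The authoritative check, which does take Resource and Condition into account, is `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names autoscaling:DescribeLifecycleHooks`.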