i am trying to create a firewall manager policy using terraform. During the process i came across 2 resource groups for creating a rule group i.e. wasfv2_rule_group and wafregional_rule_group. i am confused to understand the difference between these 2 resources when creating an fms policy.
Since when i am creating a waf policy via console we don't see any difference between rule group for a region or without region.
Can someone please elaborate how these differ from one another and point to some documentation.
Thanks.
Related
We've shared AWS accounts among multiple teams and even though we ask not to create identical VPCs, there is always a case.
So my question is, how can we achieve this via policies (or if there is another way), that we define the set of CIDRs in AWS account policy so that when somebody creates a VPC with a CIDR that belongs to one of those, it throws an error?
Thank you.
when somebody creates a VPC with a CIDR that belongs to one of those, it throws an error?
No there is no such IAM policies. You have to develop your own custom solution for that. For example, trigger a lambda function based on CloudTrial events for creating VPC, and have the lambda function verify the CIDRs.
I am new in AWS so have couple of AWS VPC creation using CloudFormation service questions.
1. Scenario: I have created the yaml file and executed that in the stack. the VPC, route table and all the subnets get created successfully. now I have deleted one of the subnet manually (through console). Now I want that subnet back, so I was trying to run the "update" stack using the "current template" (though I have not made any modification in the template). it is showing me that there is no modification in the template error.
Question 1: How to install the deleted resource through template stack without modifying it.
2. Scenario: When we create VPC, we get default route table and NACL created.
Question 2: Why can't we use the default route table and NACL through cloudformation.
Question 3: is there any command from where we can get the default route table and NACL ID in cloudformation. (for eg : there is command where we can associate the subnets to routetable. something like that).
Thanks in advance.
It can be tricky indeed when stuff has changed outside of cloudformations state. Unlike some other IaC tools, it doesn't 'correct' the state of resources when they have deviated from the given state.
Remove the subnet resource from the template, update the stack with the removed resource, add the subnet back and again update the stack.
It's actually best practice to create new route tables and NACLs and associate them with the corresponding subnets, so there is actually no need to modify the default resources.
You can create a cloudformation custom resource to query for the id's and pass them to other resources. However this is not recommended due to answer 2. Ask yourself: what am I trying to achieve here? Is it really necessary?
I am having an interesting problem with AWS. The project I'm working on create's set of various AWS service instances in one predetermined zone. For example, one VPC, one firewall, one S3 bucket, RDS instance..
Now if one of these fails to be created for the lack of the general available resources in the region I have to go through nasty deletion and switch to another region.
Is there something in AWS API that can tell if there is enough resources to create instance of something without actually creating it?
if one of these fails to be created for the lack of the general available resources in the region I have to go through nasty deletion and switch to another region
Not a direct answer to your question (and I would have put it as a comment, but I lack reputation to comment... hint hint), but if you were to use CloudFormation, one of the very nice features of it is that if any one resource fails to create, it will roll back the entire stack. The other nice thing about CloudFormation is it will give you consistent infrastructure across your multiple regions. Have you explores using CloudFormation to deploy your resources.
I have several EC2 instances in my AWS amazon account. I have one specific EC2 instance that I want an outsourcer to use (stop,start, manage security group, resize disk space, etc).
I tried to do it with IAM policies, but from what I see, the DescribeInstances allows the user to see all instances in my account. And when I try to edit the policy for a specific resource it shows error because it DescribeInstances is not a resource-level policy, so it must have Resource '*'.
I was thinking maybe allow him access to a different region, and put the instance there. Another option is using organizations (a little complex, but looks promising, would be happy to understand if this is the way to go).
Am I missing something? What is the best solution to achieve what I need?
If you want to give the outsourcer permission to call AWS services in your account, then from a security perspective, it would be much safer to put those resources in a child account.
That way, you are guaranteed that their credentials are not able to impact any of your other resources and services.
The alternative would be way too complex to manage. For example, security groups can be associated with many instances and one instance can have many security groups. That would not be possible to code within an IAM policy.
I am trying out the tutorial for amazon VPC - Virtual private cloud.
http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html#Case2_Launch_NAT
I have followed these steps....
Navigate to https://console.aws.amazon.com/vpc
Create a VPC.
Create security groups as outlined by the article.
I have created the NATSG security group as required by the article.
When I try to change the security group of the instance to run under the NATSG group it gives me an error - saying it encountered an error without any description.
Any pointers would be appreciated.
I am not facing the issue any longer - it appeared to be an ongoing issue at the time, I can currently switch security groups properly.
The one change I have made over the past 2 years is switch all my manual interactions with AWS to be programmatic using boto3 or cloudformation, which has eliminated a lot of errors.