Naming an AWS EC2 security group IP permissions rule - amazon-web-services

I am using the AWS PHP SDK version 3. I am able to create security groups using the API, as well as creating IP Permission rules. What I can't figure out is how give the IP Permissions rule a name.
Here's what I have:
$params =
[
'Description' => 'My Security Group',
'GroupName' => 'my_security_group',
'VpcId' => 'vpc-a9d2h3d7',
'TagSpecifications' => [
[
'ResourceType' => 'security-group',
'Tags' =>
[
['Key' => 'Name', 'Value' => 'My Security Group']
]
]
],
];
$Ec2Client->createSecurityGroup($params);
At this point the group is created
Then I create an IP Permissions rule:
$ip_permissions = [
'GroupName' => 'my_security_group',
'FromPort' => 0,
'ToPort' => 65535,
'IpProtocol' => 'tcp',
'IpRanges' => [['CidrIp' => 'xx.xxx.xx.xxxx/32', 'Description' => 'Main Office']],
];
$Ec2Client->authorizeSecurityGroupIngress($ip_permissions);
Through the AWS Console, I can see that the rule is created, but the Name column is empty. How do I create the Name through the API?

It would be same, by using TagSpecifications. But instead of security-group you need to have security-group-rule:
'TagSpecifications' => [
[
'ResourceType' => 'security-group-rule',
'Tags' =>
[
['Key' => 'Name', 'Value' => 'My Security Group Rule']
]
]
]
Full example in AWS CLI (don't have php):
aws ec2 authorize-security-group-ingress --group-id sg-00102bde0b55e29fe --ip-permissions FromPort=0,IpProtocol=tcp,IpRanges='[{CidrIp=10.10.10.10/32,Description="Main Office"}]',ToPort=65535 --tag-specifications ResourceType=security-group-rule,Tags='[{Key=Name,Value=MyName}]'

Related

Encountering error "Request has invalid Client token" but my credentials is correct

I'm having this error when I call the startDocumentTextDetection even I have the correct credentials because I was able to upload the my pdf in s3. I also allowed Textract to call other services on my behalf.
$client = new TextractClient([
'region' => env('AWS_DEFAULT_REGION'),
'version' => '2018-06-27',
'credentials' => [
'key' => env('AWS_ACCESS_KEY_ID'),
'secret' => env('AWS_SECRET_ACCESS_KEY')
]
]);
$result = $client->startDocumentTextDetection([
'ClientRequestToken' => 'DocumentDetectionToken',
'DocumentLocation' => [ // REQUIRED
'S3Object' => [
'Bucket' => 'XXXXX',
'Name' => 'HNlLrVxE4cDqyJh0RHmSfTGtZVKzOWUG75ycHfyE.pdf',
],
],
'FeatureTypes' => ['FORMS','TABLES'],
'JobTag' => 'HNlLrVxE4cDqyJh0RHmSfTGtZVKzOWUG75ycHfyE.pdf',
'NotificationChannel' => [
'RoleArn' => 'XXXXX', // REQUIRED
'SNSTopicArn' => 'XXXXX', // REQUIRED
],
'OutputConfig' => [
'S3Bucket' => 'XXXXXX',
],
]);

Issues generating CloudFront signed URLs; always Access Denied

I’m having issues generating signed URLs with CloudFront. Whatever I try, I just get an “Access Denied” response.
I’ve created a distribution in CloudFront, and a CloudFront key pair ID. I’ve downloaded the private and public keys for that key pair ID.
In a simple PHP script, I’m trying the following:
use Aws\CloudFront\CloudFrontClient;
$cloudfront = new CloudFrontClient([
'credentials' => [
'key' => '[redacted]', // Access key ID of IAM user with Administrator policy
'secret' => '[redacted]', // Secret access key of same IAM user
],
'debug' => true,
'region' => 'eu-west-1',
'version' => 'latest',
]);
$expires = strtotime('+6 hours');
$resource = 'https://[redacted].cloudfront.net/mp4/bunny-trailer.mp4';
$url = $cloudfront->getSignedUrl([
'url' => $resource,
'policy' => json_encode([
'Statement' => [
[
'Resource' => $resource,
'Condition' => [
'DateLessThan' => [
'AWS:EpochTime' => $expires,
],
],
],
],
]),
'expires' => $expires,
'key_pair_id' => '[redacted]', // Access key ID of CloudFront key pair
'private_key' => '[redacted]', // Relative path to pk-[redacted].pem file
]);
But when visiting the generated URL, it just always gives me an error in the browser with a code of “AccessDenied”.
What am I doing wrong?
Discovered what the issue was. The objects in my S3 bucket weren’t publicly-accessible, and I hadn’t added an Origin Access Identity, so CloudFront couldn’t pull the objects from my origin (my S3 bucket) to cache them.
As soon as I added an Origin Access Identity and added it to my S3 bucket’s policy, my objects immediately became accessible through my CloudFront distribution via signed URLs.
Relevant documentation: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-creating-oai

Ruby AWS SDK (v2/v3) Tag spot instances

According to this link it is possible to tag spot fleet instances. Tags are automatically propagated to the launched instances. Is it possible to do the same for normal spot instances? My approach so far
ec2 = Aws::EC2::Resource.new({region: region, credentials: creds})
launch_specification ={
:security_groups => ['ccc'],
:ebs_optimized => true,
:image_id => "image_id",
:instance_type => "type",
:key_name => "key",
:placement => {:group_name => "ggg"},
:user_data => ""
}
resp = ec2.client.request_spot_instances(:instance_count => count,
:launch_specification => launch_specification,
:spot_price => price.to_s,
:type => 'one-time',
:dry_run => false
)
resp.spot_instance_requests.each do |sir|
ec2.create_tags({
dry_run: false,
resources: [sir.spot_instance_request_id],
tags: [
{
key: "owner",
value: "ooo",
},
],
})
end
Tags are created for for the spot_instance_request, but are not propagated to the launched instances.

Sending on behalf of users with Amazon SES

Sometimes it's necessary to send an email with the reply-to address of another user. For example, if a LinkedIn user sends a connection of theirs a LinkedIn message, it makes sense to send that email from the user that sent the message, so that clicking 'reply' actually replies to the person who sent the message.
Is there a way to do this with Amazon SES?
You can pass ReplyToAddresses parameter in $ses->sendEmail() (documentation PHP V2, assuming other languages and versions will have similar structure, search for it)
$sesClient->sendEmail([
'Source' => 'sender#mail.ru',
'Destination' => 'dummy#clie.nt',
'Message' => [
'Subject' => [
'Data' => 'Spammer attack',
],
'Body' => [
'Html' => [
'Data' => 'Le Attacke!',
],
],
],
'ReplyToAddresses' => [
'reply#ema.il',
'sender#mail.ru',
'dummy#clie.nt',
]
]);

Elasticsearch AWS with Elastica

Is it possiple to Connect to an Amazon Elasticsearch with Elastica and the "AWS Account access policy"?
When i use "Allow open access to the domain" it works.
$elasticaClient = new \Elastica\Client([
'connections' => [
[
'transport' => 'Https',
'host' => 'search-xxxxxxxx-zzzzzzzz.us-west-2.es.amazonaws.com',
'port' => '',
'curl' => [
CURLOPT_SSL_VERIFYPEER => false,
],
],
],
]);
But in dont know how to set the "Authorization header requires" when i use the "AWS Account access policy".
I am using the FriendsOfSymfony FOSElasticaBundle for Symfony. I solved that problem using AwsAuthV4 as transport like this:
fos_elastica:
clients:
default:
host: "YOURHOST.eu-west-1.es.amazonaws.com"
port: 9200
transport: "AwsAuthV4"
aws_access_key_id: "YOUR_AWS_KEY"
aws_secret_access_key: "YOUR_AWS_SECRET"
aws_region: "eu-west-1"
This is not implemented yet as it needs more then just setting the headers. Best is to follow the issue here in the Elastica repository for progress: https://github.com/ruflin/Elastica/issues/948