We have implemented Dynatrace and we need to add our AWS account to pull CloudWatch logs.
The problem: We have a corporate proxy and firewall which is super locked down and seems to block whichever requests Dynatrace is trying to make to AWS to authenticate with the key and secret.
The infra guys have allowed a bunch of AWS domains per region to read CloudWatch logs, but we still can't authenticate (see image below).
I have set up a Dynatrace security gateway in AWS which our local gateways are able to access. We are successfully getting logs from OneAgents through the SGW. The problem is getting the CloudWatch logs/integration going.
The error in the image below leads me to believe that Dynatrace is not able to communicate to the AWS auth servers at all.
Any advice would be appreciated.
I'm just a dev
We are not allowed to open the amazon domain.
#corporate-devlife
I have a Docker image with an API that publishes the provided request body to an SNS topic. I am able to perform this operation locally, but when I deploy this image to ECS through ECR, I get the following error from the AWS Go SDK (v2) about 1 minute after the request is initiated.
https response error StatusCode: 0, RequestID: , canceled, context canceled
I have verified the following things:
ECS service (as well as EC2 as I am using EC2 launch type) has a role that grants full access to SNS
SNS access policy allows all requests from current AWS account.
I am able to publish to same topic after logging into EC2 instance.
API request has 5 min timeout.
I am using default VPC.
For the sake of the experiment, I am not using HTTPS and the attached security group allows all traffic on port 80. I tried everything but didn't find what's wrong. I would appreciate your help, thanks.
I want to connect my simple ReactJS contact form to my AWS SES email to receive emails.
I did some research on this but did not find a useful tutorial or article to follow.
Is there anyone who can help?
THANKS
There is a tutorial to do just what you asked for: https://www.youtube.com/watch?v=HiHflLTqiwU
In short: You set up an AWS IAM user with limited permissions to AWS SES. The user has only programmatic access to the AWS console. You will use the secret key and key ID in your React app later on, so make sure to save it. Also, make sure you are familiar with the SES pricing
Then, go ahead and configure AWS SES to your needs.
Your React app will need to run with an ExpressJS backend. Add the JavaScript AWS SDK to your project. It is needed to connect to AWS and interact with SES. Here is the link to the AWS SES SDK documentation.
The tutorial is great. However, there are some things to look out for:
Make sure you don't check in your access key and secret to a VCS.
The AWS access key will never be renewed. This can be OK but should be avoided.
Regularly rotating your IAM credentials helps prevent a compromised set of IAM access keys from accessing components in your AWS account. Rotating IAM credentials is also an important part of security best practices in IAM. (Source)
You send e-mails through a public, unauthenticated POST request to your Express backend. Anybody with their browser's devtools open can see the POST request, including the headers, the request body, and the response. With Postman, or a similar tool, anybody can spam your contact endpoint. To avoid that you can set up rate limits, put an API Gateway with quotas in the middle instead of calling SES directly, etc.
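The backend side of the contact form described in the answer above, as an added example that is not code from the answer or the linked tutorial. It keeps the access key out of the request path (the browser only ever talks to this handler), rejects header injection in the subject line, keeps the verified SES identity as the sender, and applies a per-IP rate limit. The SES client is injected so the handler runs offline; in production pass `sendEmail = (params) => ses.send(new SendEmailCommand(params))` with `ses` from `@aws-sdk/client-ses`. `RECIPIENT`, `SENDER`, `makeRateLimiter`, `validate`, `buildSesParams` and `handleContact` are names chosen here, not from the post.

```javascript
// Added example, not code from the answer or the linked tutorial: the backend side of the
// contact form, written so the SES client is injected and the handler can run offline.
// In production pass sendEmail = (params) => ses.send(new SendEmailCommand(params))
// with `ses` from @aws-sdk/client-ses. RECIPIENT, SENDER and all function names are assumptions.

const RECIPIENT = "inbox@example.com";  // assumed: a verified SES identity you own
const SENDER = "contact@example.com";   // assumed: a verified SES identity

// Fixed-window rate limiter keyed by client address: at most `max` requests per `windowMs`.
// `now` is injectable so the window can be tested without waiting.
function makeRateLimiter({ max = 5, windowMs = 60_000, now = Date.now } = {}) {
  const buckets = new Map();
  return function allow(key) {
    const t = now();
    let b = buckets.get(key);
    if (!b || t - b.start >= windowMs) {
      b = { start: t, count: 0 };
      buckets.set(key, b);
    }
    b.count += 1;
    return b.count <= max;
  };
}

const CRLF = /[\r\n]/;                       // a newline in a header value is header injection
const EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;  // coarse shape check, not full RFC 5322

// Returns { error } on bad input, otherwise { value } with trimmed, length-bounded fields.
function validate(body) {
  const name = String(body.name ?? "").trim();
  const email = String(body.email ?? "").trim();
  const message = String(body.message ?? "").trim();
  if (!name || name.length > 100 || CRLF.test(name)) return { error: "invalid name" };
  if (!EMAIL.test(email) || email.length > 254) return { error: "invalid email" };
  if (!message || message.length > 5000) return { error: "invalid message" };
  return { value: { name, email, message } };
}

// Parameter shape for SES SendEmail. The visitor's address goes in ReplyTo only;
// Source stays a verified identity, so the form cannot be used to send mail "from" anyone.
function buildSesParams({ name, email, message }) {
  return {
    Source: SENDER,
    Destination: { ToAddresses: [RECIPIENT] },
    ReplyToAddresses: [email],
    Message: {
      Subject: { Data: `Contact form: ${name}`, Charset: "UTF-8" },
      Body: { Text: { Data: `From: ${name} <${email}>\n\n${message}`, Charset: "UTF-8" } },
    },
  };
}

// Handler returning { status, body }; wire it up in Express as
//   app.post("/contact", async (req, res) => {
//     const r = await handleContact(req, deps); res.status(r.status).json(r.body);
//   });
async function handleContact(req, { sendEmail, allow }) {
  if (!allow(req.ip)) return { status: 429, body: { error: "too many requests" } };
  const { error, value } = validate(req.body ?? {});
  if (error) return { status: 400, body: { error } };
  await sendEmail(buildSesParams(value));
  return { status: 200, body: { ok: true } };
}
```

The in-memory limiter is per process; behind a load balancer with several backend instances, or when you want quotas that survive restarts, the API Gateway usage-plan route the answer mentions is the better fit. Note that `req.ip` only reflects the real client if Express is told to trust the proxy in front of it.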
We have started a PHP Beanstalk application. First we tested the API as public and it was working, then we tried to make the API private so it is called through a VPC endpoint, following the tutorial and instructions, but no luck.
We have created the endpoint and a resource policy to invoke the API.
We have attached the resource policy to the API.
While troubleshooting, the API can be invoked from the same EC2 instance (curl -X GET https://***) successfully, but the issue is that from the Beanstalk application it never hits the API; there are no CloudWatch logs either.
Here is the code we use to invoke the API from CloudWatch: "https://API-ID-vpce-*****.execute-api.eu-west-1.amazonaws.com/Pro/calc/?test="
We already allowed the HTTPS inbound and outbound on security groups
Honestly, we have tried everything for 10 days with no luck.
Appreciate your support on this.
Kind Regards
Based on the comments, the cause of the issue remains undetermined. In this case a support ticket will be placed with AWS Support for assistance.
We're working with AWS and wish to log all incoming HTTP requests from our API Gateway to the EC2 box in their entirety (i.e. not truncated at 1024 bytes). As we know the logging for API Gateway is not configurable, our next thought was to place a Lambda between the API Gateway and EC2 which would intercept the requests, log them to S3, and then forward the request to EC2.
My question is two fold:
How does one submit an API Gateway 'event' to an EC2 instance manually? I've gone over the boto3 documentation and there doesn't seem to be a good way to do this out of the box.
Is this a logical way to log requests in their entirety, or are we missing a built-in connector between Lambda -> EC2 or request logging in general?
import os, urllib.request

def lambda_handler(event, context):
    # log event (done)
    # pass event to the ec2: forward the method and body of the proxy event to the instance (EC2_URL is an assumed environment variable)
    req = urllib.request.Request(os.environ["EC2_URL"], data=(event.get("body") or "").encode(), method=event.get("httpMethod", "POST"))
    with urllib.request.urlopen(req) as resp:
        # return response in the shape an API Gateway proxy integration expects
        return {"statusCode": resp.status, "body": resp.read().decode()}
You can enable CloudWatch logging for API Gateway. By enabling it you can find the logs for your requests in CloudWatch.
Create an IAM role that gives API Gateway permission to write logs to CloudWatch.
Set the IAM role on your API.
Set the desired log level, INFO/ERROR.
You can also choose to log the full request/responses.
To enable access logs, you also need to create a log group and provide its ARN.
The detailed steps can be found in the reference below.
Hope this helps.
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudwatch-logs/
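The steps in the answer above expressed as the two API calls that perform them, as an added example that is not code from the answer or the linked knowledge-center article. It builds the input for `UpdateAccountCommand` (the account-level CloudWatch role) and `UpdateStageCommand` (log level, data trace and access-log settings on one stage) from `@aws-sdk/client-api-gateway`; the functions only build the inputs, so they run offline, and the `send` calls are shown in a comment. The role ARN, log-group ARN, API id, stage name and the function names `accountUpdate` / `stageUpdate` are placeholders chosen here.

```javascript
// Added example, not from the answer or the linked article: build the UpdateAccount and
// UpdateStage inputs that turn on execution and access logging for one REST API stage.
// Apply them with:
//   const api = new APIGatewayClient({});                           // @aws-sdk/client-api-gateway
//   await api.send(new UpdateAccountCommand(accountUpdate(ROLE_ARN)));
//   await api.send(new UpdateStageCommand(stageUpdate({ ... })));
// All ARNs, ids and names below are assumptions.

const LOG_LEVELS = new Set(["OFF", "ERROR", "INFO"]);

// Account-level (one per region): the IAM role API Gateway assumes to write to CloudWatch Logs.
// The role trusts apigateway.amazonaws.com and carries the managed policy
// arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs.
function accountUpdate(cloudWatchRoleArn) {
  return {
    patchOperations: [{ op: "replace", path: "/cloudwatchRoleArn", value: cloudWatchRoleArn }],
  };
}

// Access-log line format: one JSON object per request built from $context variables only,
// so the access log never contains request bodies or Authorization headers.
const ACCESS_LOG_FORMAT = JSON.stringify({
  requestId: "$context.requestId",
  ip: "$context.identity.sourceIp",
  requestTime: "$context.requestTime",
  httpMethod: "$context.httpMethod",
  resourcePath: "$context.resourcePath",
  status: "$context.status",
  responseLength: "$context.responseLength",
});

// Stage-level settings. "/*/*/..." applies the method setting to every resource and method.
function stageUpdate({ restApiId, stageName, logLevel = "INFO", dataTrace = false, accessLogGroupArn }) {
  if (!LOG_LEVELS.has(logLevel)) {
    throw new Error(`logLevel must be one of ${[...LOG_LEVELS].join(", ")}`);
  }
  const patchOperations = [
    { op: "replace", path: "/*/*/logging/loglevel", value: logLevel },
    // dataTrace=true is the "log full request/responses" option from the answer: execution
    // logs then include headers and bodies, so the log group must be access-restricted.
    { op: "replace", path: "/*/*/logging/dataTrace", value: String(dataTrace) },
  ];
  if (accessLogGroupArn) {
    patchOperations.push(
      { op: "replace", path: "/accessLogSettings/destinationArn", value: accessLogGroupArn },
      { op: "replace", path: "/accessLogSettings/format", value: ACCESS_LOG_FORMAT },
    );
  }
  return { restApiId, stageName, patchOperations };
}
```

Two caveats for the questioner's goal: data-trace execution logging is the logging the question describes as truncated at 1024 bytes, so it records headers and bodies but not complete large payloads; and because those entries can carry credentials and personal data, grant read access to the execution-log group narrowly and set a retention period on it.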
I am setting up AWS SFTP using Cognito as the identity provider. I have a working API Gateway API and can run tests on it successfully.
When I come to connect to the SFTP instance, the username and password are rejected. I've checked the log files and there are no entries indicating that any calls to the API Gateway API were made at all. This suggests to me that something is wrong with the IAM role associated with the SFTP instance and therefore the API Gateway API is not being called. From my reading, the configuration appears to be correct.
I'm working from the following blog page.
https://agilevision.io/blog/aws/2019/02/06/integrate-aws-sftp-with-custom-identity-provider.html
Can anyone suggest what might be wrong?