Questions tagged with AWS Account Management

after creating my ec2 instance I downloaded the key and tried to use putty to ssh into the server but it gives me network error in northern Virginia region but successful in Ohio

My app is in beta, so it's not really being used, I received a spike in my bill because of app sync and open search service. I can't figure out why this charge is happening or who triggered it. Could someone help me?

I am in the process of developing a mobile app and have selected a developer from China to help me. Is there any restrictions on having someone from another country access my account? I realize I will need to create another user id and set them up with the appropriate roles to restrict what they can do but, don't want to run into any issues where Amazon thinks someone is accessing my account that is not authorized

Hi Team I need to know what strategy we should use when we try to upgrade an agent on a running ec2. In order to follow cloud standards what i did is. i created an AMI and that has got my agent installed, so any new ec2 made by that AMI is having the agent installed. But when i want to upgrade the agent. how should i go about it? Which is the best option here: 1. Code deploy 2. Code pipeline 3. Lambda. or what else should be a good approach to follow? Thanks

I am selling my site and need to transfer the AWS account to the buyer's business (the buyers do not use AWS for their other sites - but they want my site to continue with AWS). I cannot figure out how to do it. Do I need to pay for support and what level? This is Amazon's advice on transfering ownership of a site: https://aws.amazon.com/premiumsupport/knowledge-center/transfer-aws-account/ "To assign ownership of an AWS account and its resources to another party or business, contact AWS Support for help: Sign in to the AWS Management Console as the root user. Open the AWS Support Center. Choose Create case. Enter the details of your case: Choose Account and billing support. For Type, choose Account. For Category, choose Ownership Transfer. For all other fields, enter the details for your case. For Preferred contact language, choose your preferred language. For Contact methods, choose your preferred contact method. Choose Submit. AWS Support will contact you with next steps and help you transfer your account ownership." I have done all this but have not yet been contacted (24 hours). The text seems to suggest that advice on transfering ownership is a necessary aspect of transfering an AWS root account to a company, and that such advice is provided free by Amazon, since nothing is said about pricing. If on the other hand AWS clients must pay for a support package to transfer ownership, which package? The $29 Developer package or the $100 Business package or some other package? How quickly does Amazon AWS respond? How quick is the transfer process? I am finding this very frustrating.

hello we have a support case that remained unassigned for 24 hours now, how can we escalate ?

I want to connect AWS AD with AWS SSO. I've synced the AD users with SSO and I'm able to login to the SSO application. But unable assume the role associated to the user and access the account. Giving 403 error.

esteemed, I am facing a problem and would like some support from cloudfront, my internet provider asn 265463 with block of 168.197.12.0/22 cannot access the following domains that are hosted on cloudfront, https://www.kabum.com.br/ and https://www.tse.jus.br/ And I get the following response: Request blocked. What can I do to get unlocked?

Hi, I bought a domain with AWS. I'm not receiving the verification email, and as a result, my domain has been suspended. When I go to the domain, I click on "Send email again" in the "Your domain might be suspended" dialog, and it says that it sent me an email, but it never arrives. I've been trying this button for 24 hours now, no result. This is broken functionality that is now impacting the domain that I paid AWS for. Please resolve this ASAP.

Hello, This is rather non-tech question. I would like to know if I am bale to change some preferences on amanzon.jobs account. I particularly want to know where I can find the relocate option. Thank you

I need to understand how the the request features work - PUT, COPY, POST, LIST, GET, SELECT, Lifecycle Transition - for billing purposes? What does it actually mean and what it does?

Hi Everyone, I've mentioned lines of error that may help you better understand my issue. I'm trying to use RDP and while connecting to Remote Desktop it gives the following error that I'm unable to get into my Machine: Remote desktop cannot connect to the computer because of the following reasons: 1: remote access to the server is not enabled 2: the remote computer is turned off 3: the remote computer is not available on the network Please help me in troubleshooting the error so that I can continue using services

i've created the instance in awsa and after that i can't open WHM. instance type : t2. medium aws market place: cpanel and whm for linux

Hi, I am not able ssh to any of the EC2 instances. I have checked the security group & firewall rule is in place to allow SSH traffic. Could you please check if my account is suspended. My registered mail id is "kumar.deepak.k@gmail.com" Thanks, Deepak Kumar

Does Amazon provide marketplace seller registration to Indian companies with Indian address? If yes , then please suggest as we did not find any guide for same.

My AWS account is compromised - I don't really understand how this would happen for a platform like AWS, where many people have their business on it. There are 1000x increases on billing due to the account being compromised. Billing dashboard shows continuing thousands of dollar charged even though turning off hundreds of instances started because of the account being compromised. I have already: * Reset password * Deleted all customized IAM roles * Removed all other IAM users AWS has provided any updates on the billing adjustment. What should I do? I would literally be bankrupt because of billing of a compromised account.

Hi, I am currently using SNS to send transactional SMS messages to several users I'm in the Sandbox test so when I add new number I don't receive the verification code for a specific mobile number of certain telecom provider in Morocco but for other provider I received the code. Any idea on why is this happening?

I want to terminate all services that im using. I have deleted some of it but there is still something that keeps me charging. It foresees that i will be charged for another 5,81 dollars and says there is 7 services that i am currently using but i cant find those. Can anybody help me about that?

In the EC2 instance details, i am finding this error "User is not authorized to perform: compute-optimizer:GetEnrollmentStatus on resource: * with an explicit deny in a service control policy" under Amazon Compute Optimizer section. Because of this while I am connecting to EC2, it is showing error as "verify that your iam policy is correctly configured to use ec2 instance connect."

Hello: I have a lightsail instance running that I can't locate in the console. I connect from the internet to it (and of course I pay for it), but with the new presentation of the aws consoles I can't locate it. In fact it says that I have no instances running. Can someone help me locate it? Thank you

We were not able to login into my EC2 instance through putty and giving error "Network error: Software caused connection abort". We saw on AWS console that EC2 instance was running but still not able to login and also saw that CPU utilization for some period is showing nothing and suddenly showed utilization after few minutes. After that we restarted the EC2 instance and we were able to connect it . Can anyone help me to know why this has happened?

I have received an email that my account is required further verification and until that its blocked. I have replied to aws-verification@amazon.com but they are not replying too fast. is there any way to contact them instantly. My company is Dubai based and I can visit their off if there any have

Hi - I need simple instruction on renewing a certificate as per email: Greetings from Amazon Web Services, You have an SSL/TLS certificate from AWS Certificate Manager in your AWS account that expires on Apr 07, 2022 at 23:59:59 UTC. This certificate includes the primary domain app.digitalbz.com and a total of 1 domains. AWS Certificate Manager (ACM) was unable to renew the certificate automatically using DNS validation. You must take action to ensure that the renewal can be completed before Apr 07, 2022 at 23:59:59 UTC. If the certificate is not renewed and the current certificate expires, your website or application may become unreachable. To renew this certificate, you must ensure that the proper CNAME records are present in your DNS configuration for each domain listed below. You can find the CNAME records for your domains by expanding your certificate and its domain entries in the ACM console. You can also use the Describe Certificate command in the ACM API[1] or the describe-certificate operation in the ACM CLI[2] to find a certificate’s CNAME records. For more information, see Automatic Domain Validation Failure in the ACM troubleshooting guide[3].

I have created a Cloudwatch Metric Filter for response latency We have regions in us-west-2 and us-east-2 and I have put separate Metric filters in each region's different Cloudwatch Log groups. I want to be able to query and add all response latencies between *both* regions so I can calculate aggregate values like Averages. How can I do this? Log Insights can't see different region Log Groups so I can't directly use this. I heard Metric Math may be able to. Is there a way?

How do I navigate to this page Auditing AWS Security training

Hi I would like to find out ways to remove accounts from Organization. These accounts have no outstanding charges, and the root user/email has been deactivated as they were temporary participants to the organization. That said these root users are no longer in our organization and no longer reachable. No one could no longer log in to the accounts to remove itself from the organization. Please provide assistance to remove these for us?

Hello I currently have a Redshift Cluster and I need to my apps point to a subdomain instead of the Redshift cluster HOST. This redshift cluster is inside a VPC with gateway endpoint type. How do I create a route53 record inside my already existing hosted zone to do this? Already tried adding a CNAME record and poiting directly to the Redshift host,a but since its inside a VPC does not work.

The Thanos documentation says: "Put Prometheus in the same failure domain. This means same network, same datacenter as monitoring services." But what if the accounts are split and if Prometheus resides in one account (e.g. in the workloads OU) and Thanos, the connected S3 and Grafana are in another account (e.g. "monitoring" in the infrastructure OU)? Are these then also already considered as different failure domains? Should Prometheus also move to the monitoring account? *(I would not consider the latter so favorable because of the transfer performance of the metrics, if that matters at all. Shrug.)* Would it help to have shared VPCs? What is the recommended setup and organization here? Many thanks for the help!

I am trying to create a cloud cluster using AWS within MATLAB. I am experiencing an error. I created a Root User / IAM account successfully. I go to MATLAB and try to create the cloud cluster. I see four panels where I have to fill in details. They are "Requirement", "Billing", "Create Cluster", and "Finish". I succeed in the first two but got stuck at the third. The "MathWorks Account ID" is filled in fine. The "External ID" is filled in fine. The "Role ARN" is filled in fine. When I press "Next", I get the error "Verify permissions for the lAM Role. Changes to AM entities may not be reflected immediately." What am I doing wrong?

Hi I was running two instances on Lightsail, one of those was a Database. Today my chief told me that I needed to restore a local backup of the database because the application running on the instance was not working anymore. So I logged into the account, went to Lightsail and discovered that actually both the instances were gone. Couldn't see or access them anymore. Now the weird part: since I wasn't sure I was on the right account I obviously searched for them on others, without success. At the same time they needed the application, so I started over with a new instance. Then I tried to create again the database and I used the same name of the desappeared instance and discovered that "**I must use unique names for the resources**". But actually There's only one other database listed and it had a completely different name. It seems that the name I was trying to use is still flagged and that's should be a proof that the instance was there. Moreover, if I run this command: ``` curl -k http://18.194.243.249//latest/dynamic/instance-identity/document ``` (The IP is the one of the vanished instance) I get: ``` <a href="/latest/dynamic/instance-identity/document">Moved Permanently</a>. ``` What happened? IS there any way I can track the actions on the account?

How do I disable access or display of a directory (folder) for a specified IAM user?

I want to create a Lambda layer for public use. I am wondering if there are any costs associated with hosting a layer on my account that millions potentially could use? The layer would be a Puppeteer for NodeJS.

One fine morning The port 80 (HTTP )and Port 443 (HTTPS) of two of my existing EC2 instances in the ap-south-1 Region stopped working. However, I could still SSH into the instances. I stopped and started the instance the ports worked for a few minutes and then fell off again. Each time starting and stopping gets the ports to respond for a few minutes before falling off again. To Troubleshoot and do a root cause analysis, I launched a new Ec2 with Linux Ubuntu 20.04 in the ap-south-1 Region . Same thing, The port 80 (HTTP )and Port 443 (HTTPS) fails off after 5 to 10 minutes post launching. On Stopping and Starting the EC2 Instance, This again works for few minutes and then the Port 80(HTTP) and Port 443 (HTTPS) falls off again. The EC2 instances gets totally isolated from the internet and no inbound or outbound traffic works from these ports. On Doing the same thing for a different region (Ohio), there is no problem and it works. Can there be any technical issue or you think there is some problem with the underlying hardware or VM network issue for my account? Please help!

Hello, **Amazon has rejected my request to increase daily sending quota limits.** The Amazon SES Quota on my home page shows I'm in Sandbox mode and have a daily quota of 200 mails. It also states: "Please request Amazon to raise your SES Sending Limits to be able to send to and from any email address as well as raise your daily sending quota from 200 to any number you need." **I put in a detailed request via the support centre ticketing system for a daily quota of 50 000, and provided the additional background info on request:** "I will send emails to my list received from advertisements once per day (excluding test emails), I will maintain my recipient list through granting them the option to voluntarily unsubscribe from my newsletter every day and by eventually remove a series of inactive subscribers from my email list every 30 days to prevent unnecessary spam and bounces. My email newsletters are a series of 6 repeated fond communications with the subscriber per week, with one inactive day. And all of these communications entail an introductory, soft and hard pitch promotion of my affiliate offer. A screenshot example of a snippet of my email swipes is attached in a PDF file below." **They Replied as follows** "Hello, Thank you for submitting your request to increase your sending limits. We are unable to grant your request at this time because we do not have enough information about your use case. If you can provide additional information about how you plan to use Amazon SES , we may be able to grant your request. In your response, include as much detail as you can about your email-sending use case and how you intend to use Amazon SES. For example, tell us more about how often you send email, how you maintain your recipient lists, your website or app(please include any necessary links), and how you manage bounces, complaints, and unsubscribe requests. It is also helpful to provide examples of the email you plan to send so we can ensure that you are sending high-quality content. You can provide this information by replying to this message. Our team provides an initial response to your request within 24 hours. If we're able to do so, we'll grant your request within this 24-hour period. However, if we need to obtain additional information from you, it might take longer to resolve your request." **I'd be grateful for some guidance on how to proceed. I felt I'd given enough context, and I can't conceive that the volume of mail I'm now pushing via a legacy server that is going to be taken offline would have an influence on Amazon services.**

Hi, I'm using the GO SDK V2 to fetch all the EIPs of an account. My goal is to get the number of EIPs in a specific account. I couldn't find a paginator option for this API call `DescribeAddresses`. There is a paginator/next token option for the `DescribeAddressesAttribute` API call, but for this option, I could not retrieve all the EIPs addresses of the account. Actually without attribute passed, I got an empty result `[]`. I have a couple of questions: 1. Is there a way to use pagination for `DescribeAddresses`? 2. Is there a parameter for `DescribeAddressesAttribute` to make this call to retrieve all EIPs? 3. What is the maximal number of EIPs in an account? 4. What is the maximal number of results that can be returned from `DescribeAddresses`? Thank you, Ori Adler

Hi All, I have not used my Amazon account for a while. I think it was free-tier to begin with. I wanted to start re-using it. I logged on and find I have no access to Billing. I also have no access to Organizations. I can assign privileges to IAM users. I had an existing user under IAM and I gave it Administrator and BillingAccess privileges. I logged on with that user, but when it browses to Organizations or Billing, it also gets permission denied issues. Example with root account accessing "Account": You Need Permissions You don't have permission to access billing information for this account. Contact your AWS administrator if you need help. If you are an AWS administrator, you can provide permissions for your users or groups by making sure that (1) this account allows IAM and federated users to access billing information and (2) you have the required IAM permissions. I get the same error when IAM user with billing permissions accesses "Billing". I cannot even create a support case using root account. It says I have no access and I was placed in support plan Basic, but then there is no way to create a case. When I click "Create case": An error occurred when we tried to process your request User: arn:aws:iam::ID:root is not authorized to perform: support:DescribeServices with an explicit deny in a service control policy User: arn:aws:iam::ID:root is not authorized to perform: support:DescribeSeverityLevels with an explicit deny in a service control policy You don't have the necessary IAM permissions to view that support case. Learn more Then under "Create case" the various case options are grayed out. Thanks!

On 26th Feb, I received a mail from AWS ragrding Irreular activity so I immediately followed the steps mentioned in that email, I deleted the access key, changed my password. I couldn't see any new user,roles and ploicies in IAM at that time but now I can see 30 roles and policies applied. I have deleted the roles and policies and other amazon resources whic were producing the bill. I made this account only for educational purpose, I cant afford to pay such an amount $(2845+3431). I'm a student. Today I generated a support ticket 9763861881 and reopend the ticket which got generated on 26th Feb for irregular activity. Please assist.

Hello, I would like to use a module from one repository while running my main file from a different repository - both in CodeCommit in the same AWS account. I read that if both repositories exist I can use sys.path. The question is can I clone both repositories to the same EC2 instance (on which I run my main function)? Thanks.

I thought the AWS Service is for one year cost free. Why produces the Service every day costs? In this moment i dont use the service nevertheless there are costs! How can i cancel my account?

I was charged 80 for some services which I was not aware of. When trying to delete anything, I was always get error Network interface is currently in use. How can I delete this?

I see that the AWIS API is being retired on 15th Dec 2022, but it is unclear if the actual data will be kept updated until then. For example will the web traffic history be added to for each of the days and months upto 15th Dec?

Hi, I wanted if it's possible to create a whole Organization (and accounts) in an account which is already a part of a parent Organization. Will look something like this: ROOT-ACCOUNT - OU 1 - SubAccount_1 (Another Tower Control?) - OU_2 - SubSubAccount_1

I have a question about my instances. I did switch off some of them because I didn't use. But now I cannot enter them, as there is a notification "You have been disconnected because another connection was made to the remote PC". Is it because I switched it off? But I read that it should not affect the business. What it may be? Thank you in advance

Hi All, I have an AWS environment where all the resources (VPC’s, EC2, Route53, etc) were created and administered by the root account and I’m trying to move away from this so administration of the environment can be delegated to others. I’ve setup AWS SSO with our IdP (Okta), created a AWS Account for the user and linked it with an SSO User, created the permission set “AdministratorAccess” and assigned it to the AWS account. I’m able to sign-in to AWS via the IdP, can see the permission set assigned it AdministratorAccess, but I cannot access/view any of the resources that were created by the root account. I’ve been going through all the IAM, policy and access documentation and cannot figure out how to provide access to the resources. I assumed assigning the AdministratorAccess permission set was sufficient, but I’m clearly mistaken or missing something. Any assistance would be greatly appreciated. Thanks!

I was able to add new users to AWS SiteWise for a long time, then suddenly the 'create user' button disappeared. I still have the same Portal Administrator access that I've always had. Any idea how to get that button back??

I lost access to my S3 buckets, Lambda functions, and CloudFront distributions after the Account Manager of the Organization I'm a member of "Enabled all features" in the organization. Strangely he can't see them either in his account so it's not a matter of him adjusting the permissions on the services. How can I regain access to what I've lost?

Hello , I have used dummy emails to create few member accounts as part of my IAC code testing and since they are dummy emails i do not have root email credentials to login and delete those member accounts , what do i need to do in this case ? i have access to the management account though. Thank you and appreciate your help !

Trying to change some of the AWS account names because of some SSO related tasks. They are following the following link, but wondering whether there is any potential risks that they need to be aware. Any suggestion? https://aws.amazon.com/premiumsupport/knowledge-center/change-organizations-name/

I have few member accounts in my organizations which I want to remove. I have completed steps like payment details and other stuffs to make it act like a standalone account but still I am unable to remove this account from Organizations. It throws me error like this "**admin (#138550646085): ConstraintViolationException This operation requires a wait period. Try again later."** Please note that this account is not delegated administrator account.

I have a service I am trying to unsubscribe multiple queues from my SNS console; I notice they all have individual ARN's which correspond to different owners, however I cannot prod further into any of those owner's details. How can I check their ARN to make sure the right service owner's queue is the right one I am unsubscribing from.

(Probably this bug happened after I erased cookies from my browser.) When I open in AWS Console CloudFront support or billing or try to register as an IQ expert I see error 400. Also, CloudFront says: > There seems to be a problem with your session. > Please try again in a few minutes or login again. > If the problem persists try clearing your browser cookies. Logging again with or without erasing my cookies again does not help. "Enhanced tracking protection" in my Firefox is off for AWS Console. I can't even contact support to tell them about the trouble.

Hi Team, I have an AWS Pipeline in my DEV account, I created a second Pipeline In my PROD account. I followed this articles : 1 - https://prashant-48386.medium.com/cross-account-codepipeline-that-use-codecommit-from-another-aws-account-9d5ab4c892f6 2- https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html to make the PROD Pipeline use the Repository of the DEV account. how can I Build the source from a specific git tag, not from a branch name? when I put the tag number on the Pipeline source stage it fails. I tried to edit the source stage in the pipeline and select 'full clone' option but I had this error : `remote repository is empty for primary source and source version 63sdsde73f2e1f6sdsd7564f742csdsds91ssd1f7sdsa` as I used a remote repository in another account (DEV). I tried also to do this in my Buildspec : ``` ... git-credential-helper: yes .... build: commands: - echo Build started on `date` - git config --global user.name $REPO_NAME - git config --global user.email "$REPO_NAME@xxxx.xxx" - git clone code_conit_remote_repo_dev_account_url/$REPO_NAME --branch=$TAG_VERSION - cd $REPO_NAME ``` git clone https://codecommit.region.amazonaws.com/xx/xx/xx/$REPO_NAME --branch=$TAG_VERSION but I had this error : `fatal: unable to access 'https://codecommit.region.amazonaws.com/xx/xx/xx/myRepoName/': The requested URL returned error: 403` `Command did not exit successfully git clone https://codecommit.region.amazonaws.com/xx/xx/xx/$REPO_NAME --branch=$TAG_VERSION exit status 128` Thanks for your help.

I have a single account right now that has my development and production deployments in it (Load Balancer + ECS Fargate + Postgres RDS), and they are separated in different VPCs and share no resources. Should I keep building down this path, or is it a better idea to split my deployment into multiple AWS accounts? What are the pros and cons of each scenario? It is currently only two people building in this account, but likely will grow to be many more.

What is the best way to scale cross-account AWS KMS–encrypted Amazon S3 bucket access using ABAC? Tag Name – scaling-cross-account-kms-encrypted-s3-access-using-ABAC

I have changed instance type . Afteward I can't connect my new instance by instance and ssh . I have created new key pairs but it did not help me. If connect by instance . I have occured by this error ."There was a problem connecting to your instance Log in failed. If this instance has just started up, wait a few minutes and try again. Otherwise, ensure the instance is running on an AMI that supports EC2 Instance Connect."

The basic steps to migrate from an IPv4 network to an IPv6 network? and if it affects any service

I keep getting SafeMode activated message on my Wordpress website, even after I have tried to transfer connection or create a new connection. My brother has helped my set up the hosting and we did it following the instructions on AWS Lightsail. So we set it up with the IP address 18.168.98.182 and I first logged in to my dashboard via this link http://18.168.98.182/wp-admin/ . I have installed jetpack and woocommerce payments plugins. Then I’ve got my own domain name beadembroideryart.com and I think this created a duplicate page or something like that. Now I login to my dashboard via http://beadembroideryart.com/wp-admin/ . But the problem is that every now and again I get a notification SafeMode activated transfer your connection from 18.168.98.182 to beadembroideryart.com or create new one. When I click transer connection it goes away for a short time and comes back again in a while. When I do a new connection it’s the same and the only difference is that I need to set up my payments again from the start. I don’t know what am I doing wrong as there is no other option to choose from. Does this mean that the IP doesn’t redirect to the domain and this causes a duplicate connection conflict for WooCommerce Payment detection?

I'm new user in AWS. I have website and want to send newsletters. I've found, that Amazon SES have good pricing and I wish to migrate. BUT when I send request for production access, because from sandbox you can only test, I really don't know, WHO can work under sandbox. So, I sent my request by first time and result is deny in 2 seconds, than I send another one reply to this case, and result deny in few hours. I've done all steps from SES Docs, I verified domain and clearly described my process. I prefer to make some complaints on AWS and SES service, I will contact first with AWS sales, than I will contact with other services and I will share my AWS experience on reddit, quora, Facebook and many other social. My case id xxxxxxxxxx *Edit: Removed case ID — Kita B.

We had put off switching to Websockets as the old MQTT based subscriptions had been working without issues. However, given the 12/31/2021 deadline for the mandatory switch to Websockets, we went ahead and switched to the latest AppSync client in late December. Functionally, there haven't been any noticeable changes (negative or positive). However, the monthly cost has almost tripled. Our query/mutation/subscriptions counts are roughly in the same range as prior to the switch. Is there a reason we experienced this bump? Perhaps there's a way to track this down in the billing cost explorer? Any help is much appreciated!

Hello Team, our SUSE 15 SP3 instance(r4.2xlarge) is stucked in "status check 1/2" during reboot after upgraded it latest version. Here are some logs as well. Please share some solutions. **"cloud-init[1276]: ci-info: | Device | Up | Address | Mask | Scope | Hw-Address | [ 41.805561] cloud-init[1276]: ci-info: +--------+------+-----------+-----------+-------+------------+ [ 41.810798] cloud-init[1276]: ci-info: | lo | True | 127.0.0.1 | 255.0.0.0 | host | . | [ 41.816025] cloud-init[1276]: ci-info: | lo | True | ::1/128 | . | host | . | [ 41.820613] cloud-init[1276]: ci-info: +--------+------+-----------+-----------+-------+------------+ [ 41.824672] cloud-init[1276]: ci-info: +++++++++++++++++++Route IPv6 info+++++++++++++++++++ [ 41.828212] cloud-init[1276]: ci-info: +-------+-------------+---------+-----------+-------+ [ 41.832368] cloud-init[1276]: ci-info: | Route | Destination | Gateway | Interface | Flags | [ 41.837993] cloud-init[1276]: ci-info: +-------+-------------+---------+-----------+-------+ [ 41.842556] cloud-init[1276]: ci-info: +-------+-------------+--------[ 0.000000] Linux version 5.3.18-150300.59.49-default (geeko@buildhost) (gcc version 7.5.0 (SUSE Linux)) #1 SMP Mon Feb 7 14:40:20 UTC 2022 (77d9d02)" ** Thanks, Bhupendra +91-XXXXXXXXXX Edit: Removed personally identifiable information (phone number) per Community Guidelines.

I followed the article about how to setup OICD for IAM: * https://aws.amazon.com/blogs/apn/using-bitbucket-pipelines-and-openid-connect-to-deploy-to-amazon-s3/ * https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/ Works like a charm, however Security Hub now reports a `cross-account access` violation. Same happens when I setup a SSO group in our organisation, attach one of the predefined roles and attach it to the account. What am I missing here? Do I need to manually modify these permissions? In the case of the SSO am actually not sure how, as the group is intended to provide access to multiple accounts.

Hi, We are planning to use AWS SSO as main method to access EC2 instances with the use of the SSO attribute: SSMSessionRunAs = ${path:userName} and the AWS SSO username identical to the username in /etc/passwd on the Amazon Linux instance. I've read documentation about AWS SSO but don't see anything about this use case. We confirm that it works but also, is this supported? Thanks in advance, + Joe

Hi Team, I have an app IAM user that has S3FullAccess permission I used the access key and secret access key of my IAM app user to create an s3 resigned URL for getObject, when I copy the generated pre-signed URL on a browser I get an error message : ``` <Error> <Code>AccessDenied</Code> <Message>Access Denied</Message> <RequestId>HFDGssffscSDQ4DEF</RequestId> <HostId>OXsT4/6tYWsdssyo0dxtFa7sdsdsThdFqsdsd4L+9CmiKP2tFyGsdsL8Pr0E0rkDgzHsddsMjdsdsdwc=</HostId> </Error> ``` I'm not sure why I have access denied even though my user has the right permissions? Default encryption (Enabled) = AWS Key Management Service key (SSE-KMS) any ideas, Thanks

As the title says. One, out of the three DKIM CNAME records provided by the Easy DKIM setup agent does not resolve after 72 hours. I'm utilizing `https://dmarcian.com/dkim-inspector/` tool to query. On the third CNAME `Name` the query consistently returns an empty value, where it should resolve to the public key, aka 'p' tag. As such, it appears that the SES Domain verification process has not completed, however it has not failed. It says in the dashboard, "Verification Pending" The domain is registered and administered via google domains. I've verified there are no misplaced characters, etc in my domains DNS config. My initial assumption is that keys may be rotated, and thus at any given time one key may intentionally return a blank. However, I could not find documentation to support my theory. And it's been 4 days, and I'm getting the same result on this particular CNAME query. Anyone have any ideas? Thanks in advance!

**How to reproduce this bug?** 1. Open Visual Studio 2019 professional. 2. Make sure AWS Tool kit for Visual Studio has been installed. 3. Go to **View->AWS Explorer (or press CTRL+K,A)** 4. Refer to Credentials and click on **"Add AWS Credential Profile"** 5. On the lower section of the opened dialog click on https://aws.amazon.com/developers/access-keys/ (where it says *"account information can be found..."* That link is referring you to 404 page pointing on: *"Sorry, this URL does not exist or is no longer available."*

Hello, we have configured configured Control Tower landing zone and enrolled tens of accounts in our organization. We would like to monitor some of the actions (ConsoleLogin, SwitchRole, CreateUser, CreatePolicy, CreateRole, PutGroupPolicy, ...) across all accounts in organization and be notified when the action occurs via Slack or Pagerduty. Is there any out of box solution or recommended approach? I am considering two approaches: 1. Listen Cloudtrail S3 logs bucket Create an account which will have read only access to cloudtrail logs S3 bucket in Log Archive account. Lambda function will be triggered on new records in bucket. It will download the files from S3 and parse the events. Huge disadvantage is that it'll have to parse all cloudtrail entries which could be expensive and in inefficient. 2. Aggregate events using EventBridge buses Create dedicated account "Audit Notifications" where will be EventBridge event bus aggregating matched events from all other accounts. There will be configured event rule with Lambda target forwarding matched events from all accounts to Slack/Pagerduty/... in "Audit Notifications" account. Event rule forwarding matched events to Event Bus target in "Audit Notifications" will be deployed into each governed region in each member account. Similar as described in https://aws.amazon.com/premiumsupport/knowledge-center/root-user-account-eventbridge-rule/ I favor second approach, but maybe there are some other options. thanks

Hello, I'm supporting a client that have moved over to AWS Control Tower. They have leveraged AWS SSO with OKTA and have initiated in building their environment. They queried if it was possible to disable command line or programmatic access for users with various roles. Their ask was to ensure their users would only be able to access their AWS environment through the management console. Is there any way to either restrict or limit CLI or programmatic access while keeping their required access to the management console? Regards,

Hi, We used to use SES for transactional and marketing emails. One time there was a misconfiguration of our email list due to which mails were sent to the wrong email ids. This was a mistake that happened from our side. Because of this our account was paused as the bounce rate went high. After this we removed all our older email lists, and basically started work on generating a new email list from scratch. We have still not been able to access SES and denied entry. Please let me know what else we can do to be able to use SES AGAIN. Thanks, Kartik

Hello ! When trying to provision a voice connector, I receive the following error: "Your service has been restricted. If you feel like you have received this message in error, please submit a support request in the upper right with the category “Voice Calling”". Why did I have this problem please ? Thank you !!

Hello Guys! I have found a serious gap in the AWS process and the AWS support team doesn't want to help. How I can escalate my problem other than describing it here? I am really tired already. **My story:** I am * running a small IT company, that delivers AWS-based projects (among others). * Some time ago I decided to create an AWS organization under which I have created accounts for 2 of my team members. I have provided their personal email addresses while creating their accounts (that was my biggest mistake). * A few months ago one of my team members got schizophrenia, he lost access to his email account, started behaving aggressively, stopped working and communicating with us. * I wanted to remove his account from my organization, but: a) I cannot remove his account from my organization until I will provide valid credit card details for his account to make it fully stand-alone (btw. there is 0 spent on this account). b) The problem is that I cannot provide my credit card details because my colleague can potentially create a lot of expenses on my cost. c) Also when I will provide my credit card details and remove his account from my organization I will have no option to access this account anymore and delete these credit card details. * Another thing I explored was to close this account (since I have created it I should be able to do it): a) I cannot close the account if I don't have root access. b) I cannot change the email for the root account to recover the password even if I assume "OrganizationAccountAccessRole" role. c) The account can be closed from the root account only, or by the owner of the email associated with the root account. AWS support doesn't want to help. They "truly apologize" but this decision is out of their scope, leaving their hands tied". Their advice is to provide credit card details, remove the account and pray for that guy not to start using this account on my costs. This is something that I obviously cannot accept. Here is the full response: > Hello, I'm following up in behalf of our team. At this point, we want to apologize for any inconvenience this situation may cause. Unfortunately, we're unable to proceed with your request to close member accounts on this account. The initial requirements for accounts to function as standalone accounts can not be bypassed. To complete your account information, you can sign in to the member account with the Management Account Access role. The accounts you created using AWS Organizations have an IAM role called "OrganizationAccountAccessRole". This role has full administrative permissions, and the administrator of the management account can access the member account, complete the sign up requirements and then remove the account from the organization. *Note that if you created an account as part of an organization, you might need to delete the delegated administrator role assigned to your account. This IAM role is not deleted automatically* We recommend you use the IAM role to maintain the security settings you implemented on the account. For information about the IAM role, see the following documentation: https://aws.amazon.com/premiumsupport/knowledge-center/cannot-remove-member-organization/ For information on what happens to member account when you close them, see: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html See the AWS API and AWS CLI documentation here: https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html https://docs.aws.amazon.com/cli/latest/reference/organizations/deregister-delegated-administrator.html From my end, I understand this outcome is not the desired one but please note that this decision is out of my scope, leaving my hands tied looking to accomplish your request. Please remember that the Billing & Accounts team is a bridge of communication between our customers and other internal teams. Once again, my truest apologies. We value your feedback. Please share your experience by rating this correspondence using the AWS Support Center link at the end of this correspondence. Each correspondence can also be rated by selecting the stars in top right corner of each correspondence within the AWS Support Center. Best regards, XYZ Amazon Web Services I will appreciate your advice on what else I can do to solve this problem. Thanks a lot!

Hi, What is going on with AWS new account registration? We are trying to register a new account for our company to make some services live. Its been 2 weeks since we have registered a new account and its stuck in verification process on AWS side. AWS called us for verification and that call was unfortunately missed and they suspended our account. Since then we are trying to reach AWS for re-activation of the account. We also have submitted the verification documents as well. But there is no response from AWS. I want to know why AWS is putting these type of restrictions on new account registration? I also find out that they have implemented the restriction of 1 vCPU for new account. This seems insane to me for a business account. If there is such a process AWS is willing to incorporate for new account then I wonder how businesses can rely on their services. Verification process taking 2 weeks and still we are nowhere. We are AWS customer for last 3-4 years but now this attitude is making us think to consider other cloud providers. I hope for AWS official can look into this matter. Thanks

Just done creating a cluster and connecting to it... Now when I try to list the s3 bucket via: aws s3 ls bucketname, It give me ERROR message like: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied. I was wondering if someone has the same issue and how I should resolve it. I am a IAM user, not the account manager.

I understand in AWS, "Access key ID & Secret access key" is similar to "Username and password". While using/configuring CLI, "Access key ID & Secret access key" is saved in "credentials" file. So it is similar to saving "Username and password" in a plain text file. In CLI, technically we can use only "Access key ID & Secret access key", but not "Username and password". Apart from this, is there any advantages exists of using "Access key ID & Secret access key" over "Username and password" ?

Can my customer create a private group that is only viewable by their own employees?

Hi! I'm trying to use the EC2 Serial Console but doesn't work. I did all configuration follow the documentation and when I try to connect I get the message "EC2 service page is currently unavailable" with the title "AWS: 500 Server Error". Does it a bug? What can I do to use the EC2 Serial Console in my EC2 Instance? Thanks! Att, Marcos Meira

Hello, we tried to use "yubikey 5 NFC" and "yubikey BIO" as MFA device for our users (we used WebAauth), but we are not asked to provide pin-code, as we have read in yubikey official website : `WebAuthn on the service provider end , PIN prompts are a result of a WebAuthn setting known as User Verification. This setting is controlled by each service provider.` . Is there possibility to "force" AWS to "ask" for pin-code?

Hi, i'm wonder what is the way to register a third party app in AWS account. I'm looking for something similar to Azure app registration, where i can register a certain app and give it specific permissions to use the Azure api. I managed to do so by creating a IAM user and give it the desired permissions, but I'm not sure if it's the best way to do it. The goal is to use read only permissions to get some reports for the AWS account (via AWS CLI/AWS API). This is an AWS CLI request for example: ``` aws iam get-account-summary ``` Azure equivalent: [Azure app registration](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) Thanks

Hi Team, I requested for AWS certificate where i had mentioned one domain name which is a DNS name for my back end application. Now I want to add another URL to this certificate which is ELB hosted URL so that I can make back end https call using AWS ELB URl. Is it possible to edit the existing certificate? Note: when I used AWS URL for https connection I am getting err_cert_common_name_invalid.

Hi all, I was doing a Udemy course to work with EKS. After I finished, I deleted EC2 instances created by EKS, removed EKS cluster. Deleted elastic IP and load balancer. Now I want to clean up everything else. However, I can't delete Security groups, VPSc, Subnets, Network ACLs. Most of them say that I have associated networks interfaces. I try to delete the interfaces with ui and console but it says that they are in use. Detach also doesn't work and I have already released elastic IPs. I also went to ColoudFormation and tried to remove the stack there. What else I'm missing??

I want to report an extremely bad experience giving the AWS Solution Architect Associate (SAA-C02) exam on 01/22/2022. Apologies if this is not the right place to post this experience as I did not find any other forum to post exam-related experiences. I appeared for AWS Certified Solutions Architect - Associate (CONFIRMATION NUMBER: G81923108) on 01/22/2022. I was able to start the exam after 30 minutes of struggle in getting the PSI software loaded and working. I followed all the guidelines and requirements of the proctor and gave my full 130-minute attention to the exam. After completing the exam, I submitted the exam for the result and was very happy to see the screen "Grade: PASS. Congratulation! You have successfully passed the AWS Certified Solutions Architect .... Within 5 business days, you will receive an email stating your exam result ......" After that, I thought that the exam is now over, as I sat for another 30 seconds and did not see any notification from Proctor or any other dialog on the PASS result screen. I took the photo of the screen from my mobile to keep it for my records so that I don't lose my result and have proof. Right then I saw a screen stating your exam is terminated due to a violation of taking photos and within 10 seconds screen closed. I called PSI and explained the matter that I completed the exam and saw the result on the screen as "PASS". Only after that, I take the picture. They opened a ticket but says you need to contact AWS for resolution. This is a very frustrating situation as after 9 days, today 02/01, and I gave exam on 01/22, there is no update on the AWS certification page and also no update on the PSI website related to the result. It's not acceptable for AWS/PSI to make candidates suffer and lose belief in the certification process.

When I use AWS SSO to switch to AWS account I am able to see only my user name and current assumed role in account (AWSPowerUserAccess/martin@example.com), but I don't see account name or account alias name. So I am not able to simply verify in which account I am switched, is it production, is it development? If I want to check current account I have to go to IAM Console and check its alias (if I have reuired permissions) or I have to go to SSO index and switch to desired account again. Is it possible to configure SSO to show account name together with user and role in navigation bar? We were previously using [roles switching](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) where we were able to use Display Name for account. thanks

Once I log onto AWS Console Home, I select EC2 under Compute services and open as a new tab (I am using Google Chrome as my browser). Normally I would see a list of EC2 instances that we have running. Today I get a blank screen. The Tab says "EC2 Management Console", but not even the page headers load. Any ideas on what's going on? I get the same issue with "S3 Management Console" and "Route 53 Management Console". The only one that I normally use that is still functioning is "Managed Services Console" under Customer Enablement.

Hi, One of my cust has an AWS Organization & control tower with about 15 accounts. I wanted to enable Guardduty to about 10 accounts in them. Is it better to do at individual account level or in AWS org. Are there any cost implications if done from AWS org. Thanks.

Hello, is there possibility to force "session access keys" that were created by "aws sts get-session-token" to expire?

I have an **S3 bucket** that works perfectly with root credentials (`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`) to upload files to the bucket. I have created an **IAM user**. I tried to give this **IAM user** the privilege of uploading files to this bucket by creating this **policy** and attaching it to that bucket: { "Version": "2012-10-17", "Statement": [ { "Sid": "Statement2", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::122xxxxxxxx28:user/iam-user-name" }, "Action": "s3:*", "Resource": "arn:aws:s3:::bucket-name" } ] } However, when I try to upload a file, I get this error: ``` > PUT > https://bucket-name.s3.region-code.amazonaws.com/images/60ded1353752602bf4b364ee.jpeg?Content-Type=image%2F%2A&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIARZARRPPIBMVEWKUW%2F20220128%2Feu-west-3%2Fs3%2Faws4_request&X-Amz-Date=20220128T123229Z&X-Amz-Expires=300&X-Amz-Signature=dfdc3d92f6e52da5387c113ddd793990d1033fdd7318b42b2573594835c01643&X-Amz-SignedHeaders=host%3Bx-amz-acl&x-amz-acl=public-read > 403 (Forbidden) ``` This is how the upload works: 1. I generate a presigned-url in the backend: ```js var getImageSignedUrl = async function (key) { return new Promise((resolve, reject) => { s3.getSignedUrl( "putObject", { Bucket: AWS_BUCKET_NAME, Key: key, ContentType: "image/*", ACL: "public-read", Expires: 300, }, (err, url) => { if (err) { reject(err); } else { resolve(url); } } ); }); }; ``` 2. Then the file is uploaded in the frontend using that url: ```js await axios.put(uploadConfig.url, file, { headers: { "Content-Type": file.type, "x-amz-acl": "public-read", }, transformRequest: (data, headers) => { delete headers.common["Authorization"]; return data; }, }); ```

error when signed in to the console - The new Console Home is currently unavailable. Try refreshing the page. Need help badly in this regard please.

It’s not In the dashboard and I have searched it in the new search bar for cases and it’s not with the resolved cases nothing. A red box appears and it says ‘invalid Case ID’

I've been learning AWS for about 6 months now, have learned to disable Cloudwatch metrics when I create Lambdas so I no longer get charged for those, but I started getting charged again starting Jan. 20 2022, $.03, then $.05 per day since for something according to Cost Explorer which adds up to $.43, but I currently show a bill for $.44. I'm having trouble tracking down what exactly is causing the charge. AWS Service Charges is where I see where I exceeded the 10 free alarms per month by 4.430 alarms and a charge of $.44. When I click over to Cloudwatch, I see 16 alarms triggered on 12/20/2021-12/22/2021, but none after that...so I not connecting what I am being charged for...confused. Those alarms were for DynamoDB read/write capacity maybe autoscaling I think? There is a policy, that AWS will not let me disable, on my tables to allow Cloudwatch alarms, which is only getting triggered on 2 of my 5 tables, something that reads "ConsumedReadCapacityUnits < 150 for 15 datapoints within 15 minutes." Not sure if this is the charge. Can someone help me figure this out before I have to shutdown my AWS account for runaway spending? Thanks.

Hello, with my billing Dashboard, I'm getting 0.5 dollars daily for usage of Ec2-ELB for two days, even without any declared loadbalancer or accessing to my account. How I can find the source of this consumption I looked in EC2 load balancer I don't find any ELB Can you please advise ?

After AWS raised our quota limit for Sending Text Messages, we received email with instructions "Before you can send messages, you must update your account spend limit using the Amazon SNS console or API using the following instructions. (http://docs.aws.amazon.com/sns/latest/dg/sms_preferences.html) After following the steps, entering the spend limit and clicking on save changes, we are getting this error: Couldn't set text messaging attributes. Error code: AuthorizationError - Error message: You are not authorized to perform actions for the provided bucket policy Allows "Action": "s3:PutObject", "s3:*"