Questions tagged with AWS Config
Instance launch failed
This account is currently blocked and not recognized as a valid account. Please contact aws-verification@amazon.com if you have questions.
* **Initializing requests**: Succeeded
* **Creating security groups**: Succeeded
* **Creating security group rules**: Succeeded
* **Launch initiation**: Failed

Hi, I'm a newbie taking the AWS Cloud Architect course on Coursera and currently on Course 1, Module 4, Exercise 7. I believe I followed all the instructions to a T and have tried it twice now and continue to get stuck on the following Task within the assignment:
Task 5: Testing the application
In this task, you will stress-test the application and confirm that it scales.
Return to the Amazon EC2 console.
In the navigation pane, under Load Balancing, choose Target Groups.
Make sure that app-target-group is selected and choose the Targets tab.
You should see two additional instances launching.
Wait until the Status for both instances is healthy.
My status never reaches the "healthy" state; it keeps failing with "Unhealthy" or "Draining" (Target deregistration is in progress).
Can someone tell me why this would happen and where I should check to correct this?
Thank you in advance.
Hey guys,
Hope you are doing well today!
I have a question regarding AWS config, I want to deploy the service and download the HIPAA conformance pack.
I would like your guidance on the minimal user permissions I'll need in order to deploy and maintain this service.
Thanks in advance!
Dear All,
Can you assist me in obtaining the backup report for an Amazon EC2 instance? I am trying to get it but it is not working properly. The following is the query I am using.
```sql
SELECT
  configuration,
  configuration.Status,
  configuration.CreationDate,
  configuration.CompletionDate,
  configuration.BackupVaultName,
  configuration.RecoveryPointTags,
  configuration.BackupSizeInBytes,
  configuration.ResourceName,
  configuration.Lifecycle,
  accountId,
  resourceId,
  awsRegion,
  resourceName,
  resourceType
WHERE
  resourceType IN ('AWS::Backup::RecoveryPoint','AWS::EC2::Instance')
  AND
  configuration.CreationDate = date(-24h)
```
Hi,
I need help to use a function that concatenates a parameter with a static value within a remediation rule.
I have the following custom Conformance Pack, where I want to define the *AutomationAssumeRole* as a parameter.
```yaml
Parameters:
  ParamAutomationAssumeRole:
    Default: ComplianceRemediation
    Type: String
Resources:
  Ec2SecurityGroupAttachedToEni:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-security-group-attached-to-eni
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::SecurityGroup
      Source:
        Owner: AWS
        SourceIdentifier: EC2_SECURITY_GROUP_ATTACHED_TO_ENI
  Ec2SecurityGroupAttachedToEniRemediation:
    DependsOn: Ec2SecurityGroupAttachedToEni
    Type: "AWS::Config::RemediationConfiguration"
    Properties:
      ConfigRuleName: ec2-security-group-attached-to-eni
      ResourceType: "AWS::EC2::SecurityGroup"
      TargetId: "AWSConfigRemediation-DeleteUnusedSecurityGroup"
      TargetType: "SSM_DOCUMENT"
      TargetVersion: "1"
      Parameters:
        GroupId:
          ResourceValue:
            Value: "RESOURCE_ID"
        AutomationAssumeRole:
          StaticValue:
            Values:
              Fn::Sub:
                "arn:aws:iam::${AWS::AccountId}:role/${ParamAutomationAssumeRole}"
```
Based on this [doc](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-join.html), I could use the "Fn::Sub:" function, but the Conformance Pack deployment fails with the following error:

I'm not sure what I'm doing wrong here. Any help is much appreciated.
Thanks!
We are running an email processing application for one of our clients. They send the emails via SMTP to our servers, and before delivering the emails to the final MTA we are supposed to do some processing on the incoming SMTP traffic, like adding tracker information. Currently we are doing this on a standalone server at a data center in the US which has an Intel Xeon E3-1270v6 - 4c/8t - 3.8 GHz/4.2 GHz with SSD drives and 64 GB RAM.
Here we are able to process 130 - 150 mails per second very easily.
Now that we have moved this to AWS EC2 on a c6a.4xlarge, the same process is barely processing 50 - 60 mails per second.
Is there any throttle on AWS, or have we selected the wrong EC2 instance?
Please guide.
**Context**
Recently I came across a scenario where rolling out Fargate infrastructure and [Fargate's dynamic task networking nature](https://docs.aws.amazon.com/AmazonECS/latest/userguide/fargate-task-networking.html) resulted in a significant increase in cost due to a near-continuous stream of Configuration Item updates for the `AWS::EC2::Subnet` Config resource.
The nitty gritty seems to be attributed to the following:
* As seen in the above resource Fargate will assign an ENI to each task (1:1 relationship) with a primary Private IP address.
* The impact on the `AWS::EC2::Subnet` resource Configuration Item is that: (1) the `Configuration.AvailableIpAddressCount` will change as a result and (2) the `Relationships` metadata will change to be updated with the most current ENI information, which is again 1:1 depending on the number of tasks you have running at any point in time.
When you have a high volume task operating context this results in a significant increase in cost (see the [Config Pricing calculator](https://aws.amazon.com/config/pricing/) for Configuration Item pricing) if you don't keep your eye on things.
**Response**
In response to this, instead of tracking all resource types by default in AWS Config, I explicitly specified which resource types to include which did not include the `AWS::EC2::Subnet` resource type. This seems to have mitigated the issue from the standpoint of "stopping recording" but it is not ideal because I'd like to be able to track resource changes to Subnets and action them as needed based on findings.
**Questions**
* Has anyone else come across this issue? I'm wondering if maybe I'm overlooking a setting somewhere to tune this such that it reasonably controls cost.
* Is this a bug or are feature requests open somewhere with AWS to find a solution to this? I haven't found anything yet but very well could have missed something.
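As an added example (not part of the original post), the script below diffs successive AWS Config configuration items of one resource and counts which fields change, which is how the churn described above shows up in a Config history. The subnet CI records are constructed with made-up values; only the field names follow the Config CI schema.

```python
# Added example, not from the original post: diff successive AWS Config
# configuration items (CIs) of one resource to see which fields drive churn.
# The CI records are constructed to mimic the AWS::EC2::Subnet case above;
# field names follow the Config CI schema, all values are made up.
from collections import Counter

def eni(*ids):
    return [{"resourceType": "AWS::EC2::NetworkInterface", "resourceId": i} for i in ids]

def subnet_ci(ts, free_ips, enis):
    """Build one constructed subnet CI captured at time ts."""
    return {"resourceType": "AWS::EC2::Subnet", "resourceId": "subnet-0example",
            "configurationItemCaptureTime": ts,
            "configuration": {"cidrBlock": "10.0.1.0/24",
                              "availableIpAddressCount": free_ips},
            "relationships": eni(*enis)}

# Three CIs as Fargate tasks come and go: each task attaches one ENI and
# consumes one private IP, so both fields move on nearly every capture.
SUBNET_CIS = [
    subnet_ci("2023-02-01T10:00:00Z", 250, ["eni-a"]),
    subnet_ci("2023-02-01T10:00:30Z", 248, ["eni-a", "eni-b", "eni-c"]),
    subnet_ci("2023-02-01T10:01:00Z", 249, ["eni-a", "eni-c"]),
]

def diff_ci(prev, curr):
    """Change descriptors between two consecutive CIs: 'configuration.<key>'
    for changed values, 'relationships.<type>' for added/removed relations."""
    changes = set()
    for k in set(prev["configuration"]) | set(curr["configuration"]):
        if prev["configuration"].get(k) != curr["configuration"].get(k):
            changes.add(f"configuration.{k}")
    rel = lambda ci: {(r["resourceType"], r["resourceId"]) for r in ci["relationships"]}
    for rtype, _ in rel(prev) ^ rel(curr):  # symmetric difference: added or removed
        changes.add(f"relationships.{rtype}")
    return changes

def churn_report(cis):
    """Count, over a time-ordered CI history, how often each field changed.
    Fields changing in almost every CI are what generates the billable items."""
    cis = sorted(cis, key=lambda ci: ci["configurationItemCaptureTime"])
    counts = Counter()
    for prev, curr in zip(cis, cis[1:]):
        counts.update(diff_ci(prev, curr))
    return dict(counts)

if __name__ == "__main__":
    for field, n in sorted(churn_report(SUBNET_CIS).items()):
        print(f"{field}: changed in {n} of {len(SUBNET_CIS) - 1} CIs")
```

Run against a real history exported from the Config S3 bucket, the same report shows which fields and resource types to exclude from recording or to review before cost grows.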
I've been trying to setup multi-account config aggregation and recording at org level.
I'd been trying to do it with Terraform, but ended up re-doing it via the console, and also while logged in under the root account for the org, to make sure there weren't delegation issues.
I've got the config aggregator setup, logging to S3, and I'm seeing events come in and getting written, but only from the org account itself. I see the sub-accounts in the aggregator and the status shows up "Ok" for each of them (this was true even previously, when I'd set it up from an IAM account with admin privs), however, I'm not yet seeing any configurations or events coming through. Resources from the org itself are showing up fine.
* Config aggregator is using a custom role based on `AWSConfigRoleForOrganizations` as well as an `sts:AssumeRole` policy attachment
* The recorder has "Use an existing AWS Config service-linked role" (`AWSServiceRoleForConfig`) selected currently
https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data-troubleshooting.html mentions "Enable AWS Config in the source account", but based on the other docs, it seems like that should not actually be necessary with this type of setup?
Presumably since the recorder and aggregator are in the org account, as well as the target bucket, the other accounts within the org don't need any permissions for the bucket, right?
Also, will all the data from sub-accounts show up under `[bucket]/AWSLogs/[org account ID]/Config/us-east-2/2023/2/24/ConfigHistory/` if that's where the aggregator itself is? Or would I expect them to show up in the same structure as CloudTrail logs etc., where they're under the org ID and then the sub-account ID (`[bucket]/AWSLogs/o-XXXXXXXX/[sub account id]/Config`)?
Aggregator menu view in console

Detail of one sub account's status

Aggregator main page only shows the org account.

# When I run the command `agc account activate`, the following error is generated:
==\\
2023-02-18T22:00:44-08:00 𝒊 Activating AGC with bucket '' and VPC ''
Bootstrapping CDK... [--o-] 2.0s
2023-02-18T22:00:47-08:00 ✘ '\\\\wsl.localhost\Ubuntu\home\jeffzz\\.agc\cdk'
2023-02-18T22:00:47-08:00 ✘ CMD.EXE was started with the above path as the current directory.
2023-02-18T22:00:47-08:00 ✘ UNC paths are not supported. Defaulting to Windows directory.
2023-02-18T22:00:47-08:00 ✘ The system cannot find the path specified.
2023-02-18T22:00:47-08:00 ✘ error="exit status 1"
Error: an error occurred invoking 'account activate'
with variables: {bucketName: vpcId: publicSubnets:false customTags:map[] subnets:[] amiId:}
caused by: exit status 1
==\\
would greatly appreciate any help!
Hi all,
I have a question regarding the newly released features of **AWS Control Tower** and **AWS Config**.
What is the difference between **AWS Control Tower Proactive Controls** and **AWS Config Proactive Compliance**, and why should I use one instead of the other?
Also, is there a way to use **AWS Config Proactive Compliance** with CloudFormation?
Thanks
We have EKS clusters that were deleted on 7th Feb, and this change can be found in CloudTrail. However, in the AWS Config log it only appears on 9th Feb. Please help clarify the delay.
