Questions tagged with Amazon EC2


CloudFront - API Gateway as Reverse HTTP Proxy to CloudFront - ALB - EC2

I'm trying to set up an API Gateway as a simple proxy, using the Proxy option. The back-end is an endpoint hosted by a CloudFront as reverse proxy for ALB + application running on EC2.

User -> CloudFront -> API Gateway Proxy Integration -> CloudFront -> ALB -> Internal APIs hosted by EC2s.

CloudFront and the API GW proxy are located in AWS account A, and CloudFront + ALB + EC2 are located in account B.

When I use the API Gateway console to test the method, the request hits the targeted internal API without any problem. Test execution log:

```
Execution log for request 849015fb-12c9-4619-bc96-363ecb6e9e94
Fri Nov 18 17:33:08 UTC 2022 : Starting execution for request: 849015fb-12c9-4619-bc96-363ecb6e9e94
Fri Nov 18 17:33:08 UTC 2022 : HTTP Method: POST, Resource Path: /api/v2/test/apply
Fri Nov 18 17:33:08 UTC 2022 : Method request path: {}
Fri Nov 18 17:33:08 UTC 2022 : Method request query string: {}
Fri Nov 18 17:33:08 UTC 2022 : Method request headers: {}
Fri Nov 18 17:33:08 UTC 2022 : Method request body before transformations:
Fri Nov 18 17:33:08 UTC 2022 : Endpoint request URI: https://example.com/ext/v2/test/apply
Fri Nov 18 17:33:08 UTC 2022 : Endpoint request headers: {x-amzn-apigateway-api-id=u041f78dig, User-Agent=AmazonAPIGateway_u041f78dig, X-Custom-Header=xxx}
Fri Nov 18 17:33:08 UTC 2022 : Endpoint request body after transformations:
Fri Nov 18 17:33:08 UTC 2022 : Sending request to https://example.com/ext/v2/test/apply
Fri Nov 18 17:33:08 UTC 2022 : Received response. Status: 400, Integration latency: 55 ms
Fri Nov 18 17:33:08 UTC 2022 : Endpoint response headers: {Content-Length=0, Connection=keep-alive, Date=Fri, 18 Nov 2022 17:33:08 GMT, Server=nginx, X-Custom-Header=4100adeb, X-Cache=Error from cloudfront, Via=1.1 c022ca80d7b946eb138dfd2e55c98980.cloudfront.net (CloudFront), X-Amz-Cf-Pop=IAD12-P4, X-Amz-Cf-Id=xxx}
Fri Nov 18 17:33:08 UTC 2022 : Endpoint response body before transformations:
Fri Nov 18 17:33:08 UTC 2022 : Method response body after transformations:
Fri Nov 18 17:33:08 UTC 2022 : Method response headers: {Content-Length=0, Connection=keep-alive, Date=Fri, 18 Nov 2022 17:33:08 GMT, Server=nginx, X-Custom-Header=4100adeb, X-Cache=Error from cloudfront, Via=1.1 c022ca80d7b946eb138dfd2e55c98980.cloudfront.net (CloudFront), X-Amz-Cf-Pop=IAD12-P4, X-Amz-Cf-Id=xxx}
Fri Nov 18 17:33:08 UTC 2022 : Successfully completed execution
Fri Nov 18 17:33:08 UTC 2022 : Method completed with status: 400
```

You can count 400 as success, because it was returned from the internal API running on EC2.

When I'm trying to invoke cloudfront-account-a.com/api/v2/test/apply, I'm getting a 403 error from CF with the following headers:

```
access-control-allow-origin: *
access-control-expose-headers: *
content-length: 915
content-type: text/html
date: Fri, 18 Nov 2022 17:11:43 GMT
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=31536000
via: 1.1 a27022837959b6f70545c8d6d0de9d04.cloudfront.net (CloudFront), 1.1 f0f1092b2ad1f0e573a4fcbefe4fb620.cloudfront.net (CloudFront), 1.1 6bc1c280aeef9bbdeb102c7f4e4f773e.cloudfront.net (CloudFront)
x-amz-apigw-id: xxx
x-amz-cf-id: xxx
x-amz-cf-pop: IAD12-P4
x-amz-cf-pop: IAD79-C1
x-amz-cf-pop: IAD89-C1
x-amzn-remapped-connection: keep-alive
x-amzn-remapped-content-length: 915
x-amzn-remapped-date: Fri, 18 Nov 2022 17:11:43 GMT
x-amzn-remapped-server: CloudFront
x-amzn-requestid: 4d928828-e650-492f-b165-0654c97acab5
x-cache: Error from cloudfront
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
```

What am I doing wrong? Is it even possible to proxy requests in the way I'm trying to do?

1 answer, 0 votes, 45 views. Asked by IP 20 days ago

Can I Use NVMe Reservation on a Multi-Attach Enabled Volume?

Hi, I want to use Amazon EBS Multi-Attach to share data between multiple EC2 instances. In the [UserGuide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volumes-multi.html), it says

> Multi-Attach enabled volumes do not support I/O fencing. I/O fencing protocols control write access in a shared storage environment to maintain data consistency. Your applications must provide write ordering for the attached instances to maintain data consistency.

I've googled *"I/O fencing"* and found that NVMe Reservation is a good way (compared to "power fencing", which means powering off the error node) to implement I/O fencing. However, I failed to use NVMe Reservation on a Multi-Attach Enabled Volume. The details are as follows.

- EC2: r5b.large, ubuntu-22.04
- EBS: io2, 100GiB, 6000 IOPS, enabled Multi-Attach

I run the following command in the EC2 instance:

```
> sudo nvme list
```

and get

```
Node                  SN                   Model                                    Namespace Usage                      Format           FW Rev
--------------------- -------------------- ---------------------------------------- --------- -------------------------- ---------------- --------
/dev/nvme0n1          volxxxxxxxxxxxxxxxx  Amazon Elastic Block Store               1         8.59 GB / 8.59 GB          512 B + 0 B      2.0
/dev/nvme1n1          volxxxxxxxxxxxxxxxx  Amazon Elastic Block Store               1         107.37 GB / 107.37 GB      512 B + 0 B      2.0
```

then run

```
> sudo nvme resv-register -n 1 --crkey=0x0 --nrkey=0xa1 --rrega=0 /dev/nvme1n1
```

and get

```
NVMe status: INVALID_OPCODE: The associated command opcode field is not valid(0x2001)
```

I googled this error message and found that it may be caused by the driver not supporting it. To confirm that, I run

```
> sudo nvme amzn id-ctrl /dev/nvme1n1 -H
```

and get

```
...
oncs : 0
  [8:8] : 0 Copy Not Supported
  [7:7] : 0 Verify Not Supported
  [6:6] : 0 Timestamp Not Supported
  [5:5] : 0 Reservations Not Supported
  [4:4] : 0 Save and Select Not Supported
  [3:3] : 0 Write Zeroes Not Supported
  [2:2] : 0 Data Set Management Not Supported
  [1:1] : 0 Write Uncorrectable Not Supported
  [0:0] : 0 Compare Not Supported
...
```

The fifth bit indicates "not supporting reservation". So does AWS Multi-Attach Enabled Volume **NOT** support NVMe Reservation? Or are there other ways to solve this problem?

1 answer, 0 votes, 26 views. Asked by Robert 20 days ago

AWS Inspector V2 and AWS Inspector Classic findings are different

I am using Ubuntu 20.04 EC2 instances and was investigating the difference between AWS Inspector Classic and AWS Inspector V2. There seemed to be many differences, but the main one was the actual findings. With Inspector Classic a number of CVEs would be found, while with Inspector V2 the same instance, once scanned, would say `No Findings`.

### Inspector Classic finds 53 CVEs

![Enter image description here](/media/postImages/original/IM7H1iE2k8S2iL21F4CODGEQ)

### Same instance with InspectorV2 just shows `No findings`

![Enter image description here](/media/postImages/original/IMLgoOIjGzSqm7eZcT5bGH4Q)

-------

With Inspector Classic I did attach a rule called `Common Vulnerabilities and Exposures-1.1`. I'm not sure what Inspector V2 actually checks against either.

During my search to make this work, I did find that I needed the following Systems Manager Association to work: `InspectorInventoryCollection-do-not-delete`. It's working now and shows success for all EC2 instances.

I am unsure if the `InvokeInspectorSsmPlugin-do-not-delete` Association needs to work as well. Not quite sure what this is used for, but it shows skipped for all instances, and when I look at the detailed status output on a specific instance it just says `InvalidPlatform`. Not sure if this is related.

Can InspectorV2 actually be used to check Ubuntu 20.04 CVEs? If so, how? Is there some special IAM or SSM config/setup that needs to be applied?

1 answer, 0 votes, 25 views. Asked by dili 22 days ago