Questions tagged with Management & Governance

Is it possible to have different login URLs for different IAM users or for different stacks of the same root account? E.g. user IAM 1 -> linkA, userIAM2 -> linkB, or Stack1 -> linkA, Stack2 -> linkB. What I need is to deploy an application with different settings for different end-users, if possible with different login links. Then give the user a chance to see their stack and fleet belong. Do you have any suggestions on how to do that? Thanks in advance.
2 answers, 0 votes, 113 views, asked a year ago

I'm trying to use aws s3api put-object/get-object with server side encryption with customer keys. I'm using Powershell, but I don't believe that is the source of my issue. On the surface, sse-customer-key-md5 appears to be a pretty simple input: https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html

> Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure that the encryption key was transmitted without error.

put-object works when I don't use --sse-customer-key-md5:

```
>aws s3api put-object `
  --bucket abc `
  --sse-customer-algorithm AES256 `
  --sse-customer-key "testaes256testaes256testaes25612" `
  --region us-east-1 `
  --key test.pdf `
  --body C:\test.pdf
>
{
    "SSECustomerKeyMD5": "ezatpv/Yg0KkjX+5ZcsxdQ==",
    "SSECustomerAlgorithm": "AES256",
    "ETag": "\"0d44c3df058c4e190bd7b2e6d227be73\""
}
```

I agree with the SSECustomerKeyMD5 result:

```
>$key = "testaes256testaes256testaes25612"
$md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
$utf8 = new-object -TypeName System.Text.UTF8Encoding
$hash = $md5.ComputeHash($utf8.GetBytes($key))
$EncodedString =[Convert]::ToBase64String($hash)
Write-Host "Base64 Encoded String: " $EncodedString

Base64 Encoded String: ezatpv/Yg0KkjX+5ZcsxdQ==
```

Now I resubmit my put request with the --sse-customer-key-md5 option. Before anyone jumps on the base64 encoding, I've tried submitting the MD5 hash in Base64, Hexadecimal (with and without delimiters), JSON of the MD5 hash result, and upper case and lower case versions of the aforementioned. None work. Has anyone gotten this to work and, if so, what format did you use?

```
>aws s3api put-object `
  --bucket abc `
  --sse-customer-algorithm AES256 `
  --sse-customer-key "testaes256testaes256testaes25612" `
  --sse-customer-key-md5 "ezatpv/Yg0KkjX+5ZcsxdQ==" `
  --region us-east-1 `
  --key test.pdf `
  --body C:\test.pdf
>
aws : At line:1 char:1
+ aws s3api put-object `
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

An error occurred (InvalidArgument) when calling the PutObject operation: The calculated MD5 hash of the key did not match the hash that was provided.
```

Thanks

2 answers, 0 votes, 371 views, keebs, asked a year ago

```
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Creating QuickSight data source'
Resources:
  QuickSightDataSource:
    Type: AWS::QuickSight::DataSource
    Properties:
      AwsAccountId: !Ref AWS::AccountId
      Name: Testing Data Source
      Type: ATHENA
      DataSourceId: testing-data-source
      DataSourceParameters:
        AthenaParameters:
          Workgroup: primary
      Permissions:
        - Actions:
            - quicksight:DescribeDataSource
            - quicksight:DescribeDataSourcePermissions
            - quicksight:PassDataSource
          Principal: !Sub
            - 'arn:aws:quicksight:us-east-1:${Account}:user/default/my-user-name'
            - Account: !Ref AWS::AccountId
  QSDataSet:
    DependsOn: QuickSightDataSource
    Type: AWS::QuickSight::DataSet
    Properties:
      AwsAccountId: !Ref 'AWS::AccountId'
      DataSetId: 'QSDataSet-test'
      ImportMode: SPICE
      Name: Dataset-test
      Permissions:
        - Actions:
            - 'quicksight:CreateDataSet'
            - 'quicksight:DeleteDataSet'
            - 'quicksight:DescribeDataSet'
            - 'quicksight:DescribeDataSetPermissions'
            - 'quicksight:PassDataSet'
            - 'quicksight:UpdateDataSet'
            - 'quicksight:UpdateDataSetPermissions'
          Principal: !Sub
            - 'arn:aws:quicksight:us-east-1:${AWS::AccountId}:user/default/my-user-name'
            - Account: !Ref 'AWS::AccountId'
      PhysicalTableMap:
        downtime_data_json:
          DataSourceArn: !GetAtt QuickSightDataSource.Arn
          InputColumns:
            - Name: downtime
              Type: INTEGER
          Schema: XXX???
```

I have a data source & data tables in Athena and want to refer to them in the above template. I am not finding DatasourceArn; the above template is throwing the error "Model validation failed (#: extraneous key [DataSourceArn] is not permitted)". Can anyone please help me out to hash out this?

0 answers, 0 votes, 42 views, asked a year ago

```
QSDataSource:
  Type: AWS::QuickSight::DataSource
  Properties:
    AwsAccountId: !Ref 'AWS::AccountId'
    DataSourceId: '????'
    Name: '????'
    SslProperties:
      DisableSsl: false
    Type: ATHENA
```

Hello, I am trying to create a data source in QuickSight with Athena as the resource type, but I am not able to understand what to mention at 'DataSourceId' and 'Name'. If anyone can provide a sample/example template, it would be helpful.

1 answer, 0 votes, 44 views, asked a year ago

```
Resources:
  AssetModel:
    Type: AWS::IoTSiteWise::AssetModel
    Properties:
      AssetModelName: Testmodel
      AssetModelDescription: Testmodel
      AssetModelProperties:
        - LogicalId: MyLogicalId_for_Accumulator_Level
          Name: Accumulator Level
          DataType: INTEGER
          DataTypeSpec: Accumulator Level
          Type:
            TypeName: Measurement
```

Unable to create a Measurement definition in Asset Model properties (IoT_Site_Wise) through an AWS CloudFormation template. Tried to create it in many ways by changing Logical id, Datatype, Name etc. Please help me to create Measurement definitions. It will be a great help if anyone can provide a sample template for Measurement creation.

1 answer, 0 votes, 50 views, asked a year ago

AWS commands that are part of a batch program initiated by 'nt authority\system' are unable to identify the existing AWS profile present in my user directory (.aws)
0 answers, 0 votes, 36 views, asked a year ago

Hi Everyone, I would like to know about the effect of **Service Control Policies** created in the AWS Master Account's organization. I have enabled Amazon GuardDuty in the Master account and added one of our member accounts as "**Delegated Administrator Account**" to manage GuardDuty findings from all the member accounts. The question is what would happen to the Delegated Administrator Account (for GuardDuty) when I create and apply a Service Control Policy in the AWS master account's organizations? Since SCPs will take effect on all the member accounts of the master account, "Delegated Administrator Account (for GuardDuty)" is also a member account of the AWS master account. Will access get denied when modifying the GuardDuty configuration from the Delegated admin account (for GuardDuty) as well?

Ref Link: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_guardduty.html

Thanks, Swapnil Pawar

5 answers, 0 votes, 196 views, asked a year ago

Hi, I need to speak with some member of the verification team. I'm sorry but it's really really frustrating because my account has been closed and my team is blocked from working on projects. I'm the CEO of a software development house registered in the USA that has already signed contracts to deliver projects using AWS, but the verification team has closed our account. I'm gonna share all details in a moment. But just to summarise, I have responded to their emails, and am ready to provide more documents or information, or pay whatever it takes, but I need a way forward. The last email I received from the verification team was:

> Hello, We have closed your Amazon Web Services account. We took this action because our records show that this account is related to previously closed accounts. Due to the proprietary nature of our business, we are unable to discuss other accounts with you. Sincerely, Amazon Web Services
>
> To contact us again about this issue, please reply to this email.

Yes, we did have a previous account that got locked because we weren't able to clear around $300 outstanding payment within 90 days. We wanted to clear that payment but the verification team said the account was closed and it cannot be recovered now. It wouldn't be a problem if we created a new account against a new email. And that's what we did. We really spent a lot of time trying to speak to Support about that in vain. This is unfair. Please tell us what to do in order to figure this out and make it work. We need to do huge deployments on AWS for multiple clients and we're willing to pay whatever to do that.

2 answers, 1 vote, 195 views, asked a year ago

Hello, I created many buckets for testing and I have the same result. When I contacted the support they said "I tried to list the s3 buckets on your account but there is no s3 bucket created", but I created 3 of them. I use Laravel 8 and a package that many people use. I have no error when I seek my user (IAM), but if I write the name of my bucket or a bucket name that doesn't exist I have the same result. I have these errors:

---

```
Aws\S3\Exception\S3Exception
Error executing "HeadObject" on "https://mybucketname.s3.eu-west-3.amazonaws.com/images/1/6PepdkQG3ZkfbBWjVr0jhoUotprRc5hMiNC78RE7.png"; AWS HTTP error: Client error: `HEAD https://mybucketname.s3.eu-west-3.amazonaws.com/images/1/6PepdkQG3ZkfbBWjVr0jhoUotprRc5hMiNC78RE7.png` resulted in a `404 Not Found` response NotFound (client): 404 Not Found (Request-ID: BG0058D586NR6CPC) -
```

I already searched on many forums, and contacted the support, but this has not really helped me :( My question is: Why doesn't the support see my buckets, and how can I a bucket that I can use?

4 answers, 0 votes, 936 views, bukxy, asked a year ago

It seems that only AWS Certifications are accepted in rePost profile and not AWS Accreditations although they are officially awarded by AWS after trainings and published also on Credly. Would it be possible to accept them in the Profile as well?
1 answer, 0 votes, 43 views, AWS, asked a year ago

Hello Is there an ip-block for whitelisting to access our cloud resources within Grafana? For example, if we have an RDS instance and want to use that as a data-source within Grafana. We use known IPs for access and would need the IP or ip-block to whitelist to allow this connection to happen. Thanks in advance. -Srinivas
3 answers, 1 vote, 397 views, sbivn, asked 2 years ago

Q: How to enable AWS Systems Manager for Multi Account and Multi Region?

Requirement: I need to implement AWS Systems Manager. Customer has 400+ Accounts and multiple Regions with Two Payer Accounts w/ two Organizations. There is no Landing Zone or Control Tower enabled. But Customer has a proposal to enable Control Tower.

Questions:

1. SSM (ex: enabled in central account) can discover EC2 Instances across all accounts, all regions (accounts belong to different organizations)?
2. What is the best way to install SSM Agent is it through CloudWatch Events Rule or via Config Rules?
3. How do we update Instance Profile in all EC2 Instances across all accounts?

Regards, Anil

1 answer, 0 votes, 1286 views, asked 3 years ago