Hi team, I'm trying to update my CDK version from V1 to V2 in my packege.json, I changed the version from "^1.153.1" to "^2.25.0" but I have compilation errors when doing npm install ... for example ``` npm ERR! code ETARGET npm ERR! notarget No matching version found for @aws-cdk/aws-apigatewayv2-authorizers@^2.25.0. npm ERR! notarget In most cases you or one of your dependencies are requesting npm ERR! notarget a package version that doesn't exist. ``` how can I keep my existing code for my CDK stacks working with the V2 version or should I rewrite the CDK code? Thank you :)

We've tested with ec2 and Cloud9 and I connected to Studio 3t using ec2 ssh tunnel. And I follow the example of programming connection https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html There is a timeout error locally in NodeJS, so I am asking. Even if you try to access using .pem file locally in NodeJS, a timeout error occurs and asks. What is the reason and how can I improve it? I'm sharing the source below. Thank you in advance ``` var MongoClient = require('mongodb').MongoClient; var username = 'DBusername'; var password = 'DBpassword'; var client = MongoClient.connect( `mongodb://<DBusername>:<DBpassword>@<clusterendpoint>:27017/<DBname>?tls=true&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false`, { tlsCAFile: `./rds-combined-ca-bundle.pem`, }, function (err, client) { if (err) throw err; //Specify the database to be used db = client.db('DBname'); //Specify the collection to be used col = db.collection('CollectionName'); //Insert a single document col.insertOne({ hello: 'Amazon DocumentDB' }, function (err, result) { //Find the document that was previously written col.findOne({ hello: 'DocDB;' }, function (err, result) { //Print the result to the screen console.log(result); //Close the connection client.close(); }); }); } ); ```

Need to switch account from ADS employee to AWS employee and NOT have to pay/put in credit card. Can someone help?

I'm hosting a static website via S3 buckets and CloudFront. I've set it up so that the data is stored in the www bucket and the other, non-www, bucket routes to it. Typing in the ULR with the www works perfectly. The issue I'm running into is that when I type in the URL without the www, it routes to another site with a different, but similar URL. It's been like this for about a week and nothing I do seems to change it. I've redone the hosting zones and checked multiple times and none of it seems to work. I've done something like this before with other sites I've set up so I know what I'm doing works. I'm last as to how to go about fixing this so any help would be very much appreciated.

I recently registered a .co.uk domain thinking it could be hosted on Route 53. I later learned Route 53 isn't compatible with the storefront service that the domain was intended to point to. Cloudflare is compatible and I've moved NS authority to their platform and updated NS in Route 53. However, .co.uk domains are managed by Gandi and I also need to update NS records there. Simply updating on Route 53 didn't update Gandi. I don't have a Gandi account, how do I make these changes?

- I'm using Quectel modem BG95 with a host MCU to connect to AWS IoT core and publish to topics and subscribe to topics as well. - I used to get an error occasionally that closed the MQTT connection exactly while doing pub/sub operations and connection had to be re-established , but that was very rare. - However, since the last few days I have been running tests on multiple devices (using same IoT core endpoint) and have been getting this MQTT dis-connection on each pub or sub operation. I am attaching a log for review. - To me it seems a server side issue since I have tried it with multiple modems and previous versions of firmware. ``` [While publishing to topic] ;2022-05-08T02:29:41Z;28;-966233403;462863960;;RAK000121|-45,RAKTEST|-56 AT+QIDEACT=1 OK[ 2022-05-08T02:29:41Z ] [FARM_IP][INFO] MDM_SET_DEACTIVATE_PDP-else AT+QIACT=1 OK AT+QMTOPEN=0,"a5u9klmd2viw3z-ats.iot.us-west-1.amazonaws.com",8883 OK +QMTOPEN: 0,0 --- [Opening MQTT Connection] [ 2022-05-08T02:29:41Z ] [FARM_IP][INFO] Mqtt opened AT+QMTCONN=0,"0123qwer786" OK +QMTCONN: 0,0,0 --- [MQTT client connected] AT+QMTPUB=0,1,1,0,"fm/1011",72 --- [Publishing to the MQTT Topic] > ;2022-05-08T02:29:41Z;28;-966233403;462863960;;RAK000121|-45,RAKTEST|-56 OK +QMTSTAT: 0,1 --- [MQTT Connection Closed] ``` ``` [While Subscribing to topic] AT+QMTSUB=0,1,"imei/get_logs",0 --- [Subscribing to the MQTT Topic] OK +QMTSTAT: 0,1 --- [MQTT Connection Closed] [ ] [FARM_IP][INFO] Starting timer AT+QMTSUB=0,1,"imei/get_logs",0 --- [Subscribing to the MQTT Topic] OK +QMTSTAT: 0,1 --- [MQTT Connection Closed] ```

Hello, CX have below workflow and would like to know if we can increase the time out. ~~ VirtualGateway -> GatewayRoute -> Virtual Service->Virtual Node ~~ By default the timeout value is 15 sec in Virtual Node configuration according to this AWS doc[1]. Also I tried increasing this value in Virtual node listener but still have issues, Also, at the moment the only concern is where can we set timeouts in Appmesh other than virtual node configuration as per the above workflow? To be able to set a timeout greater than the default value we would need to setup a virtual router and a route with a timeout greater than the default. I tried according to this doc[2] but still receiving timeout error's at 15 sec. Links: [1]https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_nodes.html [2]https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appmesh-route-httptimeout.html

Hey there, that is how my MediaConvert .m3u8 file should look in the end but I'm not getting the correct settings in MediaConvert to achieve this. ``` #EXTM3U #EXT-X-MEDIA:TYPE=AUDIO,GROUP-ID="audio_aac",NAME="eng",LANGUAGE="eng",AUTOSELECT=YES,DEFAULT=YES,URI="{ URL HERE }" #EXT-X-MEDIA:TYPE=AUDIO,GROUP-ID="audio_aac",NAME="cze",LANGUAGE="cze",AUTOSELECT=YES,URI="{ URL HERE }" #EXT-X-MEDIA:TYPE=AUDIO,GROUP-ID="audio_aac",NAME="fre",LANGUAGE="fre",AUTOSELECT=YES,URI="{ URL HERE }" #EXT-X-STREAM-INF:AVERAGE-BANDWIDTH=371017,BANDWIDTH=383038,CODECS="mp4a.40.2",AUDIO="audio_aac" { URL HERE } #EXT-X-STREAM-INF:AVERAGE-BANDWIDTH=374634,BANDWIDTH=384918,CODECS="mp4a.40.2",AUDIO="audio_aac" { URL HERE } #EXT-X-STREAM-INF:AVERAGE-BANDWIDTH=372814,BANDWIDTH=383420,CODECS="mp4a.40.2",AUDIO="audio_aac" { URL HERE } ``` I would appreciate any help!

Hi team, I'm looking for the best option to handle SES feedback loop in AWS? We have to handle bounces and complaints. if the user REPORT SPAM or if the email bounces (because you delete your email or the mailbox is full). **so we need to store feedback loop somewhere ** Thank you :)

Hi, We want to implement a pessimistic locking of code commit and wanted to find out steps to implement this. Would appreciate if anyone can provide guidance on this. Thank you

I am getting the errors: 1>error LNK2001: unresolved external symbol "__declspec(dllimport) void __cdecl Aws::InitAPI(struct Aws::SDKOptions const &)" (__imp_?InitAPI@Aws@@YAXAEBUSDKOptions@1@@Z) 1>error LNK2001: unresolved external symbol "__declspec(dllimport) public: __cdecl Aws::Client::ClientConfiguration::ClientConfiguration(void)" (__imp_??0ClientConfiguration@Client@Aws@@QEAA@XZ) . . . 1> fatal error LNK1120: 21 unresolved externals I am building my application with VS2019 but with the VS2015 runtime libraries (v140). 64 bit release and debug. Multi-threaded libraries (/MT) I used vcpkg to obtain the AWSSDK and I believe I built the SDK to match my configuration. I am linking with aws-cpp-sdk-s3.lib;aws-cpp-sdk-core.lib. I am defining USE_WINDOWS_DLL_SEMANTICS and USE_IMPORT_EXPORT in my code Any suggestions would be much appreciated. Thank you.

Hello, I have created a Lambda function that fetched the static/hash token from the environment variables in the Configuration section. When I try to export the Lambda function using the Action > Export function, a zip file is downloaded without any configuration-related data in it. Is there a way to export the environment variables from the Lambda functions?

One box stage in CICD pipeline is a stage before production stage. This stage also will receive the production traffic. The goal of this stage is to validate the new changes with very small prod traffic and keep the blast radius to minimal incase of issues. In server based deployment, this stage will contain only 1 machine to receive very small % of traffic. The code changes will be deployed to 1-box stage before production and leave it for some time to validate the behaviour of new change. If there is an issue in 1-box stage with the new code, the blast radius will be minimal and roll back is faster since the changes are deployed in only one machine. It is explained in "Backward compatibility and one-box testing" topic in this link - https://aws.amazon.com/builders-library/automating-safe-hands-off-deployments/ How do we setup the same in lambda ci-cd ? Any leads on this will be super helpful.

I have a few lambdas written in C#. There are some functions which can be reused among these lambdas. How can I achieve that?

How can I check the cost of network load balancer with cross-zone load balancing enabled on AWS console? Cross zone load balancing only.

In server setup, the connections to RDS DB (Aurora) instances has pool where the connections are bit long lived and cached. This will give us faster connectivity. I would like to understand the guidance on this scenario for serverless/lambda. With lambda there is no sessions and no connections are cached. I think it will create connections every time, it might impact the performance. Are there any workaround or solves/guidance for Lambda ? Is it okay to open the connection every time with the DB instances ? Any leads on this will be super helpful ?

Can we make the lambda function urls not accessible from public internet and accessible only with in the vpc ? I do understand using AWS_IAM we can reject the requests from malicious users. I am wondering about the ways to restrict the access within VPC, zero access from public internet.

I want to host a python code based service in Lambda behind API GW. AFAIK, there are 2 approaches to deploy the code to Lambda. 1. simply zip the code and upload to S3 and link with the lambda function 2. create ECR images and deploy it with lambda function. Are there any guidance on when to use ECR ? and when to use simple code zipping ? What are the pros and cons of each approach ? Some leads on this topic will be super helpful.

Hi team, I create a bucket with CDK and set the property **eventBridgeEnabled to true** ``` const bucket = new Bucket( this, "myBucket", { versioned: false, publicReadAccess: false, blockPublicAccess: BlockPublicAccess.BLOCK_ALL, **eventBridgeEnabled: true**, } ); ``` but when I go to the** s3 console** and check the properties tab/ EventBridge it's still **showing "off" instead of "on"** is there anything missing? Thank you.

Whilst new to the AWS environment, Amplify, and Cloud9, I didn't think I'd be running into issues this early on. I'm trying to install amplify in a new Cloud 9 environment, but for some reason, get this error off the bat. Any guidance or direction pointing would be highly appreciated: ``` Downloading release from https://d2bkhsss993doa.cloudfront.net/8.0.2/amplify-pkg-linux-x64.tgz node:internal/buffer:959 super(bufferOrLength, byteOffset, length); ^ RangeError: Array buffer allocation failed at new ArrayBuffer (<anonymous>) at new Uint8Array (<anonymous>) at new FastBuffer (node:internal/buffer:959:5) at createUnsafeBuffer (node:internal/buffer:1062:12) at allocate (node:buffer:410:10) at Function.allocUnsafe (node:buffer:375:10) at Function.concat (node:buffer:553:25) at Extract.<anonymous> (/home/ec2-user/.nvm/versions/node/v16.14.2/lib/node_modules/@aws-amplify/cli/lib/binary.js:124:37) at Extract.emit (node:events:538:35) at finishMaybe (/home/ec2-user/.nvm/versions/node/v16.14.2/lib/node_modules/@aws-amplify/cli/node_modules/readable-stream/lib/_stream_writable.js:624:14) ```

Hi team, I want to add a glue workflow as a target to my rule ``` import * as events from "@aws-cdk/aws-events"; const rule = new events.Rule( this, "object_created_event", { description: "description here....", ruleName: "newObj", enabled: true, eventPattern: { source: ["aws.s3"], detailType: ["Object Created"], detail: { bucket: { name: ["test_bucket"], }, }, }, } ); rule.addTarget(new targets.....); ``` I can't find glue workflow as a target on the targets list so that I can add it as a target to my rule. is there any other way to do it other than using ..addTarget method? thank you.

Hi team, I want to enable eventBridge notification on my S3 bucket via CDK, I saw it was added as a property to the bucket props as part of this PR : https://github.com/aws/aws-cdk/pull/18150 but I can't find it on the props ``` import { BlockPublicAccess, Bucket} from "@aws-cdk/aws-s3"; const myS3Bucket= new Bucket( this, "myS3Bucket", { versioned: false, publicReadAccess: false, blockPublicAccess: BlockPublicAccess.BLOCK_ALL, eventBridgeEnabled: true, -- error here ..... } ); ``` I have this error : `eventBridgeEnabled: boolean; }' is not assignable to parameter of type 'BucketProps'.` I even tried with CfnBucket but had same error ``` const bucket = new CfnBucket(this, 'MyEventBridgeBucket', { eventBridgeEnabled: true, }); ``` `Argument of type '{ eventBridgeEnabled: boolean; }' is not assignable to parameter of type 'CfnBucketProps'. Object literal may only specify known properties, and 'eventBridgeEnabled' does not exist in type 'CfnBucketProps'` I want to simply to add it in my first declaration so I can keep those properties : ``` versioned: false, publicReadAccess: false, blockPublicAccess: BlockPublicAccess.BLOCK_ALL, ``` how can I enable eventBridge on my S3 bucket via CDK ? Thank you!

Hi team, I want to create a glue trigger via the CDK and associate it with a workflow, after 5 eventBridge events => glue workflow as destination fire my glue trigger of type = "EVENT"=> glue trigger call the job the trigger is of type "EVENT" I want to add the following config to my trigger via CDK : ``` "EventBatchingCondition": { "BatchSize": 5, "BatchWindow": 900 } ``` but did not find any object allowing me to add this config to the CfnTrigger. this is my CDK code : ``` const glueEdwWorkflowTrigger = new glue.CfnTrigger( this, "trigger", { name: "trigger", workflowName: myWorkFlow.name, type: "EVENT", predicate:{conditions:[{}]}, actions: [ { jobName: myCfnJob.name, arguments: {}, }, ] } ); ``` how can I add EventBatchingCondition (BatchSize) info to my CfnTrigger? so that my trigger is fired after 5 event bridge events thanks a lot.

Hi team, I want to create a glue trigger via the CDK and associate it with a workflow, the trigger is of type "EVENT" I want to add the following config to my trigger via CDK : ``` "EventBatchingCondition": { "BatchSize": 5, "BatchWindow": 900 } ``` but did not find any object allowing me to add this config to the CfnTrigger. this is my CDK code : ``` const glueEdwWorkflowTrigger = new glue.CfnTrigger( this, "trigger", { name: "trigger", workflowName: myWorkFlow.name, type: "EVENT", predicate:{conditions:[{}]}, actions: [ { jobName: myCfnJob.name, arguments: {}, }, ] } ); ``` how can I add EventBatchingCondition info to my CfnTrigger? thanks a lot.

**Context: **i've created an ELB and have connected to a target group which inturn is connect to an ASG **ASG - Working:** I could see that ASG is working fine aka it creates an instance automatically as per the scaling policy. **Target Group - Working:** I could also see that the target group is indicating the instance as Healthy **ELB - Not Working:** whereas, when I try to hit the ELB's public URL from a browser, I don't see it working, it fails with a timeout error and I've enabled logging for ELB but don't see the logs appearing in S3 buckets (although there's a file created by ELB, which means I've given proper access to it) I literally don't know how else to track a request from ELB and I'm not seeing the logs generating in my application/instances as well. but, when I try to hit the public URL of my instance, the application does work any inputs would be helpful!

I am using Amazon Connect Streams API [https://github.com/amazon-connect/amazon-connect-streams/blob/master/Documentation.md]() and we have different call status in Amazon Connect `e.g. call connected, call missed/no answered!` how can i get call status of the following call dispositions (`busy, connected, in progress, ringing, no answered`) from within Streams API?

I have an API that uses a leaky bucket algo for token restoration. What's a good serverless pattern for being able to consume the API in the most efficient way, while maximizing the use of allocated tokens? Ideally, I want to have an SQS that we can then process in a throttled way. Currently, we just execute Lambda on schedule and read from the queue, but this results in unnecessary executions when the queue is empty. Thanks.

Hello, We are looking for migrating existing 3 tier angular java and db2 application into server less AWS architecture. What are the best practices we should consider? Any reference or pointers for documentation would help. This is what we are thinking as part of POCs to start with, 1. POC 1 - Migration of DB2 to Aurora (Not sure, which one we should go with, Aurora provisioned or server less) 2. POC 2 - Angular - AWS s3 Java - Lambda and API gateway DB2 - Aurora Thanks in advance.

I have enabled Customer Profile in my Aws Connect instance. When I have enabled Customer Profiles it provides default fields in Customer Profiles to store our customer's data. **Problem** I just want to know how I can customize these default fields and want to transform it into my desired/required fields. Please tell me how I can achieve this.

Hi, I'm making some experiments regarding the impact of JAR size on Lambda Cold Starts and response times. I have created 3 JARs of different sizes. | JAR Size | Response time| | --- | --- | | 10mb| 1s| | 64mb| 6s| | 100mb| 12s| In Cludwatch logs I can see that init durations for all these Lambas is on average ~620ms, but for every lambda the response time is different and I don't know why. The code is the same(there is no logic -> all of them are returning a String), differences in size are due to different maven dependencies that I added. All of them are from AWS SDK. Is this normal?

Hi there, I'm trying to write a lambda layer in Go using the `google/gopacket` package for capturing network traffic packets. This uses the libpcap C library underneath, and I used https://github.com/lambci/yumda to produce a separate lambda layer that provides the libpcap.so shared library In my layer, I've added the code as outlined here: https://pkg.go.dev/github.com/google/gopacket@v1.1.19/pcap#hdr-Reading_Live_Packets However I am receiving the following error: ``` panic: vinternal_1: You don't have permission to capture on that device (socket: Operation not permitted) ``` I've also tried passing different network IDs, e.g. `"eth0"`, however I am still receiving the same error I am wondering if I do not have access to the right permissions/capabilities when using the .zip method. I had previously tested the custom lambda container image approach, and it worked, but I would prefer to use the zip file approach to avoid heavy deployment processes. Any ideas how I can get the right permissions in a zip-file lambda layer, to allow libpcap to capture packets on the lambda-managed network interface? Thanks :)

Hello Dears, I have a database (mysql aroura) is connected to lambda function, that get the data from database and calculate some functions, Also have API is connected to lambda function. When I try to test the API, it gives me the error : 2022-04-11T17:03:41.088+03:00 Copy 2022-04-11T14:03:41.088Z 3f4e3132-b311-4c58-a141-ef31a411b173 INFO TypeError: Cannot read property 'location' of null at Runtime.getBusesStationEtaData [as handler] (/var/task/controllers/trackingController.js:392:16) at Runtime.handleOnce (/var/runtime/Runtime.js:66:25) 2022-04-11T14:03:41.088Z 3f4e3132-b311-4c58-a141-ef31a411b173 INFO TypeError: Cannot read property 'location' of null at Runtime.getBusesStationEtaData [as handler] (/var/task/controllers/trackingController.js:392:16) at Runtime.handleOnce (/var/runtime/Runtime.js:66:25) undefined INFO Env: dev db: iot_bus_serverless Can you please help ? Thanks!

Randomly (some times) when I send a post to the service I get this 503, the service is light, I don't believe it's a performance problem, probably something related to the network, but I don't know what. I'm using an alb on top of an ec2, does anyone have any troubleshooting. **~~~~*this return isn't from my microservice running on ec2*~~~~** ``` <html> <head> <title>503 Service Temporarily Unavailable</title> </head> <body> <center> <h1>503 Service Temporarily Unavailable</h1> </center> </body> </html> ```

I have 5 crons which have separate destination lambdas. All lambdas do same work except they just pass a different parameter to a common downstream. Currently there is no way to pass additional parameter alongside cron so that I can have 1 lambda as destination for 5 crons instead of 5 different ones. Can you add this feature?

Both SNS and Pinpoint can send SMS text messages, but neither supports MMS (Multimedia Messaging Service). Are there any plans to do so?

I would like to collect Redis metris i.e both default and custom metrics. I have installed and configured CloudWatch agent on EC2 and managed to capture host-level metrics. The Redis cluster is managed by sentinel. Is there a way to collect from the Redis cluster?

Is there an Open Source .NET Framework that abstract out AWS CDK calls like sending message to EventBridge, logging etc...? The purpose is to focus on the business logic and not on infrastructure. [MassTransit](https://masstransit-project.com/quick-starts/sqs.html) is such a framework but does not work with EventBridge.

When using AWS SAM CLI to debug Lambda function locally, the process in VS Code goes like this: 1. Click Run / Press F5 2. (SAM initializes in background, spins up docker container) 3. VSCode opens a new tab called "index.js" with the entry point in it, and the debugger attaches and pauses. 4. You must press Run / F5 again at this point, and close the "index.js" tab if you're not using it. Is there any way to get this tool to skip step 4? I don't want it to open a new tab with entry point code in it - I'm not looking at that code or debugging it. It would also be really nice if the debugger just continued automatically following the attach. I find myself pressing F5 and closing index.js thousands of times per day. Am I doing this wrong, or does everyone have to suffer through this?

I'm trying to build an infrastructure using `CodePipeline` and `CodeBuild`. I've a .NET project with targetFramework set as `.Net Core 6`. When the CodeBuild process triggers the build, it throws an error ``` /root/.dotnet/sdk/5.0.202/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.TargetFrameworkInference.targets(141,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 6.0. Either target .NET 5.0 or lower, or use a version of the .NET SDK that supports .NET 6.0. ``` If I switch the targetFramework to .Net Core 3.1 or 5, it works fine. Has anyone faced this issue before? If yes, how did they overcome it?

hi, i have deployed a .jar file with micro-services but when i call a endpoint i get "white label page"... this is the basic url http://springbootawsexample-env.eba-m3vumyh7.us-east-1.elasticbeanstalk.com/ but i am from italy and micro-services are for italy Who can help me? Thanks

Hello! I wish to run some short lived tasks on AWS Lightsail Containers. The container boots, performs some work which may take anywhere from a handful of seconds to serveral hours, and then it exits once complete. Is AWS Lightsail Containers suitable for this workload? In the documentation I got the impression that it was intended for long-lived HTTP services that do not terminate. Thanks, Louis

Hello! I wish to run some "background workers" on AWS Lightsail Containers. The container boots, connects to a work queue system (such as AWS SQS or RabbitMQ) and continues running as it performs work from the queue. At no point does it start a HTTP interface, and due to limitations of the programming language and libraries used I am unable to add one. Is AWS Lightsail Containers suitable for this workload? It looks like a great service, but I could not determine if the HTTP interface was always required. Thanks, Louis

Hi, Currently, I'm doing load testing using Gatling and I have one issue with my lambdas. I have two lambdas one is written in Java 8 and one is written in Python. I'm using Gatling for my load testing and I have a test where I'm doing one request with 120 concurrent users then I'm ramping them from 120 to 400 users in 1 minute, and then Gatling is doing requests with 400 constants users per second for 2 minutes. There is a weird behavior in these lambdas because the responses are very high. In the lambdas there is no logic, they are just returning a String. Here are some screenshots of Gatling reports: [Java Report][1] [Python Report][2] I can add that I did some tests when Lambda is warm-up and there is the same behaviour as well. I'm using API Gateway to run my lambdas. Do you have any idea why there is such a big response time? Sometimes I'm receiving an HTTP error that says: i.n.h.s.SslHandshakeTimeoutException: handshake timed out after 10000ms Here is also my Gatling simulation code: public class OneEndpointSimulation extends Simulation { HttpProtocolBuilder httpProtocol = http .baseUrl("url") // Here is the root for all relative URLs .acceptHeader("text/html,application/xhtml+xml,application/json,application/xml;q=0.9,*/*;q=0.8") // Here are the common headers .acceptEncodingHeader("gzip, deflate") .acceptLanguageHeader("en-US,en;q=0.5") .userAgentHeader("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20100101 Firefox/16.0"); ScenarioBuilder scn = scenario("Scenario 1 Workload 2") .exec(http("Get all activities") .get("/dev")).pause(1); { setUp(scn.injectOpen( atOnceUsers(120), rampUsersPerSec(120).to(400).during(60), constantUsersPerSec(400).during(Duration.ofMinutes(1)) ).protocols(httpProtocol) ); } } I also checked logs and turned on the X-ray for API Gateway but there was nothing there. The average latency for these services was 14ms. What can be the reason for that slow Lambda responses? [1]: https://i.stack.imgur.com/sCx9M.png [2]: https://i.stack.imgur.com/SuHU0.png

Hi team, I created an HttpAuthorizer via CDK and attached to it the lambda function authorizer but I don't find a way to allow the API gw to call my lambda authorizer. on the console we have the option: "automatically authorize API gw to call your function" I even create an API role and give it permission to call my lambda authorizer but there is no way to link it to the HttpAuthorizer. is there a way like a boolen to enable API gw to call my lambda authorizer or to link the apiRole directly to the HTTP authorizer ? Thank you!!

I deployed a Docker service on Lightsail. It works fine for requests that can be processed quickly but times out (gateway timeout, code 504) for requests that take a bit longer to process. What is the timeout limit on Lightsail Container instances and can I increase it? Thank you.

The team comprises of 4 developers who would be working on features parallelly. The resources being used are **EventBridge**, **ECS**, **Fargate** etc... My questions are: 1. Is there any framework and CLI available to create **EventBridge** and other resources locally on developers' laptop? 2. Should the developers use the same **EventBridge** from the AWS Environment during the development? This can create conflicts between developers if they share some code. 3. Should the developers create their own environment with **EventBridge** in their AWS account during development? This can avoid conflicts. 4. Should the developers use the same AWS environment but create their own resources with different names?

I have a UI application which is not responsive sometimes. As a result, the user clicks the *submit* button multiple times. I'm planning to integrate this application with **EventBridge**. It is possible that the application can send the same message from the UI multiple times. We want to filter out the duplicate messages that come from the UI. Is there any **AWS framework CDK** which is written with *de-duplication* in mind and can be used along with *EventBridge*?

The [Saga Pattern](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/implement-the-serverless-saga-pattern-by-using-aws-step-functions.html) is a preferred way to do distributed transaction with Lambdas. The orchestration will work with lambdas. Please review the picture in the above link as well as this [image](https://ibb.co/56NL9Xy). My question is about if I use a **Cron Job** instead of one of the Lambdas to process **ProcessPayment**. Please see this [image](https://ibb.co/56NL9Xy). This **Cron Job** will retrieve the customers who have a flight and rental car and charge them *every 5 hours instead of immediately*. This 5 hours delay in the steps would block the whole function to be delayed for more than 5 hours. If that happens for a few hundreds customers, we will have* hundreds of transactions waiting to be committed or rolled back*. What is the right way to add *distributed transactional ability with Saga Pattern & Step functions* if we use functions that *don't run in sequential order and immediately*?

We have noticed that in some cases some users are getting the same sms repeatedly. We can see from our logs that the request was made to PINPOINT just once and even the callback we received is a single one. Are these kinds of cases common? What are the possible scenarios?

I'm using the following scenario to explain the problem. I have an ecommerce app which allows the customers to sign up and get an immediate coupon to use in the application. I want to use **EventBridge ** and a few other resources like a Microsoft SQL Database and Lambdas. The coupon is retrieved from a third-party API which exists outside of AWS. The event flow is: Customer --- *sends web form data* --> EventBridge Bus --> Lambda -- *create customer in SQL DB* --*get a coupon from third-party API* -- *sends customer created successfully event* --> EventBridge Bus Creating a customer in SQL DB, getting the coupon from the third-party API should happen in a single transaction. There is a good chance that either of that can fail due to network error or whatever information that the customer provides. Even if the customer has provided the correct data and a new customer is created in the SQL DB, the third-party API call can fail. These two operations should succeed only if both succeed. Does EventBridge provide distributed transaction through its .NET SDK? In the above example, if the third-party call fails, the data created in the SQL database for the customer is rolled back as well as the message is sent back to the queue so it can be tried again later. I'm looking for something similar to [TransactionScope](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/servicebus/Azure.Messaging.ServiceBus/samples/Sample06_Transactions.md) that is available in Azure. If that is not available, how can I achieve distributed transaction with EventBridge, other AWS resources and third-party services which have a greater chance of failure as a unit.

Hi team, I want to create an API gw lambda authorizer and attach it to the HTTP API this is the piece of code I did : ``` // create api gw authorizer const apiGwAuthorizer = new HttpLambdaAuthorizer( "ApiGwLambdaAuthorizer", myLambdaFuncAuth, { responseTypes: [HttpLambdaResponseType.SIMPLE], identitySource: ["$request.header.my-header"], resultsCacheTtl: Duration.seconds(300), } ); //attach the authorizer to the ANY route myhttpapi.addRoutes({ integration: new HttpLambdaIntegration( "authorizer-lambda-integration", authorizerLambda ), path: "/ANY /{proxy+}", authorizer: apiGwAuthorizer , }); ``` but when I deploy the CDK this authorizer created but it's not associated with the API GW the API GW is passed as parameter from other stack in this stack Not sure what I miss here, is it because the route 'ANY /{proxy+}' already exists?

Hi, I'm doing some load testing on my serverless app and I see that it is unable to handle some higher loads. I'm using API Gateway. Lambda(Java 8) and DynamoDB. The code that I'm using is the same as this from this [link]([https://github.com/Aleksandr-Filichkin/aws-lambda-runtimes-performance/tree/main/java-graalvm-lambda/src/lambda-java). In my load testing, I'm using Gatling. The load that I configured is that I'm doing a request with 120 users, then in one minute I ramp users from 120 to 400, and then for 2 minutes I'm making requests with 400 constant users per second. The problem is that my stack is unable to handle 400 users per second. Is it normal? I thought that serverless will scale nicely and will work like a charm. Here is my Gatling simulation code: ```java public class OneEndpointSimulation extends Simulation { HttpProtocolBuilder httpProtocol = http .baseUrl("url") // Here is the root for all relative URLs .acceptHeader("text/html,application/xhtml+xml,application/json,application/xml;q=0.9,*/*;q=0.8") // Here are the common headers .acceptEncodingHeader("gzip, deflate") .acceptLanguageHeader("en-US,en;q=0.5") .userAgentHeader("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20100101 Firefox/16.0"); ScenarioBuilder scn = scenario("Scenario 1 Workload 2") .exec(http("Get all activities") .get("/activitiesv2")).pause(1); { setUp(scn.injectOpen(atOnceUsers(120), rampUsersPerSec(120).to(400).during(60), constantUsersPerSec(400).during(Duration.ofMinutes(2)) ).protocols(httpProtocol) ); } } ``` Here are the Gatling report results: [Image link](https://ibb.co/68SYDsb) I'm also receiving an error: **i.n.h.s.SslHandshakeTimeoutException: handshake timed out after 10000ms ** -> This is usually approx 50 requests. It is happening when Gatling is starting to inject 400 constant users per second. I'm wondering what could be wrong. It is too much for API Gateway, Lambda and DynamoDB?

Hi Team, I have 2 CDK stacks one in the Front end project and the second in the Backend project. the first stack needs resources ref from the second stack (and vice versa can be true) I have a lambda function in the backend stack that needs to call another lambda in the front end stack, If I deploy the backend CDK stack first, how can I make a reference/call to the second lambda in the front end stack? If I use event bridge or SNS I still need to have the name of the target lambda which is the lambda created by the CDK front end or I need the SNS ref to be shared between the 2 stacks for pub/sub. any idea how to solve this :) Thank you.

Hi team, I want to create a secret via CDK that contains 2 passwords (API keys) secretName = ApiKeys keys/values = - key: password1, value: auto-generated password (current) - key: password2, value: auto-generated password (previous) the CDK syntax I found allows only to create a secret with one secret inside it, is there a way to create a secret in a secret manager with many generated secrets inside it? any snippet code would be helpful. Thank you.

How to trigger cloudwatch event from lambda upon creation of a record in database. My use case is I want to run a cloudwatch event that is scheduled for 5 mins for one time. As soon as a record is created in DynamoDB by Lambda, this cronjob should be triggered by same lambda and which will invoke target function after 5 mins as scheduled in cronjob.

The context is enabling authenticated and authorized access to Kubernetes Dashboard in an AWS EKS instance via an AWS ALB configured with OIDC authenticate. The Kubernetes Dashboard is being protected by an AWS ELBv2 load balancer. It is created and configured by Ingress resource and the ALB Controller v2 (v2.2.3). This works. FWIW: We are Azure AD as the IdP. We are also using the OIDC Provider configuration on the Kubernetes (EKS) API. We are successfully using OIDC authenticated access from kubectl to access the API and apply RBAC. We are using ClusterRoleBinding to test with Cluster Admin users. Authentication works. However, the Kubernetes Dashboard still presents its internal token challenge page, because it does not get the Access Token, because the ALB removed it and put it in the ```X-AMZN-OIDC-*``` header. We had some success with: ``` alb.ingress.kubernetes.io/configuration-snippet: auth_request_set $token $upstream_http_authorization; proxy_set_header Authorization $token; proxy_pass_header Authorization; ``` Is this the best way to do this? Is there a better way to configure the ALB to attach the Access Token it obtained from the IdP's token endpoint as an ```Authorization: Bearer <token>```, rather than in a separate header?

Hi team, I want to modify a custom header value in a CF origin with lambda. this lambda should read the value from the secret manager and update the value of the custom header in Cf accordingly. is this achievable via a lambda function? Thank you!

My web app processes photos on a large scale. A user might upload 20,000 images at once to be processed. I upload them to S3 and then process them. Like Lambda allows, I need to be able to trigger the processing of the photos via API Gateway, have multiple instances running at once that are isolated from each other, and when the instance is done running it stops with the ability to scale to 0 when there is no demand (like at night time) or scale to virtually unlimited if there are 10,000 that upload photos at the same time. Lambda would be perfect for this but with the 15 minute limit it will not work as some jobs could take up to 2 hours to finish. Is there another AWS service that would allow me to do what I need but not have the time limit? I looked into Fargate and Batch but they do not seem to really work for the requirements.

Hi team, I have a lambda authorizer that validates the **value ** of a header: x-origin-verify (custom header added in Cloud Front distribution) which is in secret manager. in my Scenario, the value x-origin-verify on the secret manager is rotated each hour. how can I update the value of the custom header x-origin-verify in Cloud Front with the latest value rotated from the secret manager? in my CDK can I just reference the value in a secret manager? or that will work only one time otherwise what is the best way to update the custom header (x-origin-verify) value in CF distribution as soon as this value is rotated on the secret manager. otherwise, how can I implement that using lambda at edge? an example for it would be very helpful Thank you :)

We have a website deployed on the AWS instance and was working fine already. The website has faced attacked on 22-March and 23-March and went down due to some files and folders has been deleted by attack. We were not sure reason behind this. I would request to please let us know steps require from our end to prevent such incidents. We have already added security rules in .htaccess file. Website is built on PHP language.

I need to run a container/code that will zip files from S3. I am zipping a lot of files so it could take up to 1 hour to zip all the files which means Lambda is not an option. This leaves me to use Fargate. However, based on my understanding, Fargate will have a pod running at all times. I want to use API Gateway that will "invoke" a Fargate pod, run the code, then terminate the pod when the files are done being zipped. That way each zip function will have its own isolated environment and I will only be charged for the time that I need to zip files and not all the time the pod is running. Is this possible and if so how would one go about it? Or is there another AWS service that would be better suited? Thank you

Hi All, I have a situation, where the service A (spring cloud application on Tomcat) to be deployed on EC2 (auto scaling group) using CHEF (deployment time ~10 mins). The servers are behind the NLB (cross zone load balancing enabled, sticky session disabled). Now the issue is, as soon as a server is brought in-service, the NLB passes the health check before the CHEF build completes; which means, the target becomes healthy but the service A deployment still in progress. This is causing an issue to other service B (running on different EC2 on diff ASG) which is trying to connect to service A. The Service B connection to service A fails if the request from NLB landed on the EC2 of service A in question. Since there is no option with TCP health check to set the health check path, one of the root causes I could think of is, as soon as Tomcat gets deployed, the NLB gets the health check response, which is sufficient to make the target healthy, whereas the service is still getting deployed on tomcat. Is there a way to handle this situation? Except replacing NLB with ALB. (*PS: application uses Spring Cloud Netflix patterns - Eureka, Config, zuul etc)

The only way I can connect is when I have to start my Server folder from my local computer

I try to connect to my cluster DocumentDB on AWS from AWS C9 with [this tutorial][1]. But every time I try to connect I get connection failed after 6 attempts: (scr_env) me:~/environment/sephora $ mongo --ssl --host xxxxxxxxxxxxx:xxxxx --sslCAFile rds-combined-ca-bundle.pem --username username --password mypassword MongoDB shell version v3.6.3 connecting to: mongodb://xxxxxxxxxxxxx:xxxxx/ 2022-03-22T23:12:38.725+0000 W NETWORK [thread1] Failed to connect to xxx.xx.xx.xxx:xxxxx after 5000ms milliseconds, giving up. 2022-03-22T23:12:38.726+0000 E QUERY [thread1] Error: couldn't connect to server xxxxxxxxxxxxx:xxxxx, connection attempt failed : connect@src/mongo/shell/mongo.js:251:13 @(connect):1:6 exception: connect failed Indeed it seems to be missing the VPC configuration. So I tried to do with [this documentation][2]. But I do not know how to install the mongo shell on my AWS Cloud9. Indeed, it seems that I cannot create the repository file with the `echo -e "[mongodb-org-4.0] \name=MongoDB repository baseurl=...`. returns: `mongodb-org-4.0.repo: No such file or directory`. Also, when I tried to install the mongo shell with `sudo yum install -y mongodb-org-shell` which I did not have, and which I installed, it returns `repolist 0`. [1]: https://www.youtube.com/watch?v=Ild9ay9U_vY [2]: https://stackoverflow.com/a/17793856/4764604

Hi team, I asked this question many times and each time a got an answer that doesn't match my scenario description :) . **Please Kindly read carefully the scenario :) :) ** I have an HTTP API GW (not REST GW), I want to secure this GW by preventing users to bypass the CF and hitting it directly. Since HTTP GW don't support WAF the scenario described here doesn't work for my case : https://wellarchitectedlabs.com/security/300_labs/300_multilayered_api_security_with_cognito_and_waf/3_prevent_requests_from_accessing_api_directly/ because this assumes that : 1 - the Origin of the CF distribution is the API GW (but in my case my Origin is an S3 bucket) 2- the API GW support WAF to be able to read the rule and block request that doesn't have that specific header (but in my case my HTTP GW doesn't support WAF) due to those 2 facts, I ended up that I can't use the solution proposed in the above article (because HTTP GW doesn't support WAF and thus cannot read the WAF rule to block the request that doesn't have the header injected by CloudFront). please is there a solution to secure HTTP API GW and prevent hitting it directly? **users => CloudFront(with s3 bucket as Origin and WAF linked to it) => Http GW (not REST GW, NO WAF linked to it) => NLB => fargate cluster.**

Hello everyone, I am working on a poc to measure response time of Step function for various number of concurrent requests. Two approaches i have taken : (1) Execute Step function from API gateway (2) Execute step function from aws sdk java v2 I am using apache benchmark tool to trigger 500, 1000, 3000 and 5000 requests with 200 concurrent requests for each. The response time for api gateway scenario I am get is around 200 to 300 ms but for aws sdk I am getting response time in the range of 200 to 400 ms. I was expecting it to be other way around as sdk call should not be going through as api gateway and directly hitting the Step function StartSyncExecution api but strangely for sdk latency is more. For single request , aws sdk (avg res = 90 ms ) does perform better that apigaeway approach (avg res = 150 ms) I have created a rest service using spring boot and aws sdk to invoke the step function and testing this in one of the EC2 machine.I have used express work flow of Step function and it is orchestrating two api calls through lambda. No other logic is present inside Step function. Tried changing the tomcat max thread pool to 500 and used ApacheHttpClient to change max Http connection to 300 (from default of 50) but still it does not help. It actually worsens the latency and makes it > 1 sec. Any suggestions would be appreciated for optimization

I've seen some aws blog posts about cutting node module bundles by 50%+ moving to version 3 and then further cuts with optimizations. Is the cpu/clock time savings linear? How about memory? I am not familiar with more bare metal concepts. TIA.

A number of Lambda API calls allow for a RevisionId argument to ensure that the operation only continues if the current revision of the Lambda function matches, very similar to an atomic Compare-And-Swap operation. However, this RevisionId appears to be useless for performing some atomic operations, for the following reason: Suppose I want to update a function's code and then publish it, in 2 separate steps (I know it can be done in 1 step, but this does not interest me, because I cannot set the description of a published version in 1 update/publish step...it must be done in 2 steps). The [update_function_code](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/lambda.html#Lambda.Client.update_function_code) call returns a RevisionId that corresponds to the "in progress" update of the function. This RevisionId cannot be used because it will change once the function becomes active/updated. This new RevisionId can only be obtained by [get_function](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/lambda.html#Lambda.Client.get_function). Update code -> RevisionId A (in progress) -> RevisionId B (updated/active) -> Get Function -> RevisionId B -> Publish Function There exists a race condition due to the fact that I must call `get_function` in order to get the current RevisionId before I continue with publishing my function. This race condition makes it impossible create an atomic sequence of operations that includes a `update_function_code` operation, because the RevisionId that it returns cannot be relied on, and has to be refreshed with a `get_function` call. Concurrently, another operation could change the RevisionId, and you wouldn't know, because you're depending on `get_function` to return an unknown RevisionId.

Hi Team, does the http API support API key ? I only sow examples for API key injection with REST API not HTTP API

Hi team, is it possible to use a wildcard in REST API GW or we need to define each endpoint one by one ? Thanks

Hi team, Is it possible to prevent users to hit directly my HTTP API GW if my HTTP GW doesn't support WAF AND my CF distribution doesn't have a custom origin (that can support WAF), my CF origin is an S3 bucket. so I don't have any way to prevent users hit directly HTTP API GW.

Hi team, I want to secure my Http API GW (not REST API GW) with WAF, as the HTTP API GW doesn't support the WAF I read this article to do the workaround : https://wellarchitectedlabs.com/security/300_labs/300_multilayered_api_security_with_cognito_and_waf/3_prevent_requests_from_accessing_api_directly/ but in my case the origin of my distribution is an S3 bucket (static website hosting is not enabled) that host Angular APP : **users **=> **CloudFront **(with angular App in s3 bucket as Origin : this s3 bucket is not configured with static website hosting because content is served from CloudFront not directly from S3) => A**PI GW** = > **NLB **=> **fargate cluster** is there a way to use the method explained in the above article when my origin is an S3 bucket with no static web hosting enabled ? my objective is to protect my HTTP API GW with WAF, the solution on the article is perfect with custom header and secret manager but not applicable in my case because my DF distribution has S3 as origin.

Running a step function state machine accessing an AWS HttpApi to run a lambda using a docker container of ~3 GB size. Fails 20% of the time with #503 error, the rest of the time I get the exact results I expect. It's not a container warm up I believe. Logs for API and lambda (non-container and container) don't show any problems. I have maximized the step functions time out, the retries for the specific lambda, the memory for the lambda (10GB). I have also tried to ping the container and wait 30 seconds in the step functions to no avail. *** Edit: Should have mentioned concurrency for the API is at max (believe it is automatic for HttpApis) Any advice would be appreciated. I don't want to use ECS fargate due to cost and relative complexity. Thanks!

Hi team, I using HTTP API Gateway (not REST API GateWay), is there a way to make the HTTP Api Gateway to use/support WAF ? Thank you.

Are there any plans to support OpenAPI 3.1? It's critical for our business to use many features of JSON-Schema, like Schema validation.

I received the following issue when connecting to Amazon Athena from the IDE (client desktop). However, I see a query running in the Athena console under the specified workgroup. [Simba][AthenaJDBC](100123) An error has occurred. Exception during column initialization: Details: Unable to execute HTTP request:Connect to [Athena us-east-1-amazonaws.com……..] failed: Connection timed out: connect[Execution ID:xxxxxxxx-xxxx...........]

I have a Lambda function running Python 3.8 and am trying to run a test event using the JSON event object. When I try to put a float in the JSON, it tells me that my JSON is not formatted properly. How do you pass floats or are only strings allowed?

I have a springboot microservice which runs on AWS EKS. * I am generating a .tfvars (Terraform runtime parameters) file inside this microservice * I would like to checkin this file on Bitbucket I have a couple of queries here: * If I create a .tfvars file (or any file), where would that file be saved by Springboot? 1. Will the file be stored in the file system of the container? 2. Or is it mandatory to use an EFS to store this file? * Would I be able to clone a Bitbucket repository to checkin my .tfvars file? 1. Will the clone be stored in the file system of the container? 2. Or is it mandatory to use an EFS to store cloned repos?

Hello, I am integrating my custom Kafka cluster with AWS Lambda using Kafka trigger (Cloudformation EventSourceMapping). If I reset the password on my Kafka cluster and subsequently update the secret that is used in the EventSourceMapping, the EventSourceMapping does not refetch/refresh the secret. Instead the EventSourceMapping is still trying to use the old secret version (with old password) which results in error: ``` Last processing result: PROBLEM: SASL authentication failed. ``` As a result of this problem, no events are delivered to the lambda function. Since I am passing the ARN of the secret to the EventSourceMapping and am granting Lambda the permissions to get this secret, I would expect that the EventSourceMapping would automatically refresh/refetch the secret periodically. Instead what I need to do is delete the EventSourceMapping (trigger) and recreate it again (with the same configuration). This is unacceptable as we are using multiple Lambda integrations with our Kafka cluster and deleting/re-creating all of them after the password (and aforementioned secret) has changed is ineffective

Hi, I have deployed 2 applications in AWS ECS by using Grpc to communicate with each other. However, everytimes the client tried to connect to the server, it complains that the connection is refused. I am using DNS(Route 53) and NettyChannelBuilder to build the connection. I have exposed the client and server port when creating the task. Another thing that I have tried is to create ALB in the server, I also got the same error (Connection refused. No further information). Tried deploying appMesh, it stucks at PRE_INITIALIZING state. May I know what should I do to fix the issue? Note; There is no problem when I deployed the 2 applications in company VM.

Here's some part of my StepFunction: https://i.stack.imgur.com/4Jxd9.png Here's the workflow for the "Parallel" node: ``` { "Type": "Parallel", "Branches": [ { "StartAt": "InvokeEndpoint01", "States": { "InvokeEndpoint01": { "Type": "Task", "End": true, "Parameters": { "Body": "$.Input", "EndpointName": "dummy-endpoint-name1" }, "Resource": "arn:aws:states:::aws-sdk:sagemakerruntime:invokeEndpoint" } } }, { "StartAt": "InvokeEndpoint02", "States": { "InvokeEndpoint02": { "Type": "Task", "End": true, "Parameters": { "Body": "$.Input", "EndpointName": "dummy-endpoint-name2" }, "Resource": "arn:aws:states:::aws-sdk:sagemakerruntime:invokeEndpoint" } } } ], "Next": "Lambda Invoke" }, ``` I would like to access the `EndpointName` of each node inside this Parallel block and add it as one of the keys of that particular node's output, without modifying the existing output's body and other headers.(in the above json, `EndpointName` can be found for first node inside the Parallel at `$.Branches[0].States.InvokeEndpoint01.Parameters.EndpointName`) Here's output of one of the node inside the Parallel block: ``` { "Body": "{xxxx}", "ContentType": "application/json", "InvokedProductionVariant": "xxxx" } ``` and I would like to access the API Parameter and make it something like below: ``` { "Body": "{xxxx}", "ContentType": "application/json", "InvokedProductionVariant": "xxxx", "EndpointName": "dummy-endpoint-name1" } ``` How do I do this?

Hey, After discovering ml.inf machines not supporting multi-model servers (MMS), we were forced to re-deploy our models. Currently, we are struggling to use MMS with EI accelerators. Is it an issue on our side, or are these accelerators not supported on MMS? ClientError: An error occurred (ValidationException) when calling the CreateModel operation: Your Ecr Image pytorch-inference-eia:1.5.1-cpu-py3 does not contain required com.amazonaws.sagemaker.capabilities.multi-models=true Docker label(s). Thanks!

I'm in the process of setting up a prototype mesh with mTLS. I've gotten to the point where I have my services coupled with envoy sidecars and the sidecars are receiving certificates from SPIRE. I've been following along with this [article ](https://aws.amazon.com/blogs/containers/using-mtls-with-spiffe-spire-in-app-mesh-on-eks/) and am now running into an issue. In their steps, they perform a curl command from a container outside of the mesh and get some TLS negotiation messages. When I try to do the same thing, I get the following: ``` bash-4.2# curl -v -k https://grpc-client-service.grpc.svc.cluster.local:80/ * Trying 10.100.152.100:80... * Connected to grpc-client-service.grpc.svc.cluster.local (10.100.152.100) port 80 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt * CApath: none * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client hello (1): * error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol * Closing connection 0 curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol ``` Any advice on where I should start to troubleshoot this issue? Here's a rough overview of my setup: There are two pods that represent a client and a server service. The client has a web interface that allows the user to input text. The client takes the input text and submits that to the server service. The server service responds with an echo message that has some extra formatting so you know it came from the server. I've got both pods wrapped in virtual services that connect directly to virtual nodes. I was able to successfully test this with a basic mesh setup prior to adding the SPIRE workload parameters to the services. Within the envoy sidecars, I can see that the SPIRE server is indeed issuing certificates.

Hi, I'm relatively new to AWS glue and was having trouble in the following transformation codes: ``` DataSource4 = glueContext.create_dynamic_frame.from_catalog(database = "beta", table_name = "[table_name]", transformation_ctx = "DataSource4") Transform9 = ApplyMapping.apply(frame = DataSource4, mappings = [("project_unique_id", "int", "(src) project_unique_id", "int")], transformation_ctx = "Transform9") Transform9DF = Transform9.toDF() Transform3DF = Transform3.toDF() Transform12 = DynamicFrame.fromDF(Transform3DF.join(Transform9DF, (Transform3DF['project_unique_id'] == Transform9DF['previous_project_id']), "leftanti"), glueContext, "Transform12") ``` The job is failing with error : raise AnalysisException:(s.split(': ',1)[1], stackTrace) 'Cannot resolve column name "previous_project_id" among ((src) project_unique_id);' on checking the tables, both columns "project_unique_id" and "previous_project_id" are filled with NULL values, could that be the reason for the above error?

Hi ))) I am developing a chalice application with a lot of lambdas, SNS, S3 and so on... I would like to know of someone already find out a way to debug such application under VS CODE (Mac OS environment) It is quite long to debug such application with AWS Any idea ? Thanks guys

I'd like to define a step that extracts secrets from secrets manager and then passes those secrets to another step. With logging enabled the secrets are logged as input to the next step. If I disable logging payloads, then other step's payload are also not logged. Is there a way to protect secrets between steps and still log other information?

I am using an infrastructure setup as described in the title. This setup is also somewhat shown in this picture: https://d2908q01vomqb2.cloudfront.net/1b6453892473a467d07372d45eb05abc2031647a/2021/02/04/5-CloudMap-example.png In the official AWS blog here: https://aws.amazon.com/blogs/compute/configuring-private-integrations-with-amazon-api-gateway-http-apis/ the following is stated about using such setup: > As AWS Cloud Map provides client-side service discovery, you can replace the load balancer with a service registry. Now, connections are routed directly to backend resources, instead of being proxied. This involves fewer components, making deployments safer and with less management, and reducing complexity. My question is simple: What load balancing algorithm does HTTP API GW use when distributing traffic to resources (the Fargate tasks) registered in a service registry? Is it round-robin just as it is with ALB? Only thing I was able to find is this: > For integrations with AWS Cloud Map, API Gateway uses DiscoverInstances to identify resources. You can use query parameters to target specific resources. The registered resources' attributes must include IP addresses and ports. API Gateway distributes requests across healthy resources that are returned from DiscoverInstances. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-private.html#http-api-develop-integrations-private-Cloud-Map

I deployed an API Gateway REST API and a Lambda function using Terraform. REST API testing tool threw below error when I invoked the HTTP endpoint. lambda add-permission was applied. "message": "Internal server error". And CloudWatch shows this error: [ERROR] Runtime.ImportModuleError: Unable to module 'my-lambda': No module named 'my-lambda'

Hey re:Post community I got a question regarding how its supposed to be a setup. Recently I configure an FTDv Cisco firewall in AWS, which is working for any Outbound traffic from my VPC, but heres something Im not sure exactly how its done. I got an SFTP Server in my VPC which I need to send files too from the internet, but instead of assigning a Public Address like AWS does already, I want that Inbound traffic to go through my FTDv Firewall. However as far as Im reading you can only have 1 EIP per Interface, so I have no way to do the NAT on the FTDv if I only have the EIP of the outside interface. Is there a way to do this like have a pool of addresses assigned to the FTDv so I can use IPs from that pool to configure NATs for my SFTP Servers Inbound traffic? Thanks in Advance!

Hi team, I have 3 AWS accounts: DEV, STG and PROD my code commit repositories are in the DEV account. I don't want to duplicate those repositories on the STG and PROD accounts. So that my repositories in the DEV account be the single point of truth. and I can be able to create a release from the STG or the PROD using the DEV repositories. Is there a best way/architecture to achieve this? without doing a workaround on the build spec (like using keys and doing git pull ... on the build spec of STG and PROD). I followed points 1 and 2 o this tutorial : https://docs.aws.amazon.com/codecommit/latest/userguide/cross-account.html after that, I can see DEV repositories in PROD account **with switch role** but I can't create a codeBuild/ code pipeline project ... because the role switched give only permission to DEV repos, but I want to create the codeBuild in PROD not DEV using the DEV repos (even I give to the role switched more permissions the codeBuild created from PROD was actually created in DEV not in PROD) Just want to create a new code deploy for fargate in PROD that relies on tags / repos generated from DEV account, so when creating the code deploy in PRD account I can select DEV repos/ tags as source. can we use the RAM service to share repos ? appreciate any help.