CloudFormation Template for Route53 Health Check IP Ranges

Route53 Health Checks – It is always good to make use of the eco-system of AWS services which are already used extensively – CloudWatch, Security Groups, SNS Notifications, EC2, VPC etc.
Route53 Health Check's differentiator is that Amazon publishes the list of IPs from which the health check pings are triggered. Best of all, there is a simple AWS CLI call which gives the list of CIDR ranges.

aws route53 get-checker-ip-ranges

I wrote a small CloudFormation template which asks you for the VPC and Port Range [ for TCP ] and creates a security group that admits only the specified list of IP ranges from which the Route 53 health checks are triggered.

There are other variants as well: HTTP Only, HTTPS Only, TCP Only, and a Security Group for All [ HTTP, HTTPS, TCP ].
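The generator below is an added example, not the template from the post: it takes the JSON that `aws route53 get-checker-ip-ranges` prints, validates each CIDR, and emits a CloudFormation security group with VPC and TCP port-range parameters, plus a drift check for when AWS changes the published ranges. The embedded sample ranges are constructed documentation prefixes, not AWS's real checker IPs.

```python
import ipaddress
import json
import sys

# Constructed sample of `aws route53 get-checker-ip-ranges` output (documentation
# prefixes, not AWS's real checker ranges); pipe the real CLI output in instead.
SAMPLE_CLI_OUTPUT = json.dumps({
    "CheckerIpRanges": ["192.0.2.0/26", "198.51.100.64/26", "203.0.113.128/26"]
})


def parse_checker_ip_ranges(cli_output):
    """Extract the checker CIDRs from the CLI's JSON, rejecting malformed entries."""
    ranges = json.loads(cli_output)["CheckerIpRanges"]
    # strict=True raises ValueError if host bits are set, e.g. "192.0.2.1/26"
    return sorted(str(ipaddress.ip_network(c, strict=True)) for c in ranges)


def build_template(cidrs):
    """CloudFormation template: VPC + TCP port-range parameters, one ingress rule per CIDR."""
    ingress = [
        {"IpProtocol": "tcp", "FromPort": {"Ref": "FromPort"}, "ToPort": {"Ref": "ToPort"},
         "CidrIp": cidr, "Description": "Route53 health checker"}
        for cidr in cidrs
    ]
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Security group admitting only Route53 health checker IP ranges",
        "Parameters": {
            "VpcId": {"Type": "AWS::EC2::VPC::Id"},
            "FromPort": {"Type": "Number", "MinValue": 1, "MaxValue": 65535},
            "ToPort": {"Type": "Number", "MinValue": 1, "MaxValue": 65535},
        },
        "Resources": {
            "Route53HealthCheckSG": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "Inbound TCP only from Route53 health checkers",
                    "VpcId": {"Ref": "VpcId"},
                    "SecurityGroupIngress": ingress,
                },
            }
        },
    }


def range_drift(deployed, published):
    """Compare CIDRs already in the security group with the freshly published list.
    Returns (to_add, to_remove); AWS may change the ranges, so re-run periodically."""
    return sorted(set(published) - set(deployed)), sorted(set(deployed) - set(published))


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLI_OUTPUT
    print(json.dumps(build_template(parse_checker_ip_ranges(raw)), indent=2))
```

Run it as `aws route53 get-checker-ip-ranges | python3 r53sg.py > template.json`; AWS also publishes the same ranges in ip-ranges.json under the ROUTE53_HEALTHCHECKS service, which is a convenient source for the drift check.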

AWS, Cloud, IAM, Managed Policy, Wishlist

AWS IAM Managed Policy – Please let it not be restricted

Today's definition of a Read Only user might be good only for today, given that new AWS services and capabilities are released quite frequently. Today's read-only user wouldn't be able to use the new AWS service which went live and opened for public use last night; this is purely due to the way the IAM policy document is constructed, as it cites each verb and AWS service. Though the policy can be edited, it may have to be edited in multiple places for Roles / Groups / User Profiles.

There wasn't a placeholder which would define and hold the policies' permissions together. The closest was to cookie-cut the policies together. Long story short, though the READ-ONLY Group and READ-ONLY Role would have the same set of permissions, there wouldn't be a relationship/link which could be leveraged. Managed Policy was like a godsend to the AWS Cloud.

Things get further messy when resource-level permissions are being used.

The best part was the categorization into AWS Managed Policies and Customer Managed Policies, so all the changes can be effectively done at a single place.
I tried to sketch a picture of how we visualize the scenario (below). The whole idea is to effectively leverage the power of the indirection introduced between IAM entities and the attachment of the Managed IAM Policies. We would like to have a Managed IAM Policy Library [ a mix of out-of-the-box AWS Managed Policies and Customer Managed Policies ] and have them attached to the IAM entities.

Having the possibility to attach only 2 Managed Policies to an IAM Entity would be a major limiting factor ( in my opinion ) to getting the full potential of the Managed Policies [ Version Control, Easy Attachment & Detachment ]. Functionality-wise the limit of just 2 wouldn't stop you defining an IAM Entity [ concatenate all IAM policy document content ], but it would be pretty exciting to define any IAM Entity [ User, Role, Group ] with any number of Lego blocks from the Managed Library; again the best part is that all of the Lego blocks are version controlled with rollback. The policy definition can be done in a single place without having to do a dependency check (or reverse engineering).

In short, the current count of 2 wouldn't be an adoption enabler against the traditional inline policies, considering the possibilities and potential of the Managed Policies.

AWS, Cloud, CloudTrail, Config, S3

Resource Id for CloudTrail to view AWS Config CI logs

AWS Config is an amazing way to track the changes and relationships among the various AWS services. It provides a bit of a CDC – Change Data Capture – perspective across the AWS services used under the account.

Recently I tried to look for changes in one of AWS Config's cousins [ CloudTrail ], to see information such as when CloudTrail logging was initiated. The Lookup by Resource ID accepts the CloudTrail Trail's Name [ what is the CloudTrail Trail's Name? ]. I tried all possible combinations: CloudTrail, the S3 bucket name, empty; none of them succeeded.

Turned out it is Default [ D in upper case ]; I got this information after contacting AWS via the AWS Forums.

Hope this helps.

Active Directory, AD, AD Connector, Amazon, Architecture, AWS, Directory Services, EC2, Solved

SOLVED : Request could not be satisfied – Amazon Directory Service

You can create a new Amazon Directory Service – AD Connector or Simple AD – with or without On-Premises AD settings. Once done, you need to provide an Access URL by choosing a keyword, after which you need to explicitly enable the Apps & Services [ Amazon WorkSpaces, Amazon Zocalo, AWS Management Console ] individually.

The AWS Management Console can take the URL as

Even once the Access URL and other necessary configurations are done, you would nevertheless be prompted with an error page [ CloudFront Error Page ] stating "Request Could Not be Satisfied", as below.
The simple fix to solve that problem is to just wait another couple of minutes for CloudFront to pick up your AD app's web artefacts and distribute them to its edge locations.
Active Directory, AD, AD Connector, Amazon, Architecture, AWS, Directory Services, EC2

AWS Directory Service – AD Connector – A Short Overview

I really like the types of services Amazon is concentrating on these days – Directory Services, Zocalo, Containers, Lambda etc.; this clearly shows the length and breadth of innovation areas in AWS. Let's look into what AWS Directory Service AD Connector is, this time.

What is AD Connector ?

  • AD Connector is a SaaS-like offering – a plug-and-play service, fully managed by Amazon
  • Make use of an existing Active Directory running on-premises / in the cloud to authenticate and authorize the AWS Console and AWS resources; this means you don't need to create & manage IAM users from the AWS Console, but make use of the AD which is already configured in your data center.
  • Continue using centralized credentials, users, access and policy from the same Corporate Directory; but this time for the AWS Console & AWS resources.
  • Directory synchronization, availability, connectivity and federation are taken care of by the service
  • MFA authentication can also be enabled if required.

What are the Prerequisites ?

  • VPC with 2 subnets in different Availability Zones
  • Hardware VPN connection to the AWS VPC
  • Firewall & ports opened for 53 (DNS), 88 (Kerberos), 389 (LDAP) – TCP / UDP as appropriate
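A prerequisite check, added here as an example rather than anything AWS or the post provides: run from an instance in the VPC subnets the connector will use, it probes the domain controller's private IP on the three ports listed above and reports which are blocked, which also covers the "ensure connectivity" responsibility mentioned later. Only TCP reachability is tested; the UDP side of 53/88/389 still has to be opened on the firewall. The `open_test_listener` helper exists only so the probe can be exercised against loopback.

```python
import socket

# Ports the AD Connector must reach on the domain controller (from the prerequisites list).
AD_CONNECTOR_PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP"}


def probe_tcp(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused (firewall REJECT / nothing listening) or timed out (DROP)
        return False


def check_ad_connector_ports(dc_ip, ports=AD_CONNECTOR_PORTS, timeout=2.0):
    """Probe each required port on the DC's PRIVATE IP.

    Returns {port: (service_name, reachable)}. A False entry means the connector's
    ENIs in this subnet would not be able to reach that service over TCP.
    """
    return {p: (name, probe_tcp(dc_ip, p, timeout)) for p, name in ports.items()}


def blocked_ports(results):
    """List the service names whose port was not reachable, for a quick summary."""
    return [name for _, (name, ok) in sorted(results.items()) if not ok]


def open_test_listener():
    """Start a throwaway loopback TCP listener (self-test only).

    Returns (port, server_socket); close the socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    # Placeholder: replace with the PRIVATE IP of the EC2 instance running AD DS.
    results = check_ad_connector_ports("10.0.0.10")
    for port, (svc, ok) in sorted(results.items()):
        print(f"{svc:8s} tcp/{port:<4d} {'reachable' if ok else 'BLOCKED'}")
    print("blocked:", blocked_ports(results) or "none")
```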

What are your Responsibilities ?

  • Creation of IAM Roles to map the Active Directory Users / Groups
  • Ensure the Uptime & Connectivity of the On-Premises Active Directory

What are the AWS Resources created by AD Connector in the Account ?

I was able to observe the following automatically created in my account after successfully creating & configuring the AD Connector.
  • 2 ENIs ( placed in the specified subnets )
  • 2 Security Groups ( each having All Traffic enabled between themselves )

Can it be used for AD already running in EC2 ?

  • Yes. Actually, this post illustrates that exact use case.


Installation & Setup

  • Once the Active Directory Domain Services are installed in the EC2 instance, you will need details like the user name & password, NetBIOS name and Directory DNS name.
  • The important thing to note here is to use the PRIVATE IP of the EC2 instance ( for this scenario )
  • Once the setup is completed you get to see the status.

The Access URL would be configured as the entry point to the AWS Console ( and / or Amazon WorkSpaces, Amazon Zocalo ). Once done, you need to explicitly enable AWS Management Console access.
You would now be prompted with a dialogue box to start the wizard for IAM Role and AD User association.
Click on New Role – this would be an IAM Role.
Both new IAM Role creation and modifying existing Role(s) can be done in this step.
When choosing Create New Role, you would notice predefined IAM Role templates similar to those in Identity and Access Control in the AWS Management Console.
On navigating to the next step, you can search for existing Users / Groups, which are populated from your Active Directory.

Now the specified IAM Role and AD User ( or Group ) are associated. With this, your AD users can start using the AWS Management Console with the same AD credentials.

When you log in to the Access URL, you would be prompted to enter the Organization Name (public endpoint – without the in the URL), user name and password ( from your AD ).
AWS Management Console