@jiehan1029
jiehan1029 / Building on AWS.md
Last active August 9, 2019 04:38
AWS, summary

These are notes for AWS course 1 on edX, listing selected AWS services in alphabetical order. Course link is here.

Workflow

Building on AWS --

  • Create a VPC, which simulates a local network that contains all your servers and databases.
  • Create an IAM policy and a user/role that has permission to specific AWS services, but not all -- this adds security overall.
  • Create an S3 bucket (logged in as the specific IAM user), which will be used to store assets.
  • Create an RDS database instance (logged in as the specific IAM user) as the database server.
  • Create a Cloud9 environment (logged in as the specific IAM user), which is an online IDE where you can build & save your project.
  • Create EC2 instance (login as specific IAM user) and deploy the application via user data. This EC2 instance should have corresponding IAM role (to allow EC2 instance to call AWS service) and security group (to allow web t
[[constraint]]
name = "k8s.io/api"
version = "kubernetes-1.11.0"
[[constraint]]
name = "k8s.io/apimachinery"
version = "kubernetes-1.11.0"
[[constraint]]
name = "k8s.io/client-go"
@hoangtrvu
hoangtrvu / JIRA_templates.json
Last active November 19, 2019 21:52
JIRA Issue Template
{
"options": {
"domains": [],
"inputIDs": [],
"limit": []
},
"templates": [
{
"issuetype-field": "",
"name": "DEFAULT TEMPLATE",
@seansummers
seansummers / inventory-global.template.yml
Last active September 15, 2023 11:21
AWS Configuration Tracking
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Global assets needed for Inventory Discovery
Metadata:
  AWS::CloudFormation::Interface:
# currently synced from the GKE profile:
# https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh#L735
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
  # The following requests were manually identified as high-volume and low-risk,
  # so drop them.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
@tirumaraiselvan
tirumaraiselvan / setupadmissionwebhook.md
Last active April 9, 2025 18:25
Setup admission webhooks in Kubernetes
@mateobur
mateobur / FalcoNginxRuleset.yaml
Last active March 15, 2020 05:50
Runtime security policy Nginx - Falco Docker security
- macro: nginx_consider_syscalls
  condition: (evt.num < 0)
- macro: app_nginx
  condition: container and container.image contains "nginx"
# Any outbound traffic raises a WARNING
- rule: Unauthorized process opened an outbound connection (nginx)
  desc: A nginx process tried to open an outbound connection and is not whitelisted
@jhaddix
jhaddix / cloud_metadata.txt
Last active November 18, 2025 08:11 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
@shortjared
shortjared / list.txt
Last active December 2, 2025 11:10
List of AWS Service Principals
a4b.amazonaws.com
access-analyzer.amazonaws.com
account.amazonaws.com
acm-pca.amazonaws.com
acm.amazonaws.com
airflow-env.amazonaws.com
airflow.amazonaws.com
alexa-appkit.amazon.com
alexa-connectedhome.amazon.com
amazonmq.amazonaws.com
@shirakaba
shirakaba / setup.md
Last active October 5, 2025 13:54
Configuring Nexus as a private registry for npm packages

Get the details to connect to your Nexus-managed npm repository

Note: Nexus group repositories (good example in this StackOverflow question) are out of this tutorial's scope. In any case, deployment to group repositories is currently still an open issue for Nexus 3 (and not intended ever to be implemented in Nexus 2). Thus, it is assumed that we'll push & pull to/from the same repository, and ignore the idea of groups hereon in.

  1. Ask your sysadmin for a username & password allowing you to log into your organisation's Nexus Repository Manager.

  2. Test the login credentials on the Nexus Repository manager at: http://localhost:8081/nexus/#view-repositories (localhost in our case is replaced by a static IP, and can only be connected to over VPN). If your organisation requires a VPN to connect to it, connect to that VPN before proceeding with this tutori