jenseickmeyer

resource "aws_s3_bucket" "database_backups" {
  bucket = "my-app-database-backups"
}

resource "aws_s3_bucket_public_access_block" "database_backups_block_public" {
  bucket = aws_s3_bucket.database_backups.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true

jenseickmeyer

Use a Bastion Host

Login

At least two techniques exist for jumping "through" a bastion host to a "hidden" server. In the following examples, the bastion host has the hostname BastionHost whereas the target host has the hostname TargetHost.

Agent Forwarding

First, we log in to the bastion host

jenseickmeyer

'use strict';

const aws = require('aws-sdk');

const dynamoDB = new aws.DynamoDB.DocumentClient();

exports.handler = async (event, context) => {
  return await getItems();
};

jenseickmeyer

#!/bin/bash

DISTRIBUTION_ID=

#Invalidate the CloudFront Distribution
invalidation_id=$(aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --paths "/*" --query Invalidation.Id)
length=${#invalidation_id}

# Wait for invalidation to finish
aws cloudfront wait invalidation-completed --distribution-id $DISTRIBUTION_ID --id ${invalidation_id:1:$length-2}

jenseickmeyer

const AWS = require('aws-sdk');

exports.handler = (event, context, callback) => {
  assumeRole('123456789012', 'RoleName', null, (error, credentials) => {
    if(error) {
      console.log('Failed to assume role: ' + error);
      callback(error);
    } else {
      assumeRole('098765432109', 'OrganizationAccountAccessRole', credentials, (error, credentials) => {
        if(error) {