ELBv2 ALB Security Group Check in Cloud Conformity


We use Cloud Conformity as a compliance check tool against our AWS environments. Recently, there is a new check failed - ELBv2 ALB Security Group, and the given reason is Load Balancer [alb-d-LoadB-XXXXXXXX] is not associated with valid and secure security groups. I have confirmed that the ALB is associated with a valid and security … Continue reading ELBv2 ALB Security Group Check in Cloud Conformity

Service Role for CodeBuild


Do you notice anything that is not right in the following CloudFormation template? ... Resources: CodeBuildServiceRole: # IAM role for the codebuild project. Type: AWS::IAM::Role Properties: RoleName: !Sub ${ProjectName}-CodeBuild-ServiceRole Path: /team-abc/ AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Action: ['sts:AssumeRole'] Effect: Allow Principal: Service: ['codebuild.amazonaws.com'] Policies: - PolicyName: !Sub ${ProjectName}-CodeBuild-Policy PolicyDocument: Version: "2012-10-17" Statement: - Action: # … Continue reading Service Role for CodeBuild

Renew AWS credential for a long run AWS CLI process


We use aws s3 sync to synchronise a big mount of files (800,000+ objects) from on-premise to AWS S3 bucket. Due to security restrictions, the Maximum CLI/API session duration is configured for 1 hour. So it is most likely the credential will expire before the sync job is completed. There are generally two places to … Continue reading Renew AWS credential for a long run AWS CLI process

Use AWS Secret Manager to handle credentials


AWS Secret Manager is a great solution for secret management. It is similar to HarshiCorp Vault, but with better integrations with other AWS services, e.g. IAM, RDS, Redshift, DocumentDB. As illustrated above, I created a database in RDS and a credential in Secret Manager, then attached the credential to the database for dynamic reference. The … Continue reading Use AWS Secret Manager to handle credentials

LDAP: error code 11 – This search operation has checked the maximum of 5000 entries for matches]


We have a Jenkins box that use OpenDJ as the LDAP authenticator. And recently we migrated the ldif data from the old OpenDJ to a new OpenDJ server, and reconfigured the Jenkins to use the new box. After that, the Jenkins authentication stops working. I noticed this message in the Jenkins log. It looks like … Continue reading LDAP: error code 11 – This search operation has checked the maximum of 5000 entries for matches]