In AWS’ KMS What Is the Difference between Administrative Permissions and Usage Permissions of a CMK?

Question
A CMK is an encryption key. In Amazon Web Services, for CMKs (Customer Managed Keys) in KMS (Key Management Service), what is the difference between administrative permissions and key usage permissions?

Answer
Usage permissions enable IAM users or roles to encrypt and decrypt data with the AWS KMS API.

Administrative permissions for a CMK allow an IAM user or role to grant usage permissions to other IAM users or roles through the API (and sometimes the web console).


How Do You Troubleshoot the Error “Secrets Manager cannot invoke the specified Lambda function.”?

Problem scenario
You try to store a secret, but you see this message:

“Your secret was created successfully but configuring rotation has failed

Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com.”

What do you do?

Solution
Try this posting.


How Do You Configure Linux CentOS 6.x to Accept SSH Connections?

Problem scenario
You try to use PuTTY to connect to a Linux CentOS 6.x server. You get the message “Network error: Connection refused.” What should you do?

Solution
Prerequisite
This assumes that there is no software or hardware firewall blocking port 22. You may want to use nmap or a Windows PowerShell port tester to verify port 22 is open.


Why Cannot You Ping an IP Address of an AWS Server When the Security Group Should Allow for Pinging?

Problem scenario
In AWS you manually added a Security Group rule allowing a given source IP address. This IP address is either the internal or the external IP address of the server. You can ping one of them (either the internal or the external IP address) but not the other. Why can't you ping both?

Solution
Check to see if a firewall is running on the Linux server.


How Do You Create and Store an Application-Level Secret on the AWS Cloud?

Problem scenario
You want to create and save an application-level secret in AWS. What do you do?

Solution
Use Secrets Manager.

Procedures

  1. Log into the AWS console.
  2. Go to “Secrets Manager”
  3. Click “Store a new secret”
  4. For the secret type choose “Other type of secrets”.
  5. For the left-most field,


How Do You Remove the ECDSA Fingerprints of Old Servers That You Will Not Connect to Again?

Problem scenario
You have a server that has used SSH to connect to other servers. You want to remove the stored fingerprints so that the next connection prompts the user to accept the ECDSA key fingerprint again. What do you do?

Solution
Run this command, where x.x.x.x is the IP address or hostname of the server whose fingerprint should be removed: ssh-keygen -R x.x.x.x

If you used a hostname with the SSH commands,


How Can You Change the cgroups Settings for Docker Containers while Bypassing Docker?

Problem scenario
You want to bypass Docker and configure the cgroups directly. You want new Docker containers to be governed by these customized settings. What should you do?

Solution
You may not want to bypass Docker for your cgroup modifications. You should read about libcontainer. By default Docker uses libcontainer for granular configuration changes such as modifying cgroups settings.


What is a Secret in Kubernetes?

Question
What is a Secret in Kubernetes?

Answer
It is a ConfigMap with sensitive data that is encoded as Base64 text. What is a ConfigMap? It is a .yaml file with a special format. There is always a “data:” section in the YAML definition of a ConfigMap. The key-value pairs in the “data” section have keys that appear in regular text;


What Is The Immutable Bit vs. The Sticky Bit?

Problem scenario
You have heard of the immutable bit and want to know how it is different from the sticky bit. What is the immutable bit versus the sticky bit? What are the differences between the two?

Solution
We like the term “immutable flag” as opposed to “immutable bit” to help distinguish the two. We have three parts to explain this.


How Do You Open a Port to Connect to a GCP server?

Problem scenario
You are used to AWS Security Groups. You created a firewall rule in GCP. You cannot seem to reach the GCP server. What is wrong?

Possible Solution
Does the GCP firewall rule use the same CIDR shorthand notation, like this?
x.x.x.x/32

Inbound rules in AWS Security Groups use the /32 suffix to allow a single IP address to connect to an EC2 instance or service.
