Monday, December 30, 2019

Working with ENI Flowlogs

Setting up Flowlogs

  1. Go to your network interface and create a flow log (per this instruction)
  2. It takes about 5 minutes before anything appears in the log stream
  3. Each entry will be in this format:
    • Protocols (the protocol field holds the IANA protocol number):
      • 1: ICMP (source and destination ports will be 0)
      • 6: TCP
      • 17: UDP
    • Start/End are UNIX timestamps in seconds

Basic search (from Cloudwatch Logs)

  • Find all entries with source IP 10.0.0.1
    [a,b,c,d=10.0.0.1,e,f,g,h,i,j,k,l]
  • Find all entries with source IP 10.0.0.1 destined to port 8443
    [a,b,c,d=10.0.0.1,e,f,port=8443,h,i,j,k,l]
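The same two searches done offline, as an added example that is not part of the original post: the post does not reproduce the record layout, so this parser assumes the VPC flow log default (version 2) format, which is the space-separated field order version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status. The sample lines are constructed (placeholder account and ENI ids, not real traffic). NODATA records carry "-" in the traffic fields and are skipped; the REJECT counter at the end is the kind of quick check you would run before writing a proper CloudWatch metric filter.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Field order of the VPC flow log default (version 2) format, 14 fields.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers named on the page

# Constructed sample records (placeholder ids, not real traffic).
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.0.0.1 10.0.1.5 49152 8443 6 10 2048 1577707200 1577707260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.0.1 10.0.1.5 49153 22 6 3 180 1577707200 1577707260 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 192.168.1.9 10.0.1.5 0 0 1 4 336 1577707200 1577707260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.0.1 10.0.1.5 53000 53 17 2 140 1577707200 1577707260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1577707200 1577707260 - NODATA",
]


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    start: datetime
    end: datetime
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format line. NODATA/SKIPDATA lines have no traffic fields and yield None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(FIELDS, parts))
    if f["log_status"] != "OK":
        return None
    return FlowRecord(
        interface_id=f["interface_id"], srcaddr=f["srcaddr"], dstaddr=f["dstaddr"],
        srcport=int(f["srcport"]), dstport=int(f["dstport"]), protocol=int(f["protocol"]),
        packets=int(f["packets"]), byte_count=int(f["bytes"]),
        # start/end are UNIX seconds; convert to aware UTC datetimes
        start=datetime.fromtimestamp(int(f["start"]), tz=timezone.utc),
        end=datetime.fromtimestamp(int(f["end"]), tz=timezone.utc),
        action=f["action"],
    )


def load(lines) -> List[FlowRecord]:
    return [r for r in map(parse_record, lines) if r is not None]


def find(records, srcaddr=None, dstport=None, action=None) -> List[FlowRecord]:
    """Offline equivalent of the CloudWatch filter patterns: every given criterion must match."""
    return [r for r in records
            if (srcaddr is None or r.srcaddr == srcaddr)
            and (dstport is None or r.dstport == dstport)
            and (action is None or r.action == action)]


def protocol_name(number: int) -> str:
    return PROTOCOLS.get(number, f"proto-{number}")


def rejects_by_source(records) -> Dict[str, int]:
    """Count REJECTed flows per source address: a cheap first signal for scanning or a bad rule."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.action == "REJECT":
            counts[r.srcaddr] = counts.get(r.srcaddr, 0) + 1
    return counts


if __name__ == "__main__":
    recs = load(SAMPLE_LINES)
    for r in find(recs, srcaddr="10.0.0.1", dstport=8443):
        print(f"{r.start:%Y-%m-%dT%H:%M:%SZ} {protocol_name(r.protocol)} "
              f"{r.srcaddr}:{r.srcport} -> {r.dstaddr}:{r.dstport} {r.action}")
    print(rejects_by_source(recs))
```

Feed it the lines exported from the log stream instead of SAMPLE_LINES; if you use a custom flow log format, change FIELDS to match the order you chose when creating the flow log.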

AWS ELB Primer

Creating classic ELB

aws elb create-load-balancer
    --load-balancer-name ELB_NAME
    --listeners "Protocol=HTTP,
                LoadBalancerPort=80,
                InstanceProtocol=HTTP,
                InstancePort=80"
    --scheme internal
    --subnets subnet-xxxx subnet-yyyy
    --security-groups sg-123456

Tagging ELB

aws elb add-tags
    --load-balancer-names ELB_NAME
    --tags "Key='keyA',Value='valueA'" "Key='keyB',Value='valueB'"

Adding instance to ELB

aws elb register-instances-with-load-balancer
    --load-balancer-name MY_ELB
    --instances i-xxxxx


Removing instance from ELB

aws elb deregister-instances-with-load-balancer
    --load-balancer-name MY_ELB
    --instances i-xxxxx

Working with Certificates

View: aws iam get-server-certificate --server-certificate-name MY_CERT_NAME

Delete: aws iam delete-server-certificate --server-certificate-name MY_CERT_NAME

List: aws iam list-server-certificates

Upload

aws iam upload-server-certificate
    --server-certificate-name MY_CERT
    --certificate-body file://c:\temp\public.pem
    --private-key file://c:\temp\private.pem
    --certificate-chain file://e:\temp\chain.pem

AWS EC2 Reset Windows Password

AWS EC2 Reset Windows Password (Win 2008)

  1. Detach the root volume from the inaccessible Windows instance (A) and attach it to another Windows instance (B) as a non-root volume. Make sure B runs the identical version of Windows.
  2. Log into B
  3. Mount the secondary volume
  4. On the secondary volume, open \Program Files\Amazon\Ec2ConfigService\Settings\config.xml
  5. Find the section for "Ec2SetPassword"
  6. Set its "State" property to "Enabled"
    <Ec2ConfigurationSettings>
      <Plugins>
        <Plugin>
          <Name>Ec2SetPassword</Name>
          <State>Enabled</State>
        </Plugin>

  7. Save the modified file in place (accept the UAC prompt)
  8. Update the disk signature
    1. Open regedit.exe
    2. Under HKEY_LOCAL_MACHINE, find "Windows Boot Manager"
    3. The path should look like "HKLM\BCD00000000\Objects\{XXXXX-XXX-XXXX-XXXX-XXXXXX}\Elements\"
    4. Open the subkey "11000001"
    5. Select the "Element" value
    6. Find the four bytes at offset 0x38
    7. Reverse the order of these bytes (for example, 6E E9 36 02)
    8. This is the disk signature this disk needs to have
    9. Open an administrative command prompt
    10. Run diskpart
    11. Select the disk of the drive from Windows instance A
      select disk 2
    12. View the disk signature of this drive
      uniqueid disk
    13. If it does not match the value from step 7, set it
      uniqueid disk id=6EE93602
    14. This takes the volume offline
  9. From AWS, detach this volume from B and attach it to A as /dev/sda1
  10. Proceed to retrieve the random password as usual

S3 Presigned URL


A presigned URL is a time-limited signed URL that can be generated and given to anyone to allow temporary access to a bucket or an object.

The permissions it grants can be at most those of the identity (user or role) used to generate the presigned URL.

A presigned URL includes the following query parameters:
  • X-Amz-Algorithm
  • X-Amz-Expires
  • X-Amz-Date
  • X-Amz-SignedHeaders
  • X-Amz-Security-Token
  • X-Amz-Credential
  • X-Amz-Signature
The presigned URL is valid until whichever of the following applies first:
  • 3600 seconds if no expiry is defined
  • the number of seconds given by the "--expires-in" flag
  • the expiry of the role credentials used to generate the URL
A CORS configuration must be defined on the bucket if the user retrieves the target object from a web page on another origin.

Example (via PowerShell)

# Object to share (S3 URI) and how long the URL stays valid, in seconds
$s3uri = "s3://myBucket/mylogs/important.log"
$expireSec = 120
# aws s3 presign prints the signed URL; capture it
$output = aws s3 presign $s3uri --expires-in $expireSec
# Open the URL in Internet Explorer to retrieve the object
$objIE = New-Object -ComObject InternetExplorer.Application
$objIE.Navigate($output)
$objIE.Visible = $true
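What `aws s3 presign` puts into those X-Amz-* parameters, shown as an added example that is not part of the original post and not AWS's own code: a Signature Version 4 query-string signer for a GET, plus a verifier that re-derives the signature the way S3 would. The bucket, key, access key, secret and clock are constructed demo values. The verifier shows the practical point for anyone handing these URLs out: changing the object path, the expiry or the token invalidates the signature, so the only things that extend access are re-signing with the credentials, or the credentials themselves outliving the URL.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import quote, unquote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 604800  # SigV4 presigned URLs may live at most 7 days

# Constructed demo values (not real credentials); bucket/key names follow the post.
BUCKET, KEY, REGION = "mybucket", "mylogs/important.log", "us-east-1"
ACCESS_KEY, SECRET_KEY = "AKIAEXAMPLEKEY000000", "exampleSecretKeyDoNotUse"
SIGNED_AT = datetime(2019, 12, 30, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, datestamp: str, region: str, service: str) -> bytes:
    # Derivation chain: kSecret -> kDate -> kRegion -> kService -> kSigning
    k = _hmac(("AWS4" + secret).encode(), datestamp)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def _canonical_request(host: str, path: str, canonical_qs: str) -> str:
    # Only the host header is signed; the body hash is UNSIGNED-PAYLOAD for query-string auth.
    return "\n".join(["GET", path, canonical_qs, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])


def _signature(secret: str, datestamp: str, region: str, service: str,
               amz_date: str, scope: str, canonical_request: str) -> str:
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _signing_key(secret, datestamp, region, service)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket: str, key: str, access_key: str, secret_key: str, region: str,
                expires_in: int = 3600, session_token: Optional[str] = None,
                now: Optional[datetime] = None) -> str:
    """Build a SigV4 query-string-authenticated GET URL (same parameters aws s3 presign emits)."""
    if not 1 <= expires_in <= MAX_EXPIRES:
        raise ValueError(f"expires_in must be between 1 and {MAX_EXPIRES} seconds")
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = amz_date[:8]
    scope = f"{datestamp}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key, safe="/")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # present only when signing with temporary (role) credentials
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: keys sorted, every key and value URI-encoded ('/' included)
    canonical_qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                            for k, v in sorted(params.items()))
    sig = _signature(secret_key, datestamp, region, "s3", amz_date, scope,
                     _canonical_request(host, path, canonical_qs))
    return f"https://{host}{path}?{canonical_qs}&X-Amz-Signature={sig}"


def verify_presigned(url: str, secret_key: str, now: datetime) -> Tuple[bool, str]:
    """Re-derive the signature as S3 would; any edit to path, expiry or token breaks it."""
    parts = urlsplit(url)
    pairs = parts.query.split("&")
    try:
        params = dict(p.split("=", 1) for p in pairs)
        _, datestamp, region, service, term = unquote(params["X-Amz-Credential"]).split("/")
        signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires_in = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False, "malformed presigned URL"
    if params.get("X-Amz-Algorithm") != ALGORITHM or params.get("X-Amz-SignedHeaders") != "host":
        return False, "unsupported algorithm or signed headers"
    if now > signed_at + timedelta(seconds=expires_in):
        return False, "expired"
    scope = "/".join((datestamp, region, service, term))
    canonical_qs = "&".join(sorted(p for p in pairs if not p.startswith("X-Amz-Signature=")))
    expected = _signature(secret_key, datestamp, region, service, params["X-Amz-Date"], scope,
                          _canonical_request(parts.netloc, parts.path, canonical_qs))
    if not hmac.compare_digest(expected, params.get("X-Amz-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


def make_demo_url(expires_in: int = 120, session_token: Optional[str] = None) -> str:
    return presign_get(BUCKET, KEY, ACCESS_KEY, SECRET_KEY, REGION, expires_in, session_token, now=SIGNED_AT)


def check_at(url: str, seconds_after_signing: int) -> Tuple[bool, str]:
    return verify_presigned(url, SECRET_KEY, SIGNED_AT + timedelta(seconds=seconds_after_signing))


if __name__ == "__main__":
    url = make_demo_url()
    print(url)
    print(check_at(url, 60), check_at(url, 200), check_at(url.replace("important.log", "other.log"), 60))
```

The verifier only has the secret because it is the demo signer's own; in practice S3 is the only verifier, which is why the URL can be handed to anyone without exposing the credentials that produced it.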

AWS S3 Bucket Policy examples


Grant full permission to another account


{
    "Version": "2012-10-17",
    "Id": "PolicyForPrincipal",
    "Statement": [
        {
            "Sid": "AccountAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXX:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::myBucket",
                "arn:aws:s3:::myBucket/*"
            ]
        }
    ]
}
                       

Notes
  • The principal is the root of the other account; to grant a specific user in that account, that account must delegate the access through its own IAM policies
  • Resource must include the bucket ARN itself (not only bucket/*) if you want to grant "ListObject" (the s3:ListBucket action)

Grant read/write from specific set of IP addresses


{
    "Version": "2012-10-17",
    "Id": "PolicyForIP",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::myBucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "10.10.10.10/32",
                        "168.0.0.10/32"
                    ]
                }
            }
        }
    ]
}
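A small review pass over both policies above (the account grant and the IP-restricted grant), as an added example that is not part of the original post: it encodes the two notes from the first example as checks (bucket ARN required for listing; principal scope) and adds the caveats a reviewer would raise on the second one. The finding codes and the hardened third policy are constructed for this example; the private-address finding rests on the fact that aws:SourceIp is evaluated against the address AWS sees (the public or NAT address), and that traffic through a VPC endpoint is matched with aws:VpcSourceIp instead.

```python
import ipaddress
import json
from typing import Any, Dict, List, Set, Tuple

# The two policies from this post, placeholder account id kept as on the page.
POLICY_FOR_PRINCIPAL = json.loads("""{
  "Version": "2012-10-17", "Id": "PolicyForPrincipal",
  "Statement": [{"Sid": "AccountAllow", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::XXXXXX:root"},
                 "Action": "s3:*",
                 "Resource": ["arn:aws:s3:::myBucket", "arn:aws:s3:::myBucket/*"]}]}""")

POLICY_FOR_IP = json.loads("""{
  "Version": "2012-10-17", "Id": "PolicyForIP",
  "Statement": [{"Sid": "IPAllow", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:*", "Resource": "arn:aws:s3:::myBucket/*",
                 "Condition": {"IpAddress": {"aws:SourceIp": ["10.10.10.10/32", "168.0.0.10/32"]}}}]}""")

# Constructed hardened variant: named role principal, read-only actions, bucket ARN present.
POLICY_READ_ONLY_ROLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "ReaderRole", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::XXXXXX:role/log-reader"},
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::myBucket", "arn:aws:s3:::myBucket/*"]}]}""")

Finding = Tuple[str, str, str]  # (Sid, code, explanation)


def _as_list(value: Any) -> List[Any]:
    return [] if value is None else (value if isinstance(value, list) else [value])


def _principal_is_anyone(principal: Any) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _is_bucket_arn(arn: str) -> bool:
    prefix = "arn:aws:s3:::"
    return arn.startswith(prefix) and "/" not in arn[len(prefix):]


def review_bucket_policy(policy: Dict[str, Any]) -> List[Finding]:
    findings: List[Finding] = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        condition = st.get("Condition") or {}
        if _principal_is_anyone(st.get("Principal")):
            if not condition:
                findings.append((sid, "ANYONE_NO_CONDITION", "Principal * with no Condition grants anonymous access"))
            elif set(condition) <= {"IpAddress", "NotIpAddress"}:
                findings.append((sid, "ANYONE_IP_ONLY", "Principal * is limited only by source IP, not by identity"))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append((sid, "WILDCARD_ACTION", "s3:* includes delete, ACL and policy-changing actions"))
        if any(a in ("*", "s3:*", "s3:ListBucket") for a in actions) and not any(map(_is_bucket_arn, resources)):
            findings.append((sid, "LIST_WITHOUT_BUCKET_ARN", "ListBucket needs the bucket ARN itself in Resource"))
        for cidr in _as_list(condition.get("IpAddress", {}).get("aws:SourceIp")):
            if ipaddress.ip_network(cidr, strict=False).is_private:
                findings.append((sid, "PRIVATE_SOURCE_IP",
                                 f"{cidr} is a private range; aws:SourceIp sees the public/NAT address "
                                 "and VPC endpoint traffic is matched with aws:VpcSourceIp"))
    return findings


def finding_codes(policy: Dict[str, Any]) -> Set[str]:
    return {code for _, code, _ in review_bucket_policy(policy)}


if __name__ == "__main__":
    for name, pol in (("PolicyForPrincipal", POLICY_FOR_PRINCIPAL), ("PolicyForIP", POLICY_FOR_IP),
                      ("ReadOnlyRole", POLICY_READ_ONLY_ROLE)):
        print(name)
        for sid, code, why in review_bucket_policy(pol):
            print(f"  [{sid}] {code}: {why}")
```

Run it against `aws s3api get-bucket-policy --bucket myBucket --query Policy --output text` output (the policy document is returned as a JSON string) before uploading a policy with the put-bucket-policy command shown later on this page.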
                       




Saturday, December 28, 2019

AWS CLI Examples

Miscellaneous AWS CLI Examples

Run (Launch) new instance


1  aws ec2 run-instances
2        --image-id ami-xxxxxxxxxx
3        --network-interfaces "NetworkInterfaceId=eni-xxxxxx,DeviceIndex=0"
4        --key-name MY_KEY
5        --instance-type "m4.xlarge"
6        --disable-api-termination
7        --iam-instance-profile "Arn=arn:aws-iso:iam::1234567890:instance-profile/myiamprofile"

Lines
  1. Base command
  2. ID of the AMI
  3. Network interface ID and its device index (if known). Provide --subnet-id instead if you want a new interface created
  4. Key pair name
  5. Instance type
  6. Disable API termination (remove if you want to allow termination through the API)
  7. IAM instance profile (remove if you don't want to attach an IAM profile)
Other options and their defaults
  • Security group: default
  • Shutdown behavior: stop
  • EBS optimized: false
  • Enhanced monitoring: false

Create new AMI

aws ec2 create-image
        --instance-id i-xxxxxxxxxxxxxxxxxx
        --name MY_AMI_NAME_01
        --description "My Description"

Tagging Resource


aws ec2 create-tags --resources SOME_ID --tags "Key=MYKEY,Value='MYVALUE'..."
Notes:
  • Any EC2 resource ID can be used
  • Each tag is a Key=...,Value=... pair, with the key and value separated by a comma
  • Multiple tags can be provided, separated by spaces

View all of my AMIs

aws ec2 describe-images --owners "self"

View all Instances of some account

aws ec2 describe-instances --filters "Name=owner-id,Values=XXXXXX"


View all snapshots of some account


aws ec2 describe-snapshots --owner-ids XXXXXXX

Remove Termination Protection

aws ec2 modify-instance-attribute
        --instance-id i-xxxxxxxxxxx
        --no-disable-api-termination

Terminate Instance

aws ec2 terminate-instances
        --instance-ids i-xxxxxxxxxxx

Create Volume from Snapshot


aws ec2 create-volume
        --snapshot-id snap-xxxxxxxxxx
        --size 50
        --availability-zone us-east-1a
        --volume-type gp2


Copy single file to S3

aws s3 cp filename.log s3://bucketname


Copy directory to S3

aws s3 cp \\path\directory\ s3://bucketname/prefix --recursive

Note
  • Paths and prefixes are case sensitive
  • Empty sub-directories are ignored

Copy with filter (only copy .log files from all path and sub-path)


aws s3 cp \\path\directory\ s3://bucketname/prefix/ --exclude '*' --include '*.log' --recursive

Note
  • Excludes everything except files with the .log extension
  • The order of the filters matters: later filters override earlier ones

Copy from bucket to bucket

aws s3 cp s3://bucketA s3://bucketB --recursive

Sync local content to bucket

aws s3 sync \\localpath\ s3://bucketA/path/ --exclude '*' --include '*.log' --delete

Note
  • The --delete flag ensures that what is deleted at the source is also deleted at the destination
  • sync is always recursive; no --recursive flag is needed
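How the filter order in the two commands above works out, as an added example that is not part of the original post and not the AWS CLI's own code: it models the CLI's --exclude/--include evaluation (every file starts included, each matching rule overrides the decision so far, so the last matching rule wins) with Python's fnmatch, which is an assumption about pattern semantics that holds for the simple patterns on this page. The sync planner applies the same filters to both sides before deciding what --delete would remove; the file lists are constructed.

```python
import fnmatch
from typing import Iterable, List, Sequence, Tuple

Filter = Tuple[str, str]  # ("exclude" | "include", pattern) in command-line order

# Constructed sample tree and bucket listing (relative paths, as the CLI matches them)
LOCAL_FILES = ["a.log", "b.txt", "sub/c.log", "sub/d.csv", "Special/e.log"]
REMOTE_KEYS = ["a.log", "old.log", "old.txt", "Special/e.log"]

LOG_ONLY = [("exclude", "*"), ("include", "*.log")]     # the post's filter order
WRONG_ORDER = [("include", "*.log"), ("exclude", "*")]  # same rules, reversed


def is_selected(path: str, filters: Iterable[Filter]) -> bool:
    """Everything starts selected; each matching rule overrides the decision so far,
    so the last matching rule wins. '*' matches across '/' as it does in the CLI."""
    selected = True
    for kind, pattern in filters:
        if fnmatch.fnmatchcase(path, pattern):  # case sensitive, like the CLI
            selected = kind == "include"
    return selected


def select(paths: Iterable[str], filters: Sequence[Filter]) -> List[str]:
    return sorted(p for p in paths if is_selected(p, filters))


def plan_sync(local: Sequence[str], remote: Sequence[str], filters: Sequence[Filter],
              delete: bool = False) -> Tuple[List[str], List[str]]:
    """Return (uploads, deletions). Assumes every selected local file needs uploading
    (no size/timestamp comparison) and applies the filters to both sides."""
    uploads = select(local, filters)
    present = set(local)
    deletions = [k for k in select(remote, filters) if k not in present] if delete else []
    return uploads, deletions


if __name__ == "__main__":
    print("cp --exclude '*' --include '*.log':", select(LOCAL_FILES, LOG_ONLY))
    print("same filters reversed:            ", select(LOCAL_FILES, WRONG_ORDER))
    print("sync --delete would:", plan_sync(LOCAL_FILES, REMOTE_KEYS, LOG_ONLY, delete=True))
```

Before running a sync with --delete against a bucket, this kind of dry run (or the CLI's own --dryrun flag) tells you which objects the filter combination would remove.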

Sync bucket to local path, skipping one directory

aws s3 sync s3://bucketA/path/ \\localpath\test\ --exclude 'Special/*'


S3 Permissions

Default is "private": only "me" (the uploading account) is granted permission

aws s3 cp filename.txt s3://bucketA/path/

Also allow public read

aws s3 cp filename.txt s3://bucketA/path/ --acl public-read

Also allow public read/write

aws s3 cp filename.txt s3://bucketA/path/ --acl public-read-write

Give the bucket owner full control too

aws s3 cp filename.txt s3://bucketA/path/ --acl bucket-owner-full-control

Upload Bucket Policy

aws s3api put-bucket-policy --bucket myBucket --policy file://myPolicy.json
Notes
  • myPolicy.json file is expected in the current directory

Various other EC2 describes

  • Customer Gateways: aws ec2 describe-customer-gateways
  • Network ACL: aws ec2 describe-network-acls
  • ENIs: aws ec2 describe-network-interfaces
  • Route Table: aws ec2 describe-route-tables
  • Security Group: aws ec2 describe-security-groups
  • Key Pairs: aws ec2 describe-key-pairs
  • Subnets: aws ec2 describe-subnets
  • VPN GWs: aws ec2 describe-vpn-gateways
  • VPCs: aws ec2 describe-vpcs
  • Peering Connections: aws ec2 describe-vpc-peering-connections
  • VPN Connections: aws ec2 describe-vpn-connections

Thursday, December 5, 2019

Patching PeopleTools 8.57

How to Patch WebLogic in PeopleTools 8.57

Per Oracle, if you are running PeopleTools 8.57 on Windows, the recommendation is to deploy the latest DPK, which comes with all the necessary patches. However, if you just want to patch WebLogic (because...), follow this.

  1. Stop all PIA services and the Oracle service
  2. Ensure you have 7-Zip installed (Windows can't natively handle the long path names in Oracle's archives)
  3. Download the latest WebLogic patch (the latest one contains all the previous patches too)
  4. Use 7-Zip to extract the content
  5. Go into the extracted directory and run WebLogic's opatch.bat with apply and the "-oh" flag to designate the Oracle Home directory for this installation. I'll assume the Oracle DPK was installed in c:\pt857
    c:\pt857\pt\bea\OPatch\opatch.bat apply -oh c:\pt857\pt\bea -silent

  6. Call the same opatch.bat with lsinventory to confirm the patch was applied
    c:\pt857\pt\bea\OPatch\opatch.bat lsinventory -oh c:\pt857\pt\bea

  7. Here's the whole thing in a bat file
    rem Stop the Oracle process manager and the PIA/WebLogic services
    call net stop "ORACLE ProcMGR v12.2.2.0.0_VS2015"
    call net stop "psDEMO-WebLogicAdmin"
    call net stop "psDEMO-PIA"
    rem Fetch the 7-Zip installer and the WebLogic patch from the S3 repository
    aws s3 cp s3://my-repo-name/7zip/7z920.exe c:\temp
    aws s3 cp s3://my-repo-name/patches/p30386660_122130_Generic.zip c:\temp
    cd c:\temp
    rem Silent 7-Zip install, extract the patch, apply it, then remove 7-Zip again
    call 7z920.exe /S /D="C:\Program Files (x86)\7-Zip"
    call "C:\Program Files (x86)\7-Zip\7z.exe" x C:\temp\p30386660_122130_Generic.zip
    call c:\pt857\pt\bea\OPatch\opatch.bat apply -oh c:\pt857\pt\bea -silent
    call "c:\Program Files (x86)\7-Zip\Uninstall.exe" /S
    rem Confirm the patch shows up in the inventory
    cd c:\pt857\pt\bea\opatch
    call c:\pt857\pt\bea\opatch\opatch.bat lsinventory -oh c:\pt857\pt\bea


AWS WAF log4j query

How to query AWS WAF logs for log4j attacks
  1. Set up your Athena table using this instruction https://docs.aws.amazon.com/athena/latest/ug/wa...