The latest articles on Forem by David💻 (@davidshaek). https://forem.com/davidshaek https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F801789%2Fff604519-c4ca-47ef-8719-7a9a53f99343.gif https://forem.com/davidshaek en David💻 Wed, 11 Feb 2026 17:26:44 +0000 https://forem.com/davidshaek/the-aws-badge-dex-an-almost-complete-guide-for-2026-47dk https://forem.com/davidshaek/the-aws-badge-dex-an-almost-complete-guide-for-2026-47dk <p>This guide provides a comprehensive reference of all current AWS badges available on Credly, covering public badges, subscription-based programs, educational offerings, and AWS employee–exclusive badges.</p> <h2> AWS Certified Early Adopter </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj29hsgj39emvkqti02zx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj29hsgj39emvkqti02zx.png" alt="EarlyAdopter" width="800" height="526"></a></p> <p>AWS Certified Early Adopter, are badges given to those that has passed the certifications exams on their beta phases, if successfully the earner will get the certification plus this early adopter badge, which is only obtainable at beta.</p> <ul> <li> <strong>Requirements</strong>: The first 5,000 exam participants will receive a special Early Adopter badge upon passing.</li> <li> <strong>Cost</strong>: At half cost of the normal price of a certification</li> <li> <strong>Course Level</strong>: Ranges from foundational to advanced, catering to a wide range of professionals including beginners, intermediates, and experts.</li> <li> <strong>Duration</strong>: 250 minutes</li> <li> <strong>Assessment</strong>: Involves a proctored exam that need to be passed to achieve AWS Certified status.</li> <li> <strong>Platform</strong>: <a href="https://aws.amazon.com/certification/" rel="noopener noreferrer">Link</a> </li> </ul> <h2> AWS Microcredentials </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvbxtbrrukyuf27swuual.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvbxtbrrukyuf27swuual.png" alt="AWS Microcredentials" width="800" height="526"></a></p> <p>AWS Microcredentials are hands on, scenario based labs designed to validate user ability to solve real world problems using AWS services. Each microcredential focuses on a specific service and on practical tasks rather than theory, ensuring the user can apply their knowledge in a controlled AWS environment.</p> <ul> <li> <strong>Requirements</strong>: An active skillbuilder subscription.</li> <li> <strong>Cost</strong>: $29 (or the cost of the basic skillbuilder subscription at the time)</li> <li> <strong>Course Level</strong>: Appropriate for Intermediates, and Advanced learners.</li> <li> <strong>Duration</strong>: 1h30m</li> <li> <strong>Assessment</strong>: A set of questions based on to-do tasks on an controlled AWS account environment.</li> <li> <strong>Platform</strong>: <a href="https://skillbuilder.aws/category/type/microcredentials" rel="noopener noreferrer">Link</a> </li> </ul> <h2> AWS Ambassador </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ywkrdqsbiwmg2n4i2lm.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ywkrdqsbiwmg2n4i2lm.jpg" alt="Ambassador" width="800" height="526"></a><br> The AWS Ambassador Program is a dynamic initiative designed to enhance expertise in AWS technologies, fostering a community of skilled professionals. This program offers a variety of digital and in-person learning opportunities, tailored to suit different learning preferences and schedules. It features multiple learning paths and courses that focus on a broad range of AWS topics and services, crucial for mastering the use of AWS tools and services. AWS Ambassadors, as participants, engage in interactive activities and practical exercises, which are key to reinforcing their knowledge and skills.</p> <ul> <li> <strong>Requirements</strong>: To become an AWS Ambassador, one must be an employee of an AWS Partner Network and hold at least two AWS technical certifications at the Professional or Specialty level. Active contribution to the AWS community through various channels is also required.</li> <li> <strong>Cost</strong>: The program, focused on community building and knowledge sharing, does not typically involve a subscription fee like traditional courses. Instead, it emphasizes active participation and contribution.</li> <li> <strong>Course Level</strong>: Suitable for individuals who are already familiar with AWS technologies, looking to deepen their expertise and share knowledge with others.</li> <li> <strong>Duration</strong>: The involvement varies, as it depends on the individual's contributions and activities within the AWS community.</li> <li> <strong>Assessment</strong>: The assessment in this context is more about real-world application and contribution rather than a formalized test. Ambassadors demonstrate their knowledge through public presentations, blogs, whitepapers, and community activities.</li> <li> <strong>Platform</strong>: <a href="https://aws.amazon.com/partners/ambassadors/" rel="noopener noreferrer">Link</a> </li> </ul> <h2> AWS Quest </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy81oftfag22nyeijnoo1.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy81oftfag22nyeijnoo1.jpg" alt="Cloud Quest" width="800" height="526"></a><br> AWS Cloud Quest is an innovative learning platform that enhances skills in AWS technologies through a role-playing game format. It offers a blend of digital training options, catering to various learning styles and schedules. This platform includes diverse learning paths and courses, focusing on key AWS topics and services. Essential for effectively utilizing AWS tools, it enables learners to engage in interactive labs and hands-on exercises. This approach helps users proficiently architect, develop, and operate within the AWS cloud environment.</p> <ul> <li> <strong>Requirements</strong>: A skillbuilder account is needed.</li> <li> <strong>Cost</strong>: Some roles are available for free; others may require a subscription.</li> <li> <strong>Course Level</strong>: Appropriate for various levels, from beginners to advanced.</li> <li> <strong>Duration</strong>: Varies 2-6 hours based on the chosen role and learning pace.</li> <li> <strong>Assessment</strong>: Involves completing role-specific assignments and tasks.</li> <li> <strong>Platform</strong>: <a href="https://aws.amazon.com/training/digital/aws-cloud-quest/" rel="noopener noreferrer">Link</a> | <a href="https://explore.skillbuilder.aws/learn/catalog?ctldoc-catalog-0=se-%22aws%20cloud%20quest%22" rel="noopener noreferrer">Cloud Quest</a> | <a href="https://explore.skillbuilder.aws/learn/catalog?ctldoc-catalog-0=se-%22AWS%20Industry%20Quest%22" rel="noopener noreferrer">Industry Quest</a> </li> </ul> <h2> AWS re/Start </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmlnhbnd5q6urf95ox7tb.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmlnhbnd5q6urf95ox7tb.jpg" alt="AWS Programs" width="800" height="526"></a><br> AWS re/Start is a comprehensive learning platform aimed at individuals seeking careers in cloud computing. It's a full-time, 12-week program that offers skills development in cloud technologies and professional skills like communication and time management. The program is designed for unemployed or underemployed individuals, and no prior technology background is required to apply. It provides hands-on labs and coursework to prepare for entry-level cloud roles and the AWS Certified Cloud Practitioner certification. Upon completion, the program also assists with job placement.</p> <ul> <li> <strong>Requirements</strong>: Targeted at individuals with little to no technology background, particularly those who are unemployed or underemployed.</li> <li> <strong>Cost</strong>: The program is free for learners.</li> <li> <strong>Course Level</strong>: Entry-level, suitable for individuals new to cloud computing.</li> <li> <strong>Duration</strong>: 12 weeks, full-time.</li> <li> <strong>Assessment</strong>: Includes preparation for the AWS Certified Cloud Practitioner exam.</li> <li> <strong>Platform</strong>: <a href="https://aws.amazon.com/training/restart/" rel="noopener noreferrer">Link</a> </li> </ul> <h2> AWS Instructor </h2> <p>The AWS Authorized Instructor Program and AWS Classroom Training form an integrated learning platform designed to enhance knowledge and skills in AWS technologies. These programs offer a comprehensive range of instructor-led training options, meticulously crafted to cater to different learning styles and schedules. The platform features a variety of learning paths and courses, focusing on diverse AWS topics and services. These instructor-led courses are instrumental in cultivating the competencies required for effectively utilizing AWS tools and services.</p> <ul> <li> <strong>Requirements</strong>: To become an AWS Authorized Instructor, one must have at least the AWS Certified Solution Architect - Associate Certification and be sponsored by an AWS Training Partner.</li> <li> <strong>Cost</strong>: Joining the AWS Authorized Instructor Program is free. Instructors receive benefits like exam vouchers and console credits. The cost for classroom training varies based on the course and delivery method.</li> <li> <strong>Course Level</strong>: Suitable for various levels, from beginners to advanced learners, with courses available for different roles such as Solutions Architect, Developer, and Cloud Practitioner.</li> <li> <strong>Duration</strong>: Classroom training courses vary in length, ranging from half-day workshops to multi-day sessions.</li> <li> <strong>Assessment</strong>: Instructors are evaluated on their knowledge and ability to deliver courses effectively. Students in classroom training participate in hands-on labs and practical exercises.</li> <li> <strong>Platform</strong>: <a href="https://aws.amazon.com/training/aai/" rel="noopener noreferrer">Link</a> </li> </ul> <h2> AWS Subject Matter Expert </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcbfus11tor8g6bw9hig0.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcbfus11tor8g6bw9hig0.jpg" alt="aws sme" width="800" height="526"></a><br> SME is a program that seeks qualified Subject Matter Experts (SME) to participate in AWS certification exam development events. Subject Matter Experts (SME) participate in remote and in-person events that focus on the creation and review of certification exam content.</p> <ul> <li> <strong>Requirements</strong>: </li> <li>Relevant hands-on experience with AWS, Approve an AWS certification an claim the benefit of applying for SME</li> <li>Strong reading and writing skills in English.</li> <li>For Foundational and Associate level exams: a minimum of one year of practical experience or equivalent in AWS.</li> <li>For the Professional and Specialty level exams: A minimum of two years of practical experience or equivalent in AWS.</li> <li> <strong>Cost</strong>: None</li> <li> <strong>Course Level</strong>: Advanced</li> <li> <strong>Duration</strong>: None/ At least participate in 3 exams creation</li> <li> <strong>Assessment</strong>: Pass the Item Writing Course/ some knowledge checks</li> <li> <strong>Platform</strong>:<a href="https://aws.amazon.com/es/certification/certification-sme-program/" rel="noopener noreferrer">Link</a> | <a href="https://explore.skillbuilder.aws/learn/course/external/view/elearning/1117/aws-certification-subject-matter-expert-sme-item-writing" rel="noopener noreferrer">Link (SME) Item Writing Course</a> </li> </ul> <h2> AWS Educate </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fty805dxfo6dcze4gpi77.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fty805dxfo6dcze4gpi77.jpg" alt="AWS Educate" width="800" height="526"></a><br> AWS Educate offers hundreds of hours of self-paced training and resources for students new to the cloud, including hands-on labs in the AWS Management Console.</p> <p>Introductory courses to learn and practice fundamental aspects of the AWS cloud through hands-on labs for six key services: Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, AWS Identity and Access Management (IAM), and Amazon Virtual Private Cloud (Amazon VPC).</p> <ul> <li> <strong>Requirements</strong>: Register via e-mail (an email from a educational institution is not needed anymore)</li> <li> <strong>Cost</strong>: None</li> <li> <strong>Course Level</strong>: Beginner</li> <li> <strong>Duration</strong>: 4-6 hours</li> <li> <strong>Assessment</strong>: Yes, you can retry as many times as you like</li> <li> <strong>Platform</strong>: <a href="https://www.awseducate.com/student/s/content" rel="noopener noreferrer">Link</a> </li> </ul> <p><strong>Note</strong> Register from the dashboard before entering the courses directly.</p> <h2> AWS Academy </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn26wd51qdw9pubq24lhy.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn26wd51qdw9pubq24lhy.jpg" alt="AWS Academy" width="800" height="526"></a><br> AWS Academy offers higher education institutions a free, ready-to-teach cloud computing curriculum that prepares students to pursue industry-recognized certifications and high-demand cloud jobs. Our curriculum helps educators stay on the cutting edge of AWS cloud innovation so they can help students develop the skills they need to get hired in one of the fastest growing industries.</p> <ul> <li> <strong>Requirements</strong>: Have been invited by an education institution to a canvas platform</li> <li> <strong>Cost</strong>: Not additional cost, but you need to be enrolled in a course</li> <li> <strong>Course Level</strong>: Beginner</li> <li> <strong>Duration</strong>: 3-12 Months</li> <li> <strong>Assessment</strong>: Assessments per module</li> <li> <p><strong>Platform</strong>:<a href="https://aws.amazon.com/training/awsacademy/member-list/" rel="noopener noreferrer">Link</a></p> <h2> AWS Solutions-Focused Immersion Days (Builders Quest) </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv0fymyym0j5wybxj05wp.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv0fymyym0j5wybxj05wp.jpg" alt="Builder Quest" width="800" height="526"></a><br> The AWS Builders Quest comprises a series of webinar-style events aimed at facilitating learning about various AWS services. Each event features a presentation followed by lab sessions, which are instrumental in developing the skills necessary for building, deploying, and operating infrastructure and applications in the cloud.</p> </li> <li><p><strong>Requirements</strong>: Registration with a business/education email is required.</p></li> <li><p><strong>Cost</strong>: None.</p></li> <li><p><strong>Course Level</strong>: Appropriate for Beginners, Intermediates, and Advanced learners.</p></li> <li><p><strong>Duration</strong>: Sessions typically range from 4 to 6 hours.</p></li> <li><p><strong>Assessment</strong>: No formal assessment is conducted; however, participants must complete a form at the conclusion of the presentation.</p></li> <li><p><strong>Platform</strong>: <a href="https://aws.amazon.com/es/events/sfid-2024/?solution-immersion-days-cards.sort-by=item.additionalFields.sortDateTime&amp;solution-immersion-days-cards.sort-order=asc&amp;awsf.content-focus=*all&amp;awsf.event-type=*all&amp;awsf.language=*all&amp;awsf.location=*all&amp;awsf.level=*all&amp;awsf.month=*all&amp;awsf.topic=*all" rel="noopener noreferrer">Link</a></p></li> </ul> <h2> AWS Knowledge (Skillbuilder) </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdkkwf7a40rojw0q5udzn.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdkkwf7a40rojw0q5udzn.jpg" alt="AWS Knowledge" width="800" height="526"></a></p> <p>The AWS Skill Builder is an integrated learning platform designed to enhance knowledge and skills in AWS technologies. It provides a comprehensive range of digital and classroom training options, each meticulously crafted to cater to different learning styles and schedules. The platform features a variety of learning paths and courses, focusing on diverse AWS topics and services. These courses are instrumental in cultivating the competencies required for effectively utilizing AWS tools and services. Learners can engage in interactive labs and hands-on exercises that reinforce their understanding, thereby enabling them to proficiently architect, develop, and operate applications and infrastructure within the AWS cloud environment.</p> <ul> <li> <strong>Requirements</strong>: Registration is mandatory, either through email or a Builder ID.</li> <li> <strong>Cost</strong>: Free access is available. Paths including labs require a subscription at $29 per month, although these are optional for earning the badge.</li> <li> <strong>Course Level</strong>: Suitable for Beginners, Intermediate, and Advanced learners.</li> <li> <strong>Duration</strong>: Learning paths vary in length, ranging from 2 to 100 hours.</li> <li> <strong>Assessment</strong>: At the end of each path, there is an assessment consisting of approximately 40-60 questions. Participants can attempt the assessment once per day. It is not timed.</li> <li> <strong>Platform</strong>: <a href="https://explore.skillbuilder.aws/learn/catalog?ctldoc-catalog-0=se-%22Knowledge%20Badge%20Readiness%20Path%22" rel="noopener noreferrer">Link</a> </li> </ul> <h2> AWS Certified </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg588miwhq6emcdj5ioim.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg588miwhq6emcdj5ioim.png" alt="AWS Certified" width="800" height="526"></a></p> <p>AWS Certified is a certification program offered by Amazon Web Services (AWS) for professionals seeking to validate their technical expertise and knowledge in the AWS cloud. The program provides a range of certifications that cover various aspects of AWS, from foundational knowledge to specialized skills in areas like solutions architecture, development, operations, and more. These certifications are recognized in the industry and are designed to help professionals demonstrate their cloud abilities and enhance their careers.</p> <ul> <li> <strong>Requirements</strong>: Requires registration with any email. Prior knowledge and experience in the certification area are beneficial.</li> <li> <strong>Cost</strong>: Varies depending on the certification level and includes both free resources and paid exams from $100 - $300.</li> <li> <strong>Course Level</strong>: Ranges from foundational to advanced, catering to a wide range of professionals including beginners, intermediates, and experts.</li> <li> <strong>Duration</strong>: The preparation time varies based on the certification and the learner's background. Courses and study materials can range from a few hours to several weeks.</li> <li> <strong>Assessment</strong>: Involves a proctored exam that need to be passed to achieve AWS Certified status.</li> <li> <strong>Platform</strong>: <a href="https://aws.amazon.com/certification/" rel="noopener noreferrer">Link</a> </li> </ul> <p><strong>How to obtain a discount in your certifications</strong></p> <p>There are several ways to get discounts on AWS certifications:</p> <ol> <li><p><strong>AWS Certified Benefits</strong>: Once you are AWS Certified, you can access benefits including a 50% discount voucher for recertification or any other exam.</p></li> <li><p><strong>AWS Emerging Talent Community (ETC)</strong>: By participating in AWS Educate, AWS Educate, AWS re/start and earning a digital badge, you can be invited to the AWS ETC. Within this community, completing challenges earns you points, which can be redeemed for rewards like AWS certification vouchers.</p></li> <li><p><strong>AWS Certified Global Community</strong>: Similar to ETC, once you are AWS Certified you can get an invitation to the Certified Global Community. Within this community, completing challenges earns you points, which can be redeemed for rewards like AWS certification vouchers.</p></li> <li><p><strong>Get AWS Certified: Challenge</strong>: By joining the Get AWS Certified Challenge before a specified deadline, you can receive a 50% discount code for a Practitioner, Associate, or Professional-level certification exam. There are also challenges for specific specialty exams; however, these events tend to occur throughout the year without prior notice. Be sure to follow <a href="https://www.linkedin.com/showcase/aws-training-&amp;-certification/" rel="noopener noreferrer">AWS Training &amp; Certification</a> on LinkedIn for updates.</p></li> <li><p><strong>AWS Community Builders Programand Other Initiatives</strong>: You can obtain free AWS certification vouchers through various initiatives like the <a href="https://aws.amazon.com/developer/community/community-builders/" rel="noopener noreferrer">AWS Community Builders Program</a>, the All Builders Welcome Grant scholarship, the AWS New Voices foundational speaker training program.</p></li> <li><p><strong>AWS re:Invent Discount</strong>: Attendees of the AWS re:Invent conference also have the opportunity to receive a 50% discount voucher. This voucher can be used for any AWS certification exams.</p></li> </ol> <h2> AWS Partner </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F63zwtdjfh34g2vgb355k.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F63zwtdjfh34g2vgb355k.jpg" alt="AWS Partner" width="800" height="526"></a><br> The AWS Partner Network offers an array of specialized courses and interactive labs, specifically curated to empower partners with a profound understanding of AWS technologies. This suite of educational resources is thoughtfully designed, encompassing both digital and classroom training tailored to diverse learning styles and busy schedules. The program highlights various learning paths, each focused on distinct AWS themes and services, essential for mastering the nuances of AWS tools and applications. These courses play a crucial role in developing the requisite expertise for effectively deploying AWS solutions. Enrollees are immersed in hands-on labs and engaging exercises, which are instrumental in reinforcing their knowledge. This practical approach ensures that AWS partners are well-equipped to architect, implement, and manage sophisticated solutions within the AWS ecosystem.</p> <ul> <li> <strong>Requirements</strong>: Company email (the company needs to be part of APN).</li> <li> <strong>Cost</strong>: None.</li> <li> <strong>Course Level</strong>: Suitable for Intermediate and Advanced learners.</li> <li> <strong>Duration</strong>: Learning paths vary in length, ranging from 4 to 8hours.</li> <li> <strong>Assessment</strong>: Yes, you can retake as many times as you like</li> <li> <strong>Platform</strong>: <a href="https://explore.skillbuilder.aws/learn/catalog?ctldoc-catalog-0=l-_en~field14-_2~se-%22AWS%20Partner:%22" rel="noopener noreferrer">Link</a> </li> </ul> <h2> AWS Cloud Club Captain </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4rg6e0pxoydcbg04zyoi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4rg6e0pxoydcbg04zyoi.png" alt="Cloud club aws" width="800" height="526"></a></p> <p>AWS Cloud Clubs are student-led user groups for post-secondary students and independent learners. Led by Cloud Club Captains, these communities are open to learners aged 18+ and focus on building, sharing, and growing cloud knowledge through peer-driven activities and events.</p> <ul> <li> <strong>Requirements</strong>: Must be a post secondary student or an eligible independent learner aged 18+.</li> <li> <strong>Cost</strong>: None.</li> <li> <strong>Course Level</strong>: Community focused; targeted at individuals interested in building and leading learning communities.</li> <li> <strong>Assessment</strong>: No formal assessment. Badge levels are earned based on community activity, event organization, and overall engagement.</li> <li> <strong>Platform</strong>: <a href="https://builder.aws.com/community/cloud-clubs" rel="noopener noreferrer">Link</a> </li> </ul> <h2> AWS Support Engineer </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx68in6xmle8t6waqlthf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx68in6xmle8t6waqlthf.png" alt="AWSSupport" width="800" height="526"></a></p> <p>The AWS Support team is at the forefront of transformational technology, working with a global community of companies and developers who leverage an ever-growing portfolio of AWS services and features to run mission critical applications. These badges recognize demonstrated expertise and a deep understanding of AWS services, reflecting the ability to support, troubleshoot, and optimize complex cloud workloads at scale.</p> <ul> <li> <strong>Requirements</strong>: Being an AWS active employee. And pass a curated course compromising of level 300 laboratories.</li> <li> <strong>Cost</strong>: None.</li> <li> <strong>Course Level</strong>: For advances engineers with a deep understanding of services in the area of support</li> <li> <strong>Assessment</strong>: An SME Assesment.</li> <li> <strong>Platform</strong>: <a href="https://www.credly.com/organizations/aws-support-engineering/badges" rel="noopener noreferrer">Link</a> </li> </ul> <h2> AWS Worldwide Field Enablement </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flfujgz879a6o7gn2lisl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flfujgz879a6o7gn2lisl.png" alt="AWSWRO" width="800" height="526"></a></p> <p>The WWFE mission is to enable the AWS field organization to be the most efficient in the world by empowering sellers to focus their time where it matters most helping customers succeed. This is achieved through the delivery of efficient tools and streamlined processes, timely and relevant customer data, and best in class training and enablement, ensuring sellers can provide exceptional customer experiences and positioning AWS as the place where top sellers want to work. AWS employees that earn the accreditation badge has demonstrated foundational industry domain knowledge, an understanding of financial services customer outcomes, and familiarity with AWS industry solution areas.</p> <ul> <li> <strong>Requirements</strong>: Must be an active AWS employee.</li> <li> <strong>Cost</strong>: None.</li> <li> <strong>Course Level</strong>: Targeted to individuals working within a specific industry domain.</li> <li> <strong>Assessment</strong>: No formal assessment required.</li> <li> <strong>Platform</strong>: <a href="https://aws.highspot.com/signin" rel="noopener noreferrer">Link</a> </li> </ul> <h2> AWS Builders League </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdxdklxcrolssynejd6dv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdxdklxcrolssynejd6dv.png" alt="AWS Builders League" width="800" height="526"></a></p> <p>Builders League (BL) is a 4-6 month event where customers compete in a gamified environment through AWS GameDays, Immersion Days, Certification Challenges, Workshops, and other activities. Solutions Architect, Training &amp; Certification, and Marketing teams leverage the league to increase technical expertise in AWS services, best practices, and architecture patterns through chaos engineering challenges and Skill Builder learning plans. It aims to increase customer AWS certifications, build a technical community for sharing AWS-related queries, and enhance Skill Builder platform knowledge.</p> <ul> <li> <strong>Requirements</strong>: Needs to be part of APN of Latin America.</li> <li> <strong>Cost</strong>: None.</li> <li> <strong>Course Level</strong>: Intermediate to advanced; targeted to technical AWS practitioners.</li> <li> <strong>Assessment</strong>: No formal assessment required; participation and challenges are gamified through point accumulation.</li> <li> <strong>Platform</strong>: <a href="https://d1fyro91017eon.cloudfront.net/FAQ.html" rel="noopener noreferrer">Builders League</a> Virtual AWS-hosted environments and online events (GameDays, Immersion Days, Webinars).</li> </ul> <h2> AWS AWSome Awards </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F725hgbm5aihwuvmf1ifg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F725hgbm5aihwuvmf1ifg.png" alt="AWSome" width="800" height="526"></a></p> <p>The AWSome Award program recognizes individuals who exemplify Amazon’s Leadership Principles and deliver extraordinary customer outcomes over the course of a year.</p> <ul> <li> <strong>Requirements</strong>: Must be an active AWS employee.</li> <li> <strong>Cost</strong>: None.</li> <li> <strong>Course Level</strong>: Not applicable.</li> <li> <strong>Assessment</strong>: No formal assessment required. Recipients must consistently perform at the highest level in their role, raise the bar through their contributions, deliver extraordinary customer outcomes, and be selected by their respective organizational leader.</li> <li> <strong>Platform</strong>: <a href="https://www.credly.com/organizations/aws-awsome-awards/badges" rel="noopener noreferrer">AWS Private</a> </li> </ul> <h2> Other Badges </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjca66c7jr6mxqt1mheyf.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjca66c7jr6mxqt1mheyf.jpg" alt="Other Badges" width="800" height="526"></a></p> <p>Don't forget to gather all your emails in one credly account, you can find the option in settings.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe3tf7q1eiiqhrki6afn9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe3tf7q1eiiqhrki6afn9.png" alt="Credly" width="800" height="586"></a><br> Stuck at an assesment question ? Feel free to check <a href="https://github.com/bdllerena/aws-badge-assessments-quizzes" rel="noopener noreferrer">this</a></p> todayilearned beginners todayisearched aws David💻 Sat, 18 Oct 2025 23:55:12 +0000 https://forem.com/davidshaek/implementing-a-secure-data-governance-architecture-on-aws-with-s3-glue-athena-and-lake-formation-30gb https://forem.com/davidshaek/implementing-a-secure-data-governance-architecture-on-aws-with-s3-glue-athena-and-lake-formation-30gb <p>This article explains how to built a secure and fully auditable data governance architecture using AWS S3, Glue, CloudTrail, Lake Formation, and Amazon Quick Suite</p> <p>This design ensures data organization, encryption, version control, access restriction, and advanced traceability, while enabling analytical queries and dashboards through Athena and Quick Suite</p> <p><strong>Requirements</strong></p> <ul> <li>AWS account</li> <li>CSV files with data</li> </ul> <h2> The proposed architecture </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flnx1ftjhtxx040b9fbrf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flnx1ftjhtxx040b9fbrf.png" alt="Architecture" width="800" height="384"></a></p> <h2> Walkthrough </h2> <p>The goal is to build a centralized S3-based data lake that manages raw, processed, and sensitive data securely.<br> Our main bucket can be called as <code>company-data-governance-raw</code></p> <p>Inside our bucket we follow this folder structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>company-data-governance-raw/ ├── raw/ │ ├── clientes/ │ ├── transacciones/ │ └── productos/ │ ├── processed/ │ ├── clientes/ │ └── transacciones/ │ └── sensible=no/ │ ├── sensitive/ │ ├── athena/ │ └── logs/ └── s3-access/ </code></pre> </div> <p>Inside raw folder we will have these respective csv files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>clientes.csv cliente_id,nombre,email,tarjeta_credito,region,unidad_negocio 1,Juan Perez,juan@email.com,4532-1234-5678-9010,LATAM,Ventas 2,Maria Lopez,maria@email.com,5425-2345-6789-0123,LATAM,Marketing 3,Carlos Ruiz,carlos@email.com,3782-3456-7890-1234,NORTE,Ventas 4,Ana Torres,ana@email.com,6011-4567-8901-2345,EUROPA,IT 5,Luis Garcia,luis@email.com,4916-5678-9012-3456,LATAM,Finanzas </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>transaccion_id,cliente_id,monto,fecha,tipo,sensible 1001,1,150.50,2025-10-01,compra,no 1002,2,320.75,2025-10-02,compra,no 1003,3,89.99,2025-10-03,devolucion,no 1004,1,1500.00,2025-10-04,compra,si 1005,4,45.20,2025-10-05,compra,no </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>producto_id,nombre,precio,categoria,stock 101,Laptop,899.99,Tecnologia,50 102,Mouse,25.99,Tecnologia,200 103,Teclado,45.50,Tecnologia,150 104,Monitor,299.99,Tecnologia,75 105,Webcam,79.99,Tecnologia,100 </code></pre> </div> <p>This organization keeps every dataset in its right lifecycle stage, from ingestion to analysis.</p> <h2> S3 Configuration and Security Controls </h2> <p>When creating the bucket:</p> <p>✅ Block all public access</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft4weq5ts7xgswnuswaxx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft4weq5ts7xgswnuswaxx.png" alt="Block s3 access" width="800" height="170"></a></p> <p>✅ Enable versioning to preserve data integrity and restore older versions</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydl7dm2h5100qc6gdti6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydl7dm2h5100qc6gdti6.png" alt="Bucket Versioning" width="800" height="192"></a></p> <p>✅ Enable MFA Delete to prevent accidental or unauthorized deletions</p> <p>✅ Enable encryption in transit and at rest (S3 SSE-S3 or SSE-KMS with your own CMK)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0w5xiq8rxcddf8nwjsfj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0w5xiq8rxcddf8nwjsfj.png" alt="Encryption" width="800" height="166"></a></p> <p>Using AWS KMS allows symmetric encryption under your control, essential for sensitive workloads.</p> <h2> S3 Bucket Policy – Enforcing Security </h2> <p>To harden the S3 layer, we can configure our bucket policy with these three key rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::company-data-governance-raw/*", "arn:aws:s3:::company-data-governance-raw" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } } }, { "Sid": "RestrictSensitiveData", "Effect": "Deny", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::company-data-governance-raw/sensitive/*", "Condition": { "StringNotEquals": { "aws:PrincipalArn": [ "arn:aws:iam::&lt;account-id&gt;:user/&lt;user-or-role&gt;", "arn:aws:iam::&lt;account-id&gt;:role/AWSGlueServiceRole-GobiernoDatos" ] } } }, { "Sid": "S3PolicyStmt-DO-NOT-MODIFY-1760725108745", "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::company-data-governance-raw/*", "Condition": { "StringEquals": { "aws:SourceAccount": "&lt;your-account-id" } } } ] } </code></pre> </div> <p>What this does, denies HTTP requests only HTTPS traffic is allowed.</p> <p>Restricts access to /sensitive/ only for a specific IAM user and Glue role. Grants S3 logging service permission to write access logs only from the same AWS account. This combination provides network level encryption, identity based access control, and logging integrity.</p> <h2> Enabling Access Logging </h2> <p>Enabling S3 server access logging is essential for auditing who accessed what. Logs from all requests (user or programmatic) are stored under /logs/s3-access/ inside the same bucket, ensuring full traceability of every data operation.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fybws5103msf26a8967j6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fybws5103msf26a8967j6.png" alt="Access log s3" width="800" height="150"></a></p> <h2> Building the Data Catalog in AWS Glue </h2> <p>After uploading your data into the appropriate folders, the next step is to catalog it. Go to AWS Glue → Data Catalog → Databases</p> <p>Create a new database named <code>data_governance_catalog</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo20p7zinfccoiocmuw6g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo20p7zinfccoiocmuw6g.png" alt="aws glue database" width="800" height="344"></a></p> <p>Then create a crawler that will scan your S3 bucket and automatically build table schemas.</p> <p>Steps:</p> <ul> <li>Crawler name: company-crawler-governance-data-raw</li> <li>Create a new IAM role: DataGovernance</li> <li>Choose the database data_governance_catalog as target</li> <li>Run the crawler on demand</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fclxdw4ayzjqccr7ikiim.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fclxdw4ayzjqccr7ikiim.png" alt="Crawler" width="800" height="494"></a></p> <p>Once it finishes, you’ll see three tables reflecting your S3 folder structure (clientes, transacciones, productos).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foebedfqzy9c6csht1jmm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foebedfqzy9c6csht1jmm.png" alt="Tags in table" width="800" height="406"></a></p> <h2> Adding Traceability with AWS CloudTrail </h2> <p>Security doesn’t stop at encryption. We also need visibility into every read and write operation.</p> <p>In CloudTrail → Trails, select your primary trail and enable Data Events for S3. This allows auditing of operations like GetObject and PutObject inside the bucket. CloudTrail logs will now show who accessed which file and when, ensuring compliance and audit readiness</p> <h2> Applying Data Access Controls with Lake Formation </h2> <p>For column level and row level permissions, we can use AWS Lake Formation Filters. Go to Lake Formation → Data Filters → Create new filter</p> <p>Filter name: data-governance-filters</p> <ul> <li>Select your data catalog and focus on sensitive columns in the clientes table (e.g., credit card holder details)</li> <li>Column filters: hide entire sensitive columns</li> <li>Row filters: restrict specific data rows</li> <li>Then, under Permissions, define Grants to control who can see what.</li> <li>For example, deny the Glue role and the current user access to columns marked as sensitive.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkta3r91gk5g9qfupfsan.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkta3r91gk5g9qfupfsan.png" alt="Filters datalake" width="800" height="640"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Figf7o4ixb5487q8nrx1j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Figf7o4ixb5487q8nrx1j.png" alt="Row filters" width="800" height="294"></a></p> <p>After applying the filter, running queries via Athena will show masked results for those restricted columns.</p> <h2> Querying Data with Amazon Athena </h2> <p>Now we can query the cataloged data using Athena, which automatically integrates with Glue. When executing a query, Athena respects Lake Formation permissions sensitive columns are hidden for restricted users, and queries run against optimized Parquet data under /processed/.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SELECT * FROM data_governance_catalog.clientes; </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzh3wc3jna2o123vwh171.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzh3wc3jna2o123vwh171.png" alt="Query results" width="800" height="323"></a></p> <p>Results are stored in the /athena/ folder, ready to visualize in Quick suite.</p> <h2> Visualizing Insights with Amazon QuickSight </h2> <p>To visualize and share insights. Open QuickSight → New Analysis</p> <ul> <li>Choose Athena as the data source</li> <li>Select the data_governance_catalog</li> <li>Build dashboards using your filtered datasets</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F173lozww29mpxndrqrbk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F173lozww29mpxndrqrbk.png" alt="Athena sources" width="800" height="384"></a></p> <p>Example visualizations:</p> <ul> <li>Customers by region</li> <li>Predicted transactions per segment</li> <li>Sensitive data audit summaries Quick Suite connects seamlessly with Athena, ensuring that governance rules continue to apply even at the visualization layer.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqd5ovkqjvujh7c2m04p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqd5ovkqjvujh7c2m04p.png" alt="Source tables" width="800" height="661"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgqt2ilpjrwgk4w9jb714.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgqt2ilpjrwgk4w9jb714.png" alt="Result dashboards" width="800" height="328"></a></p> <h2> Cost Estimation </h2> <p>Here’s an approximate monthly cost breakdown for a moderate workload:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th><strong>Component</strong></th> <th><strong>Usage Assumption</strong></th> <th><strong>Estimated / Month (USD)</strong></th> </tr> </thead> <tbody> <tr> <td>S3 Storage</td> <td>500 GB (Standard)</td> <td>$11.50</td> </tr> <tr> <td>S3 Requests</td> <td>Moderate GET/PUT traffic</td> <td>$8.00</td> </tr> <tr> <td>CloudTrail Data Events</td> <td>25 M events</td> <td>$25.00</td> </tr> <tr> <td>Glue Data Catalog</td> <td>20k objects / 1 M requests</td> <td>$1.20</td> </tr> <tr> <td>Glue Crawler</td> <td>~0.3 h/day (≈ 9 DPU-h)</td> <td>$4.00</td> </tr> <tr> <td>Glue ETL (light)</td> <td>≈ 9 DPU-h/month</td> <td>$4.00</td> </tr> <tr> <td>Athena Queries</td> <td>3 TB scanned/month</td> <td>$15.00</td> </tr> <tr> <td>CloudWatch Alarms</td> <td>5 alarms</td> <td>$0.50</td> </tr> <tr> <td>QuickSight (Enterprise)</td> <td>1 author + 1 reader + 5 GB SPICE</td> <td>$30.90</td> </tr> <tr> <td><strong>Total Estimated Cost</strong></td> <td></td> <td><strong>≈ $100.10 / month</strong></td> </tr> </tbody> </table></div> <p>A compact and cost efficient solution for complete data governance.</p> <h2> Conclusion </h2> <p>This architecture provides a secure, auditable, and scalable data governance foundation built entirely with managed AWS services.<br> From S3 encryption to Lake Formation filters and QuickSight dashboards, every layer enforces security, traceability, and performance. We can easily extend this solution by:</p> <ul> <li>Adding Glue ETL jobs for automated transformations</li> <li>Integrating with Amazon Redshift for advanced analytics</li> <li>Applying AWS Macie for sensitive data discovery</li> </ul> <p>If you’re building a data lake or starting a governance project, this structure provides a strong and repeatable foundation for compliance ready analytics in AWS.</p> data awsdatalake todayilearned aws David💻 Sun, 05 Oct 2025 15:59:44 +0000 https://forem.com/davidshaek/implementing-owin-authentication-and-roles-for-appservice-in-aspnet-framework-33og https://forem.com/davidshaek/implementing-owin-authentication-and-roles-for-appservice-in-aspnet-framework-33og <p>This article purpose is to describe how to secure our ASP.NET Framework application following a layer structure using OWIN as a middleware and Microsoft Entra ID. This comprehensive guide walks you through the creation of an App that will be published to Azure App Service.</p> <p><strong>Requirements</strong></p> <ul> <li>Visual Studio 2022</li> <li>Azure Subscription</li> </ul> <h2> Walkthrough </h2> <h3> Creating the App Service </h3> <p>Within our Azure subscription, we will create an App Service of type Web App.<br> In the template, we will fill in basic data:</p> <ul> <li>Select our Azure subscription</li> <li>Create a resource group if one doesn't already exist</li> <li>Give our application a name</li> <li>We will publish the code directly from Visual Studio 2022</li> <li>Our Runtime will be ASP.NET V4.8</li> <li>Choose the Region and plan that best suits our needs</li> <li>For this example, we will select a less crowded region and proceed with the Free plan</li> </ul> <p>Proceed with the "Review + Create" option.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd1w5iuyv9hbwmsx8wua1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd1w5iuyv9hbwmsx8wua1.png" alt="image1" width="800" height="789"></a></p> <h3> Configuring the Default Domain </h3> <p>After our service has been created, we will navigate to the dashboard and copy the "Default Domain" value.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Few7a6ye9eq4a9o9zk1v6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Few7a6ye9eq4a9o9zk1v6.png" alt="image2" width="800" height="132"></a></p> <h3> Registering the Application in Microsoft Entra ID </h3> <p>Now we will navigate within our Azure Portal to Microsoft Entra ID &gt; Manage &gt; App Registrations.<br> Within this window, we will register the application by clicking the "New Registration" option.</p> <p>In this window, we will:</p> <ul> <li>Register the name of our application</li> <li>Define which Tenants can access the application</li> <li>Register the URI by copying the App Service application URL as "Web"</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffxrbhj7qlwkb2alng95n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffxrbhj7qlwkb2alng95n.png" alt="image3" width="800" height="571"></a></p> <h3> Configuring Authentication </h3> <p>After having our application registered, in the same dashboard of our registered application, we navigate to Manage &gt; Authentication.</p> <p>In this window, we will activate the following options:</p> <ul> <li>ID tokens (used for implicit and hybrid flows)</li> <li>Access tokens (used for implicit and hybrid flows)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2q039vixomotx022ren1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2q039vixomotx022ren1.png" alt="image4" width="800" height="372"></a></p> <h3> Creating the Application in Visual Studio 2022 </h3> <p>We will create a new project with the following template:</p> <ul> <li>ASP.NET Web Application (.NET Framework)</li> <li>Select runtime: .NET Framework 4.8</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fly15gxm91pb7n9bjdl6m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fly15gxm91pb7n9bjdl6m.png" alt="image5" width="800" height="162"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4skn5y4kk3a1l90dw4xv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4skn5y4kk3a1l90dw4xv.png" alt="image6" width="800" height="542"></a></p> <p>In the next window:</p> <ul> <li>Select type: Empty &amp; Web Api</li> <li>Authentication: None</li> </ul> <h3> Installing Required Dependencies </h3> <p>Now we will proceed to install the necessary dependencies to run the project. Within the project:</p> <p>Right-click &gt; Manage NuGet Packages for Solution</p> <p>Search for and install the following packages:</p> <ul> <li>System.Linq;</li> <li>System.Security.Claims;</li> <li>Microsoft.IdentityModel.Protocols.OpenIdConnect;</li> <li>Microsoft.IdentityModel.Tokens;</li> <li>Microsoft.Owin.Host.SystemWeb;</li> <li>Microsoft.Owin.Security;</li> <li>Microsoft.Owin.Security.Cookies;</li> <li>Microsoft.Owin.Security.OpenIdConnect;</li> <li>Owin;</li> <li>System.Configuration;</li> <li>System.IdentityModel.Tokens.Jwt;</li> <li>Microsoft.Owin;</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxo87obgtp72rb7n7ldlf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxo87obgtp72rb7n7ldlf.png" alt="image8" width="800" height="573"></a></p> <h3> Modifying Web.Config </h3> <p>After installing our dependencies, we start by modifying the Web.Config file.<br> Within appSettings, we proceed to modify the following values. </p> <p>From Microsoft Entra ID, in App registrations, we look for our application and copy the following values:</p> <ul> <li>ClientID</li> <li>TenantID</li> <li>RedirectUri (that we configured in App Service)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F39tgh9kah0n14khrc387.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F39tgh9kah0n14khrc387.png" alt="image8" width="800" height="152"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;appSettings&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"webpages:Version"</span> <span class="na">value=</span><span class="s">"3.0.0.0"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"webpages:Enabled"</span> <span class="na">value=</span><span class="s">"false"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"ClientValidationEnabled"</span> <span class="na">value=</span><span class="s">"true"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"UnobtrusiveJavaScriptEnabled"</span> <span class="na">value=</span><span class="s">"true"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"ida:ClientId"</span> <span class="na">value=</span><span class="s">"&lt;your-client-id&gt;"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"ida:TenantId"</span> <span class="na">value=</span><span class="s">"&lt;your-tenant-id&gt;"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"ida:Authority"</span> <span class="na">value=</span><span class="s">"https://login.microsoftonline.com/&lt;your-tenant-id&gt;/v2.0"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"ida:RedirectUri"</span> <span class="na">value=</span><span class="s">"https://&lt;your-application&gt;.azurewebsites.net/"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/appSettings&gt;</span> <span class="nt">&lt;system.web&gt;</span> <span class="nt">&lt;authentication</span> <span class="na">mode=</span><span class="s">"None"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;compilation</span> <span class="na">debug=</span><span class="s">"true"</span> <span class="na">targetFramework=</span><span class="s">"4.8"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;httpRuntime</span> <span class="na">targetFramework=</span><span class="s">"4.8"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;customErrors</span> <span class="na">mode=</span><span class="s">"Off"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/system.web&gt;</span> <span class="nt">&lt;system.webServer&gt;</span> <span class="nt">&lt;modules&gt;</span> <span class="nt">&lt;remove</span> <span class="na">name=</span><span class="s">"FormsAuthentication"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/modules&gt;</span> <span class="nt">&lt;/system.webServer&gt;</span> </code></pre> </div> <h3> Creating Startup.cs </h3> <p>Now we will proceed with the creation of a file in the root called <code>Startup.cs</code> which is the entry point of an ASP.NET application that uses OWIN; it’s where we define how our app boots up and handles requests.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">System.Web.Http</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Owin</span><span class="p">;</span> <span class="p">[</span><span class="n">assembly</span><span class="p">:</span> <span class="n">Microsoft</span><span class="p">.</span><span class="n">Owin</span><span class="p">.</span><span class="nf">OwinStartup</span><span class="p">(</span><span class="k">typeof</span><span class="p">(</span><span class="n">TestOwinRoles</span><span class="p">.</span><span class="n">Startup</span><span class="p">))]</span> <span class="k">namespace</span> <span class="nn">OwinAuthApp</span> <span class="p">{</span> <span class="k">public</span> <span class="k">partial</span> <span class="k">class</span> <span class="nc">Startup</span> <span class="p">{</span> <span class="k">public</span> <span class="k">void</span> <span class="nf">Configuration</span><span class="p">(</span><span class="n">IAppBuilder</span> <span class="n">app</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// auth middleware</span> <span class="nf">ConfigureAuth</span><span class="p">(</span><span class="n">app</span><span class="p">);</span> <span class="c1">// web API</span> <span class="kt">var</span> <span class="n">config</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">HttpConfiguration</span><span class="p">();</span> <span class="c1">// attribute routing (required for [Route]/[RoutePrefix])</span> <span class="n">config</span><span class="p">.</span><span class="nf">MapHttpAttributeRoutes</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseWebApi</span><span class="p">(</span><span class="n">config</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Creating Startup.Auth.cs </h3> <p>Now we will proceed with the creation of a file in the folder <code>App_start</code> called <code>Startup.Auth.cs</code> which is where our app’s sign-in is set up. It reads our Azure Entra ID settings, turns on cookie authentication so users stay logged in, and enables OpenID Connect so the Microsoft login page is used for authentication. It also fine tunes claims: it keeps the "roles" claim intact, maps those roles so <code>User.IsInRole(...)</code> works.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">System.Linq</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Security.Claims</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.IdentityModel.Protocols.OpenIdConnect</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.IdentityModel.Tokens</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Owin.Host.SystemWeb</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Owin.Security</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Owin.Security.Cookies</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Owin.Security.OpenIdConnect</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Owin</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Configuration</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.IdentityModel.Tokens.Jwt</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Owin</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">OwinAuthApp</span> <span class="p">{</span> <span class="k">public</span> <span class="k">partial</span> <span class="k">class</span> <span class="nc">Startup</span> <span class="p">{</span> <span class="k">public</span> <span class="k">void</span> <span class="nf">ConfigureAuth</span><span class="p">(</span><span class="n">IAppBuilder</span> <span class="n">app</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">clientId</span> <span class="p">=</span> <span class="n">ConfigurationManager</span><span class="p">.</span><span class="n">AppSettings</span><span class="p">[</span><span class="s">"ida:ClientId"</span><span class="p">];</span> <span class="kt">var</span> <span class="n">authority</span> <span class="p">=</span> <span class="n">ConfigurationManager</span><span class="p">.</span><span class="n">AppSettings</span><span class="p">[</span><span class="s">"ida:Authority"</span><span class="p">];</span> <span class="kt">var</span> <span class="n">redirectUri</span> <span class="p">=</span> <span class="n">ConfigurationManager</span><span class="p">.</span><span class="n">AppSettings</span><span class="p">[</span><span class="s">"ida:RedirectUri"</span><span class="p">];</span> <span class="n">JwtSecurityTokenHandler</span><span class="p">.</span><span class="n">DefaultMapInboundClaims</span> <span class="p">=</span> <span class="k">false</span><span class="p">;</span> <span class="n">app</span><span class="p">.</span><span class="nf">SetDefaultSignInAsAuthenticationType</span><span class="p">(</span><span class="n">CookieAuthenticationDefaults</span><span class="p">.</span><span class="n">AuthenticationType</span><span class="p">);</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseCookieAuthentication</span><span class="p">(</span><span class="k">new</span> <span class="n">CookieAuthenticationOptions</span> <span class="p">{</span> <span class="n">AuthenticationType</span> <span class="p">=</span> <span class="n">CookieAuthenticationDefaults</span><span class="p">.</span><span class="n">AuthenticationType</span><span class="p">,</span> <span class="n">CookieName</span> <span class="p">=</span> <span class="s">"OwinAuthApp"</span><span class="p">,</span> <span class="n">CookieSecure</span> <span class="p">=</span> <span class="n">CookieSecureOption</span><span class="p">.</span><span class="n">Always</span><span class="p">,</span> <span class="n">CookieSameSite</span> <span class="p">=</span> <span class="n">SameSiteMode</span><span class="p">.</span><span class="n">None</span><span class="p">,</span> <span class="n">ExpireTimeSpan</span> <span class="p">=</span> <span class="n">System</span><span class="p">.</span><span class="n">TimeSpan</span><span class="p">.</span><span class="nf">FromHours</span><span class="p">(</span><span class="m">1</span><span class="p">),</span> <span class="n">SlidingExpiration</span> <span class="p">=</span> <span class="k">true</span><span class="p">,</span> <span class="n">CookieManager</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">SystemWebCookieManager</span><span class="p">()</span> <span class="p">});</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseOpenIdConnectAuthentication</span><span class="p">(</span><span class="k">new</span> <span class="n">OpenIdConnectAuthenticationOptions</span> <span class="p">{</span> <span class="n">ClientId</span> <span class="p">=</span> <span class="n">clientId</span><span class="p">,</span> <span class="n">Authority</span> <span class="p">=</span> <span class="n">authority</span><span class="p">,</span> <span class="n">RedirectUri</span> <span class="p">=</span> <span class="n">redirectUri</span><span class="p">,</span> <span class="n">PostLogoutRedirectUri</span> <span class="p">=</span> <span class="n">redirectUri</span><span class="p">,</span> <span class="n">Scope</span> <span class="p">=</span> <span class="n">OpenIdConnectScope</span><span class="p">.</span><span class="n">OpenIdProfile</span><span class="p">,</span> <span class="n">ResponseType</span> <span class="p">=</span> <span class="n">OpenIdConnectResponseType</span><span class="p">.</span><span class="n">IdToken</span><span class="p">,</span> <span class="n">TokenValidationParameters</span> <span class="p">=</span> <span class="k">new</span> <span class="n">TokenValidationParameters</span> <span class="p">{</span> <span class="n">ValidateIssuer</span> <span class="p">=</span> <span class="k">false</span><span class="p">,</span> <span class="n">NameClaimType</span> <span class="p">=</span> <span class="s">"name"</span><span class="p">,</span> <span class="n">RoleClaimType</span> <span class="p">=</span> <span class="s">"roles"</span> <span class="p">},</span> <span class="n">CookieManager</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">SystemWebCookieManager</span><span class="p">(),</span> <span class="n">Notifications</span> <span class="p">=</span> <span class="k">new</span> <span class="n">OpenIdConnectAuthenticationNotifications</span> <span class="p">{</span> <span class="n">SecurityTokenValidated</span> <span class="p">=</span> <span class="n">context</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">id</span> <span class="p">=</span> <span class="p">(</span><span class="n">ClaimsIdentity</span><span class="p">)</span><span class="n">context</span><span class="p">.</span><span class="n">AuthenticationTicket</span><span class="p">.</span><span class="n">Identity</span><span class="p">;</span> <span class="kt">var</span> <span class="n">v2Roles</span> <span class="p">=</span> <span class="n">id</span><span class="p">.</span><span class="nf">FindAll</span><span class="p">(</span><span class="s">"roles"</span><span class="p">).</span><span class="nf">Select</span><span class="p">(</span><span class="n">c</span> <span class="p">=&gt;</span> <span class="n">c</span><span class="p">.</span><span class="n">Value</span><span class="p">).</span><span class="nf">ToList</span><span class="p">();</span> <span class="k">foreach</span> <span class="p">(</span><span class="kt">var</span> <span class="n">r</span> <span class="k">in</span> <span class="n">v2Roles</span><span class="p">)</span> <span class="n">id</span><span class="p">.</span><span class="nf">AddClaim</span><span class="p">(</span><span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">ClaimTypes</span><span class="p">.</span><span class="n">Role</span><span class="p">,</span> <span class="n">r</span><span class="p">));</span> <span class="c1">// this through the route /token exposes the JWT token for debugging purposes</span> <span class="kt">var</span> <span class="n">raw</span> <span class="p">=</span> <span class="n">context</span><span class="p">.</span><span class="n">ProtocolMessage</span><span class="p">.</span><span class="n">IdToken</span><span class="p">;</span> <span class="k">if</span> <span class="p">(!</span><span class="kt">string</span><span class="p">.</span><span class="nf">IsNullOrEmpty</span><span class="p">(</span><span class="n">raw</span><span class="p">))</span> <span class="n">id</span><span class="p">.</span><span class="nf">AddClaim</span><span class="p">(</span><span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="s">"raw_id_token"</span><span class="p">,</span> <span class="n">raw</span><span class="p">));</span> <span class="k">return</span> <span class="n">System</span><span class="p">.</span><span class="n">Threading</span><span class="p">.</span><span class="n">Tasks</span><span class="p">.</span><span class="n">Task</span><span class="p">.</span><span class="nf">FromResult</span><span class="p">(</span><span class="m">0</span><span class="p">);</span> <span class="p">},</span> <span class="n">RedirectToIdentityProvider</span> <span class="p">=</span> <span class="n">context</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="c1">// force re-login only when you explicitly ask: ?relogin=1</span> <span class="k">if</span> <span class="p">(</span><span class="n">context</span><span class="p">.</span><span class="n">ProtocolMessage</span><span class="p">.</span><span class="n">RequestType</span> <span class="p">==</span> <span class="n">OpenIdConnectRequestType</span><span class="p">.</span><span class="n">Authentication</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="s">"1"</span><span class="p">.</span><span class="nf">Equals</span><span class="p">(</span><span class="n">context</span><span class="p">.</span><span class="n">OwinContext</span><span class="p">.</span><span class="n">Request</span><span class="p">.</span><span class="n">Query</span><span class="p">.</span><span class="nf">Get</span><span class="p">(</span><span class="s">"relogin"</span><span class="p">)))</span> <span class="p">{</span> <span class="n">context</span><span class="p">.</span><span class="n">ProtocolMessage</span><span class="p">.</span><span class="n">Prompt</span> <span class="p">=</span> <span class="s">"login"</span><span class="p">;</span> <span class="n">context</span><span class="p">.</span><span class="n">ProtocolMessage</span><span class="p">.</span><span class="n">MaxAge</span> <span class="p">=</span> <span class="s">"0"</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">System</span><span class="p">.</span><span class="n">Threading</span><span class="p">.</span><span class="n">Tasks</span><span class="p">.</span><span class="n">Task</span><span class="p">.</span><span class="nf">FromResult</span><span class="p">(</span><span class="m">0</span><span class="p">);</span> <span class="p">},</span> <span class="n">AuthenticationFailed</span> <span class="p">=</span> <span class="n">context</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">System</span><span class="p">.</span><span class="n">Diagnostics</span><span class="p">.</span><span class="n">Trace</span><span class="p">.</span><span class="nf">TraceError</span><span class="p">(</span><span class="s">"OIDC Auth Failed: "</span> <span class="p">+</span> <span class="n">context</span><span class="p">.</span><span class="n">Exception</span><span class="p">);</span> <span class="n">context</span><span class="p">.</span><span class="nf">HandleResponse</span><span class="p">();</span> <span class="kt">var</span> <span class="n">msg</span> <span class="p">=</span> <span class="n">System</span><span class="p">.</span><span class="n">Uri</span><span class="p">.</span><span class="nf">EscapeDataString</span><span class="p">(</span><span class="n">context</span><span class="p">.</span><span class="n">Exception</span><span class="p">.</span><span class="n">Message</span><span class="p">);</span> <span class="n">context</span><span class="p">.</span><span class="n">Response</span><span class="p">.</span><span class="nf">Redirect</span><span class="p">(</span><span class="s">"/error.html?message="</span> <span class="p">+</span> <span class="n">msg</span><span class="p">);</span> <span class="k">return</span> <span class="n">System</span><span class="p">.</span><span class="n">Threading</span><span class="p">.</span><span class="n">Tasks</span><span class="p">.</span><span class="n">Task</span><span class="p">.</span><span class="nf">FromResult</span><span class="p">(</span><span class="m">0</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now we are going to create some roles to test our app. For this we go into Azure portal &gt; App registration &gt; Our App &gt; Manifest &gt; AppRoles</p> <p>Inside our manifest which should be a json object create the following roles:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="nl">"appRoles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allowedMemberTypes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"User"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Regular users"</span><span class="p">,</span><span class="w"> </span><span class="nl">"displayName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"User"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"00000000-0000-0000-0000-000000000002"</span><span class="p">,</span><span class="w"> </span><span class="nl">"isEnabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"origin"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Application"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"User"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allowedMemberTypes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"User"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Administrators can do admin things"</span><span class="p">,</span><span class="w"> </span><span class="nl">"displayName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"00000000-0000-0000-0000-000000000001"</span><span class="p">,</span><span class="w"> </span><span class="nl">"isEnabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"origin"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Application"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Admin"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="err">,</span><span class="w"> </span></code></pre> </div> <p>Now still at Azure portal &gt; Enterprise Application &gt; Our App &gt; Users and groups &gt; Add user/group<br> Here we will assign our tenant users into the previously created roles</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2gwhy4rmthaszd5p7mur.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2gwhy4rmthaszd5p7mur.png" alt="RolesAzure" width="800" height="208"></a></p> <h3> Creating Controllers </h3> <p>Now we proceed to create a controller which will expose our API routes. Create the file <code>SecureController.cs</code> inside the folder Controllers.</p> <p>In this controller we will expose 4 API's which we should access like: https://.azurewebsites.net/api/secure/</p> <ul> <li>info: Expose the current user authenticated and current role</li> <li>claims: Expose all current claims with type-value</li> <li>token: Expose the JWT token for the session</li> <li>test: A simple endpoint to test if the application is up </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">System</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Linq</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Security.Claims</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Web.Http</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">OwinAuthApp.Controllers</span> <span class="p">{</span> <span class="p">[</span><span class="n">Authorize</span><span class="p">]</span> <span class="p">[</span><span class="nf">RoutePrefix</span><span class="p">(</span><span class="s">"api/secure"</span><span class="p">)]</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">SecureController</span> <span class="p">:</span> <span class="n">ApiController</span> <span class="p">{</span> <span class="p">[</span><span class="n">HttpGet</span><span class="p">]</span> <span class="p">[</span><span class="nf">Route</span><span class="p">(</span><span class="s">"info"</span><span class="p">)]</span> <span class="k">public</span> <span class="n">IHttpActionResult</span> <span class="nf">GetInfo</span><span class="p">()</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">id</span> <span class="p">=</span> <span class="n">User</span><span class="p">?.</span><span class="n">Identity</span> <span class="k">as</span> <span class="n">ClaimsIdentity</span><span class="p">;</span> <span class="kt">var</span> <span class="n">rolesV2</span> <span class="p">=</span> <span class="n">id</span><span class="p">?.</span><span class="nf">FindAll</span><span class="p">(</span><span class="s">"roles"</span><span class="p">).</span><span class="nf">Select</span><span class="p">(</span><span class="n">c</span> <span class="p">=&gt;</span> <span class="n">c</span><span class="p">.</span><span class="n">Value</span><span class="p">).</span><span class="nf">ToArray</span><span class="p">()</span> <span class="p">??</span> <span class="k">new</span> <span class="kt">string</span><span class="p">[</span><span class="m">0</span><span class="p">];</span> <span class="kt">var</span> <span class="n">rolesV1</span> <span class="p">=</span> <span class="n">id</span><span class="p">?.</span><span class="nf">FindAll</span><span class="p">(</span><span class="n">ClaimTypes</span><span class="p">.</span><span class="n">Role</span><span class="p">).</span><span class="nf">Select</span><span class="p">(</span><span class="n">c</span> <span class="p">=&gt;</span> <span class="n">c</span><span class="p">.</span><span class="n">Value</span><span class="p">).</span><span class="nf">ToArray</span><span class="p">()</span> <span class="p">??</span> <span class="k">new</span> <span class="kt">string</span><span class="p">[</span><span class="m">0</span><span class="p">];</span> <span class="kt">var</span> <span class="n">anyRoles</span> <span class="p">=</span> <span class="n">rolesV2</span><span class="p">.</span><span class="nf">Concat</span><span class="p">(</span><span class="n">rolesV1</span><span class="p">).</span><span class="nf">Distinct</span><span class="p">().</span><span class="nf">ToArray</span><span class="p">();</span> <span class="kt">var</span> <span class="n">isAdmin</span> <span class="p">=</span> <span class="n">User</span><span class="p">.</span><span class="nf">IsInRole</span><span class="p">(</span><span class="s">"Admin"</span><span class="p">)</span> <span class="p">||</span> <span class="n">anyRoles</span><span class="p">.</span><span class="nf">Contains</span><span class="p">(</span><span class="s">"Admin"</span><span class="p">);</span> <span class="kt">var</span> <span class="n">isUser</span> <span class="p">=</span> <span class="n">User</span><span class="p">.</span><span class="nf">IsInRole</span><span class="p">(</span><span class="s">"User"</span><span class="p">)</span> <span class="p">||</span> <span class="n">anyRoles</span><span class="p">.</span><span class="nf">Contains</span><span class="p">(</span><span class="s">"User"</span><span class="p">);</span> <span class="kt">var</span> <span class="n">role</span> <span class="p">=</span> <span class="n">isAdmin</span> <span class="p">?</span> <span class="s">"Admin"</span> <span class="p">:</span> <span class="n">isUser</span> <span class="p">?</span> <span class="s">"User"</span> <span class="p">:</span> <span class="s">"Unassigned"</span><span class="p">;</span> <span class="kt">var</span> <span class="n">message</span> <span class="p">=</span> <span class="n">isAdmin</span> <span class="p">?</span> <span class="s">"Welcome, Admin!"</span> <span class="p">:</span> <span class="n">isUser</span> <span class="p">?</span> <span class="s">"Hello, User!"</span> <span class="p">:</span> <span class="s">"You don’t have a role yet. Please contact an administrator."</span><span class="p">;</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">isAuthenticated</span> <span class="p">=</span> <span class="n">id</span><span class="p">?.</span><span class="n">IsAuthenticated</span> <span class="p">??</span> <span class="k">false</span><span class="p">,</span> <span class="n">userName</span> <span class="p">=</span> <span class="n">id</span><span class="p">?.</span><span class="n">Name</span> <span class="p">??</span> <span class="s">""</span><span class="p">,</span> <span class="n">authType</span> <span class="p">=</span> <span class="n">User</span><span class="p">?.</span><span class="n">Identity</span><span class="p">?.</span><span class="n">AuthenticationType</span> <span class="p">??</span> <span class="s">""</span><span class="p">,</span> <span class="n">rolesV2</span><span class="p">,</span> <span class="n">rolesV1</span><span class="p">,</span> <span class="n">role</span><span class="p">,</span> <span class="n">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpGet</span><span class="p">]</span> <span class="p">[</span><span class="nf">Route</span><span class="p">(</span><span class="s">"claims"</span><span class="p">)]</span> <span class="k">public</span> <span class="n">IHttpActionResult</span> <span class="nf">Claims</span><span class="p">()</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">ci</span> <span class="p">=</span> <span class="n">User</span><span class="p">?.</span><span class="n">Identity</span> <span class="k">as</span> <span class="n">ClaimsIdentity</span><span class="p">;</span> <span class="kt">var</span> <span class="n">claims</span> <span class="p">=</span> <span class="p">(</span><span class="n">ci</span><span class="p">?.</span><span class="n">Claims</span> <span class="p">??</span> <span class="n">Enumerable</span><span class="p">.</span><span class="n">Empty</span><span class="p">&lt;</span><span class="n">Claim</span><span class="p">&gt;())</span> <span class="p">.</span><span class="nf">Select</span><span class="p">(</span><span class="n">c</span> <span class="p">=&gt;</span> <span class="k">new</span> <span class="p">{</span> <span class="n">c</span><span class="p">.</span><span class="n">Type</span><span class="p">,</span> <span class="n">c</span><span class="p">.</span><span class="n">Value</span> <span class="p">})</span> <span class="p">.</span><span class="nf">ToList</span><span class="p">();</span> <span class="kt">var</span> <span class="n">rolesV2</span> <span class="p">=</span> <span class="p">(</span><span class="n">ci</span><span class="p">?.</span><span class="nf">FindAll</span><span class="p">(</span><span class="s">"roles"</span><span class="p">)</span> <span class="p">??</span> <span class="n">Enumerable</span><span class="p">.</span><span class="n">Empty</span><span class="p">&lt;</span><span class="n">Claim</span><span class="p">&gt;())</span> <span class="p">.</span><span class="nf">Select</span><span class="p">(</span><span class="n">c</span> <span class="p">=&gt;</span> <span class="n">c</span><span class="p">.</span><span class="n">Value</span><span class="p">).</span><span class="nf">ToArray</span><span class="p">();</span> <span class="kt">var</span> <span class="n">rolesV1</span> <span class="p">=</span> <span class="p">(</span><span class="n">ci</span><span class="p">?.</span><span class="nf">FindAll</span><span class="p">(</span><span class="n">ClaimTypes</span><span class="p">.</span><span class="n">Role</span><span class="p">)</span> <span class="p">??</span> <span class="n">Enumerable</span><span class="p">.</span><span class="n">Empty</span><span class="p">&lt;</span><span class="n">Claim</span><span class="p">&gt;())</span> <span class="p">.</span><span class="nf">Select</span><span class="p">(</span><span class="n">c</span> <span class="p">=&gt;</span> <span class="n">c</span><span class="p">.</span><span class="n">Value</span><span class="p">).</span><span class="nf">ToArray</span><span class="p">();</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">rolesV2</span><span class="p">,</span> <span class="n">rolesV1</span><span class="p">,</span> <span class="n">claimsCount</span> <span class="p">=</span> <span class="n">claims</span><span class="p">.</span><span class="n">Count</span><span class="p">,</span> <span class="n">claims</span> <span class="p">});</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpGet</span><span class="p">]</span> <span class="p">[</span><span class="nf">Route</span><span class="p">(</span><span class="s">"token"</span><span class="p">)]</span> <span class="k">public</span> <span class="n">IHttpActionResult</span> <span class="nf">GetToken</span><span class="p">()</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">ci</span> <span class="p">=</span> <span class="n">User</span> <span class="k">as</span> <span class="n">ClaimsPrincipal</span><span class="p">;</span> <span class="kt">var</span> <span class="n">token</span> <span class="p">=</span> <span class="n">ci</span><span class="p">?.</span><span class="nf">FindFirst</span><span class="p">(</span><span class="s">"raw_id_token"</span><span class="p">)?.</span><span class="n">Value</span> <span class="p">??</span> <span class="s">"(none)"</span><span class="p">;</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">id_token</span> <span class="p">=</span> <span class="n">token</span> <span class="p">});</span> <span class="p">}</span> <span class="p">[</span><span class="n">AllowAnonymous</span><span class="p">]</span> <span class="p">[</span><span class="n">HttpGet</span><span class="p">]</span> <span class="p">[</span><span class="nf">Route</span><span class="p">(</span><span class="s">"test"</span><span class="p">)]</span> <span class="k">public</span> <span class="n">IHttpActionResult</span> <span class="nf">Test</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">message</span> <span class="p">=</span> <span class="s">"Controller is working!"</span><span class="p">,</span> <span class="n">timestamp</span> <span class="p">=</span> <span class="n">DateTime</span><span class="p">.</span><span class="n">UtcNow</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Publishing to Azure </h3> <p>With our project ready, we will now proceed to publish it:</p> <ul> <li>Right-click on the project &gt; Publish &gt; Azure</li> <li>Authenticate with the user account that has access to our Azure subscription</li> <li>Select our resource group and app service</li> <li>Click Publish</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fao3kvwslstjsd5htg5v0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fao3kvwslstjsd5htg5v0.png" alt="image10" width="800" height="224"></a></p> <h2> Testing the Application </h2> <p>Finally, we verify the access:</p> <p>User authenticated but without a role</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7r0fkqkbar2q4len568v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7r0fkqkbar2q4len568v.png" alt="Role1" width="800" height="78"></a></p> <p>User authenticated with an assigned role</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi97l9kyucnt2oyap5azq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi97l9kyucnt2oyap5azq.png" alt="Role2" width="800" height="83"></a></p> <h2> Summary </h2> <p>The Startup.cs sets up the OWIN pipeline so every request passes through authentication and routing, while Startup.Auth.cs configures cookie authentication and OpenID Connect to handle Microsoft logins. We defined app roles in Entra, assigned users and guests to those roles, and mapped the "roles" claim from the ID token into the app so <code>User.IsInRole() and [Authorize(Roles=...)]</code> work correctly. The end result is a secure API where users must log in with Microsoft accounts and see different responses depending on whether they are assigned as Admin or User</p> azure programming webdev todayilearned David💻 Mon, 29 Sep 2025 02:41:55 +0000 https://forem.com/davidshaek/automating-ebs-volume-upsizing-on-aws-ok0 https://forem.com/davidshaek/automating-ebs-volume-upsizing-on-aws-ok0 <p>In this article, we’ll show how to automate EBS volume upsizing using CloudWatch alarms, SNS notifications, AWS Systems Manager runbooks, and Lambda. By the end, we will have a hands-free setup that detects when volumes are running low on space, triggers an automated workflow, and expands them without downtime, keeping our workloads running smoothly</p> <h2> The Problem </h2> <p>This solution was created so we can fix a specific problem, and that is for the workloads that are running SAP in our EC2 instances, which sometimes run out of space. However, we are very intricate with our cost. The challenge is that not all disks are mounted on the same mount point: some are under /hana/data, others are under /usr/. Also, AWS Lambda currently has no way or library to identify inside our EC2 instances which volumes we have or where they are mounted. Certainly, we can increment the disk size of an EBS volume; however, we also need to extend that storage space inside the instance. For this, we created the following automation that can be easily adapted to other disks, not only SAP solutions</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpcovtu1ad5yiji8zxzar.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpcovtu1ad5yiji8zxzar.png" alt="Architecture" width="800" height="243"></a></p> <p><strong>Requirements</strong></p> <ul> <li>AWS account / AWS CLI</li> </ul> <h2> Walkthrough </h2> <p>Before we begin, let's make sure the EBS volume that we are going to monitor is attached to an EC2 instance and has the CloudWatch agent installed. This way, we can leverage it to collect metrics</p> <h3> Accesing through Sessiong Manager </h3> <p>First, let's configure an EC2 instance so it has access to Systems Manager. In the AWS Console &gt; Search for EC2 &gt; Instances &gt; Pick your instance &gt; Security</p> <p>If the instance doesn't have an instance profile role attached, go to Actions &gt; Security &gt; Modify IAM Role</p> <p>Create a new role or use an existing one that has the policy <code>AmazonSSMManagedInstanceCore</code> attached. This role enables the instance to communicate with the AWS Systems Manager API</p> <blockquote> <p>Note: Systems Manager is already installed in instances like AL2 and AL2023. If you are using another type of AMI, you should install Systems Manager first</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsm5yudngmcc1kqjp03t6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsm5yudngmcc1kqjp03t6.png" alt="Security" width="800" height="124"></a></p> <p>Now, if our EC2 is not public or doesn't have an Elastic IP attached, we need to create VPC endpoints. For this, in the AWS Console go to &gt; VPC &gt; Endpoints &gt; Create endpoint</p> <p>Here, we need to create 3 types of endpoints in our VPC, in the subnets where our EC2 instances live<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>com.amazonaws.us-east-1.ssm com.amazonaws.us-east-1.ssmmessages com.amazonaws.us-east-1.ec2messages </code></pre> </div> <p>After picking your VPC and subnets, be sure to pick or create a SG that has the instance SG in the port 443 as the source, feel free to use the same SG for each endpoint</p> <p>After waiting some minutes this should be enough to have our instance ready ! In the AWS Console search for EC2 &gt; Connect &gt; Session Manager</p> <h3> Installing Amazon Cloudwatch Agent in EC2 AL2023 </h3> <p>We begin by downloading the RPM file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-O</span> https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>dnf <span class="nb">install</span> <span class="nt">-y</span> ./amazon-cloudwatch-agent.rpm </code></pre> </div> <p>We then execute the wizard installer, this will create a series of steps to configure the agent in our instance<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard </code></pre> </div> <p>For the first option we pick Linux. <br> On which OS are you planning to use the agent? 1. Linux<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe6597i7g1xqm9dhsx9nw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe6597i7g1xqm9dhsx9nw.png" alt="First" width="780" height="298"></a></p> <ul> <li>Trying to fetch the default region based on ec2 metadata. 1. EC2</li> <li>Which user are you planning to run the agent?. 1. cwagent</li> <li>Do you want to turn on StatsD daemon?. 2.No</li> <li>Do you want to monitor metrics from CollectD? WARNING: CollectD must be installed or the Agent will fail to start. 2.No</li> <li>Do you want to monitor any host metrics? e.g. CPU, memory, etc. 1. yes</li> <li>Do you want to monitor cpu metrics per core? 2. No (We are only focusing on storage here)</li> <li>Do you want to add ec2 dimensions (ImageId, InstanceId, InstanceType, AutoScalingGroupName) into all of your metrics if the info is available? 1. yes</li> <li>Do you want to aggregate ec2 dimensions (InstanceId)? 2. No</li> <li>Would you like to collect your metrics at high resolution (sub-minute resolution)? This enables sub-minute resolution for all metrics, but you can customize for specific metrics in the output json file. 4. 60s</li> <li>Which default metrics config do you want?. 2. Standard</li> </ul> <p>Final output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"agent"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"metrics_collection_interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="nl">"run_as_user"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cwagent"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"metrics"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"append_dimensions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AutoScalingGroupName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${aws:AutoScalingGroupName}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ImageId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${aws:ImageId}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"InstanceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${aws:InstanceId}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"InstanceType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${aws:InstanceType}"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"metrics_collected"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cpu"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"measurement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"cpu_usage_idle"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cpu_usage_iowait"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cpu_usage_user"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cpu_usage_system"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"metrics_collection_interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="nl">"totalcpu"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"disk"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"measurement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"used_percent"</span><span class="p">,</span><span class="w"> </span><span class="s2">"inodes_free"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"metrics_collection_interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"diskio"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"measurement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"io_time"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"metrics_collection_interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"mem"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"measurement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"mem_used_percent"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"metrics_collection_interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"swap"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"measurement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"swap_used_percent"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"metrics_collection_interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now let's make sure the cloudwatch agent is running by enabling the agent<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl start amazon-cloudwatch-agent <span class="nb">sudo </span>systemctl <span class="nb">enable </span>amazon-cloudwatch-agent <span class="nb">sudo </span>systemctl status amazon-cloudwatch-agent </code></pre> </div> <p>If the agent presents this error:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F211m0xj2e4vecfal35z0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F211m0xj2e4vecfal35z0.png" alt="etc agent" width="800" height="82"></a></p> <p>Search for your configuration that probably was created at bin at copy it in the <code>/etc/</code> folder<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo cp</span> /opt/aws/amazon-cloudwatch-agent/bin/config.json /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json </code></pre> </div> <p>After that restart the agent<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl restart amazon-cloudwatch-agent </code></pre> </div> <blockquote> <p>Note: If you want to retrieve metrics from inside the EC2 be sure to have this permission <code>cloudwatch:GetMetricStatistics</code> in the instance role, or copy your temporal credentials in the instance</p> </blockquote> <p>If you only want to track disk percentage which this article aims for this is the config file minimum for that, edit the file <code>/opt/aws/amazon-cloudwatch-agent/bin/config.json</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"agent"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"metrics_collection_interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="nl">"run_as_user"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cwagent"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"metrics"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"append_dimensions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AutoScalingGroupName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${aws:AutoScalingGroupName}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ImageId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${aws:ImageId}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"InstanceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${aws:InstanceId}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"InstanceType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${aws:InstanceType}"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"metrics_collected"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cpu"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"measurement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"cpu_usage_idle"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cpu_usage_iowait"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cpu_usage_user"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cpu_usage_system"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"metrics_collection_interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="nl">"totalcpu"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"disk"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"measurement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"used_percent"</span><span class="p">,</span><span class="w"> </span><span class="s2">"inodes_free"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"metrics_collection_interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"diskio"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"measurement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"io_time"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"metrics_collection_interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"mem"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"measurement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"mem_used_percent"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"metrics_collection_interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"swap"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"measurement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"swap_used_percent"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"metrics_collection_interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>After that reload the file with the following commands<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl <span class="se">\</span> <span class="nt">-a</span> fetch-config <span class="nt">-m</span> ec2 <span class="se">\</span> <span class="nt">-c</span> file:/opt/aws/amazon-cloudwatch-agent/bin/config.json <span class="nt">-s</span> </code></pre> </div> <p>Now let's proceed to create a dashboard to actually track the disk usage. For this in the AWS Console &gt; Cloudwatch &gt; Dashboard &gt; Create Dashboard</p> <p>Inside the dashboard we are going to create a widget metric of type gauge</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhmvi84l3bb7kbcoc0jmr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhmvi84l3bb7kbcoc0jmr.png" alt="Gauge1" width="800" height="736"></a></p> <p>Here in the tab <code>Source</code> we are going to add the following code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "region": "us-east-1", "title": "Disk Used % (Exact dims, /, &lt;instance-id&gt;)", "view": "gauge", "stat": "Average", "period": 60, "setPeriodToTimeRange": true, "yAxis": { "left": { "min": 0, "max": 100 } }, "metrics": [ [ "CWAgent", "disk_used_percent", "InstanceId", "&lt;your-instance-id&gt;", "path", "/", "device", "&lt;devive-name&gt;", "fstype", "&lt;device-type&gt;", "ImageId", "&lt;ami-id&gt;", "InstanceType", "&lt;instance-type&gt;" ] ] } </code></pre> </div> <p>After adding the source click on Save, you should see a Gauge graphic showing your current disk usage </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi927ej7w7kkbehdm14ai.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi927ej7w7kkbehdm14ai.png" alt="dikusagegauge" width="800" height="502"></a></p> <blockquote> <p>For cloudwatch the dimensions needed for instance are required, otherwise you can use only the host.</p> <p>Since I'm tracking instance with a single root volume, I only checking the device name of the root otherwise you should add the other devices type attached if using more than one volume</p> </blockquote> <p>Now let's create our custom runbook for this in the AWS Console we search for System Manager. Inside the left menu bar we go for Change Management Tools &gt; Documents</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2s6uspl0grpizh5bdwur.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2s6uspl0grpizh5bdwur.png" alt="menu1" width="800" height="225"></a></p> <p>Here we are going to click a Document of type Command. <br> We can fill the file like this:<br> Name: ExtendFilesystemRunbook<br> Target Type: --<br> Document Type: Command<br> For the code we are going to use yaml and paste the following code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">schemaVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2.2"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Robust</span><span class="nv"> </span><span class="s">filesystem</span><span class="nv"> </span><span class="s">extension</span><span class="nv"> </span><span class="s">with</span><span class="nv"> </span><span class="s">proper</span><span class="nv"> </span><span class="s">error</span><span class="nv"> </span><span class="s">handling"</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">device</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">String"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Device</span><span class="nv"> </span><span class="s">name</span><span class="nv"> </span><span class="s">from</span><span class="nv"> </span><span class="s">CloudWatch"</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">String"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Mount</span><span class="nv"> </span><span class="s">path</span><span class="nv"> </span><span class="s">from</span><span class="nv"> </span><span class="s">CloudWatch</span><span class="nv"> </span><span class="s">alarm"</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/"</span> <span class="na">executionTimeout</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">String"</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">900"</span> <span class="na">mainSteps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">action</span><span class="pi">:</span> <span class="s2">"</span><span class="s">aws:runShellScript"</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">extendFilesystem"</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">executionTimeout</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">runCommand</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">#!/bin/bash"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">set</span><span class="nv"> </span><span class="s">-e"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'===</span><span class="nv"> </span><span class="s">Starting</span><span class="nv"> </span><span class="s">filesystem</span><span class="nv"> </span><span class="s">extension</span><span class="nv"> </span><span class="s">==='"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'Device:</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">device</span><span class="nv"> </span><span class="s">}}'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'Mount</span><span class="nv"> </span><span class="s">Path:</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">mountPath</span><span class="nv"> </span><span class="s">}}'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">Install</span><span class="nv"> </span><span class="s">required</span><span class="nv"> </span><span class="s">tools"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'Installing</span><span class="nv"> </span><span class="s">required</span><span class="nv"> </span><span class="s">tools...'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">sudo</span><span class="nv"> </span><span class="s">yum</span><span class="nv"> </span><span class="s">install</span><span class="nv"> </span><span class="s">-y</span><span class="nv"> </span><span class="s">parted</span><span class="nv"> </span><span class="s">cloud-utils-growpart</span><span class="nv"> </span><span class="s">util-linux"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">Wait</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">EBS</span><span class="nv"> </span><span class="s">changes</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">optimization"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'Waiting</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">EBS</span><span class="nv"> </span><span class="s">optimization</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">complete...'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">sleep</span><span class="nv"> </span><span class="s">60"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">Check</span><span class="nv"> </span><span class="s">if</span><span class="nv"> </span><span class="s">volume</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">still</span><span class="nv"> </span><span class="s">optimizing"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'Checking</span><span class="nv"> </span><span class="s">volume</span><span class="nv"> </span><span class="s">status...'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">for</span><span class="nv"> </span><span class="s">i</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">{1..10};</span><span class="nv"> </span><span class="s">do"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">echo</span><span class="nv"> </span><span class="se">\"</span><span class="s">Check</span><span class="nv"> </span><span class="s">$i/10</span><span class="nv"> </span><span class="s">-</span><span class="nv"> </span><span class="s">waiting</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">volume</span><span class="nv"> </span><span class="s">optimization...</span><span class="se">\"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">sleep</span><span class="nv"> </span><span class="s">30"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">#</span><span class="nv"> </span><span class="s">Try</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">read</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">device"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">if</span><span class="nv"> </span><span class="s">sudo</span><span class="nv"> </span><span class="s">blockdev</span><span class="nv"> </span><span class="s">--getsize64</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE</span><span class="nv"> </span><span class="s">&gt;</span><span class="nv"> </span><span class="s">/dev/null</span><span class="nv"> </span><span class="s">2&gt;&amp;1;</span><span class="nv"> </span><span class="s">then"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">echo</span><span class="nv"> </span><span class="s">'Volume</span><span class="nv"> </span><span class="s">appears</span><span class="nv"> </span><span class="s">ready'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">break"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">fi"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">done"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">Find</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">actual</span><span class="nv"> </span><span class="s">device"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'Finding</span><span class="nv"> </span><span class="s">actual</span><span class="nv"> </span><span class="s">device</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">mount</span><span class="nv"> </span><span class="s">path</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">mountPath</span><span class="nv"> </span><span class="s">}}...'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ACTUAL_DEVICE=$(df</span><span class="nv"> </span><span class="s">'{{</span><span class="nv"> </span><span class="s">mountPath</span><span class="nv"> </span><span class="s">}}'</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">tail</span><span class="nv"> </span><span class="s">-1</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">awk</span><span class="nv"> </span><span class="s">'{print</span><span class="nv"> </span><span class="s">$1}')"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="se">\"</span><span class="s">Device</span><span class="nv"> </span><span class="s">found:</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE</span><span class="se">\"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">Show</span><span class="nv"> </span><span class="s">current</span><span class="nv"> </span><span class="s">filesystem</span><span class="nv"> </span><span class="s">info"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'Current</span><span class="nv"> </span><span class="s">filesystem</span><span class="nv"> </span><span class="s">info:'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">lsblk</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">blkid</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">Extract</span><span class="nv"> </span><span class="s">base</span><span class="nv"> </span><span class="s">device</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">partition"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">if</span><span class="nv"> </span><span class="s">[[</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE</span><span class="nv"> </span><span class="s">=~</span><span class="nv"> </span><span class="s">nvme.*p[0-9]</span><span class="nv"> </span><span class="s">]];</span><span class="nv"> </span><span class="s">then"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">BASE_DEVICE=$(echo</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">sed</span><span class="nv"> </span><span class="s">'s/p[0-9]*$//')"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">PARTITION=$(echo</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">sed</span><span class="nv"> </span><span class="s">'s/.*p//')"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">else"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">BASE_DEVICE=$(echo</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">sed</span><span class="nv"> </span><span class="s">'s/[0-9]*$//')"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">PARTITION=$(echo</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">sed</span><span class="nv"> </span><span class="s">'s/.*[^0-9]//')"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">fi"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="se">\"</span><span class="s">Base</span><span class="nv"> </span><span class="s">device:</span><span class="nv"> </span><span class="s">$BASE_DEVICE</span><span class="se">\"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="se">\"</span><span class="s">Partition:</span><span class="nv"> </span><span class="s">$PARTITION</span><span class="se">\"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">Show</span><span class="nv"> </span><span class="s">partition</span><span class="nv"> </span><span class="s">table</span><span class="nv"> </span><span class="s">before"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'Partition</span><span class="nv"> </span><span class="s">table</span><span class="nv"> </span><span class="s">before:'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">sudo</span><span class="nv"> </span><span class="s">fdisk</span><span class="nv"> </span><span class="s">-l</span><span class="nv"> </span><span class="s">$BASE_DEVICE"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">Grow</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">partition"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'Growing</span><span class="nv"> </span><span class="s">partition...'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">sudo</span><span class="nv"> </span><span class="s">growpart</span><span class="nv"> </span><span class="s">$BASE_DEVICE</span><span class="nv"> </span><span class="s">$PARTITION"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">Show</span><span class="nv"> </span><span class="s">partition</span><span class="nv"> </span><span class="s">table</span><span class="nv"> </span><span class="s">after"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'Partition</span><span class="nv"> </span><span class="s">table</span><span class="nv"> </span><span class="s">after:'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">sudo</span><span class="nv"> </span><span class="s">fdisk</span><span class="nv"> </span><span class="s">-l</span><span class="nv"> </span><span class="s">$BASE_DEVICE"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">Force</span><span class="nv"> </span><span class="s">kernel</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">re-read</span><span class="nv"> </span><span class="s">partition</span><span class="nv"> </span><span class="s">table"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'Forcing</span><span class="nv"> </span><span class="s">kernel</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">re-read</span><span class="nv"> </span><span class="s">partition</span><span class="nv"> </span><span class="s">table...'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">sudo</span><span class="nv"> </span><span class="s">partprobe</span><span class="nv"> </span><span class="s">$BASE_DEVICE"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">sync"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">Get</span><span class="nv"> </span><span class="s">filesystem</span><span class="nv"> </span><span class="s">type"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">FS_TYPE=$(lsblk</span><span class="nv"> </span><span class="s">-no</span><span class="nv"> </span><span class="s">FSTYPE</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="se">\"</span><span class="s">Filesystem</span><span class="nv"> </span><span class="s">type:</span><span class="nv"> </span><span class="s">$FS_TYPE</span><span class="se">\"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">#</span><span class="nv"> </span><span class="s">Extend</span><span class="nv"> </span><span class="s">filesystem</span><span class="nv"> </span><span class="s">based</span><span class="nv"> </span><span class="s">on</span><span class="nv"> </span><span class="s">type"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">case</span><span class="nv"> </span><span class="s">$FS_TYPE</span><span class="nv"> </span><span class="s">in"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">'ext2'|'ext3'|'ext4')"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">echo</span><span class="nv"> </span><span class="s">'Extending</span><span class="nv"> </span><span class="s">ext</span><span class="nv"> </span><span class="s">filesystem...'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">sudo</span><span class="nv"> </span><span class="s">e2fsck</span><span class="nv"> </span><span class="s">-f</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE</span><span class="nv"> </span><span class="s">||</span><span class="nv"> </span><span class="s">echo</span><span class="nv"> </span><span class="s">'e2fsck</span><span class="nv"> </span><span class="s">failed,</span><span class="nv"> </span><span class="s">continuing...'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">sudo</span><span class="nv"> </span><span class="s">resize2fs</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">;;"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">'xfs')"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">echo</span><span class="nv"> </span><span class="s">'Extending</span><span class="nv"> </span><span class="s">XFS</span><span class="nv"> </span><span class="s">filesystem...'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">sudo</span><span class="nv"> </span><span class="s">xfs_growfs</span><span class="nv"> </span><span class="s">'{{</span><span class="nv"> </span><span class="s">mountPath</span><span class="nv"> </span><span class="s">}}'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">;;"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">*)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">echo</span><span class="nv"> </span><span class="se">\"</span><span class="s">Unknown</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">unsupported</span><span class="nv"> </span><span class="s">filesystem</span><span class="nv"> </span><span class="s">type:</span><span class="nv"> </span><span class="s">$FS_TYPE</span><span class="se">\"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">echo</span><span class="nv"> </span><span class="s">'Trying</span><span class="nv"> </span><span class="s">resize2fs</span><span class="nv"> </span><span class="s">anyway...'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">sudo</span><span class="nv"> </span><span class="s">resize2fs</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE</span><span class="nv"> </span><span class="s">||</span><span class="nv"> </span><span class="s">echo</span><span class="nv"> </span><span class="s">'resize2fs</span><span class="nv"> </span><span class="s">failed'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="nv"> </span><span class="s">;;"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">esac"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'===</span><span class="nv"> </span><span class="s">Filesystem</span><span class="nv"> </span><span class="s">extension</span><span class="nv"> </span><span class="s">completed!</span><span class="nv"> </span><span class="s">==='"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'Final</span><span class="nv"> </span><span class="s">result:'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">df</span><span class="nv"> </span><span class="s">-h</span><span class="nv"> </span><span class="s">'{{</span><span class="nv"> </span><span class="s">mountPath</span><span class="nv"> </span><span class="s">}}'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">lsblk</span><span class="nv"> </span><span class="s">$ACTUAL_DEVICE"</span> </code></pre> </div> <p>This AWS Systems Manager runbook automates LVM filesystem expansion to utilize additional storage. It takes three parameters volume group name, logical volume name, and mount point (defaulting to a SAP HANA data setup) then runs a script that resizes all physical volumes in the group, extends the logical volume to use all available free space, and grows the XFS filesystem</p> <p>Feel free to add tags if necessary, and then click on Create Document<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu0fbh3kqhea8a2yi19fy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu0fbh3kqhea8a2yi19fy.png" alt="Runbook" width="800" height="240"></a></p> <p>Now we proceed to create our lambda, the purpose of this is to actually increment the volume size at the aws level and then call for the runbook to extend the lvm filesystem.<br> For this we search for the service Lambda, we click on Functions &gt; Create Function.</p> <p>We select Author from scratch and fill the following data.</p> <p>Function name: ExtendFileSystemLambda<br> Runtime: Python 3.13<br> Architecture: x86_64<br> Execution Role: Create a new role with basic Lambda permissions</p> <p>Feel free to add tags, and then click on CreateFunction</p> <blockquote> <p>Note: There is no need for the lambda to be on the same VPC</p> </blockquote> <p>Before we proceed we are going to add an aditional permission needed to run the runbook, for this we go to Configuration &gt; Permissions &gt; Click on Role Name<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl73rt7ca3c8z2sb65hiw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl73rt7ca3c8z2sb65hiw.png" alt="menu2" width="800" height="277"></a></p> <p>Inside the IAM Role of the lambda we are going to click on Add Permissions &gt; Create inline policy &gt; Choose JSON</p> <p>And we copy the following policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ec2:DescribeInstances"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ec2:DescribeVolumes"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ec2:ModifyVolume"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ssm:SendCommand"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ssm:GetCommandInvocation"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span><span class="w"> </span><span class="s2">"logs:CreateLogStream"</span><span class="p">,</span><span class="w"> </span><span class="s2">"logs:PutLogEvents"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:logs:*:*:*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This IAM policy allows the view and resize of EC2 storage volumes, execute commands on EC2 instances through Systems Manager, and write logs for monitoring</p> <p>After copying the policy in the policy editor we click on Next, we give it a policy name like CommandExecutionResizeFileSystem and proceed clicking Create policy</p> <p>Now we can go back to our lambda, after this we go into the Code tab and copy this code under the lambda_function.py file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">os</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">logging</span><span class="p">.</span><span class="n">INFO</span><span class="p">)</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="sh">"""</span><span class="s">AWS Lambda to resize EBS volume based on CloudWatch alarm.</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Configuration </span> <span class="n">volume_increase_gb</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">VOLUME_INCREASE_GB</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">1</span><span class="sh">'</span><span class="p">))</span> <span class="n">wait_time</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">WAIT_TIME_SECONDS</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">30</span><span class="sh">'</span><span class="p">))</span> <span class="c1"># AWS clients </span> <span class="n">ec2</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">ec2</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Parse SNS message </span> <span class="n">sns_message</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">event</span><span class="p">[</span><span class="sh">'</span><span class="s">Records</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">Sns</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Message</span><span class="sh">'</span><span class="p">])</span> <span class="n">alarm_name</span> <span class="o">=</span> <span class="n">sns_message</span><span class="p">[</span><span class="sh">'</span><span class="s">AlarmName</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># Extract instance ID and device from alarm dimensions </span> <span class="n">dimensions</span> <span class="o">=</span> <span class="n">sns_message</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Trigger</span><span class="sh">'</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Dimensions</span><span class="sh">'</span><span class="p">,</span> <span class="p">[])</span> <span class="n">instance_id</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">device</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">for</span> <span class="n">dim</span> <span class="ow">in</span> <span class="n">dimensions</span><span class="p">:</span> <span class="k">if</span> <span class="n">dim</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">InstanceId</span><span class="sh">'</span><span class="p">:</span> <span class="n">instance_id</span> <span class="o">=</span> <span class="n">dim</span><span class="p">[</span><span class="sh">'</span><span class="s">value</span><span class="sh">'</span><span class="p">]</span> <span class="k">elif</span> <span class="n">dim</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">device</span><span class="sh">'</span><span class="p">:</span> <span class="n">device</span> <span class="o">=</span> <span class="n">dim</span><span class="p">[</span><span class="sh">'</span><span class="s">value</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">instance_id</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">No instance ID found in alarm</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Processing alarm </span><span class="sh">'</span><span class="si">{</span><span class="n">alarm_name</span><span class="si">}</span><span class="sh">'</span><span class="s"> for instance </span><span class="si">{</span><span class="n">instance_id</span><span class="si">}</span><span class="s">, device: </span><span class="si">{</span><span class="n">device</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Get instance to find the volume </span> <span class="n">response</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nf">describe_instances</span><span class="p">(</span><span class="n">InstanceIds</span><span class="o">=</span><span class="p">[</span><span class="n">instance_id</span><span class="p">])</span> <span class="n">instance</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Reservations</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">Instances</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="c1"># Find the volume for the specific device </span> <span class="n">target_volume</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">device_variations</span> <span class="o">=</span> <span class="p">[</span><span class="n">device</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">/dev/</span><span class="si">{</span><span class="n">device</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">device</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">xvd</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">sd</span><span class="sh">'</span><span class="p">),</span> <span class="n">device</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">sd</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">xvd</span><span class="sh">'</span><span class="p">)]</span> <span class="k">for</span> <span class="n">block_device</span> <span class="ow">in</span> <span class="n">instance</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">BlockDeviceMappings</span><span class="sh">'</span><span class="p">,</span> <span class="p">[]):</span> <span class="n">device_name</span> <span class="o">=</span> <span class="n">block_device</span><span class="p">[</span><span class="sh">'</span><span class="s">DeviceName</span><span class="sh">'</span><span class="p">]</span> <span class="n">volume_id</span> <span class="o">=</span> <span class="n">block_device</span><span class="p">[</span><span class="sh">'</span><span class="s">Ebs</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">VolumeId</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># Check if this device matches our target (handle naming variations) </span> <span class="k">if</span> <span class="nf">any</span><span class="p">(</span><span class="n">device_name</span><span class="p">.</span><span class="nf">endswith</span><span class="p">(</span><span class="n">var</span><span class="p">.</span><span class="nf">lstrip</span><span class="p">(</span><span class="sh">'</span><span class="s">/dev/</span><span class="sh">'</span><span class="p">))</span> <span class="k">for</span> <span class="n">var</span> <span class="ow">in</span> <span class="n">device_variations</span><span class="p">):</span> <span class="n">target_volume</span> <span class="o">=</span> <span class="n">volume_id</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Found target volume </span><span class="si">{</span><span class="n">volume_id</span><span class="si">}</span><span class="s"> on device </span><span class="si">{</span><span class="n">device_name</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">break</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">target_volume</span><span class="p">:</span> <span class="c1"># Fallback: if no device specified, resize the first non-root volume or root if it's the only one </span> <span class="n">volumes</span> <span class="o">=</span> <span class="p">[</span><span class="n">bd</span><span class="p">[</span><span class="sh">'</span><span class="s">Ebs</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">VolumeId</span><span class="sh">'</span><span class="p">]</span> <span class="k">for</span> <span class="n">bd</span> <span class="ow">in</span> <span class="n">instance</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">BlockDeviceMappings</span><span class="sh">'</span><span class="p">,</span> <span class="p">[])]</span> <span class="k">if</span> <span class="n">volumes</span><span class="p">:</span> <span class="n">target_volume</span> <span class="o">=</span> <span class="n">volumes</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">No specific device found, using first volume: </span><span class="si">{</span><span class="n">target_volume</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">target_volume</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">No volume found to resize for instance </span><span class="si">{</span><span class="n">instance_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Get current volume size </span> <span class="n">vol_response</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nf">describe_volumes</span><span class="p">(</span><span class="n">VolumeIds</span><span class="o">=</span><span class="p">[</span><span class="n">target_volume</span><span class="p">])</span> <span class="n">current_size</span> <span class="o">=</span> <span class="n">vol_response</span><span class="p">[</span><span class="sh">'</span><span class="s">Volumes</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">Size</span><span class="sh">'</span><span class="p">]</span> <span class="n">new_size</span> <span class="o">=</span> <span class="n">current_size</span> <span class="o">+</span> <span class="n">volume_increase_gb</span> <span class="c1"># Resize the volume </span> <span class="n">ec2</span><span class="p">.</span><span class="nf">modify_volume</span><span class="p">(</span><span class="n">VolumeId</span><span class="o">=</span><span class="n">target_volume</span><span class="p">,</span> <span class="n">Size</span><span class="o">=</span><span class="n">new_size</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Resized volume </span><span class="si">{</span><span class="n">target_volume</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">current_size</span><span class="si">}</span><span class="s">GB -&gt; </span><span class="si">{</span><span class="n">new_size</span><span class="si">}</span><span class="s">GB</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Wait for modification to complete </span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Waiting </span><span class="si">{</span><span class="n">wait_time</span><span class="si">}</span><span class="s"> seconds for volume modification...</span><span class="sh">"</span><span class="p">)</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="n">wait_time</span><span class="p">)</span> <span class="c1"># Optional: Run SSM command to extend filesystem </span> <span class="n">runbook_name</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">RUNBOOK_NAME</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">ExtendFilesystemRunbook</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">runbook_name</span><span class="p">:</span> <span class="n">ssm</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">ssm</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Get mount path and device from alarm dimensions </span> <span class="n">disk_path</span> <span class="o">=</span> <span class="sh">"</span><span class="s">/</span><span class="sh">"</span> <span class="c1"># default </span> <span class="n">disk_device_raw</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">for</span> <span class="n">dim</span> <span class="ow">in</span> <span class="n">dimensions</span><span class="p">:</span> <span class="k">if</span> <span class="n">dim</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">path</span><span class="sh">'</span><span class="p">:</span> <span class="n">disk_path</span> <span class="o">=</span> <span class="n">dim</span><span class="p">[</span><span class="sh">'</span><span class="s">value</span><span class="sh">'</span><span class="p">]</span> <span class="k">elif</span> <span class="n">dim</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">device</span><span class="sh">'</span><span class="p">:</span> <span class="n">disk_device_raw</span> <span class="o">=</span> <span class="n">dim</span><span class="p">[</span><span class="sh">'</span><span class="s">value</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># Find the actual device by looking at the instance </span> <span class="n">actual_device</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">for</span> <span class="n">block_device</span> <span class="ow">in</span> <span class="n">instance</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">BlockDeviceMappings</span><span class="sh">'</span><span class="p">,</span> <span class="p">[]):</span> <span class="n">device_name</span> <span class="o">=</span> <span class="n">block_device</span><span class="p">[</span><span class="sh">'</span><span class="s">DeviceName</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># Strip /dev/ prefix for comparison </span> <span class="n">device_short</span> <span class="o">=</span> <span class="n">device_name</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">/dev/</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="c1"># Match against the alarm device (handle xvda vs nvme naming) </span> <span class="nf">if </span><span class="p">(</span><span class="n">disk_device_raw</span> <span class="ow">and</span> <span class="p">(</span><span class="n">device_short</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="n">disk_device_raw</span><span class="p">)</span> <span class="ow">or</span> <span class="n">disk_device_raw</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="n">device_short</span><span class="p">)</span> <span class="ow">or</span> <span class="n">device_short</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">nvme0n1p</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">xvd</span><span class="sh">'</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">1</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">a</span><span class="sh">'</span><span class="p">)</span> <span class="o">==</span> <span class="n">disk_device_raw</span> <span class="ow">or</span> <span class="n">disk_device_raw</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">xvd</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">nvme0n1p</span><span class="sh">'</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">a</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">1</span><span class="sh">'</span><span class="p">)</span> <span class="o">==</span> <span class="n">device_short</span><span class="p">)):</span> <span class="n">actual_device</span> <span class="o">=</span> <span class="n">device_name</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">/dev/</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="c1"># Remove /dev/ prefix </span> <span class="k">break</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">actual_device</span><span class="p">:</span> <span class="c1"># Fallback: use the first device </span> <span class="n">actual_device</span> <span class="o">=</span> <span class="n">instance</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">BlockDeviceMappings</span><span class="sh">'</span><span class="p">,</span> <span class="p">[{}])[</span><span class="mi">0</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">DeviceName</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">/dev/</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="c1"># Prepare parameters for the runbook </span> <span class="n">ssm_params</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">device</span><span class="sh">'</span><span class="p">:</span> <span class="p">[</span><span class="n">actual_device</span><span class="p">],</span> <span class="c1"># Send device without /dev/ prefix </span> <span class="sh">'</span><span class="s">mountPath</span><span class="sh">'</span><span class="p">:</span> <span class="p">[</span><span class="n">disk_path</span><span class="p">]</span> <span class="c1"># Send the actual mount path from alarm </span> <span class="p">}</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Running runbook with device=</span><span class="sh">'</span><span class="si">{</span><span class="n">actual_device</span><span class="si">}</span><span class="sh">'</span><span class="s"> and mountPath=</span><span class="sh">'</span><span class="si">{</span><span class="n">disk_path</span><span class="si">}</span><span class="sh">'"</span><span class="p">)</span> <span class="n">command_response</span> <span class="o">=</span> <span class="n">ssm</span><span class="p">.</span><span class="nf">send_command</span><span class="p">(</span> <span class="n">InstanceIds</span><span class="o">=</span><span class="p">[</span><span class="n">instance_id</span><span class="p">],</span> <span class="n">DocumentName</span><span class="o">=</span><span class="n">runbook_name</span><span class="p">,</span> <span class="n">Parameters</span><span class="o">=</span><span class="n">ssm_params</span><span class="p">,</span> <span class="n">Comment</span><span class="o">=</span><span class="sa">f</span><span class="sh">'</span><span class="s">Filesystem extension for alarm: </span><span class="si">{</span><span class="n">alarm_name</span><span class="si">}</span><span class="sh">'</span><span class="p">,</span> <span class="n">TimeoutSeconds</span><span class="o">=</span><span class="mi">300</span> <span class="p">)</span> <span class="n">command_id</span> <span class="o">=</span> <span class="n">command_response</span><span class="p">[</span><span class="sh">'</span><span class="s">Command</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">CommandId</span><span class="sh">'</span><span class="p">]</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Started filesystem extension: </span><span class="si">{</span><span class="n">command_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">command_id</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">No SSM runbook configured, skipping filesystem extension</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Success response </span> <span class="n">result</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">success</span><span class="sh">'</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">'</span><span class="s">instance_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">instance_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">volume_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">target_volume</span><span class="p">,</span> <span class="sh">'</span><span class="s">old_size_gb</span><span class="sh">'</span><span class="p">:</span> <span class="n">current_size</span><span class="p">,</span> <span class="sh">'</span><span class="s">new_size_gb</span><span class="sh">'</span><span class="p">:</span> <span class="n">new_size</span><span class="p">,</span> <span class="sh">'</span><span class="s">alarm_name</span><span class="sh">'</span><span class="p">:</span> <span class="n">alarm_name</span> <span class="p">}</span> <span class="k">if</span> <span class="n">command_id</span><span class="p">:</span> <span class="n">result</span><span class="p">[</span><span class="sh">'</span><span class="s">command_id</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="n">command_id</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">statusCode</span><span class="sh">'</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">statusCode</span><span class="sh">'</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">'</span><span class="s">success</span><span class="sh">'</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">'</span><span class="s">error</span><span class="sh">'</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>After copying the code, click on Deploy</p> <p>This Lambda function automatically responds to CloudWatch alarms by expanding disk storage. When triggered by an SNS notification from a storage alarm, it identifies the specific EC2 instance from the alarm, increases each volume by 1GB, waits for the changes to take effect, then runs the filesystem extension runbook to make the additional space available to the database</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqugvdjprqiigjkhs3zsl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqugvdjprqiigjkhs3zsl.png" alt="Lambda" width="800" height="445"></a></p> <p>Now to test our lambda, this body should replicate the data of the alarm we should receive from a cloudwatch alarm this way the lambda will resize the disk in AWS and invoke the runbook we previously config<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Records"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sns"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">AlarmName</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">DiskUsed% CRIT</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">AWSAccountId</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">111882299112</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">NewStateValue</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">ALARM</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">Trigger</span><span class="se">\"</span><span class="s2">: {</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">Namespace</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">CWAgent</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">MetricName</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">disk_used_percent</span><span class="se">\"</span><span class="s2">,</span><span class="se">\n</span><span class="s2"> </span><span class="se">\"</span><span class="s2">Dimensions</span><span class="se">\"</span><span class="s2">: [</span><span class="se">\n</span><span class="s2"> {</span><span class="se">\"</span><span class="s2">name</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">InstanceId</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">value</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">&lt;your-instance-id&gt;</span><span class="se">\"</span><span class="s2">},</span><span class="se">\n</span><span class="s2"> {</span><span class="se">\"</span><span class="s2">name</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">device</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">value</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">nvme0n1p1</span><span class="se">\"</span><span class="s2">},</span><span class="se">\n</span><span class="s2"> {</span><span class="se">\"</span><span class="s2">name</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">path</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">value</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">/</span><span class="se">\"</span><span class="s2">}</span><span class="se">\n</span><span class="s2"> ]</span><span class="se">\n</span><span class="s2"> }</span><span class="se">\n</span><span class="s2">}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Once we tested our lambda we can verify it certainly increase the space both in AWS and inside the volume</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyy0g6iiku2b295k824id.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyy0g6iiku2b295k824id.png" alt="Lambda execution" width="800" height="542"></a></p> <p>Now for our final steps we are going to configure the automated part of this, for this we are going to create a cloudwatch alarm with a sns to trigger our lambda we are going to receive the event for our lambda to increment the space on the volume and then expand it at OS level. For this we go AWS Console &gt; Cloudwatch &gt; All alarms &gt; Create alarm.</p> <p>In the first step Metric, we copy the same source we used in our dashboard.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Disk Used % (Exact dims, /, &lt;instance-id&gt;)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"view"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gauge"</span><span class="p">,</span><span class="w"> </span><span class="nl">"stat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Average"</span><span class="p">,</span><span class="w"> </span><span class="nl">"period"</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="nl">"setPeriodToTimeRange"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"yAxis"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"left"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"min"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"max"</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"metrics"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"CWAgent"</span><span class="p">,</span><span class="w"> </span><span class="s2">"disk_used_percent"</span><span class="p">,</span><span class="w"> </span><span class="s2">"InstanceId"</span><span class="p">,</span><span class="w"> </span><span class="s2">"&lt;your-instance-id&gt;"</span><span class="p">,</span><span class="w"> </span><span class="s2">"path"</span><span class="p">,</span><span class="w"> </span><span class="s2">"/"</span><span class="p">,</span><span class="w"> </span><span class="s2">"device"</span><span class="p">,</span><span class="w"> </span><span class="s2">"&lt;devive-name&gt;"</span><span class="p">,</span><span class="w"> </span><span class="s2">"fstype"</span><span class="p">,</span><span class="w"> </span><span class="s2">"&lt;device-type&gt;"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ImageId"</span><span class="p">,</span><span class="w"> </span><span class="s2">"&lt;ami-id&gt;"</span><span class="p">,</span><span class="w"> </span><span class="s2">"InstanceType"</span><span class="p">,</span><span class="w"> </span><span class="s2">"&lt;instance-type&gt;"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This should show us the current metric we are tracking</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3abaccb2hgt66xh5ny3i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3abaccb2hgt66xh5ny3i.png" alt="disk" width="800" height="319"></a></p> <p>At conditions for testing purpose we are going to put the disk at the current limit otherwise put it at a threshold you see fit</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flyo69gxi1rd4yfzgy6l0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flyo69gxi1rd4yfzgy6l0.png" alt="condditions" width="800" height="277"></a></p> <p>At notification pick &gt; In alarm state &gt; Create new topic &gt; Set up your sns topic &gt; your sns topic should point to the lambda<br> Next in alarm details feel free to add a name and a description, after that create the Alarm.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh4uw90nxqmr6oev663ku.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh4uw90nxqmr6oev663ku.png" alt="SNS" width="800" height="485"></a></p> <p>After waiting for some minutes we should see the alarm being triggered</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feyxhrs4hhtl1f2dfn7op.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feyxhrs4hhtl1f2dfn7op.png" alt="Alarm trigger" width="800" height="539"></a></p> <p>When the alarm is activated it will trigger our lambda then our runbook will resize our volume</p> <blockquote> <p>The volume can only be resized every 6 hours</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F134ri7voehwr8326ql91.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F134ri7voehwr8326ql91.png" alt="Lambda execution" width="800" height="266"></a></p> <p>After lambda execution we can se our resize has been succesful</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9uw81rj9jk3jk72fhirp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9uw81rj9jk3jk72fhirp.png" alt="Volume resized" width="800" height="510"></a></p> <h2> Lessons learned and a conclusion </h2> <p>Automating EBS growth from disk usage alarms is solid, but there are some details:</p> <ul> <li>Don’t rely on device names. Rely on the VolumeId. You won’t get it from CloudWatch; resolve it on the instance via SSM using the device and path the alarm provides</li> <li>Pick a single integration pattern and wire it correctly. For code that expects SNS, use Alarm → SNS → Lambda and the SNS principal in your Lambda policy</li> <li>Bias toward safety. Remove “first volume” fallbacks, add idempotency checks, and guard with clear alarms and logs</li> </ul> aws programming python todayilearned David💻 Thu, 18 Sep 2025 21:31:54 +0000 https://forem.com/davidshaek/protecting-our-eks-nodes-with-wazuh-3k7f https://forem.com/davidshaek/protecting-our-eks-nodes-with-wazuh-3k7f <p>This article explains how to deploy a secure Wazuh All-in-One server on AWS and configure Amazon EKS node groups to automatically install the Wazuh agent. With this setup, we can enable vulnerability detection and continuous monitoring across our Kubernetes workloads.</p> <p>Before we start with this article, have you heard of Wazuh before ?</p> <h2> What is Wazuh? </h2> <p><a href="https://wazuh.com/" rel="noopener noreferrer">Wazuh</a> is a powerful open source platform for threat detection, incident response, and compliance.</p> <h2> Requirements </h2> <ul> <li>AWS Account &amp; CLI (and a profile with enough permissions for: VPC, EC2, ACM PCA, and Client VPN</li> <li>ACM Private CA (or an external CA you control</li> <li>OpenSSL</li> </ul> <h2> What is AWS Client VPN? </h2> <p>AWS Client VPN is a managed VPN service that lets users securely connect to AWS resources using OpenVPN based clients. By using ACM Private CA certificates, we can enforce mutual authentication, ensuring both the server and the client prove their identities before a session is established</p> <h2> Walkthrough </h2> <h3> Creating the VPC </h3> <p>Let's start by creating or using an existing VPC. Create subnets for:</p> <ul> <li>Public subnet – for NAT Gateway</li> <li>Private subnet – for Wazuh All-in-One</li> <li>VPN subnet – to associate with the Client VPN endpoint</li> <li>The Wazuh server must go in the private subnet. No public IP is required</li> </ul> <p>In this case, we are defining one public subnet and two private subnets. The public subnet will host the Internet Gateway and a NAT Gateway, which act as controlled egress points for outbound traffic. The private subnet will serve different purposes: one dedicated to the Wazuh server itself, and another for VPN clients that will provide secure access into the VPC</p> <blockquote> <p>Note: If your architecture already connects multiple VPCs through an AWS Transit Gateway (TGW), you could simplify this design by deploying Wazuh entirely in private subnets and routing access through the TGW. This way, Wazuh services remain isolated while still being reachable from other connected networks without needing multiple subnet roles or direct internet exposure</p> </blockquote> <p>We are going to create our VPC, for this in the AWS console we search for VPC &gt; Your VPCs &gt; Create VPC &gt; VPC Only</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuokxbkcn0oq7jaqikz7z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuokxbkcn0oq7jaqikz7z.png" alt="VPC 1" width="800" height="585"></a></p> <p>We follow by creating our subnets in our VPC, by following in the AWS console &gt; VPC &gt; Subnet &gt; Create Subnet &gt; Select the previously created VPC. And we follow the following segmentation, for this example we are going to use a single AZ but for reability we can use two.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgrrnqn6oa60nm4qoegrw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgrrnqn6oa60nm4qoegrw.png" alt="Subnet 1" width="800" height="619"></a></p> <h3> Segmentation </h3> <p>VPC CIDR: 10.50.0.0/24</p> <ul> <li>WAZUH Public Subnet (10.50.0.0/28): Hosts the NAT Gateway to provide controlled outbound internet access.</li> <li>WAZUH Server Managed (10.50.0.32/27): Private subnet for the Wazuh All-in-One server.</li> <li>VPN Client Subnet (10.50.0.64/27): Private subnet dedicated to Client VPN resources.</li> <li>Client VPN Endpoint Range (10.50.8.0/22): Address pool for devices connecting through the VPN, non-overlapping with the VPC.</li> </ul> <p>Now we create. route table for our subnets, for this in the AWS Console &gt; VPC &gt; Route Tables &gt; Create Route Table</p> <p>Our route table for the Wazuh subnet, should have a NAT Gateway pointing to the public subnet:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff76n9y2iimfqz2a5zbz0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff76n9y2iimfqz2a5zbz0.png" alt="Route Table" width="800" height="267"></a></p> <h3> The Peering between VPC </h3> <p>Since my EKS lives in another VPC we need to make a VPC peering between both so they can communicate, this step can be ignored if the Wazuh server and EKS lives in the same VPC, but as a good practices both of them are separated.</p> <p>For this we follow this step in the AWS Console &gt; VPC &gt; Peering Connections. Define the request VPC as the EKS VPC and the acepter as the Wazuh VPC.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtukl0tyqsidppbehoxq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtukl0tyqsidppbehoxq.png" alt="Peering" width="800" height="473"></a></p> <h3> Certificates with ACM PCA </h3> <p>Create server and client certificates to use with Client VPN.<br> Server Certificate:<br> Generate a CSR and private key with OpenSSL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>openssl req <span class="nt">-new</span> <span class="nt">-newkey</span> rsa:2048 <span class="nt">-nodes</span> <span class="se">\</span> <span class="nt">-keyout</span> server.key <span class="se">\</span> <span class="nt">-out</span> server.csr <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/CN=wazuh.server"</span> <span class="se">\</span> <span class="nt">-addext</span> <span class="s2">"extendedKeyUsage=serverAuth"</span> </code></pre> </div> <p>Issue the certificate with ACM PCA:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws acm-pca issue-certificate <span class="se">\</span> <span class="nt">--certificate-authority-arn</span> &lt;pca-arn&gt; <span class="se">\</span> <span class="nt">--csr</span> fileb://server.csr <span class="se">\</span> <span class="nt">--signing-algorithm</span> <span class="s2">"SHA256WITHRSA"</span> <span class="se">\</span> <span class="nt">--validity</span> <span class="nv">Value</span><span class="o">=</span>365,Type<span class="o">=</span><span class="s2">"DAYS"</span> <span class="se">\</span> <span class="nt">--idempotency-token</span> vpn-cert-01 </code></pre> </div> <p>Fetch the certificate (replace with the ARN from the previous command):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws acm-pca get-certificate <span class="se">\</span> <span class="nt">--certificate-authority-arn</span> &lt;pca-arn&gt; <span class="se">\</span> <span class="nt">--certificate-arn</span> &lt;certificate-arn&gt; <span class="se">\</span> <span class="nt">--output</span> text <span class="o">&gt;</span> server.crt </code></pre> </div> <p>Import the certificate into ACM so it can be used by Client VPN:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws acm import-certificate <span class="se">\</span> <span class="nt">--certificate</span> fileb://server.crt <span class="se">\</span> <span class="nt">--private-key</span> fileb://server.key <span class="se">\</span> <span class="nt">--certificate-chain</span> fileb://ca-chain.pem </code></pre> </div> <p>Client Certificate<br> Generate a CSR and private key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>openssl req <span class="nt">-new</span> <span class="nt">-newkey</span> rsa:2048 <span class="nt">-nodes</span> <span class="se">\</span> <span class="nt">-keyout</span> client.key <span class="se">\</span> <span class="nt">-out</span> client.csr <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/CN=wazuh.client"</span> <span class="se">\</span> <span class="nt">-addext</span> <span class="s2">"keyUsage=digitalSignature,keyEncipherment"</span> <span class="se">\</span> <span class="nt">-addext</span> <span class="s2">"extendedKeyUsage=clientAuth"</span> </code></pre> </div> <p>Issue with ACM PCA (using the EndEntityClientAuthCertificate template):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws acm-pca issue-certificate <span class="se">\</span> <span class="nt">--certificate-authority-arn</span> &lt;pca-arn&gt; <span class="se">\</span> <span class="nt">--csr</span> fileb://client.csr <span class="se">\</span> <span class="nt">--signing-algorithm</span> <span class="s2">"SHA256WITHRSA"</span> <span class="se">\</span> <span class="nt">--validity</span> <span class="nv">Value</span><span class="o">=</span>365,Type<span class="o">=</span><span class="s2">"DAYS"</span> <span class="se">\</span> <span class="nt">--idempotency-token</span> vpn-cert-02 <span class="se">\</span> <span class="nt">--template-arn</span> arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1 </code></pre> </div> <p>Fetch the certificate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws acm-pca get-certificate <span class="se">\</span> <span class="nt">--certificate-authority-arn</span> &lt;pca-arn&gt; <span class="se">\</span> <span class="nt">--certificate-arn</span> &lt;certificate-arn&gt; <span class="se">\</span> <span class="nt">--output</span> text <span class="o">&gt;</span> client.crt </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fai03ip7mil8hw0yektny.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fai03ip7mil8hw0yektny.png" alt="Private Certificate" width="800" height="323"></a></p> <h3> Security Groups </h3> <p>Client VPN SG – allow inbound 443 (UDP) and allow traffic from the VPN CIDR.<br> Wazuh SG – allow 22, 443, 1514, and 1515 only from the VPN CIDR.</p> <h4> SG for Client VPN: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 create-security-group <span class="se">\</span> <span class="nt">--group-name</span> wazuh-clientvpn-access <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"Enable traffic from Client VPN"</span> <span class="se">\</span> <span class="nt">--vpc-id</span> &lt;vpc-id&gt; <span class="se">\</span> <span class="nt">--region</span> &lt;region&gt; </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 authorize-security-group-ingress <span class="se">\</span> <span class="nt">--group-id</span> &lt;vpn-sg-id&gt; <span class="se">\</span> <span class="nt">--protocol</span> tcp <span class="nt">--port</span> 22 <span class="nt">--cidr</span> &lt;vpn-client-cidr&gt; <span class="se">\</span> <span class="nt">--region</span> &lt;region&gt; </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 authorize-security-group-ingress <span class="se">\</span> <span class="nt">--group-id</span> &lt;vpn-sg-id&gt; <span class="se">\</span> <span class="nt">--protocol</span> tcp <span class="nt">--port</span> 443 <span class="nt">--cidr</span> &lt;vpn-client-cidr&gt; <span class="se">\</span> <span class="nt">--region</span> &lt;region&gt; </code></pre> </div> <h4> SG for Wazuh Server </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 create-security-group <span class="se">\</span> <span class="nt">--group-name</span> wazuh-management-access <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"Enable access from VPN to Wazuh"</span> <span class="se">\</span> <span class="nt">--vpc-id</span> &lt;vpc-id&gt; <span class="se">\</span> <span class="nt">--region</span> &lt;region&gt; </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 authorize-security-group-ingress <span class="nt">--group-id</span> &lt;wazuh-sg-id&gt; <span class="nt">--protocol</span> tcp <span class="nt">--port</span> 22 <span class="nt">--cidr</span> &lt;vpn-client-cidr&gt; <span class="nt">--region</span> &lt;region&gt; aws ec2 authorize-security-group-ingress <span class="nt">--group-id</span> &lt;wazuh-sg-id&gt; <span class="nt">--protocol</span> tcp <span class="nt">--port</span> 443 <span class="nt">--cidr</span> &lt;vpn-client-cidr&gt; <span class="nt">--region</span> &lt;region&gt; aws ec2 authorize-security-group-ingress <span class="nt">--group-id</span> &lt;wazuh-sg-id&gt; <span class="nt">--protocol</span> tcp <span class="nt">--port</span> 1514 <span class="nt">--cidr</span> &lt;vpn-client-cidr&gt; <span class="nt">--region</span> &lt;region&gt; aws ec2 authorize-security-group-ingress <span class="nt">--group-id</span> &lt;wazuh-sg-id&gt; <span class="nt">--protocol</span> tcp <span class="nt">--port</span> 1515 <span class="nt">--cidr</span> &lt;vpn-client-cidr&gt; <span class="nt">--region</span> &lt;region&gt; </code></pre> </div> <h3> Create Client VPN Endpoint </h3> <p>Use the ACM server certificate and your root CA for mutual authentication:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 create-client-vpn-endpoint <span class="se">\</span> <span class="nt">--client-cidr-block</span> &lt;vpn-client-cidr&gt; <span class="se">\</span> <span class="nt">--server-certificate-arn</span> &lt;server-cert-arn&gt; <span class="se">\</span> <span class="nt">--authentication-options</span> <span class="nv">Type</span><span class="o">=</span>certificate-authentication,MutualAuthentication<span class="o">={</span><span class="nv">ClientRootCertificateChainArn</span><span class="o">=</span>&lt;ca-arn&gt;<span class="o">}</span> <span class="se">\</span> <span class="nt">--dns-servers</span> 8.8.8.8 8.8.4.4 <span class="se">\</span> <span class="nt">--transport-protocol</span> udp <span class="se">\</span> <span class="nt">--vpc-id</span> &lt;vpc-id&gt; <span class="se">\</span> <span class="nt">--security-group-ids</span> &lt;vpn-sg-id&gt; <span class="se">\</span> <span class="nt">--region</span> &lt;region&gt; </code></pre> </div> <p>Associate the endpoint with your VPN subnet, create a route to the Wazuh subnet, and authorize ingress<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 associate-client-vpn-target-network <span class="se">\</span> <span class="nt">--client-vpn-endpoint-id</span> &lt;cvpn-endpoint-id&gt; <span class="se">\</span> <span class="nt">--subnet-id</span> &lt;subnet-id&gt; <span class="se">\</span> <span class="nt">--region</span> &lt;region&gt; </code></pre> </div> <p>Route to Wazuh subnet<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 create-client-vpn-route <span class="se">\</span> <span class="nt">--client-vpn-endpoint-id</span> &lt;cvpn-endpoint-id&gt; <span class="se">\</span> <span class="nt">--destination-cidr-block</span> &lt;wazuh-subnet-cidr&gt; <span class="se">\</span> <span class="nt">--target-vpc-subnet-id</span> &lt;subnet-id&gt; <span class="se">\</span> <span class="nt">--region</span> &lt;region&gt; </code></pre> </div> <p>Authorize access<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 authorize-client-vpn-ingress <span class="se">\</span> <span class="nt">--client-vpn-endpoint-id</span> &lt;cvpn-endpoint-id&gt; <span class="se">\</span> <span class="nt">--target-network-cidr</span> &lt;wazuh-subnet-cidr&gt; <span class="se">\</span> <span class="nt">--authorize-all-groups</span> <span class="se">\</span> <span class="nt">--region</span> &lt;region&gt; </code></pre> </div> <h3> Launch Wazuh All-in-One </h3> <p>Deploy the official Wazuh All-in-One AMI from AWS Marketplace. Place it in your private subnet with the Wazuh SG attached. No public IP is needed</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9msyig3owli7ytjuv40v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9msyig3owli7ytjuv40v.png" alt="Wazuhec2" width="800" height="548"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9sx26eops0hgddjkuv1l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9sx26eops0hgddjkuv1l.png" alt="Wazuhec22" width="800" height="548"></a></p> <h3> Configure the VPN Client </h3> <p>Download the Client VPN config file and add your client certificate, key, and CA:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>client dev tun proto udp remote &lt;vpn-endpoint&gt;.prod.clientvpn.&lt;region&gt;.amazonaws.com 443 nobind &lt;cert&gt; <span class="o">(</span>client.crt<span class="o">)</span> &lt;/cert&gt; &lt;key&gt; <span class="o">(</span>client.key<span class="o">)</span> &lt;/key&gt; &lt;ca&gt; <span class="o">(</span>root-ca.pem<span class="o">)</span> &lt;/ca&gt; </code></pre> </div> <p>Import this into the AWS VPN client or OpenVPN client.</p> <p>For this Download AWS VPN Client <a href="https://aws.amazon.com/vpn/client-vpn-download/" rel="noopener noreferrer">here</a>, after installing go to File &gt; Manage Profiles &gt; Fill the name and import he ovpn.</p> <h3> Test Access </h3> <p>Connect to the VPN.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fof5b6f7mubeao0lhtzr5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fof5b6f7mubeao0lhtzr5.png" alt="VPN" width="800" height="260"></a></p> <p>Open Wazuh UI at https://</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1n8bf93eh0jddgfwhpzt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1n8bf93eh0jddgfwhpzt.png" alt="Wazuh" width="800" height="388"></a></p> <p>Confirm agents can communicate on ports 1514 and 1515.</p> <p>At this point, your Wazuh All-in-One deployment is securely reachable only via VPN. You’ve kept your server private, used certificate-based authentication, and segmented your AWS environment properly.</p> <h2> Installing Wazuh in our EKS Node </h2> <p>For this we are going to create a new launch template that we can use in our managed EC2 nodes.</p> <blockquote> <p>Note: Replace WAZUH_MANAGER with the IP of the EC2 instance of Wazuh</p> </blockquote> <p>Create a bash script like this and execute it after filling the fields.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">LT_NAME</span><span class="o">=</span><span class="s2">"wazuh-agents-lt"</span> <span class="nv">AMI_ID</span><span class="o">=</span><span class="s2">"ami-030da889991638ab6"</span> <span class="c"># (AL EKS 2023 or your preferred EKS AMI)</span> <span class="nv">INSTANCE_PROFILE_ARN</span><span class="o">=</span><span class="s2">"&lt;arn:aws:iam::123456789012:instance-profile/MyRole&gt;"</span> <span class="c"># Useful if you want to session manager into the nodes.</span> <span class="nv">SECURITY_GROUP_ID</span><span class="o">=</span><span class="s2">"&lt;sg-xxx&gt;"</span> <span class="nv">SUBNET_ID</span><span class="o">=</span><span class="s2">"&lt;subnet-xxx&gt;"</span> <span class="nv">BOUNDARY</span><span class="o">=</span><span class="s2">"==MYBOUNDARY=="</span> <span class="nb">read</span> <span class="nt">-r</span> <span class="nt">-d</span> <span class="s1">''</span> MIME <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="==MYBOUNDARY==" --==MYBOUNDARY== Content-Type: text/x-shellscript; charset="us-ascii" #!/bin/bash set -euxo pipefail HOSTNAME=</span><span class="si">$(</span>curl <span class="nt">-s</span> http://169.254.169.254/latest/meta-data/local-hostname <span class="o">||</span> <span class="nb">hostname</span><span class="si">)</span><span class="sh"> curl -o /root/wazuh-agent-4.12.0-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.12.0-1.x86_64.rpm WAZUH_MANAGER=10.50.0.41 WAZUH_AGENT_NAME="</span><span class="nv">$HOSTNAME</span><span class="sh">" rpm -ihv /root/wazuh-agent-4.12.0-1.x86_64.rpm systemctl daemon-reload systemctl enable wazuh-agent systemctl start wazuh-agent --==MYBOUNDARY==-- </span><span class="no">EOF </span><span class="nv">UD_B64</span><span class="o">=</span><span class="si">$(</span><span class="nb">printf</span> <span class="s2">"%s"</span> <span class="s2">"</span><span class="nv">$MIME</span><span class="s2">"</span> | <span class="nb">base64</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'\n'</span><span class="si">)</span> aws ec2 create-launch-template <span class="se">\</span> <span class="nt">--launch-template-name</span> <span class="s2">"</span><span class="nv">$LT_NAME</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--version-description</span> <span class="s2">"v1-wazuh-agent"</span> <span class="se">\</span> <span class="nt">--launch-template-data</span> <span class="s2">"{ </span><span class="se">\"</span><span class="s2">ImageId</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="k">${</span><span class="nv">AMI_ID</span><span class="k">}</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">InstanceType</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">&lt;your-node-group-instance&gt;</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">IamInstanceProfile</span><span class="se">\"</span><span class="s2">: { </span><span class="se">\"</span><span class="s2">Arn</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="k">${</span><span class="nv">INSTANCE_PROFILE_ARN</span><span class="k">}</span><span class="se">\"</span><span class="s2"> }, </span><span class="se">\"</span><span class="s2">NetworkInterfaces</span><span class="se">\"</span><span class="s2">: [ { </span><span class="se">\"</span><span class="s2">DeviceIndex</span><span class="se">\"</span><span class="s2">: 0, </span><span class="se">\"</span><span class="s2">SubnetId</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="k">${</span><span class="nv">SUBNET_ID</span><span class="k">}</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">Groups</span><span class="se">\"</span><span class="s2">: [ </span><span class="se">\"</span><span class="k">${</span><span class="nv">SECURITY_GROUP_ID</span><span class="k">}</span><span class="se">\"</span><span class="s2"> ], </span><span class="se">\"</span><span class="s2">AssociatePublicIpAddress</span><span class="se">\"</span><span class="s2">: false } ], </span><span class="se">\"</span><span class="s2">MetadataOptions</span><span class="se">\"</span><span class="s2">: { </span><span class="se">\"</span><span class="s2">HttpTokens</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">required</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">HttpEndpoint</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">enabled</span><span class="se">\"</span><span class="s2"> }, </span><span class="se">\"</span><span class="s2">TagSpecifications</span><span class="se">\"</span><span class="s2">: [ { </span><span class="se">\"</span><span class="s2">ResourceType</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">instance</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">Tags</span><span class="se">\"</span><span class="s2">: [ { </span><span class="se">\"</span><span class="s2">Key</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">Name</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">Value</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">wazuh-agent</span><span class="se">\"</span><span class="s2"> }, { </span><span class="se">\"</span><span class="s2">Key</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">Role</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">Value</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">wazuh</span><span class="se">\"</span><span class="s2"> } ] } ], </span><span class="se">\"</span><span class="s2">UserData</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="k">${</span><span class="nv">UD_B64</span><span class="k">}</span><span class="se">\"</span><span class="s2"> }"</span> </code></pre> </div> <p>After creating the launch template, create the nodegroup, by going to AWS Console &gt; EKS &gt; Compute &gt; Node Groups &gt; Add &gt; Launch Template </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foandfzuskvlmsd28zhn1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foandfzuskvlmsd28zhn1.png" alt="Launch Template" width="800" height="364"></a></p> <p>Now inside our Wazuh server dashboard we can see our nodes being registered.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2jm9c1d3sdj6zickuzi2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2jm9c1d3sdj6zickuzi2.png" alt="Wazuh Dashboard" width="800" height="388"></a></p> <h2> Lessons learned and a conclusion </h2> <p>While setting up a Client VPN with private certificates ensures a secure and private connection, it can become costly in the long run. A practical alternative is to leverage AWS Systems Manager Session Manager with port forwarding to reach the Wazuh dashboard. This approach shifts access control to the AWS service layer instead of the networking layer, reducing complexity and cost while still maintaining strong security</p> todayilearned aws security kubernetes David💻 Mon, 15 Sep 2025 13:28:56 +0000 https://forem.com/davidshaek/creating-a-security-incident-portal-with-kiro-and-aws-1l11 https://forem.com/davidshaek/creating-a-security-incident-portal-with-kiro-and-aws-1l11 <p>This article aims to showcase how Kiro’s features can be used to build a simple security incident portal, hosted on AWS with services like Lambda, Secrets Manager, S3, and CloudFront, while leveraging MSAL Entra ID for authentication.</p> <p><strong>Requirements</strong></p> <ul> <li>AWS account</li> <li>MSAL Entra ID</li> <li>Kiro</li> </ul> <blockquote> <p>Note: This project was made with Kiro before the release of their pricing plan.</p> </blockquote> <h2> The proposed architecture </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcf9vtciiigjzcw2ws5do.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcf9vtciiigjzcw2ws5do.png" alt="Architecture" width="800" height="488"></a></p> <h2> What is Kiro? </h2> <p>Kiro IDE is an AI powered development environment designed to speed up software creation. Instead of starting with manual boilerplate code, you interact with Kiro in natural language. You can describe what you want to build, and Kiro generates the project structure, code, and configurations.<br> Find it <a href="https://kiro.dev/" rel="noopener noreferrer">here</a> </p> <h2> What is Vibe coding? </h2> <p>Vibe coding is a development style where you start writing software through natural conversation or free form prompts instead of rigid plans or detailed specifications. The focus is on exploration and iteration, you describe what you want, review what’s generated, and refine it step by step.</p> <h3> Kiro Vibe Mode vs Spec </h3> <p>Kiro offers two ways to start your project:</p> <ul> <li>Vibe: Chat first, then build. You provide a prompt with your requirements, Kiro generates code, and you give feedback on the output.</li> <li>Spec: Plan first, then build. You give Kiro a detailed set of instructions, similar to a PRD (Product Requirements Document) that outlines the purpose and functionality of the product/feature.</li> </ul> <p>In my experience, especially during Kiro’s early days, Spec mode quickly ran out of requests and often did a poor job completing specific tasks. Some requests timed out, others didn’t match the requirements, and the code started looking like spaghetti. This led me to restart the project from scratch.</p> <p>That’s when I switched to Kiro Vibe mode. Here, I interacted with Kiro through specific prompts about what I needed. I began with the frontend project. Since I wanted to test Kiro’s capabilities, I was intentionally vague and only specified that I wanted a form to report security incidents. Kiro quickly proposed a solution stack: Vite + React. With continuous feedback and iteration, it took me about two days to build the frontend—though I was limited by Kiro’s daily request cap. Without that limitation, it probably would have been faster.</p> <blockquote> <p>Note: This project, while necessary, started as a side project in my free time. The main goal was to explore how popular LLM tools could be leveraged for vibe coding and to see the results. Sure, I could have coded everything manually, but that would have required writing unit tests, creating user stories, designing in Figma, and more. With Kiro, I was able to focus on delivering an MVP as quickly as possible.</p> </blockquote> <h2> Walkthrough </h2> <p>After installing Kiro IDE, create a project. Feel free to organize both the backend and frontend into two folders.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjk58pwrmcjpigdqsznyu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjk58pwrmcjpigdqsznyu.png" alt="kiro1" width="800" height="438"></a></p> <h3> Something about the risk of Autopilot </h3> <p>While Autopilot can be an awesome tool—allowing Kiro to update multiple files automatically—it can also be a double-edged sword. Letting changes go through without review might introduce unnecessary code or even break the codebase. In some cases, other LLM coding assistants have executed terminal commands that interacted with projects and even deleted databases !</p> <p>I can’t stress enough that these types of tools should only be used in offline or development environments, not directly in production</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwydnatudg1ta5qpviah8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwydnatudg1ta5qpviah8.png" alt="kiro2" width="640" height="878"></a></p> <p>Fortunately, Kiro’s default behavior is to prompt you before authorizing any script or command execution.</p> <h3> After some prompting </h3> <p>It is very important to keep in mind that if Autopilot is active, it can lead to massive changes in the codebase. This may result in some functionalities being abandoned or replaced with unnecessary code. To mitigate this risk, I recommend managing our project with git and maintaining a README.MD file for context use, this file is useful if we runout of context window, since it provides a quick reference that allows another session to continue working with the same background knowledge</p> <h2> Frontend structure </h2> <blockquote> <p>Note: The code will be at the final of this article in a git repository.</p> </blockquote> <p>We start by building our frontend with the following prompts:</p> <blockquote> <p>I would like to create a security incident portal where users can authenticate with their organization email using MSAL. The portal should support two roles: User (can only submit reports through a security report form) and Admin (can view submitted reports in a dashboard). Please generate the frontend project structure, including components for login, forms, common UI elements, and an admin dashboard.</p> <p>Please organice the project in a good practice matter, be sure to separate the logic on different components</p> <p>The user role should be able to fill a form with fields related to a IT security incident, be sure to add fields that details the case, the admin role should be able to view this cases in a dashboard with the option to resolve this reports with a modal view.</p> <p>The admin should be also be able to download a report of this incidents in the dashboard tab, through a csv file, please add a button with the option to download the reports including the detailed information</p> <p>Note: There was a process of debugging and asking other prompts for fixing some aspects</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwgi5u7gis9pxqlprhbdo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwgi5u7gis9pxqlprhbdo.png" alt="kiro3" width="800" height="411"></a></p> <p>Our frontend is being described as the follow:</p> <h3> components/: All UI building blocks. </h3> <ul> <li>admin/: admin dashboard &amp; modals.</li> <li>auth/: login screen and Microsoft (MSAL) button.</li> <li>common/: reusable UI bits (logo, spinner, success/error modals).</li> <li>forms/: the security incident report form.</li> </ul> <h3> config/: App configuration and constants </h3> <ul> <li>constants.js → shared constants (app names, messages, etc.).</li> <li>lambdaUrls.js → API/Lambda endpoints.</li> <li>msalConfig.js → MSAL/Entra ID settings (clientId, authority, redirect).</li> <li>roles.js → role names/permissions used for RBAC.</li> </ul> <h3> hooks/: Reusable logic as React hooks: </h3> <ul> <li>useRequests.js → fetch/POST helpers to your APIs.</li> <li>useUserRole.js → derive the user’s role from MSAL claims or app state.</li> </ul> <h3> Main/Root files </h3> <ul> <li>App.jsx → The root UI shell (routes/layout). It wires providers, nav, and renders pages/components based on auth/role.</li> <li>main.jsx → The entry point creates the React root and mounts (often wraps with MSAL/Context providers).</li> <li>App.css / index.css → Global styles.</li> <li>env.example → Sample environment variables to copy to your local .env.</li> <li>eslint.config.js → Linting rules.</li> <li>companylog.webp → Brand/logo asset. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>src/ ├─ assets/ ├─ components/ │ ├─ admin/ │ │ ├─ SecurityDashboard.jsx │ │ └─ SecurityReportModal.jsx │ ├─ auth/ │ │ ├─ LoginScreen.jsx │ │ └─ MicrosoftLoginButton.jsx │ ├─ common/ │ │ ├─ CompanyLogo.jsx │ │ ├─ ErrorModal.jsx │ │ ├─ LoadingSpinner.jsx │ │ └─ SuccessModal.jsx │ └─ forms/ │ └─ PhishingReportForm.jsx ├─ config/ │ ├─ constants.js │ ├─ lambdaUrls.js │ ├─ msalConfig.js │ └─ roles.js ├─ hooks/ │ ├─ useRequests.js │ └─ useUserRole.js ├─ App.css ├─ App.jsx ├─ index.css ├─ main.jsx ├─ companylog.webp ├─ env.example └─ eslint.config.js </code></pre> </div> <h2> Authentication </h2> <p>Before we can execute our code we have some parameters that need to be filled.</p> <p>In this application we will use Entra ID MSAL authentication, since most organizations has a corporate email through Microsoft.</p> <p>For this we go to Microsoft Entra Admin Center &gt; App Registrations &gt; New Registration</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh9g8bxoo3iv6dueghu70.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh9g8bxoo3iv6dueghu70.png" alt="Microsoft Entra" width="800" height="314"></a></p> <p>In the registration we will give it a name select our current single tenant, and for Redirect URI we will select Web and add our localhost</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flejv01h1qaevai71x512.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flejv01h1qaevai71x512.png" alt="Microsoft Entra2" width="800" height="626"></a></p> <blockquote> <p>Note: We will later deploy this in a bucket using cloudfront and route53</p> </blockquote> <p>After registering our app we will copy the ClientID and the TenantID</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhl1k1g8mij8qhf2mjsiz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhl1k1g8mij8qhf2mjsiz.png" alt="Microsoft Entra3" width="800" height="308"></a></p> <p>And replace it in our code at <code>config &gt; msalConfig.js</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// msalConfig.js - MSAL authentication configuration</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PublicClientApplication</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@azure/msal-browser</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Get configuration from environment variables with fallbacks</span> <span class="kd">const</span> <span class="nx">clientId</span> <span class="o">=</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">VITE_MSAL_CLIENT_ID</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">&lt;your-client-id&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">tenantId</span> <span class="o">=</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">VITE_MSAL_TENANT_ID</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">&lt;your-tenant-id&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">msalConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">auth</span><span class="p">:</span> <span class="p">{</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">clientId</span><span class="p">,</span> <span class="na">authority</span><span class="p">:</span> <span class="s2">`https://login.microsoftonline.com/</span><span class="p">${</span><span class="nx">tenantId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">redirectUri</span><span class="p">:</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">cache</span><span class="p">:</span> <span class="p">{</span> <span class="na">cacheLocation</span><span class="p">:</span> <span class="dl">"</span><span class="s2">sessionStorage</span><span class="dl">"</span><span class="p">,</span> <span class="na">storeAuthStateInCookie</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">msalInstance</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PublicClientApplication</span><span class="p">(</span><span class="nx">msalConfig</span><span class="p">);</span> </code></pre> </div> <h2> Running our frontend </h2> <p>Now we can test out our frontend view by running the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>frontend npm <span class="nb">install </span>npm run dev </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyg3xzr90an237zw5kdb8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyg3xzr90an237zw5kdb8.png" alt="RunningApp" width="592" height="226"></a></p> <p>Our login landpage should look like this:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmfm6ufg8pkegxocjbyg7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmfm6ufg8pkegxocjbyg7.png" alt="Landpage" width="800" height="534"></a><br> The form: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0wbv9cnxe6b6tcc2tpw6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0wbv9cnxe6b6tcc2tpw6.png" alt="Form" width="800" height="435"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F77s0l3aotrtxcouscfiq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F77s0l3aotrtxcouscfiq.png" alt="Form2" width="800" height="660"></a></p> <p>The dashboard:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl2zj1y3035yit2x1q7vu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl2zj1y3035yit2x1q7vu.png" alt="Dashboard" width="800" height="581"></a></p> <p>Now that our that we check our frontend is working at a mock level let's proceed uploading our frontend to AWS.</p> <p>For this we execute<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run build </code></pre> </div> <p>This will generate a dist folder in our project with the following content<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dist/ ├─ index.html ├─ vite.sg ├─ assets/ │ ├─ admin/ │ │ ├─ index.js │ │ └─ index.css </code></pre> </div> <h2> Frontend from local to AWS </h2> <p>Now we are going to create an S3 bucket, we can configure it with the default settings, as we are going to use S3 origin access with cloudfront there is no need to make the bucket public we securely expose it through it.<br> We go into the AWS Console &gt; S3 Bucket &gt; We left everything as is.</p> <blockquote> <p>Note: You might check what object locking and versioning can do, normally we handle our frontend through a CI/CD process, but for this example I will upload the files directly into the bucket.</p> </blockquote> <p>After creating we bucket before we upload our files we will go into Properties &gt; Static website hosting.</p> <p>We will enabled it as Bucket hosting and set index.html as default</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhkbfh34dletzz1lgsg6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhkbfh34dletzz1lgsg6.png" alt="Enabled" width="800" height="198"></a><br> Our files in our S3</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcla4hxzfa09imnwl70nt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcla4hxzfa09imnwl70nt.png" alt="files" width="800" height="130"></a></p> <p>Now let's proceed with the cloudfront creation:</p> <p>For this we give our distribution a name, we are going to use a custom domain since I already have a route53 and my certificate loaded at ACM I will use that, otherwise you can use the provided link at cloudfront or just use s3 directly.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0dnsa0nzy5eveykrrh0e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0dnsa0nzy5eveykrrh0e.png" alt="cfstep1" width="800" height="350"></a></p> <p>Here we will use our bucket as a origin, be sure to select the s3 endpoint not the website, as we will configure the s3 endpoint with origin access, AWS cloudfront will provide a policy that should be added to the bucket.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F093h1vcafq5wjjrlo9mk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F093h1vcafq5wjjrlo9mk.png" alt="cfstep2" width="800" height="291"></a></p> <p>The policy goes at the permission tab of our bucket at bucket policy, it should look similar to this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2008-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PolicyForCloudFrontPrivateContent"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowCloudFrontServicePrincipal"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cloudfront.amazonaws.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::security-portal.company.net/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS:SourceArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:cloudfront::111882899112:distribution/E1DCXJC9B8PVOV"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>After that feel free to setup WAF and security features to the cloudfront distribution for this example, I will keep it as simple as possible.</p> <p>After the distribution is created you have two options to register that alternative domain, you can copy the url provided by cloudfront and register it at your registar or route53 as an A record or CNAME or if. you use route53 you can directly add both required records by pressing the button <code>Route Domains to Cloudfront</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fghl664kcgqmmcj8ygt3h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fghl664kcgqmmcj8ygt3h.png" alt="Cloudfront" width="800" height="149"></a></p> <p>Finally we have our frontend ready, however there is one big task left. Entering the backend.</p> <blockquote> <p>Note: Don't forget to add the new domain to MSAL config !</p> </blockquote> <h2> Backend structure </h2> <p>For our backend we will manage a simple architecture based on an small mysql rds database and a lambda, the lambda will be deployed on a VPC that has a peering connection between the VPC of the database, otherwise if your database is public or lives in the same VPC there might be no need to do this.</p> <p>Our frontend is being described as the follow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>├─ database/ │ ├─ schema.sql/ ├─ lambda/ │ ├─ node-modules/ │ ├─ index.js │ ├─ package.json │ ├─ package-lock.json </code></pre> </div> <h3> database/: Database sql script </h3> <ul> <li>schema.sql → full MySQL 8.0 DDL: tables (requests, request_comments, user_roles, request_audit_log), request_stats view, seed admins, sample data.</li> </ul> <h3> lambda/: Python 3.13 with URI Function and VPC </h3> <ul> <li>index.js → main Lambda handler &amp; router (health, auth role lookup, list/create requests, stats, update status). Includes MySQL pool, JSON helpers, ID generators, Teams/Power Automate notifier, and CORS.</li> <li>package.json → Node project manifest (runtime entrypoint, scripts, deps like mysql2/promise).</li> <li>package-lock.json → exact dependency lock for reproducible builds.</li> <li>node_modules/ → installed npm packages used by the Lambda at runtime.</li> </ul> <p>For our database we are going to use the following script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Security Incident Portal Database Schema</span> <span class="c1">-- Production-ready schema for MySQL 8.0+</span> <span class="c1">-- Database: SecurityIncidentPortal</span> <span class="c1">-- Create the database if it doesn't exist</span> <span class="k">CREATE</span> <span class="k">DATABASE</span> <span class="n">IF</span> <span class="k">NOT</span> <span class="k">EXISTS</span> <span class="n">SecurityIncidentPortal</span> <span class="nb">CHARACTER</span> <span class="k">SET</span> <span class="n">utf8mb4</span> <span class="k">COLLATE</span> <span class="n">utf8mb4_unicode_ci</span><span class="p">;</span> <span class="n">USE</span> <span class="n">SecurityIncidentPortal</span><span class="p">;</span> <span class="c1">-- Main requests table for security incidents</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">requests</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">50</span><span class="p">)</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">user_info</span> <span class="n">JSON</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">form_data</span> <span class="n">JSON</span><span class="p">,</span> <span class="n">request_type</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">50</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">details</span> <span class="n">JSON</span><span class="p">,</span> <span class="n">reason</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">request_status</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">20</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="s1">'pending'</span><span class="p">,</span> <span class="n">priority_level</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">20</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="s1">'normal'</span><span class="p">,</span> <span class="n">created_at</span> <span class="nb">TIMESTAMP</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span><span class="p">,</span> <span class="n">updated_at</span> <span class="nb">TIMESTAMP</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span> <span class="k">ON</span> <span class="k">UPDATE</span> <span class="k">CURRENT_TIMESTAMP</span><span class="p">,</span> <span class="n">approved_at</span> <span class="nb">TIMESTAMP</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">completed_at</span> <span class="nb">TIMESTAMP</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">assigned_to</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">),</span> <span class="n">assigned_by</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">),</span> <span class="k">INDEX</span> <span class="n">idx_user_id</span> <span class="p">(</span><span class="n">user_id</span><span class="p">),</span> <span class="k">INDEX</span> <span class="n">idx_request_type</span> <span class="p">(</span><span class="n">request_type</span><span class="p">),</span> <span class="k">INDEX</span> <span class="n">idx_request_status</span> <span class="p">(</span><span class="n">request_status</span><span class="p">),</span> <span class="k">INDEX</span> <span class="n">idx_priority_level</span> <span class="p">(</span><span class="n">priority_level</span><span class="p">),</span> <span class="k">INDEX</span> <span class="n">idx_created_at</span> <span class="p">(</span><span class="n">created_at</span><span class="p">),</span> <span class="k">INDEX</span> <span class="n">idx_assigned_to</span> <span class="p">(</span><span class="n">assigned_to</span><span class="p">),</span> <span class="k">CONSTRAINT</span> <span class="n">chk_request_status</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">request_status</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'open'</span><span class="p">,</span> <span class="s1">'in-progress'</span><span class="p">,</span> <span class="s1">'resolved'</span><span class="p">,</span> <span class="s1">'closed'</span><span class="p">)),</span> <span class="k">CONSTRAINT</span> <span class="n">chk_priority_level</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">priority_level</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'low'</span><span class="p">,</span> <span class="s1">'medium'</span><span class="p">,</span> <span class="s1">'high'</span><span class="p">,</span> <span class="s1">'critical'</span><span class="p">)),</span> <span class="k">CONSTRAINT</span> <span class="n">chk_request_type</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">request_type</span> <span class="k">IN</span> <span class="p">(</span> <span class="s1">'phishing-email'</span><span class="p">,</span><span class="s1">'suspicious-website'</span><span class="p">,</span><span class="s1">'social-engineering'</span><span class="p">,</span> <span class="s1">'malware'</span><span class="p">,</span><span class="s1">'data-breach'</span><span class="p">,</span><span class="s1">'identity-theft'</span><span class="p">,</span><span class="s1">'other'</span><span class="p">,</span><span class="s1">'phishing-report'</span> <span class="p">))</span> <span class="p">)</span> <span class="n">ENGINE</span><span class="o">=</span><span class="n">InnoDB</span> <span class="k">DEFAULT</span> <span class="n">CHARSET</span><span class="o">=</span><span class="n">utf8mb4</span> <span class="k">COLLATE</span><span class="o">=</span><span class="n">utf8mb4_unicode_ci</span><span class="p">;</span> <span class="c1">-- Comments table for request discussions</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">request_comments</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">50</span><span class="p">)</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">request_id</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">50</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">user_name</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">message</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">is_internal</span> <span class="nb">BOOLEAN</span> <span class="k">DEFAULT</span> <span class="k">FALSE</span><span class="p">,</span> <span class="n">created_at</span> <span class="nb">TIMESTAMP</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span><span class="p">,</span> <span class="k">FOREIGN</span> <span class="k">KEY</span> <span class="p">(</span><span class="n">request_id</span><span class="p">)</span> <span class="k">REFERENCES</span> <span class="n">requests</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">ON</span> <span class="k">DELETE</span> <span class="k">CASCADE</span><span class="p">,</span> <span class="k">INDEX</span> <span class="n">idx_request_id</span> <span class="p">(</span><span class="n">request_id</span><span class="p">),</span> <span class="k">INDEX</span> <span class="n">idx_user_id</span> <span class="p">(</span><span class="n">user_id</span><span class="p">),</span> <span class="k">INDEX</span> <span class="n">idx_created_at</span> <span class="p">(</span><span class="n">created_at</span><span class="p">)</span> <span class="p">)</span> <span class="n">ENGINE</span><span class="o">=</span><span class="n">InnoDB</span> <span class="k">DEFAULT</span> <span class="n">CHARSET</span><span class="o">=</span><span class="n">utf8mb4</span> <span class="k">COLLATE</span><span class="o">=</span><span class="n">utf8mb4_unicode_ci</span><span class="p">;</span> <span class="c1">-- User roles table - For caching user roles and permissions</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">user_roles</span> <span class="p">(</span> <span class="n">user_id</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">email</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">UNIQUE</span><span class="p">,</span> <span class="n">user_name</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">200</span><span class="p">),</span> <span class="n">user_role</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">20</span><span class="p">)</span> <span class="k">DEFAULT</span> <span class="s1">'user'</span><span class="p">,</span> <span class="n">permissions</span> <span class="n">JSON</span><span class="p">,</span> <span class="n">last_updated</span> <span class="nb">TIMESTAMP</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span> <span class="k">ON</span> <span class="k">UPDATE</span> <span class="k">CURRENT_TIMESTAMP</span><span class="p">,</span> <span class="k">INDEX</span> <span class="n">idx_email</span> <span class="p">(</span><span class="n">email</span><span class="p">),</span> <span class="k">INDEX</span> <span class="n">idx_user_role</span> <span class="p">(</span><span class="n">user_role</span><span class="p">),</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">user_role</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'user'</span><span class="p">,</span> <span class="s1">'it-support'</span><span class="p">,</span> <span class="s1">'admin'</span><span class="p">))</span> <span class="p">)</span> <span class="n">ENGINE</span><span class="o">=</span><span class="n">InnoDB</span> <span class="k">DEFAULT</span> <span class="n">CHARSET</span><span class="o">=</span><span class="n">utf8mb4</span> <span class="k">COLLATE</span><span class="o">=</span><span class="n">utf8mb4_unicode_ci</span><span class="p">;</span> <span class="c1">-- Request audit log table - For tracking changes</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">request_audit_log</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">INT</span> <span class="n">AUTO_INCREMENT</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">request_id</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">50</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">user_id</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">action_type</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">50</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">old_values</span> <span class="n">JSON</span><span class="p">,</span> <span class="n">new_values</span> <span class="n">JSON</span><span class="p">,</span> <span class="n">created_at</span> <span class="nb">TIMESTAMP</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span><span class="p">,</span> <span class="k">FOREIGN</span> <span class="k">KEY</span> <span class="p">(</span><span class="n">request_id</span><span class="p">)</span> <span class="k">REFERENCES</span> <span class="n">requests</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">ON</span> <span class="k">DELETE</span> <span class="k">CASCADE</span><span class="p">,</span> <span class="k">INDEX</span> <span class="n">idx_request_id</span> <span class="p">(</span><span class="n">request_id</span><span class="p">),</span> <span class="k">INDEX</span> <span class="n">idx_user_id</span> <span class="p">(</span><span class="n">user_id</span><span class="p">),</span> <span class="k">INDEX</span> <span class="n">idx_action_type</span> <span class="p">(</span><span class="n">action_type</span><span class="p">),</span> <span class="k">INDEX</span> <span class="n">idx_created_at</span> <span class="p">(</span><span class="n">created_at</span><span class="p">)</span> <span class="p">)</span> <span class="n">ENGINE</span><span class="o">=</span><span class="n">InnoDB</span> <span class="k">DEFAULT</span> <span class="n">CHARSET</span><span class="o">=</span><span class="n">utf8mb4</span> <span class="k">COLLATE</span><span class="o">=</span><span class="n">utf8mb4_unicode_ci</span><span class="p">;</span> <span class="c1">-- Insert a single default admin (generic email)</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">user_roles</span> <span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">user_name</span><span class="p">,</span> <span class="n">user_role</span><span class="p">,</span> <span class="n">permissions</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="s1">'admin-user'</span><span class="p">,</span> <span class="s1">'bolivar.llerena@company.net'</span><span class="p">,</span> <span class="s1">'Admin User'</span><span class="p">,</span> <span class="s1">'admin'</span><span class="p">,</span> <span class="n">JSON_ARRAY</span><span class="p">(</span><span class="s1">'request:create'</span><span class="p">,</span><span class="s1">'request:view-own'</span><span class="p">,</span><span class="s1">'request:view-all'</span><span class="p">,</span><span class="s1">'request:approve'</span><span class="p">,</span><span class="s1">'request:assign'</span><span class="p">,</span><span class="s1">'request:delete'</span><span class="p">,</span><span class="s1">'notification:send'</span><span class="p">,</span><span class="s1">'user:manage'</span><span class="p">,</span><span class="s1">'analytics:view'</span><span class="p">))</span> <span class="k">ON</span> <span class="n">DUPLICATE</span> <span class="k">KEY</span> <span class="k">UPDATE</span> <span class="n">user_name</span> <span class="o">=</span> <span class="k">VALUES</span><span class="p">(</span><span class="n">user_name</span><span class="p">),</span> <span class="n">user_role</span> <span class="o">=</span> <span class="k">VALUES</span><span class="p">(</span><span class="n">user_role</span><span class="p">),</span> <span class="n">permissions</span> <span class="o">=</span> <span class="k">VALUES</span><span class="p">(</span><span class="n">permissions</span><span class="p">);</span> <span class="c1">-- Comprehensive statistics view</span> <span class="k">CREATE</span> <span class="k">VIEW</span> <span class="n">request_stats</span> <span class="k">AS</span> <span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">as</span> <span class="n">total_requests</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_status</span> <span class="o">=</span> <span class="s1">'open'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">open_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_status</span> <span class="o">=</span> <span class="s1">'in-progress'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">in_progress_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_status</span> <span class="o">=</span> <span class="s1">'resolved'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">resolved_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_status</span> <span class="o">=</span> <span class="s1">'closed'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">closed_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="nb">DATE</span><span class="p">(</span><span class="n">created_at</span><span class="p">)</span> <span class="o">=</span> <span class="n">CURDATE</span><span class="p">()</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">today_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">created_at</span> <span class="o">&gt;=</span> <span class="n">DATE_SUB</span><span class="p">(</span><span class="n">NOW</span><span class="p">(),</span> <span class="n">INTERVAL</span> <span class="mi">7</span> <span class="k">DAY</span><span class="p">)</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">week_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">created_at</span> <span class="o">&gt;=</span> <span class="n">DATE_SUB</span><span class="p">(</span><span class="n">NOW</span><span class="p">(),</span> <span class="n">INTERVAL</span> <span class="mi">30</span> <span class="k">DAY</span><span class="p">)</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">month_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_type</span> <span class="o">=</span> <span class="s1">'phishing-email'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">phishing_email_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_type</span> <span class="o">=</span> <span class="s1">'suspicious-website'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">suspicious_website_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_type</span> <span class="o">=</span> <span class="s1">'social-engineering'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">social_engineering_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_type</span> <span class="o">=</span> <span class="s1">'malware'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">malware_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_type</span> <span class="o">=</span> <span class="s1">'data-breach'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">data_breach_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_type</span> <span class="o">=</span> <span class="s1">'identity-theft'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">identity_theft_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_type</span> <span class="o">=</span> <span class="s1">'other'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">other_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_type</span> <span class="o">=</span> <span class="s1">'phishing-report'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">phishing_report_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">priority_level</span> <span class="o">=</span> <span class="s1">'low'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">priority_low_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">priority_level</span> <span class="o">=</span> <span class="s1">'medium'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">priority_medium_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">priority_level</span> <span class="o">=</span> <span class="s1">'high'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">priority_high_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">priority_level</span> <span class="o">=</span> <span class="s1">'critical'</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">priority_critical_count</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_type</span> <span class="k">IN</span> <span class="p">(</span> <span class="s1">'phishing-email'</span><span class="p">,</span><span class="s1">'suspicious-website'</span><span class="p">,</span><span class="s1">'social-engineering'</span><span class="p">,</span> <span class="s1">'malware'</span><span class="p">,</span><span class="s1">'data-breach'</span><span class="p">,</span><span class="s1">'identity-theft'</span><span class="p">,</span><span class="s1">'phishing-report'</span><span class="p">,</span><span class="s1">'other'</span> <span class="p">)</span> <span class="k">THEN</span> <span class="mi">1</span> <span class="k">ELSE</span> <span class="mi">0</span> <span class="k">END</span><span class="p">)</span> <span class="k">as</span> <span class="n">security_incidents_count</span><span class="p">,</span> <span class="n">ROUND</span><span class="p">(</span><span class="k">AVG</span><span class="p">(</span><span class="k">CASE</span> <span class="k">WHEN</span> <span class="n">request_status</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'completed'</span><span class="p">,</span><span class="s1">'resolved'</span><span class="p">,</span><span class="s1">'closed'</span><span class="p">)</span> <span class="k">AND</span> <span class="p">(</span><span class="n">completed_at</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">OR</span> <span class="n">updated_at</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">)</span> <span class="k">THEN</span> <span class="n">TIMESTAMPDIFF</span><span class="p">(</span><span class="n">HOUR</span><span class="p">,</span> <span class="n">created_at</span><span class="p">,</span> <span class="n">COALESCE</span><span class="p">(</span><span class="n">completed_at</span><span class="p">,</span> <span class="n">updated_at</span><span class="p">))</span> <span class="k">ELSE</span> <span class="k">NULL</span> <span class="k">END</span><span class="p">),</span> <span class="mi">2</span><span class="p">)</span> <span class="k">as</span> <span class="n">avg_processing_time_hours</span> <span class="k">FROM</span> <span class="n">requests</span><span class="p">;</span> </code></pre> </div> <p>The SQL script defines normalized tables for incidents (requests), threaded discussions (request_comments), role-based access (user_roles), and an immutable change history (request_audit_log). It adds strategic indexes and CHECK constraints for data integrity and query performance, builds a request_stats view that powers dashboards (status/type/priority/time-window counts and average processing time), seeds an admin account,</p> <p>With this script we fill basically use for the following API:</p> <ul> <li>User should be able to fill a form with required and optional fields from different type such as string, timestamp, floats, emails</li> <li>User should have two roles user and admin, admin is the only role that is capable of viewing the dashboard, add investigation notes and set incident reports to solved, canceled or closed</li> <li>User should be able to see a small metric on how many reports exist, how many are critical, how many are solved</li> </ul> <p>With this in mind we are going to proceed to create our RDS database and our lambda.</p> <p>In the AWS Console, we search for Aurora and RDS &gt; Databases &gt; Create Database, for this example we are going to use MYSQL in a free tier environment with engine 8.0.x</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd7e86tc4ym0t61hwsbkk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd7e86tc4ym0t61hwsbkk.png" alt="RDS" width="800" height="444"></a></p> <p>As a good practice we should use secrets manager to manage our database password, this also enables us to program password rotation and other neat stuff.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjmi0m39idnxtkbibueud.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjmi0m39idnxtkbibueud.png" alt="RDS2" width="800" height="294"></a></p> <p>For the instance type a t4g.micro is good enough depending on our workload, and the size feel free to edit it to your needs</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F88y1tf3l6izm6us9tnba.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F88y1tf3l6izm6us9tnba.png" alt="RDS3" width="800" height="355"></a></p> <p>For other configurations select your database vpc, feel free to tune your logs, backup and maintance window, after configuring and creating the database proceed to execute the .sql script.</p> <p>Now we can create our lambda, we search for the service called Lambda &gt; Create Function.</p> <p>For our lambda, give it a name like security-api, let the lambda create the execution role and be sure to enable Function URL and VPC (if your database is not public)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fto4e5y50t966pyqkgeny.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fto4e5y50t966pyqkgeny.png" alt="Lambda1" width="800" height="441"></a></p> <p>Now for our lambda upload the code provided in the github repository at the end of this article and copy the url this url should be the one that needs to be replaced at our frontend</p> <blockquote> <p>Note: The lambda uses environment variables however it is recommended to use secrets manager and handle this access through code.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhgwt7lm5w8evq90s74iq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhgwt7lm5w8evq90s74iq.png" alt="Lambda2" width="800" height="175"></a></p> <p>Finally we have our security incident portal ready to go !</p> <h2> Lessons learned and a conclusion </h2> <p>While Kiro is a powerful tool that can help developers accelerate their SDLC process, it still requires close supervision. There is significant feedback and debugging needed, such as addressing unnecessary functions, security concerns, and a lack of unit tests. These challenges, however, can be mitigated by following a proper SDLC process, using Kiro to support each phase and ensuring a solid PRD is in place. I’m excited to see what the future holds there is still much potential yet to be revealed !</p> <h2> Repositories </h2> <p><a href="https://github.com/bdllerena/aws-kiro-security-portal-frontend" rel="noopener noreferrer">Frontend</a><br> <a href="https://github.com/bdllerena/aws-kiro-security-portal-backend" rel="noopener noreferrer">Backend</a></p> aws todayilearned programming webdev David💻 Wed, 10 Sep 2025 02:26:15 +0000 https://forem.com/davidshaek/implementing-owin-authentication-with-microsoft-entra-id-in-aspnet-framework-5g4i https://forem.com/davidshaek/implementing-owin-authentication-with-microsoft-entra-id-in-aspnet-framework-5g4i <p>This article purpose is to describe how to secure your ASP.NET Framework application using OWIN middleware and Microsoft Entra ID (Azure AD) authentication. This comprehensive guide walks you through creating protected endpoints while maintaining public health checks for load balancers.</p> <p><strong>Requirements</strong></p> <ul> <li>Visual Studio 2022</li> <li>Azure Subscription</li> </ul> <h2> Walkthrough </h2> <h3> Creating the App Service </h3> <p>Within our Azure subscription, we will create an App Service of type Web App.<br> In the template, we will fill in basic data:</p> <ul> <li>Select our Azure subscription</li> <li>Create a resource group if one doesn't already exist</li> <li>Give our application a name</li> <li>We will publish the code directly from Visual Studio 2022</li> <li>Our Runtime will be ASP.NET V4.8</li> <li>Choose the Region and plan that best suits our needs</li> <li>For this example, we will select a less crowded region and proceed with the Free plan</li> </ul> <p>Proceed with the "Review + Create" option.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd1w5iuyv9hbwmsx8wua1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd1w5iuyv9hbwmsx8wua1.png" alt="image1" width="800" height="789"></a></p> <h3> Configuring the Default Domain </h3> <p>After our service has been created, we will navigate to the dashboard and copy the "Default Domain" value.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Few7a6ye9eq4a9o9zk1v6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Few7a6ye9eq4a9o9zk1v6.png" alt="image2" width="800" height="132"></a></p> <h3> Registering the Application in Microsoft Entra ID </h3> <p>Now we will navigate within our Azure Portal to Microsoft Entra ID &gt; Manage &gt; App Registrations.<br> Within this window, we will register the application by clicking the "New Registration" option.</p> <p>In this window, we will:</p> <ul> <li>Register the name of our application</li> <li>Define which Tenants can access the application</li> <li>Register the URI by copying the App Service application URL as "Web"</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffxrbhj7qlwkb2alng95n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffxrbhj7qlwkb2alng95n.png" alt="image3" width="800" height="571"></a></p> <h3> Configuring Authentication </h3> <p>After having our application registered, in the same dashboard of our registered application, we navigate to Manage &gt; Authentication.</p> <p>In this window, we will activate the following options:</p> <ul> <li>ID tokens (used for implicit and hybrid flows)</li> <li>Access tokens (used for implicit and hybrid flows)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2q039vixomotx022ren1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2q039vixomotx022ren1.png" alt="image4" width="800" height="372"></a></p> <h3> Creating the Application in Visual Studio 2022 </h3> <p>We will create a new project with the following template:</p> <ul> <li>ASP.NET Web Application (.NET Framework)</li> <li>Select runtime: .NET Framework 4.8</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fly15gxm91pb7n9bjdl6m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fly15gxm91pb7n9bjdl6m.png" alt="image5" width="800" height="162"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4skn5y4kk3a1l90dw4xv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4skn5y4kk3a1l90dw4xv.png" alt="image6" width="800" height="542"></a></p> <p>In the next window:</p> <ul> <li>Select type: MVC</li> <li>Authentication: None (because Azure will handle the authentication)</li> <li>Uncheck "Configure for HTTPS"</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6eduo9bnxl3rexm4y1ha.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6eduo9bnxl3rexm4y1ha.png" alt="image7" width="790" height="552"></a></p> <h3> Installing Required Dependencies </h3> <p>Now we will proceed to install the necessary dependencies to run the project. Within the project:</p> <p>Right-click &gt; Manage NuGet Packages for Solution</p> <p>Search for and install the following packages:</p> <ul> <li>Microsoft.Owin.Security.OpenIdConnect</li> <li>Microsoft.Owin.Security.Cookies</li> <li>Microsoft.Owin.Host.SystemWeb</li> <li>Microsoft.IdentityModel.Protocols.OpenIdConnect</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxo87obgtp72rb7n7ldlf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxo87obgtp72rb7n7ldlf.png" alt="image8" width="800" height="573"></a></p> <h3> Modifying Web.Config </h3> <p>After installing our dependencies, we start by modifying the Web.Config file.<br> Within appSettings, we proceed to modify the following values. </p> <p>From Microsoft Entra ID, in App registrations, we look for our application and copy the following values:</p> <ul> <li>ClientID</li> <li>TenantID</li> <li>RedirectUri (that we configured in App Service)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F39tgh9kah0n14khrc387.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F39tgh9kah0n14khrc387.png" alt="image8" width="800" height="152"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;appSettings&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"webpages:Version"</span> <span class="na">value=</span><span class="s">"3.0.0.0"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"webpages:Enabled"</span> <span class="na">value=</span><span class="s">"false"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"ClientValidationEnabled"</span> <span class="na">value=</span><span class="s">"true"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"UnobtrusiveJavaScriptEnabled"</span> <span class="na">value=</span><span class="s">"true"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"ida:ClientId"</span> <span class="na">value=</span><span class="s">"&lt;your-client-id&gt;"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"ida:Authority"</span> <span class="na">value=</span><span class="s">"https://login.microsoftonline.com/&lt;your-tenant-id&gt;/v2.0"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;add</span> <span class="na">key=</span><span class="s">"ida:RedirectUri"</span> <span class="na">value=</span><span class="s">"https://&lt;your-application&gt;.azurewebsites.net/"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/appSettings&gt;</span> <span class="nt">&lt;system.web&gt;</span> <span class="nt">&lt;authentication</span> <span class="na">mode=</span><span class="s">"None"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;compilation</span> <span class="na">debug=</span><span class="s">"true"</span> <span class="na">targetFramework=</span><span class="s">"4.8"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;httpRuntime</span> <span class="na">targetFramework=</span><span class="s">"4.8"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;customErrors</span> <span class="na">mode=</span><span class="s">"Off"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/system.web&gt;</span> </code></pre> </div> <h3> Creating Startup.cs </h3> <p>Now we will proceed with the creation of a file in the root called Startup.cs. What this file does is basically provide authentication control that sits in front of all requests.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Microsoft.Owin</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Owin.Security</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Owin.Security.Cookies</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Microsoft.Owin.Security.OpenIdConnect</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Owin</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Configuration</span><span class="p">;</span> <span class="p">[</span><span class="n">assembly</span><span class="p">:</span> <span class="nf">OwinStartup</span><span class="p">(</span><span class="k">typeof</span><span class="p">(</span><span class="n">TestAuthApplication</span><span class="p">.</span><span class="n">Startup</span><span class="p">))]</span> <span class="k">namespace</span> <span class="nn">TestAuthApplication</span> <span class="p">{</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">Startup</span> <span class="p">{</span> <span class="k">public</span> <span class="k">void</span> <span class="nf">Configuration</span><span class="p">(</span><span class="n">IAppBuilder</span> <span class="n">app</span><span class="p">)</span> <span class="p">{</span> <span class="n">app</span><span class="p">.</span><span class="nf">SetDefaultSignInAsAuthenticationType</span><span class="p">(</span><span class="n">CookieAuthenticationDefaults</span><span class="p">.</span><span class="n">AuthenticationType</span><span class="p">);</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseCookieAuthentication</span><span class="p">(</span><span class="k">new</span> <span class="nf">CookieAuthenticationOptions</span><span class="p">());</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseOpenIdConnectAuthentication</span><span class="p">(</span> <span class="k">new</span> <span class="n">OpenIdConnectAuthenticationOptions</span> <span class="p">{</span> <span class="n">ClientId</span> <span class="p">=</span> <span class="n">ConfigurationManager</span><span class="p">.</span><span class="n">AppSettings</span><span class="p">[</span><span class="s">"ida:ClientId"</span><span class="p">],</span> <span class="n">Authority</span> <span class="p">=</span> <span class="n">ConfigurationManager</span><span class="p">.</span><span class="n">AppSettings</span><span class="p">[</span><span class="s">"ida:Authority"</span><span class="p">],</span> <span class="n">RedirectUri</span> <span class="p">=</span> <span class="n">ConfigurationManager</span><span class="p">.</span><span class="n">AppSettings</span><span class="p">[</span><span class="s">"ida:RedirectUri"</span><span class="p">],</span> <span class="n">ResponseType</span> <span class="p">=</span> <span class="s">"code id_token"</span><span class="p">,</span> <span class="n">Scope</span> <span class="p">=</span> <span class="s">"openid profile email"</span><span class="p">,</span> <span class="n">TokenValidationParameters</span> <span class="p">=</span> <span class="k">new</span> <span class="n">Microsoft</span><span class="p">.</span><span class="n">IdentityModel</span><span class="p">.</span><span class="n">Tokens</span><span class="p">.</span><span class="n">TokenValidationParameters</span> <span class="p">{</span> <span class="n">ValidateIssuer</span> <span class="p">=</span> <span class="k">false</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Creating Controllers </h3> <p>Now we proceed to create two controllers: a health check which will allow us to return a 200 response to the load balancer without needing authentication, and a protected page.</p> <h3> HealthCheckController.cs (No Authentication Required) </h3> <p>Within Controllers &gt; HealthCheckController.cs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">System</span><span class="p">;</span> <span class="k">using</span> <span class="nn">System.Web.Mvc</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">TestAuthApplication.Controllers</span> <span class="p">{</span> <span class="p">[</span><span class="n">AllowAnonymous</span><span class="p">]</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">HealthCheckController</span> <span class="p">:</span> <span class="n">Controller</span> <span class="p">{</span> <span class="k">public</span> <span class="n">ActionResult</span> <span class="nf">Index</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Json</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">status</span> <span class="p">=</span> <span class="s">"healthy"</span><span class="p">,</span> <span class="n">timestamp</span> <span class="p">=</span> <span class="n">DateTime</span><span class="p">.</span><span class="n">UtcNow</span><span class="p">,</span> <span class="n">service</span> <span class="p">=</span> <span class="s">"TestAuthApplication"</span> <span class="p">},</span> <span class="n">JsonRequestBehavior</span><span class="p">.</span><span class="n">AllowGet</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="n">ActionResult</span> <span class="nf">Ping</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Content</span><span class="p">(</span><span class="s">"OK"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>To prevent authentication, we define <code>[AllowAnonymous]</code>.</p> <h3> ProtectedController.cs (Authentication Required) </h3> <p>Now we will proceed to create a protected page in Controllers &gt; ProtectedController.cs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">System.Web.Mvc</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">TestAuthApplication.Controllers</span> <span class="p">{</span> <span class="p">[</span><span class="n">Authorize</span><span class="p">]</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">ProtectedController</span> <span class="p">:</span> <span class="n">Controller</span> <span class="p">{</span> <span class="k">public</span> <span class="n">ActionResult</span> <span class="nf">Index</span><span class="p">()</span> <span class="p">{</span> <span class="n">ViewBag</span><span class="p">.</span><span class="n">UserName</span> <span class="p">=</span> <span class="n">User</span><span class="p">.</span><span class="n">Identity</span><span class="p">.</span><span class="n">Name</span><span class="p">;</span> <span class="k">return</span> <span class="nf">View</span><span class="p">();</span> <span class="p">}</span> <span class="k">public</span> <span class="n">ActionResult</span> <span class="nf">SecureData</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Json</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">message</span> <span class="p">=</span> <span class="s">"This is protected data"</span><span class="p">,</span> <span class="n">user</span> <span class="p">=</span> <span class="n">User</span><span class="p">.</span><span class="n">Identity</span><span class="p">.</span><span class="n">Name</span> <span class="p">},</span> <span class="n">JsonRequestBehavior</span><span class="p">.</span><span class="n">AllowGet</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>To require authentication, we define <code>[Authorize]</code>.</p> <h3> Creating the View </h3> <p>Additionally, we can add a view for this in Views &gt; Protected &gt; Index.cshtml:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>@{ ViewBag.Title = "Protected Page"; } <span class="nt">&lt;h2&gt;</span>Protected Page - Authentication Successful!<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;p&gt;</span>Welcome, @User.Identity.Name!<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;p&gt;</span>You are successfully authenticated.<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;p&gt;</span>This page requires authentication to access.<span class="nt">&lt;/p&gt;</span> </code></pre> </div> <h3> Publishing to Azure </h3> <p>With our project ready, we will now proceed to publish it:</p> <ul> <li>Right-click on the project &gt; Publish &gt; Azure</li> <li>Authenticate with the user account that has access to our Azure subscription</li> <li>Select our resource group and app service</li> <li>Click Publish</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fao3kvwslstjsd5htg5v0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fao3kvwslstjsd5htg5v0.png" alt="image10" width="800" height="224"></a></p> <h2> Testing the Application </h2> <p>Finally, we verify the access:</p> <ol> <li>Page without authentication requirement</li> </ol> <p>Health check endpoint should return 200 without login</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flvekowiz4oi9nt6aqew1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flvekowiz4oi9nt6aqew1.png" alt="image11" width="800" height="124"></a></p> <ol> <li>User authenticated in the tenant</li> </ol> <p>Successfully accesses protected pages</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv2wblir0qedg4h491don.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv2wblir0qedg4h491don.png" alt="image12" width="800" height="313"></a></p> <ol> <li>User authenticated but not in the tenant</li> </ol> <p>Receives access denied message</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6jea58i1513t7wgn65n4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6jea58i1513t7wgn65n4.png" alt="image13" width="800" height="429"></a></p> <h2> Summary </h2> <p>Public endpoints (health check) that don't require authentication<br> Protected endpoints that require Azure AD authentication<br> OWIN middleware handling the authentication flow<br> Integration with Azure App Service for hosting</p> azure todayilearned programming webdev David💻 Mon, 23 Sep 2024 08:48:16 +0000 https://forem.com/davidshaek/engines-to-get-you-started-in-your-web-based-gaming-development-1j45 https://forem.com/davidshaek/engines-to-get-you-started-in-your-web-based-gaming-development-1j45 <p><em>This is a submission for the <a href="https://dev.to/challenges/webgame">Web Game Challenge</a>: One Byte Explainer</em></p> <h2> Explainer </h2> <ol> <li>ct.js (openSource2D): Visual scripting language</li> <li>Babylon.js (3DHTML): WebGL for high-quality 3D scenes</li> <li>Phaser (openSource2D): Vast plugin ecosystem</li> <li>nunuStudio (openSource, three.js): Node based language</li> <li>RPG Maker (free non-commercial): Event system language</li> </ol> <h2> Additional Context </h2> <p>These engines can help get you kickstarted, most of them are friendly but powerful with a step learning curve, with a strong community behind them.</p> <ul> <li> <a href="https://ctjs.rocks/" rel="noopener noreferrer">ctjs</a> </li> <li> <a href="https://www.babylonjs.com/" rel="noopener noreferrer">Babylonjs</a> </li> <li> <a href="https://phaser.io/" rel="noopener noreferrer">Phaser</a> </li> <li> <a href="https://www.nunustudio.org/" rel="noopener noreferrer">nunuStudio</a> </li> <li> <a href="https://www.rpgmakerweb.com/" rel="noopener noreferrer">RPG Maker</a> </li> </ul> devchallenge gamechallenge gamedev webdev David💻 Wed, 18 Sep 2024 16:35:13 +0000 https://forem.com/aws-builders/create-an-aws-eks-fargate-v130-and-play-prince-of-persia--a40 https://forem.com/aws-builders/create-an-aws-eks-fargate-v130-and-play-prince-of-persia--a40 <p>In this article, I will provide a step by step guide on how to create an EKS cluster using eksctl (v1.30). I will also demonstrate how to deploy a game based on the MS-DOS version of Prince of Persia.</p> <p><strong>Requirements</strong></p> <ul> <li>AWS account / AWS CLI</li> <li>Github account or any git repository</li> <li>Docker</li> <li>eksctl</li> <li>helm</li> </ul> <h2> Walkthrough </h2> <p>Open Cloud Shell service in AWS.<br> If not already, install eksctl with the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--silent</span> <span class="nt">--location</span> <span class="s2">"https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_</span><span class="si">$(</span><span class="nb">uname</span> <span class="nt">-s</span><span class="si">)</span><span class="s2">_amd64.tar.gz"</span> | <span class="nb">tar </span>xz <span class="nt">-C</span> /tmp <span class="nb">sudo mv</span> /tmp/eksctl /usr/local/bin </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdnhxwqhv6x1xjgci9xny.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdnhxwqhv6x1xjgci9xny.png" alt="eksctl version" width="800" height="57"></a><br> Now, let's proceed to create our cluster with version 1.30, using fargate. Run the following command. (Be sure to create your cluster in the same region as your VPC)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>eksctl create cluster <span class="nt">--name</span> gaming-cluster <span class="nt">--version</span> 1.30 <span class="nt">--region</span> us-east-1 <span class="nt">--fargate</span> </code></pre> </div> <p>If you want to create your cluster in a specific VPC be sure to specify the corresponding subnets (otherwise this command is going to create a vpc dedicated to the eks)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>eksctl create cluster <span class="nt">--name</span> gaming-cluster <span class="nt">--version</span> 1.30 <span class="nt">--region</span> us-east-1 <span class="nt">--fargate</span> <span class="nt">--vpc-private-subnets</span> subnet-private-1, subnet-private-2 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyywk4rwqhvf9tueya87o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyywk4rwqhvf9tueya87o.png" alt="EKS creation" width="800" height="305"></a><br> This process might take around 20~25+ minutes.</p> <p>Now let's associate an oidc provider in our cluster.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>eksctl utils associate-iam-oidc-provider <span class="nt">--region</span> us-east-1 <span class="nt">--cluster</span> gaming-cluster <span class="nt">--approve</span> </code></pre> </div> <p>Our cluster is now ready with a default fargate profile that contains the namespace default and kube-system</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fup34bncx1h7sr14fmd0t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fup34bncx1h7sr14fmd0t.png" alt="Cluster new" width="800" height="396"></a></p> <p>Let's create a fargate profile for our game application. (Be sure to also create the ns inside our k8s cluster)<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk6dzax3q2nmrfpe15qw7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk6dzax3q2nmrfpe15qw7.png" alt="Default FP" width="800" height="360"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>eksctl create fargateprofile \ --cluster gaming-cluster \ --name fp-gaming \ --namespace gaming \ --region us-east-1 </code></pre> </div> <p>Now, let's add the AWS Load Balancer Controller to expose our application using AWS load balancers.</p> <p>To do this we need to create an iam policy, a serviceaccount and install the plugin with helm.</p> <p>Take this IAM policy example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-o</span> iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json </code></pre> </div> <p>Create the IAM policy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws iam create-policy <span class="se">\</span> <span class="nt">--policy-name</span> AWSLoadBalancerControllerIAMPolicy-EKS <span class="se">\</span> <span class="nt">--policy-document</span> file://iam-policy.json </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F995j7iau0qcjrqes52ml.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F995j7iau0qcjrqes52ml.png" alt="EKS Policy" width="800" height="300"></a></p> <p>Now let's create a service account for this controller<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>eksctl create iamserviceaccount <span class="nt">--cluster</span><span class="o">=</span>gaming-cluster <span class="nt">--namespace</span><span class="o">=</span>kube-system <span class="nt">--name</span><span class="o">=</span>aws-load-balancer-controller <span class="nt">--attach-policy-arn</span><span class="o">=</span>arn:aws:iam::&lt;account_id&gt;:policy/AWSLoadBalancerControllerIAMPolicy-EKS <span class="nt">--approve</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcji86pdnhoggzrnukbs8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcji86pdnhoggzrnukbs8.png" alt="Service Account" width="800" height="176"></a></p> <p>Great ! Now is helm turn, to install some useful charts, in this case the aws load balancer controller.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash </code></pre> </div> <p>Run the following commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add eks https://aws.github.io/eks-charts </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-k</span> <span class="s2">"github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm upgrade <span class="nt">-i</span> aws-load-balancer-controller eks/aws-load-balancer-controller <span class="nt">-n</span> kube-system <span class="nt">--set</span> <span class="nv">clusterName</span><span class="o">=</span>gaming-cluster <span class="nt">--set</span> serviceAccount.create<span class="o">=</span><span class="nb">false</span> <span class="nt">--set</span> serviceAccount.name<span class="o">=</span>aws-load-balancer-controller <span class="nt">--set</span> <span class="nv">vpcId</span><span class="o">=</span>&lt;the same vpc as the cluster&gt; </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faalkrh6vspovu9z8bu5a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faalkrh6vspovu9z8bu5a.png" alt="albc" width="800" height="149"></a></p> <p>Awesome now we can access our cluster<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws eks update-kubeconfig <span class="nt">--name</span> gaming-cluster <span class="nt">--region</span> us-east-1 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcf6jccr392gqi2w7cn0h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcf6jccr392gqi2w7cn0h.png" alt="EKS" width="800" height="68"></a></p> <p>Before we proceed let's create our gaming namespace<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create ns gaming </code></pre> </div> <p>We are almost there, now is the game turn.</p> <p>For this I'm going to use this <a href="https://github.com/bdllerena/PrinceJS" rel="noopener noreferrer">fork</a> thanks to <a href="https://github.com/oklemenz" rel="noopener noreferrer">oklemenz</a>, <a href="https://github.com/ultrabolido" rel="noopener noreferrer">ultrabolido</a> and <a href="https://github.com/jmechner" rel="noopener noreferrer">jmechner</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git clone https://github.com/bdllerena/PrinceJS </code></pre> </div> <p>After cloning our image make sure to create an ECR repository (or use any of your choice to host our Prince of Persia image)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fim6906ptf6oqc03z6lc1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fim6906ptf6oqc03z6lc1.png" alt="ECR" width="800" height="707"></a></p> <p>Now copy the push command, it should look like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ecr get-login-password <span class="nt">--region</span> us-east-1 | docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> &lt;account_id&gt;.dkr.ecr.us-east-1.amazonaws.com </code></pre> </div> <p>Inside our repository there should be a Dockerfile that looks like this.</p> <p>Note: We use the --platform=linux/amd64 flag because our Kubernetes cluster supports this platform. Otherwise, if we build the Docker image with tools like Docker Desktop, it will make the image compatible with the local OS instead.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> --platform=linux/amd64 node:18</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="k">CMD</span><span class="s"> ["npm", "start"]</span> </code></pre> </div> <p>Inside our repository execute the following commands<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> prince-of-persia <span class="nb">.</span> </code></pre> </div> <p>After we built our image let's tag it and push it to ECR<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker tag prince-of-persia:latest &lt;account_id&gt;.dkr.ecr.us-east-1.amazonaws.com/prince-of-persia:latest docker push &lt;account_id&gt;.dkr.ecr.us-east-1.amazonaws.com/prince-of-persia:latest </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjb1dd6wbpmiels4nh6b3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjb1dd6wbpmiels4nh6b3.png" alt="ECR code" width="800" height="188"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9d2i22awe3d9o7b1esbo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9d2i22awe3d9o7b1esbo.png" alt="ECR Repo" width="800" height="169"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prince-of-persia</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">gaming</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">prince-of-persia</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">prince-of-persia</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prince-of-persia</span> <span class="na">image</span><span class="pi">:</span> <span class="s">&lt;account_id&gt;.dkr.ecr.us-east-1.amazonaws.com/prince-of-persia:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-nlb-target-type</span><span class="pi">:</span> <span class="s">ip</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-scheme</span><span class="pi">:</span> <span class="s">internet-facing</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-type</span><span class="pi">:</span> <span class="s">external</span> <span class="na">name</span><span class="pi">:</span> <span class="s">prince-of-persia</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">gaming</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">prince-of-persia</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> </code></pre> </div> <p>After checking that our image is the same that we pushed to ECR, execute our manifest !<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl apply -f manifest.yaml </code></pre> </div> <p>This manifest is going to create a deployment with 1 replica (1 pod) and a service that creates a network load balancer as client-facing (public)</p> <p>After some minutes, check if the service was created with this command<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get svc <span class="nt">-n</span> gaming </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8zfintbtl14z1j4hkejq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8zfintbtl14z1j4hkejq.png" alt="svc created" width="800" height="22"></a></p> <p>Awesome ! if you want you can check the logs of the pod, and see if everything is up and running<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> gaming kubectl logs <span class="nt">-f</span> prince-of-persia-.... <span class="nt">-n</span> gaming </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpjf872xl4nbgtpdaft5i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpjf872xl4nbgtpdaft5i.png" alt="Logs" width="800" height="134"></a></p> <p>Finally let's enjoy our game by going to the svc that we created previously, it should look a bit like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>k8s-gaming-princeof-15fa57ff31-6933c5aaecd54910.elb.us-east-1.amazonaws.com </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs21eelma62gq90y4ezs7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs21eelma62gq90y4ezs7.png" alt="Prince of Persia" width="800" height="529"></a></p> <h2> Optional </h2> <p>If you want to enable logging of your pods follow this steps</p> <p>Create a namespace for aws-observability, and a fargate profile<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create ns aws-observability </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>eksctl create fargateprofile \ --cluster gaming-cluster \ --name fp-observability \ --namespace aws-observability \ --region us-east-1 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhmg7550u1pee4g8qtj7u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhmg7550u1pee4g8qtj7u.png" alt="New profile" width="800" height="122"></a></p> <p>Verify that the execution role of this fargate profile has the necessary permissions to execute logs event into cloudwatch, otherwise create an inline policy inside that role with the following permissions.</p> <p>Note: Be sure to add the specific name of the log group you are going to use<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"logs:CreateLogStream"</span><span class="p">,</span><span class="w"> </span><span class="s2">"logs:CreateLogGroup"</span><span class="p">,</span><span class="w"> </span><span class="s2">"logs:DescribeLogStreams"</span><span class="p">,</span><span class="w"> </span><span class="s2">"logs:PutLogEvents"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe3xph4s3af94xe5zyabr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe3xph4s3af94xe5zyabr.png" alt="Json policy" width="800" height="339"></a></p> <p>Now create a configmap like this an apply it, be sure to modify per your requirements, this configmap is going to start logging at a log group in cloudwatch named gaming-cluster<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-logging</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">aws-observability</span> <span class="na">data</span><span class="pi">:</span> <span class="na">flb_log_cw</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="c1"># set to true to ship Fluent Bit process logs to CloudWatch.</span> <span class="na">filters.conf</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">[FILTER]</span> <span class="s">Name parser</span> <span class="s">Match *</span> <span class="s">Key_name log</span> <span class="s">Parser crio</span> <span class="s">[FILTER]</span> <span class="s">Name kubernetes</span> <span class="s">Match kube.*</span> <span class="s">Merge_Log On</span> <span class="s">Keep_Log Off</span> <span class="s">Buffer_Size 0</span> <span class="s">Kube_Meta_Cache_TTL 300s</span> <span class="na">output.conf</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">[OUTPUT]</span> <span class="s">Name cloudwatch_logs</span> <span class="s">Match kube.*</span> <span class="s">region us-east-1</span> <span class="s">log_group_name gaming-cluster</span> <span class="s">log_stream_prefix from-fluent-bit-</span> <span class="s">log_retention_days 60</span> <span class="s">auto_create_group true</span> <span class="na">parsers.conf</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">[PARSER]</span> <span class="s">Name crio</span> <span class="s">Format Regex</span> <span class="s">Regex ^(?&lt;time&gt;[^ ]+) (?&lt;stream&gt;stdout|stderr) (?&lt;logtag&gt;P|F) (?&lt;log&gt;.*)$</span> <span class="s">Time_Key time</span> <span class="s">Time_Format %Y-%m-%dT%H:%M:%S.%L%z</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl apply -f observability.yaml </code></pre> </div> <p>Be sure to rollout restart your deployments !<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl rollout restart deployment prince-of-persia -n gaming </code></pre> </div> <p>Note: Is it recommended to only filter what is critical, modify the retention of the log group as it can get costly to get tons of logs</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxjoovzndt1lblefzpuri.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxjoovzndt1lblefzpuri.png" alt="Log groups" width="800" height="416"></a></p> <p>Hope this guide can be helpful ! Happy gaming !<br> <a href="https://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExdnBtMDhmNmczbmVyZWY5enBlZTltNWNpMmpjODhreDRidTM5YXRnbSZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/ut4T2X3qn8YVi/giphy.gif" class="article-body-image-wrapper"><img src="https://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExdnBtMDhmNmczbmVyZWY5enBlZTltNWNpMmpjODhreDRidTM5YXRnbSZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/ut4T2X3qn8YVi/giphy.gif" width="500" height="281"></a></p> kubernetes todayilearned beginners tutorial David💻 Tue, 03 Sep 2024 03:31:06 +0000 https://forem.com/davidshaek/automate-it-operations-with-nylas-and-amazon-bedrock-4agc https://forem.com/davidshaek/automate-it-operations-with-nylas-and-amazon-bedrock-4agc <p>This article explores how IT operations can leverage Nylas APIs, AWS Lambda, and Amazon Bedrock to automate repetitive tasks and manage brief requirement queries efficiently. By integrating a Knowledge Base with Retrieval-Augmented Generation (RAG), the solution enables quick and accurate responses to common operational requests, streamlining processes and improving SLA compliance. This approach reduces onboarding time for new staff, enhances efficiency, and ensures that routine tasks are handled precisely, freeing up valuable time for more complex issues</p> <h2> What is a Knowledge Base? </h2> <p>A Knowledge Base in Amazon Bedrock, often used with Retrieval-Augmented Generation (RAG), is a structured repository of information that enhances the ability of AI models to generate accurate responses by pulling relevant data during the response process. RAG combines generative AI with specific data retrieval from the knowledge base, allowing the AI to generate contextually accurate and up-to-date answers, which is particularly useful in handling dynamic and domain-specific queries</p> <h2> What is Nylas? </h2> <p>Nylas is a platform that provides APIs for email, calendar, and contact management, enabling developers to seamlessly integrate communication capabilities into their applications. Nylas simplifies the process of reading, sending, and managing emails, scheduling calendar events, and accessing contact data from various providers, allowing businesses to automate workflows, improve productivity, and enhance communication processes with minimal backend setup</p> <p><strong>Requirements</strong></p> <ul> <li>AWS Account</li> <li>Nylas Account</li> <li>Gmail or any email account</li> </ul> <h2> Walkthrough </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4lu9251j774l0cp2nww3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4lu9251j774l0cp2nww3.png" alt="Architecture" width="800" height="368"></a></p> <p>First, start by enabling your email account with Nylas. You need to enable your Grant ID and API Token be sure to note these values !</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7xo08eyx4v9lfgebe4iw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7xo08eyx4v9lfgebe4iw.png" alt="Nylas" width="536" height="254"></a></p> <p>Next, inside your AWS Account, create an S3 bucket. It is fine to use the standard options; no extra configurations are necessary. After creating the S3 bucket, upload some PDF files for your knowledge base. For this, I created some examples that look like this:</p> <blockquote> <p>How to Turn Off Instances in EC2<br> Step 1: Access the EC2 Dashboard<br> ● Go to the AWS Management Console.<br> ● Navigate to EC2 by searching for it in the search bar or selecting it from the list of AWS<br> services.<br> Step 2: Identify the Instance to Stop<br> ● In the EC2 Dashboard, go to the Instances section.<br> ● Look for the instance you wish to stop. You can use the search bar to filter by instance<br> ID, name, or other attributes.<br> Step 3: Check the Tags of the Instance<br> ● Select the instance and go to the Tags tab.<br> ● Look for a tag called "CanItBeTurnedOff". Ensure its value is "true". If the tag<br> does not exist or the value is not "true", do not turn off this instance.<br> Step 4: Stop the Instance<br> ● If the tag value is "true", click on the Actions dropdown menu at the top right.<br> ● Select Instance State &gt; Stop Instance.<br> Step 5: Confirm the Action<br> ● Confirm your choice in the popup dialog. The instance will begin to stop.<br> Step 6: Verify the Instance is Stopped<br> ● Wait a few moments and refresh the instance state. Ensure the instance status is<br> stopped before proceeding with any other tasks.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh66pyh3ckgpfain5zkaa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh66pyh3ckgpfain5zkaa.png" alt="S3" width="800" height="393"></a></p> <p>Now, let's use the Knowledge Base service inside Amazon Bedrock. For the configurations, feel free to create or reuse a service role—it needs access to S3. For the Data Source, be sure to select S3</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fik0btswpe9sorys2h5s0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fik0btswpe9sorys2h5s0.png" alt="Data Source" width="800" height="377"></a></p> <p>In the next window, be sure to select the S3 URI to the respective prefix or root folder where you uploaded your PDF examples</p> <p>For the embedding model, I decided to use Amazon Titan Text Embedding v2 for its cost-effectiveness and reliability in determining vector dimensions</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8h353ztbk6f4t203rozy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8h353ztbk6f4t203rozy.png" alt="Vector dimension" width="800" height="439"></a></p> <p>Review and create your model !</p> <p>For testing, be sure to enable model access. I used Titan Text G1 - Premier</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9g2654l094pbveaqvblh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9g2654l094pbveaqvblh.png" alt="Premier" width="800" height="27"></a></p> <p>Now, our setup is almost ready to start writing the code, but before this, log in to your email account. For this example, I used Gmail</p> <p>Inside Gmail, be sure to create or have at least one contact. The purpose of this contact is to showcase how we can scale requirements that the Knowledge Base can't respond to, involving a human counterpart who can guide us on properly executing the requirement</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnpmva8mp0167dnak38zu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnpmva8mp0167dnak38zu.png" alt="Second email" width="800" height="95"></a></p> <p>Great ! We have everything set up. Now let's create the code!</p> <p>This code connects the query from your emails, sends that query (in this example, the email subject) to the Knowledge Base, and returns a response based on the documents in your S3. If the model can't respond, it escalates the requirement to an "N2" support account or another person with more experience</p> <p>Variables:<br> <code>NYLAS_API_KEY</code> = Your Nylas api key<br> <code>NYLAS_GRANT_ID</code> = Grant ID<br> <code>SUPPORT_EMAIL_N1</code> = The email you used in Nylas<br> <code>AWS_REGION</code> = The region where the knowledge base is<br> <code>BEDROCK_MODEL_ARN</code> = The model of the model you gave access to (In this case Amazon Premier Text, it should look a bit like this: <code>arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-premier-v1:0</code><br> <code>KNOWLEDGE_BASE_ID</code> = The knowledge base ID that you created<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">nylas</span> <span class="kn">import</span> <span class="n">Client</span> <span class="kn">from</span> <span class="n">nylas.models.messages</span> <span class="kn">import</span> <span class="n">ListMessagesQueryParams</span> <span class="kn">from</span> <span class="n">nylas.models.contacts</span> <span class="kn">import</span> <span class="n">ListContactsQueryParams</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">os</span> <span class="n">nylas</span> <span class="o">=</span> <span class="nc">Client</span><span class="p">(</span><span class="n">api_key</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">NYLAS_API_KEY</span><span class="sh">'</span><span class="p">))</span> <span class="c1"># bedrock configuration be sure to create your knowledge base beforehand </span><span class="n">region_name</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">AWS_REGION</span><span class="sh">'</span><span class="p">)</span> <span class="n">model_arn</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">BEDROCK_MODEL_ARN</span><span class="sh">'</span><span class="p">)</span> <span class="n">kb_id</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">KNOWLEDGE_BASE_ID</span><span class="sh">'</span><span class="p">)</span> <span class="n">bedrock_agent_runtime_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">bedrock-agent-runtime</span><span class="sh">"</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="n">region_name</span><span class="p">)</span> <span class="c1"># generate a response asking our RAG with the email content </span><span class="k">def</span> <span class="nf">ask_bedrock_llm_with_knowledge_base</span><span class="p">(</span><span class="n">query</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">bedrock_agent_runtime_client</span><span class="p">.</span><span class="nf">retrieve_and_generate</span><span class="p">(</span> <span class="nb">input</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">text</span><span class="sh">'</span><span class="p">:</span> <span class="n">query</span><span class="p">},</span> <span class="n">retrieveAndGenerateConfiguration</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">KNOWLEDGE_BASE</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">knowledgeBaseConfiguration</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">knowledgeBaseId</span><span class="sh">'</span><span class="p">:</span> <span class="n">kb_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">modelArn</span><span class="sh">'</span><span class="p">:</span> <span class="n">model_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="k">return</span> <span class="n">response</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">output</span><span class="sh">'</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">text</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">No generated text found.</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># get this message if webhook nylas message.created is configured otherwise just pull the last message </span><span class="k">def</span> <span class="nf">fetch_latest_message</span><span class="p">(</span><span class="n">nylas_client</span><span class="p">:</span> <span class="n">Client</span><span class="p">,</span> <span class="n">grant_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">:</span> <span class="n">query_params</span> <span class="o">=</span> <span class="nc">ListMessagesQueryParams</span><span class="p">({</span><span class="sh">'</span><span class="s">limit</span><span class="sh">'</span><span class="p">:</span> <span class="mi">1</span><span class="p">})</span> <span class="n">messages</span><span class="p">,</span> <span class="n">_</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="n">nylas_client</span><span class="p">.</span><span class="n">messages</span><span class="p">.</span><span class="nf">list</span><span class="p">(</span><span class="n">grant_id</span><span class="p">,</span> <span class="n">query_params</span><span class="p">)</span> <span class="k">return</span> <span class="n">messages</span> <span class="c1"># you can fetch the contacts per company or description for this example we only have one contact </span><span class="k">def</span> <span class="nf">fetch_contact</span><span class="p">(</span><span class="n">nylas_client</span><span class="p">:</span> <span class="n">Client</span><span class="p">,</span> <span class="n">grant_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">:</span> <span class="n">query_params</span> <span class="o">=</span> <span class="nc">ListContactsQueryParams</span><span class="p">({</span><span class="sh">'</span><span class="s">limit</span><span class="sh">'</span><span class="p">:</span> <span class="mi">1</span><span class="p">})</span> <span class="n">contacts</span><span class="p">,</span> <span class="n">_</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="n">nylas_client</span><span class="p">.</span><span class="n">contacts</span><span class="p">.</span><span class="nf">list</span><span class="p">(</span><span class="n">grant_id</span><span class="p">,</span> <span class="n">query_params</span><span class="p">)</span> <span class="k">return</span> <span class="n">contacts</span> <span class="k">def</span> <span class="nf">send_message</span><span class="p">(</span><span class="n">nylas_client</span><span class="p">:</span> <span class="n">Client</span><span class="p">,</span> <span class="n">grant_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">subject</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">body</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">recipient</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">request_body</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">subject</span><span class="sh">"</span><span class="p">:</span> <span class="n">subject</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">body</span><span class="p">,</span> <span class="sh">"</span><span class="s">to</span><span class="sh">"</span><span class="p">:</span> <span class="p">[{</span><span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">:</span> <span class="n">recipient</span><span class="p">}]</span> <span class="p">}</span> <span class="n">nylas_client</span><span class="p">.</span><span class="n">messages</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="n">grant_id</span><span class="p">,</span> <span class="n">request_body</span><span class="o">=</span><span class="n">request_body</span><span class="p">)</span> <span class="k">def</span> <span class="nf">process_messages</span><span class="p">():</span> <span class="n">grant_id</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">NYLAS_GRANT_ID</span><span class="sh">'</span><span class="p">)</span> <span class="n">messages</span> <span class="o">=</span> <span class="nf">fetch_latest_message</span><span class="p">(</span><span class="n">nylas</span><span class="p">,</span> <span class="n">grant_id</span><span class="p">)</span> <span class="k">for</span> <span class="n">message</span> <span class="ow">in</span> <span class="n">messages</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">message</span><span class="p">.</span><span class="n">subject</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">ask_bedrock_llm_with_knowledge_base</span><span class="p">(</span><span class="n">message</span><span class="p">.</span><span class="n">subject</span><span class="p">)</span> <span class="k">if</span> <span class="sh">"</span><span class="s">i could not find an exact answer to the question</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">response</span><span class="p">.</span><span class="nf">lower</span><span class="p">():</span> <span class="n">contacts</span> <span class="o">=</span> <span class="nf">fetch_contact</span><span class="p">(</span><span class="n">nylas</span><span class="p">,</span> <span class="n">grant_id</span><span class="p">)</span> <span class="k">for</span> <span class="n">contact</span> <span class="ow">in</span> <span class="n">contacts</span><span class="p">:</span> <span class="nf">send_message</span><span class="p">(</span> <span class="n">nylas</span><span class="p">,</span> <span class="n">grant_id</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Please </span><span class="si">{</span><span class="n">contact</span><span class="p">.</span><span class="n">given_name</span><span class="si">}</span><span class="s">, your help is needed with the following requirement</span><span class="sh">"</span><span class="p">,</span> <span class="n">message</span><span class="p">.</span><span class="n">subject</span><span class="p">,</span> <span class="n">contact</span><span class="p">.</span><span class="n">emails</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">email</span> <span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">send_message</span><span class="p">(</span> <span class="n">nylas</span><span class="p">,</span> <span class="n">grant_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">Answer from RAG Model</span><span class="sh">"</span><span class="p">,</span> <span class="n">response</span><span class="p">,</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">SUPPORT_EMAIL_N1</span><span class="sh">'</span><span class="p">)</span> <span class="p">)</span> <span class="nf">process_messages</span><span class="p">()</span> </code></pre> </div> <p>That's it ! If you want to get an idea on how this work be sure to check this <a href="https://dev.to/davidshaek/nylas-ai-and-communications-challenge-nylas-and-aiops-integration-59b4">post</a><br> Code is <a href="https://github.com/bdllerena/nylas-aiops" rel="noopener noreferrer">here</a></p> ai aws tutorial beginners David💻 Mon, 02 Sep 2024 01:54:17 +0000 https://forem.com/davidshaek/nylas-ai-and-communications-challenge-nylas-and-aiops-integration-17an https://forem.com/davidshaek/nylas-ai-and-communications-challenge-nylas-and-aiops-integration-17an <p><em>This is a submission for the <a href="https://dev.to/challenges/nylas">Nylas Challenge</a>: Galaxy Brain.</em></p> <h2> What we Built and Why </h2> <p>In IT operations, when a new user joins a team in a fast-paced industry, there often isn’t enough time for a thorough onboarding process. The constantly changing client requirements and evolving technologies make it challenging for new users to know how to proceed correctly, leading to missed SLAs or improperly executed processes.</p> <p>That’s why we developed a solution to help streamline the learning curve for operations staff while handling basic or repetitive tasks, making the process smoother and more efficient.</p> <h2> Demo </h2> <p><a href="https://www.youtube.com/watch?v=ydiXAKPnbZQ" rel="noopener noreferrer">Youtube Demo</a></p> <h2> Code </h2> <p><a href="https://github.com/bdllerena/nylas-aiops" rel="noopener noreferrer">Github Code</a></p> <h2> Our Journey </h2> <p>We leveraged Nylas' set of APIs to streamline the management of these requirements, as they often come via email. This allows us to easily read incoming emails and respond immediately with our RAG model. If the requirement is a simple or repetitive task, we automate the process using an AWS Step Function that handles the task efficiently.</p> <p>With this easy, out-of-the-box solution, we improve our SLA times significantly.</p> <p>Credits:<br> <a class="mentioned-user" href="https://dev.to/davidshaek">@davidshaek</a> <br> <a class="mentioned-user" href="https://dev.to/steven_aizaga">@steven_aizaga</a></p> devchallenge nylaschallenge api nylas David💻 Mon, 02 Sep 2024 01:53:36 +0000 https://forem.com/davidshaek/nylas-ai-and-communications-challenge-nylas-and-aiops-integration-59b4 https://forem.com/davidshaek/nylas-ai-and-communications-challenge-nylas-and-aiops-integration-59b4 <p><em>This is a submission for the <a href="https://dev.to/challenges/nylas">Nylas Challenge</a>: AI Expedition.</em></p> <h2> What we Built and Why </h2> <p>In IT operations, when a new user joins a team in a fast-paced industry, there often isn’t enough time for a thorough onboarding process. The constantly changing client requirements and evolving technologies make it challenging for new users to know how to proceed correctly, leading to missed SLAs or improperly executed processes.</p> <p>That’s why we developed a solution to help streamline the learning curve for operations staff while handling basic or repetitive tasks, making the process smoother and more efficient.</p> <h2> Demo </h2> <p><a href="https://www.youtube.com/watch?v=ydiXAKPnbZQ" rel="noopener noreferrer">Youtube Demo</a></p> <h2> Code </h2> <p><a href="https://github.com/bdllerena/nylas-aiops" rel="noopener noreferrer">Github Code</a></p> <h2> Our Journey </h2> <p>We leveraged Nylas' set of APIs to streamline the management of these requirements, as they often come via email. This allows us to easily read incoming emails and respond immediately with our RAG model. If the requirement is a simple or repetitive task, we automate the process using an AWS Step Function that handles the task efficiently.</p> <p>With this easy, out-of-the-box solution, we improve our SLA times significantly.</p> <p>Credits:<br> <a class="mentioned-user" href="https://dev.to/davidshaek">@davidshaek</a> <br> <a class="mentioned-user" href="https://dev.to/steven_aizaga">@steven_aizaga</a></p> devchallenge nylaschallenge api ai