The latest articles on Forem by Saumil343 (@saumil343). https://forem.com/saumil343 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1108503%2Fe37fde75-750c-46bf-9138-5c80971e951d.jpeg https://forem.com/saumil343 en Saumil343 Thu, 02 Jan 2025 15:53:27 +0000 https://forem.com/saumil343/gen-ai-powered-healthcare-queries-with-aws-kendra-bedrock-gpd https://forem.com/saumil343/gen-ai-powered-healthcare-queries-with-aws-kendra-bedrock-gpd <p><strong>Introduction</strong></p> <p>In the healthcare industry, having accurate and contextually relevant information readily accessible is crucial for clinicians, patients, and administrative staff. Simple keyword-based searches can often fall short, offering information that lacks the specificity and depth required in a clinical setting. To address this, a solution was developed using AWS Kendra for intelligent search and AWS Bedrock for generative AI, enabling healthcare clients to receive not only relevant information but also enhanced, context-sensitive responses.</p> <p><strong>Business Problem</strong></p> <p>Healthcare professionals and patients frequently seek precise answers to complex medical questions. Standard keyword-based search systems may retrieve general documents but often lack the contextual accuracy needed in critical medical situations. Moreover, clinicians often require enhanced responses that go beyond straightforward answers to provide additional insights. This solution addresses these challenges by combining Kendra’s reliable document retrieval capabilities with Bedrock’s generative AI model to deliver well-rounded, contextually aware responses.</p> <p><strong>Solution Overview</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fli9lmzy17pin54d2h0iv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fli9lmzy17pin54d2h0iv.png" alt="architecture" width="352" height="245"></a></p> <p>This healthcare-focused solution integrates two powerful AWS tools:</p> <ul> <li><p><strong>AWS Kendra:</strong> Acts as the primary search engine, retrieving high-precision information from reliable medical documents based on user queries. Kendra enables clinicians and patients to access the exact information they need without time-consuming manual searches.</p></li> <li><p><strong>AWS Bedrock (Gen-AI):</strong> Adds depth and clarity to Kendra’s responses by generating enhanced, context-sensitive answers. Bedrock’s language generation capabilities allow for tailored responses that vary in complexity to suit different audiences, from healthcare professionals to patients.</p></li> </ul> <p>The solution uses Python to integrate these services, ensuring smooth communication and data processing across both AWS tools and enabling scalability for diverse healthcare applications.</p> <p><strong>Technical Implementation</strong></p> <p><strong>This implementation involves the following steps:</strong></p> <p><strong>1. AWS Kendra Query for Information Retrieval</strong></p> <p>A Kendra client is initialized with the designated AWS region and index ID.</p> <ul> <li><p>The user’s query text (e.g., “What are the warning signs for DKA?”) is sent to Kendra, which retrieves relevant medical information.</p></li> <li><p>Result Parsing: The response items from Kendra are filtered to extract the most relevant answer (e.g., through Highlights attributes) to be used for further processing.</p></li> </ul> <p><strong>Creating a Kendra index:</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvstm47feiem4af81z04m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvstm47feiem4af81z04m.png" alt="create-kendra-index" width="455" height="340"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fty0mmsxebncjm1en2u40.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fty0mmsxebncjm1en2u40.png" alt="create-kendra-index" width="460" height="297"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxmx5katx18vlwjzp7vqh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxmx5katx18vlwjzp7vqh.png" alt="create-kendra-index" width="434" height="252"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd60wexsvbb902ub6uz74.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd60wexsvbb902ub6uz74.png" alt="create-kendra-index" width="434" height="122"></a></p> <p><strong>Adding a data source to Kendra:</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvjubiximqju3h78161ss.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvjubiximqju3h78161ss.png" alt="add-data-source-kendra" width="451" height="374"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn2p5prpigv5g2rrm79y4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn2p5prpigv5g2rrm79y4.png" alt="add-data-source-kendra" width="425" height="317"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F00smgfwtj3a2p7t56r2x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F00smgfwtj3a2p7t56r2x.png" alt="add-data-source-kendra" width="428" height="401"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fswivcxgxl7a9c1a1hqcj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fswivcxgxl7a9c1a1hqcj.png" alt="add-data-source-kendra" width="467" height="131"></a></p> <p><strong>2. Enhanced Response Generation with AWS Bedrock</strong></p> <ul> <li><p>The Blog utilizes ‘amazon.titan-text-lite-v1’ bedrock model. </p></li> <li><p>A Bedrock client is invoked to generate an enriched, context-sensitive answer based on Kendra’s initial response.</p></li> <li><p>The context and original question are structured into a prompt format to enhance Bedrock’s generative model’s output.</p></li> <li><p>Generative Configuration: Parameters such as temperature and maxTokenCount are optimized to balance response thoroughness and relevancy.</p></li> <li><p>Bedrock then generates an enhanced response, adding additional clarity, context, and suggestions that make the information suitable for healthcare decision-making.</p></li> </ul> <p><strong>3. Python application:</strong></p> <p><strong>Code repo :</strong> <a href="https://github.com/Saumil343/AWS-gen-ai-healthcare-queries/tree/main" rel="noopener noreferrer">Github-repo</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import boto3 import json # AWS region setup region_name = 'us-east-1' # Initialize Kendra client kendra = boto3.client('kendra', region_name=region_name) index_id = 'kendra-index-id-here' query = "what are the warning signs for DKA? " # Initialize Bedrock client boto3_bedrock = boto3.client('bedrock-runtime', region_name=region_name) # Function to invoke Bedrock for enhanced response def get_bedrock_enhanced_response(human_input, context_string): prompt_data = f"Here is some context:\n\n{context_string}\n\nHuman: {human_input}\nAssistant:" body_part = json.dumps({ 'inputText': prompt_data, 'textGenerationConfig': { 'maxTokenCount': 4096, # Corrected maxTokenCount to be within the allowed range 'stopSequences': [], 'temperature': 0.7, # Adjust as needed 'topP': 1.0 } }) # Invoke Bedrock model response = boto3_bedrock.invoke_model( body=body_part, contentType="application/json", accept="application/json", modelId='amazon.titan-text-lite-v1' # Bedrock model ID ) # Read and decode the StreamingBody before parsing response_body = response['body'].read().decode('utf-8') output_text = json.loads(response_body)['results'][0]['outputText'] return output_text # Kendra query processing response = kendra.query(QueryText=query, IndexId=index_id) # Process Kendra query results for query_result in response['ResultItems']: begin = 0 end = 0 if query_result['Type'] == 'ANSWER': answer = query_result['AdditionalAttributes'][0]['Value']['TextWithHighlightsValue'] highlight = answer['Highlights'] for obj in highlight: if obj['TopAnswer'] is True: begin = obj['BeginOffset'] end = obj['EndOffset'] # Get the answer text if end == 0: answer_text = answer['Text'] else: answer_text = answer['Text'][begin:end] print("Kendra Answer: ", answer_text) # Now pass the Kendra response to Bedrock for enhancement enhanced_response = get_bedrock_enhanced_response(query, answer_text) print("\nEnhanced response from Bedrock:\n") print(enhanced_response) </code></pre> </div> <p><strong>Use Case Example</strong></p> <p>A practical use case for this solution is illustrated with a query about diabetic ketoacidosis (DKA), a critical condition requiring timely recognition:</p> <p><strong>1. User Query:</strong> A clinician asks, “What are the warning signs for DKA?”</p> <p><strong>2. Kendra Response:</strong> AWS Kendra retrieves a concise answer from a document stored in S3, such as “DKA symptoms include excessive thirst, frequent urination, nausea, and fatigue.”</p> <p><strong>3. Enhanced Response via Bedrock:</strong> Bedrock processes this response, adding further context, such as explaining symptoms in layperson’s terms and suggesting next steps for patients. For instance, “Warning signs for DKA, a complication from high blood sugar, include extreme thirst, frequent urination, nausea, and fatigue. If these symptoms occur, patients should seek medical attention promptly to avoid severe complications.”</p> <p>This example demonstrates the combined power of Kendra and Bedrock to provide healthcare professionals with accurate, contextually enhanced answers that are easy to interpret for both patients and clinicians.</p> <p><strong>Results</strong></p> <p>The integration of AWS Kendra and Bedrock provides several key benefits for healthcare clients:</p> <p><strong>- Enhanced Information Relevance:</strong> Kendra’s retrieval of information ensures answers are precise and sourced from credible healthcare documents from S3.</p> <p><strong>- Clarity and Contextual Depth:</strong> Bedrock’s generative capabilities add context to complex medical terms, making information accessible and understandable.</p> <p><strong>- Efficiency and Time Savings:</strong> The solution minimizes the time clinicians spend searching for answers, supporting quicker decision-making and patient interactions.</p> <p>These outcomes improve the quality of healthcare information retrieval, ensuring that professionals and patients alike receive actionable, high-quality responses.</p> <p><strong>Conclusion</strong><br> This AWS Kendra and Bedrock solution demonstrates a robust use case for healthcare clients seeking reliable, context-rich information to enhance clinical decision-making and patient care. With Kendra’s precision search capabilities and Bedrock’s advanced language generation, the architecture provides accurate, well-rounded responses tailored to healthcare needs. This solution is highly scalable, adaptable, and effective for various healthcare applications, making it a valuable tool in the evolving landscape of healthcare information technology.</p> genai bedrock kendra aws Saumil343 Sun, 10 Nov 2024 17:14:28 +0000 https://forem.com/saumil343/aws-backup-mastery-navigating-cross-account-cross-regional-immutable-backups-for-rds-with-practical-ease-4072 https://forem.com/saumil343/aws-backup-mastery-navigating-cross-account-cross-regional-immutable-backups-for-rds-with-practical-ease-4072 <p><strong>Introduction:</strong><br> In the realm of tech, data safety is non-negotiable, and AWS Backup emerges as the superhero in this narrative. This blog unlocks the perks of savvy backups, spanning different accounts and regions, ensuring the fortification of your data. This blog begins by addressing a quirk—certain AWS services, like RDS, can't execute backups across accounts and regions simultaneously. No sweat! This blog will walk you through a step-by-step plan. First, let's set up cross-regional backups to lay a solid foundation. Once that's nailed, this blog will guide you on extending this safety net across different AWS accounts, giving your data a superhero cape ready for any digital challenge. </p> <p><strong>Considerations</strong></p> <ul> <li><p><strong>Primary region:</strong> us-east-1 </p></li> <li><p><strong>Backup region:</strong> us-east-2 </p></li> <li><p><strong>Retention in backup account:</strong> 30 days [Customizable in Python Lambda code] </p></li> </ul> <p><strong>Step-by-step guide:</strong> </p> <p><strong>1. Create a Backup Vault in Backup Account (Backup Region)</strong></p> <p>Establish a vault for storing immutable backups, a secure haven for your critical data. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjgbfk3cylgdytruk0v1i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjgbfk3cylgdytruk0v1i.png" alt="Image description" width="520" height="403"></a></p> <p><strong>2. Set up an Immutable Vault Lock</strong></p> <p>Secure your vault by implementing an immutable vault lock, adding an extra layer of protection against accidental modifications or deletions. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo580c5ejdfoqq2rqand4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo580c5ejdfoqq2rqand4.png" alt="Image description" width="800" height="446"></a></p> <p><strong>3. Create a KMS-CMK in Workload Account (Backup Region)</strong><br> Generate a Key Management Service (KMS) key with a 'Single region &amp; Symmetric key' configuration, enhancing data security in your workload account, which is shared with backup account for seamless transmission of backups from workload account to backup account. </p> <p><strong>Key Policy for KMS key</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"key-consolepolicy-3"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Enable IAM User Permissions"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::{workload-account-number}:root"</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kms:*"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow use of the key"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"arn:aws:iam::{backup-account-number}:root"</span><span class="p">,</span><span class="s2">"arn:aws:iam::{workload-account-number}:root"</span><span class="p">]</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="s2">"kms:Encrypt"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="s2">"kms:Decrypt"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="s2">"kms:ReEncrypt*"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="s2">"kms:GenerateDataKey*"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="s2">"kms:DescribeKey"</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow attachment of persistent resources"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"arn:aws:iam::{backup-account-number}:root"</span><span class="p">,</span><span class="s2">"arn:aws:iam::{workload-account-number}:root"</span><span class="p">]</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="s2">"kms:CreateGrant"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="s2">"kms:ListGrants"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="s2">"kms:RevokeGrant"</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"Bool"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"kms:GrantIsForAWSResource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p><strong>4. Create Backup Vault in Workload Account (Backup Region)</strong></p> <p>Establish a backup vault in the workload account, utilizing the KMS key created in the previous step to ensure a secure backup environment. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg9d30axawccs3isizsbw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg9d30axawccs3isizsbw.png" alt="Image description" width="642" height="485"></a></p> <p><strong>5. Set Up Backup Vaults in Primary Region (Workload Account)</strong></p> <p>Create backup vaults in the primary, laying the groundwork for efficient data backup and recovery. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwtumrue3wfzuwmn1w74x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwtumrue3wfzuwmn1w74x.png" alt="Image description" width="678" height="518"></a></p> <p><strong>6. Create a Backup Plan for RDS in Workload Account</strong><br> Develop a backup plan with a daily frequency set for 8 pm IST, ensuring a consistent and reliable backup schedule for your RDS instances. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk7zx9mmjj2jegxxosff9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk7zx9mmjj2jegxxosff9.png" alt="Image description" width="607" height="649"></a></p> <p><strong>Backup window configuration:</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg20ijmfm1ovzp01jmmqt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg20ijmfm1ovzp01jmmqt.png" alt="Image description" width="604" height="269"></a></p> <p><strong>7. Copy Configuration to Intermediate Vault</strong></p> <p>Configure copy settings to an intermediate vault in the backup region, streamlining the process of moving backups between regions. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6597fiwqw69h1c50wavf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6597fiwqw69h1c50wavf.png" alt="Image description" width="545" height="565"></a></p> <p><strong>8. Add Crucial Tags</strong><br> Enhance backup management by adding tags; a key tag to include is 'FinalVault' with a value representing the ARN of the backup vault in the backup account in the backup region. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fca5wkaasclszmdnwcl8j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fca5wkaasclszmdnwcl8j.png" alt="Image description" width="424" height="346"></a></p> <p><strong>9. Create Lambda Function in Workload Account (Backup Region)</strong><br> Implement a Lambda function using any runtime environment to automate AWS Backup copy jobs, enhancing the efficiency of your backup strategy, the lambda function would be responsible for initiating a copy job from secondary region of workload account to backup account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">import</span> <span class="err"> </span><span class="n">boto3</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="err"> </span> <span class="err"> </span> <span class="c1"># Main lambda function to invoke AWS Backup copy job </span> <span class="err"> </span> <span class="err"> </span> <span class="k">try</span><span class="p">:</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">eventDetail</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">detail</span><span class="sh">'</span><span class="p">)</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="k">if</span> <span class="n">eventDetail</span><span class="p">:</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="c1">#Fetching parameters from event </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">jobState</span> <span class="o">=</span> <span class="n">eventDetail</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">state</span><span class="sh">'</span><span class="p">)</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">destinationBackupVaultArn</span> <span class="o">=</span> <span class="n">eventDetail</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">destinationBackupVaultArn</span><span class="sh">'</span><span class="p">)</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">iamRoleArn</span> <span class="o">=</span> <span class="n">eventDetail</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">iamRoleArn</span><span class="sh">'</span><span class="p">)</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">backupVaultName</span> <span class="o">=</span> <span class="n">destinationBackupVaultArn</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">:</span><span class="sh">'</span><span class="p">)[</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">destinationRecoveryPointArn</span> <span class="o">=</span> <span class="n">eventDetail</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">destinationRecoveryPointArn</span><span class="sh">'</span><span class="p">)</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="k">if</span> <span class="sh">'</span><span class="s">COMPLETED</span><span class="sh">'</span> <span class="o">==</span> <span class="n">jobState</span><span class="p">:</span> <span class="c1"># Ensuring the config work on 'COMPLETE' </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">backup_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">backup</span><span class="sh">'</span><span class="p">)</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">response</span> <span class="o">=</span> <span class="n">backup_client</span><span class="p">.</span><span class="nf">list_tags</span><span class="p">(</span><span class="n">ResourceArn</span><span class="o">=</span><span class="n">destinationRecoveryPointArn</span><span class="p">)</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">tag_list</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Tags</span><span class="sh">'</span><span class="p">)</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">tag_list from Copy Job :</span><span class="si">{</span><span class="n">tag_list</span><span class="si">}</span><span class="sh">'</span><span class="p">)</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="k">for</span> <span class="n">key</span> <span class="ow">in</span> <span class="n">tag_list</span><span class="p">:</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="c1"># Feteching tag from recovery points, to identify and copy RDS to final vault </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="k">if</span> <span class="n">key</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="o">==</span> <span class="sh">'</span><span class="s">FinalVault</span><span class="sh">'</span><span class="p">.</span><span class="nf">lower</span><span class="p">():</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">destinationVaultArn</span> <span class="o">=</span> <span class="n">tag_list</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">Copying </span><span class="si">{</span><span class="n">destinationRecoveryPointArn</span><span class="si">}</span><span class="s"> to </span><span class="si">{</span><span class="n">destinationVaultArn</span><span class="si">}</span><span class="s"> from </span><span class="si">{</span><span class="n">backupVaultName</span><span class="si">}</span><span class="sh">'</span><span class="p">)</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="c1">#Initiating a copy job from intermediate to final vault </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">response</span> <span class="o">=</span> <span class="n">backup_client</span><span class="p">.</span><span class="nf">start_copy_job</span><span class="p">(</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">RecoveryPointArn</span><span class="o">=</span><span class="n">destinationRecoveryPointArn</span><span class="p">,</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">SourceBackupVaultName</span><span class="o">=</span><span class="n">backupVaultName</span><span class="p">,</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">DestinationBackupVaultArn</span><span class="o">=</span><span class="n">destinationVaultArn</span><span class="p">,</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">IamRoleArn</span><span class="o">=</span><span class="n">iamRoleArn</span><span class="p">,</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="c1"># Retention period for final recovery point </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="n">Lifecycle</span><span class="o">=</span><span class="p">{</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="sh">'</span><span class="s">DeleteAfterDays</span><span class="sh">'</span><span class="p">:</span> <span class="mi">30</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="p">})</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">'</span><span class="s">start_copy_job done : </span><span class="si">{</span><span class="n">response</span><span class="si">}</span><span class="sh">'</span><span class="p">)</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="err"> </span> <span class="err"> </span> <span class="err"> </span> <span class="nf">print</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> </code></pre> </div> <p><strong>10. Create EventBridge Rule in Workload Account (Backup Region)</strong><br> Develop an EventBridge rule to trigger the Lambda function upon completion of a copy job, enhancing automation and responsiveness, don’t forget to update the backup plan id in below code with newly created backup plan. </p> <p><strong>Event Pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"aws.backup"</span><span class="p">],</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"detail-type"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"Copy Job State Change"</span><span class="p">],</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"detail"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"createdBy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"backupPlanId"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"6d0fefcf-t4a4-46c2-9d87-770c506f4e54"</span><span class="p">]</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>11. Add Resource-Based Policy to Lambda Function</strong><br> Strengthen Lambda function security by adding a resource-based policy, allowing the EventBridge rule to invoke it seamlessly. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj06jllxflup8izdldwyj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj06jllxflup8izdldwyj.png" alt="Image description" width="452" height="406"></a></p> <p><strong>12. Create EventBridge Rule in Workload Account (Primary Region)</strong></p> <p>Establish a second EventBridge rule in the primary region to trigger the EventBridge rule in the backup region upon completion of a copy job, don’t forget to update the backup plan id in below code with newly created backup plan. </p> <p><strong>Event Pattern:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"aws.backup"</span><span class="p">],</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"detail-type"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"Copy Job State Change"</span><span class="p">],</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"detail"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"createdBy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="nl">"backupPlanId"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"6d0fefcf-t4a4-46c2-9d87-770c506f4e54"</span><span class="p">]</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err"> </span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Final flourish for security and management</strong></p> <ul> <li><p>You can utilize AWS organization to manage the backups. </p></li> <li><p>SCPs can be used to enhance the security of backups. </p></li> <li><p>Least previledged IAM role with IAM policies should be used for backup plan, lambda function. </p></li> </ul> <p><strong>Conclusion</strong><br> By following these steps, you'll successfully implement a robust cross-account, cross-regional immutable backup solution for your RDS instances using AWS Backup, ensuring the safety and integrity of your critical data. </p> Saumil343 Mon, 25 Sep 2023 13:16:04 +0000 https://forem.com/saumil343/aws-backup-the-cornerstone-of-data-resilience-47nd https://forem.com/saumil343/aws-backup-the-cornerstone-of-data-resilience-47nd <p><strong>Author</strong><br> Saumil Shah </p> <p>In the ever-evolving digital landscape, where data is the lifeblood of businesses and organizations, the concept of data backup has become paramount. In essence, a backup is a secure and duplicate copy of your critical data and information. This copy is stored separately from your primary data source, ensuring that in the face of unexpected calamities, data corruption, or cyberattacks, your valuable information remains intact and recoverable. A well-implemented backup strategy is akin to a safety net for your digital assets, providing you with the assurance that, even in the worst-case scenarios, your data can be resurrected, and business operations can continue with minimal disruption.<br> With that to say disaster recovery (DR) planning is essential for business continuity. Disasters, whether natural or digital, can strike without warning, leading to data loss and downtime. Backups are at the heart of an effective DR strategy, enabling rapid data recovery. They are crucial for maintaining operations, preserving trust, and preventing financial losses. This blog will guide you through AWS Backup, a service that reinforces the core concept of data 'Backup'.</p> <p><strong>What is AWS Backup Service and Why It Matters</strong><br> AWS Backup is a fully managed data backup and recovery service offered by Amazon Web Services (AWS). It provides a centralized and streamlined solution for safeguarding your data across various AWS resources and services. AWS Backup is designed to simplify the backup process, making it easier to create, manage, and restore backups for critical data.</p> <p><strong>Key Components of AWS Backup Service</strong><br> AWS Backup comprises several vital components that collectively provide a robust data protection and recovery solution:</p> <p><strong>1. Backup Vaults:</strong><br> Vaults are logical containers that help you organize and manage your backups effectively. You can create multiple vaults to categorize and store backups based on your requirements.</p> <p><strong>2. Backup Plans:</strong><br> These are at the heart of AWS Backup and define your backup policies and schedules. Within a backup plan, you specify settings such as backup frequency, retention periods, and lifecycle rules.</p> <p><strong>3. Resource Assignments</strong><br> Resource assignments link your AWS resources, such as EC2 instances or RDS databases, to specific backup plans. This ensures that your resources are protected according to the defined policies, which also supports TAG based resource selections.</p> <p><strong>4. Backup Jobs</strong><br> Backup jobs are the operational processes responsible for creating backups of your resources. They run according to the schedules you've set in your backup plans and capture the data for safekeeping.</p> <p><strong>5. Recovery Points</strong><br> These are specific states of your resources captured by backup jobs at particular points in time. AWS Backup retains multiple recovery points based on the retention settings in your backup plan.</p> <p><strong>6. Lifecycle Rules</strong><br> Lifecycle rules determine the retention period of your backups and when they should be deleted. You can configure rules to automatically transition backups to cold storage or remove them when they're no longer needed.</p> <p><strong>7. Vault Lock</strong><br> Vault lock provides an additional layer of security for your backups. When enabled, it prevents the deletion of backup data for a specified retention period, ensuring data integrity and compliance with retention policies.</p> <p><strong>Key features of backup service</strong><br> The importance of AWS Backup cannot be overstated in today's data-driven world. Here are some key reasons why it matters,</p> <p><strong>Data Resilience:</strong> Data loss can be catastrophic for any organization. AWS Backup ensures that your critical data is protected and can be quickly recovered in case of accidental deletions, hardware failures, or data corruption.</p> <p><strong>Security and Compliance:</strong> AWS Backup integrates with AWS Identity and Access Management (IAM) and AWS Key Management Service (KMS) to provide secure, encrypted backups. This is crucial for meeting regulatory requirements and maintaining data privacy.</p> <p><strong>Simplicity and Automation:</strong> AWS Backup simplifies the backup process with automated policies, making it easy to create, schedule, and manage backups without the need for complex scripting or manual interventions.</p> <p><strong>Centralized Management:</strong> With AWS Backup, you can manage backups for multiple AWS services from a single console, streamlining backup operations and reducing management overhead.</p> <p><strong>Cross-Region and Cross-Account Backups:</strong> AWS Backup enables you to create backups that span regions and AWS accounts, enhancing data resilience and disaster recovery capabilities.</p> <p><strong>Importance of Cross-Account and Cross-Regional Backups</strong><br> Cross-account and cross-regional backups form the cornerstone of a resilient data protection strategy. In today's distributed computing landscape, where organizations operate across multiple AWS accounts and regions, ensuring data availability and recoverability is paramount. <br> Cross-account backups involve replicating critical data from one AWS account to another, mitigating the risk of accidental data loss and enhancing security by adhering to the principle of least privilege. Cross-regional backups extend this protection by replicating data across different AWS regions, guarding against region-specific outages or unforeseen disruptions. Together, these practices fortify data resiliency, reducing downtime and safeguarding data integrity in the face of evolving threats.<br> Benefits of cross-account and cross-regional backups</p> <ul> <li>Enhanced Security Control</li> <li>Reduced Risk of Data Loss</li> <li>Data Isolation</li> <li>Compliance Benefits</li> <li>Geographic Redundancy</li> <li>Enhanced Resilience</li> </ul> <p>Combining cross-account and cross-regional backups offers a comprehensive data protection solution that not only secures your data against threats but also ensures its availability, even in challenging scenarios.</p> <p><strong>Guide to Achieve Immutable Backups</strong></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkg27kaxt2y6rq1e08a3q.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkg27kaxt2y6rq1e08a3q.png" alt="Immutable-Bakups" width="800" height="444"></a></p> <p>Key security layers which contribute to immutability of backup</p> <p><strong>1. Least privilege access through IAM policies</strong><br> Least privilege access on both backup and workload account to a limited set of users can prevent unauthorized access to backups.</p> <p><strong>2. Service control policies on both workload account &amp; backup account</strong><br> Service control policies (SCPs) further restricts the access to backup service and backup account to strengthen the security of backups.</p> <p><strong>3. Backup Vault lock on backup account</strong><br> Backup vault lock ‘Compliance Mode’ ensures that No-one including even AWS cannot delete the recovery points which are stored in backup vault of backup account.</p> <p><strong>4. Encryption of backups through isolated KMS-CMK.</strong><br> KMS key which is used along with the backup vault encrypts the backups thus there is no direct vulnerable open data which can be used.</p> <p><strong>5.Audit &amp; monitoring through backup audit manager &amp; cloud trail events</strong><br> Active monitoring and logging of backup jobs can be done via audit manager, with that cloudtrail events can be used to notify the admins if there are specific actions performed on backup service.</p> <p>In summary, AWS Backup is a crucial service for modern businesses, offering simplified and centralized data backup solutions. It ensures data resilience, security, and compliance through features like cross-account and cross-regional backups, immutable backups, and encryption. With AWS Backup, organizations can protect their critical data, reduce downtime, and enhance data integrity in today's rapidly evolving digital landscape.</p> <p>In Collaboration with, <br> <a class="mentioned-user" href="https://dev.to/piyush_jalan">@piyush_jalan</a> </p> backup data immutable awsbackup Saumil343 Tue, 15 Aug 2023 07:59:59 +0000 https://forem.com/saumil343/automated-s3-security-lambda-functions-to-the-rescue-335b https://forem.com/saumil343/automated-s3-security-lambda-functions-to-the-rescue-335b <p><strong>Author</strong><br> Saumil Shah </p> <p><strong>ABSTRACT:</strong><br> In today's business landscape, the widespread migration of workloads to the cloud has become a norm, with S3 playing a crucial role as a key solution for effective data storage and retrieval. Further, ensuring the security of S3 buckets becomes paramount. In this technical blog, we will explore an automated approach to enhance the security of S3 buckets using AWS Lambda. By leveraging CloudTrail events and Lambda functions, we can detect and remediate common security issues related to S3 public access block.</p> <p><strong>POTENTIAL SECURITY THREATS OF S3</strong><br> Amazon S3 is widely used for static website hosting, providing scalability and cost-effectiveness. However, disabling the public access block exposes security threats. Without the block, misconfigurations or errors in permissions can lead to unintended public access, potentially exposing sensitive information. Unauthorized listing of bucket contents becomes possible, giving attackers insights for further exploitation.</p> <p><strong>SECURITY RISK OF S3:</strong><br> • Disabling the public access block exposes security threats<br> • Misconfigurations or errors in permissions can lead to unintended public access<br> • Unauthorized listing of bucket contents becomes possible, enabling further exploitation<br> • Inadvertent changes to block settings can bypass security measures<br> • Failure to enforce encryption increases the risk of exposing sensitive data at rest<br> • Misconfigured access control policies may allow unauthorized public access</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flslw67mz88khwjfeqc65.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flslw67mz88khwjfeqc65.png" alt="Image description" width="800" height="273"></a></p> <p>Thus, Regular security audits are essential to identify changes or misconfigurations. Inadequate auditing could lead to undetected vulnerabilities. To reduce the risk of these threats, it is essential to have an automated system that regularly checks the environment to ensure that critical controls are enabled for the specific use case.</p> <p><strong>AUTOMATED SECURITY REMEDIATION WITH LAMBDA AND EVENT BRIDGE</strong></p> <p>Let's explore a practical example of restricting public access to S3 buckets.<br> Here is the architecture we will be implementing to address the issue at hand.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmx041w7gt74gqngesynv.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmx041w7gt74gqngesynv.png" alt="Image description" width="800" height="242"></a></p> <p>The lambda function is designed to be triggered by the ‘CreateBucket’ event in CloudTrail. Its purpose is to block public access for S3 buckets that do not have a specific tag. The tag, with the key "hosting" and the value "web," is crucial for identifying buckets which are used for static website hosting or not. By filtering based on this tag, we can ensure that blocking public access only applies to the appropriate buckets.<br> To begin the implementation, we will create an Event Bridge rule, which will be used for invoking a Lambda Function.</p> <p><strong>Step 1:</strong> Create below Lambda Function with Python runtime:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import boto3 def lambda_handler(event, context): s3 = boto3.client('s3') # Get all the S3 buckets response = s3.list_buckets() buckets = response['Buckets'] # Iterate through each bucket for bucket in buckets: bucket_name = bucket['Name'] try: # Get the bucket tags response = s3.get_bucket_tagging(Bucket=bucket_name) if 'TagSet' in response: tags = response['TagSet'] # Check if the bucket has the required tag has_hosting_tag = any(tag['Key'] == 'hosting' and tag['Value'] == 'web' for tag in tags) # If bucket does not have the required tag, block public access if not has_hosting_tag: s3.put_public_access_block( Bucket=bucket_name, PublicAccessBlockConfiguration={ 'BlockPublicAcls': True, 'IgnorePublicAcls': True, 'BlockPublicPolicy': True, 'RestrictPublicBuckets': True } ) except: # Handle exception print("TagSet not ") return { 'statusCode': 200, 'body': 'Public access blocked for buckets without the "hosting:web" tag' } </code></pre> </div> <p><strong>Step 2:</strong> Create the below event bridge rule with custom pattern:</p> <p>1) Go to EventBridge console, create a new rule, and select rule type as event pattern:</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8uxdenr4nnj237ikhkzc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8uxdenr4nnj237ikhkzc.png" alt="Image description" width="800" height="341"></a></p> <p> <br> 2) In build event pattern keep everything default except ‘Creation Method’ select Custom pattern (JSON editor) in that place the event JSON code<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "source": ["aws.s3"], "detail-type": ["AWS API Call via CloudTrail"], "detail": { "eventSource": ["s3.amazonaws.com"], "eventName": ["CreateBucket"] } } </code></pre> </div> <p>3) Select target as the Lambda function which was created in step 1.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2m6kwpklte3ypmmhx7bb.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2m6kwpklte3ypmmhx7bb.png" alt="Image description" width="800" height="338"></a></p> <p>4) Review and create the event bridge rule.<br> <strong>Note:</strong> Ensure that there is at least one CloudTrail event running in your AWS account for successful execution of the task.</p> <p><strong>CONCLUSION</strong><br> In this technical blog, we delve into an automated method that utilizes AWS Lambda to bolster the security of S3 buckets. By leveraging CloudTrail events and Lambda functions, the blog demonstrates how to identify and resolve prevalent security concerns associated with S3 public access blocks. The blog covers the creation of an EventBridge rule, which serves as the trigger for invoking a Lambda function.</p> <p><strong>CO-FIRST AUTHORS</strong><br> <a class="mentioned-user" href="https://dev.to/khushi3008">@khushi3008</a> <br> <a class="mentioned-user" href="https://dev.to/piyush_jalan">@piyush_jalan</a> </p> lambda security s3security aws Saumil343 Thu, 29 Jun 2023 06:14:36 +0000 https://forem.com/saumil343/revolutionizing-access-no-more-bastion-hosts-with-aws-private-endpoint-tutorial-2f7e https://forem.com/saumil343/revolutionizing-access-no-more-bastion-hosts-with-aws-private-endpoint-tutorial-2f7e <p>In a significant update, Amazon Web Services (AWS) has introduced a groundbreaking feature that allows seamless connections to private instances using an endpoint. This innovative solution eliminates the need for traditional bastion hosts, simplifying and enhancing the security of SSH access to private instances. In this blog post, we will explore the step-by-step process of leveraging AWS private endpoints to establish secure SSH connections to private instances, both through the AWS console and the command-line interface (CLI).</p> <p>Two Ways of Connecting: There are two convenient methods to connect to private instances using AWS private endpoints: through the <strong>AWS console or AWS instance connect, and via the CLI</strong>. We will delve into both approaches, providing you with a comprehensive guide to help you utilize this exciting new feature effectively.</p> <p>Process:</p> <p>1.<strong>Creating an EC2 Endpoint</strong>: To begin, we need to create an EC2 endpoint, which will serve as the entry point for establishing SSH connections to private instances. Follow these steps:<br> a. Navigate to the AWS Management Console and access the VPC (Virtual Private Cloud) service.</p> <p>b. Within the VPC dashboard, select the "Endpoints" tab and click on the "Create Endpoint" option. </p> <p>c. When creating the endpoint, ensure you select the appropriate VPC, security group, and subnet.</p> <p>• The security group facilitates traffic through specific ports, enabling interaction with the security group.<br> • The chosen subnet ensures a private connection to that subnet with a specific SSH tunnel.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--OohKdi3X--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/uol5elr03mifdomp3ik7.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--OohKdi3X--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/uol5elr03mifdomp3ik7.png" alt="Creating Endpoint-1" width="800" height="364"></a></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s---fWDSvxr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yjkvshx615uiy1d8uvf0.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s---fWDSvxr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yjkvshx615uiy1d8uvf0.png" alt="Creating Endpoint-2" width="800" height="349"></a></p> <p>2.<strong>Creating an EC2 Instance in a Private Subnet</strong>: Now that we have set up the EC2 endpoint, we can proceed with creating an EC2 instance in a private subnet. Follow these steps:<br> a. Access the EC2 service through the AWS Management Console. <br> b. Choose the "Instance Connect" option and select the "Connect with EC2 Endpoint" feature.<br> c. Select the newly created EC2 endpoint from the list to establish the connection seamlessly.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--mOpvty-B--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/geapgt88jamezgpjt7o3.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--mOpvty-B--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/geapgt88jamezgpjt7o3.png" alt="Connecting via endpoint" width="800" height="375"></a></p> <p>3.<strong>Connecting via CLI</strong>: To leverage the power of the command-line interface (CLI) for SSH connections to private instances, follow these steps:<br> a. Begin by configuring the AWS CLI on your local machine. <br> b. Open a command prompt and execute the following command to create an SSH tunnel:</p> <p><code>aws ec2-instance-connect open-tunnel --instance-id YOUR_INSTANCE_ID --local-port 8888 <br> </code><br> c. In a new terminal window, use the SSH command to connect to the private instance by specifying the key pair file and the tunnel port:</p> <p><code>ssh -i key.pem ec2-user@localhost -p 8888</code> </p> <p>Conclusion: With the introduction of AWS private endpoints, the process of connecting to private instances securely has been revolutionized. By following the step-by-step guide outlined in this blog post, you can eliminate the reliance on bastion hosts and establish direct SSH connections to private instances with ease. Whether through the intuitive AWS console or the power of the CLI, AWS private endpoints empower you to simplify your infrastructure while enhancing security. Embrace this exciting new feature and experience a seamless and secure SSH access solution for your private instances on AWS.</p> aws ec2 privatendpoint tutorial