Forem: Shubham Kumar

Exploring AWS Generative AI & AI Services: A Practical Guide for Builders

Shubham Kumar — Sat, 20 Dec 2025 18:38:05 +0000

Having recently cleared the AWS Certified AI Practitioner exam, I wanted to share my learning and perspective through this practical tour of AWS Generative AI and AI services.

Generative AI is everywhere right now—but building real, production-ready GenAI systems requires much more than just large language models.

AWS has quietly built a powerful ecosystem of AI services that handle language, speech, vision, search, conversations and human feedback. These services often work behind the scenes of modern GenAI applications, making them scalable, reliable and enterprise-ready.

In this article, we’ll walk through the most important AWS AI services and understand where they fit in a real-world GenAI architecture.

1. AWS Bedrock

Purpose - Foundation Models Made Simple with AWS Bedrock

AWS Bedrock is the cornerstone of Generative AI on AWS. It provides a fully managed way to build GenAI applications using leading foundation models from Amazon and third-party providers—without managing infrastructure.

What makes Bedrock important:

Access to multiple foundation models via a single API

No need to manage or train large models

Enterprise-grade security and privacy

Seamless integration with AWS services

Support for Retrieval-Augmented Generation (RAG)

Why it matters:

Bedrock is where LLMs live, but their real power is unlocked only when combined with services like Comprehend, Kendra, Transcribe, and Rekognition. It acts as the brain of your GenAI application.

2. AWS Comprehend

Purpose - It help us to understanding the context of a text.

AWS Comprehend helps applications understand text rather than just store it.

It can detect:

Sentiment (positive, negative, neutral)

Named entities like people, locations and organizations

Key phrases and topics

Personally Identifiable Information (PII)

Why it matters:

Before sending data to a GenAI model, you often need to clean, classify or filter it. Comprehend does this efficiently and at scale.

3. AWS Translate

AWS Translate makes applications multilingual with minimal effort.

It supports real-time and batch translations, custom terminology and dozens of languages.

Where it shines:

Multilingual chatbots

International customer support

Localized content platforms

GenAI angle:

Translate allows GenAI applications to reach users across geographies—without training separate models per language.

4. AWS Transcribe

Purpose - It helps in turning speech into text.

AWS Transcribe converts spoken language into accurate text using deep learning.

It supports:

Live and batch transcription

Speaker identification

Custom vocabularies

Specialized models for medical and call analytics

Common use cases:

Call center analytics

Meeting summaries

Voice-driven applications

Once transcribed, the text becomes a perfect input for summarization, sentiment analysis or LLM prompts.

5. Amazon Polly

Amazon Polly does the opposite of Transcribe — it turns text into lifelike speech.

With neural voices and SSML support, Polly is widely used for:

Voice assistants

Audiobooks

Accessibility tools

IVR systems

GenAI in action:

Pair an LLM’s response with Polly and suddenly your GenAI application can speak.

6. Amazon Rekognition

Amazon Rekognition allows applications to understand images and videos.

It can:

Detect objects and scenes

Analyze faces

Extract text from images

Moderate inappropriate content

Analyze video streams

Why it’s powerful:

GenAI isn’t limited to text anymore. Rekognition enables multimodal AI, where visual data enhances decision-making.

7. Amazon Lex

Purpose - It helps in building Chatbots

Amazon Lex is AWS’s service for building conversational interfaces—the same technology behind Alexa.

It handles:

Natural language understanding

Speech recognition

Context-aware conversations

How it fits with GenAI:

Lex manages the conversation flow, while LLMs generate intelligent, dynamic responses behind the scenes.

8. Amazon Kendra

Amazon Kendra brings Google-like search to enterprise data.

It connects to:

S3

SharePoint

Confluence

Databases

And understands natural language questions, not just keywords.

GenAI superpower:

Kendra is often used in Retrieval-Augmented Generation (RAG) to ensure LLM answers are grounded in enterprise knowledge.

9. Amazon Mechanical Turk

Amazon Mechanical Turk provides access to a global workforce for human intelligence tasks.

It’s commonly used for:

Data labeling

Content moderation

Model evaluation

Edge-case validation

Why it matters:

GenAI models improve dramatically when humans help review and refine their outputs.

10. AWS Augmented AI

AWS Augmented AI (A2I) integrates human review directly into ML workflows.

It’s especially useful when:

Model confidence is low

Decisions are compliance-critical

Accuracy is non-negotiable

A2I is widely used with services like Rekognition and Textract but also works with custom models.

Final Thoughts

Generative AI may grab the headlines, but these foundational AWS AI services that make GenAI usable, scalable and trustworthy in real applications.

If you’re building AI systems on AWS, understanding how these services work together will give you a serious architectural advantage.

If you have questions or want to share your experience, feel free to drop a comment or reach out to me at https://www.linkedin.com/in/shubham-kumar1807/

Building a Responsible GenAI Agent with AWS Bedrock

Shubham Kumar — Sun, 26 Oct 2025 08:57:55 +0000

Generative AI (GenAI) is redefining how organizations interact with data, automate workflows and enhance decision-making. AWS Bedrock provides a fully managed environment that simplifies the process of building, scaling and deploying GenAI-powered applications—all without worrying about model hosting or infrastructure management.

In this blog, I’ll share my hands-on experience using AWS Bedrock to create a custom AI agent with Guardrails, grounding and relevance, prompt engineering, and a knowledge base backed by Amazon S3.

Getting Started with AWS Bedrock

AWS Bedrock enables access to foundation models (FMs) from leading providers like Anthropic, AI21 Labs and Stability AI through a single API. This makes it easy for developers to experiment and integrate powerful LLMs into enterprise systems securely.

For this project, I used the Novalite Agent—a flexible, pre-built agent in Bedrock that allows experimentation in both chat and text-based interactions through the Chat/Text Playground. This interactive playground helped me tune responses, test prompts, and explore the model’s reasoning capabilities.

Implementing Guardrails for Responsible AI

Responsible AI is a key principle when deploying GenAI applications. AWS Bedrock provides Guardrails that ensure your agent behaves safely and ethically.

Here’s how I configured my agent’s guardrails:

PII Detection and Masking: The agent automatically detects and blocks Personally Identifiable Information (PII) to prevent data leakage.
Content Filtering: I set up context restrictions to block certain domains, such as medical advice or other sensitive topics.
Custom Policy Enforcement: Specific rules ensure that responses stay compliant with organizational policies and data protection standards.

These guardrails make your agent enterprise-ready—safe, reliable, and aligned with compliance requirements.

Grounding and Relevance: Ensuring Trusted Responses

One of the major challenges with LLMs is hallucination—when models generate plausible but incorrect responses. To address this, I incorporated grounding and relevance techniques in my Bedrock agent:

Grounding: Ensures the model bases its responses on factual and verifiable data sources rather than just its internal training.

Relevance Filtering: Keeps responses contextually focused, discarding unrelated or speculative information.

This results in outputs that are more accurate, transparent, and trustworthy—critical for production-grade AI systems.

The Importance of Prompt Engineering

While models like those in AWS Bedrock are incredibly powerful, the quality of your prompts directly influences the quality of the model’s output. This is where Prompt Engineering becomes essential.

Prompt Engineering is the practice of designing and refining prompts that guide the model to produce the most relevant, coherent, and accurate responses.

A well-crafted prompt can:

Clarify intent: Clearly define what the model should do, avoiding ambiguity.
Provide context: Include background information or constraints to make outputs more precise.
Control tone and style: Guide the model to respond in a professional, conversational, or technical tone as needed.
Improve reliability: Reduce hallucinations and ensure the model stays on-topic.

In my experiments, I noticed how small prompt tweaks—like specifying format (“respond in bullet points”) or adding context (“use the S3 knowledge base as reference”)—dramatically improved the accuracy and structure of responses.

When combined with grounding and a knowledge base, prompt engineering acts as the bridge between human intent and model intelligence, helping you get consistently meaningful results from Bedrock.

Building a Knowledge Base in AWS Bedrock

A key part of my project was creating a Knowledge Base to provide my agent with contextual awareness and organization-specific data. Bedrock supports multiple types of knowledge bases, allowing flexible integration based on your data source.

Vector Store

Build a fully customizable knowledge base with maximum flexibility.
Specify the location of your data, select an embedding model, and Configure a vector store.
Bedrock automatically stores and updates embeddings, enabling efficient semantic retrieval for relevant responses.

Structured Data Store

Ideal for structured data such as databases or tables.
Enables semantic search and retrieval within your existing systems.
Allowing your agent to deliver accurate, data-driven answers.

Kendra GenAI Index

Powered by Amazon Kendra, this option enables deep document understanding and search.
Useful for retrieving context from unstructured documents such as PDFs, reports, and policies with high precision.

In my use case, I connected the agent to an S3-based knowledge base to provide access to domain-specific data. This allowed the agent to generate grounded, context-aware responses directly based on enterprise content.

Understanding Action Groups

While the knowledge base provides information, Action Groups define what the agent can do.

An Action Group in AWS Bedrock specifies a set of operations or functions your agent can perform, such as:

Querying data from a knowledge base
Calling APIs or triggering workflows
Executing specific business logic
Applying guardrails and filters

By modularizing these capabilities, Action Groups ensure that your AI agent operates within defined boundaries, remains auditable, and aligns with enterprise goals.

Enhancing Development with Amazon Q

To further enhance the GenAI development experience, AWS offers Amazon Q—an AI-powered assistant designed to help developers, data scientists and architects work more efficiently.

With Amazon Q, you can:

Use it as an extension in your code editor, such as VS Code, to get real-time code suggestions and explanations.

Integrate it with AWS Console or Bedrock workflows to assist with prompt optimization, model selection or debugging.

Quickly generate infrastructure-as-code templates, deployment scripts or Bedrock configurations using natural language.

In short, Amazon Q acts as a personal co-developer—accelerating your Bedrock projects and making the entire GenAI development lifecycle smoother and more intelligent.

Key Takeaways

Responsible AI Is Actionable: Guardrails make it easy to enforce safety and compliance in GenAI applications.

Prompt Engineering Drives Quality: The better your prompt, the better your model’s understanding, precision, and reliability.

Grounding Enhances Trust: Connecting your agent to verified data sources reduces hallucinations and improves user confidence.

Knowledge Base Adds Intelligence: Using S3, Vector Stores, or Kendra Indexes allows your AI to leverage both structured and unstructured enterprise data.

Action Groups Enable Control: They define what your AI agent can do, ensuring flexibility without compromising governance.

Amazon Q Accelerates Development: With Q integrated into your editor, you can experiment, refine, and deploy GenAI applications faster and smarter.

Conclusion

AWS Bedrock makes it remarkably easy to build intelligent, safe, and scalable GenAI applications. By combining the Novalite Agent, Guardrails, Grounding, Prompt Engineering, and an S3 Knowledge Base, I was able to create an AI assistant that not only understands context but also respects privacy and organizational constraints.

And with Amazon Q as a coding companion, the process becomes even more seamless—bridging the gap between creativity, compliance, and efficiency.

For teams exploring GenAI adoption, AWS Bedrock offers the perfect balance of innovation, control, and responsibility—a true enterprise-ready foundation for the next generation of AI-driven solutions.

If you have questions or want to share your experience, feel free to drop a comment or reach out to me at https://www.linkedin.com/in/shubham-kumar1807/

Getting Started with Coder.com

Shubham Kumar — Wed, 17 Sep 2025 17:20:25 +0000

Introduction

In today’s cloud-native world, developer productivity is often limited by the complexity of local development environments. Setting up tools, dependencies, and resources can be time-consuming and inconsistent across teams. That’s where Coder.com comes in.

Coder provides a way to run developer environments remotely, allowing engineers to code from anywhere while maintaining security, scalability, and reproducibility. Recently, I performed a Proof of Concept (POC) using Coder.com, and in this blog, I’ll share my experience, learnings, and key takeaways.

Why Coder.com?

Traditional development setups often face challenges like:

Inconsistent environments across machines
Long onboarding times for new developers
Security concerns when code resides on laptops
Scalability issues when projects demand more compute power

To address these issues, I explored Coder.com, a platform that enables cloud-hosted, reproducible developer workspaces. Recently, I ran a Proof of Concept (POC) to evaluate how Coder fits into a real-world setup. This blog walks you through my installation, configuration, and learnings.

Step 1: Install Dependencies
I began with a clean Ubuntu server. First, I updated the system and installed required utilities:

sudo apt update && sudo apt upgrade -y
sudo apt install -y curl unzip

Step 2: Install Coder
I fetched the latest release of Coder from GitHub and installed it:

CODER_VERSION=$(curl -s https://api.github.com/repos/coder/coder/releases/latest | grep tag_name | cut -d '"' -f 4 | sed 's/v//')
curl -fSL "https://github.com/coder/coder/releases/download/v${CODER_VERSION}/coder_${CODER_VERSION}_linux_amd64.deb" -o coder.deb

sudo apt install ./coder.deb
coder --version

Step 3: Install Docker

Coder requires Docker for container-based workspaces, so I installed and enabled it:

sudo apt update
sudo apt install -y docker.io
sudo systemctl enable --now docker
docker ps

I also added my user (ubuntu) to the Docker group for permissions:

sudo usermod -aG docker ubuntu

Step 4: Run Coder Server

Once Docker was ready, I launched the Coder server:

coder server

To make Coder run as a service, I created a systemd service unit:

sudo tee /etc/systemd/system/coder.service > /dev/null <<EOF
[Unit]
Description=Coder service
After=network.target

[Service]
ExecStart=/usr/bin/coder server
Restart=always
User=ubuntu
Environment=CODER_ADDRESS=0.0.0.0:7080

[Install]
WantedBy=multi-user.target
EOF

Then reloaded and enabled it:

sudo systemctl daemon-reload
sudo systemctl enable coder
sudo systemctl start coder

Finally, I opened port 7080 on the server and accessed the Coder dashboard at:

http://<server-ip>:7080

Once you access the UI, we need to create admin user first.

Step 5: Play with Coder UI

I have used the built-in Docker Template to Create a Workspace
From the Coder dashboard, I selected the Docker template to spin up a workspace.
This template allowed me to quickly create a development container running on my server.
I have created a new user and assign him the member role and he can easily access my templates.

Step 6: Create Custom template

Coder integrates natively with Terraform. I have ssh into my ubuntu machine and created a main.tf file to define a simple workspace template:

terraform {
  required_providers {
    coder = {
      source  = "coder/coder"
      version = "0.15.0"
    }
  }
}

provider "coder" {}

resource "coder_agent" "dev" {
  arch = "amd64"
  os   = "linux"
  startup_script = <<EOT
    #!/bin/bash
    set -e

    sudo apt-get update
    sudo apt-get install -y python3 python3-pip git curl vim
  EOT
}

I initialized Terraform and pushed the template to Coder:

terraform init
coder templates push my-ubuntu-template

Now, in the Coder dashboard, I can see my custom template.

✅ Final Thoughts

This POC with Coder.com gave me a solid understanding of how remote developer environments can simplify onboarding, improve consistency, and enhance security. By testing both the Docker template and Terraform-based custom templates, I was able to validate that Coder is flexible enough to support simple as well as advanced use cases.

If you have questions or want to share your experience, feel free to drop a comment or reach out to me at https://www.linkedin.com/in/shubham-kumar1807/

🛡️ Kubernetes Pod Security Best Practices: 13 Key Strategies for Hardening Your Workloads

Shubham Kumar — Tue, 05 Aug 2025 07:28:49 +0000

Kubernetes has become the standard and default platform for deploying containerized applications at scale—but with this power comes a broad and evolving attack surface. Pods, as the smallest deployable units, must be secured thoughtfully to prevent breaches, privilege escalation or lateral movement within the cluster.
In this guide, we’ll walk through 13 practical and essential strategies to secure Kubernetes pods, covering everything from IAM and network policy to runtime protection and advanced detection tools.

1. 🔐 Use IAM Roles for Service Accounts (IRSA)

What it is: Instead of assigning broad IAM roles to entire worker nodes, Kubernetes in AWS (EKS) supports IAM Roles for Service Accounts (IRSA)—a method that grants AWS permissions to individual pods via service accounts.

Why it matters: This approach aligns with the principle of least privilege, reducing the blast radius in case a pod is compromised.

Example: A pod that needs access to an S3 bucket gets a scoped-down IAM role via its associated service account, without granting that access to every pod on the node.

2. 🌐 Implement Network Policies

What it is: Kubernetes Network Policies control how pods communicate with each other and external endpoints.

Why it matters: By default, all pods can talk to each other, which is risky in production. Network policies let you isolate traffic by namespace, label, port or IP block.

Best practice:

Start with a default deny-all policy.
Explicitly allow required connections (e.g., frontend ↔ backend). Think of network policies as a virtual firewall for your pods.

3. 📦 Apply Pod Security Standards (PSS)

What it is: Kubernetes defines three levels of pod security:

Privileged: No restrictions—use only in trusted, internal environments.
Baseline: Disallows dangerous features but permits standard workloads.
Restricted: Enforces strong security defaults (e.g., no privilege escalation, non-root containers).

Why it matters: These standards help establish a cluster-wide baseline for pod hardening, especially useful in multi-team or shared environments.

4. 🛂 Enforce Pod Security Admission (PSA)

What it is: Pod Security Admission (PSA) evaluates pods against the above standards during admission (Kubernetes 1.25+).

Modes of enforcement:

Enforce: Blocks non-compliant pods.
Warn: Allows the pod but shows a warning message.
Audit: Records policy violations in logs for visibility.

Use case: In development environments, start with audit and warn, then gradually move to enforce as your policies mature.

5. 🔧 Use Security Context for Containers

What it is: The securityContext in pod specs allows you to define OS-level security settings for containers.

Key settings:

runAsNonRoot: true– Avoid running containers as root.
readOnlyRootFilesystem: true – Prevent writing to the container filesystem.
allowPrivilegeEscalation: false – Blocks processes from gaining additional privileges.
capabilities.drop: ["ALL"] – Removes unneeded Linux capabilities.

Why it matters: These settings significantly reduce the risk of container breakout and lateral attacks.

6. 🔐 Enable TLS Between Pods

What it is: Use mutual TLS (mTLS) to encrypt traffic between services within the cluster and verify their identities.

How to implement:

Use service meshes like Istio, Linkerd, or Consul.
Configure automatic certificate rotation and policy-based encryption.

Why it matters: TLS prevents man-in-the-middle attacks and eavesdropping in internal service-to-service communication.

7. 🐧 Prefer Linux Nodes for Security Features

Why it matters: Most advanced container security features like AppArmor, Seccomp, and SELinux are only supported on Linux nodes.
Best practice: For workloads requiring advanced security hardening, run them on Linux-based nodes rather than Windows nodes, which currently lack equivalent support.

8. 📉 Set Resource Limits and Requests Wisely

What it is: Kubernetes allows defining CPU and memory requests (guaranteed) and limits (maximum allowed) per container.

Why it matters:

Prevent resource starvation across the cluster.
Avoid over-committing memory, which can cause pods to be evicted or terminated.

Pro tip: Set memory limits equal to or lower than the request to avoid unpredictable behavior.

9. 🚫 Enable Seccomp Profiles

What it is: Seccomp (Secure Computing Mode) restricts the syscalls a container can make to the kernel.

How to implement:

Use RuntimeDefault for base protection.
Create custom profiles for even tighter control.

Why it matters: It minimizes the risk of kernel-level attacks and narrows the container’s system call surface.

10. 🧱 Use AppArmor or SELinux for Mandatory Access Control

What it is:

AppArmor: Available in Debian/Ubuntu-based distributions.
SELinux: Used in RedHat/CentOS environments.

Both restrict what a containerized application can do, e.g., file access, network usage, system resource access.
Why it matters: Enforcing security profiles with AppArmor or SELinux provides host-level protection from malicious container activity.

11. 📊 Enable Logging and Monitoring

What it is: Centralized logging and monitoring systems capture logs and metrics from pods and the cluster.

Tools:

Fluent Bit / Fluentd
Prometheus + Grafana
ELK Stack (Elasticsearch + Logstash + Kibana)
Splunk, Datadog, or Cloud-native options (CloudWatch, GCP Ops)

Why it matters: Early detection of anomalies (e.g., unauthorized access, unexpected pod restarts) is only possible if you have proper visibility.

12. 📍 Define Pod Placement Rules

What it is: Use Node Affinity, Taints/Tolerations, and Node Selectors to control where pods are scheduled.

Why it matters: Helps isolate critical workloads, enforce compliance, and reduce the attack surface.

Example:

Place workloads with elevated privileges on isolated nodes.
Prevent multi-tenancy risks by using taints and tolerations.

13. 🛡️ Use GuardDuty for Runtime Threat Detection (EKS Only)

What it is: Amazon GuardDuty offers runtime threat detection for Amazon EKS clusters.

Capabilities:

Detect suspicious Kubernetes API calls (e.g., unauthorized role binding)
Identify known malware in containers (via GuardDuty Malware Protection)
Surface signs of crypto mining, lateral movement, or C2 activity

Why it matters: Provides deep, continuous security insights with no additional agent installation required.

✅ Final Thoughts

Securing Kubernetes pods is not a one-time task—it’s a layered strategy that involves identity controls, traffic restrictions, runtime hardening, visibility, and threat detection. By implementing these 13 best practices, you strengthen your defenses against both internal misconfigurations and external threats.

"Security is not a feature. It’s a discipline." — Treat it as such in every phase of your Kubernetes adoption.

If you have questions or want to share your experience, feel free to drop a comment or reach out to me at https://www.linkedin.com/in/shubham-kumar1807/

🔐 Setting Up Headscale and Tailscale for Secure Private Networking: A Step-by-Step Guide

Shubham Kumar — Thu, 24 Jul 2025 06:24:28 +0000

In this blog, we'll walk through how to set up Headscale, a self-hosted alternative to Tailscale coordination server and connect multiple systems using Tailscale — all within your own private network. This setup enables secure and seamless access between devices, governed by customisable ACLs (Access Control Lists).

🧩 What Are Tailscale and Headscale?

Tailscale is a modern VPN built on WireGuard. It creates secure peer-to-peer connections between devices, even behind NATs and firewalls.
Headscale is an open-source self-hosted control server that manages Tailscale nodes without relying on Tailscale's cloud infrastructure.
By setting up Headscale and connecting clients via Tailscale, you gain full control over your network topology, access rules, and data flow.

🛠️ Step-by-Step Implementation

1. Provision an EC2 Server for Headscale
First, we spin up an EC2 instance (Ubuntu is preferred) to host our Headscale server. Make sure to:

Open required ports in your EC2 security group (e.g., 443 for HTTPS, 80 for HTTP if using a web UI later).
Assign a static public IP or use Elastic IP for persistent access.

2. Install and Configure Headscale
SSH into the EC2 instance and follow these steps:

# Update packages
sudo apt update && sudo apt upgrade -y

# Install dependencies
sudo apt install -y curl git sqlite3

# Install Headscale binary
curl -fsSL https://tailscale.com/headscale/install.sh | sh

# Generate configuration
sudo headscale generate-config > /etc/headscale/config.yaml

# Start Headscale service
sudo systemctl enable --now headscale

3. Create a User in Headscale

sudo headscale users create employee

This creates a user under which multiple devices can be registered.

4. Register a Node (Application Server)

Now, create another EC2 server that we’ll use to host a sample application:

For the testing purpose, I am simply running a sample application

# Start a simple web server on port 8888
python3 -m http.server 8888

Make sure to open port 8888 on the EC2 security group.

To add this server as a node:

Install Tailscale on the node.
Get a join URL from Headscale, run the following command on headscale server :

sudo headscale preauthkeys create --reusable --expiration 24h --user employee

On the node, run the following command to connect node:

sudo tailscale up --login-server "https://<your-headscale-ec2-ip>" --authkey <generated-key>

You can also try with http for the learning and POC purpose.

The server is now securely connected to the Headscale-managed private network.

Go to the headscale server and confirm the node has been attached successfully.

sudo headscale list nodes

5. Add a Client System (Intern's Laptop)
Repeat the above Tailscale installation steps on another system (e.g., your laptop or intern’s machine), using a different auth key or the same reusable one. Once connected, this device becomes a node in your mesh network.

6. Define ACLs to Control Access
To restrict access based on roles, define ACLs in the Headscale configuration file.

Create a file with name acl.hujson and save this file on the location /etc/headscale. You can refer the following ACL for example

{
  "groups": {
    "group:employees": [
    "username1",
    "username2"

],
    "group:interns": [
        "shubham.kumar"      
    ]
  },
  "acls": [    
{
     "action": "accept",
     "src": ["group:employees"],
     "dst": ["*:*"]
},
{
     "action": "accept",
     "src": ["group:interns"],
     "dst": ["<app server ip>:8888"]
}
  ]
}

This is just a simple test policy which is allowing full access to the employee group and only a specific IP on specific port access to the Intern group.

In the headscale config file which is present at /etc/headscale, add/uncomment the following -

policy:
  path: "/etc/headscale/acl.hujson"

Restart the headscale to update the ACL:

sudo systemctl stop headscale
sudo systemctl start headscale

Check the Headscale status

sudo systemctl status headscale

✅ Final Test

Test 1 - Connectivity Check
From the intern's laptop, run:

telnet <app server ip> 88888

Response should be connected.

Test 2 - Web Access Test
Open the browser and visit:

http://<tailscale-ip-of-app-server>:8888

Confirm that access works only as defined in the ACL rules.

Test 3 - ACL Enforcement
Change the ACL policy to remove access or modify the port, then restart Headscale:
# Example change: remove 8888 access for interns

Now retry access — it should be blocked as per the updated ACL.

I hope this guide helps you get started with setting up your own Headscale-Tailscale network. Setting up your own secure, self-hosted VPN network doesn't have to be complex — and with Headscale and Tailscale, it's easier than ever. Try it out and take full control of your network access.

If you have questions or want to share your experience, feel free to drop a comment or reach out to me at https://www.linkedin.com/in/shubham-kumar1807/

Good Luck!!

A Beginner’s Guide to Building a Career in DevOps and Cloud

Shubham Kumar — Thu, 21 Nov 2024 18:30:31 +0000

With over 7 years of experience in the fields of Cloud and DevOps, I often get asked a common question:

“How can I start a career in DevOps and Cloud?”

The answer isn’t simple, but it’s definitely achievable with the right mindset and plan. DevOps and Cloud are vast domains and diving into them without a roadmap can feel overwhelming. In this blog, I’ll share some key steps to help you begin your journey in these exciting fields.

1. Understand the Connection Between Cloud and DevOps
In today’s tech-driven world, DevOps and Cloud are inseparable. Cloud platforms (like AWS, Azure, and GCP) provide the infrastructure while DevOps tools and practices enable efficient development, deployment, and management of applications on these platforms.

Where to Start

Begin by picking one cloud platform to focus on. Your choice can depend on your interests or the platform’s popularity in your region or industry.

A key point to note: All major cloud providers offer similar services with different names. For example:

For a server:
AWS provides EC2
Azure offers Compute
GCP uses Compute Engine
Though the terminology varies, the functionality remains largely the same.

How to Approach Learning Cloud Computing to start your career

Cloud computing is a vast domain, so it’s essential to go step by step:

Start with the Basics: Identify and focus on foundational services. Just search online for "top 10 basic services of [cloud provider]" to create a list and start learning them one by one.
Use Free or Affordable Learning Resources:
YouTube tutorials for practical demonstrations.
Udemy courses for structured learning.
Focus on Hands-on Practice: Practice is key to understanding concepts. Create and manage resources on your chosen cloud platform to solidify your learning.
Remember, you don’t need to learn everything at once. Start small and build your expertise gradually.

2. Learn the Basics of DevOps
DevOps fosters collaboration between development and operations teams through tools and automation. Here are the areas you should focus on first:

CI/CD Pipelines

CI/CD (Continuous Integration/Continuous Deployment) is the backbone of DevOps. It automates the process of building, testing, and deploying applications.

Start with Jenkins, a popular tool for creating CI/CD pipelines.
Install Jenkins on your system, explore tutorials, and practice building pipelines on your local machine.

Containerization

Docker is a critical tool in DevOps that enables containerization of applications. Learn the basics of Docker, understand its concepts, and experiment with containerizing simple applications on your local system.

3. Master Infrastructure as Code (IaaC)
When learning cloud platforms, you’ll likely create resources manually using the console. However, DevOps emphasizes automation. Tools like Terraform or CloudFormation allow you to automate resource creation and management.

Start with Terraform: Practice creating resources like the ones you learned in your initial cloud exploration. Automating tasks builds confidence and expertise.

4. Understand Source Code Management
Version control is vital for modern software development. Start with Git, one of the most widely used version control tools.

Learn how to use Git to manage code repositories.
Practice on your local system to gain hands-on experience.

5. Develop Basic Scripting Skills
While DevOps doesn’t require you to be a programming expert, understanding the basics of scripting is essential.

Learn the fundamentals of Python or Bash scripting.
Focus on practical tasks, like automating repetitive processes or managing files.

6. Explore Orchestration Tools
Kubernetes is a powerful tool for container orchestration. While it’s a vast topic, even a basic understanding will set you apart.

Start learning Kubernetes concepts using tutorials or courses.
Install Minikube on your laptop to practice orchestrating the Dockerized applications you’ve already built.

Plan Your Learning Path
I understand this might seem overwhelming at first, but remember, everyone starts somewhere. I began my journey the same way—step by step. It might seem like a lot to take in, but trust me, starting with the process I’ve outlined will make it manageable.

Don’t aim to master everything right away. Focus on learning gradually, one step at a time. Practical experience is the key to mastering any skill. Once you have a basic understanding of DevOps and Cloud, start building simple projects to solidify your knowledge.

You can connect with me on LinkedIn or via email for guidance. I’d be happy to suggest projects that will help you gain hands-on experience.

Good Luck!

Welcome to the world of DevOps and Cloud! If you found this guide helpful or have questions, feel free to connect with me on LinkedIn: "shubham-kumar1807", or leave a comment here.

Thank you for reading!

Enhancing AWS S3 Security with GuardDuty.

Shubham Kumar — Fri, 30 Aug 2024 06:24:56 +0000

In today's digital era, data is the lifeblood of businesses and individuals alike. As the volume of data continues to grow exponentially, more organizations are turning to cloud solutions for scalable and reliable storage. Among these, Amazon S3 has emerged as one of the most popular and trusted data storage services.

However, while data is undeniably valuable, it also becomes a prime target for malicious activities. Ensuring the security of your data is not just an option—it's a necessity. Protecting your data from potential threats is crucial to maintaining the integrity and trustworthiness of your operations.

AWS GuardDuty offers robust features for safeguarding your S3 data through two distinct protection plans:

S3 Protection
Malware Protection for S3

In this blog, we'll provide a brief overview of the S3 Protection plan and take a closer look at the Malware Protection for S3.

S3 Protection Plan
The S3 Protection plan within Amazon GuardDuty is designed to monitor and detect suspicious activities and potential security threats involving your S3 buckets. It emphasizes the identification of unauthorized access, data exfiltration attempts, and misconfigurations that could jeopardize your data. By analyzing access logs, API call patterns, and bucket configurations, the S3 Protection plan generates actionable alerts, enabling you to swiftly address unauthorized actions and maintain secure bucket settings. This plan plays a crucial role in safeguarding your S3 environment by continuously monitoring how your data is accessed and managed.

Malware Protection for S3
AWS recently introduced the Malware Protection for S3 feature as part of Amazon GuardDuty. This powerful tool helps detect potential malware by scanning newly uploaded objects in your selected Amazon Simple Storage Service (Amazon S3) buckets. Whenever a new object or a new version of an existing object is uploaded to the designated bucket, GuardDuty automatically initiates a malware scan, providing an additional layer of security for your data.

Why should We use it?

Key Features of Malware Protection for S3

Seamless Integration: Integrating Malware Protection for S3 is straightforward, requiring no additional infrastructure. Simply enable the feature and select the desired S3 bucket for scanning. You can activate it through the AWS Management Console, API, CLI, CloudFormation templates, or Terraform.
Customizable Scanning: You have the flexibility to configure scans at the folder level by defining prefixes, allowing you to target specific areas of your S3 buckets.
Automatic Scans on Upload: The system automatically scans new objects as they are uploaded to your bucket, generating detailed reports within seconds.
Support for All File Formats: Malware Protection for S3 is versatile, supporting scans across all file formats.
Highly Scalable: The service is designed to scale effortlessly with your needs, ensuring consistent performance regardless of your data volume.
Tagging Mechanism: When enabled, the tagging feature labels each scanned object with one of the following statuses:
- NO_THREATS_FOUND: The object is clean.
- THREATS_FOUND: Malware has been detected.
- UNSUPPORTED: The file format is not supported for scanning.
- ACCESS_DENIED: The scan couldn't access the object.
- FAILED: The scan was unsuccessful.
Quarantine Infected Files: Infected files are automatically quarantined in a separate S3 bucket, effectively preventing further distribution and mitigating potential threats.
Rapid Findings: Scan results are generated within seconds, providing swift feedback on the status of your files.
Contextualized Findings: The system provides detailed insights, including metadata about the S3 data, specific scan results for the object, and the category of detected malware.

How it works?

Architecture

When you enable Malware Protection, an EventBridge rule is automatically added to your S3 bucket. This rule triggers the scanning mechanism whenever a file is uploaded. GuardDuty then initiates a process within a dedicated, secure VPC that has no internet access. Through AWS PrivateLink, the files are securely transferred from the S3 bucket to this isolated environment. GuardDuty’s Malware Protection then scans the files using heuristic analysis and machine learning models. Once the scan is complete, the file is deleted and the scan status, along with scan metadata, is processed. The results are published via an EventBridge rule, and scan metrics are sent to CloudWatch for monitoring.

What It Scans
- The system detects threats using YARA rule definitions, which are specialized patterns for identifying malicious files.
- It has comprehensive visibility into various types of malware that may target AWS environments.
- The detection capabilities extend to multiple types of malware, including crypto miners, ransomware and web shells.

GuardDuty Malware S3 protection Quota and Limitations:

Maximum S3 Object Size: Up to 5 GB per object.
Extracted Archive Bytes: The maximum size for extracted archive content is 5 GB.
Extracted Archive Files: Up to 1,000 files can be extracted from an archive for scanning.
Maximum Archive Depth Levels: Archives can be scanned up to a depth of 5 nested levels.
Maximum Protected Buckets: You can protect up to 25 S3 buckets per account.

Thank you for taking the time to read my blog. I hope this guide has provided you with a clear understanding of how AWS GuardDuty's Malware Protection for S3 can effectively safeguard your data against potential threats. Implementing these security measures will enhance the protection of your S3 buckets, ensuring that your data remains secure and your cloud environment resilient.

FAQs:

What will happen if we upload a file of size greater than 5 GB?
The 5 GB limit is a strict threshold as of now, and it cannot be increased. If a file larger than this limit is uploaded, GuardDuty will not scan it. Additionally, if tagging is enabled, the file will be tagged as "UNSUPPORTED."

Thank you for reading our guide on AWS GuardDuty S3 Malware Protection! We hope this information helps enhance your security practices. If you have any questions or suggestions, feel free to reach out at kumarshubham1807@gmail.com.

Stay secure, and happy cloud computing!

Understanding Reverse Proxy with Nginx - Step By Step Guide

Shubham Kumar — Mon, 18 Dec 2023 07:24:02 +0000

Introduction:

In the realm of web servers and networking, the concept of a reverse proxy is a powerful and versatile tool. Among the myriad of choices, Nginx stands out as a robust solution for implementing reverse proxy functionality. In this blog post, we'll explore what a reverse proxy is, why it's beneficial, and how to set up and configure one using Nginx.

What is a Reverse Proxy?

A reverse proxy is a server that sits between client devices (such as web browsers) and a web server, forwarding client requests to the server and returning the server's responses back to the clients. Unlike a forward proxy, which handles requests from clients to the internet, a reverse proxy manages requests from clients to one or more backend servers.

Why Use a Reverse Proxy?

Port Forwarding:
A reverse proxy is an excellent tool for simplifying and securing port forwarding scenarios. Instead of exposing internal services directly to the internet, you can use a reverse proxy to manage access to these services.

Load Balancing:
One of the primary benefits of using a reverse proxy is load balancing. When multiple backend servers are available, a reverse proxy distributes incoming requests among them, ensuring optimal resource utilization and preventing any single server from being overwhelmed.

Increased Security:
A reverse proxy acts as an additional layer of security for your web applications. It can hide the identity and characteristics of your backend servers from external clients. This adds a level of obscurity, making it more challenging for potential attackers to gather information about your infrastructure.

SSL Termination:
Handling SSL/TLS encryption can be resource-intensive for backend servers. A reverse proxy can offload the SSL termination process, freeing up resources on the backend and simplifying certificate management.

Web Acceleration:
Reverse proxies can cache static assets, such as images and CSS files, and serve them directly to clients. This reduces the load on backend servers, speeds up content delivery, and enhances overall web performance.

Setting up Reverse Proxy with Nginx:

Step 1: Install Nginx. I am using Ubuntu OS.

sudo apt-get update
sudo apt-get install nginx

Step 2: Configure Nginx as a Reverse Proxy
Edit the Nginx configuration file, usually located at /etc/nginx/nginx.conf or /etc/nginx/sites-available/default. Add a location block for the backend server:

server {
    listen 80;

    server_name example.com;

    location /serviceA/ {
        proxy_pass http://backend-server:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /serviceB/ {
        proxy_pass http://backend-server:8081/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Add more location blocks for additional services as needed
}

Let's say you have multiple services running on your backend servers, each on a different port (e.g., service A on port 8080, service B on port 8081, and so on). Instead of exposing each service individually, you can leverage Nginx as a reverse proxy for port forwarding.

Replace example.com with your domain and backend-server with the address of your backend server.

proxy_pass http is the parameter where you have to mentioned where really you want to forward or proxy to. So, as per the configuration of the above file if you hit example.com/serviceA --> it will proxy you to the backend service with name backend-server and port 8080 and likewise for serviceB.

Step 3: Test and Reload Nginx
Test the configuration for syntax errors:

sudo nginx -t

If no errors are reported, restart Nginx to apply the changes:

sudo service nginx restart

Step 4: Test the Reverse Proxy if it is working

Incase you don't have any backend services currently running on the server, you can test it by the following approach

Create a file named index.html with some basic content. For example:

<!DOCTYPE html>
<html>
<head>
    <title>Port Forwarding Test</title>
</head>
<body>
    <h1>Hello, this is a test page!</h1>
</body>
</html>

Use Python to Serve the HTML File on Port 8080:

Open a terminal and navigate to the directory containing index.html. Run the following Python command to start a simple HTTP server on port 8080:

cd /path/to/test/
python3 -m http.server 8080

Update Nginx Configuration with the following configuration by following all the steps mentioned above:

server {
    listen 80;
    server_name localhost;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

Access Your Application:
Now, you should be able to access your application on port 80, and Nginx will forward the traffic to port 8080.

Visit http://localhost (or Server IP) in your web browser, and it should display the content served by the application running on port 8080.

Adjust the Nginx configuration as needed based on your specific requirements and the structure of your application.

Thank you for reading our guide! We hope it proves valuable for your web server setup. If you have any questions or suggestions, feel free to reach out on kumarshubham1807@gmail.com. Happy coding!

My CKAD Exam Journey: Tips for Success

Shubham Kumar — Tue, 17 Oct 2023 06:10:51 +0000

If you've found your way to this page, congratulations because it means you're already one step ahead on your Kubernetes journey and you are planning for certification. While many are merely considering joining the Kubernetes community, your presence here reflects a genuine interest and the ambition to excel in this dynamic field. Boost your confidence!!!!!

Today, I'm thrilled to share that I've successfully cleared my CKAD (Certified Kubernetes Application Developer) exam. This certification marks a significant milestone in my Kubernetes adventure, and I'm excited to pass on the knowledge and insights I've gained along the way. This blog is designed to serve as a guiding light, helping you prepare for the CKAD exam and increase your confidence in achieving this remarkable certification. So, let's dive in and explore the path to CKAD success together.

Section 1: Understanding the CKAD Exam
The CKAD (Certified Kubernetes Application Developer) exam stands apart from the typical certification tests you may have encountered, such as those from AWS, Azure, or other cloud providers. Unlike the multiple-choice questions or a small handful of subjective queries that populate many exams, the CKAD is an entirely subjective exam. In essence, it challenges your practical Kubernetes skills and problem-solving abilities rather than mere rote memorization.

With the CKAD, you won't find any multiple-choice questions. Instead, you'll be tasked with real-world scenarios where you must craft Kubernetes manifest files, troubleshoot issues, and perform hands-on tasks. What sets this exam apart is that you have access to the Kubernetes official documentation during the test. This open-book approach makes the CKAD not just challenging but also engaging. The questions are designed to be clear and to the point. If you possess the skill to navigate and search the Kubernetes documentation swiftly, you're well on your way to mastering this exam.

Here are some essential details to note about the CKAD:

Duration: You're given a total of 2 hours to complete the exam.
Number of Questions: There will be 15 to 20 questions.
Passing Score: To successfully clear the CKAD, you generally need to score around 67% to 68%.
Weightage: Each question in the exam carries a different weightage, and this information is clearly indicated for you. Understanding the weightage of each question allows you to allocate your time efficiently and prioritize tasks accordingly.
The CKAD is a unique certification experience, and with the right approach and preparation, you can confidently conquer it. Now, let's dive deeper into how you can prepare effectively for this exam.

Section 2: Preparing for the Exam
To excel in the CKAD (Certified Kubernetes Application Developer) exam, it's essential to build a strong foundation in the fundamental concepts of Kubernetes. The beauty of this exam lies in its simplicity – the questions are designed to test your understanding of core concepts rather than trick you with complexity. Before you venture into the exam room, ensure that you have a crystal-clear understanding of various critical topics, including:

Pod Designing
Resource Allocation
Deployment
Service
ConfigMap and Secrets
Network Policy
Ingress
Docker
Volume Mounting

It's worth noting that you can expect at least one question related to each of these topics during the exam. Mastering these fundamental concepts will put you in a strong position to tackle the CKAD exam questions with confidence.

Here's a recommended strategy how to prepare for it:

1. Set Up Minikube: Begin by setting up Minikube on your local system. Minikube is a lightweight Kubernetes cluster that allows you to create a local, isolated environment for Kubernetes testing and experimentation. It's an excellent tool for hands-on learning.

2. Hands-On Practice: Once Minikube is up and running, delve into hands-on practice. Take each of the core topics mentioned earlier, such as pod designing, deployment, services, config maps, secrets, network policies, ingress, Docker, and volume mounting, and work through practical exercises.

3. Simulate Exam Conditions: To truly prepare for the CKAD exam, it's essential to simulate the exam conditions. Select one topic at a time, look for sample questions related to that topic, and set a specific time limit for yourself, mirroring the real exam conditions. This will help you practice time management and the efficient execution of tasks.

This hands-on, focused approach not only solidifies your understanding but also sharpens your ability to work under the constraints of time and pressure. It's a highly effective way to prepare for the CKAD exam and aligns with the exam's practical nature. Remember, practice is the key to success in this exam, and this approach ensures that you're not just well-versed in theory but can confidently apply your knowledge in real-world scenarios.

With this practical strategy, you'll be well-prepared to tackle the CKAD exam's challenges and emerge with the confidence to excel.

Section 3: Tips for Exam Day

Preparing for the CKAD (Certified Kubernetes Application Developer) exam is not just about mastering Kubernetes concepts; it's also about honing specific skills and techniques that can help you perform your best on exam day. Here are some valuable tips to ensure success:

1. Efficient VIM Editor Usage: Familiarity with the VIM text editor is a tremendous asset for the CKAD. Since you'll be writing manifest files, practicing writing them in VIM can significantly enhance your speed and accuracy.

2. Linux Basics: A solid grasp of Linux fundamentals is crucial. Understanding common Linux commands and concepts will make your interactions with the Kubernetes cluster smoother.

3. Utilize Environment Variables: Time is of the essence during the CKAD exam. To save precious seconds, create environment variables in your terminal for frequently used commands. This way, you can avoid typing the same commands repeatedly, which can be a real time-saver. Here's a practical example:

alias k=kubectl
export do="--dry-run=client -o yaml
export now="--force --grace-period 0"

#How to use it:
k creat deploy ckad --image=nginx $do > deploy.yaml

4. Leverage Imperative Commands: Imperative commands are your friends. They allow you to generate manifest files quickly, edit them, and deploy them in a few simple steps. Practice using kubectl imperative commands extensively. Remember, efficiency is key.

5. Don't Get Stuck: If you encounter a challenging question, don't let it stall your progress. Flag the question, move on to others, and come back to it later. The CKAD exam is not about achieving a perfect score but rather demonstrating your overall competence. Time management is critical.

6. Effective Use of kubectl --help: Make sure you understand how to use the kubectl --help command. It can provide valuable insights and options for various kubectl commands, helping you work more efficiently.

Last and Final Step Before Taking the Exam

Once you've taken the initiative to book your CKAD (Certified Kubernetes Application Developer) exam, you're well on your way to achieving this valuable certification. However, before you rush into the exam, it's crucial to make the most of your preparation time. Here's what you should consider in the lead-up to your exam:

1. Timing and Scheduling: The CKAD exam booking grants you a one-year window to take the test. This generous timeframe provides flexibility and allows you to choose a date that best suits your preparation. Avoid rushing into the exam; take the time you need to build confidence and proficiency.

2. Simulator Exams: Along with your exam booking, you'll receive two simulator exams. These simulator exams are slightly more challenging than the real CKAD exam, serving as an excellent preparation tool. They offer a taste of real exam conditions and a chance to refine your skills.

3. Practice and Repetition: Dedicate significant time to these simulator exams. Solve them repeatedly until you feel confident in your ability to tackle the questions. Remember, practice is the key to success in the CKAD exam. The simulator exams provide a testing ground for you to refine your knowledge and skills.

By the time you feel comfortable completing the simulator exams, you'll be in an excellent position to clear the actual CKAD exam. With your understanding of core Kubernetes concepts, hands-on experience, and a taste of real exam conditions, you can confidently book your CKAD exam.

Wishing you the best of luck on your CKAD journey! You're on the path to becoming a Certified Kubernetes Application Developer, and with your dedication and preparation, success is within reach.

AWS DMS - Database Migration to AWS

Shubham Kumar — Thu, 24 Aug 2023 17:46:59 +0000

Moving databases to the cloud can be confusing, but AWS Data Migration Service (DMS) is here to help. It's like a guide that makes moving your data to Amazon Web Services (AWS) simple. Whether you're new to this or already know a bit, AWS DMS is here to make things easier. In this guide, we'll show you what AWS DMS is, what it does, and why it's important for modern IT. Come with us to learn about AWS DMS and see how it can help you smoothly shift to the cloud. Let's start this exciting journey into AWS DMS together!We are going to explore AWS DMS. We will se how AWS Data migration service work in real project.

As shown in the diagram to explore AWS DMS we are going to migrate one DB hosted on EC2 to the AWS RDS using AWS DMS.

But what is AWS DMS?

AWS Data Migration Service (DMS) is a specialized tool by Amazon Web Services that simplifies moving your databases from one place to another, like from your own computers to the powerful cloud servers of AWS. It's like a skilled mover for your data, ensuring it gets to its new home safely and quickly. Whether you're shifting lots of data or just a bit, DMS takes care of the tricky parts, making database migration a breeze.

Now let's see the implementation step by step

Step 1: Configure one MySQL database on EC2 which will act as a source database in our case.

1.1. Create one EC2 instance and configure MySQL database on it. Please note the DB endpoint, username and password. We will need it in the further step to migrate data from this server to AWS RDS, which is the agenda of this session.

Step 2: Create a managed database using AWS Relational Database.

2.1. Go to the AWS RDS console.
2.2. Choose Create Database.
2.3. For choose a database creation method: Select Standard Create.
2.4. For Engine Type: Select MySQL
2.5. For Edition: Select MySQL Community
2.6. For Version: Select Latest Version
2.7. For Templates: Select Free Tier
2.8. Under setting give DB instance identifier name-TargetDB
2.9. Give Master Username - admin
2.10. Give Master Password - shubhamkcloud
2.11. Confirm Password
2.12. Under instance Configuration - For DB instance class select Brustable classes and then select db.t3.micro
2.13. Leave the storage parameter as it is.
2.14. Under Connectivity: Select VPC and Subnet Group.
2.15. For Public Access: Select No
2.16. Select Security Group. Make sure to allow port 3306.
2.17. For Database Authentication: Select password Authentication.
2.18. Finally click on Create Database

It will take sometime but finally DB will be created.

Step 3: Create Replication Instance

Replication Instance initiates the connection between source and target database and it will transfer data.

3.1. Go to the Database Migration Service console.
3.2. Click on the Replication instance on the left side panel.
3.3. Click on Create Replication instance
3.4. Enter instance name - replication-instance
3.5. For instance class: select dms.t3.medium
3.6. For Engine version: select latest version. Currently it is 3.5.1
3.7. For High Availability: Select Dev or test workload
3.8. For Allocation storage: enter 50
3.9. For network type - select IPV4
3.10. Select VPC and Subnet
3.11. Select the checkbox for public accessible
3.12. Expand Advance setting and select Availability zone and Security group.
3.13. Choose Create replication instance.

This will again take some time but after waiting for 5-7 mins replication instance will be created.

Step 4: Configure Source Database

Use continuous replication of changes (also known as Change Data Capture(CDC))to ensure minimum downtime.

4.1. Get the Source DB endpoint, username and password.
4.2. You need to login to the DB server and grant the following permission to the DB USER. You can use the following command.

mysql -u root -p <password>
GRANT REPLICATION CLIENT ON *.* to '<DB_USER>;
GRANT REPLICATION SLAVE ON *.* to '<DB_USER>;
GRANT SUPER ON *.* to '<DB_USER>;
exit

4.3. Restart MYSQL service with the following command

sudo service mysql restart

STEP 5: Create Source and Target end points

5.1. Go to the AWS DMS console.
5.2. Click on Create endpoint from the left panel.
5.3. Give Endpoint identifier name as source-endpoint
5.4. Select Source engine as MySQL
5.5. For Access to endpoint database - Select Provide access information manually
5.6. For Server name - Enter Source DB server name(from step 1).
5.7. For port enter: 3306
5.8. Enter Username set on the first step.
5.9. Enter password set on the first step.
5.10. For Secure Socket Layer mode - select None
5.11. Click on Test endpoint connection for testing the endpoint.
5.12. Select VPC
5.13. For Replication instance - Select replication-instance from the dropdown list.
5.14. Choose Create endpoint
5.15 Follow the same step from 5.1 to 5.14 and create Target endpoint in the same way as you created for source endpoint. Remember we have to give here RDS endpoint, username and password.

Step 6: Create and Run Replication Task

As I mentioned above we will perform this migration by continuous data replication migration approach. Although this can be perform in multiple ways.

6.1. Go to the AWS DMS console.
6.2. Navigate to Database Migration Tasks on the left side.
6.3. Click Create Task
6.4. Provide a task identifier name, e.g., replication-task
6.5. For "Replication instance," select replication-instance from the dropdown list.
6.6. For Source database endpoint - Select source-endpoint from the dropdown list.
6.7. For Target database endpoint - Select target-endpoint from the dropdown list.
6.8. For Migration Type - Select Migrate existing data and replicate ongoing changes
6.9. On the Task setting section, For Editing mode - Select Wizard
6.10. For Target table preparation mode - Select Do nothing
6.11. For Stop task after full load complete: Select Don't stop
6.12. For Include LOB columns in replication: Select Limited LOB mode
6.13. For Maximum LOB size(KB) - Enter 32
6.14. Select the checkbox for - Turn on validation
6.15. Select the checkbox for - Turn on Cloudwatch logs
6.16. Leave the other values as default
6.17. For the Table mapping section, select Editing mode as Wizard
6.18. choose Selection rules and then choose Add new selection rule
6.19. For Schema - SelectEnter a schema from the dropdown list
6.20. For Source name - enter DB name.
6.21. Under the Migration task startup configuration, for Start migration task - Select Automatically on create
6.22. Choose Create task. This will take few minutes to complete. Wait for the status to change to Load complete, replication ongoing
6.23. We can check the table statistics on the Table statistics tab inside your replication-task

Step 7: Validate

Since you completed all these steps, now you can verify the data in your RDS.

Conclusion: Congratulations on successfully migrating your database using AWS Data Migration Service (DMS). You've harnessed the power of seamless data movement to AWS RDS.

Mastering Prompt Engineering: A Journey into AI-Powered Conversations

Shubham Kumar — Tue, 22 Aug 2023 09:21:29 +0000

Why Prompt Engineering?

In a world where artificial intelligence (AI) is becoming an integral part of our lives, understanding the art of prompt engineering can be your key to unlocking AI's true potential. Let's embark on a journey to explore how crafting the right prompts can empower you to communicate effectively with AI, enhancing the way you interact with technology.

What is Prompt Engineering?

Imagine explaining prompt engineering using a cooking analogy. Just like how we need the right ingredients to cook a specific dish, we need to provide precise information to artificial intelligence (AI) for it to work effectively.

Think about making rice. If you want to cook rice but you only have wheat, you won't get the desired result. Similarly, as we step into the era of Artificial Intelligence and machine learning, we need to prepare our input carefully.

When you want AI to do something, you're like the chef in the kitchen. If you give clear and exact instructions, AI will understand what you want and provide the right output, just like a well-cooked meal. This process is called prompt engineering.

In essence, prompt engineering is like giving smart directions to a computer friend. It involves using the right words and instructions to help AI comprehend our needs. By being precise in our prompts, we can ensure that AI gives us the outcomes we're looking for – much like a delicious dish prepared from the right ingredients.

The Palette of Effective Prompt Formulation

Just as an artist chooses colors with care, crafting effective prompts requires attention to detail. Let's dive into the palette of prompt formulation and examine its core components.

Clear and Specific Language: Guiding AI's Understanding
Using simple language and being specific in your requests ensures that AI grasps your intent accurately. Think of it as speaking directly to AI, clarifying your expectations like you would with a friend.

Contextual Details: Providing Depth to Your Prompts
Similar to adding layers to a painting for depth, including relevant context in your prompts helps AI to understand your request more comprehensively. This contextual information empowers AI to generate contextually fitting responses.

Avoiding Ambiguity: The Path to Precise Responses
Ambiguity in prompts is like blurred strokes in a painting – it leads to confusion. By steering clear of vague instructions, you enable AI to provide clear and accurate responses, just as an artist creates well-defined lines.

Prompt Example:
Suppose your prompt is - "Tell me about the best hiking spots."
You can make your prompt like - "I'm planning a weekend trip. Can you recommend the top hiking destinations in the Rocky Mountains?"

Complete Instructions: Crafting a Comprehensive Prompt
A complete prompt equates to a complete picture. Furnishing AI with all necessary details ensures it has the elements it needs to generate accurate and holistic responses, akin to a complete artwork.

Structured Queries: Organizing for Optimal Outcomes
Just as an architect plans a building with structured blueprints, framing your prompt in a structured manner enhances AI's understanding. Breaking down complex queries into clear steps enables AI to deliver more precise answers.

Prompt Example:
Suppose your prompt is "Explain the theory of relativity."
You can make your prompt like - "Break down the theory of relativity into its key components: general relativity and special relativity."

Testing and Iteration: Refining for Desired Results
Iterating prompts is like revising a draft until it's perfect. Testing your prompts, observing the results, and refining them based on feedback improves the accuracy of AI responses over time.

Prompt Frameworks Unleashed

Short Prompts: Direct and Impactful Communication
Ask your question directly, very short and very precise. You can also give some reference and ask AI to answer your question with respect of your example provided. You're telling AI exactly what you need. It's almost like having a chat with a very helpful and super-smart friend who knows all the answers. It'll give you just the info you're looking for.

Two-Way Communication: Ensuring Clarity through AI Interrogation
Think of prompt communication like having a friendly Q&A session with AI. Imagine you're the student, and AI is your knowledgeable teacher. When you ask a question, your teacher has to fully understand it to provide a helpful answer.
Here's the twist: what if your teacher didn't get your question? They might give you a puzzling answer, right? Similarly, if your prompt to AI isn't crystal clear, it might give you unexpected or odd responses.
So, let's teach AI to double-check! Just like you'd want your teacher to ask, "Did you mean this?" if they're unsure, prompt the AI to question your query. For example, "AI, did you understand my request to clearly?"
This two-way interaction is like teaching AI to be a careful student, making sure it understood before answering. It's a bit like avoiding misunderstandings in a classroom – with clear communication, you'll get the right answers. So, next time you prompt AI, have it quiz your query to ensure it's on the same page before providing the info you're looking for.

Prompt Example: 
- ChatGPT, did you understand my request for an overview of World War II?
- If you're uncertain about my request, please ask for clarification before providing an answer.

Nurturing Expertise with ChatGPT

Transforming ChatGPT: Your Personal Expert
Imagine ChatGPT as a super-smart friend who can become an expert in any topic you ask. It's like having a friend who can instantly learn about whatever you're curious about.
Here's the cool part: just tell ChatGPT the topic, and it will dive into it like a quick learner. It gathers information and becomes an expert. Then, it gives you the best answers, as if it's been studying that topic for ages.
Think of it like having a friend who becomes a champ in different subjects just to help you out. From science to history to art – ChatGPT has your back. So, the next time you're curious, ask ChatGPT to become an expert, and it will guide you like a pro!

Prompt Example:
- ChatGPT, you become an expert in renewable energy sources.
- Explore various types of renewable energy, their benefits, and their impact on the environment.

Perfecting Your Prompts with ChatGPT

Refinement Through Critique: ChatGPT as Your Prompt Coach
Just as an artist seeks feedback to enhance their work, ChatGPT can critique your prompts for improvement. It offers suggestions to make your prompts clearer, ensuring optimal results.

Empowering Your Queries: ChatGPT's Guided Refinement
Ever had a friend who helps you refine your ideas? Think of ChatGPT as that helpful friend. It can critique your prompts and help you make them even better!
Imagine ChatGPT as your prompt coach. It can give you tips to make your prompts clearer and better. Like a friend suggesting improvements, ChatGPT helps you create prompts that get the best results. So, when in doubt, let ChatGPT guide you to ask in the right way!

Prompt Example:
- ChatGPT, critique my prompt about climate change.
- Offer suggestions to make my climate change prompt more concise and impactful.

Conclusion: Embrace the Power of Prompt Engineering

In a world where communication with AI is increasingly prevalent, prompt engineering is your gateway to seamless interactions. Just as a skilled chef produces masterpieces with the right ingredients, you too can yield outstanding AI responses by mastering the art of prompt engineering. By understanding how to frame effective prompts, leveraging ChatGPT's expertise, and refining your queries, you're poised to navigate the AI landscape with finesse, transforming everyday interactions into extraordinary outcomes.

How to use AWSCLI to download S3 object

Shubham Kumar — Thu, 18 May 2023 13:54:32 +0000

AWS console doesn't allows to download multiple files or folder together. This is a limitation for the AWS console. But we can use awscli to get it. This is a very small doc but good to start with.

Prerequisite:

AWS Active Account
AWS CLI
IAM user with s3 list and get access

Steps:

Create IAM user
Configure AWSCLI in your local
Use awscli to download it.

Implementation:
Step 1: IAM user creation

Login to AWS console, go to the IAM service and create one user.
Make sure to add S3 specific permission with this user. For your test purpose you can give AWS managed S3FullAccess permission.
Once the user is created

--> click on users under the IAM page
--> click on the user that you created just now
--> click on security credentials

--> scroll down and under access key section click on create access key.

--> Save you access key and secrets key in safe place. You will not be able to find it if you missed to save.

Step 2: Configure AWSCLI

Please refer step 1 and 2 of the below mentioned doc to get the steps if you need it.

https://dev.to/shubhamkcloud/automate-application-deployment-into-lightsail-instance-28co

Step 3: Use awscli to download it

We may have different use cases of downloading a single file or a complete folder.

If you need to download a single file, use the following command.

aws s3 cp <s3://bucket-name>/<file_name> <local/path>

If you want to download complete folder, use the following command.

aws s3 sync <s3://bucket-name>/<folder_name> <local/path>

By using the above mentioned command you will be able to download S3 objects from your S3 bucket to your local system.

Thanks for reading. This is a very small blog but important one to save our time.

Cheers!