Amazon Web Services

Python library for managing AWS logs

In Amazon Web Services it’s possible to enable logging for the whole VPC (CloudTrail) or for various services provided by Amazon, like S3. These logs get stored in S3 buckets. They are generated every few minutes in the case of CloudTrail, or every few seconds in the case of S3. CloudTrail logs are somewhat easier to manage because they are grouped by day, but S3 logs are all stored in one “folder”, so after some time there can be tens of...

Read More

Monitor AWS VPN from Python

Short demo script in Python that monitors the VPN tunnels in Amazon Web Services. It queries the current state every 1.5 seconds in a loop and if the state changes it writes the new state to a log file. Needs the boto library. import sys import time import boto import boto.vpc region = “eu-west-1” # key and keyID can be specified here, or in a config file “”” #access_key_id =...

Read More

AWS permissions – S3

A set of permissions to be used on Amazon Web Services Simple Storage Service (AWS S3) buckets. Each of them should be attached to a different group. The set imitates the Unix permissions model (rwx), where x would be administrative access to the bucket. Read (download) access to objects in ‘bucket-name’. No write access and no access to bucket properties except as needed in order to navigate in AWS console (ListAllMyBuckets and...

Read More

AWS permissions – restrict access to S3 bucket based on IP

A bucket policy that will deny access to anyone not coming from the specified IP addresses. Used in combination with IAM groups that allow access to S3, the net result will be that users will be allowed the access given to the group they belong to, but only if they are coming from one of the IP address specified in this policy, which is going to be attached to the bucket. Using an “Allow” policy, like in Amazon’s example, would allow...

Read More

AWS permissions – own MFA

AWS IAM permissions to allow users to set up MFA devices for themselves. ${aws:username} restricts access to the logged on user only. “iam:ListUsers” allows them to navigate to their own user in Amazon’s console. To be used with groups that otherwise don’t have access to IAM or only have read-only access. {   “Version”: “2012-10-17”,   “Statement”: [     {       “Sid”:...

Read More