• SSH over AWS SSM

    There is a saying that something is more than the sum of its parts, meaning that it is the specific combination of things that makes it useful or valuable. But it can also be that one of those parts is especially useful on its own. Here is the one-liner, taken from its original context, that has saved me from a lot of trouble when I have needed remote access to EC2 instances.
  • Delegating IAM access with permission boundary

    Back in the day, when creating an AWS account was a lot of overhead, a common pattern was to have multiple teams share a single account. While it might have been possible (in theory) to write complex IAM policies that partition resources by application or team, one fundamental problem remained: once you granted the right to create an IAM policy or role, you effectively granted admin-level access to everything in the account, because the grantee could simply create a role with full permissions and assume it.
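    The fix the post title points at, as an added example that is not the author's own code: the team is allowed to create and change roles only when the request carries a specific permissions boundary, and nobody holding that delegation can edit or detach the boundary. Effective permissions of a team-created role are the intersection of its own policies and the boundary, so `iam:CreateRole` stops being a path to admin. Account id, policy names, group name and the `team-` role prefix are placeholders assumed here.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: delegating IAM role creation
# to a team while a permissions boundary caps what those roles can ever do.
# Assumed placeholder names: account 123456789012, boundary policy
# "team-boundary", delegated policy "team-iam-delegation", group "team-devs".

# 1. The boundary: the maximum permissions any team-created role can have.
#    A boundary grants nothing by itself; the role still needs its own
#    policies, and the effective permissions are the intersection of the two.
boundary_policy_json() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "TeamServiceScope",
      "Effect": "Allow",
      "Action": ["s3:*", "dynamodb:*", "lambda:*", "logs:*", "cloudwatch:*"],
      "Resource": "*" },
    { "Sid": "NeverIAM",
      "Effect": "Deny",
      "Action": ["iam:*", "organizations:*"],
      "Resource": "*" }
  ]
}
EOF
}

# 2. The delegated policy for the team's people: role writes are allowed only
#    when the request carries our boundary (iam:PermissionsBoundary condition
#    key), and the boundary policy itself can be neither edited nor removed.
delegated_policy_json() {
    boundary_arn="${1:?usage: delegated_policy_json BOUNDARY_ARN}"
    account="${boundary_arn#arn:aws:iam::}"   # account id parsed from the ARN
    account="${account%%:*}"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "CreateOrChangeRolesOnlyWithBoundary",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy",
        "iam:PutRolePolicy", "iam:DeleteRolePolicy",
        "iam:PutRolePermissionsBoundary"
      ],
      "Resource": "arn:aws:iam::${account}:role/team-*",
      "Condition": { "StringEquals": { "iam:PermissionsBoundary": "$boundary_arn" } } },
    { "Sid": "TeamRoleHousekeeping",
      "Effect": "Allow",
      "Action": ["iam:PassRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole"],
      "Resource": "arn:aws:iam::${account}:role/team-*" },
    { "Sid": "ReadAndCreateManagedPolicies",
      "Effect": "Allow",
      "Action": ["iam:CreatePolicy", "iam:GetPolicy", "iam:GetPolicyVersion",
                 "iam:ListRoles", "iam:ListPolicies", "iam:ListAttachedRolePolicies"],
      "Resource": "*" },
    { "Sid": "NoBoundaryPolicyEdit",
      "Effect": "Deny",
      "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                 "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
      "Resource": "$boundary_arn" },
    { "Sid": "NoBoundaryRemoval",
      "Effect": "Deny",
      "Action": ["iam:DeleteRolePermissionsBoundary", "iam:DeleteUserPermissionsBoundary"],
      "Resource": "*" }
  ]
}
EOF
}

# 3. Bootstrap with the AWS CLI (run by an admin, not invoked here). Order
#    matters: the boundary must exist before the delegation references it.
bootstrap_delegation() {
    account="${1:?account id}"
    boundary_arn="arn:aws:iam::${account}:policy/team-boundary"
    boundary_policy_json > /tmp/team-boundary.json
    delegated_policy_json "$boundary_arn" > /tmp/team-iam-delegation.json
    aws iam create-policy --policy-name team-boundary \
        --policy-document file:///tmp/team-boundary.json
    aws iam create-policy --policy-name team-iam-delegation \
        --policy-document file:///tmp/team-iam-delegation.json
    aws iam attach-group-policy --group-name team-devs \
        --policy-arn "arn:aws:iam::${account}:policy/team-iam-delegation"
}

# What the team can then do (trust.json is their service trust policy):
#   aws iam create-role --role-name team-api --assume-role-policy-document file://trust.json \
#       --permissions-boundary arn:aws:iam::123456789012:policy/team-boundary   # allowed
#   aws iam create-role --role-name team-api --assume-role-policy-document file://trust.json
#       # denied: no boundary on the request, so the Condition does not match
```

Two caveats a reviewer would check: the `iam:PassRole` grant is scoped to the `team-*` prefix, because PassRole on `*` would let the team hand an existing admin role to a service; and every path that could change or strip the boundary (`CreatePolicyVersion`, `SetDefaultPolicyVersion`, `DeleteRolePermissionsBoundary`) is an explicit Deny, since an Allow elsewhere cannot override it.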
  • Networking meets Agile Deployment

    You know the feeling: you get a new idea and would like to start building right away, and then run into the roadblock of getting IP addresses allocated for a new VPC. Unless you get a CIDR from the network team, it is likely that you will have to tear everything down and start from scratch later, when you want to connect to other services or internal networks. Or perhaps answering the question “how many IPs do you need?” simply isn’t possible yet, because you are still evaluating different architecture options. Would it be possible to get the best of both worlds: start independently, without risking future connectivity?

  • Do the CloudWatch Metric Math

    “CloudWatch Metric Math makes it easy to perform math analytics on your metrics to derive additional insights into the health and performance of your AWS resources and applications.”

  • Tunneling into VPC

    In Where is my bastion host? and EC2 Instance Connect vs. SSM Session Manager I wrote about how to connect to EC2 instances inside a VPC without running a bastion host exposed to the Internet, using the AWS API as the point of contact instead. While this arrangement has many advantages over running your own server or service, there is still one important use case it cannot cover.