• Delegating IAM access with permission boundary

    Back in the day, when creating an AWS account was a lot of overhead, a common pattern was to have multiple teams share a single account. While it might have been possible (in theory) to create complex IAM policies to compartmentalize resources by application or team, one fundamental problem remained: once you granted the right to create an IAM policy or role, you effectively granted admin-level access to everything in the account.
  • Networking meets Agile Deployment

    You know the feeling when you get a new idea and would like to start building right away, and then run into the roadblock of getting IP addresses allocated for a new VPC. Unless you get a CIDR from the network team, it is likely you will have to tear everything down and start from scratch later when you want to connect to other services or internal networks. Or simply answering the question “how many IPs do you need?” isn’t possible, because you are still evaluating different architecture options. Would it be possible to get the best of both worlds: start independently, without risking future connectivity?

  • Do the CloudWatch Metric Math

    “CloudWatch Metric Math makes it easy to perform math analytics on your metrics to derive additional insights into the health and performance of your AWS resources and applications.”

  • Tunneling into VPC

    In Where is my bastion host? and EC2 Instance Connect vs. SSM Session Manager I wrote about how to connect to EC2 instances inside a VPC without having to run a bastion host exposed to the Internet, using the AWS API as the contact point instead. While this arrangement has many advantages over running your own server/service, there is still one important use case it cannot cover.

  • Building a Custom Cloudformation Resource Type

    CloudFormation resource types are true first-class citizens, comparable to any AWS-provided resource. The major difference from custom resources is the deployment model: the AWS CloudFormation service takes care of executing the resource type code on your behalf, and the CloudFormation Registry handles sharing and consuming resource types across multiple projects.