
aws

AWS IAM Policy Simulator

How to Validate AWS IAM Policies with the AWS Policy Simulator: A Deep Dive

Introduction

A brief overview of the AWS Policy Simulator: an underutilised yet powerful tool that lets you verify the effect of IAM policies before deploying them.

It also covers why policy validation matters for enforcing the principle of least privilege, especially in environments with strict compliance requirements.

Hashcat on AWS NVIDIA GPU instances and password cracking, including performance benchmarks

Cracking Passwords with Hashcat - Performance Benchmarks and Security Implications

Important

DISCLAIMER - this is for educational purposes only! You are responsible for your own actions.

Alert

GPU instances can be expensive! Make sure you know, and can afford, the cost of the instances you are selecting.


Introduction

Hashcat is a widely-used, high-performance tool for cracking password hashes.

Its versatility across various platforms, including local machines and cloud instances, highlights how quickly seemingly complex passwords can be broken.

This post delves into the practical applications of Hashcat, explores password security risks, and presents benchmark comparisons between Apple's M1 chip and AWS GPU instances.

List all AWS VPCs or subnets with their tags, using jq

Example AWS CLI commands, with the output filtered using jq (https://jqlang.github.io/jq/).

This command lists all AWS VPCs in the account with their VpcId, CidrBlock and Tags (one output line per tag, because .Tags[] iterates the tag list).

aws ec2 describe-vpcs | jq -r '.Vpcs[] | "\(.VpcId) \t \(.CidrBlock) \t \(.Tags[])" '

It is also possible to "select" a specific tag by its Key.

aws ec2 describe-vpcs | jq -r '.Vpcs[] | "\(.VpcId) \t \(.CidrBlock) \t \(.Tags[] | select(.Key == "Application") | .Value)" '

Example: select the VPC Name tag and sort by VPC name. The name is the third whitespace-separated field of the output, so the sort key is -k3 (the original -nk2 sorted numerically on the CidrBlock column instead).

aws ec2 describe-vpcs | jq -r '.Vpcs[] | "\(.VpcId) \t \(.CidrBlock) \t \(.Tags[] | select(.Key == "Name")| .Value)" ' | sort -k3

documentation for https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-vpcs.html


List all subnets with the tag .Key / .Value data that I picked.

The sort -nk5 at the end puts the subnet with the fewest available IPs first, taken from .AvailableIpAddressCount (the fifth field; sort -n reads the leading digits and ignores the trailing semicolon).

aws ec2 describe-subnets | jq -r '.Subnets[] | "\(.AvailabilityZone); \(.AvailabilityZoneId); \(.VpcId); \(.CidrBlock); \t \(.AvailableIpAddressCount); \t \(.Tags[] | select(.Key == "Name")| .Value)  "  ' | sort -nk5

documentation for https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-subnets.html
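The same subnet inventory done in Python with only the standard library, as an added example that is not part of the original post. It parses a constructed sample shaped like the `aws ec2 describe-subnets` output and goes one step further than the jq one-liner: a subnet with no Name tag is kept and labelled `<untagged>` instead of being silently dropped by `select(.Key == "Name")`, and a subnet with no `Tags` key at all (which makes `.Tags[]` fail with "Cannot iterate over null") is handled too. The sample data and the function names are mine.

```python
import json

# Constructed sample shaped like `aws ec2 describe-subnets` output (not real data).
# The third subnet has no Name tag and the fourth has no Tags key at all.
SAMPLE_DESCRIBE_SUBNETS = json.dumps({
    "Subnets": [
        {"AvailabilityZone": "eu-west-2a", "AvailabilityZoneId": "euw2-az2",
         "VpcId": "vpc-0aaa", "CidrBlock": "10.0.0.0/24", "AvailableIpAddressCount": 251,
         "Tags": [{"Key": "Name", "Value": "app-a"}, {"Key": "Application", "Value": "web"}]},
        {"AvailabilityZone": "eu-west-2b", "AvailabilityZoneId": "euw2-az3",
         "VpcId": "vpc-0aaa", "CidrBlock": "10.0.1.0/24", "AvailableIpAddressCount": 12,
         "Tags": [{"Key": "Name", "Value": "app-b"}]},
        {"AvailabilityZone": "eu-west-2c", "AvailabilityZoneId": "euw2-az1",
         "VpcId": "vpc-0bbb", "CidrBlock": "10.1.0.0/28", "AvailableIpAddressCount": 3,
         "Tags": [{"Key": "Application", "Value": "db"}]},
        {"AvailabilityZone": "eu-west-2a", "AvailabilityZoneId": "euw2-az2",
         "VpcId": "vpc-0bbb", "CidrBlock": "10.1.1.0/24", "AvailableIpAddressCount": 200},
    ]
})


def tag_value(resource, key, default="<untagged>"):
    """Return the value of tag `key`, tolerating a missing Tags list or a missing key."""
    for tag in resource.get("Tags") or []:
        if tag.get("Key") == key:
            return tag.get("Value", default)
    return default


def subnets_by_free_ips(describe_output, tag_key="Name"):
    """Parse describe-subnets JSON and return rows sorted by fewest available IPs first.

    Row layout mirrors the jq one-liner: AZ, AZ id, VpcId, CidrBlock, free IPs, tag value.
    """
    subnets = json.loads(describe_output)["Subnets"]
    rows = [
        (s["AvailabilityZone"], s["AvailabilityZoneId"], s["VpcId"], s["CidrBlock"],
         int(s["AvailableIpAddressCount"]), tag_value(s, tag_key))
        for s in subnets
    ]
    return sorted(rows, key=lambda r: r[4])


def subnets_with_tag(describe_output, key, value):
    """Equivalent of `select(.Key == key)` plus a value match, e.g. Application == "web"."""
    subnets = json.loads(describe_output)["Subnets"]
    return [s["CidrBlock"] for s in subnets if tag_value(s, key, None) == value]


def format_rows(rows):
    """Render rows the way the shell pipeline does: '; '-separated columns."""
    return "\n".join("; ".join(str(c) for c in r) for r in rows)


if __name__ == "__main__":
    print(format_rows(subnets_by_free_ips(SAMPLE_DESCRIBE_SUBNETS)))
    print(subnets_with_tag(SAMPLE_DESCRIBE_SUBNETS, "Application", "web"))
```

To run it against a live account, replace `SAMPLE_DESCRIBE_SUBNETS` with the text of `aws ec2 describe-subnets` (for example read from a file); the parsing and sorting are unchanged.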


Next, why not rotate through other AWS accounts in the Org if you have them?! and rotate through regions?! :)

I have been there, done that, so leave the challenge for you :)


Happy learning,

Antonio Feijao UK

aws sts decode-authorization-message

Decoding the aws sts decode-authorization-message

I included jq and tr commands to "clean up" and make the decoded message easier to read.

Notes:
  • One of the commands is jq, which usually isn't installed by default on some OSes; keep that in mind in case you need to install it.
  • You need the sts permission to run the decode command: sts:DecodeAuthorizationMessage

  • TIP - I put the encoded message in a variable, which makes the aws sts decode-authorization-message command easier to read.

enc_message="akjhkajshdkjahsdkjhakjshdais8duas8d7a98sd7a9s87da....example...." #replace with your encoded message

aws sts decode-authorization-message --encoded-message ${enc_message} | jq '.DecodedMessage' | tr -d '\\' | tr ',' '\n'
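The reason the raw output needs the tr clean-up is that DecodedMessage is itself a JSON document serialised as a string inside the outer JSON. As an added example (not from the original post), here is the same unwrapping in Python, followed by a summary of the fields that matter when working out why a request was denied. The response is a constructed sample whose field names follow the documented decoded-message layout (allowed, explicitDeny, matchedStatements, failures, context); the principal, action and resource values are made up, and the function names are mine.

```python
import json

# Constructed sample shaped like the `aws sts decode-authorization-message` response.
# DecodedMessage is a JSON string nested inside the outer JSON (hence json.dumps twice).
SAMPLE_RESPONSE = json.dumps({
    "DecodedMessage": json.dumps({
        "allowed": False,
        "explicitDeny": False,
        "matchedStatements": {"items": []},
        "failures": {"items": []},
        "context": {
            "principal": {
                "id": "AROAEXAMPLEID:session-name",
                "arn": "arn:aws:sts::111122223333:assumed-role/ExampleRole/session-name",
            },
            "action": "ec2:RunInstances",
            "resource": "arn:aws:ec2:eu-west-2:111122223333:instance/*",
            "conditions": {"items": [
                {"key": "aws:Region", "values": {"items": [{"value": "eu-west-2"}]}},
            ]},
        },
    })
})


def decode_authorization_message(response_json):
    """Unwrap the JSON string held in DecodedMessage into a Python dict."""
    outer = json.loads(response_json)
    return json.loads(outer["DecodedMessage"])


def summarise(decoded):
    """Reduce the decoded message to the fields needed to explain a denial."""
    ctx = decoded.get("context", {})
    if decoded.get("explicitDeny"):
        reason = "explicit deny"
    elif not decoded.get("allowed", False):
        reason = "implicit deny (no matching Allow)"
    else:
        reason = "allowed"
    conditions = {
        c["key"]: [v["value"] for v in c.get("values", {}).get("items", [])]
        for c in ctx.get("conditions", {}).get("items", [])
    }
    return {
        "reason": reason,
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "matched_statements": len(decoded.get("matchedStatements", {}).get("items", [])),
        "conditions": conditions,
    }


if __name__ == "__main__":
    print(json.dumps(summarise(decode_authorization_message(SAMPLE_RESPONSE)), indent=2))
```

With a real response, pipe the CLI output into the script instead of using the sample; the distinction between an explicit deny and an implicit deny tells you whether to look for a Deny statement (or an SCP) or for a missing Allow.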

Further reading from the AWS documentation:


Happy learning,

Antonio Feijao UK

AWS CLI command-line script - How to automatically delete the Default-VPCs in all AWS regions

AWS CLI command-line script to automatically delete all Default-VPCs in all AWS regions.

The script needs to have enough permissions to run the actions.

The script will fail if there are other dependencies than the ones dealt with in the script.


linux-bash-script

USE AT YOUR OWN RISK

#!/bin/bash

## uncomment to see the commands as they are executed.
#set -x

## gets a list of all AWS regions.
## --all-regions also returns regions that are not enabled for the account; the
## describe-vpcs call fails in those, which is why its stderr is discarded below.

LIST_OF_REGIONS=$(aws ec2 describe-regions --all-regions --query "Regions[].{Name:RegionName}" --output text)

## for-loop to cycle through all regions

for REGION in ${LIST_OF_REGIONS}; do
    echo "---------"
    echo "Region: ${REGION}"

    ## ask only for the default VPC. Querying every VPC and trimming the output would
    ## mis-detect a region that has custom VPCs but no default VPC.
    VPCID=$(aws ec2 describe-vpcs --region "${REGION}" --filters "Name=is-default,Values=true" --query "Vpcs[].VpcId" --output text 2>/dev/null)
    if [ -z "${VPCID}" ];
        then
            echo "NULL - No Default-VPC in the region: ${REGION}"
        else
            echo "Not NULL - There is a Default-VPC in the region: ${REGION}"
            ##
            ## --- use AT YOUR OWN RISK ---
            ##
            ## Uncomment the `aws ec2 ...` lines below to delete the default VPC in all regions.
            ## The script still needs to have enough permission to run the commands.
            ##

            echo "${REGION} : ${VPCID}"

            ## We need to detach AND delete the correct Internet Gateway (IGW), before we can delete the Default-VPC.

            IGW=$(aws ec2 describe-internet-gateways --region "${REGION}" --filters "Name=attachment.vpc-id,Values=${VPCID}" --query 'InternetGateways[].InternetGatewayId' --output text)

            ## IF IGW exists, then detach and delete the IGW from the Default-VPC
            if [ -z "${IGW}" ];
                then
                    echo "NULL - IGW already removed."
                else
                    echo "Removing and deleting the IGW: ${IGW}, from the Default-VPC: ${VPCID}."
                    #aws ec2 detach-internet-gateway --region "${REGION}" --internet-gateway-id "${IGW}" --vpc-id "${VPCID}"
                    #aws ec2 delete-internet-gateway --region "${REGION}" --internet-gateway-id "${IGW}"
            fi

            ## From my own experience, also need to delete any subnets associated with the Default-VPC.

            LIST_OF_SUBNETS=$(aws ec2 describe-subnets --region "${REGION}" --filters "Name=vpc-id,Values=${VPCID}" --query "Subnets[*].[SubnetId]" --output text)

            echo "List of subnets on the Default-VPC: ${LIST_OF_SUBNETS}"

            ## a for-loop whose body is only a comment is a bash syntax error, so the echo
            ## stays in place even while the delete line is commented out.
            for SUBNET in ${LIST_OF_SUBNETS}; do
                echo "Subnet on the Default-VPC: ${SUBNET}"
                #aws ec2 delete-subnet --region "${REGION}" --subnet-id "${SUBNET}"
            done

            ## Finally, delete the Default-VPC.

            #aws ec2 delete-vpc --vpc-id "${VPCID}" --region "${REGION}" 2>/dev/null && echo "Default-VPC removed successfully." || echo "Something is still not right..."
    fi

done

aws-documentation


Happy learning,

Antonio Feijao UK

AWS boto3 credentials, boto3 session, and the boto3 clients available in Python for the region the session was created in.

About AWS credentials, boto3.session, listing the available boto3 clients in python3, and loading and accessing AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

Documentation here https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html.

My notes below.


aws-boto3-session

Example of AWS boto session credentials.

import boto3

help(boto3.session.Session)
Output of help(...):
Help on class Session in module boto3.session:

class Session(builtins.object)
 |  Session(aws_access_key_id=None, aws_secret_access_key=None, aws_session_token=None, region_name=None, botocore_session=None, profile_name=None)
 |
 |  A session stores configuration state and allows you to create service
 |  clients and resources.
 |
 |  :type aws_access_key_id: string
 |  :param aws_access_key_id: AWS access key ID
 |  :type aws_secret_access_key: string
 |  :param aws_secret_access_key: AWS secret access key
 |  :type aws_session_token: string
 |  :param aws_session_token: AWS temporary session token
 |  :type region_name: string
 |  :param region_name: Default region when creating new connections
 |  :type botocore_session: botocore.session.Session
 |  :param botocore_session: Use this Botocore session instead of creating
 |                           a new default one.
 |  :type profile_name: string
 |  :param profile_name: The name of a profile to use. If not given, then
 |                       the default profile is used.
 |
 |  Methods defined here:
 
 (...)

creating-aws-boto3-session-with-aws-access-keys-secret-access-key-and-token

In this method, you pass the access key ID, secret access key and session token explicitly. Read them from environment variables rather than hard-coding credentials in the script.

import os

session = boto3.session.Session(
    aws_access_key_id     = os.environ["AWS_ACCESS_KEY_ID"],
    aws_secret_access_key = os.environ["AWS_SECRET_ACCESS_KEY"],
    aws_session_token     = os.environ.get("AWS_SESSION_TOKEN"),
    region_name='eu-west-2',
    botocore_session=None,
    profile_name=None
)

In this method, the boto3 session looks for credentials in several locations, in the predefined order described in the documentation https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html.

session = boto3.session.Session(
    region_name='eu-west-2'
)
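As an added example (not from the original post), here is a small helper that loads the three variables from the environment and checks their shape before creating the session: both key variables must be set, and a temporary access key (the ASIA prefix, as opposed to AKIA for long-term IAM user keys) must come with AWS_SESSION_TOKEN, otherwise boto3 will fail only later with a confusing signature error. The function names are mine, the sample values are AWS's documented example key pair plus a constructed ASIA key, and boto3 is imported lazily inside build_session so the checks work even where boto3 is not installed.

```python
import os

REQUIRED = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")


def credential_kind(key_id):
    """Classify an access key ID by its documented prefix."""
    if key_id.startswith("ASIA"):
        return "temporary"      # STS credentials: always paired with a session token
    if key_id.startswith("AKIA"):
        return "long-term"      # IAM user key: prefer temporary credentials where possible
    return "unknown"


def credential_problems(env):
    """Return a list of problems with the credential variables in `env` (empty list = OK)."""
    problems = [f"{k} is not set" for k in REQUIRED if not env.get(k)]
    key_id = env.get("AWS_ACCESS_KEY_ID", "")
    if credential_kind(key_id) == "temporary" and not env.get("AWS_SESSION_TOKEN"):
        problems.append("temporary key (ASIA...) needs AWS_SESSION_TOKEN")
    return problems


def load_credentials(environ=None):
    """Build the keyword arguments boto3.session.Session expects, from the environment."""
    env = os.environ if environ is None else environ
    problems = credential_problems(env)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "aws_access_key_id": env["AWS_ACCESS_KEY_ID"],
        "aws_secret_access_key": env["AWS_SECRET_ACCESS_KEY"],
        "aws_session_token": env.get("AWS_SESSION_TOKEN"),  # None is fine for AKIA keys
    }


def build_session(region_name, environ=None):
    """Create a boto3 session from checked environment credentials (hypothetical helper)."""
    import boto3  # imported lazily so the checks above run without boto3 installed
    return boto3.session.Session(region_name=region_name, **load_credentials(environ))


# Constructed environments: AWS's documented example key pair, and a made-up ASIA key.
EXAMPLE_LONG_TERM = {
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}
EXAMPLE_TEMP_NO_TOKEN = {
    "AWS_ACCESS_KEY_ID": "ASIAEXAMPLETEMPKEY00",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}

if __name__ == "__main__":
    print("long-term key problems:", credential_problems(EXAMPLE_LONG_TERM))
    print("temporary key without token:", credential_problems(EXAMPLE_TEMP_NO_TOKEN))
    # with real variables exported, build_session('eu-west-2') returns a usable session
```

Once `build_session('eu-west-2')` succeeds, `session.get_available_services()` gives the same list as in the post; the point of the checks is to fail fast, with a clear message, before any API call is signed.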

using-the-session-list-available-clients

services = session.get_available_services()

print(services)
['accessanalyzer', 'account', 'acm', 'acm-pca', 'alexaforbusiness', 'amp', 'amplify', 'amplifybackend', 'amplifyuibuilder', 'apigateway', 'apigatewaymanagementapi', 'apigatewayv2', 'appconfig', 'appconfigdata', 'appflow', 'appintegrations', 'application-autoscaling', 'application-insights', 'applicationcostprofiler', 'appmesh', 'apprunner', 'appstream', 'appsync', 'arc-zonal-shift', 'athena', 'auditmanager', 'autoscaling', 'autoscaling-plans', 'backup', 'backup-gateway', 'backupstorage', 'batch', 'billingconductor', 'braket', 'budgets', 'ce', 'chime', 'chime-sdk-identity', 'chime-sdk-media-pipelines', 'chime-sdk-meetings', 'chime-sdk-messaging', 'chime-sdk-voice', 'cleanrooms', 'cloud9', 'cloudcontrol', 'clouddirectory', 'cloudformation', 'cloudfront', 'cloudhsm', 'cloudhsmv2', 'cloudsearch', 'cloudsearchdomain', 'cloudtrail', 'cloudtrail-data', 'cloudwatch', 'codeartifact', 'codebuild', 'codecatalyst', 'codecommit', 'codedeploy', 'codeguru-reviewer', 'codeguru-security', 'codeguruprofiler', 'codepipeline', 'codestar', 'codestar-connections', 'codestar-notifications', 'cognito-identity', 'cognito-idp', 'cognito-sync', 'comprehend', 'comprehendmedical', 'compute-optimizer', 'config', 'connect', 'connect-contact-lens', 'connectcampaigns', 'connectcases', 'connectparticipant', 'controltower', 'cur', 'customer-profiles', 'databrew', 'dataexchange', 'datapipeline', 'datasync', 'dax', 'detective', 'devicefarm', 'devops-guru', 'directconnect', 'discovery', 'dlm', 'dms', 'docdb', 'docdb-elastic', 'drs', 'ds', 'dynamodb', 'dynamodbstreams', 'ebs', 'ec2', 'ec2-instance-connect', 'ecr', 'ecr-public', 'ecs', 'efs', 'eks', 'elastic-inference', 'elasticache', 'elasticbeanstalk', 'elastictranscoder', 'elb', 'elbv2', 'emr', 'emr-containers', 'emr-serverless', 'es', 'events', 'evidently', 'finspace', 'finspace-data', 'firehose', 'fis', 'fms', 'forecast', 'forecastquery', 'frauddetector', 'fsx', 'gamelift', 'gamesparks', 'glacier', 'globalaccelerator', 'glue', 'grafana', 
'greengrass', 'greengrassv2', 'groundstation', 'guardduty', 'health', 'healthlake', 'honeycode', 'iam', 'identitystore', 'imagebuilder', 'importexport', 'inspector', 'inspector2', 'internetmonitor', 'iot', 'iot-data', 'iot-jobs-data', 'iot-roborunner', 'iot1click-devices', 'iot1click-projects', 'iotanalytics', 'iotdeviceadvisor', 'iotevents', 'iotevents-data', 'iotfleethub', 'iotfleetwise', 'iotsecuretunneling', 'iotsitewise', 'iotthingsgraph', 'iottwinmaker', 'iotwireless', 'ivs', 'ivs-realtime', 'ivschat', 'kafka', 'kafkaconnect', 'kendra', 'kendra-ranking', 'keyspaces', 'kinesis', 'kinesis-video-archived-media', 'kinesis-video-media', 'kinesis-video-signaling', 'kinesis-video-webrtc-storage', 'kinesisanalytics', 'kinesisanalyticsv2', 'kinesisvideo', 'kms', 'lakeformation', 'lambda', 'lex-models', 'lex-runtime', 'lexv2-models', 'lexv2-runtime', 'license-manager', 'license-manager-linux-subscriptions', 'license-manager-user-subscriptions', 'lightsail', 'location', 'logs', 'lookoutequipment', 'lookoutmetrics', 'lookoutvision', 'm2', 'machinelearning', 'macie', 'macie2', 'managedblockchain', 'marketplace-catalog', 'marketplace-entitlement', 'marketplacecommerceanalytics', 'mediaconnect', 'mediaconvert', 'medialive', 'mediapackage', 'mediapackage-vod', 'mediapackagev2', 'mediastore', 'mediastore-data', 'mediatailor', 'memorydb', 'meteringmarketplace', 'mgh', 'mgn', 'migration-hub-refactor-spaces', 'migrationhub-config', 'migrationhuborchestrator', 'migrationhubstrategy', 'mobile', 'mq', 'mturk', 'mwaa', 'neptune', 'network-firewall', 'networkmanager', 'nimble', 'oam', 'omics', 'opensearch', 'opensearchserverless', 'opsworks', 'opsworkscm', 'organizations', 'osis', 'outposts', 'panorama', 'payment-cryptography', 'payment-cryptography-data', 'personalize', 'personalize-events', 'personalize-runtime', 'pi', 'pinpoint', 'pinpoint-email', 'pinpoint-sms-voice', 'pinpoint-sms-voice-v2', 'pipes', 'polly', 'pricing', 'privatenetworks', 'proton', 'qldb', 'qldb-session', 
'quicksight', 'ram', 'rbin', 'rds', 'rds-data', 'redshift', 'redshift-data', 'redshift-serverless', 'rekognition', 'resiliencehub', 'resource-explorer-2', 'resource-groups', 'resourcegroupstaggingapi', 'robomaker', 'rolesanywhere', 'route53', 'route53-recovery-cluster', 'route53-recovery-control-config', 'route53-recovery-readiness', 'route53domains', 'route53resolver', 'rum', 's3', 's3control', 's3outposts', 'sagemaker', 'sagemaker-a2i-runtime', 'sagemaker-edge', 'sagemaker-featurestore-runtime', 'sagemaker-geospatial', 'sagemaker-metrics', 'sagemaker-runtime', 'savingsplans', 'scheduler', 'schemas', 'sdb', 'secretsmanager', 'securityhub', 'securitylake', 'serverlessrepo', 'service-quotas', 'servicecatalog', 'servicecatalog-appregistry', 'servicediscovery', 'ses', 'sesv2', 'shield', 'signer', 'simspaceweaver', 'sms', 'sms-voice', 'snow-device-management', 'snowball', 'sns', 'sqs', 'ssm', 'ssm-contacts', 'ssm-incidents', 'ssm-sap', 'sso', 'sso-admin', 'sso-oidc', 'stepfunctions', 'storagegateway', 'sts', 'support', 'support-app', 'swf', 'synthetics', 'textract', 'timestream-query', 'timestream-write', 'tnb', 'transcribe', 'transfer', 'translate', 'verifiedpermissions', 'voice-id', 'vpc-lattice', 'waf', 'waf-regional', 'wafv2', 'wellarchitected', 'wisdom', 'workdocs', 'worklink', 'workmail', 'workmailmessageflow', 'workspaces', 'workspaces-web', 'xray']

import-pretty-print-pprint-as-pp-for-list-output

```py
from pprint import pprint as pp

pp(session.get_available_services())
```


Happy learning,

Antonio Feijao UK

AWS Console information. Reading the aws-userInfo cookie to display it, alert on it, or anything else you want.
For example, include a banner on your AWS console that highlights when you are logged in with the "AWS Administrator" role.
This can then be used in various applications.


Sample code (a bookmarklet) that "grabs" the userInfo cookie and creates a banner alert:

javascript:(function () {
    function fullDecode (input) {
        let decoded = decodeURIComponent(input);
        return (decoded == input ? decoded : fullDecode(decoded))
    };
    let userInfo = document.cookie.replace(/(?:(?:^|.*;\s*)aws-userInfo\s*\=\s*([^;]*).*$)|^.*$/, "$1");
    alert(JSON.stringify(JSON.parse(fullDecode(userInfo)), null, 4))
})();

source code https://gist.github.com/ajkerrigan/0e2348d4ed960409b462e8aaca230d36


Sample code that "grabs" the userInfo cookie and outputs it in the browser console:

let userInfo = document.cookie.replace(/(?:(?:^|.*;\s*)aws-userInfo\s*\=\s*([^;]*).*$)|^.*$/, "$1");
let decoded = decodeURIComponent(userInfo);
console.log(JSON.stringify(JSON.parse(decoded), null, 1));

TBC...


Happy learning,

Antonio Feijao UK

AWS advanced networking playing with AWS Gateway Load balancer

AWS advanced networking, playing with AWS Gateway Load balancer (GWLB).

tag: workshop-gwlb

possible-source

  • https://catalog.workshops.aws/networking/en-US/gwlb

documents-info-blog-posts

https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-gateway-load-balancer-supported-architecture-patterns/

https://aws.amazon.com/elasticloadbalancing/gateway-load-balancer/

poc-with-aws-gateway-load-balancer-gwlb

Proof of concept with AWS Gateway Load Balancer (GWLB), run on the appliance instance behind the GWLB.

cd /tmp

## instance identity document and metadata from IMDS
curl --silent http://169.254.169.254/latest/dynamic/instance-identity/document > /home/ec2-user/iid;

export instance_interface=$(curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/);

export instance_vpcid=$(curl --silent http://169.254.169.254/latest/meta-data/network/interfaces/macs/$instance_interface/vpc-id);

## the awk -F'"' step strips the JSON quotes, so the value can be passed to jq with --arg
export instance_az=$(grep 'availability' /home/ec2-user/iid | awk -F': ' '{print $2}' | awk -F',' '{print $1}' | awk -F'"' '{print $2}');

export instance_ip=$(grep 'privateIp' /home/ec2-user/iid | awk -F': ' '{print $2}' | awk -F',' '{print $1}' | awk -F'"' '{print $2}');

export instance_region=$(grep 'region' /home/ec2-user/iid | awk -F': ' '{print $2}' | awk -F',' '{print $1}' | awk -F'"' '{print $2}');

## private IP of the GWLB network interface in this instance's AZ
## (the AZ goes in via --arg instead of relying on quotes embedded in the shell variable)
export gwlb_ip=$(aws --region $instance_region ec2 describe-network-interfaces --filters Name=vpc-id,Values=$instance_vpcid | jq -r --arg az "$instance_az" '.NetworkInterfaces[] | select(.AvailabilityZone==$az) | select(.InterfaceType=="gateway_load_balancer") | .PrivateIpAddress');

## Start httpd and configure index.html
systemctl start httpd;
touch /var/www/html/index.html;
echo > /var/www/html/index.html;
echo "<html>" >> /var/www/html/index.html
echo "  <head>" >> /var/www/html/index.html
echo "    <title>Gateway Load Balancer POC</title>" >> /var/www/html/index.html
echo "    <meta http-equiv='Content-Type' content='text/html; charset=ISO-8859-1'>" >> /var/www/html/index.html
echo "  </head>" >> /var/www/html/index.html
echo "  <body>" >> /var/www/html/index.html
echo "    <h1>Welcome to Gateway Load Balancer POC:</h1>" >> /var/www/html/index.html
echo "  </body>" >> /var/www/html/index.html
echo "</html>" >> /var/www/html/index.html

## Start and configure iptables
systemctl enable iptables;
systemctl start iptables;

## Configuration below allows all traffic.
## Set the default policies for each of the built-in chains to ACCEPT:
iptables -P INPUT ACCEPT;
iptables -P FORWARD ACCEPT;
iptables -P OUTPUT ACCEPT;

## Flush the nat and mangle tables, flush all chains (-F), and delete all non-default chains (-X):
iptables -t nat -F;
iptables -t mangle -F;
iptables -F;
iptables -X;

## Configure the nat table to hairpin GENEVE (UDP 6081) traffic back to the GWLB
iptables -t nat -A PREROUTING -p udp -s $gwlb_ip -d $instance_ip -i eth0 -j DNAT --to-destination $gwlb_ip:6081;
iptables -t nat -A POSTROUTING -p udp --dport 6081 -s $gwlb_ip -d $gwlb_ip -o eth0 -j MASQUERADE;

## Save iptables and show the result
service iptables save;

iptables -L -n
    

antonio-feijao-uk

Thank you, and happy learning.

Antonio Feijao UK

AWS Route53 Domains via the AWS CLI with aws route53 list-prices

AWS Route53 Domains via the AWS CLI with aws route53 list-prices

ReadOnly role is enough to run these commands.

getting-the-results-aws-route53domains-list-prices

I redirected the API results into a local text file so I can work with the file much quicker locally.

the --region=us-east-1 is only needed if your default region is not us-east-1.

aws route53domains list-prices --region=us-east-1 > 2023-02-17-prices-as-of-this-date.txt

result-from-query-for-aws-route53-list-prices

Initially I was getting null results for some queries on RegistrationPrice,
so I checked the differences between the jq values and realised that not all domains have a RegistrationPrice value.

So I went with the output from RenewalPrice, as that seemed to match the value on the AWS console.

See if you can spot the difference in the counts below :)

cat 2023-02-17-prices-as-of-this-date.txt | jq -r '.Prices[]' | egrep "RegistrationPrice|TransferPrice|RenewalPrice|ChangeOwnershipPrice|RestorationPrice" | cut -f 2 -d '"' | sort | uniq -c | sort -n
 302 RegistrationPrice
 302 TransferPrice
 315 RestorationPrice
 316 ChangeOwnershipPrice
 316 RenewalPrice

aws-domains-price-from-cheapest-to-the-most-expensive

aws route53domains list-prices --region=us-east-1 | jq -r '.Prices[] | "\(.RenewalPrice.Price) USD;\t .\(.Name)  "' | sort | uniq | sort -n

3 USD;	 .click
5 USD;	 .link
8 USD;	 .me.uk
9 USD;	 .be
9 USD;	 .co.uk
9 USD;	 .de
9 USD;	 .name
9 USD;	 .org.uk
9 USD;	 .uk
10 USD;	 .cz
10 USD;	 .es
10 USD;	 .nl
10 USD;	 .pictures
11 USD;	 .net
12 USD;	 .academy
12 USD;	 .boutique
12 USD;	 .cc
12 USD;	 .consulting
12 USD;	 .fr
12 USD;	 .futbol
12 USD;	 .life
12 USD;	 .live
12 USD;	 .media
12 USD;	 .news
12 USD;	 .org
12 USD;	 .rocks
12 USD;	 .services
12 USD;	 .social
12 USD;	 .solutions
12 USD;	 .studio
12 USD;	 .world
13 USD;	 .audio
13 USD;	 .ca
13 USD;	 .ch
13 USD;	 .co.za
13 USD;	 .com
13 USD;	 .eu
13 USD;	 .juegos
13 USD;	 .xyz
15 USD;	 .au
15 USD;	 .com.au
15 USD;	 .in
15 USD;	 .it
15 USD;	 .net.au
15 USD;	 .onl
15 USD;	 .qpon
15 USD;	 .uno
15 USD;	 .us
15 USD;	 .website
16 USD;	 .club
16 USD;	 .help
16 USD;	 .lol
16 USD;	 .photo
16 USD;	 .pics
17 USD;	 .rip
18 USD;	 .business
18 USD;	 .company
18 USD;	 .ninja
19 USD;	 .agency
19 USD;	 .biz
19 USD;	 .city
19 USD;	 .diet
19 USD;	 .exposed
19 USD;	 .football
19 USD;	 .gifts
19 USD;	 .gratis
19 USD;	 .im
19 USD;	 .network
19 USD;	 .reisen
19 USD;	 .report
19 USD;	 .schule
19 USD;	 .supplies
19 USD;	 .supply
20 USD;	 .fyi
20 USD;	 .gift
20 USD;	 .run
20 USD;	 .soccer
21 USD;	 .center
21 USD;	 .directory
21 USD;	 .education
21 USD;	 .equipment
21 USD;	 .gallery
21 USD;	 .graphics
21 USD;	 .institute
21 USD;	 .international
21 USD;	 .lighting
21 USD;	 .management
21 USD;	 .photography
21 USD;	 .photos
21 USD;	 .support
21 USD;	 .systems
21 USD;	 .technology
21 USD;	 .tips
21 USD;	 .today
22 USD;	 .band
22 USD;	 .blue
22 USD;	 .dance
22 USD;	 .kim
22 USD;	 .moda
22 USD;	 .pink
22 USD;	 .pub
22 USD;	 .red
22 USD;	 .reviews
22 USD;	 .shiksha
22 USD;	 .video
23 USD;	 .info
23 USD;	 .se
24 USD;	 .co.nz
24 USD;	 .fi
24 USD;	 .net.nz
24 USD;	 .org.nz
25 USD;	 .cloud
25 USD;	 .co
25 USD;	 .email
25 USD;	 .flowers
25 USD;	 .guru
25 USD;	 .me
25 USD;	 .online
25 USD;	 .pro
27 USD;	 .training
28 USD;	 .wedding
29 USD;	 .associates
29 USD;	 .auction
29 USD;	 .cards
29 USD;	 .care
29 USD;	 .cash
29 USD;	 .catering
29 USD;	 .chat
29 USD;	 .church
29 USD;	 .community
29 USD;	 .deals
29 USD;	 .digital
29 USD;	 .direct
29 USD;	 .discount
29 USD;	 .exchange
29 USD;	 .fail
29 USD;	 .fish
29 USD;	 .fitness
29 USD;	 .forsale
29 USD;	 .gripe
29 USD;	 .guide
29 USD;	 .haus
29 USD;	 .hosting
29 USD;	 .immo
29 USD;	 .industries
29 USD;	 .ink
29 USD;	 .limited
29 USD;	 .money
29 USD;	 .parts
29 USD;	 .place
29 USD;	 .property
29 USD;	 .republican
29 USD;	 .sale
29 USD;	 .sarl
29 USD;	 .school
29 USD;	 .style
29 USD;	 .tools
29 USD;	 .town
29 USD;	 .trade
29 USD;	 .vision
29 USD;	 .wtf
30 USD;	 .bargains
30 USD;	 .cheap
30 USD;	 .cool
30 USD;	 .democrat
30 USD;	 .events
30 USD;	 .foundation
30 USD;	 .guitars
30 USD;	 .immobilien
30 USD;	 .kaufen
30 USD;	 .mobi
30 USD;	 .productions
30 USD;	 .properties
30 USD;	 .rentals
30 USD;	 .ruhr
30 USD;	 .singles
30 USD;	 .wiki
30 USD;	 .works
31 USD;	 .cafe
31 USD;	 .express
31 USD;	 .loan
31 USD;	 .mba
31 USD;	 .plus
31 USD;	 .show
31 USD;	 .team
32 USD;	 .bike
32 USD;	 .builders
32 USD;	 .cab
32 USD;	 .clothing
32 USD;	 .coffee
32 USD;	 .computer
32 USD;	 .construction
32 USD;	 .contractors
32 USD;	 .domains
32 USD;	 .enterprises
32 USD;	 .estate
32 USD;	 .farm
32 USD;	 .florist
32 USD;	 .house
32 USD;	 .kiwi
32 USD;	 .land
32 USD;	 .marketing
32 USD;	 .repair
32 USD;	 .tv
32 USD;	 .zone
33 USD;	 .vc
34 USD;	 .com.mx
35 USD;	 .careers
35 USD;	 .codes
35 USD;	 .diamonds
35 USD;	 .holdings
35 USD;	 .holiday
35 USD;	 .recipes
35 USD;	 .vacations
35 USD;	 .vg
36 USD;	 .irish
36 USD;	 .ru
37 USD;	 .buzz
37 USD;	 .watch
39 USD;	 .sexy
43 USD;	 .mortgage
46 USD;	 .camera
46 USD;	 .camp
46 USD;	 .cleaning
46 USD;	 .dog
46 USD;	 .glass
46 USD;	 .kitchen
46 USD;	 .plumbing
46 USD;	 .shoes
46 USD;	 .solar
46 USD;	 .toys
47 USD;	 .apartments
47 USD;	 .bingo
47 USD;	 .capital
47 USD;	 .claims
47 USD;	 .clinic
47 USD;	 .coach
47 USD;	 .com.sg
47 USD;	 .delivery
47 USD;	 .dental
47 USD;	 .engineering
47 USD;	 .finance
47 USD;	 .financial
47 USD;	 .fund
47 USD;	 .furniture
47 USD;	 .healthcare
47 USD;	 .insure
47 USD;	 .lease
47 USD;	 .legal
47 USD;	 .memorial
47 USD;	 .pizza
47 USD;	 .restaurant
47 USD;	 .sg
47 USD;	 .surgery
47 USD;	 .tattoo
47 USD;	 .tax
47 USD;	 .tennis
47 USD;	 .university
47 USD;	 .ventures
47 USD;	 .villas
49 USD;	 .condos
49 USD;	 .cruises
49 USD;	 .dating
49 USD;	 .expert
49 USD;	 .flights
49 USD;	 .maison
49 USD;	 .partners
49 USD;	 .viajes
50 USD;	 .limo
50 USD;	 .tienda
50 USD;	 .voyage
50 USD;	 .wien
51 USD;	 .coupons
51 USD;	 .golf
51 USD;	 .hockey
51 USD;	 .jewelry
51 USD;	 .taxi
51 USD;	 .theater
51 USD;	 .tours
55 USD;	 .lgbt
57 USD;	 .mx
57 USD;	 .vegas
58 USD;	 .com.br
64 USD;	 .qa
65 USD;	 .host
66 USD;	 .berlin
66 USD;	 .black
66 USD;	 .poker
69 USD;	 .college
71 USD;	 .global
71 USD;	 .green
71 USD;	 .io
74 USD;	 .ceo
75 USD;	 .gg
76 USD;	 .ac
76 USD;	 .com.ar
76 USD;	 .sh
90 USD;	 .jp
92 USD;	 .fm
93 USD;	 .cl
94 USD;	 .accountants
94 USD;	 .credit
94 USD;	 .energy
94 USD;	 .investments
94 USD;	 .loans
94 USD;	 .tires
100 USD;	 .adult
100 USD;	 .porn
100 USD;	 .sex
101 USD;	 .gold
101 USD;	 .reise
141 USD;	 .casino
141 USD;	 .creditcard
254 USD;	 .hiv
282 USD;	 .sucks
306 USD;	 .movie

Of course, you can manipulate the list above and sort it in alphabetic order if you wish.
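The missing-RegistrationPrice problem above is easy to get wrong with jq because `.RegistrationPrice.Price` yields null rather than an error. As an added example (not from the original post), the Python below parses a constructed sample shaped like the `aws route53domains list-prices` output, reproduces the egrep | uniq -c tally of which price keys each TLD carries, and then lists TLDs cheapest-first using RegistrationPrice where it exists and falling back to RenewalPrice where it does not, so no TLD is lost. The sample values (three TLDs, one without RegistrationPrice) and the function names are mine.

```python
import json
from collections import Counter

# Constructed sample shaped like `aws route53domains list-prices` output.
# The second entry deliberately has no RegistrationPrice, mirroring the gap seen in the post.
SAMPLE_LIST_PRICES = json.dumps({
    "Prices": [
        {"Name": "click",
         "RegistrationPrice": {"Price": 3.0, "Currency": "USD"},
         "TransferPrice": {"Price": 3.0, "Currency": "USD"},
         "RenewalPrice": {"Price": 3.0, "Currency": "USD"},
         "ChangeOwnershipPrice": {"Price": 0.0, "Currency": "USD"},
         "RestorationPrice": {"Price": 50.0, "Currency": "USD"}},
        {"Name": "co.uk",
         "RenewalPrice": {"Price": 9.0, "Currency": "USD"},
         "ChangeOwnershipPrice": {"Price": 0.0, "Currency": "USD"},
         "RestorationPrice": {"Price": 30.0, "Currency": "USD"}},
        {"Name": "movie",
         "RegistrationPrice": {"Price": 306.0, "Currency": "USD"},
         "TransferPrice": {"Price": 306.0, "Currency": "USD"},
         "RenewalPrice": {"Price": 306.0, "Currency": "USD"},
         "ChangeOwnershipPrice": {"Price": 0.0, "Currency": "USD"},
         "RestorationPrice": {"Price": 350.0, "Currency": "USD"}},
    ]
})

PRICE_KEYS = ("RegistrationPrice", "TransferPrice", "RenewalPrice",
              "ChangeOwnershipPrice", "RestorationPrice")


def price_key_counts(list_prices_json):
    """Same tally as the egrep | sort | uniq -c pipeline: how many TLDs carry each price key."""
    prices = json.loads(list_prices_json)["Prices"]
    return Counter(k for p in prices for k in PRICE_KEYS if k in p)


def tld_prices(list_prices_json, preferred="RegistrationPrice", fallback="RenewalPrice"):
    """Return (price, currency, tld, source_key) tuples sorted cheapest first.

    Uses `preferred` when the entry has it and `fallback` otherwise, so a TLD without
    RegistrationPrice still appears (with RenewalPrice) instead of a null.
    """
    rows = []
    for p in json.loads(list_prices_json)["Prices"]:
        key = preferred if preferred in p else fallback
        if key not in p:
            continue  # neither price present: nothing meaningful to show
        rows.append((float(p[key]["Price"]), p[key]["Currency"], "." + p["Name"], key))
    return sorted(rows)  # numeric sort on the price, so 9 sorts before 10


if __name__ == "__main__":
    print(dict(price_key_counts(SAMPLE_LIST_PRICES)))
    for price, currency, tld, source in tld_prices(SAMPLE_LIST_PRICES):
        print(f"{price:g} {currency};\t{tld}\t({source})")
```

Point it at the saved 2023-02-17-prices-as-of-this-date.txt instead of the sample to get the full list; sorting on the float avoids the "10 before 9" problem that a plain `sort` (without -n) would give on the text output.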

aws-route53domains-help

There is a lot more you can do with this API :)

Imagination is the limit.

Type aws route53domains help to get the CLI help,

or go to the documentation page https://awscli.amazonaws.com/v2/documentation/api/latest/reference/route53domains/list-domains.html

antonio-feijao-uk

Thank you, and happy learning.

Antonio Feijao UK