Amazon EC2安全组
我正在寻找创建一个 Python 脚本来检测以下四个 Amazon Neptune 错误配置: Neptune 的 IAM 数据库身份验证 Neptune Auto 小版本升级 Neptune 数据库加密...
在 Terraform 安全组规则中不能将跨账户源安全组 id 列入白名单
我有一个中央 AWS 帐户,我正在使用 Packer 运行一些 AMI 构建。我有一个辅助帐户,有时我也需要在其中运行构建,但我只能负担得起保留我的 CI/CD 服务器
如何配置安全组以将 Laravel Vapor 连接到 AWS RDS
我有一个 AWS RDS,它已正确设置为允许端口 3306 上的入站流量来自对两个 EC2 实例进行负载平衡的 ELB。这一切都在正常工作,并且已经有一段时间了。 我是...
AWS 批处理上的 Python 3.8.10 Docker 映像:urllib3 和请求的连接超时错误
尝试在 AWS Batch 上运行 Python 3.8.10 Docker 映像时遇到连接超时错误。这是错误消息: urllib3.exceptions.NewConnectionError: 尝试在 AWS Batch 上运行 Python 3.8.10 Docker 镜像 时遇到连接超时错误。这是错误信息: urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7f809b43d430>: Failed to establish a new connection: [Errno 110] Connection timed out ... urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='hooks.slack.com', port=443): Max retries exceeded with url: /services/XXXXXX/YYYYY/ZZZZZZZZ(Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f809b43d430>: Failed to establish a new connection: [Errno 110] Connection timed out')) 我正在使用以下 dockerfile: FROM python:3.8.10 WORKDIR /code COPY ./requirements.txt /code/requirements.txt RUN pip install --no-cache-dir --upgrade -r /code/requirements.txt COPY ./app /code/app CMD ["python", "./app/train.py"] 我的 ComputeEnvironment 在公共子网中,安全组当前允许所有 TLS 流量进出。我该如何解决这个问题?我错过了什么? 相关云格式模板: Resources: # VPC VPC: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 # 16 means that our VPC will be able to host 65536 IPs approximately. EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: service-vpc-${sls:stage} # Security Group # The creation of a Security Group is not really necessary, but I think is very useful at least to have a default one attached to the VPC. This security group allows SSH, HTTP and HTTPS access from the custom IP configure by the sgCidr parameter. DMZSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupName: service-dmz-sg-${sls:stage} GroupDescription: DMZ Security Group to allow Access to SSH VpcId: !Ref VPC SecurityGroupIngress: - Description: Allow SSH IpProtocol: tcp FromPort: "22" ToPort: "22" CidrIp: 0.0.0.0/0 # Custom IP to configure the Security Group to allow access only from the specified IP that you can define, by default is 0.0.0.0/0 which means open to the internet. - Description: Allow Http IpProtocol: tcp FromPort: "80" ToPort: "80" CidrIp: 0.0.0.0/0 # Custom IP to configure the Security Group to allow access only from the specified IP that you can define, by default is 0.0.0.0/0 which means open to the internet. - Description: Allow Https IpProtocol: tcp FromPort: "443" ToPort: "443" CidrIp: 0.0.0.0/0 # Custom IP to configure the Security Group to allow access only from the specified IP that you can define, by default is 0.0.0.0/0 which means open to the internet. # Internet Gateway InternetGateway: Type: AWS::EC2::InternetGateway DependsOn: VPC Properties: Tags: - Key: Name Value: service-internet-gateway-${sls:stage} AttachGateway: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref VPC InternetGatewayId: !Ref InternetGateway # NAT Gateway ElasticIPAddress: Type: AWS::EC2::EIP Properties: Domain: VPC NATGateway: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt ElasticIPAddress.AllocationId SubnetId: !Ref PublicSubnetA Tags: - Key: Name Value: service-nat-gateway-${sls:stage} # Subnets PublicSubnetA: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.1.0/24 AvailabilityZone: !Select [0, !GetAZs ""] # Get the first AZ in the list MapPublicIpOnLaunch: True Tags: - Key: Name Value: service-subnet-public-a-${sls:stage} PublicSubnetB: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: 10.0.2.0/24 AvailabilityZone: !Select [1, !GetAZs ""] # Get the second AZ in the list MapPublicIpOnLaunch: True Tags: - Key: Name Value: service-subnet-public-b-${sls:stage} PrivateSubnetC: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [0, !GetAZs ""] # Get the first AZ in the list CidrBlock: 10.0.3.0/24 Tags: - Key: Name Value: service-subnet-private-c-${sls:stage} PrivateSubnetD: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [1, !GetAZs ""] # Get the second AZ in the list CidrBlock: 10.0.4.0/24 Tags: - Key: Name Value: service-subnet-private-d-${sls:stage} # Some route tables for our subnets: PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: service-routetable-public-${sls:stage} PrivateRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: service-routetable-private-${sls:stage} # Public route table has direct routing to IGW: PublicRoute: Type: AWS::EC2::Route DependsOn: AttachGateway Properties: RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway # Private route table can access web via NAT: PrivateRoute: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateRouteTable DestinationCidrBlock: 0.0.0.0/0 # Route traffic through the NAT Gateway: NatGatewayId: !Ref NATGateway # Attach the public subnets to public route tables, # and attach the private subnets to private route tables: PublicSubnetARouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PublicSubnetA RouteTableId: !Ref PublicRouteTable PublicSubnetBRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PublicSubnetB RouteTableId: !Ref PublicRouteTable PrivateSubnetCRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PrivateSubnetC RouteTableId: !Ref PrivateRouteTable PrivateSubnetDRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref PrivateSubnetD RouteTableId: !Ref PrivateRouteTable BERecommenderTrainingSecurityGroup: Type: "AWS::EC2::SecurityGroup" Properties: GroupDescription: service-be-recommender-training-security-group-${sls:stage} VpcId: !Ref VPC SecurityGroupEgress: # Allow all outgoing traffic - IpProtocol: "tcp" FromPort: 80 ToPort: 80 CidrIp: "0.0.0.0/0" - IpProtocol: "tcp" FromPort: 443 ToPort: 443 CidrIp: "0.0.0.0/0" BERecommenderTrainingComputeEnvironment: Type: AWS::Batch::ComputeEnvironment Properties: Type: MANAGED #ServiceRole: arn:aws:iam::111122223333:role/aws-service-role/batch.amazonaws.com/AWSServiceRoleForBatch ComputeEnvironmentName: service-be-recommender-training-compute-environment-${sls:stage} ComputeResources: Type: FARGATE_SPOT MaxvCpus: 256 SecurityGroupIds: - Fn::GetAtt: - VPC - DefaultSecurityGroup - !Ref BERecommenderTrainingSecurityGroup Subnets: - !Ref PublicSubnetA - !Ref PublicSubnetB #InstanceRole: ecsInstanceRole BERecommenderTrainingJobQueue: Type: AWS::Batch::JobQueue Properties: JobQueueName: service-be-recommender-training-job-queue-${sls:stage} Priority: 100 ComputeEnvironmentOrder: - Order: 1 ComputeEnvironment: !Ref BERecommenderTrainingComputeEnvironment BERecommenderTrainingExecutionRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - "ecs-tasks.amazonaws.com" Action: - "sts:AssumeRole" Policies: - PolicyName: BERecommenderTrainingExecutionRolePolicyECR PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - ecr:GetAuthorizationToken - ecr:BatchCheckLayerAvailability - ecr:GetDownloadUrlForLayer - ecr:BatchGetImage - logs:CreateLogStream - logs:PutLogEvents Resource: "*" BERecommenderTrainingJobRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - "ecs-tasks.amazonaws.com" Action: - "sts:AssumeRole" Policies: - PolicyName: BERecommenderTrainingJobRolePolicyS3 PolicyDocument: Version: "2012-10-17" Statement: - Action: - s3:ListBucket Effect: Allow Resource: - arn:aws:s3:::service-s3-data-${sls:stage} - Action: - s3:GetObject - s3:PutObject - s3:DeleteObject Effect: Allow Resource: - arn:aws:s3:::service-s3-data-${sls:stage}/* BERecommenderTrainingJobDefinition: Type: AWS::Batch::JobDefinition Properties: JobDefinitionName: service-be-recommender-training-job-definition-${sls:stage} Type: container PlatformCapabilities: - FARGATE ContainerProperties: Image: !GetAtt BERecommenderTrainingRepository.RepositoryUri ResourceRequirements: # See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-batch-jobdefinition-resourcerequirement.html - Type: MEMORY Value: !If [IsProd, "30720", "512"] - Type: VCPU Value: !If [IsProd, "4", "0.25"] ExecutionRoleArn: !GetAtt BERecommenderTrainingExecutionRole.Arn JobRoleArn: !GetAtt BERecommenderTrainingJobRole.Arn Environment: - Name: "STAGE" Value: !If [IsProd, "prod", "dev"] BERecommenderTrainingEventRuleRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - "events.amazonaws.com" Action: - "sts:AssumeRole" Policies: - PolicyName: BERecommenderTrainingEventRulePolicy PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - batch:SubmitJob - ecr:GetAuthorizationToken - ecr:BatchCheckLayerAvailability - ecr:GetDownloadUrlForLayer - ecr:BatchGetImage - logs:CreateLogStream - logs:PutLogEvents Resource: "*" BERecommenderTrainingEventRule: Type: AWS::Events::Rule Properties: Name: service-be-recommender-training-event-rule-${sls:stage} ScheduleExpression: cron(0 * ? * * *) State: !If [IsProd, ENABLED, DISABLED] Targets: - Id: service-be-recommender-training-batch-job-${sls:stage} Arn: !Ref BERecommenderTrainingJobQueue RoleArn: !GetAtt BERecommenderTrainingEventRuleRole.Arn BatchParameters: JobDefinition: !Ref BERecommenderTrainingJobDefinition JobName: service-be-recommender-training-batch-job 我找到了解决这个问题的方法: 我必须将公共子网切换为私有子网,并附加一个 NAT 网关。它现在已成功连接到互联网!
我正在寻找创建一个 python 脚本来检测以下 4 个 Aws Neptune 错误配置。 Neptune 的 IAM 数据库身份验证 Neptune Auto 小版本升级 Neptune 数据库加密已启用
我在 Fargate 实例中托管了一个应用程序。在安全组中,如果我在入站规则中选择源到 Anywhere-IPv4,它工作正常,我可以访问我的网站。但是如果我改变源...
仅当请求包含特定标签时才允许 ec2:CreateSecurityGroup
我正在尝试编写 IAM 策略以确保资源(示例中的安全组)无法创建,除非它被标记为具有特定值的特定标签。 这是我的政策: { ...
如何让我的 lambda 成功调用 elasticbeanstalk.describeConfigurationSettings
我有一个 lambda 试图访问 Elastic beanstalk 的 describeConfigurationSettings,但它总是在 20 秒后超时,这已经足够了。我认为这是因为安全问题......
所以我在 EC2 的同一区域和子网中启动了两个 EC2 实例。我已经为这样的实例设置了安全权限: 实例 A:从 ELB 接收流量并可以出站...
我已经在谷歌上搜索过了,还没有找到一个可靠的解决方案。我在 AWS 中设置了一个环境,我不希望用户能够对 EC2 安全组进行任何更改...
authorize-security-group-ingress 不向安全组添加规则
创建了一个 AWS 安全组: aws ec2 create-security-group --group-name test-sg --description "测试" 显示输出为: { “GroupId”:“sg-79e9441d” } 为其添加了一条新规则: aws ec2 授权-
无法通过本地 pgAdmin 连接到我的 AWS Postgresql 实例
我的计划是从 SQL Server 迁移到托管在 AWS 上的 Postgresql。我的 Postgresql 数据库位于 VPC 中,附加到它的安全组具有以下入站规则: 第一个是我的 EC2
我想让它更加模块化以适应不同的环境(Dev,UAT,PROD),在这种情况下,我认为我应该使用SG("App${local.environment}sec_group")的'name',或者只使用Sec_group?
使用CloudFormation时,NodeGroup没有加入EKS集群
我一直在遵循这个指南 通过CloudFormation创建一个Kubernetes集群 但NodeGroup从来没有加入集群 我从来没有得到一个错误或解释 为什么没有加入。我可以...
AWS 中 2 个 VPC 的 2 个私有子网上的 2 个 Oracle RDS 实例之间的连接。
有没有办法将一个VPC中私有子网中的一个数据库连接到另一个VPC中私有子网中的另一个数据库?两者都有相同的主账户,但各自有独立的账户。
我创建了一个EC2实例,完美地通过http运行,但当我试图将http替换为https时,我在浏览器上得到了这样的打印: 这个网站不能提供一个安全的连接,安全组... ...
我正在使用terraform脚本部署AWS EKS Cluster。一切都部署良好。但是我与安全小组陷入了一个问题。我添加了两个端口,以允许传入流量到我的...
我正在尝试在AWS中找到我的Elasticsearch域的安全组,但是从Elasticsearch控制台中找不到它。我的ES域不在VPC内,但通过某些...
我创建了一个VPC,其中有2个子网,分别是公共子网和私有子网。我已经创建了公共和专用路由表,并将其附加到专用子网和公用子网。我也添加了ACL和入站...
我在SG1的专用子网中有一个服务器,我想在SG2的公用子网中调用负载均衡器。我在SG1上设置了出站规则,该规则允许到SG2的流量。但是,当我...