Updates from July, 2020

  • ThomasPowell 10:16 pm on July 25, 2020
    Tags: alarms

    Monitoring your S3 buckets for #omgcat usage 

    If you’re serving up a static website from S3, especially if you have larger assets stored there, you may want to put monitoring on the requests or bytes downloaded from S3, just to make sure someone’s not running up terabytes of transfers or millions of requests.

    Enabling Metrics on S3

    You will have to enable metrics on S3 in order to get CloudWatch alarms on them.

    • Go to Services -> S3 -> Buckets and select the bucket for your static site.
    • Select the Management tab, then [Metrics], and click the pencil icon next to the bucket icon.
    • Once enabled, the metrics will take a bit to populate.

    Setting up Simple Notification Service (SNS)

    (These are the same instructions as in Monitoring your CloudFront #omgcat usage)

    Set up a topic

    • First, you’re going to want to be notified. Go to Services -> Simple Notification Service to set up a pathway for that to happen.
    • Next, click “Topics” and then [Create topic]
    • Name your topic something that adequately describes the purpose (I just used domainname-com)
    • Scroll down to [Create Topic]

    Set up a subscription

    • Under “Amazon SNS” left sidebar, click “Subscriptions” and [Create Subscription]
    • Click on the Topic ARN field and you should be able to see an ARN with your topic name as the last part of the ARN. Click that ARN
    • Under Protocol, select your preferred method of notification (I’m going with SMS).
    • Under Endpoint, enter your cell number, including country code (+18005551212 for (800) 555-1212 in the US)

    Setting up a CloudWatch Alarm

    • Go to Services -> CloudWatch -> Alarms and [Create alarm]
    • [Select metric] and select S3
    • If you don’t see “Request Metrics per Filter” then the metrics haven’t started populating yet.
    • Check “GetRequests” or “BytesDownloaded” and [Select Metric]
    • Set the conditions you want to use to flag anomalies (for example, a threshold on the metric over a period) and click [Next]
    • Choose “In Alarm” and “Select an existing SNS topic” and click in the box below “Send Notification To…” to get suggestions and select the SNS topic corresponding to the notification method you set up. Click [Next]
    • Name your alarm and click [Next]
    • Review the summary and click [Create Alarm]

  • ThomasPowell 1:51 pm on July 25, 2020
    Tags: alarm

    Monitoring your CloudFront #omgcat usage 

    Ok, so you’ve created a lovely static site and/or set up a CloudFront distribution for https for it. But CloudFront bills by the GB. What if somebody decides your assets are perfect to hotlink to or just straight up makes an insane boatload of requests? How do you protect yourself from getting a frightening bill before AWS Budget can even notify you?

    Setting up Simple Notification Service (SNS)

    Set up a topic

    • First, you’re going to want to be notified. Go to Services -> Simple Notification Service to set up a pathway for that to happen.
    • Next, click “Topics” and then [Create topic]
    • Name your topic something that adequately describes the purpose (I just used domainname-com)
    • Scroll down to [Create Topic]

    Set up a subscription

    • Under “Amazon SNS” left sidebar, click “Subscriptions” and [Create Subscription]
    • Click on the Topic ARN field and you should be able to see an ARN with your topic name as the last part of the ARN. Click that ARN
    • Under Protocol, select your preferred method of notification (I’m going with SMS).
    • Under Endpoint, enter your cell number, including country code (+18005551212 for (800) 555-1212 in the US)

    Get Notified

    • Go to Services -> CloudFront -> Alarms
    • [Create Alarm]
    • Under Metric, choose the threshold that you want to detect on… maybe it’s Requests, maybe it’s Bytes Downloaded…
    • Select the distribution that you want to watch ( domainname.com should be mentioned in the dropdown)
    • For “Send a notification to”, select the SNS topic that corresponds to the notification method you set up.
    • Since mine is a dev/test site, I don’t expect more than a request/second so
    • Finally, [Create Alarm]

    Testing the Alarm

    • If you have a low enough threshold you can probably just hold down F5 (or whatever your refresh key is) for a few seconds. (Word of caution: Don’t do this with a page that downloads a lot of assets!)
    • In bash you can also do the following (61 requests, enough to cross a one-request-per-second threshold over a minute):
    for i in {1..61}
    do
      curl https://domainname.com
    done
    
    • If your notifications are working, you should get a message through your preferred notification method.
    • Under Services -> CloudWatch -> Alarms, you should also see your Alarm count be > 0.
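    The S3 alarm from the previous post and the CloudFront alarm from this one, written as the keyword arguments boto3's put_metric_alarm takes so the same setup can be scripted and reviewed instead of clicked through. This is an added example, not code from the original posts: the topic ARN, bucket name, distribution id and thresholds are placeholders, and the S3 request-metrics filter is assumed to be named EntireBucket (the name you gave it when enabling metrics on the bucket).

```python
"""Alarm definitions for the S3 and CloudFront posts, as boto3
put_metric_alarm keyword arguments (added example, not from the posts)."""


def sum_over_period_alarm(name, namespace, metric, dimensions, threshold,
                          topic_arn, period=300):
    """One 5-minute Sum of `metric` above `threshold` puts the alarm in ALARM
    and notifies the SNS topic. Missing data is treated as not breaching so a
    quiet dev/test site does not alarm just because nobody visited it."""
    return {
        "AlarmName": name,
        "Namespace": namespace,
        "MetricName": metric,
        "Dimensions": [{"Name": k, "Value": v} for k, v in dimensions.items()],
        "Statistic": "Sum",
        "Period": period,
        "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def s3_bytes_downloaded_alarm(bucket, topic_arn, threshold_bytes,
                              filter_id="EntireBucket"):
    """S3 request metrics live in AWS/S3 and need both BucketName and FilterId
    (the metrics configuration created under Management -> Metrics); without
    the FilterId dimension the alarm never sees data. Assumes filter 'EntireBucket'."""
    return sum_over_period_alarm(
        f"{bucket}-s3-bytes-downloaded", "AWS/S3", "BytesDownloaded",
        {"BucketName": bucket, "FilterId": filter_id}, threshold_bytes, topic_arn)


def cloudfront_requests_alarm(distribution_id, topic_arn, threshold_requests):
    """CloudFront metrics are global: dimension Region=Global, and the alarm
    must be created in us-east-1 regardless of where the bucket lives."""
    return sum_over_period_alarm(
        f"{distribution_id}-cloudfront-requests", "AWS/CloudFront", "Requests",
        {"DistributionId": distribution_id, "Region": "Global"},
        threshold_requests, topic_arn)


if __name__ == "__main__":
    # Placeholder values. With boto3 installed, apply each dict with:
    #   boto3.client("cloudwatch", region_name="us-east-1").put_metric_alarm(**params)
    topic = "arn:aws:sns:us-east-1:123456789012:domainname-com"  # placeholder ARN
    print(s3_bytes_downloaded_alarm("domainname.com", topic, 5 * 1024 ** 3))
    print(cloudfront_requests_alarm("EDFDVBD6EXAMPLE", topic, 300))  # placeholder id
```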
  • ThomasPowell 5:54 pm on July 24, 2020
    Tags: certificate manager, https

    Adding https to an S3 static site via CloudFront 

    Ok, so we’ve set up a static site hosted from an S3 bucket with a custom domain using Route 53. But sadly, it’s:

    Not Secure

    Request a Certificate in Certificate Manager

    • Go to Services -> Certificate Manager
    • Click [Request a Certificate]
    • In the window that opens from “Request or Import a Certificate with ACM”, enter your domain name (domainname.com) and click [Next]
    • Select DNS validation and click [Next]
    • Click [Review]
    • Click [Confirm and Request] if the details look correct.
    • Expand the domain in validation:
    • Click [Create record in Route 53] and confirm by clicking [Create] again.
    • You’ll be waiting from several minutes to half an hour for the validation to happen, during which time status will display as “Pending validation”
    • Click [Continue] to finish the request process and go back to the Certificate Manager main screen.
    • Click the (refresh icon) button to update status, and when status turns to “Issued” you are ready to use it in CloudFront.
    (Screenshots: status shown as “Pending validation”, then “Issued” and ready for use)

    Setting up a CloudFront distribution

    • In the AWS Console, go to Services → CloudFront
    • Click [Create Distribution]
    • Click [Get Started] under Web

    Create Distribution

    • Under “Origin Domain Name” select the selection under “Amazon S3 buckets” that corresponds to your static web site bucket. (e.g., domainname.com.s3.amazonaws.com)
    • Optional: Restrict Bucket Access [Yes] so that you can control access through the CloudFront distribution alone.
      • Set “Origin Access Identity” to “Create a new identity”
      • Set “Grant Read Permissions on Bucket” to “Yes, Update Bucket Policy”
    • Under Viewer Protocol Policy I select “Redirect HTTP to HTTPS” just to keep things uniform.

    Set up SSL

    • Under Alternate Domain Names, enter your domain name (e.g., domainname.com)
    • Select “Custom SSL Certificate”
    • Click “Request or Import a Certificate with ACM”
    • If you go back to CloudFront you should be able to select “Custom SSL Certificate” now and the certificate corresponding to your domain name should show up in suggestions:
    • Scroll down and leave defaults until you get to “Default Root Object”. You’ll want to set this to the name of the document to bring up (e.g., index.html) if the user browses to / on the domain.
    • Optional: I set Logging to On and selected my logging bucket that I used for the static site as the bucket, adding a log prefix for it.
    • To finish, click [Create Distribution]
    • You may be waiting quite a while for changes to propagate to the edge locations, but at some point before the “In Progress” changes to “Deployed” you will be able to pull up via the domain listed under the “Domain Name” column in your list of CloudFront Distributions.

    Pointing the domain name at your distribution

    • Go back to Route 53 and go into the hosted zone for your domain name
    • Check the checkbox next to your A record and then go up to Actions -> Edit
    • Change “Value/Route traffic to” from “Alias to S3 endpoint” to “Alias to CloudFront distribution” in the “Choose Distribution” input box.
    • Enter the domain name (“asdfkjdfasoiadsf9u.cloudfront.net.”) as your domain name. (The new interface wasn’t suggesting distributions like the last version of the interface did… it may change next week, of course.)

    Locking down S3

    If you selected “Restrict bucket access” and had CloudFront update your S3 policy, your public access setting on the bucket is still unaffected. You’ll want to remove that:

    • Go back to Services -> Amazon S3
    • Go to your domainname.com bucket
    • Click Permissions
    • Click Block public access
    • Check “Block all public access” and click [Save]

    Some other details

    If you want JavaScript and forms to function properly, you’ll want to set up a CORS configuration by going to your S3 bucket, selecting the Permissions tab and clicking CORS configuration:

    <CORSConfiguration>
      <CORSRule>
        <AllowedOrigin>https://thomaspowell.work</AllowedOrigin>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
      </CORSRule>
      <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
      </CORSRule>
    </CORSConfiguration>
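    The bucket settings behind the “Restrict Bucket Access”, “Locking down S3” and CORS steps above, in the form the boto3 S3 client accepts, plus a check that the old public-read policy is really gone once only CloudFront should reach the bucket. This is an added example, not code from the original post; BUCKET, OAI_ID and SITE_ORIGIN are placeholders (the real OAI id is shown in the CloudFront console after “Create a new identity”).

```python
"""S3 lockdown settings for a CloudFront-fronted static site (added example,
not from the post). BUCKET, OAI_ID and SITE_ORIGIN are placeholders."""

BUCKET = "domainname.com"               # placeholder
OAI_ID = "E2EXAMPLEOAI"                 # placeholder Origin Access Identity id
SITE_ORIGIN = "https://domainname.com"  # placeholder


def oai_bucket_policy(bucket, oai_id):
    """What 'Yes, Update Bucket Policy' grants: only the distribution's Origin
    Access Identity may GetObject, so the bucket no longer needs public read."""
    oai_arn = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAIRead", "Effect": "Allow",
        "Principal": {"AWS": oai_arn},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def public_access_block():
    """'Block all public access' as the four flags put_public_access_block takes."""
    return {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def cors_configuration(site_origin):
    """The two rules from the XML above, as put_bucket_cors expects them."""
    return {"CORSRules": [
        {"AllowedOrigins": [site_origin],
         "AllowedMethods": ["PUT", "POST", "DELETE"], "AllowedHeaders": ["*"]},
        {"AllowedOrigins": ["*"], "AllowedMethods": ["GET"]}]}


def grants_anonymous_read(policy):
    """True if any Allow statement uses a wildcard principal, i.e. the public
    static-site policy is still in place beside the new OAI statement."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        if "*" in ([aws] if isinstance(aws, str) else aws):
            return True
    return False


if __name__ == "__main__":
    # With boto3 installed, apply with s3.put_bucket_policy(Bucket=BUCKET,
    # Policy=json.dumps(policy)), s3.put_public_access_block(Bucket=BUCKET,
    # PublicAccessBlockConfiguration=public_access_block()) and
    # s3.put_bucket_cors(Bucket=BUCKET, CORSConfiguration=cors_configuration(SITE_ORIGIN)).
    policy = oai_bucket_policy(BUCKET, OAI_ID)
    print("bucket still readable anonymously:", grants_anonymous_read(policy))
```

Run grants_anonymous_read over the policy fetched with get_bucket_policy after CloudFront updates it; a True result means the original public-read statement is still there and “Block all public access” is what actually closes it.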

    Some mistakes I made:

    • A certificate for *.domainname.com does not cover domainname.com. You have to add both if you want wildcard and domainname.com itself covered.

    Next up… preventing someone from running up a $1,000 AWS bill by hammering your site (i.e., monitoring your site’s access… with better granularity than AWS Budgets…)
