Questions tagged with AWS Well-Architected Framework


I have gone through this article on how to **generate architecture diagrams of AWS Cloud workloads**, but there is no clear guideline on where to start and how to build this to get architecture diagrams of a live workload of any size residing in an AWS account. Does anyone use this feature to create architecture diagrams of AWS Cloud workloads?

1 answer · 0 votes · 9 views · asked 5 days ago

I need to understand the differences between the December 2021 and December 2022 versions of the framework, but I can't find a link to a prior version in PDF or HTML. Could anyone help? Thanks in advance.

2 answers · 0 votes · 37 views · atirado asked a month ago

Hi, is there a way to federate the SSH connection with O365 accounts? I am looking to get the benefit of SSO with the SSH connection to my EC2 instances.

1 answer · 0 votes · 28 views · asked a month ago

We are designing a cloud-native architecture for a simple web application with a user base of 10 users and a transaction volume of 100. We are planning to host the React web app on S3 and the Spring Boot (micro)services on ECS, connecting to an AWS RDS instance of PostgreSQL. It is a single-AZ deployment, as there is no need for replication. There will be only one ECS per environment (dev, UAT and Prod). Having said that, please help me understand the queries below:

1. Does the solution need an ELB when only one ECS instance is sufficient?
2. If an ELB is not required, can R53 send traffic to the instance?
3. Does the solution need an API Gateway between the React app and the ECS microservice?
4. Is CloudFront necessary when only 10 users access it?

Thanks.

5 answers · 0 votes · 72 views · asked 2 months ago

Hello, I would like to know the riskRules for each question of the 6 Well-Architected Framework pillars. When executing a WAFR, you have to answer multiple questions. For example:

* SEC 1. How do you securely operate your workload?
* REL 1. How do you manage service quotas and constraints?
* and many more

Each of these questions contains tickboxes which are called "best practices". These best practices are categorised in 3 categories:

* Low
* Medium (MRI)
* High (HRI)

When answering the questions, something called "riskRules" will decide whether your question will be an HRI or an MRI. When solving issues and hence checking more best-practice boxes in your question, your HRI could become an MRI. This will be shown in the Well-Architected dashboard and you can use this to keep track of your progress.

I would like to build some automation around the Well-Architected Tool, and when I did my research I found that you can define your own riskRules if you are creating a Custom Lens. You can see how that works over here: https://docs.aws.amazon.com/wellarchitected/latest/userguide/lenses-format-specification.html#lenses-format-risk-rules. This made me think that I would like to know what the riskRules are on the questions that are part of the 6 pillars. I can use this information in deciding which best practices need to be solved in order to go from an HRI to an MRI.

Is there anyone out there who can provide me with this information? Thank you in advance! Kind regards, Enri Peters

1 answer · 0 votes · 301 views · asked 2 months ago

Hi, currently the WAR report is 100+ pages; however, it is very difficult to summarize. Is it possible to generate the report in Excel, so that we can easily navigate through the filters? Thanks, Sunil

1 answer · 0 votes · 41 views · Sunil_P (AWS) asked 2 months ago

**What is the advantage of AWS Organizations management over account management? Why take the leap?**

Every company has users and resources they interact with. At the end of the day, management of these users and resources (allowing the intended and blocking the unintended usage) is the purpose of our job. The answer is to use an account-level strategy or an organizational-level strategy. In AWS, a few years back, the focus was on securing an account, and VPCs did the separation for production, development and testing stages. [Please understand that a separate VPC is as good as a separate datacenter.] Now the idea is promoted that practically each developer or team will have an account, the department will work as an OU and the enterprise will run as an AWS organization, handling this multi-account strategy. So along come SCPs (at the end of the day they are DENY rules), Control Tower and Landing Zone. But the same things can be run at account level.

*Are we securing the blast radius by limiting it to an account, in case of an account compromise?* **I do not agree**, as firstly, when you're running a multi-account system, similar cross-account accesses are also in place, which need to be secured along with the basic-level account security management. Also, the top management account in the organization can be compromised. In fact, the attack surface is largely increasing to another level. It causes difficulties for visibility and monitoring (GuardDuty can be enabled for multiple accounts and a CloudTrail aggregator can be used), but it is getting complicated. Secondly, anyway, one has to keep the account secure also. Clear demarcation is possible and a good environment can be provided with VPCs, conditional statements and tagging. In case of a merger there can be cross-account access enabled with an external ID.

**I am not here to challenge, but I want to gain an understanding of why the shift was undertaken. Also, any resources in this regard will be a great help. Even a comment might help.**

2 answers · 0 votes · 48 views · asked 2 months ago

Hi, I want to create an EC2 instance with NitroTPM 2.0 enabled. I followed the instructions from this site: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enable-nitrotpm-support-on-ami.html

```
{ "Images": [ { "Architecture": "x86_64", "CreationDate": "2022-11-21T20:07:43.000Z", "ImageId": "ami-05683f60db56ff1b5", "ImageLocation": "293786889684/DebianImage", "ImageType": "machine", "Public": false, "OwnerId": "293786889684", "PlatformDetails": "Linux/UNIX", "UsageOperation": "RunInstances", "State": "available", "BlockDeviceMappings": [ { "DeviceName": "/dev/xvda", "Ebs": { "DeleteOnTermination": true, "SnapshotId": "snap-0c493ccaccd018881", "VolumeSize": 8, "VolumeType": "gp2", "Encrypted": false } }, { "DeviceName": "/dev/xvdf", "Ebs": { "DeleteOnTermination": true, "VolumeSize": 10, "VolumeType": "gp2", "Encrypted": false } } ], "EnaSupport": true, "Hypervisor": "xen", "Name": "DebianImage", "RootDeviceName": "/dev/xvda", "RootDeviceType": "ebs", "SriovNetSupport": "simple", "VirtualizationType": "hvm", "BootMode": "uefi", "TpmSupport": "v2.0" } ] }
```

So far it looks good, but if I try to launch an instance of this AMI, I cannot connect to the machine. If I create an instance from the management console without NitroTPM support, I can connect to the machine via my key. Also, I would like to get some measurements from the TPM, but I don't see any of the hashes in the response. I appreciate any help you can offer.

Here's my EC2 description:

```
{ "Reservations": [ { "Groups": [], "Instances": [ { "AmiLaunchIndex": 0, "ImageId": "ami-05683f60db56ff1b5", "InstanceId": "i-03435c99e5a3a83b5", "InstanceType": "m6a.xlarge", "KeyName": "OPTI_PLEX_KEY_PAIR", "LaunchTime": "2022-11-21T20:53:29.000Z", "Monitoring": { "State": "disabled" }, "Placement": { "AvailabilityZone": "eu-central-1a", "GroupName": "", "Tenancy": "default" }, "PrivateDnsName": "ip-172-31-16-168.eu-central-1.compute.internal", "PrivateIpAddress": "172.31.16.168", "ProductCodes": [], "PublicDnsName": "ec2-18-159-62-7.eu-central-1.compute.amazonaws.com", "PublicIpAddress": "18.159.62.7", "State": { "Code": 16, "Name": "running" }, "StateTransitionReason": "", "SubnetId": "subnet-12bdf778", "VpcId": "vpc-d90e6cb3", "Architecture": "x86_64", "BlockDeviceMappings": [ { "DeviceName": "/dev/xvda", "Ebs": { "AttachTime": "2022-11-21T20:53:30.000Z", "DeleteOnTermination": true, "Status": "attached", "VolumeId": "vol-05814aff540510c1f" } }, { "DeviceName": "/dev/xvdf", "Ebs": { "AttachTime": "2022-11-21T20:53:30.000Z", "DeleteOnTermination": true, "Status": "attached", "VolumeId": "vol-03027ae670649544f" } } ], "ClientToken": "45856522-8833-4e31-985f-f5209b014fa1", "EbsOptimized": true, "EnaSupport": true, "Hypervisor": "xen", "ElasticGpuAssociations": [], "ElasticInferenceAcceleratorAssociations": [], "NetworkInterfaces": [ { "Association": { "IpOwnerId": "amazon", "PublicDnsName": "ec2-18-159-62-7.eu-central-1.compute.amazonaws.com", "PublicIp": "18.159.62.7" }, "Attachment": { "AttachTime": "2022-11-21T20:53:29.000Z", "AttachmentId": "eni-attach-01e82b7e623e8e9da", "DeleteOnTermination": true, "DeviceIndex": 0, "Status": "attached", "NetworkCardIndex": 0 }, "Description": "", "Groups": [ { "GroupName": "launch-wizard-10", "GroupId": "sg-05676ad26b7f6ed13" } ], "Ipv6Addresses": [], "MacAddress": "02:b8:28:63:4f:fc", "NetworkInterfaceId": "eni-095492d80db0313b8", "OwnerId": "293786889684", "PrivateDnsName": "ip-172-31-16-168.eu-central-1.compute.internal", "PrivateIpAddress": "172.31.16.168", "PrivateIpAddresses": [ { "Association": { "IpOwnerId": "amazon", "PublicDnsName": "ec2-18-159-62-7.eu-central-1.compute.amazonaws.com", "PublicIp": "18.159.62.7" }, "Primary": true, "PrivateDnsName": "ip-172-31-16-168.eu-central-1.compute.internal", "PrivateIpAddress": "172.31.16.168" } ], "SourceDestCheck": true, "Status": "in-use", "SubnetId": "subnet-12bdf778", "VpcId": "vpc-d90e6cb3", "InterfaceType": "interface", "Ipv4Prefixes": [], "Ipv6Prefixes": [] } ], "RootDeviceName": "/dev/xvda", "RootDeviceType": "ebs", "SecurityGroups": [ { "GroupName": "launch-wizard-10", "GroupId": "sg-05676ad26b7f6ed13" } ], "SourceDestCheck": true, "Tags": [ { "Key": "Name", "Value": "Ubuntu bla" } ], "VirtualizationType": "hvm", "CpuOptions": { "CoreCount": 2, "ThreadsPerCore": 2 }, "CapacityReservationSpecification": { "CapacityReservationPreference": "open" }, "HibernationOptions": { "Configured": false }, "Licenses": [], "MetadataOptions": { "State": "applied", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled", "HttpProtocolIpv6": "disabled", "InstanceMetadataTags": "enabled" }, "EnclaveOptions": { "Enabled": true }, "BootMode": "uefi", "PlatformDetails": "Linux/UNIX", "UsageOperation": "RunInstances", "UsageOperationUpdateTime": "2022-11-21T20:53:29.000Z", "PrivateDnsNameOptions": { "HostnameType": "ip-name", "EnableResourceNameDnsARecord": true, "EnableResourceNameDnsAAAARecord": false }, "TpmSupport": "v2.0", "MaintenanceOptions": { "AutoRecovery": "default" } } ], "OwnerId": "293786889684", "ReservationId": "r-0089af1cf650fc657" } ] }
```

1 answer · 0 votes · 42 views · asked 2 months ago

Hi, I'm a university student and I am doing some research regarding AMD SEV-SNP remote attestation. I want to host a VM on AWS with an AMD SEV-SNP processor and perform a remote attestation of the CPU/VM. Does AWS offer an API or another kind of interface, where I can do it? I would like to get the measurements of the VM to validate against AMD. Thank you for any help you can offer.
0 answers · 0 votes · 19 views · asked 2 months ago

My application is rendering the CAPTCHA challenge from a WAF-intercepted 405 response in an iframe. While successful completion of the puzzle renders the "That is correct, Success! You will be redirected shortly" text, the aws_waf_token cookie does not get updated in the Chrome/Firefox/Safari/Edge browsers. Looking more closely at the network traffic, when the user submits the puzzle answer, a successful POST call from challenge.js to the "verify" endpoint completes, but the subsequent POST request to the "voucher" endpoint fails with an 'InvalidRequest' 400 error. The request payload for the failed voucher call has two properties:

1. a 'captcha_voucher' with the value taken from the verify response
2. an 'existing_token' property with a value of null

Given that the CAPTCHA challenge is essentially a black box, I'm at a loss on how to address this issue. Has anyone else run into this?

0 answers · 0 votes · 34 views · asked 3 months ago

Hi, I'm using the TRUSTED ADVISOR ORGANIZATIONAL (TAO) DASHBOARD from AWS Well-Architected Labs. I need to know the latest version available for this dashboard or others. Thank you.

1 answer · 0 votes · 48 views · asked 4 months ago