Management & Governance

In the past, organizations have had to choose between innovating faster and maintaining control over cost, compliance, and security. With AWS Management and Governance services, customers don’t have to choose between innovation and control—they can have both. With AWS, customers can enable, provision, and operate their environment for both business agility and governance control.

Recent questions

  • Hello everyone, I think you have also experienced this problem. I deleted the Google Authenticator app on my old phone and didn't move the account. On my new phone, I can't get the verification code. How can I re-enable the 2FA app for my root account? I looked at many articles and progressed by marking troubleshooting, but it keeps looping. As a result, how can you disable and re-enable 2FA on your root account without entering the console? Best regards
    2 answers, 0 votes, 19 views, asked 6 hours ago
  • I just created an AWS account for the purpose of using an AWS EC2 virtual machine at some point in the future. However, I don't need to use it yet (probably in the next 6-12 months). How can I pause the 12-month free tier until I am ready to use EC2? Thanks,
    1 answer, 0 votes, 27 views, asked 12 hours ago
  • Hi AWS, I am trying to impose a condition on the S3 `BucketEncryption` property, whether it should be a customer managed key (SSE-KMS) or an AWS managed key (SSE-S3). The code for the template is:

    ```yaml
    # version: 1.0
    AWSTemplateFormatVersion: "2010-09-09"
    Description: Create standardized S3 bucket using CloudFormation Template
    Parameters:
      BucketName:
        Type: String
        Description: "Name of the S3 bucket"
      KMSKeyArn:
        Type: String
        Description: "KMS Key Arn to encrypt S3 bucket"
        Default: ""
      SSEAlgorithm:
        Type: String
        Description: "Encryption algorithm for KMS"
        AllowedValues:
          - aws:kms
          - AES256
    Conditions:
      KMSKeysProvided: !Not [!Equals [!Ref KMSKeyArn, ""]]
    Resources:
      S3Bucket:
        Type: 'AWS::S3::Bucket'
        DeletionPolicy: Retain
        UpdateReplacePolicy: Retain
        Properties:
          BucketName: !Ref BucketName
          PublicAccessBlockConfiguration:
            BlockPublicAcls: true
            BlockPublicPolicy: true
            IgnorePublicAcls: true
            RestrictPublicBuckets: true
          BucketEncryption:
            ServerSideEncryptionConfiguration:
              - !If
                - KMSKeysProvided
                - ServerSideEncryptionByDefault:
                    SSEAlgorithm: !Ref SSEAlgorithm
                    KMSMasterKeyID: !Ref KMSKeyArn
                  BucketKeyEnabled: true
                - !Ref "AWS::NoValue"
    ```

    When I am selecting the SSEAlgorithm as `AES256` I am receiving this error: **Property ServerSideEncryptionConfiguration cannot be empty**. I know `KMSMasterKeyID` should not be present when the SSEAlgorithm is of AES256 type, but I am confused how to get rid of this error. Please help.
    2 answers, 0 votes, 14 views, asked 12 hours ago
  • I didn't understand the concept of delegating admin access to a member account for certain services (say GuardDuty etc.). Why is that delegation required? Generally at an enterprise level, AWS SSO in the management account is integrated with an IdP (mostly Azure) and users/groups would be able to access the member accounts as per the permission sets and SCPs defined. If I gave the security account access to a particular group/user in Azure AD and restricted the access to all others, what is this concept of delegation? Can anyone help me with this?
    4 answers, 0 votes, 22 views
    nishan
    asked 16 hours ago
  • Here is an example of creating a tag for a stack.

    ```javascript
    // cloudFormation (an SDK CloudFormation client), stackName and templateUrl
    // are defined elsewhere in the calling code
    const tags = [
      { Key: 'Environment', Value: 'Development' },
    ];

    // Create the stack with tags
    try {
      const response = await cloudFormation
        .createStack({
          StackName: stackName,
          TemplateURL: templateUrl,
          Tags: tags,
        })
        .promise();
    } catch (err) {
      console.error(err);
    }
    ```

    When you create a tag at stack level, how do you retrieve the tag from the stack? What is the API? I did not find anything here: https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cloudformation/classes/cloudformation.html
    3 answers, 0 votes, 13 views, asked a day ago
  • I'm trying to better understand the cost associated with CloudWatch Metric Filters and dimensions. Specifically, the explanations of the cost structure and the calculator are not clear in terms of how to identify what exactly constitutes a charge. The pricing calculator only allows you to input the "number of metrics", but it isn't clear if the number of metrics is just the configuration or if it is the data from the logs themselves. I want to have insight into how much it will cost me to set up a metric that is structured similar to this: I have a log statement that looks like `{ "foo": "x", "bar": "y", "baz": "z" }`, and one metric filter on the word "foo" with 1 dimension: `Bar = $.bar`. I know that my logs could produce up to a maximum of 16 different values for bar. Assuming that my logs write these statements at a rate of approximately 1.6 per second, how much would I be charged in a single month for this metric filter? If I added a dimension of `Baz = $.baz` and there are a maximum of up to 4 different values for baz, does that mean I multiply the previous amount by 4?
    0 answers, 0 votes, 3 views, asked a day ago
  • Hi guys, I want to cancel an exam (2.4.2023). Can I get a refund for the exam fee? Thanks in advance!
    1 answer, 0 votes, 21 views, asked a day ago
  • Hi, I've created a new s2s VPN connection, but my tunnels are down. Therefore, I've enabled logs to check what's wrong. I created a log group and enabled logs; however, there are no logs. There's just one log stream called **log_stream_created_by_aws_to_validate_log_delivery_subscriptions** which has the following entry ![Enter image description here](/media/postImages/original/IMTMpEtT5mR9uMbD7xAWCT3A) What am I doing incorrectly?
    1 answer, 0 votes, 12 views, asked a day ago
  • Hi, I am deploying a Lambda function that utilizes the NLTK packages for preprocessing text. For the application to work I need to download the stopwords, punkt and wordnet libraries. I have deployed using a Docker image and the SAM CLI. When the function runs on AWS, I get a series of errors when trying to access the NLTK libraries. The first error I got was that '/home/sbx_user1051/' cannot be edited. After reading solutions on Stack Overflow, I was pointed in the direction of needing to store the NLTK libraries in the /tmp/ directory because that is the only directory that can be modified. Now, after redeploying the image with the changes to the code, I have the files stored in /tmp, but the Lambda function does not search for that file when trying to access the stopwords. It still tries to search for the file in these directories:
    - '/home/sbx_user1051/nltk_data'
    - '/var/lang/nltk_data'
    - '/var/lang/share/nltk_data'
    - '/var/lang/lib/nltk_data'
    - '/usr/share/nltk_data'
    - '/usr/local/share/nltk_data'
    - '/usr/lib/nltk_data'
    - '/usr/local/lib/nltk_data'
    What should I do about importing the NLTK libraries needed when running this function on AWS Lambda?
    0 answers, 0 votes, 11 views
    Tyler
    asked a day ago
  • I want to transfer my root user to an IAM user account. Am I still able to manage the IAM user accounts that were linked to my root account after the transfer?
    1 answer, 0 votes, 10 views, asked a day ago
  • How do I **reset** access to my root account? The current user has left the organisation and we no longer have access to his mobile or 2FA, but we do have access to his email account. I do have an administrator IAM user account, but I want to reclaim access to the **root** account.
    1 answer, 0 votes, 14 views, asked a day ago
  • Hi team, I am trying to set up an alarm over two days, and I am getting this error: "Metrics cannot be checked across more than a day (EvaluationPeriods * Period must be <= 86400)". There is no way around this: if you adjust the period to be 6 hours and the evaluation periods to be 5 it exceeds the threshold, and vice versa. Any alternatives or approaches?
    2 answers, 0 votes, 5 views, asked a day ago
  • Hi, I am using the below template for creating a new AWS Transfer Family server with a VPC endpoint. But we could not reach the VPC endpoint from other networks, because it seems to be a routing issue. Can anyone please suggest how to fix this? **Error screenshot** ![Enter image description here](/media/postImages/original/IMsNyRdeqfSiu0T5C59Ha65g) **Successful screenshot - currently in production** ![Enter image description here](/media/postImages/original/IMZMP19bGtRdKzP45JiqDI5w)

    ```yaml
    Description: >-
      This template create aws transfer family with add user and deploys a VPC and
      security group, with a pair of public and private subnets spread across
      Single Availability Zones. It deploys an internet gateway, with a default
      route on the public subnets. It deploys a pair of NAT gateways (one AZ), and
      default routes for them in the private subnets,
    AWSTemplateFormatVersion: '2010-09-09'
    Parameters:
      EnvironmentName:
        Description: An environment name that is prefixed to resource names
        Type: String
      VpcCIDR:
        Description: Please enter the IP range (CIDR notation) for this VPC
        Type: String
        Default: 10.192.0.0/16
      PublicSubnetCIDR:
        Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone
        Type: String
        Default: 10.192.10.0/24
      PrivateSubnetCIDR:
        Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone
        Type: String
        Default: 10.192.20.0/24
      CreateServer:
        AllowedValues:
          - 'true'
          - 'false'
        Type: String
        Description: >-
          Whether this stack creates a server internally or not. If a server is
          created internally, the customer identity provider is automatically
          associated with it.
        Default: 'true'
      Endpointtype:
        AllowedValues:
          - 'Internal'
          - 'Internet facing'
        Type: String
        Default: 'Internet facing'
    Conditions:
      CreateServer:
        'Fn::Equals':
          - Ref: CreateServer
          - 'true'
    Resources:
      VPC:
        Type: AWS::EC2::VPC
        Properties:
          CidrBlock: !Ref VpcCIDR
          EnableDnsSupport: true
          EnableDnsHostnames: true
          Tags:
            - Key: Name
              Value: !Sub ${EnvironmentName} Resources
      CloudWatchLoggingRole:
        Description: IAM role used by Transfer to log API requests to CloudWatch
        Type: 'AWS::IAM::Role'
        Condition: CreateServer
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - transfer.amazonaws.com
                Action:
                  - 'sts:AssumeRole'
      GoldcoastTvodUser:
        Type: 'AWS::Transfer::User'
        Properties:
          HomeDirectory: "/goldcoast-tvod"
          HomeDirectoryType: "PATH"
          Policy:
            'Fn::Sub': |
              {
                "Version": "2012-10-17",
                "Statement": {
                  "Sid": "AllowFullAccessToBucket",
                  "Action": "s3:*",
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:s3:::goldcoast-tvod",
                    "arn:aws:s3:::goldcoast-tvod/*"
                  ]
                }
              }
          Role:
            'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole'
          ServerId:
            'Fn::GetAtt': TransferServer.ServerId
          SshPublicKeys:
            - >-
              ssh-rsa AAAAB3
          UserName: GoldcoastTvodUser
      etcsvoduser:
        Type: 'AWS::Transfer::User'
        Properties:
          HomeDirectory: "/etc-svod"
          HomeDirectoryType: "PATH"
          Policy:
            'Fn::Sub': |
              {
                "Version": "2012-10-17",
                "Statement": {
                  "Sid": "AllowFullAccessToBucket",
                  "Action": "s3:*",
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"
                  ]
                }
              }
          Role:
            'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole'
          ServerId:
            'Fn::GetAtt': TransferServer.ServerId
          SshPublicKeys:
            - >-
              ssh-rsa AAAAB3
          UserName: etc-svod-user
      etctvoduser:
        Type: 'AWS::Transfer::User'
        Properties:
          HomeDirectory: "/tvn-tvod"
          HomeDirectoryType: "PATH"
          Policy:
            'Fn::Sub': |
              {
                "Version": "2012-10-17",
                "Statement": {
                  "Sid": "AllowFullAccessToBucket",
                  "Action": "s3:*",
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"
                  ]
                }
              }
          Role:
            'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole'
          ServerId:
            'Fn::GetAtt': TransferServer.ServerId
          SshPublicKeys:
            - >-
              ssh-rsa AAAAB3
          UserName: etc-tvod-user
      lhtcsvoduser:
        Type: 'AWS::Transfer::User'
        Properties:
          HomeDirectory: "/lhtc-svod"
          HomeDirectoryType: "PATH"
          Policy:
            'Fn::Sub': |
              {
                "Version": "2012-10-17",
                "Statement": {
                  "Sid": "AllowFullAccessToBucket",
                  "Action": "s3:*",
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"
                  ]
                }
              }
          Role:
            'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole'
          ServerId:
            'Fn::GetAtt': TransferServer.ServerId
          SshPublicKeys:
            - >-
              ssh-rsa AAAAB3
          UserName: lhtc-svod-user
      lhtctvoduser:
        Type: 'AWS::Transfer::User'
        Properties:
          HomeDirectory: "/tvn-tvod"
          HomeDirectoryType: "PATH"
          Policy:
            'Fn::Sub': |
              {
                "Version": "2012-10-17",
                "Statement": {
                  "Sid": "AllowFullAccessToBucket",
                  "Action": "s3:*",
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"
                  ]
                }
              }
          Role:
            'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole'
          ServerId:
            'Fn::GetAtt': TransferServer.ServerId
          SshPublicKeys:
            - >-
              ssh-rsa AAAAB3
          UserName: lhtc-tvod-user
      mastercopyfoleuser:
        Type: 'AWS::Transfer::User'
        Properties:
          HomeDirectory: "/mastercopyfiles"
          HomeDirectoryType: "PATH"
          Policy:
            'Fn::Sub': |
              {
                "Version": "2012-10-17",
                "Statement": {
                  "Sid": "AllowFullAccessToBucket",
                  "Action": "s3:*",
                  "Effect": "Allow",
                  "Resource": [
                    "arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"
                  ]
                }
              }
          Role:
            'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole'
          ServerId:
            'Fn::GetAtt': TransferServer.ServerId
          SshPublicKeys:
            - >-
              ssh-rsa AAAAB3
          UserName: mastercopyfole-user
      InternetGateway:
        Type: AWS::EC2::InternetGateway
        Properties:
          Tags:
            - Key: Name
              Value: !Ref EnvironmentName
      InternetGatewayAttachment:
        Type: AWS::EC2::VPCGatewayAttachment
        Properties:
          InternetGatewayId: !Ref InternetGateway
          VpcId: !Ref VPC
      PublicSubnet:
        Type: AWS::EC2::Subnet
        Properties:
          VpcId: !Ref VPC
          AvailabilityZone: !Select [ 0, !GetAZs '' ]
          CidrBlock: !Ref PublicSubnetCIDR
          MapPublicIpOnLaunch: true
          Tags:
            - Key: Name
              Value: !Sub ${EnvironmentName} Public Subnet
      PrivateSubnet:
        Type: AWS::EC2::Subnet
        Properties:
          VpcId: !Ref VPC
          AvailabilityZone: !Select [ 0, !GetAZs '' ]
          CidrBlock: !Ref PrivateSubnetCIDR
          MapPublicIpOnLaunch: false
          Tags:
            - Key: Name
              Value: !Sub ${EnvironmentName} Private Subnet
      NatGatewayEIP:
        Type: AWS::EC2::EIP
        DependsOn: InternetGatewayAttachment
        Properties:
          Domain: vpc
          Tags:
            - Key: Name
              Value: !Sub ${EnvironmentName} Elastic Ip
      PublicRouteTable:
        Type: AWS::EC2::RouteTable
        Properties:
          VpcId: !Ref VPC
          Tags:
            - Key: Name
              Value: !Sub ${EnvironmentName} Public Routes
      PublicSubnetRouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
          RouteTableId: !Ref PublicRouteTable
          SubnetId: !Ref PublicSubnet
      PrivateRouteTable:
        Type: AWS::EC2::RouteTable
        Properties:
          VpcId: !Ref VPC
          Tags:
            - Key: Name
              Value: !Sub ${EnvironmentName} Private Routes
      PrivateSubnetRouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
          RouteTableId: !Ref PrivateRouteTable
          SubnetId: !Ref PrivateSubnet
      SecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          GroupName: "Production Security Group"
          GroupDescription: "Security Group with inbound and outbound rule"
          VpcId: !Ref VPC
          SecurityGroupIngress:
            - IpProtocol: tcp
              FromPort: 80
              ToPort: 80
              CidrIp: 0.0.0.0/0
            - IpProtocol: tcp
              FromPort: 22
              ToPort: 22
              CidrIp: 0.0.0.0/0
            - IpProtocol: udp
              FromPort: 69
              ToPort: 69
              CidrIp: 96.47.148.171/32
            - IpProtocol: tcp
              FromPort: 22
              ToPort: 22
              CidrIp: 3.16.146.0/29
          SecurityGroupEgress:
            - IpProtocol: tcp
              FromPort: 80
              ToPort: 80
              CidrIp: 0.0.0.0/0
          Tags:
            - Key: Name
              Value: !Sub ${EnvironmentName}
      TfVPCInterfaceEndpoint:
        Type: 'AWS::EC2::VPCEndpoint'
        Properties:
          VpcEndpointType: Interface
          ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs'
          VpcId: !Ref VPC
          SubnetIds:
            - !Ref PublicSubnet
          SecurityGroupIds:
            - !Ref SecurityGroup
      TransferServer:
        Type: 'AWS::Transfer::Server'
        Condition: CreateServer
        Properties:
          EndpointType: 'VPC'
          SecurityPolicyName: TransferSecurityPolicy-FIPS-2020-06
          LoggingRole:
            'Fn::GetAtt': CloudWatchLoggingRole.Arn
          EndpointDetails:
            VpcId: !Ref VPC
            SubnetIds:
              - !Ref PublicSubnet
            AddressAllocationIds:
              - !GetAtt NatGatewayEIP.AllocationId
          # the posted template repeated this Tags key; a YAML mapping may hold it only once
          Tags:
            - Key: Name
              Value: !Sub ${EnvironmentName} Transferserver
    ```
    1 answer, 0 votes, 16 views, asked a day ago
  • Hello, we have an organization with several AWS accounts under it, and we are in the process of adding SSO to them with AWS IAM Identity Center. However, there is a cluster of these accounts that belongs to our security people, which we want to keep independent; yet they would like to have the benefits of SSO in their accounts if possible. So, is it possible to delegate so that they can have their own independent Directory Service based IAM Identity Center to use only on their accounts? To sum this up: we would like to have multiple IAM Identity Center instances (backed by different AWS Directory Services in different accounts) to manage SSO to different sets of accounts within the same AWS Organization. This would allow us to keep our infosec folks fully independent from our cloud engineering / IT people while providing SSO to the different teams.
    0 answers, 0 votes, 7 views, asked a day ago
  • Dear Amazon, our bounce rate is currently 0.1%, which is way too high according to your standard. The Bouncetype for most of them is "Transient" with Bouncesubtype "General". How many days does it take for the "General" Bouncesubtype to become a hard bounce, and how many percentage points will the bounce rate gain? What is the percentage-point weight of: Bouncetype "Transient" Bouncesubtype "General"; Bouncetype "Undetermined" Bouncesubtype "Undetermined"; Bouncetype "Permanent" Bouncesubtype "General"? Thanks in advance! With kind regards,
    0 answers, 0 votes, 2 views, asked a day ago
  • Hi team, I have used the same account details to log in to the GCP cloud, and in the GCP account I had faced a billing issue. In the meanwhile I checked my AWS account, and for this AWS account I am facing an issue like "AWS account blocked". Can this issue be solved within 3 hours, because I need to submit a project to my manager?
    1 answer, 0 votes, 21 views, asked a day ago
  • After closing my root account, all the IAM user accounts, including my admin IAM account, are now getting an authentication error when trying to log in to the AWS console. My plan is to terminate my root account and transfer to an admin account without the IAM users getting authentication errors when they try to log in, while still being able to manage those IAM user accounts. How can I resolve this issue?
    1 answer, 0 votes, 16 views, asked a day ago
  • AWS ECS Fargate is being deployed through the AWS CLI, using the console only for the task definition, with the rest of the cluster, service, container, and deployment done via the CLI. One day, I saw that the task definitions were created as stacks in CloudFormation (failure records were also included). Searching and looking at the official documentation says that the stack is not created in CloudFormation. What is the cause, and how do I prevent it from spawning? I created it by referring to the following document: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-blue-green.html
    0 answers, 0 votes, 11 views
    joker
    asked a day ago
