├── .gitignore ├── README.md ├── images └── aws.png ├── policies ├── iam │ ├── billing-access-policy.json │ ├── cfn-resource-policy.json │ ├── cloudtrail-access-policy.json │ ├── power-user-policy.json │ ├── route53-hostedzone-policy.json │ └── subnet-access-policy.json └── s3 │ ├── cloudtrail-policy.json │ ├── public-policy.json │ └── root-only-policy.json ├── scripts ├── python │ ├── build-vpc │ │ └── README.md │ ├── create-trails │ │ └── README.md │ ├── default-vpc │ │ └── README.md │ ├── sg-chkr │ │ └── README.md │ └── subnet-test │ │ └── README.md └── shell │ ├── ebs-snapshot │ └── README.md │ ├── key-chkr │ └── README.md │ ├── r53-healthchk-sg │ └── README.md │ └── trail-chkr │ └── README.md ├── templates ├── cfn │ └── README.md └── other │ └── stack-update-policy.json └── tools ├── create-nat-rt ├── LICENSE.md ├── README.md ├── create-nat-rt.py └── routes.txt └── s3-object-storageclass ├── LICENSE.md ├── README.md ├── s3-object-role.json └── s3-object-storageclass.py /.gitignore: -------------------------------------------------------------------------------- 1 | # OSX files 2 | .DS_Store 3 | .AppleDouble 4 | .LSOverride 5 | scripts/.DS_Store 6 | scripts/*/.DS_Store 7 | scripts/*/*/.DS_Store 8 | templates/.DS_Store 9 | templates/*/.DS_Store 10 | policies/.DS_Store 11 | policies/*/.DS_Store 12 | 13 | # Icon must end with two \r 14 | Icon 15 | 16 | 17 | # Thumbnails 18 | ._* 19 | 20 | # Files that might appear in the root of a volume 21 | .DocumentRevisions-V100 22 | .fseventsd 23 | .Spotlight-V100 24 | .TemporaryItems 25 | .Trashes 26 | .VolumeIcon.icns 27 | 28 | # Images 29 | images/* 30 | *.png 31 | *.jpg 32 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ### A place for my AWS work 2 | 3 | ![AWS Logo](./images/aws.png) 4 | 5 | * **policies:** 6 | JSON policies for IAM, S3, etc. 
7 | 8 | * **scripts:** 9 | Various tools and things mostly python (boto) and shell 10 | 11 | * **templates:** 12 | CloudFormation goodies 13 | 14 | * **wiki:** 15 | notes, etc. 16 | 17 | --- 18 | 19 | http://about.me/todd_murchison 20 | -------------------------------------------------------------------------------- /images/aws.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/toddm92/aws/35949ee8e7f3fac5316f25c2975bb8185ebabaa6/images/aws.png -------------------------------------------------------------------------------- /policies/iam/billing-access-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version" : "2012-10-17", 3 | "Statement" : [ 4 | { 5 | "Action" : [ 6 | "aws-portal:View*" 7 | ], 8 | "Effect" : "Allow", 9 | "Resource" : "*" 10 | }, 11 | { 12 | "Action" : [ 13 | "aws-portal:Modify*" 14 | ], 15 | "Effect" : "Deny", 16 | "Resource" : "*" 17 | } 18 | ] 19 | } 20 | -------------------------------------------------------------------------------- /policies/iam/cfn-resource-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version" : "2012-10-17", 3 | "Statement" : [ 4 | { 5 | "Action" : [ 6 | "cloudformation:*" 7 | ], 8 | "Effect" : "Allow", 9 | "Resource" : "*" 10 | }, 11 | { 12 | "Action" : [ 13 | "cloudformation:DeleteStack", 14 | "cloudformation:UpdateStack" 15 | ], 16 | "Effect" : "Deny", 17 | "Resource" : "arn:aws:cloudformation:us-west-2:XXXXXXXX2745:stack/*VPC*" 18 | } 19 | ] 20 | } 21 | -------------------------------------------------------------------------------- /policies/iam/cloudtrail-access-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version" : "2012-10-17", 3 | "Statement" : [ 4 | { 5 | "Action" : [ 6 | "cloudtrail:DescribeTrails", 7 | "cloudtrail:GetTrailStatus", 8 | "cloudtrail:LookupEvents" 9 | ], 
10 | "Effect" : "Allow", 11 | "Resource" : "*" 12 | }, 13 | { 14 | "Action" : [ 15 | "cloudtrail:CreateTrail", 16 | "cloudtrail:DeleteTrail", 17 | "cloudtrail:StartLogging", 18 | "cloudtrail:StopLogging", 19 | "cloudtrail:UpdateTrail" 20 | ], 21 | "Effect" : "Deny", 22 | "Resource" : "*" 23 | } 24 | ] 25 | } 26 | -------------------------------------------------------------------------------- /policies/iam/power-user-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version" : "2012-10-17", 3 | "Statement" : [ 4 | { 5 | "NotAction" : "iam:*", 6 | "Effect" : "Allow", 7 | "Resource" : "*" 8 | }, 9 | { 10 | "Sid": "AllowUserToManageTheirOwnCreds", 11 | "Action" : [ 12 | "iam:CreateVirtualMFADevice", 13 | "iam:DeleteVirtualMFADevice", 14 | "iam:EnableMFADevice", 15 | "iam:DeactivateMFADevice", 16 | "iam:ResyncMFADevice", 17 | "iam:CreateAccessKey", 18 | "iam:UpdateAccessKey", 19 | "iam:DeleteAccessKey", 20 | "iam:UpdateLoginProfile", 21 | "iam:ChangePassword" 22 | ], 23 | "Effect" : "Allow", 24 | "Resource" : [ 25 | "arn:aws:iam::XXXXXXXX5057:user/${aws:username}", 26 | "arn:aws:iam::XXXXXXXX5057:mfa/${aws:username}" 27 | ], 28 | "Condition": { 29 | "Bool" : { "aws:SecureTransport" : "true" }, 30 | "Null" : { "aws:MultiFactorAuthAge" : "false" } 31 | } 32 | }, 33 | { 34 | "Sid": "ViewReadOnlyOtherUserInfo", 35 | "Action" : [ 36 | "iam:List*", 37 | "iam:Get*" 38 | ], 39 | "Effect" : "Allow", 40 | "Resource" : "*" 41 | } 42 | ] 43 | } 44 | -------------------------------------------------------------------------------- /policies/iam/route53-hostedzone-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version" : "2012-10-17", 3 | "Statement" : [ 4 | { 5 | "Action" : "route53:*", 6 | "Effect" : "Allow", 7 | "Resource" : "*" 8 | }, 9 | { 10 | "Action" : [ 11 | "route53:ChangeResourceRecordSets", 12 | "route53:DeleteHostedZone" 13 | ], 14 | "Effect" : "Deny", 15 | 
"Resource" : "arn:aws:route53:::hostedzone/ZMYP5IX6PL8YW" 16 | } 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /policies/iam/subnet-access-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version" : "2012-10-17", 3 | "Statement" : [ 4 | { 5 | "Action" : [ 6 | "ec2:RunInstances" 7 | ], 8 | "Effect" : "Allow", 9 | "Resource" : [ 10 | "arn:aws:ec2:us-west-2:XXXXXXXX5057:subnet/subnet-*" 11 | ], 12 | "Condition" : { 13 | "StringEquals" : { 14 | "ec2:Vpc" : "arn:aws:ec2:us-west-2:XXXXXXXX5057:vpc/vpc-4671c623" 15 | } 16 | } 17 | }, 18 | { 19 | "Action" : [ 20 | "ec2:RunInstances" 21 | ], 22 | "Effect" : "Allow", 23 | "Resource" : [ 24 | "arn:aws:ec2:us-west-2::image/ami-*", 25 | "arn:aws:ec2:us-west-2:XXXXXXXX5057:instance/*", 26 | "arn:aws:ec2:us-west-2:XXXXXXXX5057:security-group/sg-*", 27 | "arn:aws:ec2:us-west-2:XXXXXXXX5057:network-interface/*", 28 | "arn:aws:ec2:us-west-2:XXXXXXXX5057:volume/*", 29 | "arn:aws:ec2:us-west-2:XXXXXXXX5057:key-pair/*" 30 | ] 31 | }, 32 | { 33 | "Action" : [ 34 | "ec2:RunInstances" 35 | ], 36 | "Effect" : "Deny", 37 | "Resource" : [ 38 | "arn:aws:ec2:us-west-2:XXXXXXXX5057:subnet/subnet-f3558184", 39 | "arn:aws:ec2:us-west-2:XXXXXXXX5057:subnet/subnet-a224d2fb" 40 | ] 41 | } 42 | ] 43 | } 44 | -------------------------------------------------------------------------------- /policies/s3/cloudtrail-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version" : "2012-10-17", 3 | "Statement" : [ 4 | { 5 | "Sid" : "AWSCloudTrailAclCheck20131101", 6 | "Effect" : "Allow", 7 | "Principal" : { 8 | "AWS" : [ 9 | "arn:aws:iam::903692715234:root", 10 | "arn:aws:iam::859597730677:root", 11 | "arn:aws:iam::814480443879:root", 12 | "arn:aws:iam::216624486486:root", 13 | "arn:aws:iam::086441151436:root", 14 | "arn:aws:iam::388731089494:root", 15 | "arn:aws:iam::284668455005:root", 16 | 
"arn:aws:iam::113285607260:root", 17 | "arn:aws:iam::035351147821:root" 18 | ] 19 | }, 20 | "Action" : "s3:GetBucketAcl", 21 | "Resource" : "arn:aws:s3:::cloudtrail-logs" 22 | }, 23 | { 24 | "Sid" : "AWSCloudTrailWrite20131101", 25 | "Effect" : "Allow", 26 | "Principal" : { 27 | "AWS" : [ 28 | "arn:aws:iam::903692715234:root", 29 | "arn:aws:iam::859597730677:root", 30 | "arn:aws:iam::814480443879:root", 31 | "arn:aws:iam::216624486486:root", 32 | "arn:aws:iam::086441151436:root", 33 | "arn:aws:iam::388731089494:root", 34 | "arn:aws:iam::284668455005:root", 35 | "arn:aws:iam::113285607260:root", 36 | "arn:aws:iam::035351147821:root" 37 | ] 38 | }, 39 | "Action" : "s3:PutObject", 40 | "Resource" : [ 41 | "arn:aws:s3:::cloudtrail-logs/prod/AWSLogs/XXXXXXXX7354/*", 42 | "arn:aws:s3:::cloudtrail-logs/stage/AWSLogs/XXXXXXXX2745/*", 43 | "arn:aws:s3:::cloudtrail-logs/dev/AWSLogs/XXXXXXXX4557/*" 44 | ], 45 | "Condition" : { 46 | "StringEquals" : { 47 | "s3:x-amz-acl" : "bucket-owner-full-control" 48 | } 49 | } 50 | }, 51 | { 52 | "Sid": "EnableMFADelete", 53 | "Effect": "Deny", 54 | "Principal": "*", 55 | "Action": "s3:Delete*", 56 | "Resource": "arn:aws:s3:::cloudtrail-logs/*", 57 | "Condition": { 58 | "Null": { 59 | "aws:MultiFactorAuthAge": "true" 60 | } 61 | } 62 | } 63 | ] 64 | } 65 | -------------------------------------------------------------------------------- /policies/s3/public-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version" : "2008-10-17", 3 | "Statement" : [ 4 | { 5 | "Sid" : "AllowPublic", 6 | "Effect" : "Allow", 7 | "Principal" : { 8 | "AWS" : "*" 9 | }, 10 | "Action" : "s3:GetObject", 11 | "Resource" : "arn:aws:s3:::bucket/Public/*" 12 | } 13 | ] 14 | } 15 | -------------------------------------------------------------------------------- /policies/s3/root-only-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2008-10-17", 3 | 
"Statement": [ 4 | { 5 | "Effect": "Deny", 6 | "NotPrincipal": { 7 | "AWS": "arn:aws:iam::XXXXXXXXXXXX:root" 8 | }, 9 | "Action": "s3:PutObject", 10 | "Resource": "arn:aws:s3:::bucket/*" 11 | } 12 | ] 13 | } 14 | -------------------------------------------------------------------------------- /scripts/python/build-vpc/README.md: -------------------------------------------------------------------------------- 1 | ### Create an AWS VPC 2 | 3 | This Python script creates a two or three availability-zone VPC in the AWS region of choice. 4 | 5 | Moved into its own repo: 6 | 7 | https://github.com/toddm92/vpc-create 8 | 9 | API Flask version: 10 | 11 | https://github.com/toddm92/flask-vpc-create 12 | -------------------------------------------------------------------------------- /scripts/python/create-trails/README.md: -------------------------------------------------------------------------------- 1 | ### Create Trails 2 | 3 | This Python script will enable CloudTrail in all regions for an AWS account. 4 | 5 | Moved into its own reop: 6 | 7 | https://github.com/toddm92/trails-create 8 | -------------------------------------------------------------------------------- /scripts/python/default-vpc/README.md: -------------------------------------------------------------------------------- 1 | ### Remove AWS Default VPCs 2 | 3 | This Python script attempts to delete those pesky default VPCs in all regions from your AWS account. 4 | 5 | Moved into its own repo: 6 | 7 | https://github.com/toddm92/vpc-delete 8 | -------------------------------------------------------------------------------- /scripts/python/sg-chkr/README.md: -------------------------------------------------------------------------------- 1 | ### Security Group Checker 2 | 3 | This Python script checks your AWS security groups in all regions for "open" (i.e. 0.0.0.0/0) statements and reports the results. 
4 | 5 | Moved into its own repo: 6 | 7 | https://github.com/toddm92/sg-chkr 8 | -------------------------------------------------------------------------------- /scripts/python/subnet-test/README.md: -------------------------------------------------------------------------------- 1 | ### VPC AZ Subnet Test 2 | 3 | It's not uncommon in older AWS accounts (i.e. with EC2-Classic) to come across a "deprecated zone" where VPC subnets are not permitted. 4 | This Python script tests creating a VPC subnet in each availability-zone for every AWS region. 5 | 6 | Moved into its own repo: 7 | 8 | https://github.com/toddm92/vpc-subnet-test 9 | -------------------------------------------------------------------------------- /scripts/shell/ebs-snapshot/README.md: -------------------------------------------------------------------------------- 1 | ### Automated EBS Volume Snapshots 2 | 3 | This BASH script will create a snapshot of AWS EBS volumes matching 4 | a specific TAG key/value pair. It will look for snapshots older than a retention 5 | period/date and remove them. 6 | 7 | Moved into its own repo: 8 | 9 | https://github.com/toddm92/ebs-snapshot 10 | -------------------------------------------------------------------------------- /scripts/shell/key-chkr/README.md: -------------------------------------------------------------------------------- 1 | ### Check IAM Users API Keys 2 | 3 | This BASH script checks the age of the API keys for all your AWS IAM users. 4 | It's good practice to rotate these keys every 60 to 90 days. 5 | 6 | Moved into its own repo: 7 | 8 | https://github.com/toddm92/key-chkr 9 | -------------------------------------------------------------------------------- /scripts/shell/r53-healthchk-sg/README.md: -------------------------------------------------------------------------------- 1 | ### R53 HealthCheck Security Group 2 | 3 | This BASH script creates a Route 53 healthcheck VPC security group.
It grabs a list of AWS CIDRs used to perform health checks 4 | on your services (ELBs, EC2 instances, etc.) and builds a security group that only permits these CIDRs. 5 | 6 | Moved into its own repo: 7 | 8 | https://github.com/toddm92/r53-healthchk-sg 9 | -------------------------------------------------------------------------------- /scripts/shell/trail-chkr/README.md: -------------------------------------------------------------------------------- 1 | ### Check AWS CloudTrail Status 2 | 3 | This BASH script checks the name and status of CloudTrail in all regions of your AWS account. 4 | 5 | Moved into its own repo: 6 | 7 | https://github.com/toddm92/trail-chkr 8 | -------------------------------------------------------------------------------- /templates/cfn/README.md: -------------------------------------------------------------------------------- 1 | ### AWS CloudFormation Templates 2 | 3 | These templates have been moved into their own repo: 4 | 5 | https://github.com/toddm92/cfn-templates 6 | 7 | Build an entire AWS environment with Templates: 8 | 9 | https://github.com/toddm92/mock-aws-env 10 | -------------------------------------------------------------------------------- /templates/other/stack-update-policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Statement" : [ 3 | { 4 | "Effect" : "Deny", 5 | "Action" : "Update:Replace", 6 | "Principal" : "*", 7 | "Resource" : "LogicalResourceId/*NATServer*" 8 | }, 9 | { 10 | "Effect" : "Allow", 11 | "Action" : "Update:*", 12 | "Principal" : "*", 13 | "Resource" : "*" 14 | } 15 | ] 16 | } 17 | -------------------------------------------------------------------------------- /tools/create-nat-rt/LICENSE.md: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 Todd Murchison 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and 
associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /tools/create-nat-rt/README.md: -------------------------------------------------------------------------------- 1 | ### Build VPC NAT Route Tables 2 | 3 | This Python tool creates one or more route tables in an existing VPC. Used for sending specific traffic (prefixes) thru a NAT gateway. 4 | 5 | **Requirements:** 6 | 7 | * Tested w/ python version 2.7 / boto version 2.38 8 | * Valid AWS API keys/ profile 9 | 10 | **Usage:** 11 | 12 | ``` 13 | create-nat-rt.py 14 | ``` 15 | 16 | **Output:** 17 | 18 | ``` 19 | ./create-nat-rt.py 20 | 21 | This tool creates one or more route tables in a VPC specified by the user. 22 | 23 | It depends on the following information: 24 | -A valid VPC Id (with an existing igw) - i.e. vpc-d74084b2 25 | -One or more valid NAT instance Ids - i.e. 
i-dda86df7 26 | -A plain text file named "routes.txt" located in the current working directory 27 | 28 | routes.txt should contain one CIDR address per line in the form: 29 | 54.246.41.217/32 30 | 176.34.169.223/32 31 | 54.228.73.202/32 32 | ... 33 | 34 | Modify the "PROFILE" variable as needed. 35 | 36 | 37 | Enter your vpc-id: vpc-d9b462bc 38 | Enter the NAT instance id for this route table: i-d807c102 39 | Populating routes.. 40 | Creating default route.. 41 | Route Table name? Nat-AZ-1 42 | New Route Table Id for nat-az-1 : rtb-bccaf3d9 43 | 44 | Create another Route Table? y 45 | Enter the NAT instance id for this route table: i-d807d203 46 | Populating routes.. 47 | Creating default route.. 48 | Route Table name? Nat-AZ-2 49 | New Route Table Id for nat-az-2 : rtb-86caf3e3 50 | 51 | Create another Route Table? n 52 | ``` 53 | 54 | New route-table: 55 | 56 | ``` 57 | aws ec2 describe-route-tables --route-table-ids rtb-bccaf3d9 --profile eng --region us-west-2 58 | { 59 | "RouteTables": [ 60 | { 61 | "RouteTableId": "rtb-bccaf3d9", 62 | "VpcId": "vpc-d9b462bc", 63 | "Routes": [ 64 | { 65 | "InstanceOwnerId": "757867887354", 66 | "DestinationCidrBlock": "46.137.161.154/32", 67 | "InstanceId": "i-d807c102", 68 | "NetworkInterfaceId": "eni-d6f1088c", 69 | "Origin": "CreateRoute", 70 | "State": "active" 71 | }, 72 | { 73 | "InstanceOwnerId": "757867887354", 74 | "DestinationCidrBlock": "54.220.89.165/32", 75 | "InstanceId": "i-d807c102", 76 | "NetworkInterfaceId": "eni-d6f1088c", 77 | "Origin": "CreateRoute", 78 | "State": "active" 79 | }, 80 | { 81 | "InstanceOwnerId": "757867887354", 82 | "DestinationCidrBlock": "54.246.95.224/32", 83 | "InstanceId": "i-d807c102", 84 | "NetworkInterfaceId": "eni-d6f1088c", 85 | "Origin": "CreateRoute", 86 | "State": "active" 87 | }, 88 | { ... 
89 | }, 90 | ], 91 | "Associations": [], 92 | "Tags": [ 93 | { 94 | "Key": "Name", 95 | "Value": "nat-az-1" 96 | } 97 | ], 98 | "PropagatingVgws": [] 99 | } 100 | ] 101 | } 102 | ``` 103 | -------------------------------------------------------------------------------- /tools/create-nat-rt/create-nat-rt.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # Python Version: 2.7 4 | # Boto Version 2.38 5 | # 6 | # Build VPC NAT route tables 7 | # Used for sending specified traffic thru a NAT gateway 8 | # 9 | 10 | # Must be the first line 11 | from __future__ import print_function 12 | 13 | import sys 14 | import boto.vpc 15 | 16 | # Modify variables as needed 17 | PROFILE = 'eng' # (from your ~/.boto) 18 | REGION = 'us-west-2' 19 | 20 | myregion = boto.ec2.get_region(region_name=REGION) 21 | conn = boto.vpc.VPCConnection(profile_name=PROFILE, region=myregion) 22 | 23 | def usage(): 24 | """ Usage statement """ 25 | 26 | print(""" 27 | This tool creates one or more route tables in a VPC specified by the user. 28 | 29 | It depends on the following information: 30 | -A valid VPC Id (with an existing igw) - i.e. vpc-d74084b2 31 | -One or more valid NAT instance Ids - i.e. i-dda86df7 32 | -A plain text file named "routes.txt" located in the current working directory 33 | 34 | routes.txt should contain one CIDR address per line in the form: 35 | 54.246.41.217/32 36 | 176.34.169.223/32 37 | 54.228.73.202/32 38 | ... 39 | 40 | Modify the "PROFILE" variable as needed. 
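""")

def create_rtb(vpc, igw = "None", instance = "None"):
    """ Create VPC route-table

    Reads one IPv4 CIDR per line from ./routes.txt, creates a new route
    table in ``vpc``, routes every listed prefix to the NAT instance
    ``instance`` and finishes with a 0.0.0.0/0 default route via ``igw``.

    The routes file is read and validated *before* the first AWS call, so a
    missing or malformed file never leaves a half-populated route table
    behind.  Blank lines and lines starting with '#' are ignored.

    Args:
        vpc: VPC Id the route table is created in (e.g. vpc-xxxxxxxx).
        igw: Internet gateway Id for the default route.  The "None" string
            default is a placeholder kept for compatibility; every caller in
            this file passes a real Id.
        instance: NAT instance Id the listed prefixes are routed to.  Same
            placeholder caveat as ``igw``.

    Returns:
        The Id of the newly created route table.

    Raises:
        SystemExit: status 1 when routes.txt cannot be read or contains an
            entry that is not an IPv4 CIDR.
    """

    try:
        # 'with' closes the handle on every path (the original only closed
        # it after the last API call succeeded).
        with open('routes.txt', 'r') as route_list:
            routes = [line.strip() for line in route_list]
    except Exception as e:
        print(e)
        sys.exit(1)

    # Drop blank lines and comments; the original loop would have sent an
    # empty destination to the API and died with an uncaught error.
    routes = [r for r in routes if r and not r.startswith('#')]

    # Fail closed before creating anything: a bad entry must not silently
    # leave a prefix outside the NAT path.
    bad = [r for r in routes if not _is_ipv4_cidr(r)]
    if bad:
        print('routes.txt contains invalid CIDR entries:', ', '.join(bad))
        sys.exit(1)

    newrt = conn.create_route_table(vpc)

    print('Populating routes..')
    for route in routes:
        # Listed prefixes are steered through the NAT instance
        conn.create_route(newrt.id, route, gateway_id=None, instance_id=instance, interface_id=None)

    print('Creating default route..')
    # Everything else leaves via the internet gateway
    conn.create_route(newrt.id, '0.0.0.0/0', gateway_id=igw, instance_id=None, interface_id=None)

    return newrt.id

def _is_ipv4_cidr(text):
    """ Return True when ``text`` is a dotted-quad IPv4 address with a /0-/32 prefix """

    addr, sep, prefix = text.partition('/')
    if not sep or not prefix.isdigit() or int(prefix) > 32:
        return False
    octets = addr.split('.')
    return len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)

def get_nat():
    """ Get NAT Instance Id

    Prompts until the answer starts with 'i-', then verifies the instance
    by describing it.  Exits with status 1 when the describe call fails
    (unknown Id, wrong region, missing permissions).

    Returns:
        The lower-cased, whitespace-stripped instance Id.
    """

    nat_id = ''
    # startswith() rather than a substring test, so stray text around an
    # 'i-' fragment is not accepted as an instance Id.
    while not nat_id.startswith('i-'):
        nat_id = raw_input('Enter the NAT instance id for this route table: ').strip().lower()

    try:
        conn.get_all_instances(instance_ids=nat_id, filters=None, max_results=None)
    except Exception as e:
        # str(e) instead of the deprecated e.message attribute
        print(e)
        sys.exit(1)

    return nat_id

def tag_it(resource):
    """ Tag our route-tables """

    name = ''
    while len(name) == 0:
        name = raw_input('Route Table name? 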
'); name = name.lower() 86 | 87 | conn.create_tags(resource, { 'Name' : name }) 88 | 89 | return name 90 | 91 | def main(): 92 | """ Do the work """ 93 | 94 | # Print usage and instructions 95 | usage() 96 | 97 | # Get the VPC Id 98 | vpc_id = '' 99 | while 'vpc-' not in vpc_id: 100 | vpc_id = raw_input('\nEnter your vpc-id: '); vpc_id = vpc_id.lower() 101 | 102 | try: 103 | conn.get_all_vpcs(vpc_ids=vpc_id, filters=None) 104 | except Exception as e: 105 | print(e.message) 106 | exit(1) 107 | 108 | # Get the igw Id 109 | try: 110 | igw = conn.get_all_internet_gateways(filters={'attachment.vpc-id': vpc_id}) 111 | except Exception as e: 112 | print(e.message) 113 | exit(1) 114 | else: 115 | igw = str(igw[0]) 116 | igw_id = igw[16:] 117 | 118 | # Create the first route table 119 | instance_id = get_nat() 120 | newrt_id = create_rtb(vpc_id, igw_id, instance_id) 121 | tag = tag_it(newrt_id) 122 | print('New Route Table Id for', tag, ':', newrt_id) 123 | 124 | # Ask to create additional route tables 125 | reply = 'yes' 126 | while reply not in ('n', 'no'): 127 | reply = raw_input('\nCreate another Route Table? 
'); reply = reply.lower() 128 | if reply in ( 'y', 'ye', 'yes' ): 129 | instance_id = get_nat() 130 | newrt_id = create_rtb(vpc_id, igw_id, instance_id) 131 | tag = tag_it(newrt_id) 132 | print('New Route Table Id for', tag, ':', newrt_id) 133 | 134 | if __name__ == "__main__": 135 | 136 | main() 137 | -------------------------------------------------------------------------------- /tools/create-nat-rt/routes.txt: -------------------------------------------------------------------------------- 1 | 54.246.41.217/32 2 | 176.34.169.223/32 3 | 54.228.73.202/32 4 | 54.220.43.7/32 5 | 54.217.131.215/32 6 | 79.125.53.236/32 7 | 54.220.89.165/32 8 | 54.216.123.35/32 9 | 54.216.76.132/32 10 | 54.195.183.124/32 11 | 54.220.160.201/32 12 | 54.228.47.133/32 13 | 54.216.232.31/32 14 | 54.217.125.186/32 15 | 54.217.131.206/32 16 | 54.195.44.233/32 17 | 54.195.28.81/32 18 | 54.228.27.0/32 19 | 54.220.240.129/32 20 | 54.220.177.133/32 21 | 54.217.66.231/32 22 | 79.125.33.211/32 23 | 54.220.10.164/32 24 | 54.195.58.35/32 25 | 54.246.95.224/32 26 | 46.137.161.154/32 27 | 54.246.103.8/32 28 | -------------------------------------------------------------------------------- /tools/s3-object-storageclass/LICENSE.md: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 Todd Murchison 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /tools/s3-object-storageclass/README.md: -------------------------------------------------------------------------------- 1 | ### Lambda: Change S3 Object StorageClass 2 | 3 | An S3 'put object' triggers this function. It checks the storage class of the new S3 object (by default STANDARD) and converts the object to STANDARD_IA. 4 | 5 | **Requirements:** 6 | 7 | * Tested w/ python version 2.7 8 | * The s3-object-role.json policy/IAM Role 9 | 10 | ![Lambda Flow Diagram](https://s3-us-west-2.amazonaws.com/toddm92/public/diagrams/sclass-flow.jpg) 11 | -------------------------------------------------------------------------------- /tools/s3-object-storageclass/s3-object-role.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Action": [ 7 | "logs:CreateLogGroup", 8 | "logs:CreateLogStream", 9 | "logs:PutLogEvents" 10 | ], 11 | "Resource": "arn:aws:logs:*:*:*" 12 | }, 13 | { 14 | "Effect": "Allow", 15 | "Action": [ 16 | "s3:GetObject", 17 | "s3:PutObject", 18 | "s3:ListBucket" 19 | ], 20 | "Resource": [ 21 | "arn:aws:s3:::*" 22 | ] 23 | } 24 | ] 25 | } 26 | -------------------------------------------------------------------------------- /tools/s3-object-storageclass/s3-object-storageclass.py: -------------------------------------------------------------------------------- 1 
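import json
import boto3

print('Loading function...')

s3 = boto3.client('s3')

def lambda_handler(event, context):
    """Move a newly written S3 object to the STANDARD_IA storage class.

    Triggered by an S3 'put object' notification.  Looks up the storage
    class of the object named in the event and, unless it is already
    STANDARD_IA, copies the object onto itself with the new class.

    Args:
        event: S3 notification event; ``event['Records'][0]['s3']`` is read.
        context: Lambda context object, unused.

    Raises:
        Whatever the S3 calls raise, after logging it, so the invocation is
        reported as failed instead of silently succeeding.
    """
    # print("EVENT: ", event)

    # Object keys in S3 notifications are URL-encoded (spaces arrive as '+'),
    # so decode before using the key in API calls.
    try:
        from urllib.parse import unquote_plus  # Python 3
    except ImportError:
        from urllib import unquote_plus  # Python 2.7 (see README)

    # Get the object from event
    record = event['Records'][0]['s3']
    bucket = record['bucket']['name']
    key = unquote_plus(record['object']['key'])
    source = bucket + '/' + key

    try:
        # Find the object storage class.  list_objects() is a prefix match,
        # so select the entry whose Key equals the event key instead of
        # trusting Contents[0], which may belong to a different object.
        listing = s3.list_objects(Bucket=bucket, Prefix=key)
        matches = [o for o in listing.get('Contents', []) if o['Key'] == key]
        if not matches:
            raise KeyError('object not found: ' + source)
        storage = matches[0]['StorageClass']

        # Change object to STANDARD_IA class storage.  The copy itself fires
        # another put event; this class check is what stops the loop.
        if storage != 'STANDARD_IA':
            s3.copy_object(Bucket=bucket,
                           CopySource={'Bucket': bucket, 'Key': key},
                           Key=key,
                           StorageClass='STANDARD_IA')
            print('StorageClass for object ' + source + ' changed to STANDARD_IA')
        else:
            print('No change to object ' + source)

    except Exception as e:
        print(e)
        print('Error getting object ' + source)
        # Re-raise so Lambda records the failure (error metric / retry)
        # instead of reporting a successful run.
        raise
--------------------------------------------------------------------------------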