AWS Projects


Solutions Architecture for Website Version 3 (rebuild of version 2, shown on the main projects page)
In progress...

EC2 Instance Terminator!! (Crypto Mining Scam Prevention)

Background to the project
-I built this project some time ago in response to widely reported cryptocurrency-mining scams against cloud users, AWS users in particular. The pattern: an unsuspecting victim (usually a student or someone new to AWS) has their account added to an AWS Organization that the attacker controls. The attacker then switches off any billing alarms and provisions a large fleet of EC2 instances, on the order of 25 m5.large, and leaves them mining for about 30 days. The instances and the evidence (logs, API call records) are then deleted and the victim's account is removed from the Organization, leaving the victim with an astronomical AWS bill while the attacker walks away with roughly half a bitcoin, worth about £20k ($24k). This project is one method of limiting the damage from large EC2 instance types after they are launched. The other, preventive, method is an AWS Organizations service control policy (SCP), for example applied through Control Tower, that blocks launching the disallowed instance types entirely.
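The preventive SCP mentioned above, as an added example that is not part of the original page: an AWS Organizations service control policy that denies ec2:RunInstances for any instance type outside an allow-list (the three types listed are an assumption; substitute your own). Attach it to the OU that holds the accounts you want to protect. An SCP never grants permissions, it only caps what IAM principals in member accounts can do, so it stops the large launch from happening at all instead of terminating it afterwards. Two caveats: SCPs do not apply to the management account, and they only help when the Organization is under your control rather than the attacker's.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceTypesOutsideAllowList",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": ["t3.micro", "t3.small", "t2.small"]
        }
      }
    }
  ]
}
```

The condition is evaluated against the instance resource, so the Resource element must match instance ARNs rather than "*"; a request for any type not in the list fails with an explicit deny before the instance exists.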

Introduction
-This architecture is a serverless automation that terminates any EC2 instance whose instance type is not on a pre-determined allow-list, for example "t3.micro", "t3.small", "t2.small". Instances are usually caught while still in the pending state, but AWS Config evaluates a change after it has happened rather than before launch, so depending on how long the rule takes to fire you may still see a small amount of usage if an instance reaches the running state. That is still far better than a large instance running for hours or even days. It can also save new users or students from building up unnecessary charges they are unaware of when they provision resources with SAM, the CDK or CloudFormation without the experience to read what the template is actually going to create.

AWS Config

-AWS Config records configuration changes to EC2 instances. A custom rule scoped to the AWS::EC2::Instance resource type with a configuration-change trigger fires on every new configuration item, including the one written when an instance is first launched.
-The rule invokes your Lambda function. Note that Config is a detective control: it evaluates the change after the instance exists, so the function runs as soon as the configuration item is recorded, not before provisioning. Keep the function lean so the gap between launch and termination stays as short as possible.
-Permissions: AWS Config invokes the function through the function's own resource-based policy, so grant lambda:InvokeFunction to the config.amazonaws.com service principal (the lambda:AddPermission API call adds that statement). Restrict the statement to your own account with the source-account condition rather than leaving it open to any account; the Config service role itself only needs its usual read permissions.
AWS Config costs: AWS Config charges per configuration item recorded and per rule evaluation, so be mindful of this as you design your own solution.

AWS config with AWS Lambda

-Parses the event payload: the invokingEvent field is a JSON string containing the AWS::EC2::Instance configuration item sent by AWS Config.
-Checks the instance type against the list of allowed instance types. (This can be customised to your own requirements and extended with further checks, such as blocking specific actions against particular instance types.)
-If the instance type is outside the allowed list, a termination request is made and the instance is terminated.
-IAM policies are required (ec2:DescribeInstances and ec2:TerminateInstances, plus config:PutEvaluations if the function reports compliance back to the rule). Add these to the Lambda execution role along with SNS or SES permissions as required, and scope ec2:TerminateInstances as tightly as the use case allows, since this function is able to destroy instances.
-The function code can be found on my GitHub here.

AWS SNS/SES (optional)

-I have used SNS in my example architecture, though SES is another option if you wish to use it instead.
-By having the Lambda function publish after a prohibited instance is terminated, you can send an event notification to an SNS topic or a simple email via SES to alert you of the occurrence. Lambda destinations only apply to asynchronous invocations, so publishing from the function code is the reliable choice here.
-SES: the Lambda function code can be updated to send a simple email via SES (additional SES setup, such as verifying the sender identity, is required). Don't embed private information in the code; keep it in Parameter Store or Secrets Manager.
-SNS: create a topic, subscribe every user who needs a notification to it, and add sns:Publish on that topic ARN to the Lambda function's execution role.
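The Lambda function described in the two sections above, as an added example rather than the code from the author's GitHub: it parses the AWS Config invocation, compares the instance type with an allow-list, terminates on a miss, reports compliance back to the rule and then publishes to SNS. ALLOWED_TYPES, the SNS_TOPIC_ARN variable name and the sample event are assumptions. The AWS clients are passed in as parameters so the decision logic runs offline against recording stand-ins.

```python
"""EC2 Instance Terminator: AWS Config custom-rule handler (added example).

ALLOWED_TYPES, the SNS_TOPIC_ARN variable and sample_event() are assumptions;
the clients are injected so enforce() can be exercised without AWS access."""
import json
import os

try:
    import boto3  # present in the Lambda runtime; not needed to run the checks offline
except ImportError:
    boto3 = None

ALLOWED_TYPES = {"t3.micro", "t3.small", "t2.small"}  # assumed allow-list
TOPIC_ARN = os.environ.get("SNS_TOPIC_ARN", "")       # assumed variable name


def parse_config_event(event):
    """Return the EC2 configuration item from a Config invocation, or None.

    Config passes the change as a JSON string in event["invokingEvent"]. Deleted
    instances and other resource types are skipped. An oversized notification
    carries no item and is skipped too (use GetResourceConfigHistory there)."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if not item or item.get("resourceType") != "AWS::EC2::Instance":
        return None
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return None
    return item


def enforce(event, ec2, sns=None, config=None, allowed=ALLOWED_TYPES, topic_arn=TOPIC_ARN):
    """Terminate the instance if its type is not allowed; report and alert.

    Termination happens before any notification so that an alerting failure
    can never delay enforcement. Returns a dict describing the decision."""
    item = parse_config_event(event)
    if item is None:
        return {"action": "skipped"}
    instance_id = item["resourceId"]
    instance_type = item["configuration"]["instanceType"]
    compliant = instance_type in allowed
    result = {"instance_id": instance_id, "instance_type": instance_type,
              "compliance": "COMPLIANT" if compliant else "NON_COMPLIANT",
              "action": "none"}
    if not compliant:
        ec2.terminate_instances(InstanceIds=[instance_id])
        result["action"] = "terminated"
        if sns is not None and topic_arn:
            sns.publish(TopicArn=topic_arn,
                        Subject="EC2 Instance Terminator: instance terminated",
                        Message=json.dumps(result))
    if config is not None:
        # Write the verdict back so the rule shows the resource's compliance state.
        config.put_evaluations(
            Evaluations=[{
                "ComplianceResourceType": item["resourceType"],
                "ComplianceResourceId": instance_id,
                "ComplianceType": result["compliance"],
                "Annotation": f"instanceType={instance_type}",
                "OrderingTimestamp": item["configurationItemCaptureTime"],
            }],
            ResultToken=event["resultToken"],
        )
    return result


def lambda_handler(event, context):
    """Entry point used by AWS Config. The execution role needs
    ec2:TerminateInstances, config:PutEvaluations and sns:Publish."""
    return enforce(event, ec2=boto3.client("ec2"), sns=boto3.client("sns"),
                   config=boto3.client("config"))


def sample_event(instance_type, status="ResourceDiscovered"):
    """Constructed ConfigurationItemChangeNotification (not real account data)."""
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {
                "resourceType": "AWS::EC2::Instance",
                "resourceId": "i-0123456789abcdef0",
                "configurationItemStatus": status,
                "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
                "configuration": {"instanceType": instance_type, "state": {"name": "pending"}},
            },
        }),
        "resultToken": "constructed-token",
    }


class RecordingClient:
    """Stand-in for a boto3 client that records every call made to it."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


if __name__ == "__main__":
    ec2, sns, cfg = RecordingClient(), RecordingClient(), RecordingClient()
    topic = "arn:aws:sns:eu-west-2:123456789012:ec2-terminator"  # assumed topic
    print(enforce(sample_event("m5.24xlarge"), ec2, sns, cfg, topic_arn=topic))
    print(enforce(sample_event("t3.micro"), ec2, sns, cfg))
    print(ec2.calls)
```

Two design points worth keeping if you adapt it: the allow-list is compared against the configuration item that Config recorded, not against a fresh DescribeInstances call, so the function needs no read permission beyond what Config already captured; and the compliance verdict is written back with PutEvaluations even for the terminated case, which leaves an audit trail in the Config timeline alongside the CloudTrail record of the TerminateInstances call.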

There are many other uses for this architecture: with a few simple changes to the AWS Config rule and the Lambda code it can be adapted to automate many other remediation tasks. And if this project saves even one person from making a mistake or becoming a victim, it will have been worth publishing here.
Enjoy the project.




IoT "Function"
This IoT architecture is designed to initiate any function you like within your AWS account, from clean-up of resources to starting a set workflow. The possibilities are endless, so grab your Dash buttons or sensors and see what uses you can find for it.

IoT device:
-IoT devices or edge computing nodes that send a signal to initiate the "function/process".
AWS IoT Core:
1) Connects the IoT device to the AWS cloud.
2) Receives the "function" initiation signal from the IoT device(s).
AWS Lambda function:
-Runs your code for the function required, using your choice of operations, services or queries.
For a simple clean-up script see my GitHub.
AWS CloudWatch Events/Logs:
-Captures events and logs of the operations.
-Provides a source for further triggers.
AWS Identity and Access Management (IAM):
-Manages permissions for the Lambda function so that it can perform the operations requested, and nothing more.
Amazon SNS (Simple Notification Service):
-Sends notifications about the status of the intended operation (failure, success, start, finish).

The flow, end to end:
IoT computing node:
-A button press or sensor reading sends data to IoT Core.
IoT Core:
-Receives the message from the IoT device.
-A topic rule matching the message invokes the Lambda function (the rule's Lambda action passes the message payload as the event).
Lambda function:
-Parses the information passed on by IoT Core.
-Performs your necessary operation(s).
-Publishes the outcome to SNS.
-Don't forget to use boto3/botocore to call your services. This was a small issue I faced during the creation of the function.
IAM permissions
Make sure to assign the relevant IAM roles and permissions to your services, such as:

-CloudWatch Logs (logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents for the function's own log group)
-sns:Publish on the notification topic
-The Lambda execution role itself, plus a resource-based policy on the function allowing the iot.amazonaws.com service principal to invoke it
-Any service permissions the operation needs (Get, Put, Delete and other CRUD operations), scoped to the specific resources the function is meant to touch rather than a wildcard
Using this architecture, account administrators will receive notifications of all operations, assuming correct setup, which gives accountability and awareness. IAM keeps everything within the account, and remember: NEVER ADD PRIVATE INFORMATION TO YOUR CODE! Use services such as Secrets Manager and Parameter Store instead.
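The Lambda side of the flow described above, as an added example rather than the clean-up script from the author's GitHub. It assumes an IoT Core topic rule with a Lambda action (so the event handed to the function is the message payload itself), an SNS_TOPIC_ARN variable and an assumed tag key that marks which instances a button press may stop. The device message only ever selects an entry from a fixed allow-list of actions; nothing from the payload is executed. Clients are injected so the block runs offline with constructed stand-ins.

```python
"""IoT "function" trigger: the Lambda side (added example).

Assumptions: an IoT Core rule with a Lambda action, an SNS_TOPIC_ARN variable,
and the tag key CLEANUP_TAG marking instances the clean-up action may stop."""
import json
import os

try:
    import boto3  # boto3 (built on botocore) is what the handler uses in AWS
except ImportError:
    boto3 = None

TOPIC_ARN = os.environ.get("SNS_TOPIC_ARN", "")  # assumed variable name
CLEANUP_TAG = "iot-cleanup"                      # assumed tag key


def stop_tagged_instances(ec2):
    """Clean-up action: stop every running instance carrying the clean-up tag.
    Returns the IDs stopped (an empty list when nothing matched)."""
    resp = ec2.describe_instances(Filters=[
        {"Name": "tag-key", "Values": [CLEANUP_TAG]},
        {"Name": "instance-state-name", "Values": ["running"]},
    ])
    ids = [i["InstanceId"]
           for r in resp.get("Reservations", [])
           for i in r.get("Instances", [])]
    if ids:
        ec2.stop_instances(InstanceIds=ids)
    return ids


# Allow-list of operations a device may request. The payload can only pick a
# key here; it is never executed, formatted into a command, or passed to a shell.
ACTIONS = {"cleanup": stop_tagged_instances}


def handle_message(message, ec2, sns=None, topic_arn=TOPIC_ARN):
    """Validate the IoT payload, run the matching action, publish the status."""
    action = message.get("action") if isinstance(message, dict) else None
    if action not in ACTIONS:
        status = {"status": "rejected", "reason": "unknown action", "requested": str(action)}
    else:
        try:
            status = {"status": "success", "action": action, "affected": ACTIONS[action](ec2)}
        except Exception as exc:  # report failures instead of dropping them silently
            status = {"status": "failure", "action": action, "error": str(exc)}
    if sns is not None and topic_arn:
        sns.publish(TopicArn=topic_arn,
                    Subject=f"IoT function: {status['status']}",
                    Message=json.dumps(status))
    return status


def lambda_handler(event, context):
    """Entry point for the IoT Core rule action. The execution role needs
    ec2:DescribeInstances, ec2:StopInstances and sns:Publish."""
    return handle_message(event, ec2=boto3.client("ec2"), sns=boto3.client("sns"))


class FakeEc2:
    """Constructed stand-in: returns one running instance that carries the tag."""

    def __init__(self):
        self.stopped = []

    def describe_instances(self, Filters):
        return {"Reservations": [{"Instances": [{"InstanceId": "i-0aaaaaaaaaaaaaaaa"}]}]}

    def stop_instances(self, InstanceIds):
        self.stopped.extend(InstanceIds)
        return {}


class FakeSns:
    """Constructed stand-in that keeps the published messages."""

    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "constructed"}


if __name__ == "__main__":
    ec2, sns = FakeEc2(), FakeSns()
    topic = "arn:aws:sns:eu-west-2:123456789012:iot-function"  # assumed topic
    # Constructed button messages as a rule "SELECT * FROM 'buttons/+'" would forward them.
    print(handle_message({"action": "cleanup", "device": "button-1"}, ec2, sns, topic))
    print(handle_message({"action": "rm -rf /"}, ec2, sns, topic))
    print(sns.published)
```

The rejected branch still publishes to SNS, so an administrator sees unexpected messages on the topic as well as successful runs; pair that with the per-resource IAM scoping above and a device that is compromised or simply mis-wired can at most trigger the one action you chose to expose.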
Finally: Enjoy the application!