Increase security with the click of a button!

Although at easytocloud we prefer to build serverless solutions wherever we can, we do have some EC2 instances and use a bastion host to access our – predominantly private – EC2 instances.

In an earlier posting you could read how we use our EC2 scheduler to stop and start our persistent instances based on the time of the day. The cost-savings of running an instance only during office-hours is a whopping 75% compared to leaving instances on ‘all the time’.

As for our bastion host, stopping it outside office hours not only reduces costs, it also increases security. The bastion host is the only network path into our AWS infrastructure, as (most) other instances do not even have a public IP address. So, whenever the bastion host is ‘off’, there is nothing to connect to and no way into the private instances from the outside.

Recently I got hold of a few AWS IoT buttons and thought it would be nice to be able to stop and start our bastion host with one. The IoT button can send three different ‘messages’ to AWS IoT: single click, double click or long press.


So now we start (one click) and stop (double click) our bastion host, hence increasing security with the (double) click of a button!

Some background?!

An IoT button uses WiFi to send its messages. To connect it to a (new) WiFi network, it becomes an access point that you can connect to with your laptop. The button features a web server that you then browse to, so you can set up the button to connect to your WiFi.

The next step is to configure the IoT button to be a trigger for a lambda function. Each button has a unique ID and you can configure a particular button to trigger your function to be executed.

Your lambda function receives information from the button when it is pressed: the button-ID, the type of ‘click’ and the remaining voltage of the battery.

All that is needed now is some code that changes the power state of your instance. With only a few modifications to (a copy of) the Python code of the previous post, it was an easy last step.
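As an added example (this is not the code from the previous post, nor easytocloud's own Lambda), here is what such a handler looks like in Python. It maps the button's click type to a start or stop of one instance, and only acts when the button's serial number is on an allow-list, because the serial number is the only identity the event carries. The instance id and the allow-list environment variables, the low-battery threshold and the sample event are assumptions of this example; the event fields (serialNumber, batteryVoltage, clickType) are those of the IoT Button payload.

```python
"""Added example (not the original post's code): Lambda handler that maps AWS IoT
Button clicks to start/stop calls on one bastion instance.

Assumptions (not from the post): the instance id and the trusted button serial
numbers come from environment variables; the EC2 client is injectable so the
logic can run without AWS access."""
import os

# Click types as delivered in the IoT Button event payload.
ACTIONS = {"SINGLE": "start", "DOUBLE": "stop"}   # LONG is deliberately unused

BASTION_ID = os.environ.get("BASTION_INSTANCE_ID", "i-0123456789abcdef0")  # assumed id
ALLOWED_BUTTONS = frozenset(
    s for s in os.environ.get("ALLOWED_BUTTONS", "").split(",") if s)


def battery_mv(event):
    """Parse the 'batteryVoltage' field (e.g. "1546mV") into an int; None if absent."""
    raw = str(event.get("batteryVoltage", "")).rstrip("mV")
    return int(raw) if raw.isdigit() else None


def decide(event, allowed_buttons):
    """Return (action, reason) where action is "start", "stop" or None.

    Only trusted buttons may act: anyone who obtains a button (or can replay
    its event) would otherwise control the bastion."""
    serial = event.get("serialNumber")
    if serial not in allowed_buttons:
        return None, f"ignored: unknown button {serial!r}"
    action = ACTIONS.get(event.get("clickType"))
    if action is None:
        return None, f"ignored: click type {event.get('clickType')!r} has no action"
    return action, f"{action} requested by {serial}"


def handle(event, ec2, allowed_buttons=ALLOWED_BUTTONS, instance_id=BASTION_ID):
    """Apply the decision using an EC2 client (boto3 or a stand-in)."""
    action, reason = decide(event, allowed_buttons)
    if action == "start":
        ec2.start_instances(InstanceIds=[instance_id])
    elif action == "stop":
        ec2.stop_instances(InstanceIds=[instance_id])
    mv = battery_mv(event)
    return {"action": action, "reason": reason, "battery_mv": mv,
            "battery_low": mv is not None and mv < 1500}   # 1500 mV is an assumed threshold


def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported here so the module imports offline."""
    import boto3
    return handle(event, boto3.client("ec2"))


class RecordingEC2:
    """Stand-in EC2 client that records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def start_instances(self, **kwargs):
        self.calls.append(("start", kwargs["InstanceIds"]))

    def stop_instances(self, **kwargs):
        self.calls.append(("stop", kwargs["InstanceIds"]))


if __name__ == "__main__":
    # Constructed sample event in the IoT Button format (serial number made up).
    sample = {"serialNumber": "G030JF0000000001", "batteryVoltage": "1546mV",
              "clickType": "SINGLE"}
    ec2 = RecordingEC2()
    print(handle(sample, ec2, {"G030JF0000000001"}, "i-0bastion"), ec2.calls)
```

The Lambda's execution role should be allowed ec2:StartInstances and ec2:StopInstances on the bastion's instance ARN only, so a stolen or misconfigured button can never touch anything else.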

The next thing for me to do is write a CloudFormation template so you can increase your security too – with just the click of a button!


Alexa, Lambda & One Time Passwords – A match made in heaven

By now, you must have heard of the amazing Amazon Echo devices: smart speaker/microphone devices backed by the Alexa voice service.

Now, the cool thing is you can build your own skills quite easily. Register as a developer and start building your custom skill so your Echo reacts to things like “what’s up for dinner?” or maybe something more useful. Your custom skill does require some programming but where to host this? Sounds event-driven… And yes, your custom skill can be implemented as a Lambda function running on AWS; reliable, scalable and only consuming resources when actually invoked.

So what shall we build? Since we are well into AWS anyway, we’ve chosen to build a skill that can interact with AWS itself:

You                      Alexa responds
Alexa, open easytocloud  <welcome tune>Welcome
List instances           You have the following instances..
Describe kinesis shards  You have a four shard Kinesis stream in Ireland

Now, we would like to be able to actually modify resources as well. This, however, would be rather unsafe: anyone in the same room as the Echo could then stop and start our EC2 instances (for example our ‘splunk’ instance). We need authentication:

You                      Alexa responds
Start splunk             You need to authenticate

Speaking the password out loud would not make sense:

Authenticate secret123

Luckily, AWS is a very secure place and its IAM users can be authenticated by both a password and a one-time token: multi-factor authentication or MFA. We are already using the following (Gemalto) hardware tokens for secure access to AWS:

You can validate a token from your Lambda skill by using the AWS SDK to call the AWS STS GetSessionToken operation, passing the serial number of the MFA device and the code the user spoke. Don’t worry; we are not really interested in the resulting ‘session token’. The call simply fails when the code is wrong, which is a neat trick to leverage the existing AWS MFA integration for your own use 🙂 One caveat: GetSessionToken must be called with the long-term credentials of the IAM user the MFA device belongs to, not with the temporary credentials of the Lambda execution role, so those user keys have to be stored securely and that user should have no permissions beyond what the check needs.

So now we have (supposing the OTP device is displaying 123456):

You                      Alexa responds
Start splunk             You need to authenticate
Authenticate 123456      Access granted
Start splunk             I have started splunk

Done already? Not just yet… If you do not have an MFA device you can use a virtual MFA application on your phone instead. But AWS can offer something cooler. Remember the AWS notification service SNS: it can send messages to a variety of destinations (email, web server, SQS) and it also supports text messaging (SMS). And that’s what we are going to use. By saying ‘text’ we ask the skill to send a one-time password to our phone. Then, we use that code to authenticate:

You                      Alexa responds
Authenticate text        I've sent the code to your phone

Almost instantly, your phone displays how to proceed:


You follow instructions and gain access:

You                      Alexa responds
Authenticate 5143        Access granted
Start splunk             I have started splunk

In reality, there is much more to the solution than explained in the previous steps. To name a few:

  • DynamoDB to store user profiles (including phone numbers)
  • API Gateway with a second Lambda function for a re-usable implementation of the MFA-authentication service
  • Logging to CloudWatch Logs
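As an added example (not easytocloud's skill code), the two authentication paths above in Python: the spoken MFA code checked through STS GetSessionToken, and the texted one-time code issued through SNS and verified with an expiry, an attempt limit and single use. The function and class names, the in-memory dict standing in for the DynamoDB store, the stand-in clients and the sample phone number and codes are this example's own assumptions; the STS and SNS call signatures are those of boto3.

```python
"""Added example (not the original post's code): the two authentication paths the
post describes, (1) an MFA code checked through STS GetSessionToken and (2) a
one-time code texted through SNS. Clients and the clock are injectable; a dict
stands in for the DynamoDB store. All names below are this example's own."""
import hashlib
import hmac
import secrets
import time


def verify_mfa_token(sts, mfa_serial, token_code):
    """True iff STS GetSessionToken accepts the code for this MFA device.

    `sts` must be a client built from the long-term keys of the IAM user who owns
    the device: STS rejects GetSessionToken from role credentials."""
    if not (token_code.isdigit() and len(token_code) == 6):
        return False                      # never round-trip obviously bad input
    try:
        sts.get_session_token(SerialNumber=mfa_serial, TokenCode=token_code,
                              DurationSeconds=900)   # 900 s is the minimum allowed
        return True
    except Exception as exc:              # botocore ClientError in boto3
        error = getattr(exc, "response", {}).get("Error", {})
        if error.get("Code") == "AccessDenied":
            return False                  # wrong or replayed code
        raise                             # misconfiguration: do not mask it


class TextCodeAuthenticator:
    """Issue and verify short-lived, single-use codes delivered by SMS."""

    def __init__(self, sns, store, ttl_seconds=300, max_attempts=3,
                 digits=6, now=time.time, rng=secrets.randbelow):
        self.sns, self.store = sns, store
        self.ttl, self.max_attempts, self.digits = ttl_seconds, max_attempts, digits
        self.now, self.rng = now, rng

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).hexdigest()

    def send_code(self, user_id, phone_number):
        code = str(self.rng(10 ** self.digits)).zfill(self.digits)
        salt = secrets.token_bytes(16)
        # Only a salted hash is stored, so a dump of the table does not leak codes.
        self.store[user_id] = {"salt": salt, "digest": self._digest(salt, code),
                               "expires": self.now() + self.ttl, "attempts": 0}
        self.sns.publish(PhoneNumber=phone_number,
                         Message=f"Say: Alexa, authenticate {code}")
        return True

    def verify(self, user_id, spoken_code):
        rec = self.store.get(user_id)
        if rec is None:
            return False
        if self.now() > rec["expires"]:
            del self.store[user_id]
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(self._digest(rec["salt"], spoken_code), rec["digest"])
        if ok or rec["attempts"] >= self.max_attempts:
            del self.store[user_id]       # single use; also burn after too many guesses
        return ok


class RecordingSNS:
    """Stand-in SNS client that records publish() calls."""

    def __init__(self):
        self.sent = []

    def publish(self, **kwargs):
        self.sent.append(kwargs)
        return {"MessageId": "constructed"}


class FakeSTS:
    """Stand-in STS client accepting one code, raising in boto3's ClientError shape."""

    def __init__(self, valid_code):
        self.valid_code = valid_code

    def get_session_token(self, **kwargs):
        if kwargs.get("TokenCode") == self.valid_code:
            return {"Credentials": {"SessionToken": "constructed"}}
        err = Exception("AccessDenied: MultiFactorAuthentication failed")
        err.response = {"Error": {"Code": "AccessDenied"}}
        raise err


if __name__ == "__main__":
    sts = FakeSTS("123456")                       # constructed: device shows 123456
    print(verify_mfa_token(sts, "arn:aws:iam::123456789012:mfa/alexa", "123456"))
    auth = TextCodeAuthenticator(RecordingSNS(), {}, digits=4, rng=lambda n: 5143)
    auth.send_code("user1", "+31600000000")       # constructed phone number
    print(auth.sns.sent[0]["Message"], auth.verify("user1", "5143"))
```

The post's example shows a four-digit text code; with an attempt limit and a five-minute expiry that is workable for a spoken code, but six digits costs nothing and is the default here.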

Feel free to contact us by email for more detailed instructions.

Visualize EC2 Performance and Pricing

As a Unix expert, I used to think everything is a file. Now I know better: everything is an API (or should be). AWS took this to the max by even disclosing their prices and specifications through an API. That allows us to write code that presents the EC2 specs and prices in a whole new way.

We ingest the AWS specs and prices daily and store them in a bucket for future reference. When you open the page in your browser you get a view on this data. Hitting the big green ‘graphics’ button changes the view: from the traditional ‘table’ view we have grown used to over the centuries to a more modern 3D graphics representation.


The page your browser downloads from an S3 bucket contains the code to do the visualisation: another example of a serverless application on the AWS platform.

You can filter on a family and see its different sizes. This reveals the difference in memory and CPU capacity between the sizes large, xlarge, 2xlarge and so on. You can also see that the ‘c’ family has relatively much compute power compared to an ‘r’ instance, which is geared towards memory (RAM) intensive workloads. All this can be visualised in either 2D or 3D graphs, as Alexa (!) explains in this video.

And although the website is hosted as a static page in an S3 bucket, the content it shows is not static at all: when the Mumbai region became available, it appeared in our region selector without any modification to the code.
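As an added example (not the site's own code), here is the data reduction such a page needs, in Python: take the AWS Price List bulk offer file for EC2 (its products and OnDemand terms), join each on-demand Linux SKU to its hourly USD price, derive the region list from the data itself so a new region shows up without a code change, and compare families per vCPU-hour and per GiB-hour. The offer snippet embedded below is constructed: the attribute names and term structure follow the real file, the prices are illustrative and not AWS list prices.

```python
"""Added example (not the original site's code): reduce an AWS Price List bulk
offer file for EC2 to per-instance rows, list its regions, and compare families
per vCPU and per GiB. SAMPLE_OFFER is constructed with illustrative prices."""
import re


def parse_offer(offer, os_name="Linux"):
    """Join each shared-tenancy, on-demand compute SKU to its USD hourly price."""
    rows = []
    ondemand = offer.get("terms", {}).get("OnDemand", {})
    for sku, product in offer.get("products", {}).items():
        a = product.get("attributes", {})
        if (product.get("productFamily") != "Compute Instance"
                or a.get("operatingSystem") != os_name
                or a.get("tenancy") != "Shared"
                or a.get("preInstalledSw", "NA") != "NA"
                or a.get("capacitystatus", "Used") != "Used"):
            continue
        price = None
        for term in ondemand.get(sku, {}).values():
            for dim in term.get("priceDimensions", {}).values():
                if dim.get("unit") == "Hrs":
                    price = float(dim["pricePerUnit"]["USD"])
        if not price:
            continue                      # no on-demand hourly rate for this SKU
        family, size = a["instanceType"].split(".", 1)
        mem_gib = float(re.match(r"([\d.]+)", a["memory"]).group(1))  # "3.75 GiB"
        rows.append({"region": a["location"], "type": a["instanceType"],
                     "family": family, "size": size, "vcpu": int(a["vcpu"]),
                     "mem_gib": mem_gib, "usd_hr": price})
    return rows


def regions(rows):
    """Regions present in the data; a new region appears here automatically."""
    return sorted({r["region"] for r in rows})


def family_profile(rows, family, region):
    """Average USD per vCPU-hour and per GiB-hour over a family's sizes."""
    sel = [r for r in rows if r["family"] == family and r["region"] == region]
    if not sel:
        return None
    return {"usd_per_vcpu_hr": round(sum(r["usd_hr"] / r["vcpu"] for r in sel) / len(sel), 4),
            "usd_per_gib_hr": round(sum(r["usd_hr"] / r["mem_gib"] for r in sel) / len(sel), 4),
            "sizes": sorted(r["size"] for r in sel)}


def _sku(sku, itype, vcpu, mem, location, usd, os_name="Linux", tenancy="Shared"):
    """Build one product and its OnDemand term in the offer-file shape (constructed)."""
    product = {"sku": sku, "productFamily": "Compute Instance", "attributes": {
        "servicecode": "AmazonEC2", "location": location, "instanceType": itype,
        "vcpu": str(vcpu), "memory": f"{mem} GiB", "operatingSystem": os_name,
        "tenancy": tenancy, "preInstalledSw": "NA", "capacitystatus": "Used"}}
    term = {f"{sku}.JRTCKXETXF": {"priceDimensions": {f"{sku}.JRTCKXETXF.6YS6EN2CT7": {
        "unit": "Hrs", "pricePerUnit": {"USD": str(usd)}}}}}
    return product, term


# Constructed sample offer: real attribute names, made-up SKUs and prices.
SAMPLE_OFFER = {"formatVersion": "v1.0", "products": {}, "terms": {"OnDemand": {}}}
for _p, _t in [_sku("SKU1", "c4.large", 2, 3.75, "EU (Ireland)", 0.10),
               _sku("SKU2", "c4.xlarge", 4, 7.5, "EU (Ireland)", 0.20),
               _sku("SKU3", "r4.large", 2, 15.25, "EU (Ireland)", 0.15),
               _sku("SKU4", "c4.large", 2, 3.75, "Asia Pacific (Mumbai)", 0.11),
               _sku("SKU5", "c4.large", 2, 3.75, "EU (Ireland)", 0.19, os_name="Windows"),
               _sku("SKU6", "c4.large", 2, 3.75, "EU (Ireland)", 0.12, tenancy="Dedicated")]:
    SAMPLE_OFFER["products"][_p["sku"]] = _p
    SAMPLE_OFFER["terms"]["OnDemand"][_p["sku"]] = _t


if __name__ == "__main__":
    rows = parse_offer(SAMPLE_OFFER)
    print(regions(rows))
    print("c4:", family_profile(rows, "c4", "EU (Ireland)"))
    print("r4:", family_profile(rows, "r4", "EU (Ireland)"))
```

In production the offer dict comes from the bulk file the site ingests daily; the filters on operating system, tenancy, pre-installed software and capacity status are what keep a single instance type from appearing as a dozen differently priced rows.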

Thanks to the “Everything is an API” way of life.