Welcome to AWS re:Post

Having spent some time on re:Post since it first launched, I've noticed that many questions are of extremely low quality, some completely unintelligible and unanswerable. Just a quick perusal of recent unanswered questions will demonstrate this. For example: [here](https://repost.aws/questions/QU1SMds69vSlC9vhngYga6uQ/not-able-to-access-aws-lambda-service-or-ec-2-service), [here](https://repost.aws/questions/QUJvnms_9NStiW20okor-QnQ/how-to-stop-instance-stuck-in-stopping), [here](https://repost.aws/questions/QUGu8B70A9QGS5kVoULX0p-A/yum-configuration-update-motd-conf-not-found), and this is just 20 seconds of browsing the first page of unanswered questions. Are there any plans to moderate the site and help askers to ask better questions? Other sites have a report feature to help with this. Maybe something similar would be appropriate here to keep questions in scope and on track?lg...

# Situation I am currently in the process of migrating on of my pet projects from another provider to AWS. As a first step, I have created a CloudFront distribution sending all requests as-is to the loadbalancer my application is currently running on (external provider). The CDK stack I started with looks like follows: ```java package mypackagename; import software.amazon.awscdk.Stack; import software.amazon.awscdk.StackProps; import software.amazon.awscdk.services.certificatemanager.Certificate; import software.amazon.awscdk.services.cloudfront.*; import software.amazon.awscdk.services.cloudfront.origins.HttpOrigin; import software.constructs.Construct; import java.util.List; import java.util.Map; public class MyServiceNameCloudfrontCdkStack extends Stack { public MyServiceNameCloudfrontCdkStack(final Construct scope, final String id, final StackProps props, final Config config) { super(scope, id, props); Distribution.Builder.create(this, "cloudfront") .priceClass(PriceClass.PRICE_CLASS_ALL) .httpVersion(HttpVersion.HTTP2) .enableIpv6(true) .domainNames(List.of(config.domain())) .certificate(Certificate.fromCertificateArn(this, "sslcert", config.sslCertArn())) .minimumProtocolVersion(SecurityPolicyProtocol.TLS_V1_2_2021) .defaultBehavior( BehaviorOptions.builder() .origin( HttpOrigin.Builder.create("<hostname of the LB at external provider>") .protocolPolicy(OriginProtocolPolicy.HTTP_ONLY) .httpPort(8080) .customHeaders(Map.of( "Forwarded", String.format("host=%s;proto=https", config.domain()), "X-Forwarded-Host", config.domain(), "X-Forwarded-Proto", "https", "X-Forwarded-Port", "443" )) .build() ) .compress(true) .viewerProtocolPolicy(ViewerProtocolPolicy.REDIRECT_TO_HTTPS) .allowedMethods(AllowedMethods.ALLOW_ALL) .cachePolicy(CachePolicy.CACHING_DISABLED) .originRequestPolicy(OriginRequestPolicy.ALL_VIEWER) .build() ) .enableLogging(false) .enabled(true) .build(); } public record Config(String domain, String sslCertArn) {} } ``` With this stack, everything works as expected. As a second step, I updated the CDK stack to have separate behaviors for each of the components I'm planning to split my logic to in the future. They all still use the same origin but with some minor changes to the behavior. The updated CDK stack looks like follows: ```java package mypackagename; import software.amazon.awscdk.Stack; import software.amazon.awscdk.StackProps; import software.amazon.awscdk.services.certificatemanager.Certificate; import software.amazon.awscdk.services.cloudfront.*; import software.amazon.awscdk.services.cloudfront.origins.HttpOrigin; import software.constructs.Construct; import java.util.LinkedHashMap; import java.util.List; import java.util.Map; public class MyServiceNameCloudfrontCdkStack extends Stack { public MyServiceNameCloudfrontCdkStack(final Construct scope, final String id, final StackProps props, final Config config) { super(scope, id, props); // region custom response headers for the fallthrough behaviour (ui stuff) final ResponseHeadersPolicy uiResponseHeadersPolicy = ResponseHeadersPolicy.Builder.create(this, "ui-response-headers-policy") .securityHeadersBehavior( ResponseSecurityHeadersBehavior.builder() .frameOptions( ResponseHeadersFrameOptions.builder() .frameOption(HeadersFrameOption.DENY) .override(true) .build() ) .contentSecurityPolicy( ResponseHeadersContentSecurityPolicy.builder() .contentSecurityPolicy(String.join("; ", "default-src 'self'", "connect-src 'self' https://api.guildwars2.com", "script-src 'self' 'unsafe-inline'", "style-src 'self' 'unsafe-inline'", "img-src 'self' https://icons-gw2.darthmaim-cdn.com/ data:", "frame-src https://www.youtube.com/embed/" )) .override(true) .build() ) .build() ) .build(); // endregion // region the external loadbalancer origin config final IOrigin externalLBOrigin = HttpOrigin.Builder.create("<hostname of the LB at external provider>") .protocolPolicy(OriginProtocolPolicy.HTTP_ONLY) .httpPort(8080) .customHeaders(Map.of( "Forwarded", String.format("host=%s;proto=https", config.domain()), "X-Forwarded-Host", config.domain(), "X-Forwarded-Proto", "https", "X-Forwarded-Port", "443" )) .build(); // endregion // region additional behaviours (everything except ui) final Map <String , BehaviorOptions> additionalBehaviors = new LinkedHashMap<>(); additionalBehaviors.put( "/api*", BehaviorOptions.builder() .origin(externalLBOrigin) .compress(true) .viewerProtocolPolicy(ViewerProtocolPolicy.REDIRECT_TO_HTTPS) .allowedMethods(AllowedMethods.ALLOW_ALL) .cachePolicy(CachePolicy.CACHING_DISABLED) .originRequestPolicy(OriginRequestPolicy.ALL_VIEWER) .build() ); additionalBehaviors.put( "/oauth2*", BehaviorOptions.builder() .origin(externalLBOrigin) .compress(true) .viewerProtocolPolicy(ViewerProtocolPolicy.REDIRECT_TO_HTTPS) .allowedMethods(AllowedMethods.ALLOW_ALL) .cachePolicy(CachePolicy.CACHING_DISABLED) .originRequestPolicy(OriginRequestPolicy.ALL_VIEWER) .build() ); additionalBehaviors.put( "/.well-known/oauth-authorization-server", BehaviorOptions.builder() .origin(externalLBOrigin) .compress(true) .viewerProtocolPolicy(ViewerProtocolPolicy.REDIRECT_TO_HTTPS) .allowedMethods(AllowedMethods.ALLOW_GET_HEAD) .cachePolicy(CachePolicy.CACHING_DISABLED) .build() ); // endregion Distribution.Builder.create(this, "cloudfront") .priceClass(PriceClass.PRICE_CLASS_ALL) .httpVersion(HttpVersion.HTTP2) .enableIpv6(true) .domainNames(List.of(config.domain())) .certificate(Certificate.fromCertificateArn(this, "sslcert", config.sslCertArn())) .minimumProtocolVersion(SecurityPolicyProtocol.TLS_V1_2_2021) .defaultBehavior( BehaviorOptions.builder() .origin(externalLBOrigin) .compress(true) .viewerProtocolPolicy(ViewerProtocolPolicy.REDIRECT_TO_HTTPS) .allowedMethods(AllowedMethods.ALLOW_GET_HEAD) .cachePolicy(CachePolicy.CACHING_OPTIMIZED) .originRequestPolicy(OriginRequestPolicy.ALL_VIEWER) .responseHeadersPolicy(uiResponseHeadersPolicy) .build() ) .additionalBehaviors(additionalBehaviors) .enableLogging(false) .enabled(true) .build(); } public record Config(String domain, String sslCertArn) {} } ``` # Issue Most of the changes work as expected (for example, I see that caching now takes place for the default behavior). BUT: For `/oauth2*` requests, CloudFront does not send all or at least *some* of the defined `customHeaders` to the origin server. I don't know if it also affects the other behaviors, but I know for sure it does affect the `/oauth2*` behavior. This is especially weird because (as expected) the resulting CloudFront Distribution shows only one Origin, which correctly lists the Custom Headers I have set in CDK code. When rolling back to the previous version of my CDK stack everything works as expected again. # Versions Maven Versions: ``` <cdk.version>2.46.0</cdk.version> <constructs.version>[10.0.0,11.0.0)</constructs.version> ``` `cdk.out`: ``` {"version":"21.0.0"} ```lg...

My application is rendering the CAPTCHA challenge from a WAF intercepted 405 response in an iframe. While successful completion of the puzzle renders the "That is correct, Success! You will be redirected shortly" text, the aws_waf_token cookie does not get updated in the chrome/firefox/safari/edge browser. Looking more closely at the network traffic, when user submits the puzzle answer a successful POST call from the challenge.js to the "verify" endpoint completes but the subsequent POST request to the "voucher" endpoint fails with an 'InvalidRequest' 400 error. The request payload for the failed voucher call has two properties: 1. a 'captcha_voucher' with the value taken from the verify response 2. a 'existing_token' property with a value of null. Given that the CAPTCHA challenge is essentially a black box, I'm at a loss on how to address this issue. Has anyone else run into this?lg...

Can you tell me how to include a preview image to display before the live video starts and then after the live video is over? I want to embed the video into a website and do the following: 1. Show a static preview image on the page until the live broadcast starts 2. When the live broadcast starts, automatically replace the preview image with the live video feed 3. When the live broadcast ends, it should automatically display the same preview image as before Thank you!lg...

I've created a Lightsail Instance. I have not created any addition 'attached disks'. I'm running an IP PBX application in this Lightsail instance. This IP PBX application includes voice mail. So voice mails are created and stored in a folder. It works very well. My question involves encryption. Is the data that is created and stored by this application in this Lightsail instance encrypted at rest? Or do I need to use an additional 'attached disk', in which to store data that I wanted encrypted at rest?lg...

I am able to send messages from the the STM32L4 Discovery Kit Board to the AWS Cloud as I have gone through the fist steps guide https://docs.aws.amazon.com/freertos/latest/userguide/freertos-prereqs.html. Although now I would like to display sensor data specifically temperature from the board to the cloud, how can I do this? (I asked this question before although I am still unsure)lg...

AWS Technical Essentials (Japanese) Japanese live-action version ID: E-04YMDV hands-on. At the end of the content, the following error message was displayed in ELB + EC2 Auto Scaling hands-on. An instance was taken out of service in response to an ELB system health check failure. I have read the following articles in the user guide, but I have not been able to resolve the issue. https://docs.aws.amazon.com/ja_jp/autoscaling/ec2/userguide/ts-as-healthchecks.html I tried Solution 2 for the event "ELB system health check detects failure and instance service is stopped", but the problem could not be resolved. I understand that I am proceeding according to the hands-on video, but I do not know how to troubleshoot, and I do not know the contents of the web application provided in the content, so I would like to contact you. rice field. I'm sorry to trouble you, but I would appreciate it if you could tell me how to solve it. Thank you.lg...

I have an ECR in a prod account that I want to grant push access to from the dev role. This is my current policy ```json { "Version": "2008-10-17", "Statement": [ { "Sid": "AllowPushPull", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::account:role/rolename", "arn:aws:sts::account:assumed-role/rolename/instance", "arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session" ] }, "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:CompleteLayerUpload", "ecr:DescribeImages", "ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer", "ecr:GetLifecyclePolicy", "ecr:GetLifecyclePolicyPreview", "ecr:GetRepositoryPolicy", "ecr:InitiateLayerUpload", "ecr:ListImages", "ecr:PutImage", "ecr:PutLifecyclePolicy", "ecr:SetRepositoryPolicy", "ecr:StartLifecyclePolicyPreview", "ecr:UploadLayerPart" ] } ] } ``` Running aws sts get-caller-identity I can see I have the role checked out "arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session" but I do not have access to push. I receive the following until timeout. > The push refers to repository > [account.dkr.ecr.us-west-2.amazonaws.com/repo] 87e2ce75493a: Retrying > in 4 seconds My non-prod account does exist in us-east-1. but my login command specifies west. task: [docker:ecr-login] aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin accpunt.dkr.ecr.us-west-2.amazonaws.com Any ideas what may be my problem on this repo? (this works with my production account so the registry is valid) Also this works when I use my dev account and allow the user IAMlg...

I've tried to Import a Windows 11 Virtual Machine to Amazon AWS, but when I go to launch it Initializing requests Succeeded Creating security groups Succeeded Creating security group rules Succeeded Launch initiation Failed Instance launch failed The t3.micro instance type does not support an AMI with TPM version v2.0. Specify an instance type that supports TPM version v2.0, and try again.lg...

Hello, got an issue after updating our Windows OS where user are unable to connect thru Remote Desktop. I'm doing this troubleshooting guide [https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/troubleshoot-connect-windows-instance.html](AWSSupport-TroubleshootRDP) Got an error: ``` Status Failed Output ----------ERROR------- failed to run commands: fork/exec C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Access is denied. OutputPayload {"Status":"Failed","ResponseCode":1,"Output":" ----------ERROR------- failed to run commands: fork/exec C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe: Access is denied.","CommandId":"86fc373f-4d1a-4ec1-95a0-38e7d624229c"} ```lg...

Hi, I have followed steps provided by AWS account team and was not able to view or use AWS lambda service or ec2 service. There appears the issues with the account. However, any public URLs I cannot view and when I ping the url I get 'unknown host'.lg...

Dear all, I am new to AWS and trying the free tier service. According to this guideline: https://aws.amazon.com/rds/free/?nc1=h_ls, I think I can have a free oracle database for free for 12 months, however, after I create an oracle instance, it starts to charge me... Anyone can guide me how to create a free oracle rds instance? or there is no free instance for oracle? Thanks in advance!!lg...

In my account, I can't generate the reports using as delivery options a bucket S3. Even with proper permissions, the delivery options cannot verify. I think this is a bug. I have others account in AWS, and it works well. How could I report this problem? This account that has a problem is my personal account as a sandbox.lg...

The instance is i-0c7d61f1a53cbe45a It was unresponsive, did not ping, etc. Attempted to stop and stuck in stopping. Tried force stop and it is still stuck in stopping.lg...

yum Configuration update-motd.conf not found my ec2 yum tell me this problem, how can i solve this?lg...

I am learning AWS and using free tier root account but the account was dormant for a few months. Yesterday I again started to use the account and then I got informed that my account could be compromised. I changed the password, resolved the message sent to me but AWS Lambda page still shows "You do not have sufficient permission. Access denied." message. I signed up for Virginia zone and when trying out tutorial I chose Oregon as the tutorial suggested I use that zone. How do I fix this issue of Lambda access?lg...

Is anyone at AWS testing Glue? I created a new table in my Glue Catalog, which is defined as a Kinesis stream. Then when I go to the Jobs editor and use the Visual Editor for a "Glue Catalog table -> S3" job, it won't let me select the Type as "Spark Streaming"... even after I select the Kinesis table from my glue cataloglg...

Dear Amazon. Please either sort out this IP address (76.223.180.3) or remove it from your pool for ap-south-1. Refer to see bounce notification below: ``` {"notificationType":"Bounce","bounce":{"feedbackId":"01090183ba5cfe35-d0fed3b5-ca5e-4c55-9b88-e88081ca576d-000000","bounceType":"Transient","bounceSubType":"General","bouncedRecipients":[{"emailAddress":"REDACTED@hotmail.fr ","action":"failed","status":"5.7.1","diagnosticCode":"smtp; 550 5.7.1 Unfortunately, messages from [76.223.180.3] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors . [AM6EUR05FT060.eop-eur05.prod.protection.outlook.com ]"}],"timestamp":"2022-10-09T01:30:00.000Z","remoteMtaIp":"104.47.18.97","reportingMTA":"dns; c180-3.smtp-out.ap-south-1.amazonses.com "},"mail":{"timestamp":"2022-10-09T01:29:58.460Z","source":"info@REDACTED ","sourceArn":"arn:aws:ses:ap-south-1:REDACTED:identity/REDACTED","sourceIp":"REDACTED","callerIdentity":"ses-smtp-user.20201217-221145","sendingAccountId":"REDACTED","messageId":"01090183ba5cf7bc-444ec2e6-b96f-4f6f-b8a7-46bcec8a2dac-000000","destination":["REDACTED@hotmail.fr "],"headersTruncated":false,"headers":[{"name":"Received","value":"from REDACTED ([REDACTED]) by email-smtp.amazonaws.com with SMTP (SimpleEmailService-d-0NU5RY97J) id YEblTafH6wWTtpnr5wO0 for REDACTED@hotmail.fr ; Sun, 09 Oct 2022 01:29:58 +0000 (UTC)"},{"name":"MIME-Version","value":"1.0"},{"name":"From","value":"\"REDACTED\" <info@REDACTED >"},{"name":"To","value":"REDACTED@hotmail.fr "},{"name":"Date","value":"9 Oct 2022 04:29:58 +0300"},{"name":"Subject","value":"=?utf-8?B?TmV3IEZlYXR1cmUg8J+OiSBJbWFnZSBSZW9yZGVyaW5nIPCf?=\r\n =?utf-8?B?lIA=?="},{"name":"Content-Type","value":"text/html; charset=us-ascii"},{"name":"Content-Transfer-Encoding","value":"quoted-printable"}],"commonHeaders":{"from":["REDACTED <info@REDACTED >"],"date":"9 Oct 2022 04:29:58 +0300","to":["REDACTED@hotmail.fr "],"subject":"REDACTED"}}} ``` We've got loads of these from Outlook and Hotmail recipients. By the way, if anyone reading this can recommend another SES region which is more reliable than ap-south-1 for sending email then please let me know.lg...