The latest update of SHIFT is a big one that includes new highly anticipated services and functionality, a brand new validation check for valid IAM Service Principals, and a BETA launch for SHIFT in GovCloud. See below for details.
New services and functionality in SHIFT – Lambda and EC2 Tag on Create for Instances and EBS Volumes.
Lambda has been a much-anticipated service to finally be available in SHIFT for emulation in certain air-gapped regions. This enables systems that leverage Lambda in their architecture to test
The ability to tag EC2 instances and EBS volumes on create is also available in SHIFT for emulation in certain air-gapped regions. This feature applies specifically to the EC2 RunInstances action with the TagSpecifications parameter. This is a relatively large update, as it enables common orchestration tools such as Terraform to create EC2 instances without workarounds. Typically, tools such as Terraform tag EC2 instances and EBS volumes as they are created, which is an AWS best practice. Previously, when this feature was unavailable, this would cause T
SHIFT gets a new validation check – IAM Service Principals
Did you know that IAM Service Principals are different in different regions?
If you are creating service-linked roles as part of your DevOps process through CloudFormation, Terraform, or other means, you are likely creating an AssumeRolePolicyDocument with them. This document is typically a single sts:AssumeRole policy with a service principal that allows the role to be assumed by one or more services. See below.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "elasticmapreduce.amazonaws.com",
                    "datapipeline.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
The above policy allows AWS's EMR and DataPipeline services to assume this role. However, if you attempt to use this policy in other AWS regions, such as certain AWS Asia regions or air-gapped regions, there is a good chance it will fail, because in those regions these would be invalid principals.
service.amazonaws.com.cn
Additionally, the differences in service principals
Services with a constant service principal:
- sns.amazonaws.com
- sqs.amazonaws.com
Services with a region-dependent service principal:
- states.REGION.amazonaws.com
Services with a suffixed service principal:
- lambda.amazonaws.com[.cn]
- autoscaling.amazonaws.com[.cn]
- application-autoscaling.amazonaws.com[.cn]
- ec2.amazonaws.com[.cn]
- events.amazonaws.com[.cn]
Services with region AND suffix:
- logs.REGION.amazonaws.com[.cn]
Services that don’t follow a substitution pattern:
- codedeploy.amazonaws.com -> codedeploy.cn-north-1.amazonaws.com.cn
These same inconsistencies exist in air-gapped regions as well. Starting today, SHIFT lets you test that the service principals in your service-linked roles are correct with our new Service Principal Check. SHIFT is the only platform on the market that can emulate and test for valid service principals, and the check is provided to our users at no cost.
This new check brings the total number of validation checks that SHIFT performs for air-gapped regions on every one of your system calls and API requests to 11, over three times more than any other platform.
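To show what such a check amounts to, here is an added Python example (not SHIFT's code) that encodes only the substitution patterns listed above and flags the service principals in a trust policy that would be invalid in a target region. The rule that regions named "cn-*" take the ".amazonaws.com.cn" suffix, and the substitution of the region name for codedeploy in China regions other than cn-north-1, are assumptions; air-gapped suffixes are not modelled because the page does not give them.

```python
import json

# Substitution pattern per service, from the lists above. "suffix" means the
# partition suffix (.amazonaws.com or .amazonaws.com.cn) is appended.
PATTERNS = {
    "sns": "constant", "sqs": "constant", "states": "region",
    "lambda": "suffix", "autoscaling": "suffix", "application-autoscaling": "suffix",
    "ec2": "suffix", "events": "suffix", "logs": "region_suffix", "codedeploy": "special",
}

def partition_suffix(region):
    # Assumption: only the China partition ("cn-*") is modelled; air-gapped suffixes are not on the page.
    return ".amazonaws.com.cn" if region.startswith("cn-") else ".amazonaws.com"

def expected_principal(service, region):
    """Principal `service` should use in `region`, or None if its pattern is unknown."""
    kind, suffix = PATTERNS.get(service), partition_suffix(region)
    if kind == "constant":
        return f"{service}.amazonaws.com"
    if kind == "region":
        return f"{service}.{region}.amazonaws.com"
    if kind == "suffix":
        return f"{service}{suffix}"
    if kind == "region_suffix":
        return f"{service}.{region}{suffix}"
    if kind == "special":  # codedeploy: the page shows only the cn-north-1 form;
        # substituting other China region names is an assumption
        return f"codedeploy.{region}{suffix}" if region.startswith("cn-") else "codedeploy.amazonaws.com"
    return None

def check_trust_policy(policy_json, region):
    """Return (found, expected) pairs for service principals that are invalid in `region`."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        actions = stmt.get("Action", [])  # IAM allows a string or a list here
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        for principal in ([services] if isinstance(services, str) else services):
            expected = expected_principal(principal.split(".")[0], region)
            if expected is not None and principal != expected:  # unknown services are skipped
                findings.append((principal, expected))
    return findings

# Constructed sample: a trust policy written for a standard (non-China) region.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["lambda.amazonaws.com", "logs.us-east-1.amazonaws.com", "sns.amazonaws.com"]}}]})
```

Calling check_trust_policy(SAMPLE_POLICY, "cn-north-1") reports the lambda and logs principals with their expected China-region forms, while the constant sns principal passes.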
SHIFT is going to GovCloud!
This latest release of SHIFT includes a lot of support for deployment into GovCloud and will soon be generally available to users in GovCloud. If you’d like to learn more about leveraging SHIFT in GovCloud or participate in our GovCloud BETA – please contact shift@digitalageexperts.com