Digital Age Experts, LLC

SHIFT Release – New Services, New Checks, and GovCloud

The latest update of SHIFT is a big one that includes new highly anticipated services and functionality, a brand new validation check for valid IAM Service Principals, and a BETA launch for SHIFT in GovCloud.  See below for details.

New services and functionality in SHIFT – Lambda and EC2 Tag on Create for Instances and EBS Volumes.

Lambda has been a much-anticipated service to finally be available in SHIFT for emulation in certain air-gapped regions.  This enables systems that leverage lambda in their architecture to test their configurations of their system and ensure they will operate as designed when deployed into target air-gapped regions.

The ability to Tag EC2 instances and EBS volumes on create is also available in SHIFT for emulation in certain air-gapped regions.  This feature applies specifically to the EC2 RunInstances Action with the TagSpecifications parameter.  This is a relatively large update as this enables common orchestration tools such as Terraform to operate without workarounds for creating EC2 Instances.  Typically, tools such as terraform tag EC2 instances and EBS volumes when being created, which is an AWS best practice. Prior, when this feature was unavailable, this would cause Terraform scripts to fail – forcing users to create workarounds.  Now that it is available, users can do away with these workarounds and be more in parity of their existing, commercial terraform scripts.

SHIFT gets a new validation check – IAM Service Principals

Did you know that IAM Service Principals are different in different regions?

If you are creating Service-linked Roles as part of your DevOps through Cloudformation, Terraform, or other means, you are likely creating an AssumeRolePolicyDocument with it.  This document typically is a single policy of sts:AssumeRole with a service principal that allows the role to be assumed by one or more services. See below.

{
 “Version”: “2012-10-17”,
 “Statement”: [
   {
     “Effect”: “Allow”,
     “Principal”: {
       “Service”: [
         “elasticmapreduce.amazonaws.com”,
         “datapipeline.amazonaws.com”
       ]
     },
     “Action”: “sts:AssumeRole”
   }
 ]
}

The above policy allows AWS’s EMR and DataPipeline services to assume this role.  However, if you attempted to use this policy in other AWS regions, such as certain AWS Asia regions or air-gapped regions there’s a good chance it will fail as they would be invalid principals.

service.amazonaws.com.cn

Additionally, the differences in service principals is not consistent, and thus requires specific testing to ensure validity.  This thread for the aws-cdk in github provides some examples – summarized below.

Services with a constant service principal:

  • sns.amazonaws.com
  • sqs.amazonaws.com

Services with a region-dependent service principal:

  • states.REGION.amazonaws.com

Services with a suffixed service principal:

  • lambda.amazonaws.com[.cn]
  • autoscaling.amazonaws.com[.cn]
  • application-autoscaling.amazonaws.com[.cn]
  • ec2.amazonaws.com[.cn]
  • events.amazonaws.com[.cn]

Services with region AND suffix:

  • logs.REGION.amazonaws.com[.cn]

Services that don’t follow a substitution pattern:

  • codedeploy.amazonaws.com -> codedeploy.cn-north-1.amazonaws.com.cn

These same inconsistencies exist in air-gapped regions as well.  Starting today with SHIFT, you can now test to ensure that your service principals are correct for your service-linked roles with our new Service Principal Check – the only platform on the market that can emulate and test for valid service principals and provided to our users at no cost.  

With this new check, this brings the total number of validation checks for air-gapped regions SHIFT performs on every single one of your systems calls and API requests to 11, over three times more than any other platforms.

SHIFT is going to GovCloud!

This latest release of SHIFT includes a lot of support for deployment into GovCloud and will soon be generally available to users in GovCloud.  If you’d like to learn more about leveraging SHIFT in GovCloud or participate in our GovCloud BETA – please contact shift@digitalageexperts.com

Leave a Reply

Close Menu