Category: Cloud

Cloud technology

Building a Serverless Event-Driven Architecture with AWS EventBridge, SQS, and Lambda

Posted on by Osama Mustafa in AWS, Cloud

In this blog, we’ll design a system where:

  1. Events (e.g., order placements, file uploads) are published to EventBridge.
  2. SQS queues act as durable buffers for downstream processing.
  3. Lambda functions consume events and take action (e.g., send notifications, update databases).

Architecture Overview

![EventBridge → SQS → Lambda Architecture]
(Visual: Producers → EventBridge → SQS → Lambda Consumers)

  1. Event Producers (e.g., API Gateway, S3, custom apps) emit events.
  2. EventBridge routes events to targets (e.g., SQS queues).
  3. SQS ensures reliable delivery and decoupling.
  4. Lambda processes events asynchronously.

Step-by-Step Implementation

1. Set Up an EventBridge Event Bus

Create a custom event bus (or use the default one):

aws events create-event-bus --name MyEventBus

2. Define an Event Rule to Route Events to SQS

Create a rule to forward events matching a pattern (e.g., order_placed) to an SQS queue:

aws events put-rule \
  --name "OrderPlacedRule" \
  --event-pattern '{"detail-type": ["order_placed"]}' \
  --event-bus-name "MyEventBus"

3. Create an SQS Queue and Link It to EventBridge

Create a queue and grant EventBridge permission to send messages:

aws sqs create-queue --queue-name OrderProcessingQueue

Attach the queue as a target to the EventBridge rule:

aws events put-targets \
  --rule "OrderPlacedRule" \
  --targets "Id"="OrderQueueTarget","Arn"="arn:aws:sqs:us-east-1:123456789012:OrderProcessingQueue" \
  --event-bus-name "MyEventBus"

4. Write a Lambda Function to Process SQS Messages

Create a Lambda function (process_order.py) to poll the queue and process orders:

import json
import boto3

def lambda_handler(event, context):
    for record in event['Records']:
        message = json.loads(record['body'])
        order_id = message['detail']['orderId']
        
        print(f"Processing order: {order_id}")
        # Add business logic (e.g., update DynamoDB, send SNS notification)
        
    return {"status": "processed"}

5. Configure SQS as a Lambda Trigger

In the AWS Console:

  • Go to Lambda → Add Trigger → SQS.
  • Select OrderProcessingQueue and set batch size (e.g., 10 messages per invocation).

6. Test the Flow

Emit a test event to EventBridge:

aws events put-events \
  --entries '[{
    "EventBusName": "MyEventBus",
    "Source": "my.app",
    "DetailType": "order_placed",
    "Detail": "{ \"orderId\": \"123\", \"amount\": 50 }"
  }]'

Verify the flow:

  1. EventBridge routes the event to SQS.
  2. Lambda picks up the message and logs:
Processing order: 123

Use Cases

  • Order processing (e.g., e-commerce workflows).
  • File upload pipelines (e.g., resize images after S3 upload).
  • Notifications (e.g., send emails/SMS for system events).

Enjoy
Thank you
Osama

Real-Time Data Processing with AWS Kinesis, Lambda, and DynamoDB

Posted on by Osama Mustafa in AWS, Cloud

Many applications today require real-time data processing—whether it’s for analytics, monitoring, or triggering actions. AWS provides powerful services like Amazon Kinesis for streaming data, AWS Lambda for serverless processing, and DynamoDB for scalable storage.

In this blog, we’ll build a real-time data pipeline that:

  1. Ingests streaming data (e.g., clickstream, IoT sensor data, or logs) using Kinesis Data Streams.
  2. Processes records in real-time using Lambda.
  3. Stores aggregated results in DynamoDB for querying.

Architecture Overview

![AWS Kinesis + Lambda + DynamoDB Architecture]
(Visual: Kinesis → Lambda → DynamoDB)

  1. Kinesis Data Stream – Captures high-velocity data.
  2. Lambda Function – Processes records as they arrive.
  3. DynamoDB Table – Stores aggregated results (e.g., counts, metrics).

Step-by-Step Implementation

1. Set Up a Kinesis Data Stream

Create a Kinesis stream to ingest data:

aws kinesis create-stream --stream-name ClickStream --shard-count 1

Producers (e.g., web apps, IoT devices) can send data like:

{
  "userId": "user123",
  "action": "click",
  "timestamp": "2024-05-20T12:00:00Z"
}

2. Create a Lambda Function to Process Streams

Write a Python Lambda function (process_stream.py) to:

  • Read records from Kinesis.
  • Aggregate data (e.g., count clicks per user).
  • Update DynamoDB.
import json
import boto3

dynamodb = boto3.resource('dynamodb')
table = dynamodb.Table('UserClicks')

def lambda_handler(event, context):
    for record in event['Records']:
        payload = json.loads(record['kinesis']['data'])
        user_id = payload['userId']
        
        # Update DynamoDB (increment click count)
        table.update_item(
            Key={'userId': user_id},
            UpdateExpression="ADD clicks :incr",
            ExpressionAttributeValues={':incr': 1}
        )
    return {"status": "success"}

3. Configure Lambda as a Kinesis Consumer

In the AWS Console:

  • Go to Lambda → Create Function → Python.
  • Add Kinesis as the trigger (select your stream).
  • Set batch size (e.g., 100 records per invocation).

4. Set Up DynamoDB for Aggregations

Create a table with userId as the primary key:

aws dynamodb create-table \
    --table-name UserClicks \
    --attribute-definitions AttributeName=userId,AttributeType=S \
    --key-schema AttributeName=userId,KeyType=HASH \
    --billing-mode PAY_PER_REQUEST

5. Test the Pipeline

Send test data to Kinesis:

aws kinesis put-record \
    --stream-name ClickStream \
    --data '{"userId": "user123", "action": "click"}' \
    --partition-key user123

Check DynamoDB for aggregated results:

aws dynamodb get-item --table-name UserClicks --key '{"userId": {"S": "user123"}}'

Output:

{ "userId": "user123", "clicks": 1 }

Use Cases

  • Real-time analytics (e.g., dashboard for user activity).
  • Fraud detection (trigger alerts for unusual patterns).
  • IoT monitoring (process sensor data in real-time).

Enjoy
Thank you
Osama

Building a Scalable Web Application Using AWS Lambda, API Gateway, and DynamoDB

Posted on by Osama Mustafa in AWS, Cloud

s?

Let’s imagine we want to build a To-Do List Application where users can:

  • Add tasks to their list.
  • View all tasks.
  • Mark tasks as completed.

We’ll use the following architecture:

  1. API Gateway to handle HTTP requests.
  2. Lambda Functions to process business logic.
  3. DynamoDB to store task data.

Step 1: Setting Up DynamoDB

First, we need a database to store our tasks. DynamoDB is an excellent choice because it scales automatically and provides low-latency access.

Creating a DynamoDB Table

  1. Open the AWS Management Console and navigate to DynamoDB .
  2. Click Create Table .
    • Table Name : TodoList
    • Primary Key : id (String)
  3. Enable Auto Scaling for read/write capacity units to ensure the table scales based on demand.

Sample Table Structure

id (Primary Key)task_namestatus
1Buy groceriesPending
2Read a bookCompleted

Step 2: Creating Lambda Functions

Next, we’ll create Lambda functions to handle CRUD operations for our To-Do List application.

Lambda Function: Create Task

This function will insert a new task into the TodoList table.

import json
import boto3

dynamodb = boto3.resource('dynamodb')
table = dynamodb.Table('TodoList')

def lambda_handler(event, context):
    # Extract task details from the event
    task_name = event['task_name']
    
    # Generate a unique ID for the task
    import uuid
    task_id = str(uuid.uuid4())
    
    # Insert the task into DynamoDB
    table.put_item(
        Item={
            'id': task_id,
            'task_name': task_name,
            'status': 'Pending'
        }
    )
    
    return {
        'statusCode': 200,
        'body': json.dumps({'message': 'Task created successfully!', 'task_id': task_id})
    }

Lambda Function: Get All Tasks

This function retrieves all tasks from the TodoList table.

import json
import boto3

dynamodb = boto3.resource('dynamodb')
table = dynamodb.Table('TodoList')

def lambda_handler(event, context):
    # Scan the DynamoDB table
    response = table.scan()
    
    # Return the list of tasks
    return {
        'statusCode': 200,
        'body': json.dumps(response['Items'])
    }

Lambda Function: Update Task Status

This function updates the status of a task (e.g., mark as completed).

import json
import boto3

dynamodb = boto3.resource('dynamodb')
table = dynamodb.Table('TodoList')

def lambda_handler(event, context):
    # Extract task ID and new status from the event
    task_id = event['id']
    new_status = event['status']
    
    # Update the task in DynamoDB
    table.update_item(
        Key={'id': task_id},
        UpdateExpression='SET #status = :new_status',
        ExpressionAttributeNames={'#status': 'status'},
        ExpressionAttributeValues={':new_status': new_status}
    )
    
    return {
        'statusCode': 200,
        'body': json.dumps({'message': 'Task updated successfully!'})
    }

Step 3: Configuring API Gateway

Now that we have our Lambda functions, we’ll expose them via API Gateway.

Steps to Set Up API Gateway

  1. Open the AWS Management Console and navigate to API Gateway .
  2. Click Create API and select HTTP API .
  3. Define the following routes:
    • POST /tasks : Maps to the “Create Task” Lambda function.
    • GET /tasks : Maps to the “Get All Tasks” Lambda function.
    • PUT /tasks/{id} : Maps to the “Update Task Status” Lambda function.
  4. Deploy the API and note the endpoint URL.

Step 4: Testing the Application

Once everything is set up, you can test the application using tools like Postman or cURL .

Example Requests

  1. Create a Task
curl -X POST https://<api-id>.execute-api.<region>.amazonaws.com/tasks \
-H "Content-Type: application/json" \
-d '{"task_name": "Buy groceries"}'

Get All Tasks

curl -X GET https://<api-id>.execute-api.<region>.amazonaws.com/tasks

Update Task Status

curl -X PUT https://<api-id>.execute-api.<region>.amazonaws.com/tasks/<task-id> \
-H "Content-Type: application/json" \
-d '{"status": "Completed"}'

Benefits of This Architecture

  1. Scalability : DynamoDB and Lambda automatically scale to handle varying loads.
  2. Cost Efficiency : You only pay for the compute time and storage you use.
  3. Low Maintenance : AWS manages the underlying infrastructure, reducing operational overhead.

Enjoy the cloud 😁
Osama

Setting up a High-Availability (HA) Architecture with OCI Load Balancer and Compute Instances

Posted on by Osama Mustafa in Cloud, OCI

Ensuring high availability (HA) for your applications is critical in today’s cloud-first environment. Oracle Cloud Infrastructure (OCI) provides robust tools such as Load Balancers and Compute Instances to help you create a resilient, highly available architecture for your applications. In this post, we’ll walk through the steps to set up an HA architecture using OCI Load Balancer with multiple compute instances across availability domains for fault tolerance.

Prerequisites

  • OCI Account: A working Oracle Cloud Infrastructure account.
  • OCI CLI: Installed and configured with necessary permissions.
  • Terraform: Installed and set up for provisioning infrastructure.
  • Basic knowledge of Load Balancers and Compute Instances in OCI.

Step 1: Set Up a Virtual Cloud Network (VCN)

A VCN is required to house your compute instances and load balancers. To begin, create a new VCN with subnets in different availability domains (ADs) for high availability.

Terraform Configuration (vcn.tf):

resource "oci_core_virtual_network" "vcn" {
  compartment_id = "<compartment_ocid>"
  cidr_block     = "10.0.0.0/16"
  display_name   = "HA-Virtual-Network"
}

resource "oci_core_subnet" "subnet1" {
  compartment_id      = "<compartment_ocid>"
  vcn_id              = oci_core_virtual_network.vcn.id
  cidr_block          = "10.0.1.0/24"
  availability_domain = "AD-1"
  display_name        = "HA-Subnet-AD1"
}

resource "oci_core_subnet" "subnet2" {
  compartment_id      = "<compartment_ocid>"
  vcn_id              = oci_core_virtual_network.vcn.id
  cidr_block          = "10.0.2.0/24"
  availability_domain = "AD-2"
  display_name        = "HA-Subnet-AD2"
}

Step 2: Provision Compute Instances

Create two compute instances (one in each subnet) to ensure redundancy.

Terraform Configuration (compute.tf):

resource "oci_core_instance" "instance1" {
  compartment_id = "<compartment_ocid>"
  availability_domain = "AD-1"
  shape = "VM.Standard2.1"
  display_name = "HA-Instance-1"
  
  create_vnic_details {
    subnet_id = oci_core_subnet.subnet1.id
    assign_public_ip = true
  }

  source_details {
    source_type = "image"
    source_id = "<image_ocid>"
  }
}

resource "oci_core_instance" "instance2" {
  compartment_id = "<compartment_ocid>"
  availability_domain = "AD-2"
  shape = "VM.Standard2.1"
  display_name = "HA-Instance-2"
  
  create_vnic_details {
    subnet_id = oci_core_subnet.subnet2.id
    assign_public_ip = true
  }

  source_details {
    source_type = "image"
    source_id = "<image_ocid>"
  }
}

Step 3: Set Up the OCI Load Balancer

Now, configure the OCI Load Balancer to distribute traffic between the compute instances in both availability domains.

Terraform Configuration (load_balancer.tf):

resource "oci_load_balancer_load_balancer" "ha_lb" {
  compartment_id = "<compartment_ocid>"
  display_name   = "HA-Load-Balancer"
  shape           = "100Mbps"

  subnet_ids = [
    oci_core_subnet.subnet1.id,
    oci_core_subnet.subnet2.id
  ]

  backend_sets {
    name = "backend-set-1"

    backends {
      ip_address = oci_core_instance.instance1.private_ip
      port = 80
    }

    backends {
      ip_address = oci_core_instance.instance2.private_ip
      port = 80
    }

    policy = "ROUND_ROBIN"
    health_checker {
      port = 80
      protocol = "HTTP"
      url_path = "/health"
      retries = 3
      timeout_in_seconds = 10
      interval_in_seconds = 5
    }
  }
}

resource "oci_load_balancer_listener" "ha_listener" {
  load_balancer_id = oci_load_balancer_load_balancer.ha_lb.id
  name = "http-listener"
  default_backend_set_name = "backend-set-1"
  port = 80
  protocol = "HTTP"
}

Step 4: Set Up Health Checks for High Availability

Health checks are critical to ensure that the load balancer sends traffic only to healthy instances. The health check configuration is included in the backend set definition above, but you can customize it as needed.
Step 5: Testing and Validation

Once all resources are provisioned, test the HA architecture:

Verify Load Balancer Health: Ensure that the backend instances are marked as healthy by checking the load balancer’s health checks.

oci load-balancer backend-set get --load-balancer-id <load_balancer_id> --name backend-set-1
  1. Access the Application: Test accessing your application through the Load Balancer’s public IP. The Load Balancer should evenly distribute traffic across the two compute instances.
  2. Failover Testing: Manually shut down one of the instances to verify that the Load Balancer reroutes traffic to the other instance.

Automating Oracle Cloud Networking with OCI Service Gateway and Terraform

Posted on by Osama Mustafa in Cloud, OCI

Oracle Cloud Infrastructure (OCI) offers a wide range of services that enable users to create secure, scalable cloud environments. One crucial aspect of a cloud deployment is ensuring secure connectivity between services without relying on public internet access. In this blog post, we’ll walk through how to set up and manage OCI Service Gateway for secure, private access to OCI services using Terraform. This step-by-step guide is intended for cloud engineers looking to leverage automation to create robust networking configurations in OCI.

Step 1: Setting up Your Environment

Before deploying the OCI Service Gateway and other networking components with Terraform, you need to set up a few prerequisites:

  1. Terraform Installation: Make sure Terraform is installed on your local machine. You can download it from Terraform’s official site.
  2. OCI CLI and API Key: Install the OCI CLI and set up your authentication key. The key must be configured in your OCI console.
  3. OCI Terraform Provider: You will also need to download the OCI Terraform provider by adding the following configuration to your provider.tf file:
provider "oci" {
  tenancy_ocid     = "<TENANCY_OCID>"
  user_ocid        = "<USER_OCID>"
  fingerprint      = "<FINGERPRINT>"
  private_key_path = "<PRIVATE_KEY_PATH>"
  region           = "us-ashburn-1"
}

Step 2: Defining the Infrastructure

The key to deploying the Service Gateway and related infrastructure is defining the resources in a main.tf file. Below is an example to create a VCN, subnets, and a Service Gateway:

resource "oci_core_vcn" "example_vcn" {
  cidr_block     = "10.0.0.0/16"
  compartment_id = "<COMPARTMENT_OCID>"
  display_name   = "example-vcn"
}

resource "oci_core_subnet" "example_subnet" {
  vcn_id             = oci_core_vcn.example_vcn.id
  compartment_id     = "<COMPARTMENT_OCID>"
  cidr_block         = "10.0.1.0/24"
  availability_domain = "<AVAILABILITY_DOMAIN>"
  display_name       = "example-subnet"
  prohibit_public_ip_on_vnic = true
}

resource "oci_core_service_gateway" "example_service_gateway" {
  vcn_id         = oci_core_vcn.example_vcn.id
  compartment_id = "<COMPARTMENT_OCID>"
  services {
    service_id = "all-oracle-services-in-region"
  }
  display_name  = "example-service-gateway"
}

resource "oci_core_route_table" "example_route_table" {
  vcn_id         = oci_core_vcn.example_vcn.id
  compartment_id = "<COMPARTMENT_OCID>"
  display_name   = "example-route-table"
  route_rules {
    destination       = "all-oracle-services-in-region"
    destination_type  = "SERVICE_CIDR_BLOCK"
    network_entity_id = oci_core_service_gateway.example_service_gateway.id
  }
}

Explanation:

  • oci_core_vcn: Defines the Virtual Cloud Network (VCN) where all resources will reside.
  • oci_core_subnet: Creates a subnet within the VCN to host compute instances or other resources.
  • oci_core_service_gateway: Configures a Service Gateway to allow private access to Oracle services such as Object Storage.
  • oci_core_route_table: Configures the route table to direct traffic through the Service Gateway for services within OCI.

Step 3: Variables for Reusability

To make the code reusable, it’s best to define variables in a variables.tf file:

variable "compartment_ocid" {
  description = "The OCID of the compartment to create resources in"
  type        = string
}

variable "availability_domain" {
  description = "The Availability Domain to launch resources in"
  type        = string
}

variable "vcn_cidr" {
  description = "The CIDR block for the VCN"
  type        = string
  default     = "10.0.0.0/16"
}

This allows you to easily modify parameters like compartment ID, availability domain, and VCN CIDR without touching the core logic.

Step 4: Running the Terraform Script

  1. Initialize TerraformTo start using Terraform with OCI, initialize your working directory using:
terraform init
  1. This command downloads the necessary providers and prepares your environment.
  2. Plan the DeploymentBefore applying changes, always run the terraform plan command. This will provide an overview of what resources will be created.
terraform plan -var-file="config.tfvars"

Apply the Changes

Once you’re confident with the plan, apply it to create your Service Gateway and networking resources:

terraform apply -var-file="config.tfvars"

Step 5: Verification

After deployment, you can verify your resources via the OCI Console. Navigate to Networking > Virtual Cloud Networks to see your VCN, subnets, and the Service Gateway. You can also validate the route table settings to ensure that the traffic routes correctly to Oracle services.

Step 6: Destroy the Infrastructure

To clean up the resources and avoid any unwanted charges, you can use the terraform destroy command:

terraform destroy -var-file="config.tfvars"

Regards
Osama

Automating Block Volume Backups in Oracle Cloud Infrastructure (OCI) using CLI and Terraform

Posted on by Osama Mustafa in Cloud, OCI

Briefly introduce the importance of block volumes in OCI and why automated backups are essential.Mention that this blog will cover two methods: using the OCI CLI and Terraform for automation.

Automating Block Volume Backups using OCI CLI

Prerequisites:

  • Set up OCI CLI on your machine (brief steps with links).
  • Ensure that you have the right permissions to manage block volumes.

Step-by-step guide:

  • Command to create a block volume
oci bv volume create --compartment-id <your_compartment_ocid> --availability-domain <your_ad> --display-name "MyVolume" --size-in-gbs 50

Command to take a backup of the block volume:

oci bv backup create --volume-id <your_volume_ocid> --display-name "MyVolumeBackup"

Scheduling backups using cron jobs for automation.

  • Example cron job configuration
0 2 * * * /usr/local/bin/oci bv backup create --volume-id <your_volume_ocid> --display-name "ScheduledBackup" >> /var/log/oci_backup.log 2>&1

Automating Block Volume Backups using Terraform

Prerequisites

  1. OCI Credentials: Make sure you have the proper API keys and permissions configured in your OCI tenancy.
  2. Terraform Setup: Terraform should be installed and configured to interact with OCI, including the OCI provider setup in your environment.
Step 1: Define the OCI Block Volume Resource

First, define the block volume that you want to automate backups for. Here’s an example of a simple block volume resource in Terraform:

resource "oci_core_volume" "my_block_volume" {
  availability_domain = "your-availability-domain"
  compartment_id      = "ocid1.compartment.oc1..your-compartment-id"
  display_name        = "my_block_volume"
  size_in_gbs         = 50
}
Step 2: Define a Backup Policy

OCI provides predefined backup policies such as gold, silver, and bronze, which define how frequently backups are taken. You can create a custom backup policy as well, but for simplicity, we’ll use one of the predefined policies in this example. The Terraform resource oci_core_volume_backup_policy_assignment will assign a backup policy to the block volume.

Here’s an example to assign the gold backup policy to the block volume:

resource "oci_core_volume_backup_policy_assignment" "backup_assignment" {
  volume_id       = oci_core_volume.my_block_volume.id
  policy_id       = data.oci_core_volume_backup_policy.gold.id
}

data "oci_core_volume_backup_policy" "gold" {
  name = "gold"
}
Step 3: Custom Backup Policy (Optional)

If you need a custom backup policy rather than using the predefined gold, silver, or bronze policies, you can define a custom backup policy using OCI’s native scheduling.

You can create a custom schedule by combining these elements in your oci_core_volume_backup_policy resource.

resource "oci_core_volume_backup_policy" "custom_backup_policy" {
  compartment_id = "ocid1.compartment.oc1..your-compartment-id"
  display_name   = "CustomBackupPolicy"

  schedules {
    backup_type = "INCREMENTAL"
    period      = "ONE_DAY"
    retention_duration = "THIRTY_DAYS"
  }

  schedules {
    backup_type = "FULL"
    period      = "ONE_WEEK"
    retention_duration = "NINETY_DAYS"
  }
}

You can then assign this policy to the block volume using the same method as earlier.

Step 4: Apply the Terraform Configuration

Once your Terraform configuration is ready, apply it using the standard Terraform workflow:

  1. Initialize Terraform:
terraform init

Plan the Terraform deployment:

terraform plan

Apply the Terraform plan:

terraform apply

This process will automatically provision your block volumes and assign the specified backup policy.



Regards
Osama

Building a Secure and Scalable Serverless Application on AWS with AWS CLI

Posted on by Osama Mustafa in AWS, Cloud

Serverless architecture on AWS provides a highly scalable, cost-efficient way to build applications without worrying about the underlying infrastructure. In this blog, we’ll guide you through creating a secure and scalable serverless application on AWS using AWS CLI commands.

etting Up the AWS CLI

To interact with AWS services, you’ll need the AWS CLI installed and configured on your system.

  1. Install AWS CLI:
pip install awscli

Configure AWS CLI:

aws configure

You’ll be prompted to enter your AWS Access Key, Secret Key, region, and output format.

3. Designing and Deploying a Serverless Application

Architecture Overview

We’ll build a simple serverless web application using AWS Lambda, API Gateway, DynamoDB, and S3.

Creating an S3 Bucket

Store static content like HTML, CSS, and JavaScript files in S3.

aws s3 mb s3://my-serverless-app-bucket

Upload files:

aws s3 cp index.html s3://my-serverless-app-bucket

Creating a DynamoDB Table

Store application data in DynamoDB.

aws dynamodb create-table \
    --table-name Users \
    --attribute-definitions AttributeName=UserID,AttributeType=S \
    --key-schema AttributeName=UserID,KeyType=HASH \
    --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5

Deploying a Lambda Function

Create a Lambda function that handles backend logic.

  1. Create a deployment package (ZIP) with your code.
zip function.zip index.js

Create the Lambda function:

aws lambda create-function \
    --function-name MyServerlessFunction \
    --runtime nodejs14.x \
    --role arn:aws:iam::123456789012:role/lambda-ex \
    --handler index.handler \
    --zip-file fileb://function.zip

Setting Up API Gateway

Create an API to expose the Lambda function.

aws apigateway create-rest-api \
    --name 'MyServerlessAPI' \
    --description 'API for my serverless app'

Deploying the Application

Now, deploy the API using AWS CLI.

  1. Create a deployment stage:
aws apigateway create-deployment \
    --rest-api-id 1234567890 \
    --stage-name prod
  1. Test your API by invoking the endpoint.
curl https://{api-id}.execute-api.{region}.amazonaws.com/prod

Securing the Serverless Application

IAM Roles and Policies

Ensure your Lambda function has the appropriate permissions by attaching a policy to its role.

aws iam attach-role-policy \
    --role-name lambda-ex \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Encrypting DynamoDB Data

Enable server-side encryption for your DynamoDB table.

aws dynamodb update-table \
    --table-name Users \
    --sse-specification Enabled=true

Monitoring and Logging

Use AWS CloudWatch for monitoring your Lambda function.

Setting Up CloudWatch Logs

Ensure your Lambda function is logging correctly.

aws logs describe-log-streams --log-group-name /aws/lambda/MyServerlessFunction

Setting Up CloudWatch Alarms

Create an alarm to monitor the invocation errors.

aws cloudwatch put-metric-alarm \
    --alarm-name LambdaErrorAlarm \
    --metric-name Errors \
    --namespace AWS/Lambda \
    --statistic Sum \
    --period 300 \
    --threshold 1 \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --dimensions Name=FunctionName,Value=MyServerlessFunction \
    --evaluation-periods 1 \
    --alarm-actions arn:aws:sns:us-east-1:123456789012:NotifyMe

Regards
osama

Implementing Zero Trust Architecture in OCI

Posted on by Osama Mustafa in Cloud, OCI

In this blog, we will explore how to implement a Zero Trust architecture in Oracle Cloud Infrastructure (OCI). We’ll cover key principles of Zero Trust, configuring identity and access management, securing the network, and monitoring for continuous security assurance.

Introduction to Zero Trust Architecture

  • Overview of Zero Trust principles: “Never trust, always verify.”
  • Importance of Zero Trust in modern cloud environments.
  • Key components: Identity, network, data, device, and workloads.

Identity and Access Management (IAM) in OCI

Configuring IAM for Zero Trust

  1. Set Up OCI IAM:
    • Use OCI IAM to manage identities and enforce strict authentication.
    • Configure Multi-Factor Authentication (MFA) for all users.
  2. Conditional Access Policies:
    • Implement policies that require additional verification for high-risk actions.

Securing OCI Network with Micro-Segmentation

Implementing Micro-Segmentation

  1. VCN and Subnet Segmentation:
    • Create Virtual Cloud Networks (VCNs) and segment your network by function, sensitivity, and environment.
  2. Network Security Groups (NSGs):
    • Apply Network Security Groups to enforce micro-segmentation policies within your VCN.

Implementing Least Privilege Access

Access Control Policies

  1. Define Fine-Grained IAM Policies:
    • Use OCI IAM to define least privilege policies that restrict user and service access based on specific needs.
  2. Role-Based Access Control (RBAC):
    • Implement RBAC to ensure users have only the permissions necessary for their roles.

Continuous Monitoring and Threat Detection

Monitoring with Oracle Cloud Guard

  1. Enable Cloud Guard:
    • Use Oracle Cloud Guard to monitor and automatically respond to potential security threats.
  2. Logging and Auditing:
    • Enable OCI Logging and Audit services to keep track of all access and configuration changes.
  3. Integrate with SIEM:
    • Integrate with Security Information and Event Management (SIEM) tools for comprehensive threat detection and incident response.

Integrating with Third-Party Security Tools

Using External Security Services

  1. Integrate Third-Party Identity Providers:
    • Use OCI’s integration capabilities to bring in third-party identity providers like Okta or Azure AD.
  2. Connect with External Threat Detection Services:
    • Utilize third-party threat detection tools for enhanced monitoring and incident response.

Regards
Osama

Enhancing Security with OCI Vault for Secrets Management

Posted on by Osama Mustafa in Cloud, OCI

This blog will explore how to enhance the security of your Oracle Cloud Infrastructure (OCI) applications by implementing OCI Vault for secrets management. We’ll cover setting up OCI Vault, managing secrets and encryption keys, integrating with other OCI services, and best practices for secure secrets management.

Setting Up OCI Vault

Create a Vault:

  • Navigate to the OCI Console, go to “Security,” and select “Vault.”
  • Click “Create Vault,” name it, choose the compartment, and select the type (Virtual Private Vault for added security).
  • Define backup and key rotation policies.

Create Keys:

  • Within the Vault, select “Create Key.”
  • Define the key’s attributes (e.g., name, algorithm, key length) and create the key.

Create Secrets:

  • Navigate to the “Secrets” section within the Vault.
  • Click “Create Secret,” provide a name, and input the secret data (e.g., API keys, passwords).
  • Choose the encryption key you created earlier for securing the secret.

Managing Secrets and Encryption Keys

Rotating Keys and Secrets

  • Configure automatic rotation for encryption keys and secrets based on your organization’s security policies.
  • Rotate secrets manually as needed via the OCI Console or CLI.

Access Controls

  • Use OCI Identity and Access Management (IAM) to define who can access the Vault, keys, and secrets.
  • Implement fine-grained permissions to control access to specific secrets or keys.

Integrating OCI Vault with Other Services

OCI Compute

  • Securely inject secrets into OCI Compute instances at runtime using OCI Vault.
  • Example: Retrieve a database password from OCI Vault within a Compute instance using an SDK or CLI.

OCI Kubernetes (OKE)

  • Integrate OCI Vault with OKE for managing secrets in containerized applications.
  • Example: Use a sidecar container to fetch secrets from OCI Vault and inject them into application pods.

Automating Secrets Management

Using Terraform

  • Automate the creation and management of OCI Vault, keys, and secrets using Terraform.
  • Example Terraform snippet for creating a secret:
resource "oci_kms_vault" "example_vault" {
  compartment_id = var.compartment_id
  display_name   = "example_vault"
  vault_type     = "DEFAULT"
}

resource "oci_kms_key" "example_key" {
  management_endpoint = oci_kms_vault.example_vault.management_endpoint
  key_shape {
    algorithm = "AES"
    length    = 256
  }
}

resource "oci_secrets_secret" "example_secret" {
  compartment_id = var.compartment_id
  vault_id       = oci_kms_vault.example_vault.id
  key_id         = oci_kms_key.example_key.id
  secret_content {
    content = base64encode("super_secret_value")
  }
}

Using OCI SDKs

  • Programmatically manage secrets with OCI SDKs in languages like Python, Java, or Go.
  • Example: Retrieve a secret in Python:
import oci

config = oci.config.from_file("~/.oci/config", "DEFAULT")
secrets_client = oci.secrets.SecretsClient(config)
secret_id = "<your_secret_ocid>"
response = secrets_client.get_secret_bundle(secret_id)
secret_content = response.data.secret_bundle_content.content.decode("utf-8")

Notes

  • Regularly rotate encryption keys and secrets to minimize exposure.
  • Implement least privilege access controls using OCI IAM.
  • Enable auditing and logging for all key and secret management activities.
  • Use the Virtual Private Vault for sensitive data requiring higher security levels.

Implementing Multi-Region Resiliency with OCI Load Balancer

Posted on by Osama Mustafa in Cloud, OCI

This blog will focus on building a highly resilient and globally available architecture using Oracle Cloud Infrastructure (OCI) Load Balancer. We’ll cover setting up a multi-region architecture, configuring global load balancing, and managing failover to ensure uninterrupted service availability.

Introduction to Multi-Region Resiliency

  • Overview of multi-region architecture benefits.
  • Importance of global availability and disaster recovery in cloud deployments.

2. Setting Up OCI Load Balancer

Step-by-Step Configuration

  1. Create Load Balancer:
    • Navigate to the OCI Console and access the Load Balancer service.
    • Select the load balancer type (public or private), and configure the backend sets and listeners.
  2. Configure Health Checks:
    • Set up health checks for backend servers to ensure only healthy instances receive traffic.

3. Configuring Global Load Balancing

Cross-Region Load Balancing

  • Set up load balancers in multiple OCI regions.
  • Configure policies to distribute traffic across regions based on proximity, load, or other factors.

4. Implementing DNS Failover

Using OCI DNS

  • Set up DNS zones and records for your application.
  • Implement DNS failover to route traffic to the next healthy region in case of failure.

5. Monitoring and Managing Traffic

Using OCI Monitoring

  • Monitor traffic distribution and load balancer performance using OCI Monitoring.
  • Set up alerts for traffic spikes or health check failures.

6. Optimizing for Performance and Cost

  • Use auto-scaling to adjust the number of backend instances based on demand.
  • Implement cost-saving strategies, such as traffic routing based on regional costs.

Regards
osama