Robert Kruk IT Professional

AWS PostgreSQL Demo - Database Audit Trail Solution

Robert Kruk — Thu, 11 Sep 2025 01:00:00 GMT

AWS PostgreSQL Demo Project

The Problem: "Who Accessed The Database?"

When your database audit trail looks like this...

I built an AWS PostgreSQL demonstration that solves the critical question: "Who accessed what data and when?" This project addresses the common issue of shared database credentials where multiple engineers use the same login, making it impossible to trace individual database actions or maintain proper audit trails.

🚀 Full Project Details

View the complete project →

The project page includes:

🎬 Live demo videos showing PII masking and audit trails
📊 Architecture diagrams with detailed explanations
🔧 Step-by-step setup instructions
💡 Security best practices and recommendations
📝 Complete documentation for replication

Quick Overview

What it demonstrates:

AWS Aurora PostgreSQL Serverless with PGaudit logging
Individual accountability through unique database logins
PII data masking for internal engineers
Complete audit trails streamed to CloudWatch
Infrastructure as Code using AWS CDK

Key benefits:

✅ Track who accessed what data and when
✅ Enhanced security and compliance posture
✅ Individual engineer accountability
✅ Automated infrastructure deployment
✅ Cost-effective serverless architecture

Repository

GitHub Repository →

Note: Remember to run npx cdk destroy after testing to avoid ongoing AWS charges! {: .prompt-warning }

Boosting AWS ECS Load Time

Robert Kruk — Wed, 24 May 2023 07:12:01 GMT

Recently I was using ECS on AWS with attached EFS storage, running a spikey workload. We encountered challenges with slow load times and redeployment issues, which we resolved by implementing Elastic Throughput mode for EFS.

The Problem: Slow Storage Layer

After a thorough examination, we noticed that while our ECS instance seemed to function properly during regular operations, it encountered significant challenges during redeployments. These issues manifested as prolonged load times and deployment complications. In certain cases, the ECS instance would even become trapped in a death loop, repeatedly failing health checks upon service restarts. Our investigation revealed that the root cause of these problems lay within the EFS storage layer. Specifically, the default Burst mode, which imposed throughput limitations determined by the file system's size, was leading to delays and performance bottlenecks within our application.

Bursting throughput utilization was reaching its limits.

The Solution: Elastic Throughput Mode

To address the issue, we decided to leverage Elastic Throughput mode for EFS, as recommended by AWS for workloads with unpredictable or spiky characteristics. This mode dynamically adjusts the throughput based on network traffic and the stored data volume. Further details can be found here: https://docs.aws.amazon.com/efs/latest/ug/performance.html#throughput-modes

By utilizing Elastic Throughput, we no longer encounter any "utilization warning."

The Results: Improved Load Time and Redeployment

Upon configuring EFS to use Elastic Throughput mode, we witnessed a substantial enhancement in load and redeployment times. The ECS task now takes approximately 8 minutes to redeploy, compared to over 15 minutes previously. Additionally, the web gateway (service) restart time matches the ECS task boot time at around 2.5 minutes. We have also eliminated any issues with the health check or the ECS task terminating itself.

Conclusion - EFS Elastic Mode for the Win

We are extremely pleased with the positive outcomes resulting from the adoption of Elastic Throughput mode for EFS. It has significantly reduced our load and redeployment times by nearly half while enhancing application reliability and performance. If you are utilizing AWS ECS with EFS storage and spikey workloads, we highly recommend exploring this (Elastic Throughput) mode and experiencing the difference firsthand.

Conecting to AWS CodeCommit using SSO

Robert Kruk — Wed, 09 Jun 2021 01:23:01 GMT

AWS CodeCommit using SSO

Using this method, you can quickly and easily switch between GIT repositories owned by different groups or even managed in separate AWS accounts.

User access is controlled with federated login via AWS SSO
You can grant access using AWS native authentication, which eliminates the need for a Git credential helper, SSH, and GPG keys.
Allows the administrator to control access by adding or removing the user’s IAM role access

Overview

SRC: https://aws.amazon.com/blogs/devops/federated-multi-account-access-for-aws-codecommit/

(!) This guide assumes you already have SSO access and permissions setup

Instructions

There are prerequisites to be installed on the local machine.

Prerequisites

Python 3.6 or higher installed on the developer’s local machine.
- See the Python website.
- For Mac OSX see the following GitHub repo.
Git installed on your local machine.
- To download Git, see Git Downloads.
PIP version 9.0.3 or higher installed on your local machine.
- For instructions, see Installation on the PIP website.
AWS CLI - AWS Command Line Interface - AWS CLI v2 can easily be installed on most standard platforms:
MacOS pkg installer
Linux executable installer
Windows MSI installer
You can find more detailed installation instructions here
Alternatively,
- you can use PIP - awscli · PyPI - pip install awscli
- or use homebrew (OSX only) - brew install awscli

Enable is AWS SSO login from the AWS Command Line Interface (AWS CLI) on our local machine.

Run the following command from the AWS CLI.

aws configure sso
SSO start URL [None]: start>
SSO region [None]: ap-southeast-2

You’re redirected to your default browser.
1. Sign in and you should see the following

When you return to the CLI, you must choose your account. See the following code example:

There are 2 AWS accounts available to you.
> DeveloperResearch, developer-account-admin@example.com (123456789123)
DeveloperTrading, trading-account-admin@example.com (123456789444)

Choose the account with your CodeCommit repository; e.g. Pick DeveloperResearch

DeveloperResearch, developer-account-admin@example.com (123456789123)

Next, you see the permissions sets available to you in the account you just picked

Using the account ID 123456789123
There are 2 roles available to you.
> ReadOnly
CodeCommitDeveloperAccess

Enter the following

CLI default client Region [None]: ap-southeast-2
CLI default output format [None]: json
CLI profile name [123456789011_ReadOnly]: DevResearch-profile

Repeat these steps for each AWS account you want to access.
Your ~/user/.aws/config file will look something like the following:-

[profile DevResearch] sso_start_url = https://domain-aws.awsapps.com/start sso_region = ap-southeast-2 sso_account_id = 123456789123 sso_role_name = DeveloperResearch region = ap-southeast-2 output = json

(i) Now that we have CLI and SSO installed and set up, we just need to install the recently released git-remote-codecommit and start working with our Git repositories!

Installing git-remote-codecommit

Install git-remote-codecommit with the following code:

pip install git-remote-codecommit

Clone the code from one of your repositories. For this use case, my CodeCommit repository is named aws-foo-repo.

git clone codecommit://DevResearch@aws-foo-repo aws-foo-repo
Cloning into 'aws-foo-repo'...
remote: Counting objects: 4597, done.
Receiving objects: 100% (4597/4597), 19.84 MiB | 2.61 MiB/s, done.
Resolving deltas: 100% (2910/2910), done.

You can also now perform CLI using --profile DevResearch; e.g.

aws s3 ls --profile DevResearch

You can also integrate into VisualStudio Code

No drama lama

Robert Kruk — Thu, 22 Apr 2021 08:53:50 GMT

No dramas

Lets bee friends...

Robert Kruk — Fri, 16 Apr 2021 05:31:49 GMT

Today I saved a native bee 🐝 that was stuck inside….

Video

In return I received two jars of honey 🍯 from @beeonethird #lawofattraction #honey #serendipity BeeOneThird

Exit...

Robert Kruk — Thu, 15 Apr 2021 01:37:17 GMT

---> exit this way <---

Hello World!

Robert Kruk — Wed, 14 Apr 2021 10:07:20 GMT

This is a test

Hello World