EC2 Getting Hands Dirty

  Amazon Web Services (AWS)

Part 1: Creating an EC2 Instance

https://www.udemy.com/aws-certified-solutions-architect-associate/learn/v4/t/lecture/2050666?start=0

Definitions

AMI: Amazon Machine Image. The template an instance boots from: operating system, pre-installed software and the snapshot(s) of its volumes. Roughly like an ISO or a golden VM image.

Instructions

Log into AWS dashboard and select a Region.

  • Not all products are available in all Regions.

[Launch Instance] to start configuring the VM.

Step 1: Choose an Amazon Machine Image (AMI)

  • Amazon Linux AMI
  • [Select]

Step 2: Choose an Instance Type

  • [X] t2.micro (1 vCPU, 1 GiB RAM, Free Tier eligible)
  • [Next: Configure Instance Details]

Step 3: Configure Instance Details

  • # of instances = 1
  • Pricing Options [ ] Spot (Enables spot configuration options)
  • Leave most default except:
    • Enable Termination Protection
      • [X] (Optional)
      • If this option is enabled, it must be disabled before you can terminate the instance.
    • Tenancy
      • Shared – Run a Shared Hardware Instance (Pay by the hour)
  • [Next: Add Storage]

Step 4: Add Storage

  • 8 GiB gp2 (General Purpose SSD)
  • [X] Delete on Termination (Deletes the storage when the instance is terminated)
  • Encryption
    • As taught in this course: you cannot encrypt the root volume of a default (AWS-supplied) AMI at launch.
    • You can get an encrypted root volume on a custom AMI by
      • copying an existing AMI and encrypting the copy (the snapshot is re-encrypted during the copy), or
      • using the API, or
      • encrypting inside the guest with 3rd-party software such as BitLocker on Windows.
    • You can encrypt any additional (non-root) volumes without issue.
    • Caveat: AWS has since added launch-time encryption of root EBS volumes and an account-level "encrypt new EBS volumes by default" setting, so in the current console this restriction no longer applies. Copy-and-encrypt is still how you encrypt an AMI that already exists unencrypted.
  • [Next: Add Tags]

 

Step 5: Add Tags (9:00)

  • Add as many tags as you can!  They are there to help you control costs and can be used for tracking ownership.
  • Tags are entered as Key = Value pairs; keep keys to a single word. Keys are case-sensitive (Name and name are different tags), each resource can carry up to 50 tags, keys are limited to 128 characters and values to 256, and the aws: prefix is reserved for AWS-generated tags.
  • Tag examples:
    • Name = MyEC2Instance (the console shows this one as the instance name)
    • Department
    • Team
    • StaffID (instance creator's employee ID)
  • [Next: Configure Security Group]
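A small checker that enforces the tagging convention above, added here as an example (it is not part of the course and not AWS code). REQUIRED_KEYS is this page's suggested set, not an AWS rule; the per-resource limits it checks (50 tags, 128-character keys, 256-character values, the reserved aws: prefix, case-sensitive keys) are AWS's documented ones. The sample tag sets at the bottom are constructed.

```python
"""Tag checker for the tagging convention in Step 5.
Added example: REQUIRED_KEYS is this page's convention, not an AWS requirement;
the limits (50 tags, 128-char keys, 256-char values, reserved aws: prefix,
case-sensitive keys) are AWS's."""

REQUIRED_KEYS = ("Name", "Department", "Team", "StaffID")
MAX_TAGS, MAX_KEY_LEN, MAX_VALUE_LEN = 50, 128, 256


def parse_tags(lines):
    """Turn 'Key=Value' lines (one tag per line) into a dict; keys keep their case."""
    tags = {}
    for line in lines:
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key:
            raise ValueError(f"not a Key=Value pair: {line!r}")
        if key in tags:
            raise ValueError(f"duplicate tag key: {key!r}")
        tags[key] = value.strip()
    return tags


def tag_errors(tags):
    """Return the list of problems with a tag dict; an empty list means it passes."""
    errors = []
    if len(tags) > MAX_TAGS:
        errors.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS}")
    for key, value in tags.items():
        if len(key) > MAX_KEY_LEN:
            errors.append(f"key too long: {key[:20]}...")
        if len(value) > MAX_VALUE_LEN:
            errors.append(f"value too long for {key}")
        if key.lower().startswith("aws:"):
            errors.append(f"{key}: the aws: prefix is reserved for AWS-generated tags")
    for required in REQUIRED_KEYS:
        if required not in tags:  # exact, case-sensitive match: 'name' is not 'Name'
            errors.append(f"missing required tag {required}")
    return errors


# Constructed samples: one compliant tag set, one the convention should reject.
GOOD = parse_tags(["Name=MyEC2Instance", "Department=Engineering",
                   "Team=WebHeads", "StaffID=E12345"])
BAD = parse_tags(["name=MyEC2Instance", "aws:created-by=me", "Team=WebHeads"])

if __name__ == "__main__":
    print("GOOD:", tag_errors(GOOD) or "ok")
    for problem in tag_errors(BAD):
        print("BAD: ", problem)
```

Run it before launching (or in a pipeline that tags instances) and refuse the launch when tag_errors() is non-empty; the case-sensitivity check is the one people trip over most, because name and Name both show up as separate tags in the cost reports.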

Step 6: Configure Security Group

  • Security Groups (SGs) are simple virtual firewalls attached to the instance's network interface.
  • SGs can ONLY be configured to ALLOW traffic; they cannot DENY.
    • To deny traffic explicitly, use a Network Access Control List (NACL) on the subnet. NACLs are STATELESS, with numbered rules evaluated lowest number first; the first match wins.
  • By default:
    • All inbound traffic is DENIED.
      • Rules must be created to allow desired traffic.
    • All outbound traffic is ALLOWED.
  • All rules are STATEFUL.
    • If a request is allowed in by an inbound rule, the response to it is allowed back out automatically, regardless of the outbound rules (and vice versa). It does NOT mean the port is opened for new connections in the other direction.
  • Sources are entered in CIDR notation x.x.x.x/x (use /32 for a single host), or as the ID of another security group.
  • Multiple SGs can be applied to an EC2 instance.
    • Since SGs only allow, the effective rule set is the union of all attached groups: anything any one of them allows gets in.
  • Multiple EC2 instances can share the same SGs.
  • Any change to an SG takes effect IMMEDIATELY on every instance that uses it.
  • Every VPC comes with a DEFAULT SG. Its inbound rule allows all traffic from other instances that are also in the default SG (the rule references the group itself). SGs belong to one VPC in one region, so this never spans regions.
  • To add an additional SG to an instance:
    • Actions > Networking > Change Security Groups
  • [Review and Launch]
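To make the allow-only, stateful, union-of-groups semantics above concrete, here is a small simulator, added here as an example; it is not code from the course or from AWS and it never calls the AWS API. The Rule type, the sg-web and sg-default IDs, the CIDR ranges and the rule sets are constructed sample data. It models the evaluation AWS documents: for security groups, a packet is allowed if any inbound rule in any attached group matches; for NACLs, numbered rules are tried lowest first, the first match decides, and an unmatched packet hits the implicit deny.

```python
"""Simulator for EC2 security-group and network-ACL rule evaluation.
Added example (not AWS code). IDs, CIDRs and rule sets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp", "udp" or "-1" (all traffic; ports are ignored)
    from_port: int
    to_port: int
    source: str       # CIDR block, or a security-group id (sender must be a member)


def _rule_matches(rule, proto, port, src_ip, src_groups):
    """True when a packet (proto, dst port, src ip, sender's SG memberships) hits the rule."""
    if rule.proto != "-1":
        if rule.proto != proto:
            return False
        if not rule.from_port <= port <= rule.to_port:
            return False
    if rule.source.startswith("sg-"):
        # SG-referencing rule: matched by the sender's group membership, not its IP.
        return rule.source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def sg_allows_inbound(attached, proto, port, src_ip, src_groups=frozenset()):
    """Security groups: allow-only, default deny inbound, union across attached groups."""
    return any(_rule_matches(r, proto, port, src_ip, src_groups)
               for rules in attached.values() for r in rules)


def sg_allows_reply(attached, proto, port, src_ip, src_groups=frozenset()):
    """Stateful: if the request was allowed in, its reply goes out whatever the
    outbound rules say. There is nothing else to evaluate."""
    return sg_allows_inbound(attached, proto, port, src_ip, src_groups)


def nacl_decision(rules, proto, port, ip):
    """Network ACLs: numbered rules, lowest first, first match wins, explicit DENY
    allowed, and the trailing '*' rule denies whatever nothing else matched."""
    for _number, rule, action in sorted(rules, key=lambda entry: entry[0]):
        if _rule_matches(rule, proto, port, ip, frozenset()):
            return action
    return "deny"


def nacl_allows_reply(outbound_rules, proto, ephemeral_port, client_ip):
    """Stateless: the reply to a request on port 80 leaves towards the client's
    ephemeral port and needs an OUTBOUND rule of its own."""
    return nacl_decision(outbound_rules, proto, ephemeral_port, client_ip) == "allow"


# ---- constructed sample data (hypothetical IDs and ranges) -------------------
ANY = "0.0.0.0/0"
WEB_SG = "sg-web"
DEFAULT_SG = "sg-default"

# Two groups attached to one instance: a web group plus the VPC default group.
INSTANCE_SGS = {
    WEB_SG: [
        Rule("tcp", 80, 80, ANY),                # HTTP from anywhere
        Rule("tcp", 22, 22, "203.0.113.0/24"),   # SSH only from the office range
    ],
    DEFAULT_SG: [
        Rule("-1", 0, 0, DEFAULT_SG),            # all traffic from other members of the group
    ],
}

# Subnet NACL: the deny for one range only works because it is numbered lower.
SUBNET_NACL_IN = [
    (100, Rule("tcp", 22, 22, "198.51.100.0/24"), "deny"),
    (110, Rule("tcp", 22, 22, ANY), "allow"),
    (120, Rule("tcp", 80, 80, ANY), "allow"),
]
SUBNET_NACL_OUT = [
    (100, Rule("tcp", 1024, 65535, ANY), "allow"),  # ephemeral ports for replies
]

if __name__ == "__main__":
    print("SSH from internet via SGs:", sg_allows_inbound(INSTANCE_SGS, "tcp", 22, "198.51.100.7"))
    print("SSH from office via SGs:  ", sg_allows_inbound(INSTANCE_SGS, "tcp", 22, "203.0.113.9"))
    print("MySQL from default-SG peer:", sg_allows_inbound(INSTANCE_SGS, "tcp", 3306, "10.0.1.5", {DEFAULT_SG}))
    print("NACL, SSH from 198.51.100.7:", nacl_decision(SUBNET_NACL_IN, "tcp", 22, "198.51.100.7"))
    print("NACL reply without outbound rule:", nacl_allows_reply([], "tcp", 51515, "198.51.100.7"))
```

The last two prints are the stateless trap: with no outbound NACL rule for the ephemeral range, the server's replies are dropped even though the inbound request was allowed, whereas the security group needs no outbound rule at all for the same conversation.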

Step 7: Review Instance Launch

  • Review all of your configurations and edit as required.
  • [Launch]

 

Select a Key Pair

  • This is not technically a ‘step’ but pops up when you go to launch your instance.
  • A key pair consists of a public key and a private key.
    • The public key is like the ‘lock’ placed on an EC2 instance (it is written into the login user's authorized_keys at first boot).
    • The private key is the ‘key’ that ‘unlocks’ the instance (ssh -i).
  • You can use the same public key on multiple EC2 instances.
  • Do not share your private key!  It grants access to every instance launched with that key pair, which is a HUGE security risk if it leaks.
  • Options
    • Use an existing key pair: select one you’ve already created.
    • Proceed without a key pair (not recommended)
      • [ ] I acknowledge that I will not be able to connect to this instance unless I already know the password for this AMI.
    • Create a new key pair: use this one the first time. See below.

Creating a new key pair

  • Name = WebHeads
  • [Download Key Pair]
    • This is your ONLY chance to download the private key; AWS keeps only the public half and cannot recover the private key for you.
    • The instance will be created with the public key.
    • Download the file to a safe, non-publicly accessible folder, and set its permissions before using it (see below).

 

You MUST securely set the permissions on a .pem file BEFORE you try to use it!!!

ssh ec2-user@IP.ADD.RE.SS -i WebHeads.pem
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'WebHeads.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "WebHeads.pem": bad permissions
Permission denied (publickey).

OK, fix the permissions and try again…

chmod 400 WebHeads.pem
ssh ec2-user@IP.ADD.RE.SS -i WebHeads.pem
Permission denied (publickey).

 

This might be BS. The correct user for Ubuntu instances is ‘ubuntu’. Switching to ssh ubuntu@IP.AD.RE.SS … resolved the issue.
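The two failures in the transcript above (key file too open, then the wrong login user) are exactly what a pre-flight check should catch before the ssh command is typed. The script below is an added example, not from the course or from AWS: it reproduces OpenSSH's permission test (any group or other bit set on the key file gets it refused), applies chmod 400, and picks the login user from a hand-written table of the documented default users for the public AMIs (assumption: the AMI name or description contains the distribution name). make_demo_key() writes a placeholder file, not a real key, with the same 0664 mode the downloaded file had.

```python
"""Pre-flight check for an EC2 .pem key and the SSH login user.
Added example, not course or AWS code. AMI_USERS is a hand-written lookup
keyed on substrings of the AMI name; make_demo_key() is a placeholder, not a key."""
import os
import stat
import tempfile

# Default login users of the public AMIs; root login over SSH is disabled.
AMI_USERS = {
    "amazon linux": "ec2-user",
    "amzn": "ec2-user",
    "ubuntu": "ubuntu",
    "debian": "admin",
    "rhel": "ec2-user",
    "centos": "centos",
    "fedora": "fedora",
    "suse": "ec2-user",
}


def ssh_user_for(ami_description):
    """Guess the login user from the AMI name/description; None if unknown."""
    text = ami_description.lower()
    for marker, user in AMI_USERS.items():
        if marker in text:
            return user
    return None


def key_mode(path):
    """Permission bits of the key file as an int (0o664, 0o400, ...)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def key_permission_problem(path):
    """Mirror OpenSSH's check: any group/other bit set and the key is ignored."""
    mode = key_mode(path)
    if mode & 0o077:
        return f"Permissions {mode:04o} for '{path}' are too open"
    return None


def fix_key_permissions(path):
    """chmod 400 (owner read only). Returns the resulting mode."""
    os.chmod(path, stat.S_IRUSR)
    return key_mode(path)


def build_ssh_command(ami_description, host, key_path):
    """Refuse to build a command ssh would reject anyway, or with an unknown user."""
    problem = key_permission_problem(key_path)
    if problem:
        raise PermissionError(problem)
    user = ssh_user_for(ami_description)
    if user is None:
        raise ValueError(f"unknown AMI family: {ami_description!r}")
    return ["ssh", "-i", key_path, f"{user}@{host}"]


def make_demo_key(mode=0o664):
    """Constructed placeholder (NOT a real private key) with the too-open mode
    a freshly downloaded file had in the transcript above."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    key = make_demo_key()
    print(key_permission_problem(key))                 # too open, as in the transcript
    print(f"fixed to {fix_key_permissions(key):04o}")
    print(build_ssh_command("ubuntu-bionic-18.04-amd64-server", "198.51.100.7", key))
    os.unlink(key)
```

The table only covers the families it names; a Windows AMI returns None, which is correct, since those are reached over RDP with a password decrypted from the same key pair rather than over SSH.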

 

Launch the Instance

  • [Launch Instances]

 

Part 2: Navigating the Dashboard

https://www.udemy.com/aws-certified-solutions-architect-associate/learn/v4/t/lecture/6351272?start=0

 

Description Tab

  • Instance ID
  • State (Running, stopped, etc)
  • Key Pair Name
  • Public and Private IP addresses
  • Public DNS
  • VPC ID
  • Subnet ID

 

Status Checks

  • System Status Checks
    • Check the underlying host: networking, power, hypervisor software.
    • A failure here is an AWS-side problem. Stop and start the instance so it is launched on a healthy host (a plain reboot keeps it on the same hardware), or wait for AWS to repair it.
  • Instance Status Checks
    • Check whether the instance’s own OS is reachable (can it receive network packets?).
    • A failure here is inside the VM: exhausted memory, a corrupted filesystem, broken network configuration. Reboot the VM or investigate the OS and its configuration.

 

Monitoring (CloudWatch)

  • Basic Monitoring (one data point every 5 minutes, no charge)
    • CPU utilisation
    • Disk operations
    • Networking
    • Memory and disk-space usage are NOT collected by default; they need the CloudWatch agent running inside the OS.
    • Will need to know the default options for the test!
  • Detailed Monitoring (one data point per minute)
    • Additional fees

 

Tags

  • View and edit tags assigned to EC2 Instances

 

Reserved Instances

  • Dashboard > EC2 > Reserved Instance
  • Select Term (1 or 3 years)
  • Select Payment Options
    • All Upfront = largest discount

 

Exam Tips

  • Termination Protection disabled by default.  You’ll need to enable it manually.
  • EBS root filesystem deleted by default upon EC2 instance termination.  You can disable this manually.
  • EBS root volumes of default AMIs cannot be encrypted at launch (as taught in this course; AWS has since added launch-time root-volume encryption). The course's workarounds:
    • 3rd-party programs like BitLocker (Windows)
    • Copy the AMI, then encrypt the copy
    • Use the APIs
  • Additional Volumes can be encrypted without issue.

 
