Setting up separate environments on AWS

Denys Bochko — Mon, 15 Jul 2024 18:05:01 +0000

I recently faced the challenge of creating a separate locked-down environment on AWS to share the progress of a project with my designer. This environment needed to be accessible only via a VPN, as I don't have a static IP to associate with it.

I tried using Twingate VPN to connect to a private VPN on AWS, but it didn't work because the Twingate connector couldn't connect to the server from the private VPN.

After several days of struggle, I realized that I could achieve this even with a public VPN by setting up security groups to allow traffic only from that VPC, not from outside. Moreover, since I am using EC2 to host my web server, I can install a Twingate connector on the same instance. By allowing outbound connections in that security group, I enabled the connector to connect to the Twingate servers. This setup allows the VPN to function, and any users authorized on the VPN can access the site.

Another challenge was connecting a private hosting zone to the EC2 instance so I could have a domain name pointing to the dev site. This was easily solved by simply entering the EC2 internal IP address into the A record of that domain, and everything worked beautifully.

To summarize:

Public VPC
EC2 instance
Change the SSH port for better security; this port will need to be opened to the world so you can remotely SSH into the instance.
Security group that allows traffic only within that VPC (e.g., 172.0.0.0/16); I think it is the top choice in the source field when creating an incoming connection filter in the SG.
Add that security group to the EC2 instance.
Set up a private DNS zone with the domain name.
Create an A record and use the EC2 internal address as the destination.

Knowledge/experience sharing just in case somebody else is in the same situation

Mount S3 bucket to EC2 with IAM policy - step by step

Denys Bochko — Fri, 13 May 2022 17:38:15 +0000

I had to go through that process recently and I wanted to share what I had to do to accomplish that.

Prerequisite: ready and running EC2 instance and an S3 bucket has been created.

Install s3fs (S3 files system)

Update the system

sudo yum update

Install dependencies

sudo yum install automake fuse \
fuse-devel gcc-c++ git libcurl-devel \
libxml2-devel make openssl-devel

Download s3fs code from the source

git clone https://github.com/s3fs-fuse/s3fs-fuse.git

Install it

# cd s3fs-fuse\r\n# ./autogen.sh
# ./configure — prefix=/usr — with-openssl
# make 
# sudo make install

Make sure it is installed properly

which s3fs

This will give you the location of its binaries

IAM policy and role.

We need to create a policy that will give EC2 access to that S3 bucket and then we will assign that policy to a role that will be assigned to our EC2 instance.

Create an IAM policy

This is the JSON of the policy. You can modify it to your needs, this particular policy only needs to manage to read/write/delete files into that bucket.


    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<your_bucket_here>/*",
                "arn:aws:s3:::<your_bucket_here>"
            ]
        }
    ]
}

Save the policy.

Create IAM role

Now we need to create a role based on that polity. Head to roles in IAM and click on "Create".

Select "AWS service" and EC2 under "Use case"

On the next screen select the policy you just created.

Hit "Next" will bring you to the next screen where you name the role and create its description.

Hit "Create role" and you are done.

Assign that role to your EC2 instance.
NOTE: the location specified is as of May 13, 2022, AWS UI can change

All the way to EC2 section, select your EC2 instance and under "Actions" which is on the top right select "Security"-> Modify IAM role.

That will lead to another page to select the role you just created and assign it to your EC2.

Ok, we are done here.

The mounting

Create a mounting point.
It can be a dir anywhere.

Mounting command

s3fs -o iam_role="<your_iam_role>" \
     -o url="https://<your_aws_zone>.amazonaws.com" \
     -o endpoint=<your_aws_zone> \
     -o dbglevel=info \
     -o umask=000,uid=1000 \
     -o curldbg \
     -o allow_other \
     -o nonempty \
     -o <s3_bucket_name> <mounting_point

your_iam_role is the role created and assigned to EC2
your_aws_zone is the AWS zone your bucket is in. It can be found in bucket properties. I am in Canada, so will be ca-central-1

umask 000 is what is going to make your dir writable if webserver needs to be put files there.
nonempty only needs if the dir has anything in it, otherwise skip it

This worked for me.

DEV Community: Denys Bochko

Setting up separate environments on AWS

Mount S3 bucket to EC2 with IAM policy - step by step

Install s3fs (S3 files system)

IAM policy and role.

The mounting