DEV Community: joahna

Securely Connect to EC2 Instances Using Systems Manager (SSM)

joahna — Mon, 24 Jan 2022 10:18:33 +0000

AWS Systems Manager (formerly known as SSM) is an AWS service that you can use to view and control your infrastructure on AWS. With AWS Systems Manager, you can perform routine operations, proactively act on events and address security issues on multiple instances at the same time.

Usually, when we connect to EC2 instances using our local machines, we need to grant SSH (port 22) or RDP (port 3389) permissions from our IP address and we also need to provide the key pair.

In this post, I will share the steps on how you can securely connect to your EC2 instances using AWS Systems Manager, even without SSH permission in your EC2’s security group and not using a key pair.

For this, you will need to perform the following:

Create an IAM Instance Profile
Create and Launch an Amazon EC2 Instance
Connect to EC2 using AWS Systems Manager

Steps
Step 1: Create an IAM Instance Profile

Open the AWS IAM console, and then choose Roles from the navigation pane
Select Create Role
For the type of trusted entity, select AWS service
For the use case, choose EC2
Choose Next: Permissions
For the policies to attach, search and select AmazonSSMManagedInstanceCore
Choose Next: Tags and add tags as needed
Enter a Role name and choose Create Role

Step 2: Create and Launch an Amazon EC2 instance

Open the Amazon EC2 console, and then choose Launch instances
Select an Amazon Machine Image (AMI). In this example, I will choose an Amazon Linux 2 AMI Note: In order to use AWS Systems Manager, an SSM Agent must be installed on the instance. By default, SSM Agent is preinstalled on instances created from some AMIs, including Amazon Linux 2.
Choose an instance type. For this I will choose t2.micro
Choose Next: Configure Instance Details
Configure the instance details. Make sure to choose the IAM role that you created earlier
Choose Next: Add Storage and modify storage as needed
Choose Next: Add Tags and add tags as needed
Choose Next: Configure Security Group
Choose Create a new security group and remove the default SSH inbound rule
Choose Review and Launch
Choose Launch
In the key pair window, select Proceed without a key pair and check the acknowledgement
Choose Launch Instances
Navigate to the launched instance and wait until the Instance state is Running

Step 3: Connect to EC2 using AWS Systems Manager

Option A – EC2 Console

In the Amazon EC2 console, select the instance and then click on Actions and choose Connect from the dropdown
Select Session Manager tab and choose Connect
You are now connected to your EC2 instance using Systems Manager

Option B – Systems Manager Console

Open the AWS Systems Manager console, and then choose Session Manager under Node Management from the navigation pane
Choose Start Session
Select your instance from the Target instances list and then choose Start Session
You are now connected to your EC2 instance using Systems Manager

Monitor for Launched EC2 Instances Not Within Free Tier and Receive Customized Email Notifications

joahna — Mon, 24 Jan 2022 07:50:22 +0000

AWS offers a Free Tier to provide new users the ability to explore and try out AWS services free of charge up to specified limits for each service.

Amazon EC2 is one of the services available to use in the AWS Free Tier, which includes up to 750 hours of Linux and Windows t2.micro instances, (t3.micro for the regions in which t2.micro is unavailable) each month for one year for new AWS customers. This is extremely helpful to those who are just getting started with AWS.

In this post, I will share how to monitor EC2 instances launched that is not within the free tier (t2.micro) and receive customized notifications in your email.

Hopefully, this will help you avoid unnecessary costs in your account, especially when you are just starting to learn AWS.

Solution Overview

The following diagram illustrates the solution architecture:

For this, you will perform the following steps:

Setup Amazon SNS
Create an Amazon EventBridge Rule
Test the Solution

Prerequisites

You should have the following prerequisites:

CloudTrail logging turned on for your AWS account. This is needed to be able to receive AWS API action events

Steps

Step 1: Setup Amazon SNS

Open the Amazon SNS console, and then choose Topics from the navigation pane
Select Create topic
In the Details section, use the following details:
Type: Standard
Name: Enter a name for your topic
Select Create topic
On the Subscriptions tab of the newly created topic, choose Create subscription
In the Details section of Create subscription page, use the following details:
Protocol: Email
Endpoint: Enter the email address where you want to receive the notifications
Select Create subscription
After your subscription is created, a subscription confirmation email is sent to the address you entered. Click on the Confirm subscription link in the email

Step 2: Create an Amazon EventBridge Rule

Open the Amazon EventBridge console, and then choose Rules from the navigation pane
Select Create rule
Enter a Name for your rule
In Define pattern section, select Event pattern
In Event matching pattern, choose Custom pattern

In Event pattern text box, enter the following:

{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["RunInstances"],
"requestParameters": {
  "instanceType": [{
    "anything-but": "t2.micro"
  }]
}
}
}

Click on Save
In Select targets section, choose SNS topic from the Target dropdown list
For Topic, choose the topic name that you created earlier
Expand Configure input
Choose Input Transformer

For Input Path text box, enter the following:

{"account":"$.account","eventid":"$.detail.eventID","eventsource":"$.source","instance-type":"$.detail.requestParameters.instanceType","region":"$.region","time":"$.time","user":"$.detail.userIdentity.userName"}

For Input Template text box, enter the following:

"An EC2 instance with a non-t2.micro instance type was launched with the following details:"
"Instance Type: <instance-type>"
"Event Time: <time> (UTC)"
"AWS Account: <account>"
"AWS Region: <region>"
"User: <user>"
"Event Source: <eventsource>"
"Event ID: <eventid>"

Click on Create

Step 3: Test the Solution

Open the Amazon EC2 console, and then choose Launch instances
Select an Amazon Machine Image (AMI)
In the Instance Type, choose t2.small
Click on Review and Launch
Click on Launch
Select a key pair
Click on Launch Instances
After a few seconds, you should receive an email about the created EC2: Please don’t forget to terminate the EC2 instance after testing is completed.

Congratulations! You are now able to monitor your EC2 instances with non-free tier instance types and receive a customized email notification about it as well.

Create a Unique S3 Bucket Name Using CloudFormation

joahna — Sat, 22 Jan 2022 20:29:34 +0000

An Amazon S3 bucket name is globally unique, and the namespace is shared by all AWS accounts. This means that once you create an S3 bucket named “my-test-bucket”, you or anyone else cannot create a bucket with the same name even in any other AWS regions or accounts until you delete that bucket.

This is particularly challenging when you are creating S3 buckets using CloudFormation and you want to reuse the template multiple times (e.g. when you are deploying your application in different AWS accounts).

To help with bucket naming, here is a template to create an S3 bucket with a unique name using CloudFormation:

Parameters:
  BucketPrefix:
    Description: Value that will be prefixed to the bucket name

Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Join 
        - '-'
        - - !Ref BucketPrefix
          - !Ref AWS::AccountId
          - !Ref AWS::Region
          - 'bucket'
          - !Select 
            - 0
            - !Split 
              - '-'
              - !Select 
                - 2
                - !Split 
                  - /
                  - !Ref AWS::StackId

In this template, we used CloudFormation pseudo parameters AWS::AccountId, AWS::Region and AWS::StackId to create a unique bucket name.

The AWS::StackId helps give your bucket a random name. The CloudFormation intrinsic functions Select and Split were used to select the last range of the CloudFormation Stack ID.

Connect to Amazon Aurora Serverless MySQL DB cluster from MySQL Workbench

joahna — Sat, 22 Jan 2022 09:28:11 +0000

Amazon Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora. It automatically scales compute capacity up or down based on your application's needs.

An Aurora Serverless DB cluster resides in the private subnet of Amazon VPC. You can’t give an Aurora Serverless DB cluster a public IP address. You can only access it from within a VPC.

If you want to access your Amazon Aurora Serverless DB cluster from MySQL Workbench, one way to do this is via an SSH tunnel through a bastion host (jump box).

In this post, I will share the steps for setting up a bastion host using an Amazon EC2 instance. Then use MySQL Workbench to connect to the bastion host via an SSH tunnel.

Solution Overview

The following diagram illustrates the solution architecture:

For this, you will perform the following steps:

Setup networking configurations in Amazon VPC
Create and launch an Amazon EC2 instance
Configure MySQL Workbench

Prerequisites

You should have the following prerequisites:

Amazon Aurora Serverless DB cluster with MySQL-compatible edition
MySQL Workbench installed in your local machine

Steps

Step 1: Setup networking configurations in Amazon VPC

Open the Amazon VPC console

A. Security Group

Create a security group for Amazon EC2 within the same VPC where your Amazon Aurora Serverless DB cluster resides and add the following inbound rule:
Type: SSH
Protocol: TCP
Port Range: 22
Source: Enter the IP address of your local machine or choose My IP
Update your DB cluster’s security group and add the following inbound rule:
Type: MySQL/Aurora
Protocol: TCP
Port Range: 3306
Source: Enter the Amazon EC2 security group ID

B. Internet Gateway

Create an Internet Gateway and attach it to your VPC

C. Subnet

Create subnets in the same Available Zone (AZ) as the subnet group of your DB cluster

D. Route Table

Create a routing table
Associate the created subnets in the routing table
Add a route in the routing table that directs internet-bound traffic to the internet gateway

Note: If a subnet is associated with a route table that has a route to an internet gateway, it is now a public subnet.

Step 2: Create and launch an Amazon EC2 instance

Open the Amazon EC2 console and choose Launch instances
Select an Amazon Machine Image (AMI). In this example, I will choose an Amazon Linux 2 AMI
Choose an Instance Type. For this, I will choose t2.micro
Choose Next: Configure Instance Details and make sure to use the following settings:
Network: Choose the VPC that the Amazon Aurora Serverless DB cluster uses
Subnet: Choose a public subnet (the subnet that has an internet gateway in its routing table)
Auto-assign Public IP: Enable
Choose Next: Add Storage and modify storage as needed
Choose Next: Add Tags and add tags as needed
Choose Next: Configure Security Group and select the security group created earlier for EC2
Choose Review and Launch
Choose Launch
Create a new key pair and download it
After downloading the key pair, click on Launch Instances
Navigate to the launched instance and wait until it's in Running state. Take note of the public IP address of the instance

Step 3: Configure MySQL Workbench

Open MySQL Workbench, and choose the ⊕ sign beside MySQL Connections to set up a new connection
In Setup New Connection, enter a name for your connection and select Standard TCP/IP over SSH for the Connection Method
In the Parameters section, enter the following settings:
SSH Hostname: Enter the public IP address of your EC2 instance
SSH Username: Enter the username for your EC2 instance. In our example, we will use "ec2-user" (this is the default username for EC2 Linux machines)
SSH Key File: Select the private key (.pem file) that was downloaded when the EC2 instance was created
MySQL Hostname: Enter the Aurora Serverless DB cluster endpoint
MySQL Server port: Enter 3306
Username: Enter the username that you use to connect to your of the Aurora Serverless DB cluster
Password: Enter the user’s password of your Aurora Serverless DB cluster
Click on Test Connection
If this is the first time you are connecting to the EC2 host, you will get the following error message:
Click OK
After the test is successful, choose OK

Note: If you receive an error when you test the connection, check if you configured the network correctly.
In the Setup New Connection, choose OK again to save the connection

Congratulations! You are now able to connect to your Amazon Aurora Serverless MySQL DB cluster from MySQL Workbench.