DEV Community: Kannan

VPC Lattice

Kannan — Wed, 09 Apr 2025 11:11:15 +0000

Amazon VPC Lattice is a fully managed application networking service that you use to connect, secure, and monitor the services and resources for your application

VPC Lattice, you should be familiar with its key components.

Service
service can run on EC2 instances or ECS/EKS/Fargate containers, or as Lambda functions, within an account or a virtual private cloud (VPC). A VPC Lattice service has the following components: target groups, listeners, and rules.
Resource
Amazon Relational Database Service (Amazon RDS) database, an Amazon EC2 instance, an application endpoint, a domain-name target, or an IP address.
Resource gateway
A resource gateway is a point of ingress into the VPC in which resources reside.
Resource configuration
A resource configuration is a logical object that represents either a single resource or a group of resources. A resource can be an IP address, a domain-name target, or an Amazon RDS database.
Service network
A client can be in a VPC that is associated with the service network. Clients and services that are associated with the same service network can communicate with each other
Service directory
A central registry of all VPC Lattice services that you own or are shared with your account through AWS RAM.
Auth policies
create a policy for how a payment service running on an auto scaling group of EC2 instances should interact with a billing service running in AWS Lambda.

Auth-policies are not supported on resource configurations. Auth policies of a service-network are not applicable to resource configurations in the service network.

Features of VPC Lattice

You need not be concerned about overlapping IP addresses between VPCs.

As the traffic is internal between VPCs, you do not need to modify the route table.

Here we go with the usecase - i have hosted 2 web server on 2 instance and make use of vpc lattice

I have created 2 linux EC2-instance as webserver "poc-server1","poc-server2"
Both have seperate vpc and security groups to access the port from 80 using http.
Here are the servers

poc-server1

poc-server2

request from local machine to verify the web server

VPC lattice connection between the webservers

Go to VPC dashboard
Click “Target groups” under the VPC Lattice section of the VPC Console.
Click “Create target group“.
Create the target group by instance type,protocol and VPC add the poc-server1 to the target group.
Follow the same steps for the poc-server2.

Under the VPC Lattice section, click “Services”

Need to create lattice service to associate the service with service network.
create vpc lattice service.
Click “Next”.
Click “Next” on the next page (the Define routing page).
Click “Next” on the next page (the Create network associations page).
Click “Create VPC Lattice Service” on the next page (the Review and create page).

Follow the same steps for the poc-server2.

VPC Console and click “Service networks” under the VPC Lattice section

Click “Create service network”. Create a service network
Under service association attach the services which we created as "poc-server1","poc-server2".
Under VPC association attach the VPC and security group which we created for the web servers.
Click “Create service network”

Go to the "poc-server1" service overview and Click “Routing”
Click “Add listener”

Follow the same steps for the service "poc-server2".
Return to the payment-svc overview and copy the domain name
VPC Lattice configurations have been completed. Let’s see how the setup works
Try to access the VPC Lattice domains from the EC2 instances

VPC lattice Domain address

How do I use the ResourceTag, condition keys to create an IAM policy for tag-based restriction

Kannan — Fri, 28 Feb 2025 08:12:56 +0000

The following IAM policies use condition keys to create tag-based restriction.

Before you use tags to control access to your AWS resources, you must understand how AWS grants access. AWS is composed of collections of resources. An Amazon EC2 instance is a resource. An Amazon S3 bucket is a resource. You can use the AWS API, the AWS CLI, or the AWS Management Console to perform an operation, such as creating a bucket in Amazon S3. When you do, you send a request for that operation. Your request specifies an action, a resource, a principal entity (user or role), a principal account, and any necessary request information.
You can then create an IAM policy that allows or denies access to a resource based on that resource's tag. In that policy, you can use tag condition keys to control access to any of the following:
Resource – Control access to AWS service resources based on the tags on those resources. To do this, use the_ aws:ResourceTag/key-name_ condition key to determine whether to allow access to the resource based on the tags that are attached to the resource.

ResourceTag condition key

Use the _aws:ResourceTag/tag-key _condition key to compare the tag key-value pair that's specified in the IAM policy with the key-value pair that's attached to the AWS resource. For more information, see Controlling access to AWS resources.

You can use this condition key with the global aws:ResourceTag version and AWS services, such as ec2:ResourceTag. For more information, see Actions, resources, and condition keys for AWS services.

The following IAM policy allows users to start, stop, and terminate instances that are in the test application tag

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "arn:aws:ec2:*:3817********:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/application": "test"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeTags"
                "ec2:Describedescribe-instance-status"
            ],
            "Resource": "*"
        }
    ]
}

Create the policy and attach the policy to user or role.

Created 2 instance one is with application tag and other is non tagged.

You can see the tagged instance are able to perform Start and Stop action using the IAM resources tag condition.
non-tagged instance we are not able to perform the same.

check the status of the instance

perform the Termination action

reference commands

aws ec2 start-instances --instance-ids "instance-id"

aws ec2 stop-instances --instance-ids "instance-id"

aws ec2 describe-instance-status  --instance-ids "instance-id"

aws ec2 terminate-instances --instance-ids "instance-id"

String condition operators

String condition operators let you construct Condition elements that restrict access based on comparing a key to a string value.

StringEquals - Exact matching, case sensitive
StringNotEquals - Negated matching
StringEqualsIgnoreCase - Exact matching, ignoring case
StringNotEqualsIgnoreCase - Negated matching, ignoring case
StringLike - Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string. You must specify wildcards to achieve partial string matches.
Note
If a key contains multiple values, StringLike can be qualified with set operators—ForAllValues:StringLike and ForAnyValue:StringLike.
StringNotLike - Negated case-sensitive matching. The values can include multi-character match wildcards (*) or single-character match wildcards (?) anywhere in the string.

Script to list the S3 Bucket storage size

Kannan — Fri, 28 Feb 2025 05:41:38 +0000

If we need to fetch the S3 bucket storage size we need to trace via individual bucket under metrics we get the storage size.
on one go use the below script to get the bucket name with storage size.

s3list=`aws s3 ls | awk  '{print $3}'`
for s3dir in $s3list
do
    echo $s3dir
    aws s3 ls "s3://$s3dir"  --recursive --human-readable --summarize | grep "Total Size" 
done

create the .sh file
copy the code on the file
Excecute the script to get the s3 bucket details

AWS-Elastic Container Service

Kannan — Sat, 30 Dec 2023 02:28:18 +0000

Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that helps you easily deploy, manage, and scale containerized applications.

EC2 is that it deploys isolated VM instances with auto scaling support, and ECS deploys scalable clusters of managed Docker containers.
Amazon Elastic Compute Service (ECS), Elastic Kubernetes Service (EKS), and AWS Fargate help deploy and manage containers
AWS Fargate is a technology that you can use with Amazon ECS to run containers without having to manage servers or clusters of Amazon EC2 instances. With Fargate, you no longer have to provision, configure, or scale clusters of virtual machines to run containers.

Step-1. Create Cluster and task definition using AWS Fargate

Step-2. Create the services in the cluster.

Create the service with the task definition family which we created for nginx.

Once service created we can access the Public IP details from the Task tab.

Now you able to access the Nginx on the browser with the Public IP.

AWS-Lambda (Start/Stop EC2 Instance)

Kannan — Wed, 27 Dec 2023 16:30:45 +0000

AWS Lambda is a serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers.

Lambda functions are efficient whenever you want to create a function that will only contain simple expressions
Each Lambda function runs in its own container. When a function is created, Lambda packages it into a new container and then executes that container on a multi-tenant cluster of machines managed by AWS.

Step-1.Create the EC2 Instance.

Step-2. Create IAM Roles and policies.

Create a policy > Select EC2 type >Access level -Write (Stop Instance).

Add Specific ARN (Details of the EC2 Instance which we need to start/stop)

We have created separate policy for start/stop the EC2 Instance.

Create a Role > select entity (AWS Service)>select the use case as "Lambda".

We have created separate Roles for start/stop the EC2 Instance.

Step-3. Create Lambda function.

We can add the trigger rule "Event Bridge"

The similar we create another lambda function for start the EC2 instance and schedule corn job using add trigger"Event bridge"
It will start/stop EC2 instance using Lambda function.

AWS-VPC (Peering Connections)

Kannan — Tue, 26 Dec 2023 17:46:26 +0000

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network.

VPC peering connections are limited on the number of active and pending peering connections that you can have per VPC.
VPC peering is a technique for securely connecting two or more virtual private clouds, or VPCs

Step-1. As per the above VPC Peering connection architect Create a VPC and subnet and Rout table.

Associate the subnet with the route table.

Step-2. Create the Internet Gateway and attach the VPC.

Edit and add the Internet Gateway in the route table.

Step-3. Create the EC2 Instance with VPC-A network settings and Publich IP enabled on the Subnet and Instance.

Step-4. As the above steps we have created another VPC, Subnet and Route table.

Associate the Subnet on the route table and create EC2 Instance.

Step-5. We need to copy the .pem key from local and paste in the Primary VPC-A to get SSH access for another VPC-B.

Not getting connect to the secondary VPC EC 2 Instance via SSH.

**Step-6. **Create a peering connection.

Accept the Peer Request.

Step-7. Add the Secondary IPV4 CIDR range and select the peering connection and save on the Primary Route table.

Step-8. Add the Primary IPV4 CIDR range and select the peering connection and save on the Secondary Route table.

Step-9. Now we able to access the Secondary VPC EC2 Instance through the Primary VPC EC2 Instance via Peering connection.

AWS-Virtual Private Cloud VPC(Subnet,Route table,Internet Gateway,NAT gateway)

Kannan — Tue, 26 Dec 2023 15:22:27 +0000

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can specify an IP address range for the VPC, add subnets, add gateways, and associate security groups.

users can avoid underutilizing their resources during periods of low demand or overloading their infrastructure during peak periods. Overall, the advantages of using VPC for your infrastructure include improved security, greater flexibility, and scalability.
We are going to create a VPC on particular availability zone and differentiate with Public and private subnet/Route table as mentioned in the architect diagram.

Step-1. Create a VPC with tag of VPC-A

Select and make range for IPV4 CIDR, select the No IPV6 CIDR Block.

Step-2. Create a Subnet with the VPC ID we created.

verify the availability zone and IPV4 VPC CIDR and provide the range of subnet on IPV4 subnet CIDR to create the subnet.

Step-3.Create a Route table

select the VPC and create the route table
Once route table created associate the subnet with the table. and enable the "Auto assign public IP"

Step-4. Create an Internet gateway and attach it with the VPC which we created.

Add the Internet gateway on the route table.

Step-5. Create an EC2 instance

On Network settings select the VPC,subnet,and public IP enable.

we are able to access the EC2 instance using public IP via SSH.

Step-6. Now we need to create the private subnet and route table, associate the private subnet on the route table.

Step-7. Create an EC2 instance

On Network settings select the VPC,private subnet.

Login to the Public VPC Instance and copy the .pem key from the local to get SSH access for the private instance.
We are able to login public Instance and get connected to Private Instance via Local gateway.
If we need to access internet on private instance to install any application need to create the NAT gateway.

Step-8.Create a NAT Gateway

select the public instance subnet range and allocate the "Elastic IP".

Step-9. Add the NAT gateway on the private Route table to get internet access on the private Instance.

We are successfully login to the public instance via SSH and from the public-EC2 we are able to login to private and access the internet.

kannan@kannan-PC:~$ ssh -i apache.pem ubuntu@13.201.97.155
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-1017-aws x86_64)

ubuntu@ip-192-168-1-99:~$ ssh -i apache.pem ubuntu@192.168.2.221
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-1017-aws x86_64)

ubuntu@ip-192-168-2-221:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=1.90 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=50 time=1.55 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=50 time=1.56 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.546/1.671/1.904/0.164 ms
ubuntu@ip-192-168-2-221:~$ ping www.google.com
PING www.google.com (142.251.42.4) 56(84) bytes of data.
64 bytes from bom12s19-in-f4.1e100.net (142.251.42.4): icmp_seq=1 ttl=109 time=1.79 ms
64 bytes from bom12s19-in-f4.1e100.net (142.251.42.4): icmp_seq=2 ttl=109 time=1.58 ms

AWS-Key Management Service(KMS)

Kannan — Thu, 14 Dec 2023 18:53:19 +0000

AWS Key Management Service (AWS KMS) lets you create, manage, and control cryptographic keys across your applications and AWS services.

The service is integrated with other AWS services making it easier to encrypt data you store in these services and control access to the keys that decrypt it.
Creating KMS key. KMS > Customer managed Keys > Create key

Install the aws-encryption-cli to encrypt and decrypt the file via CLI.

sudo apt install python3-pip
sudo pip install aws-encryprion-sdk-cli
aws-encryption-cli --version

AWS CLI commands to encrypt the file

kannan@kannan-PC:~$ aws kms encrypt \
    --key-id alias/kannan1 \
    --plaintext fileb://kms.txt \
    --output text \
    --query CiphertextBlob | base64 \
    --decode > kms_encrypt.txt
kannan@kannan-PC:~$ cat kms_encrypt.txt 
x����X�[���4u|��e�J�Q0X��U�
0f0d0_  `�He.0             p����gWI�u0s *�H��
              YU"�    I����2$y��|e!��l�\nų���5�%�����k�~d��~e�g=�+jI�N@g6ETkannan@kannan-PC:~$

AWS CLI commands to decrypt the file

kannan@kannan-PC:~$ aws kms decrypt \
    --ciphertext-blob fileb://kms_encrypt.txt \
    --key-id alias/kannan1  \
    --output text \                            
    --query Plaintext | base64 \
    --decode > kms_decrypt.txt
kannan@kannan-PC:~$ cat kms_decrypt.txt 
Test line for kms key

create directory to store the encrypted and decrypted files

mkdir encrypt
mkdir decrypt

create a variable to store the arn value which is genetrated for the KMS key

kannankey=arn:aws:kms:ap-south-1:155364343822:key/ef88420b-bbc5-4807-b1f3-c82eb5191c7f

kannan@kannan-PC:~$ cd encrypt/
kannan@kannan-PC:~/encrypt$ ls
example.txt.encrypted  kms.txt.encrypted
kannan@kannan-PC:~/encrypt$ cat kms.txt.encrypted 
xiCeJC�T��mb���w�����/'a8��_aws-crypto-public-keyDA9IoQRQ6f8U3WV8eoVxkQyhEZ1O/QXOXdr9L/Zx6bHP53ZEIfhYq26YJIshCIf8f8Q==aws-kmsLarn:aws:kms:ap-south-1:1550o0m0h��`�He.0���zp~0|-b*�H��807-b1f3-c82eb5191c7f�x4�u���l�\��?����<�Dya
              .�K�B�w
3����>����ǔXnL��U��cj9�1���g�%uray��߳�ɗ���x��0KYf�aE����6�j�@�Ϯ6�_k�!�Q�7x<�ǯ4u��V�6��G�������Vn�v<�%j��龎�����J��vz�u%aÌ�sg0e0b(��)!��
d9�G�Ɩ�.0$����%��
                 V�Ϗc;_���]��fl1�{
                                  o�檈R&\��\&��m6)L\,锌z!��S�<Ɪ,��kannan@kannan-PC:~/encrypt$ 
kannan@kannan-PC:~/encrypt$ cd ..
kannan@kannan-PC:~$ cd decrypt/
kannan@kannan-PC:~/decrypt$ ls
example.txt.encrypted.decrypted  kms.txt.encrypted.decrypted
kannan@kannan-PC:~/decrypt$ cat kms.txt.encrypted.decrypted 
Test line for kms key

We can encrypt and decrypt the S3 bucket using the KMS key

EC2 >EBS>Volumes >create volume >enable "Encrypt this volume".

create an S3 bucket using CLI

kannan@kannan-PC:~$ aws s3 mb s3://kannandemo-bucket
make_bucket: kannandemo-bucket

select the bucket > properties > edit default encryption
select "Server-side encryption with AWS Key Management Service keys (SSE-KMS)"
choose "Choose from your AWS KMS keys"

It will auto encrypt and decrypt the objects inside the S3 bucket.

To delete the KMS key we need to schedule the key deletion it took minimum 7 day

AWS -Relational Database Service(RDS)

Kannan — Thu, 14 Dec 2023 17:34:34 +0000

Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. Choose from eight popular engines: Amazon Aurora PostgreSQL-Compatible Edition, Amazon Aurora MySQL-Compatible Edition, RDS for PostgreSQL, RDS for MySQL, RDS for MariaDB, RDS for SQL Server, RDS for Oracle, and RDS for Db2. Deploy on premises with Amazon RDS on AWS Outposts or with elevated access to the underlying operating system and database environment using Amazon RDS Custom.
Now we are going to create Mysql DB using RDS.we need to confirm the ports allowed in the Security groups of your AWS.

install mysql-client on the local machine

sudo apt install mysql-client -y

Once DB is on available state select >modify >connectivity >public accessibility.

we can access the DB via terminal with the endpoint id,port username and password

mysql -h demomysqldb.cg35jaodi4xh.ap-south-1.rds.amazonaws.com -P 3306 -u admin -p

kannan@kannan-PC:~$ mysql -h demomysqldb.cg35jaodi4xh.ap-south-1.rds.amazonaws.com -P 3306 -u admin -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 27
Server version: 8.0.33 Source distribution

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.02 sec)

we can create a PostgreSQL DB with the "Easy create" method

sudo apt install postgresql-client

Lets see the another method to create a DB with "Standard create"

install postgresql-client on the local machine

sudo apt install postgresql-client -y

we can access the DB via terminal with the endpoint id,port username and password

psql --host=database-1.cg35jaodi4xh.ap-south-1.rds.amazonaws.com --port=5432 --username=postgres --dbname=demodb --password

AWS S3-Replication

Kannan — Sun, 03 Dec 2023 14:49:12 +0000

Amazon Simple Storage Service (S3) Replication is an elastic, fully managed, low cost feature that replicates objects between buckets.
To automatically replicate new objects as they are written to the bucket, use live replication, such as Cross-Region Replication (CRR). To replicate existing objects to a different bucket on demand, use S3 Batch Replication.

Step1. Now we create source S3 Bucket make sure to enable the versioning and upload one file.

Step2. Create a another Destination S3 bucket with versioning enabled.

Step3. Now on the source Bucket >management >Replication rules.
we need to create these replication rules on the source bucket.

Choose the destination bucket on the replication rules.alternative you can choose the different AWS account/S3 Bucket to replicate.

On the "IAM role" create new role for these job.

Once replication rule has been created need to confirm either you need to replicate existing objects or not.

Step4. At "Create Batch operation job" we are disabling the "Generate completion report" and create new IAM role.

The file which we uploaded on the source bucket is replicated on the Destination bucket using "Replication Rules".

Step5. If we upload new file/object on the source bucket it will automatically replicate on Destination bucket.

Similar we can use Cross-Region Replication (CRR).
To enable CRR, you add a replication configuration to your source bucket. The minimum configuration must provide the following:

The destination bucket or buckets where you want Amazon S3 to replicate objects

An AWS Identity and Access Management (IAM) role that Amazon S3 can assume to replicate objects on your behalf

AWS-S3 Bucket creation access and Life cycle policy

Kannan — Thu, 30 Nov 2023 17:58:39 +0000

Amazon S3 to store and retrieve any amount of data at any time, from anywhere.An object consists of a file and optionally any metadata that describes that file.

Amazon S3 is object storage built to store and retrieve any amount of data from anywhere. S3 is a simple storage service that offers industry leading durability, availability, performance, security, and virtually unlimited scalability at very low costs.
You can create up to 100 buckets in each of your AWS cloud accounts,If needed, you can request up to 1,000 more buckets by submitting a service limit increase.
Lets see how to creat a S3 Bucket and upload file.

-On the above we have seen to view the upload files via presigned URL.

Another way to view the files
select the file > permissions > Uncheck block all public access.
Bucket policy > edit bucket policy >Policy generator.

Open as new tab to generate policy, we have select the s3 bucket policy followed by "Get Object" and copy the Amazon Resource Name(ARN) from the uploaded file.

Once policy generated copy the policy and paste on the Bucket policy >policy >save.

Via file "object URL" You can access the file on public.

AWS S3 Object storage classes, by default comes with "Standard" you can modify via Action >Edit storage class.

If you modified the local file and uploaded to S3 you want version basis need to enable "Bucket versioning" Properties > Bucket versioning >Edit.

Once you enabled the versioning able suspend (not to disable)
the file1.txt was edited locally and uploaded to S3 bucket to see the versioning.

Life cycle rule

A lifecycle policy consists of one or more rules that determine which images in a repository should be expired.
Lifecycle policies help manage and automate the life of your objects within S3, preventing you from leaving data unnecessarily available. They make it possible to select cheaper storage options if your data needs to be retained, while at the same time, adopting additional security control from Glacier.

Click on your bucket.
Click on Management tab.
Click on Create lifecycle rule.
First, give a name for the rule.
Then choose a rule scope. ...
If you choose to apply the rule to all objects then choose “Apply to all objects in the bucket”. ...
You can specify the transition for each option.

AWS Auto Scaling with Load Balancer

Kannan — Thu, 30 Nov 2023 15:38:43 +0000

Create a instance with Ubuntu OS and with instance type as t2.nano and selected the existing key pair and security group and set 2 instance to create and launch.
Run the apdt update and install apache webserver and modify the index.html
sudo apt update sudo apt install apache2 -y sudo rm /var/www/html/index.html sudo vim /var/www/html/index.html <h1>Auto Scaling Group with Load Balancer</h1>
Go to Action >Image and Template > Create Image

Create an image template by enabling noboot option.

Now create Target group and Load Balancer

Target Groups was created as "demo-tg"

Load balancer also created as "demo-lb"

Launch template was created with the AMI Image.

Create Auto scaling Group >Select the template >Select all network availability zone >Select Load balancing.
On Load balancing setup select the "Attach to an existing Load Balancer"
Group size >Desired capacity as 2 >Traget tracking scaling policies,Set Execute policy with CPU utilisation exceeds 50.
Select instance maintance policy as "Launch before Terminating"
Add Notification >Create a topic and provide name of the topic and email ID to send notification > Unselect "Fail to launch & Terminate"

Auto Scaling group has been create and launch the Instance from the AMI Image Template. you can monitor on the Activity tab.

Verfiy the instance status

On Cloud watch > Alarms> verify the scaling target alarm in detail.

Login to the 2 instance created by Auto Scaling groups and execute these commands to see the CPU utilisation and execute the cmd to exceed the CPU utilisation. top yes > /dev/null &

ubuntu@ip-172-31-1-56:~$ yes > /dev/null &
[1] 918
ubuntu@ip-172-31-1-56:~$ top

top - 15:16:41 up 18 min,  1 user,  load average: 0.08, 0.02, 0.01
Tasks: 101 total,   2 running,  99 sleeping,   0 stopped,   0 zombie
%Cpu(s): 75.0 us, 25.0 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :    446.5 total,     24.5 free,    148.0 used,    274.0 buff/cache
MiB Swap:      0.0 total,      0.0 free,      0.0 used.    269.6 avail Mem 

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND                                            
    918 ubuntu    20   0    5764   1920   1920 R  93.8   0.4   0:05.42 yes

It will exceed the CPU utilisation and trigger the ASG with Load balancer and create another instance.

Cloud watch Alram Notification.

To kill the cmd which we have run to exceed the CPU utilisation.Run the cmd with kill "PID".

ubuntu@ip-172-31-1-56:~$ kill 918
ubuntu@ip-172-31-1-56:~$ top

top - 15:33:28 up 35 min,  2 users,  load average: 0.85, 0.94, 0.68
Tasks:  98 total,   1 running,  97 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  0.0 sy,  0.0 ni,100.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :    446.5 total,     17.4 free,    152.4 used,    276.6 buff/cache
MiB Swap:      0.0 total,      0.0 free,      0.0 used.    265.1 avail Mem 

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND                                            
      1 root      20   0  166200  11352   8280 S   0.0   2.5   0:04.58 systemd