DEV Community: mostafamedhat1983

Connect to EC2 using instance connect endpoint - A SIMPLE GUIDE

mostafamedhat1983 — Fri, 29 Sep 2023 20:47:53 +0000

EC2 Instance Connect Endpoint allows you to connect to an instance without requiring the instance to have a public IPv4 address. You can connect to any instances that support TCP.
For more info and its limitations please visit this link.

To create an EC2 instance connect endpoint open VPC service from the management console, select Endpoints then Create endpoint.

Fill in the endpoint name, choose EC2 Instance Connect Endpoint. then select the desired VPC.

you can use the option "Preserve Client IP" if you want the endpoint to use your IP when establishing the connection (for example if you configured the EC2 instance's security group to only accept connections from your IP)

select desired subnet and endpoint security group, no need to open any ports in inbound rules.
then click create endpoint. note that creation will take some time.

To create an EC2 instance, in the management console go to EC2 service. Choose Instances then launch Instances.

fill in the EC2 instance name and choose the AMI

choose the key pair if you want, it is optional. and select the instance type

choose the VPC and subnet (subnet I choose is private). I disabled the auto assign public IP options as I don't need it. Select the security group and make sure the appropriate port is enabled in the inbound rules (22 for linux and port 3389 for windows). If you limited the source connection to your IP, you need to use an endpoint with option "Preserve Client IP" enabled.

My EC2 instance is now created, in a private subnet with no public IP and no key pair, still I can connect to it using the ec2 instance connect endpoint.

In EC2 service page select your instance and click connect

select EC2 Instance Connect, Connect using EC2 Instance Connect Endpoint, choose the end point you created then click connect.

you are now connected to the EC2 instance

To connect using CLI, you have to install AWS CLI first (check this link ) , create an access key (check this link ) and configure CLI using " aws configure "command.
Afer that use the following command to connect to your EC2 instance
" aws ec2-instance-connect ssh --instance-id i-1234567890example --connection-type eice "
replace i-1234567890example with your EC2 instance id

If you face the following error:
aws: error: argument operation: Invalid choice, valid choices are:
send-ssh-public-key | send-serial-console-ssh-public-key help
please update you AWS CLI and the problem will be solved.

Enable S3 MFA delete using AWS CLI - A SIMPLE GUIDE

mostafamedhat1983 — Tue, 26 Sep 2023 23:48:29 +0000

S3 MFA delete adds another layer of security as you can't delete files unless you have the MFA device authentication code.

first you need to register MFA device with your account, check the following link to do so:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html

In your S3 bucket properties, bucket versioning click edit

Note that you cant enable MFA delete, it can only be enabled using AWS CLI, AWS SDk or S3 REST API.

if you need to install AWS CLI check the following link :
https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

to use AWS CLI you need to create an access key, click on your account name in the top right and then security credentials

*copy the MFA device identifier as we will use it later.

in Access Keys click Create access key.

mark " I understand that creating a root access key is not a best practice " and click Create access key

download the csv file that contains the access key and secret access key, if you don't you will have to create another access key as you can't retrieve the secret access key later.

open the cli and configure AWS cli using the "aws configure" command. Enter the access key, secret access key, default region and default output format.

check if AWS cli is working, use command "aws s3 ls" to show your S3 buckets.

enable MFA delete using the following command:
aws s3api put-bucket-versioning --bucket bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "MFA-device-identifier mfa-code".
Replace the underlined text with its appropriate value.

check your S3 bucket properties to confirm MFA delete is enabled.

If you delete an object without showing versions a delete marker will be added to this object, but it will not be permanently deleted. you have to show versions and choose the version you want to delete.

If you try to permanently delete an object version, you will get an error.

Trying from cli have the same result

To delete a file you need to add the MFA device ID and code, if you delete an object with a delete marker it will be shown in the result.

Deleting object with delete marker.

Deleting object with no delete marker.

To disable MFA delete use the same command as enabling it and replace " MFADelete=Enabled " with " MFADelete=Disabled " .

After disabling MFA delete don't forget to delete your access key.
you have to deactivate the access key first then delete it.

Migration Strategies - 7Rs

mostafamedhat1983 — Wed, 30 Aug 2023 19:16:54 +0000

1-Retire — Get rid of
Remove the applications that are no longer needed, or causing security risk because it is not supported any more.

2-Retain — “revisit” or do nothing
keep the applications that are not ready to migrate.

3-Rehost — lift-and-shift
move the applications to cloud without making any changes to them.

4-Relocate — hypervisor-level lift and shift
Move infrastructure to the cloud without purchasing new hardware, rewriting applications, or modifying. This migration scenario is specific to VMware Cloud on AWS.

5-Repurchase — drop and shop
commonly a move to a SaaS platform. Moving a CRM to Salesforce.com, an HR system to Workday, a CMS to Drupal, and so on.

6-Replatform — lift and reshape
move the application to the cloud and take advantage of the cloud optimization and capabilities. For example, replatform a Microsoft SQL Server database to Amazon RDS for SQL Server.

7-Refactor/re-architect
Re-imagine how the application is architected and developed using cloud-native features. Example: Migrate on-premises Oracle database to the Amazon Aurora PostgreSQL-Compatible Edition.

HOW TO ATTACH AND USE EBS VOLUME ON EC2 LINUX INSTANCE- A SIMPLE GUIDE

mostafamedhat1983 — Thu, 17 Aug 2023 18:28:43 +0000

To create new EBS volume navigate to EC2, Elastic Block Store, Volumes then click Create volume.

-choose the desired volume type and size, make sure the EBS volume is in the same AZ as the EC2 instance it will be attached to. Then click Create.

-choose the EBS volume you created, Actions then Attach volume

-select the EC2 instance you want to attach the EBS volume to it. EBS volume name will be /dev/sdf or /dev/xvdf by default

-EBS volume is successfully attached

-connect to your EC2 instance (to use EC2 instance connect you must allow SSH in the inbound rules of attached security group).

sudo lsblk
view your available disk devices and their mount points.

the EBS volume we attached is xvdf (1G) and it has no mount point.

sudo lsblk -f
get information about all of the devices attached to the instance.

sudo file -s /dev/xvdf
show file system for disk xvdf

sudo mkfs -t xfs /dev/xvdf
create a file system xfs on the volume xdvf
If you get an error that mkfs.xfs is not found, use the following command to install the XFS tools and then repeat the previous command: sudo yum install xfsprogs

sudo mkdir /ebs
create directory ebs, we will use this directory to mount our EBS volume
sudo mount /dev/xvdf /ebs
mount the volume at the directory you created

**To mount an attached EBS volume on every system reboot, add an entry for the device to the /etc/fstab file.

You can use the device name, such as /dev/xvdf, in /etc/fstab, but it is recommended to use the device's 128-bit universally unique identifier (UUID) instead. Device names can change, but the UUID persists throughout the life of the partition.**

sudo cp /etc/fstab /etc/fstab.orig
Create a backup of your /etc/fstab to restore it in case of any problems

sudo blkid
find the UUID of the device

EBS volume UUID is 0bce0506-dd1d-4ee7-9aef-642eac6501bb

sudo vim /etc/fstab
edit the fstab file
press i to enter insert mode
Add the following entry to /etc/fstab
UUID=0bce0506-dd1d-4ee7-9aef-642eac6501bb /ebs xfs defaults,nofail 0 2
0 to prevent the file system from being dumped, and we specify 2 to indicate that it is a non-root device.

esc
:wq
w stands for write (save) and q stands for quit.

to check unmout the device then mount all file systems in /etc/fstab
sudo umount /ebs
sudo mount -a

Errors in the /etc/fstab file can render a system unbootable. Do not shut down a system that has errors in the /etc/fstab file

restore fstab backup in case of error
sudo mv /etc/fstab.orig /etc/fstab

CONNECT TO EC2 USING SESSION MANAGER- A SIMPLE GUIDE

mostafamedhat1983 — Wed, 16 Aug 2023 22:26:55 +0000

To be able to connect to ec2 instance using session manager, SSM agent must be installed on this instance.

some AMIs come with SSM agent already preinstalled:

Amazon Linux Base AMIs dated 2017.09 and later
Amazon Linux 2
Amazon Linux 2 ECS-Optimized Base AMIs
Amazon Linux 2023 (AL2023)
Amazon EKS-Optimized Amazon Linux AMIs
macOS 10.14.x (Mojave), 10.15.x (Catalina), and 11.x (Big Sur)
SUSE Linux Enterprise Server (SLES) 12 and 15
Ubuntu Server 16.04, 18.04, 20.04, and 22.04
Windows Server 2008-2012 R2 AMIs published in November 2016 or later
Windows Server 2016, 2019, and 2022

you can also check these guides to install SSM agent on your instance:

For macOS https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install-macos2.html

-For win server:
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-win.html

-For Linux :
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html

-first you need to create a role to enable ec2 to use AWS Systems Manager service core functionality.

-Navigate to IAM, Roles then create role

-select EC2 then Next

-search for AmazonSSMManagedInstanceCore policy ancd check it then Next

enter the role name then Next

role is now created

-when launching EC2 instance at the end of the page click Advanced details

-in advanced details select IAM instance profile and choose the role you created

-Navigate to EC2 ,instances. then check your EC2 instance and click connect

-choose Session Manager then Connect

-you are now connected to your EC2 instance using session manager

if the EC2 instance was already created you have to modify its IAM role

-Navigate to EC2, Instances and click on your EC2 intance , Actions , Security then Modify IAm role

-after that choose the role you created and click Update IAM role

connecting to EC2 using session manager is more secure than using SSH as session manager doesnt need an open port to connect