DEV Community: Tanmay Shukla

Setup CloudFront & Amazon S3 to Deliver objects on the Web Apps (securely & efficiently)

Tanmay Shukla — Mon, 20 Mar 2023 12:08:15 +0000

What is S3 ?

AWS S3 (Simple storage service) is an object storage service offering industry-leading scalability, data availability, security, and performance.
Businesses can store and retrieve any amount of data, at any time, from anywhere on the web. S3 is highly durable and designed to provide 99.999999999% durability of objects over a given year, making it a reliable and secure solution for storing critical data.
S3 is widely used in storing and serving object on the internet, whether it is images, videos, or any other unstructured data. But when we use S3 with Cloudfront it provides lot of benefits

What is Cloudfront ?

Cloudfront is the AWS Content delivery network that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users.
CloudFront delivers your content through a worldwide network of data centers called edge locations.

Here are some applications of CloudFront:

Content Delivery: CloudFront accelerates the delivery of your content by caching your content at edge locations worldwide. This reduces the time it takes for users to access your content and improves the performance of your web applications.
Video Streaming: CloudFront can deliver high-quality video streaming to users worldwide. It can also integrate with AWS Elemental Media Services to provide a complete video streaming solution.
Website Security: CloudFront integrates with AWS Shield to provide protection against DDoS attacks. It also supports SSL/TLS encryption to secure your content in transit.
Global Applications: CloudFront provides a global presence to your application by caching your content at edge locations worldwide. This allows your users to access your content from a location that is geographically closer to them, reducing latency and improving their experience.
API Gateway: CloudFront can be used as a custom origin for API Gateway. This allows you to cache API responses at edge locations, reducing the load on your API backend and improving the performance of your APIs.

Serving S3 objects with CloudFront has several benefits:

1.) Improved performance: CloudFront is a content delivery network (CDN) that caches content at edge locations around the world. By serving S3 objects with CloudFront, you can improve the performance of your application by reducing latency and improving load times for users located far away from the S3 bucket.

2.) Reduced costs: Serving S3 objects with CloudFront can help reduce your data transfer costs by caching frequently accessed content at edge locations. This reduces the number of requests made to the S3 bucket, which can help reduce your data transfer costs.

3.) Improved security: CloudFront can help improve the security of your S3 objects by enabling you to restrict access to your content using a variety of authentication methods, such as signed URLs or AWS Identity and Access Management (IAM) policies.

4.) Customization: CloudFront provides a range of customization options, such as custom SSL certificates, custom error pages, and content compression, which can help you optimize the delivery of your S3 objects to your users.

5.) Scalability: CloudFront is designed to handle high levels of traffic and can automatically scale to accommodate increases in demand. This can help ensure that your application remains highly available and responsive, even during periods of high traffic.

Overall, serving S3 objects with CloudFront is a best practice for many AWS customers who need to distribute their content globally, improve the performance of their applications, and reduce their costs.

Setup the S3 and Cloudfront for serving objects through Web application.

Objective

1.) Sign in to AWS management console.

2.) Create and setup the S3 Bucket (Private) to store objects.

3.) Create the Cloudfront distrubution for your S3 bucket.

4.) Setup the IAM role and permissions for Web application.

5.) Finally, test the application !!!

Steps for Implementation of the project:

1.) Sign in to AWS management console.

First, sign in to the AWS console with your username and password and select the appropriate region like us-east-1.

2.) Create and setup the S3 Bucket (Private) to store objects.

Let's search for S3 and open th S3 console
Create S3 bucket:
- Give a globally unique name and region to your bucket.
- Set the object ownership and keep ACL's disabled.
- Block all public access - It provides an additional layer of security for your data, preventing unauthorized access and ensuring that your data is protected at all times.
- Enable the versioning - With S3 versioning, every time an object is updated or deleted, a new version of the object is created, allowing users to access and restore previous versions of the object.
- Enable the encryption - In Server-side encryption, Amazon S3 encrypts your objects before saving them on disks in AWS data centers and then decrypts the objects when you download them. All Amazon S3 buckets have encryption configured by default and all new objects uploaded to an S3 bucket are automatically encrypted at rest
- Object lock - It helps to prevent accidental deletion or modification of objects. With Object Lock, you can set a retention period for objects in a bucket, during which time the objects cannot be deleted or modified. For now we'll keep this default.
- Finally click on the Create bucket
Now let's upload some objects in S3 bucket for testing or project.

**3.) Create the Cloudfront distrubution for your S3 bucket.**

Search for clodufront in AWS console search bar & open the cloudfront dashboard.
Select the Origin domain of your bucket from drop down & give the name of the cloudfront distribution.
Set the origin access as Origin access control settings.
We also need to create the access control setting for this cloudfrony distro like below:
Enable the Shield as it helps to minimize your origin’s load, improve its availability, and reduce its operating costs.
In Default cache behaviour settings set configurations as below, else keep it default.
Let Function associations - optional be as default for now.
In the final section i.e. settings, choose as per your usecase and requirements like below:
- In this we need to choose the price class and AWS WAF web ACL we want to associate it with.
- If we want to add a custom domain to the clodfront distribution then we can add it here.
- In default root object, the object you specify will return if user requests root URL.
Once the Cloudfront Distribution got created then we need to add the given policy in the respective S3 Bucket policy. So copy the bucket policy from here.
Then go to S3 bucket > Permissions > Edit bucket policy.

4.) Setup the IAM role and permissions for Web application.

So now, you can use this cloudfront distribution in your applications. Usually Applications requires PutObject, GetObject and DeleteObject permissions for S3 bucket For that you need to give your application via IAM user or role (recommended)
The Get Operation (read access but only to web app user not anonymous) will be handled by Cloudfront.
For Put and delete object you need to create an IAM role and attach the below IAM policy.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::cloudfront-demo1-s3/*",
            ]
        }
    ]
}

Now, assign the IAM role to web application server** and you are good to go.

5.) Finally, test the Application !!

Now we can test the cloudfront domain which is setup to deliver the object from private S3 bucket.
By hitting the https://Distribution-domain-name/s3-object-name, it will return as below.
While if we just hit the domain https://Distribution-domain-name then it will show us the object that we had set in default root object.

🚩🚩 Note: Some helpful Links:

Jenkins 101 - Beginner to Advanced 🚀🚀 (PART -1/2)

Tanmay Shukla — Tue, 14 Mar 2023 15:41:03 +0000

Introduction

Jenkins is a free and open-source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery.

Installation of Jenkins

There are multiple ways to install jenkins

1. Jenkins On Ubuntu:

First, install java:

sudo apt-get update
sudo apt-get -y upgrade
sudo apt search openjdk
sudo apt install openjdk-11-jdk
java -version

Now go to Jenkins download and follow instructions. Then run:

sudo systemctl status jenkins
sudo systemctl enable jenkins
sudo systemctl start jenkins

Finally go to:

http://ip_address_or_domain:8080

Run this to get initial password

sudo cat /var/lib/jenkins/secrets/initialAdminPassword

Select like below:
Create a first admin user
Now your jenkins is ready to use, Welcome to the world of jenkins: Note : Make sure you have enabled 8080 port(by enabling custom tcp/udp as 8080 inside inbound rules in your security group if using EC2)

2. On Docker container:

Install docker:

sudo apt-get update
sudo apt-get -y upgrade
sudo install docker.io

Now to download an jenkins image and run it as docker command we need to run the following command

docker run -p 8080:8080 -p 50000:50000 -d -v jenkins_home:/var/jenkins_home

8080:8080 --> specify the port(bind the host(server) port 8080 to jenkins port 8080)
50000:50000 --> port where jenkins master and slave will communicate(as jenkins can be build and started as a cluster). If we have large workloads that you are running with the jenkins, so this port is where communication between master and worker node is happening.
- -d : To run container in detached mode(background)
- -v : To mount the volumes jenkins_home
- jenkins/jenkins:lts : Official docker image for jenkins
- Now Check our jenkins container with docker ps:
- Finally, please go to: http://ip_address_or_domain:8080
- After opening the Jenkins dashboard, follow the above steps.
- Run docker exec -it ` bash --> To run a command in a running container(i.e. login as jenkins user)
- Run `docker volume inspect jenkins_home --> To get info about our created volume.

3. On Amazon Linux 2/ CentOS

First install java: sudo yum update -y sudo yum install java-1.8.0-openjdk
Now download latest jenkins package:

sudo wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat/jenkins.repo

Import a key file from Jenkins-CI to enable installation from the package:

sudo rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key

Install Jenkins

sudo yum install jenkins -y

Enable the Jenkins service to start at boot:

sudo systemctl enable jenkins
sudo systemctl start jenkins
sudo systemctl status jenkins

✨✨Note: For CentOS make sure to configure firewall as, Jenkins service uses port 8080 to communicate. If you’re using the default firewalld service, enter the following commands to allow access:

sudo firewall-cmd ––permanent ––zone=public ––add-port=8080/tcp
sudo firewall-cmd ––reload

Open a web browser, and enter the following URL: http://ip_address_or_domain:8080

4. Jenkins on Windows 10:

While it is recommended that you install jenkins controller on linux based server as windows has some complication like locking file sysytem semantics, but we can also install it on our local Windows machine also.
Just Go through these videos to get up & running:

5. Running jenkins as a WAR(Web Application Resource or Archive) file

Before installing jenkins make sure you have following
- Running jenkins using war file is platform/OS independent.
- Only requires that JRE or JDK be insatlled on target.
- Java 8 and 11 are supported only.
Go to jenkins download page and copy the link of Generic Java package(.war) file.
Then use wget <jenkins.war link> to download the war file inside your home directory.
Now all you need to run jenkins is invoke java by running:

java -jar jenkins.war

Finally go to

localhost or <your_ip_address>:8080

as jenkins by default runs on port 8080. Hence your jenkins is up and running.

Note:

We can do this other way also by installing tomcat and then deploy the war file. As eventually when we run java application on our servers. We require tomcat (Apache Tomcat is a web server and servlet container that is used to deploy and serve Java web applications)

sudo apt install openjdk-11-jdk
sudo apt install wget
Install tomcat 9 with wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.0.M10/bin/apache-tomcat-9.0.0.M10.tar.gz
- Extract the files tar xzf apache-tomat-9.0.0.M10.tar.gz
To make it simple we will move this extracted file to a new directory Tomcat9 using the mv command and to do that I will execute the following command: mv apache-tomcat-9.0.0.M10 tomcat9
Our next step is to provide a username and password for Apache Tomcat ---> vim /home/edureka/tomcat9/conf/tomcat-users.xml
Now replace the tomcat-users.xml content with following. This is to create tomcat users

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
    <role rolename="manager-gui"/>
    <role rolename="manager-script"/>
    <role rolename="manager-jmx"/>
    <role rolename="manager-jmx"/>
    <role rolename="admin-gui"/>
    <role rolename="admin-script"/>
    <user username="user1" password="password1" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>
</tomcat-users>

In the above code, as you can see that I have defined several roles and for all these roles I have given one single username called user1 and password i.e. password. If you want to assign different username and password for different roles you can do that as well.
Now save it and close the file to go back to the terminal.

We need to start Apache Tomcat now, but before that I will change my directory to Tomcat9 by executing the below command: cd tomcat9
To start Tomcat use the below command: ./bin/startup.sh
Now we need to download Jenkins war File:

JENKINS FUNDAMENTALS

Roles in jenkins : In Jenkins we have two kinds of Roles.
We create jobs in jenkins to Automate app workflow
Build Tools: Maven(java app), Gradle, NPM(nodejs app)
- Install Nodejs and NPM on ubuntu:
Create simple freestyle jobs and Configure Git Repository.

Run Tests and build java application

Automating the deletion of specific inbound rules from any security groups in AWS via Config

Tanmay Shukla — Mon, 13 Feb 2023 23:29:36 +0000

Hello everyone 👋👋. Thanks for taking out time to read my blog. I hope you'll endup having little more knowledge and practical experience after completing this one.

Here is the simple workflow to understand what we want to achieve here.

As much as it is so much fun to create resources in cloud like AWS, it is also very important to keep your security checks in place. Because even one security breach is enough to take your cloud infrastructure down in some cases.
So i tell you a little story now, I used to create application on Elastic beanstalk as a developer since its very easy to create and managed which is aws managed service. Then after a while I noticed that elastic beanstalk creates the whole think as a cloudformation stack. One of the drawback of this is, it created the EC2 server with default security group rules (like SSH (port 22) open to anywhere i.e. 0.0.0.0/0 which is BIG NO NO !!)
So everytime EB create, rebuild or update the scurity groups, this SSH rule comes as default. Earlier i used manually delete those ssh rule after warning from Trust Advisor, which is very tedious but most important risky as we never know what could happen if we let SSH port open for even 5 minutes.

Now i found out a way by which you can automatically set the rule in AWS Config (it helps you assess, audit, and evaluate the configurations and relationships of your resources) and delete those rules with AWS SSM(Systems Manager) whenever config detects that rule in any of your security groups. So lets get started and understand the whole process.

AWS config continuously monitors the resources and configuration and takes the remediation actions on the basis of config rules.

Create the IAM Role for Systems Manager(AWS SSM)

1.) Go to AWS Management Console.

2.) Create a IAM role and give permissions to Allows SSM to call AWS services on your behalf.
Click on create a role, then select AWS services.

and usecase as Systems Manager.

On Next step choose the AmazonSSMAutomationRole policy from the list.

3.) Finally give the name and review the permissions of SSMAutomationRoleForConfig and create the Role

4.) After this attach one inline policy for giving the Role access to delete the Security groups. Below is the IAM policy for that.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        }
    ]
}

Setup the AWS Config rules for Restricting the SSH access.

5.) Go to AWS Config, click on Add Rule.

6.) Now select the rule type as AWS Managed rule i.e. restricted-ssh from the Rules list.

7.) Configure the rule and give the intuitive name like restricted-ssh

then choose the Resources as security groups in the scope of changes section in Evaluation mode.

You can leave the other optionals like parameters and tags as default.
Finally review the Config rule and click on Add Rule once done.

Manage the remediation of Config rule.

8.) After creating, select the rule and in the Actions click on Manage Remediation.

Now select the Remediation action as automatic.

Then choose the remediation action as AWS-DisableincomingSShOnPort22. This will disable the unrestricted incoming SSH traffic on port 22 for EC2 security groups.

You can update the Rate limits as per your usecase or leave it default for now. And in the resource Id parameter, select the SecurityGroupIds(or else you can pass the resource ID of noncompliant resources to a remediation action by choosing a parameter that is dependent on the resource type.). But here we want do it for all security groups.

In the next section of parameters, the SecurityGroupIds will be greyed out, so no need to worry about that. And in the AutomationAssumeRole, put the ARN no. of Role that you created in above i.e. SSMAutomationRoleForConfig in our case.

Finally review everything and Save Changes.

Test if it really works 🤔.

Go that EC2 dashboard, select any instance and edit the inbound rule of that security group as 🚨🚨 SSH (port 22) allow to 0.0.0.0/0 (Warning: Please don't do that with production resources(or serious resources), use only testing servers that doesn't have anything to be compromised in any case.)

If some body trys to allow ssh (port 22) inbound rule to a critical server so that he can ssh inside it and take away any data or harm the Application in someway.
Even if it is 5 minutes, we won’t even know that someone has taken away the data or has done ssh into the virtual machine. You won’t get any alarm also. But with config we can completely resolve this issue and secure our AWS Cloud infrastructure.
In a while you will see the remediation like below.

And you'll found that ssh rule will be deleted by config rule and AWS SSM StartAutomaticExectionAPI.

BONUS:

If you want to setup alerts and notification if if find any resource as uncompliant. Get notified when an AWS resource is non-compliant using AWS Config?
If any problem while setting this up, you can troubleshoot failed remediation actions in AWS Config?

If you find any issue while doing this please let me know in comments or you ca connect me directly.

Bio.link Profile

Learn AWS (Amazon web services) for FREE😎😎 in 2023 (Updated)

Tanmay Shukla — Wed, 10 Aug 2022 13:10:00 +0000

Hello everyone, and thank you for taking out your precious time to read this blog and investing in your future. I have started my journey of learning cloud(AWS) around 6 months back in late 2021. It was a time during AWS re:invent. It got me somewhat interested, and I just keep learning and dabbling into it. Throughout this learning journey, I have used 100% free resources to learn, practice hands-on. So, today, I want to show you some of the best resources to learn AWS without spending any single penny 💸💸. The best part is they are not third party training providers, instead we got to learn from those who build AWS. Lets go!!!

AWS Skill Builder: Your learning center to build in-demand cloud skills
AWS Cloud Quest - Cloud Practitioner(GAME): AWS Cloud Quest is the only role-playing game to help you build practical AWS Cloud skills. Whether you’re starting your cloud learning journey or diving into specialized skills, AWS Cloud Quest helps you learn in an interactive, engaging way.
AWS Educate: AWS Educate offers hundreds of hours of self-paced training and resources for new-to-cloud learners—including hands-on labs in the AWS Management Console.
AWS Hands-on Tutorials: Discover tutorials, digital training, reference deployments and white papers for common AWS use cases.
AWS Workshops: This website lists workshops created by the teams at Amazon Web Services (AWS). Workshops are hands-on events designed to teach or introduce practical skills, techniques, or concepts which you can use to solve business problems.
AWS Heroes Content Library: AWS Hero authored content including blogs, videos, slide presentations, podcasts, and more.
Back to Basics: Back to Basics' is a video series that explains, examines, and decomposes basic cloud architecture pattern best practices.
AWS Whitepapers: Expand your knowledge of the cloud with AWS technical content authored by AWS and the AWS community, including technical whitepapers, technical guides, reference material, and reference architecture diagrams.
AWS Power Hour on twitch: AWS Training and Certification offers free live and on-demand training on Twitch.
AWS Architecture center: The AWS Architecture Center provides reference architecture diagrams, vetted architecture solutions, Well-Architected best practices, patterns, icons, and more. This expert guidance was contributed by cloud architecture experts from AWS, including AWS Solutions Architects, Professional Services Consultants, and Partners.

✨✨BONUS✨✨

Coursera's AWS Courses(Free to enroll via audit): AWS also provides various specializations in partnership with coursera
AWS podcast(Learn aws on the go, anytime)
AWS Solutions Architect Bootcamp by AWS usergroup Free bootcamp for preparing for aws solutions architect exam
re:Skill (In association with AWS) Make the best use of this platform to reskill yourself on AWS platform by going through the learning content and taking up the challenges.
AWS Ramp-Up guides: Downloadable AWS Ramp-Up Guides offer a variety of resources to help you build your skills and knowledge of the AWS Cloud.

Deploy a PHP(Laravel) app on AWS Elastic Beanstalk via CodePipeline

Tanmay Shukla — Fri, 29 Jul 2022 07:14:00 +0000

In this tutorial I will explain you to deploy a PHP laravel application on AWS Elastic Beanstalk service.
About : Amazon Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.
Working: You simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, and automatic scaling to web application health monitoring, with ongoing fully managed patch and security updates.

Step-1) Create a Beanstalk Environment and APP

Select environment as web server environment
Create the Application and Environment name:
Choose the Platform on which you want to deploy your app.Here We will choose PHP for our laravel project.
The next step is to upload the code(for now we will go with sample code as we will push the original code in the next version with the code pipeline.)
Click on create and let the enviornment get created. Finally It will show something like this And when you click the APP url like this http://laravelapp-env.eba-muin3rqg.us-east-2.elasticbeanstalk.com/ it will open your app with sample code.

Step-2) Create the CodePipeline

Go to searchbar, type codepipeline and click create codepipeline

Now Add the source stage, connect to your version control system(like Github here) and select the repository(laraval-demo) and branch(dev)
Check the Start the pipeline on source code change to automatically starts your pipeline when a change occurs in the source code.
Skip the Build stage for now. Add Deployment stage (Pipelines must have at least two stages. Your second stage must be either a build or deployment stage.)
Choose Elastic Beanstalk at the place of Deployment Provider, application name and environment name.

Click Next and Review all the steps and cofiguration.
Finally Click on Create Pipeline
After Pipeline is succesfull create and deployed it will look something like this:
Now Go to Beanstalk enviornment dashboard and open the application version you will found out that the latest version deployed is via codepipeline
See the health of our app as OK
Click on Beanstalk App URL like http://laravelapp-env.eba-muin3rqg.us-east-2.elasticbeanstalk.com/ to see our deployed laravel app.

Summary:

The CodePipeline will trigger whenever we will push the changes into the git. Hence it is our Continuous integration pipeline.

How to create a SFTP server on EC2(CentOS/Ubuntu) ?

Tanmay Shukla — Thu, 28 Jul 2022 18:59:00 +0000

In this tutorial you'll learn to create a SFTP server. SFTP stands for SSH File Transfer Protocol, and is a secure way to transfer files between machines using an encrypted SSH connection. Although similar in name, this is a different protocol than FTP (File Transfer Protocol), but SFTP is widely supported by modern FTP clients.

SFTP is available by default with no additional configuration on all servers with SSH access enabled. Though it’s secure and fairly straightforward to use, one disadvantage of SFTP is that in a standard configuration, the SSH server grants file transfer access and terminal shell access to all users with an account on the system. In many cases, it is more secure to apply granular control over user permissions. For example, you may want to allow certain users to only perform file transfers, but prevent them from gaining terminal access to the server over SSH.

Here you’ll set up the SSH daemon to limit SFTP access to one directory with no SSH access allowed on a per-user basis.

Pre-requisite: First update the machine



sudo yum check-update
sudo yum update -y

Note : For Ubuntu just use apt instead of yum(CentOS) pkg manager.



sudo apt update
sudo apt upgrade

Install the OpenSSh server ```

sudo yum install openssh-server


###Step-1) Create a new user(s) out of which first two will be granted access to sftp server.

adduser sftp-user1
adduser sftp-user2
adduser normal_user

After this you will be prompted to create password and fill some additional info about user. To check the SFTP working we will not add normal_user to sftpusers groups hence it will not get access to SFTP server.
Now you have created users that will be granted the access to restricted directory.
Let's create a group and add the users into it.

groupadd sftpusers
sudo usermod -a -G sftpusers sftp-user1
sudo usermod -a -G sftpusers sftp-user1

If you want to give access of sftp server to multiple users then you can create group and add those users into group and specify in the below(Step-4) sshd-config file the name of group as **Match Groups <group name>**

### Step-2) Create a directory for Restricted access
In order to restrict SFTP access to one directory, you first have to make sure the directory complies with the **SSH server’s** permissions requirements, which are very specific.
Specifically, the directory itself and all directories before it in the filesystem tree must be owned by **root** and not writable by anyone else. At the same time, it’s not possible to give restricted access to a user’s home directory because home directories are owned by the user, not root.
- As there are different ways to work around this ownership issue. Here we will create **/var/www/public_ftp** as a target upload directory. **/var/www** will owned by root and will not be writable by other users. The subdirectory public_ftp will be owned by sftp-user1

mkdir -p /var/www/public_ftp

Set the owner of /var/www to root:

sudo chown root:root /var/www

Give root write permissions to the same directory, and give other users only read and execute rights:

sudo chmod 755 /var/www

Now change the ownership of public_ftp directory that you have just created. The following command will make the owner of this directory to **sftp-user1** or its corresponding group.
Now the directory structure is in place, you can configure the SSH server itself.

sudo chown sftp-user1:sftpsusers /var/www/public_ftp/

$ ls -lrt
total 0
drwxr-xr-x. 2 sftp-user1 sftpusers 26 Jul 28 12:06 public_ftp


### Step-3) Restricting Access to only one directory.
In this step, you’ll modify the SSH server configuration to disallow terminal access for sftp-user1 but **allow file transfer access**.
Open the SSH server configuration file using nano or vim.

sudo vim /etc/ssh/sshd_config

Scroll to the very bottom of the file and add the following configuration snippet:

Match User sftp-user1
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/www
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no


🚨 Note: Here’s what each directive does:
- **Match User** tells the SSH server to apply the following commands only to the specified user. Here, we specify sftp-user1. Again, make sure to update this with your own user’s name, if different.
- **ForceCommand internal-sftp** forces the SSH server to run the SFTP server upon login, disallowing shell access.
- **PasswordAuthentication yes** allows password authentication for this user.
- **ChrootDirectory /var/www/** ensures that the user will not be allowed access to anything beyond the **/var/www/** directory.
- **AllowAgentForwarding no, AllowTcpForwarding no, and X11Forwarding no** disables port forwarding, tunneling, and X11 forwarding, respectively. The purpose of adding these directives is to further limit this user’s access to the server.
This set of commands, starting with Match User, can be copied and repeated for different users too. Make sure to modify the username in the Match User line accordingly.

### Step-4 Run the sshd command to test the changes, then restart the service and Verify the configuration

`Important: If this step is performed incorrectly, it might break your SSHD configuration.`

sshd -t
service sshd restart

**Now to Verify the Configuration**
Let’s ensure that our new  user can only transfer files. As mentioned previously, SFTP is used to transfer files between machines. You can verify this works by testing a transfer between your local machine and server.
First, try logging into your server as the user you created in Step 1. Because of the settings you added to the SSH configuration file, this won’t be possible:

ssh sftp-user1@your_server_ip

You’ll receive the following message before being returned to your original prompt:

Output
This service allows sftp connections only.
Connection to your_server_ip closed.

This means that sftp-user1 can no longer access the server shell using SSH.

Next, verify if the user can successfully access SFTP for file transfer:

sftp sftp-user1@your_server_ip

Instead of an error message, this command will generate a successful login message with an interactive prompt:

Output
Connected to your_server_ip
sftp>

You can list the directory contents using ls in the prompt:

sftp> ls

This will show the **public_ftp** directory that was created in the previous step and return you to the sftp> prompt:

Output
uploads

#### Final check 
For sftp-user1:
![user1](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/pyqlb1c5v6u6wmlhdlfn.png)
For sftp-user2:
![sftp-user2](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/r2gwwfb59xbib6l7l4md.png)

How can I connect or access an AWS S3 bucket from an Amazon EC2 Instance?

Tanmay Shukla — Wed, 20 Jul 2022 18:30:00 +0000

In this tutorial I'll show you step by step to connect & access your S3 bucket from EC2 instance via IAM Roles.

Step-1) Create an IAM instance profile that grants access to Amazon S3.

Open the IAM console.
Choose Roles, and then choose Create role.
Select AWS Service, and then choose EC2.
Select Next: Permissions.
Create a custom policy that provides the minimum required permissions to access your S3 bucket.

Note: Creating a policy with the minimum required permissions is a security best practice. However, to allow EC2 access to all your Amazon S3 buckets, you can use the AmazonS3ReadOnlyAccess or AmazonS3FullAccess managed IAM policy.

Select Next: Tags, and then select Next: Review.
Enter a Role name, and then select Create role.

Step-2) Create an EC2 instance and attach IAM instance profile to this instance

Create the EC2 instance (Launch an EC2 instance in 1 min)
For this click on checkbox on that instance and go to Actions tab > Security > Modify IAM role.
Now select the IAM role that you created in step-1 then save it. This will assign the IAM role to your ec2 instance.

Step-3) Validate S3 to check permissions, if it has any denying policy attached to it.

Go to Permissions>Bucket Policy then search fo Effect:Deny
Now in your bucket policy, edit or remove any Effect: Deny statements that are denying the IAM instance profile access to your bucket.

Step-4) Check the network connectivity from EC2 instance to Amazon S3.

Verify if EC2 has network connectivity to S3 Endpoints
We need to make sure that our instance must possess one of the following quality
- [] EC2 instance with a public IP address and a route table entry with the default route pointing to an Internet Gateway.
- [] Private EC2 instance with a default route through a NAT gateway.
- [] Private EC2 instance with connectivity to Amazon S3 using a Gateway VPC endpoint.

Step-5) Validate access to S3 buckets

First we need to Install AWS CLI Install or update AWS CLI
To Verify access to your S3 buckets by running the following command. Replace BUCKET-NAME with the name of your S3 bucket. This command will list all the objects in your bucket: ```

aws s3 ls s3://BUCKET-NAME

![Image 4](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3tblxhd6h4dbu0fqm4il.png)
![Image 5](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/aom8g08cxzhlkivt34l3.png)

**Note:** Run the AWS s3 **cp** command to copy the files to the S3 bucket and vice versa but remember to give IAM role **AmazonS3FullAccess** or **AdminsterAccess**. 
Now as we have also installed the aws command line you can simply use the following commands to copy the files to S3 Bucket from EC2.

To List the S3 Bucket

aws s3 ls s3://

To copy the files from EC2 to S3

aws s3 cp s3://

**<u>Addition resources:</u>**
- https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-access-s3-bucket/
- https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
- https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html

## Connect with me 
- [Github](https://github.com/tanmaycode2)
- [Linkedin](https://www.linkedin.com/in/tanmay-shukla/)

Amazon Elastic Container Service (ECS)- Practical Guide 🚀🚀(Cheat Sheet)

Tanmay Shukla — Sat, 16 Jul 2022 12:22:21 +0000

Amazon Elastic Container Service is a highly scalable, fast, container management service that makes it easy to run, stop and manage docker containers on a cluster of amazon EC2 instances.

It let's you launch and stop contianer-enabled applications with simple API calls, that allows us to get the state of our cluster from a centralized service, and gives us access to many familiar EC2 features.
Through ECS we can schedule the placement of containers across our cluster based on resource needs, isolation policies, and availability requirements.
ECS eliminates the need for you to operate you own cluster (management) and configuration management or even worry about scaling your management infrastructure.
ECS also has integration with the Application Load balancer to expose your service to the world.

ECS has two launch types:

1. Amazon ECS - EC2 launch Type:

ECS = Elastic Container Service
Launch Docker containers on AWS = Launch ECS Tasks on ECS Clusters
EC2 Launch Type: you must provision & maintain the infrastructure (the EC2 instances)
Each EC2 Instance must run the ECS Agent to register in the ECS Cluster
AWS takes care of starting / stopping containers.

2. Amazon ECS - Fargate Launch Type:

Launch Docker containers on AWS.
We do Not have to provision the infrastructure(EC2 instances), which makes it simpler and easy to use!
It's all Serverless.
AWS runs the contaiers for us based on the CPU/RAM we need.
We just create task definitions. Then the fargate service will launch the task and there is no need to create EC2 instance beforehand(which makes it lot easier).
To access this fargate tasks, we're going to have elastic network interfaces(ENI) that are also going to launched within our VPC to bind this task to a network IP. So, the more tasks we have, more ENI's(distinct and private IP; so make sure we have enough IP addresses in our VPC) will be created and they are going to be unique for all of these tasks.
To scale, we just need to increase the number of tasks. Much simpler than EC2 instances.

🚩🚩🚩 Note: All these ECS Tasks will maybe perform some operations on you AWS services. For example they may need to interact with DynamoDB or S3, so therefore they need IAM roles. So lets look at IAM roles for ECS tasks now.

IAM Roles for ECS Tasks

EC2 Instance Profile (EC2 Launch Type only):
- Used by the ECS agent
- Makes API calls to ECS service
- Send container logs to CloudWatch Logs
- Pull Docker image from ECR
- Reference sensitive data in Secrets Manager or SSM Parameter Store.
ECS Task Role:
- When you create a task you attach task role to it.
- Tasks Role is defined in the task defintion.
- It Allows each task to have a specific role. While it's also advisable to create new ECS task role for new task, as it ensures better security when accessing services.
- That's why we use different roles for the different ECS Services we run.
- As its a much better separation of security & you have as many task roles as different types of tasks.

🚩🚩🚩 Note: You can question like how these services share data? It's much more complex topic that you think so I'll cover this in another blog but for now let take a high level understanding.

ECS Data Volumes:

ECS has an integration with the EFS(Elastics file system) which is a NFS(network file sysytem).
If we have an EC2 instance and multiple tasks running, it is possible to create an EFS file system and to mount the file system directly onto these ECS tasks. - It works for both EC2 Tasks and Fargate tasks.
Tasks launched in any AZ will be able to share same data in the EFS volume.
With the combination of Fargate + EFS we get truly serverless offering (i.e. serverless, data storage without managing servers)
The main Usecase is during persistent multi-AZ shared storage for your containers.

Connect with me

Launch an EC2 instance with AMI in 1 minute (Step by Step guide) Updated 2022

Tanmay Shukla — Fri, 15 Jul 2022 15:23:09 +0000

This article will guide you to get started with AWS EC2, launch your first EC2 instance and Configure it.
After this step by step tutorial you will understand EC2 practically.

First of all, Go to AWS management console and login with root or IAM user. Then select EC2 by searching it on global search box.

Launch Your Amazon EC2 Instance

In the AWS Management Console on the Services menu, click EC2.
Click Launch instances > Launch instances.

Step-1: Give name and tags

First, give the name and tags to your instance. Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment.
Click Add Tag then configure:
- Key: Name
- Value: Web Server

Step-2: Choose Application and OS Images [Amazon Machine Image(AMI)]

Then choose instance type as 2nd step.
An Amazon Machine Image (AMI) provides the information required to launch an instance, which is a virtual server in the cloud. AMI includes
- A template for the root volume for the instance (for example, an operating system or an application server with applications)
- Launch permissions that control which AWS accounts can use the AMI to launch instances
- A block device mapping that specifies the volumes to attach to the instance when it is launched
We can also create our own AMI but Quick Start list contains the most commonly-used AMIs.
Click select next Amazon Linux 2 AMI (at the top of the list).

Step-3: Choose an Instance Type

Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your applications.
Under Instance type, from the Instance type list, you can select the hardware configuration for your instance.
A t2.micro instance has 1 vCPU and 1 GiB Memory.
Choose the t2.micro instance type, which is selected by default. The t2.micro instance type is eligible for the free tier. In Regions where t2.micro is unavailable, you can use a t3.micro instance under the free tier.

Step-4: Create Key pair (login)

We use key pair to securely connect to our instance.

Create new key-pair if don't have any, then give it name and select RSA. Finally download the PEM or PPK file.

🚨 ⚠️ Warning
Do not choose Proceed without a key pair (Not recommended). If you launch your instance without a key pair, then you can't connect to it.

Step-5: Configure Network settings

Next to Network settings, choose Edit. For Security group name, you'll see that the wizard created and selected a security group for you.
We can use this security group, or alternatively you can select the security group that you created when getting set up using the following steps:
- Configure Security Group:
  - Keep the default selection, and select Create a new security group.
  - Security group name: Web Server security group
  - Description: Security group for my web server
Add SSH(port-22) and HTTP(port-80) rules in Inbound security groups rules to access our instance from putty(ssh) and through web browser(internet) respectively.
Keep the default selections for the other configuration settings for your instance.

Step-6: Configure Storage

Amazon EC2 stores data on a network-attached virtual disk called Elastic Block Store.
We will launch the Amazon EC2 instance using a default 8 GiB disk volume. This will be your root volume (also known as a 'boot' volume).

Step-7: Advanced Details

A field for User data will appear.
- When you launch an instance, you can pass user data to the instance that can be used to perform common automated configuration tasks and even run scripts after the instance starts.
- Your instance is running Amazon Linux, so you will provide a shell script that will run when the instance starts.
Copy the following commands and paste them into the User data field:

#!/bin/bash
yum -y install httpd
systemctl enable httpd
systemctl start httpd
echo '<html><h1>Hello From Your Web Server!</h1></html>' > /var/www/html/index.html

Leave everything else as default.

Review the Summary and Click `Launch`

Connect to your Instance

There are multiple ways to connect to your instance.

Connect to EC2 instance using PuTTY
- Open PuTTY
- Provide the public IPv4 address( of your ec2 instance in the Host Name section.
- On the left menu, expand SSH and click on Auth
- Click on Browse and open the .ppk file
- Now click open and accept if comes in prompt then login as `ec2-user.
🚩🚩 Important
You can't connect to your instance unless you launched it with a key pair for which you have the .pem file and you launched it with a security group that allows SSH access from your computer. If you can't connect to your instance, see Troubleshoot connecting to your instance for assistance.
Connect using EC2 Instance Connect
- Supported Linux distributions:
  - Amazon Linux 2 (any version)
  - Ubuntu 16.04 or later

To connect to your instance using the browser-based client from the Amazon EC2 console
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose Instances.
- Select the instance and choose Connect.
- Choose EC2 Instance Connect.
- Verify the user name and choose Connect to open a terminal window.
- When you hit coonect it will open terminal in your browser lik this:

Amazon EC2 (Elastic compute cloud ☁🖥) -Zero to Hero🚀🚀 (Cheat Sheet)

Tanmay Shukla — Fri, 15 Jul 2022 07:58:52 +0000

In this series I am going to share multiple articles that will teach you from basic to advanced about EC2. So Lets start !!!

What is EC2 ?

EC2 is a web service that provides resizable compute capacity in the cloud.
It is designed to make web-scale cloud computing easier for developers.
Most popular and most used AWS offering.
EC2 = Elastic Compute Cloud = Infrastructure as a service(IaaS)
- It mainly consists of: – Renting Virtual machines(EC2)
- Storing data on Virtual drives(EBS)
- Distributing load across machines(ELB)
- Scaling the services using an auto-scaling group(ASG)
In this you pay only for capacity that you actually use.
EC2 Provides developers the tools to build failure resilient applications and isolate themselves from common failure scenarios.

Below are some features of EC2:

1. Reliability

EC2 provides 99.9% availability in each region. The services are highly reliable, where replacement of instances can be done easily and rapidly.

2. Cost Saving

EC2 is inexpensive as it allows the user to select plans as per the requirement. It helps the users to save cost and utilize the resources fully.
User's also get benefits from the AWS scale, which enables the users to pay less for virtual servers than other cloud providers.
EC2 works on pay-as-you go model and as a customer we only pay for the time we use EC2.
With the use of EC2, we can eliminate the need to invest upfront cost on Capex for hardware (servers).

3. Elasticity

Companies can easily increase or decrease capacity within minutes. They can also provision thousands of server instances simultaneously.
Apart from that, all the server instances are handled by web service APIs that can scale up and down the servers as per the requirements.

4. Scalability

In EC2 we can scale-in and scale-out depending on load. It also provides autoscaling capabilities
Auto-scaling is the capability built into AWS that allows you to ensure you have the right number of EC2 instances provisioned to handle the load of your application.
We can use EC2 to launch as many virtual machines as per our needs.
It provides scalable computing capacity in AWS cloud.
It also helps in building application with redundancy and resilience.

5. Security

AWS works with Amazon VPC to provide robust networking and security for the compute resources.
All the compute instances are located in a VPC (Virtual Private cloud) in a specific range. This specific functions help the user in deciding which instances are exposed to the internet and which remains private

EC2 sizing & configuration

We can choose from various options in EC2 like below:

Operating System(OS): Linux, Windows or macOS
Compute power, processors and cores(CPU)
Random-access memory(RAM)
Storage space:
- Hardware(EC2 Instance Store)
- Network-attached storage(EBS & EFS)
Firewall Rules: Security group
Network card: speed of the card, Public IP address

EC2 User Data

We can bootstrap our instances using an EC2 User data script.
Bootstrapping means launching commands when a machine starts
This script only run once when the instance start.
Usecase of EC2 user data is to automate boot tasks such as:
- Installing updates
- Installing softwares
- Downloading common files from the internet
- A lot more
The EC2 user data script runs with the root user

Security Groups

Security groups(SG) are the fundamentals of network security in AWS.
SG controls, how the traffic is allowed into or out of our instances.
SG only contain allow rules
SG rules can reference by IP or by security group.
Security groups acts as a "firewall" for EC2 instances.
Security groups regulates :
- Authorized IP ranges -IPv4 and Ipv6
- Access to ports (like SSH, HTTP and HTTPS)
- Control of inbound network(from other to the instance)
- Control of outbound Network(from instance to other)

EC2 Image Builder

It is used to automate the creation of virtual machines and container images.
Its a free service i.e. we only for uderlying resources.
Crux- Automates the creation, maintain, validate and test EC2 AMIs.
We can run it via scheduling(weekly or whenever packages are updated).

Connect with me

AWS Identity and Access management-Practical Guide 🚀🚀(Cheat sheet)

Tanmay Shukla — Thu, 14 Jul 2022 17:36:06 +0000

This is the Practical guide to understand and revise AWS IAM service. This can also be looked as quick review cheat sheet.

IAM: Users & Groups

IAM = Identity and Access Management, Global service
Root account created by default, shouldn’t be used or shared
Users are people within your organization, and can be grouped
Groups only contain users, not other groups
Users don’t have to belong to a group, and user can belong to multiple groups

IAM: Permissions

Users or Groups can be assigned JSON documents called policies.
These policies define the permissions of the users.
In AWS you apply the least privilege principle: don’t give more permissions than a user needs.

IAM Policies Structure

1. IAM Policies Consists of

Version: policy language version, always include “2012-10-17”
Id: an identifier for the policy (optional)
Statement: one or more individual statements (required).

2. Statements consists of

Sid: an identifier for the statement (optional)
Effect: whether the statement allows or denies access (Allow, Deny)
Principal: account/user/role to which this policy applied to
Action: list of actions this policy allows or denies
Resource:list of resources to which the actions applied to
Condition: conditions for when this policy is in effect (optional). Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FirstStatement",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword"],
      "Resource": "*"
    },
    {
      "Sid": "SecondStatement",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ThirdStatement",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::confidential-data",
        "arn:aws:s3:::confidential-data/*"
      ],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}

IAM – Password Policy

Strong passwords = higher security for your account
In AWS, you can setup a password policy:
- Set a minimum password length
- Require specific character types:
- including uppercase letters
- lowercase letters
- numbers
- non-alphanumeric characters
- Allow all IAM users to change their own passwords
- Require users to change their password after some time (password expiration)
- Prevent password re-use.

Multi Factor Authentication - MFA

Users have access to your account and can possibly change configurations or delete resources in your AWS account
You want to protect your Root Accounts and IAM users
MFA = password you know + security device you own

MFA devices options in AWS

Virtual MFA device: Google authenticator, Authy.
Universal 2nd Factor (U2F) Security Key: YubiKey by Yubico (3rd party)

How can users access AWS ?

To access AWS, you have three options:
1. AWS Management Console (protected by password + MFA)
2. AWS Command Line Interface (CLI): protected by access keys
3. AWS Software Developer Kit (SDK) - for code: protected by access keys
Access Keys are generated through the AWS Console
Users manage their own access keys
Access Keys are secret, just like a password. Don’t share them
Access Key ID ~= username
Secret Access Key ~= password

IAM Roles for Services

Some AWS service will need to perform actions on your behalf
To do so, we will assign permissions to AWS services with IAM Roles
Common roles:
- EC2 Instance Roles
- Lambda Function Roles
- Roles for CloudFormation

IAM Guidelines & Best Practices

• Don’t use the root account except for AWS account setup
• One physical user = One AWS user
• Assign users to groups and assign permissions to groups
• Create a strong password policy
• Use and enforce the use of Multi Factor Authentication (MFA)
• Create and use Roles for giving permissions to AWS services
• Use Access Keys for Programmatic Access (CLI / SDK)
• Audit permissions of your account with the IAM Credentials Report
• Never share IAM users & Access Keys

IAM – Summary

• Users: mapped to a physical user, has a password for AWS Console
• Groups: contains users only
• Policies: JSON document that outlines permissions for users or groups
• Roles: for EC2 instances or AWS services
• Security: MFA + Password Policy
• Access Keys: access AWS using the CLI or SDK
• Audit: IAM Credential Reports & IAM Access Advisor

Connect with me

How to Install LAMP(Linux Apache Mysql PHP) on Ubuntu 20.04(AWS-EC2)

Tanmay Shukla — Thu, 14 Jul 2022 09:02:00 +0000

What is LAMP Stack?

The LAMP stack is a popular open-source solution stack used primarily in web development.
LAMP consists of four components necessary to establish a fully functional web development environment. The first letters of the components' names make up the LAMP acronym:
This term is actually an acronym which represents the Linux operating system, with the Apache web server. The site data is stored in a MySQL database, and dynamic content is processed by PHP.

The illustration below shows how the layers stack together:

Step-1 Install Apache and Update the Firewall.

First we need to install apache on our Virtual machine but before that lets update the necessary softwares by following command. Just to remind, ubuntu used apt package manager and Red hat based distros like centos uses yum package manager.

$ sudo apt update

$sudo apt install apache2

To see Apache version on a Debian/Ubuntu Linux, run:

apache2 -v

For CentOS/RHEL/Fedora Linux server, type command:

httpd -v

You can locate apache2 or httpd path using the type command or command command. For instance:

type -a httpd
type -a apache2
whereis httpd
command -v httpd

Now you need to update the firewall so that your firewall allow HTTP and HTTPS traffic. To check the UFW (uncomplicated firewall) which is a firewall configuration tool that runs on top of iptables, included by default within Ubuntu distributions.

$ sudo ufw app list

Output
Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH

If you look at the Apache Full profile details, you’ll see that it enables traffic to ports 80 and 443:

sudo ufw app info "Apache Full"

Output
Profile: Apache Full
Title: Web Server (HTTP,HTTPS)
Description: Apache v2 is the next generation of the omnipresent Apache web
server.

Ports:
  80,443/tcp

Now to allow incoming HTTP and HTTPS traffic for this server, run:

sudo ufw allow "Apache Full"

OUTPUT

Rules updated
Rules updated (v6)

Then to check , go to your instance public IP address

http://your_server_ip

Note: To know your IP address,we can use following commands:

$ sudo apt install curl
$ curl http://icanhazip.com
$ curl ifconfig.me

It will show something like this with apache information:

Step-2 Installing MYSQL.

As we have now our webserver up and running, its time to install Mysql.

$ sudo apt install mysql-server
$ sudo mysql --version

This command will show you a list of the packages that will be installed, along with the amount of disk space they’ll take up. Enter Y to continue.
When installation is done, run a simple security script to remove some dangerous defaults and lock down access to your database system.

$ sudo mysql_secure_installation

Now read and complete the installtion steps like password set etc.
When it's done test if you are able to logged in to the mysql console

Answer Y for yes, or anything else to continue without enabling.

VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?

Press y|Y for Yes, any other key for No:

If you’ve enabled password validation, you’ll be shown the password strength for the root password you just entered and your server will ask if you want to change that password. If you are happy with your current password, enter N for “no” at the prompt:

Using existing password for root.

Estimated strength of the password: 100
Change the password for root ? ((Press y|Y for Yes, any other key for No) : n

Finally type the following to enter into mysql console

$ sudo mysql

Output
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.34-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

and type

exit

to get out of the console.

Step-3 Installing PHP

Why? to install it. Because PHP can run scripts, connect to your MySQL databases to get information, and hand the processed content over to your web server so that it can display the results to your visitors.
Type the below command:

$ sudo apt install php libapache2-mod-php php-mysql

We've installed three packages in the above command:

php package
libapache2-mod-php to integrate PHP into Apache webserver.
php-mysql package to allow PHP to connect to MySQL databases.

To extend the functionality of PHP, you have the option to install some additional modules.

$ apt search php- | less

Use the arrow keys to scroll up and down, and press Q to quit.

The results are all optional components that you can install. It will give you a short description for each:

For example, to find out what the php-cli module does, you could type this:

$ apt show php-cli

If you decided that php-cli is something that you need, you could type:

sudo apt install php-cli

Step-4 Test the PHP Processing on your Web Server

To test that your system is properly configured for PHP, create a PHP script called info.php. In order for Apache to find this file and serve it correctly, it must be saved to your web root directory.

$ sudo nano /var/www/**your_domain**/info.php

Insert the following command to show the php information.

<?php
phpinfo();
?>

Save and close it
The address you will want to visit is:

http://your_domain/info.php

The page that you come to should look something like this:

Now that you have a LAMP stack installed, you have many choices for what to do next. You’ve installed a platform that will allow you to install most kinds of websites and web software on your server.

DEV Community: Tanmay Shukla

Setup CloudFront & Amazon S3 to Deliver objects on the Web Apps (securely & efficiently)

What is S3 ?

What is Cloudfront ?

Here are some applications of CloudFront:

Serving S3 objects with CloudFront has several benefits:

Setup the S3 and Cloudfront for serving objects through Web application.

Objective

Steps for Implementation of the project:

1.) Sign in to AWS management console.

2.) Create and setup the S3 Bucket (Private) to store objects.

3.) Create the Cloudfront distrubution for your S3 bucket.

4.) Setup the IAM role and permissions for Web application.

5.) Finally, test the Application !!

🚩🚩 Note: Some helpful Links:

Jenkins 101 - Beginner to Advanced 🚀🚀 (PART -1/2)

Introduction

Installation of Jenkins

1. Jenkins On Ubuntu:

2. On Docker container:

3. On Amazon Linux 2/ CentOS

✨✨Note: For CentOS make sure to configure firewall as, Jenkins service uses port 8080 to communicate. If you’re using the default firewalld service, enter the following commands to allow access:

4. Jenkins on Windows 10:

5. Running jenkins as a WAR(Web Application Resource or Archive) file

Note:

JENKINS FUNDAMENTALS

Automating the deletion of specific inbound rules from any security groups in AWS via Config

Hello everyone 👋👋. Thanks for taking out time to read my blog. I hope you'll endup having little more knowledge and practical experience after completing this one.

Create the IAM Role for Systems Manager(AWS SSM)

Setup the AWS Config rules for Restricting the SSH access.

Manage the remediation of Config rule.

Test if it really works 🤔.

BONUS:

Learn AWS (Amazon web services) for FREE😎😎 in 2023 (Updated)

✨✨BONUS✨✨

Deploy a PHP(Laravel) app on AWS Elastic Beanstalk via CodePipeline

Step-1) Create a Beanstalk Environment and APP

Step-2) Create the CodePipeline

Summary:

How to create a SFTP server on EC2(CentOS/Ubuntu) ?

How can I connect or access an AWS S3 bucket from an Amazon EC2 Instance?

Step-1) Create an IAM instance profile that grants access to Amazon S3.

Step-2) Create an EC2 instance and attach IAM instance profile to this instance

Step-3) Validate S3 to check permissions, if it has any denying policy attached to it.

Step-4) Check the network connectivity from EC2 instance to Amazon S3.

Step-5) Validate access to S3 buckets

To List the S3 Bucket

To copy the files from EC2 to S3

Amazon Elastic Container Service (ECS)- Practical Guide 🚀🚀(Cheat Sheet)

ECS has two launch types:

IAM Roles for ECS Tasks

ECS Data Volumes:

Connect with me

Launch an EC2 instance with AMI in 1 minute (Step by Step guide) Updated 2022

Launch Your Amazon EC2 Instance

Step-1: Give name and tags

Step-2: Choose Application and OS Images [Amazon Machine Image(AMI)]

Step-3: Choose an Instance Type

Step-4: Create Key pair (login)

Step-5: Configure Network settings

Step-6: Configure Storage

Step-7: Advanced Details

Review the Summary and Click Launch

Connect to your Instance

Amazon EC2 (Elastic compute cloud ☁🖥) -Zero to Hero🚀🚀 (Cheat Sheet)

What is EC2 ?

EC2 sizing & configuration

EC2 User Data

Security Groups

EC2 Image Builder

Connect with me

AWS Identity and Access management-Practical Guide 🚀🚀(Cheat sheet)

IAM: Users & Groups

IAM: Permissions

IAM Policies Structure

IAM – Password Policy

Multi Factor Authentication - MFA

MFA devices options in AWS

How can users access AWS ?

IAM Roles for Services

**3.) Create the Cloudfront distrubution for your S3 bucket.**

Review the Summary and Click `Launch`