Amazon Web Service stuff
- Google "aws free tier" and create a free account
- Go to aws.amazon.com -> Sign in to the Console -> Root user and log in
- Choose N. Virginia (us-east-1) from the region menu in the top right corner, next to your username
- Clone this repository for the course resources: https://github.com/nealdct/aws-clf-code
Configure Account
- Go to the IAM Dashboard (choose IAM from Services) -> create an account alias in the AWS Account section on the right
- Go to your account settings (click your name in the top right -> Account)
- Activate "IAM user and role access to Billing information"
- Choose Billing Preferences in the left navbar under Preferences and Settings
- Edit Alert preferences -> tick both boxes
- Activate Invoice delivery preferences
Budget
- Click Budgets in the left navbar under Budgets and Planning -> Create budget -> Use a template -> Monthly cost budget -> give it a name and your budget amount (e.g. 2)
- Cost Explorer, under Cost Analysis, shows where you are spending your money
Group
- Go to IAM -> User groups -> Create group
- Group name: Admins -> Attach permissions policies -> AdministratorAccess -> Create group
Users
- Click Users under Access management -> Create user -> give a user name -> Provide user access to the AWS Management Console -> I want to create an IAM user
- Set a custom password -> remove the tick from "Users must create a new password at next sign-in" -> Next
- Add user to group -> Admins -> Next -> Create user -> Return to users list
- Try your new user: go to the AWS sign-in page -> choose IAM user -> Account ID is the 12-digit account ID (or the account alias you created above) -> give the user name and password you just created, and it works
- Use the IAM user for day-to-day work rather than the root account; the root user cannot be restricted by IAM policies, so keep it for the few tasks that require it and protect it with MFA
- Install VS Code and the AWS CLI (Command Line Interface)
CloudShell
- Search for CloudShell in AWS Services -> test it with the command aws help (press q to quit)
MFA
- Go to the IAM Dashboard -> Users in the left navbar -> click your name -> Security credentials -> Assign MFA device -> give a device name -> Authenticator app -> scan the QR code etc.
Switch role
- IAM Dashboard -> Users -> Create user -> give a user name and Provide user access to the AWS Management Console -> I want to create an IAM user -> Custom password -> remove the tick from "Users must create a new password..." -> Next -> Create user (no group, no policies) -> Return to users list
- Sign in with that user -> Access denied everywhere; go to the EC2 service -> lots of red -> log out
- Log in with the IAM user with Admin access -> IAM -> Roles -> Create role -> Trusted entity type: AWS account (this account) -> Next -> search EC2 -> AmazonEC2FullAccess -> Next -> Role name: ec2-role -> Create role -> copy the "Link to switch roles in console"
- Log in with the IAM user with no permissions in an incognito tab -> click the username in the top right navbar -> Switch role -> fill in the fields manually OR open a new tab and paste the copied link
- Add the IAM role name as Display name too -> Switch role -> nothing happens: the role's trust policy allows the account, but this user has no permission to call sts:AssumeRole, and switching roles requires both the trust policy on the role and an identity policy on the user
- With the Admin IAM user, copy the ARN from the ec2-role summary
- Users -> click the user with no permissions -> Add permissions -> Create inline policy -> choose JSON at the top -> paste this (with the ARN copied from the role summary as "Resource")
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::279455171996:role/ec2-role"
    }
}
-> Next -> Policy name: stsAssumeRole -> Create policy
- Go back to the incognito window and try Switch role again -> now you see the role in the top right of the navbar
- Go to EC2 and most of the errors are gone -> Switch back to the normal role
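The switch-role steps above depend on two documents: the trust policy the console put on ec2-role when you chose "AWS account", and the stsAssumeRole inline policy on the user. The following is an added example, not code from the course repository, that builds both and runs a simplified same-account check showing why the first attempt failed and the second worked. The account ID 123456789012 and the function names are placeholders chosen here.

```python
"""Added example (not from the course repo): the two policy documents behind
the console Switch role steps, plus a simplified same-account evaluation of
whether a user can assume the role. Account ID and names are placeholders."""
import json
import re

ACCOUNT_ID = "123456789012"   # placeholder, not a real account
ROLE_NAME = "ec2-role"        # the role created in the steps above


def validate_account_id(account_id):
    """AWS account IDs are exactly 12 decimal digits."""
    return re.fullmatch(r"\d{12}", account_id) is not None


def role_arn(account_id, role_name):
    if not validate_account_id(account_id):
        raise ValueError(f"invalid account id: {account_id}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(account_id):
    """What the console attaches to the role for 'AWS account -> This account':
    the account root as principal, meaning any identity in the account whose
    own policies also allow sts:AssumeRole on this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_policy(target_role_arn):
    """The inline policy pasted on the no-permission user (stsAssumeRole)."""
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": target_role_arn,
        },
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement", []))


def _wild(pattern, value, ignore_case):
    """IAM wildcard match: * and ? only. Actions are case-insensitive, ARNs are not."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def can_switch_role(user_policies, user_account_id, role_trust, target_role_arn):
    """Both halves are required: the role must trust the caller's account
    (trust policy) and the caller must be allowed sts:AssumeRole on the role
    (identity policies). An explicit Deny wins over any Allow."""
    trusted = False
    for st in _statements(role_trust):
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action")):
            if any(p in ("*", user_account_id, f"arn:aws:iam::{user_account_id}:root") for p in aws):
                trusted = True
    if not trusted:
        return False, "role trust policy does not trust this account"

    allowed = False
    for policy in user_policies:
        for st in _statements(policy):
            action_ok = any(_wild(a, "sts:AssumeRole", True) for a in _as_list(st.get("Action", [])))
            resource_ok = any(_wild(r, target_role_arn, False) for r in _as_list(st.get("Resource", [])))
            if action_ok and resource_ok:
                if st.get("Effect") == "Deny":
                    return False, "explicit Deny on sts:AssumeRole"
                allowed = True
    if not allowed:
        return False, "user has no identity policy allowing sts:AssumeRole on this role"
    return True, "ok"


if __name__ == "__main__":
    arn = role_arn(ACCOUNT_ID, ROLE_NAME)
    trust = trust_policy(ACCOUNT_ID)
    print("before inline policy:", can_switch_role([], ACCOUNT_ID, trust, arn))
    print("after inline policy: ", can_switch_role([assume_role_policy(arn)], ACCOUNT_ID, trust, arn))
    print(json.dumps(assume_role_policy(arn), indent=2))
```

The check is deliberately limited to same-account AssumeRole with AWS principals and no conditions; real IAM evaluation also involves permissions boundaries, SCPs and session policies. The point it makes is the one the console hides: a role you are trusted by is still useless until your own identity is allowed to call sts:AssumeRole on its exact ARN.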
User with Admin permissions (do the following logged in as the Admin IAM user)
- Go to AWS Organizations -> Create an organization
- Go to IAM Identity Center -> Enable -> Manage permissions for multiple AWS accounts -> Create permission set -> Predefined permission set -> AdministratorAccess -> Next, Next, Create
- Create another permission set -> Predefined -> ViewOnlyAccess -> Next, Next, Create
- IAM Identity Center Dashboard -> Groups -> Create group -> Group name: Management -> Create group
- IAM Identity Center Dashboard -> Users -> Add user -> fill in the fields -> Next -> add the user to the Management group -> Add user
- IAM Identity Center -> Multi-account permissions -> AWS accounts -> select the management account and Assign users or groups -> Management -> Next -> select both ViewOnlyAccess and AdministratorAccess -> Next, Submit
- Now check your email and accept the invitation -> set your password and sign in -> set up MFA
- The AWS access portal URL is shown in the IAM Identity Center Dashboard under Settings summary
EC2
- EC2 Service -> Launch instance
- Give the instance a name (Linux-Server) -> Quick Start Amazon Linux -> Instance type t2.micro -> Key pair: Create new key pair -> give a key pair name, RSA, .pem -> Create key pair downloads the private key file to your computer (keep it safe; AWS does not store it and you need it to decrypt the Windows password later)
- Edit Network settings -> Create security group, Security group name WebAccess, and copy the same into Description -> Launch instance
- View all instances; the new one should be pending
- Give a second instance a name (Windows-Server) -> Quick Start Windows (Microsoft Windows Server 2022 Base) -> Instance type t2.micro -> choose the key pair you created -> Network settings: Select existing security group and choose the WebAccess group you just created -> Launch instance
- Choose Windows-Server -> Security tab, click the security group (WebAccess) -> Edit inbound rules, Add rule -> Type: RDP, Source: Anywhere-IPv4 -> Save rules. For anything beyond this lab use Source: My IP instead; RDP on 3389 open to 0.0.0.0/0 starts receiving automated login attempts almost immediately
- Choose Linux-Server from the instances list and click Connect at the top -> EC2 Instance Connect tab, Connect using EC2 Instance Connect -> Connect
- A terminal opens in a new window -> test that everything works with ping google.com, Ctrl-C to stop pinging
- REMEMBER TO STOP THE SERVER
- Download Microsoft Remote Desktop (google it, or "rdp for mac", and install a client)
- Choose Windows-Server from the instances list and click Connect at the top -> RDP client tab, copy the Public DNS
- Open Microsoft Remote Desktop -> Add PC -> PC name: the Public DNS you just copied -> Add
- Get the password for the PC: go back to Connect to instance for the Windows server and click Get password at the bottom of the page -> upload the private key file you downloaded earlier -> Decrypt password
- Copy the password -> back in Microsoft Remote Desktop, double-click the PC -> Username: Administrator, Password: the copied password -> Continue
- If it doesn't work, make sure port 3389 (RDP) is open in the security group's inbound rules
- REMEMBER TO STOP THE SERVER
EC2
- Instances -> Launch instances -> Name: WebServer, Amazon Linux, t2.micro, no key pair needed -> Network settings: Select existing security group: WebAccess
- Advanced details at the bottom of the page -> User data -> Choose file -> (from the git repo you cloned at the beginning)/amazon-ec2/user-data-web-server.sh -> Launch instance
- Instances -> choose WebServer -> Security tab -> click the WebAccess security group -> Edit inbound rules -> Add rule, Type: HTTP, Source: Anywhere-IPv4 -> Save rules
- Details tab of WebServer -> copy the Public IPv4 address -> open a browser, paste the address (plain http://, only port 80 is open) and press Enter
- REMEMBER TO STOP THE SERVER
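By the end of the EC2 steps the WebAccess group allows RDP (3389) and HTTP (80) from 0.0.0.0/0. The following is an added example, not part of the course material, that audits inbound rules in the shape returned by `aws ec2 describe-security-groups` and rewrites a rule to a single /32 the way the console's "My IP" option does. The sample group and the address 203.0.113.7 are constructed here, not pulled from an account.

```python
"""Added example, not from the course repo: audit security-group inbound
rules for management ports exposed to the internet, and narrow a rule to
one host. Input mirrors the `describe-security-groups` JSON shape but is
constructed inline."""
import ipaddress

# Ports that should never be reachable from the whole internet.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _port_range(perm):
    """IpProtocol -1 means all traffic; the API then omits From/ToPort."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_group(group):
    """Return one finding per management port reachable from ANYWHERE."""
    findings = []
    for perm in group.get("IpPermissions", []):
        lo, hi = _port_range(perm)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if cidr not in ANYWHERE:
                continue
            for port, name in MANAGEMENT_PORTS.items():
                if lo <= port <= hi:
                    findings.append({"group": group["GroupName"], "port": port,
                                     "service": name, "source": cidr})
    return findings


def restrict_to_my_ip(perm, my_ip):
    """Rewrite a rule's source to a single IPv4 /32 (what 'My IP' does in the console)."""
    host = ipaddress.ip_address(my_ip)
    if host.version != 4:
        raise ValueError("this lab only uses IPv4 rules")
    fixed = dict(perm)
    fixed["IpRanges"] = [{"CidrIp": f"{host}/32"}]
    fixed["Ipv6Ranges"] = []
    return fixed


# Constructed sample: the WebAccess group after the RDP and HTTP steps above.
WEB_ACCESS = {
    "GroupName": "WebAccess",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for f in audit_security_group(WEB_ACCESS):
        print(f"{f['group']}: {f['service']} ({f['port']}) open to {f['source']}")
    rdp_rule = WEB_ACCESS["IpPermissions"][1]
    print("narrowed RDP rule:", restrict_to_my_ip(rdp_rule, "203.0.113.7"))
```

HTTP to the world is expected for the web server step, so the audit only flags the management ports; the same function also catches the "All traffic" rule, which the API reports as IpProtocol "-1" without a port range.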
- Connect to Linux-Server in EC2 instances (Connect using EC2 Instance Connect) -> now you have the Amazon Linux 2023 terminal open -> type aws s3 ls -> "Unable to locate credentials"
- Open the IAM service in a new tab -> Users, choose your user, Security credentials, Access keys, Create access key -> Command Line Interface (CLI), Next, no description needed, Create access key -> copy the Access key
- Back in the Amazon Linux terminal -> aws configure -> paste the access key -> back to the other tab, copy the Secret access key and paste it -> region name us-east-1, Enter, Enter
- aws s3 ls again and the error is gone
- Make an S3 bucket -> aws s3 mb s3://mybucket-something2323 -> aws s3 ls now shows the bucket you just created
- There is a security problem: the long-term access key and secret of your user now sit in plaintext on the instance, and anyone who can read the file (cat ~/.aws/credentials) or snapshot the volume has them. So delete the contents of the .aws folder -> rm -rf ~/.aws/*
- Go back to the IAM service and find the access key -> Actions, Deactivate -> Actions, Delete
- Choose Roles in the left navbar -> Create role -> Trusted entity type: AWS service, Use case: EC2, Next -> search s3, AmazonS3ReadOnlyAccess, Next -> Role name: S3ReadOnly, Create role
- EC2 Service, Instances -> choose Linux-Server, Actions, Security, Modify IAM role -> S3ReadOnly, Update IAM role
- Back in the terminal -> aws s3 ls should show your bucket now; the CLI fetches short-lived credentials for the instance role from the instance metadata service, so nothing is stored on disk and the credentials rotate automatically
- REMEMBER TO STOP THE SERVER
- Search for Amazon Elastic Container Service -> Clusters -> Create cluster -> Cluster name: my-fargate-cluster, Infrastructure: AWS Fargate, Create -> check what happens in View in CloudFormation
- Task definitions in the left navbar -> Create new task definition -> Task definition family name: nginx-container, others on default -> Container - 1: Name: nginx-container, Image URI: nginx:latest -> Create
- Back to Clusters in the left navbar -> my-fargate-cluster -> Tasks tab -> Run new task
- Deployment configuration: Family: nginx-container -> Networking: choose security group WebAccess -> Create
- Click the Task ID -> Networking tab, copy the Public IP -> test it in the browser (the WebAccess group already allows HTTP)
- Back to Clusters -> my-fargate-cluster -> Tasks tab -> stop the running task
- Services tab -> Create -> Family: nginx-container, Service name: my-service, Desired tasks: 2 -> Networking: change to the WebAccess security group -> Create
- REMEMBER TO STOP/DELETE THE CLUSTER