AWS

Amazon Web Service stuff

Create AWS Free Tier Account

  • Google aws free tier and create a free account
  • Go to aws.amazon.com and Sign in to the Console -> Root user and log in
  • Choose N.Virginia from the top right corner next to your username
  • Clone this repository for resources https://github.com/nealdct/aws-clf-code

Configure Account and Create a Budget and Alarm

Configure Account

  • Go to IAM Dashboard (choose IAM from services)
  • Create Alias from the AWS Account section on the right
  • Go to your account (Click your name on the top right -> Account)
  • Activate IAM user and role access to billing information
  • Choose Billing Preferences on the left navbar under the Preferences and Settings
  • Edit Alert preferences -> put ticks on both boxes
  • Activate Invoice delivery preferences

Budget

  • Click Budget on the left under the Budgets and Planning
  • Create Budget -> Use a template -> Monthly cost budget -> Give a name and your budget (2e)
  • Cost Explorer under the Cost Analysis shows where you are spending your money

Creating IAM Users and Groups

Group

  • Go to IAM -> User groups -> Create group
  • Group name: Admins
  • Attach permission policies -> AdministratorAccess -> Create group

Users

  • Click Users under Access management -> Create user
  • Give a user name -> Provide user access to the AWS Management Console -> I want to create an IAM user
  • Set Custom password -> Remove the tick from 'Users must create a new password at next sign-in' -> Next
  • Add user to group -> Admins -> Next -> Create user -> Return to users list
  • Try your new user -> Go to the AWS sign-in page -> Choose IAM user -> Account ID is the account alias you created earlier -> Give the user name and password that you just created and it works
  • It's better to log in with the IAM user account than the root account; keep the root account for the few tasks that require it

Install Tools and Configure AWS Cli

  • Install VS Code & AWS CLI Command Line Interface

Cloudshell

  • Search Cloudshell from AWS Services
  • Test it with the command aws help (press q to quit)

AWS Authentication and Access Control

Setup Multi-Factor Authentication (MFA)

  • Go to IAM Dashboard -> Users from the left navbar -> Click your name -> Security credentials -> Assign MFA device
  • Give a device name -> Authenticator app -> Scan the QR code with the app etc.

Switching IAM Roles

  • IAM Dashboard -> Users -> Create user -> Give a user name and Provide user access to the AWS Management Console -> Create IAM user -> Custom password -> Remove the tick from Users must create a new password... -> Next -> Create user -> Return to users list
  • Sign in with that user -> A lot of Access denied everywhere
  • Go EC2 Service -> Lot of red -> Log out
  • Login with that IAM user with Admin access -> IAM -> Roles -> Create role -> AWS account -> Next -> Search EC2 -> AmazonEC2FullAccess -> Next
  • Role name: ec2-role -> Create role -> Copy the 'Link to switch roles in console'
  • Log in with the IAM user with no permissions in an incognito tab -> Click username in the top right navbar -> Switch role -> Insert the fields manually OR open a new tab and paste the copied link
  • Add the IAM role name to Display name also -> Switch role -> Nothing happens, because the user doesn't yet have permission to assume the role
  • Copy the ARN from the ec2-role summary with the IAM user with Admin permissions
  • Users -> click the username with no permissions -> Add permissions -> Create inline policy -> JSON from the top -> Add this (paste the ARN from role summary to "Resource")
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::279455171996:role/ec2-role"
  }
}

-> Next -> Policy name stsAssumeRole -> Create policy

  • Go back to that incognito window and try Switch role again -> now you see your role on the top right of the navbar
  • Go to EC2 and now most of the errors are gone -> Switch back to normal role
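The "nothing happens" step above is the point of the exercise: a role switch needs both the role's trust policy to trust the caller and the caller's own permissions to allow sts:AssumeRole on that role. The following is an added example, not code from the course repository or these notes; it models both halves with a deliberately simplified evaluator (exact ARN or "*" matching only, no conditions or wildcards). The trust policy shape is what the console creates when "AWS account" (this account) is chosen as the trusted entity, the user name no-perms-user is hypothetical, and the account ID is the one from the inline policy in these notes.

```python
# Added example: model of the two policy documents behind "Switch role" and a
# simplified check of whether the switch is allowed. Not the course's code.

ACCOUNT_ID = "279455171996"  # account ID taken from the inline policy in these notes
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ec2-role"
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/no-perms-user"  # hypothetical user name

# Trust policy the console attaches to ec2-role for the "AWS account" trusted entity.
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Inline policy from the notes (Statement given as a single object, which IAM accepts).
USER_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ROLE_ARN,
    },
}


def _as_list(value):
    """IAM allows either a string or a list for Statement, Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_allows(trust_policy, principal_arn):
    """True if the role's trust policy lets this principal call sts:AssumeRole.
    Simplified model: the principal is trusted if its own ARN or its account's
    ":root" ARN is listed in an Allow statement for sts:AssumeRole; Deny wins."""
    account = principal_arn.split(":")[4]
    root_arn = f"arn:aws:iam::{account}:root"
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principals = ["*"]
        elif isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
        else:
            principals = []
        if not any(p in ("*", principal_arn, root_arn) for p in principals):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def identity_policy_allows(policies, role_arn):
    """True if any of the caller's identity policies grants sts:AssumeRole on role_arn.
    Simplified model: exact ARN or '*' only; Deny wins."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            actions = _as_list(stmt.get("Action"))
            if not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
                continue
            resources = _as_list(stmt.get("Resource"))
            if role_arn not in resources and "*" not in resources:
                continue
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def can_switch_role(user_arn, user_policies, role_arn, role_trust_policy):
    """Both halves must allow: the role trusts the caller AND the caller may call sts:AssumeRole."""
    return trust_policy_allows(role_trust_policy, user_arn) and identity_policy_allows(user_policies, role_arn)


if __name__ == "__main__":
    # Before the inline policy is attached -> False; after -> True.
    print("no policy:  ", can_switch_role(USER_ARN, [], ROLE_ARN, ROLE_TRUST_POLICY))
    print("with policy:", can_switch_role(USER_ARN, [USER_INLINE_POLICY], ROLE_ARN, ROLE_TRUST_POLICY))
```

The first call reproduces the failed switch (the role trusts the account, but the user has no sts:AssumeRole permission); the second succeeds once the inline policy from the notes is attached. A user from another account fails the trust half even with the identity policy, which is why the trust policy, not just the user's permissions, should be reviewed when a role looks over-reachable.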

IAM Identity Center in Action

User with Admin permissions

  • Go to AWS Organizations -> Create an organization
  • Go to IAM Identity Center -> Enable
  • Manage permissions for multiple AWS accounts -> Click -> Create permission set -> Predefined permission set: AdministratorAccess -> Next, Next, Create
  • Create another permission set -> Predefined -> ViewOnlyAccess -> Next, Next, Create
  • IAM Identity Center Dashboard -> Groups -> Create group -> Group name Management and Create group
  • IAM Identity Center Dashboard -> Users -> Add user -> Fill the fields -> Next -> Add user to the Management group -> Add user
  • IAM Identity Center Multi-account permissions -> AWS accounts -> Select the management account and Assign users or groups -> Management -> Next -> Select both ViewOnlyAccess and AdministratorAccess -> Next, Submit
  • Now check your email and accept the Invitation -> Set your password and sign in -> set MFA
  • You can see the AWS access portal URL in the IAM Identity Center Dashboard in Settings summary

AWS Compute Services

Launching Amazon EC2 Instances

  • EC2 Service -> Launch instance

Linux instance

  • Give an instance name -> Quick Start Amazon Linux -> Instance type t2.micro -> Key pair: Create new key pair -> Give a key pair name, RSA, .pem; Create key pair downloads the file to your computer

  • Edit Network settings -> Create security group, give Security group name WebAccess and copy it also in the Description -> Launch instance

  • Then View all instances and it should be pending

Windows instance

  • Give an instance name -> Quick Start Windows (Microsoft Windows Server 2022 Base) -> Instance type t2.micro -> Choose the key pair that you created -> Network settings: Select existing security group and choose the WebAccess group that you just created -> Launch instance
  • Choose Windows-Server -> Security tab, click on Security groups (WebAccess) -> Edit inbound rules, Add rule -> Type: RDP, Source Anywhere-IPv4 -> Save rules
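The RDP rule above uses Source: Anywhere-IPv4, which is convenient for a lab but exposes port 3389 to the whole internet. The following is an added example, not from the course repository or these notes: it audits security-group descriptions in the shape returned by aws ec2 describe-security-groups, flags admin ports (SSH 22, RDP 3389) open to 0.0.0.0/0 or ::/0, and shows the tightened rule you get by choosing Source: My IP instead. The sample group, its ID and the 203.0.113.10/32 address are constructed.

```python
# Added example: audit security-group rules for admin ports open to the internet,
# and produce the restricted version. Not the course's code; sample data is constructed.
import copy

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample: the WebAccess group after the steps above (RDP from Anywhere,
# plus an HTTP rule and an SSH rule limited to one address). Group ID is a placeholder.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "WebAccess",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        ],
    }
]


def _sources(rule):
    """All IPv4 and IPv6 CIDRs a rule accepts traffic from."""
    yield from (r["CidrIp"] for r in rule.get("IpRanges", []))
    yield from (r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []))


def _covers_port(rule, port):
    """True if the rule admits TCP traffic to the given port."""
    if rule.get("IpProtocol") == "-1":      # all protocols, all ports; no FromPort/ToPort
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_exposed_admin_ports(groups):
    """Return (group name, group id, port, label, cidr) for every admin port reachable from anywhere."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            for port, label in ADMIN_PORTS.items():
                if not _covers_port(rule, port):
                    continue
                for cidr in _sources(rule):
                    if cidr in ANYWHERE:
                        findings.append((sg["GroupName"], sg["GroupId"], port, label, cidr))
    return findings


def tighten_admin_rules(groups, my_cidr):
    """Copy of the groups where each admin-port rule open to anywhere is restricted to
    my_cidr, which is what choosing Source: My IP in the console produces."""
    tightened = copy.deepcopy(groups)
    for sg in tightened:
        for rule in sg.get("IpPermissions", []):
            if any(_covers_port(rule, p) for p in ADMIN_PORTS) and any(c in ANYWHERE for c in _sources(rule)):
                rule["IpRanges"] = [{"CidrIp": my_cidr}]
                rule["Ipv6Ranges"] = []
    return tightened


if __name__ == "__main__":
    for name, gid, port, label, cidr in find_exposed_admin_ports(SAMPLE_GROUPS):
        print(f"{name} ({gid}): {label} port {port} open to {cidr}")
    print("after tightening:", find_exposed_admin_ports(tighten_admin_rules(SAMPLE_GROUPS, "203.0.113.10/32")))
```

The HTTP rule is left alone on purpose: a web server is meant to be reachable from anywhere, whereas RDP and SSH should be limited to the addresses you actually connect from (and the server stopped when not in use, as the notes keep saying).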

Connecting to Amazon EC2

Linux

  • Choose the Linux-Server from the instances list and Connect on the top -> EC2 Instance Connect tab, Connect using EC2 Instance Connect -> Connect
  • Now it opens a terminal in a new window -> Test that everything is working, 'ping google.com' and 'Ctrl-C' to quit pinging
  • REMEMBER TO STOP THE SERVER
Windows

  • Download Microsoft Remote Desktop (google it or 'rdp for mac' and download a suitable program)
  • Choose the Windows-Server from the instances list and Connect on the top -> RDP client tab, Copy the Public DNS
  • Open Microsoft Remote Desktop, add PC -> PC name: Public DNS that you just copied -> Add
  • Get the password for the PC -> Go back to Connect to instance for the Windows server and click Get password at the bottom of the page -> Upload the private key file that you downloaded earlier -> Decrypt password
  • Copy the password -> Go back to Microsoft Remote Desktop, double click on the PC, Username: Administrator, Password: the copied password -> Continue
  • If it doesn't work, make sure that you have port 3389 open in the security group rules
  • REMEMBER TO STOP THE SERVER

Create a Website with User Data

  • EC2 -> Instances, Launch instances -> Name: WebServer, Amazon Linux, t2.micro, no need for key pair -> Network settings Select existing security group: WebAccess
  • Advanced details at the bottom of the page and find User data -> Choose file -> (from the git repo that you cloned in the beginning)/amazon-ec2/user-data-web-server.sh -> Launch instance
  • Instances, Choose WebServer, Security tab, click on the WebAccess security group -> Edit inbound rules -> Add rule, Type: HTTP Source: Anywhere-IPv4 -> Save rules
  • Details tab of your WebServer, copy Public IPv4 address -> Open browser, paste the address -> Press Enter
  • REMEMBER TO STOP THE SERVER

Practise with Access Keys and IAM Roles

  • Connect to Linux-Server on EC2 instances (Connect using EC2 Instance Connect) -> now you have the Amazon Linux 2023 terminal open
  • Run aws s3 ls in the terminal -> 'unable to locate credentials' -> Open the IAM service in a new tab -> Users, choose the user, Security credentials, Access keys, Create access key -> Command Line Interface (CLI), Next, no description needed, Create access key
  • Copy the Access key -> Go back to the Amazon Linux terminal -> aws configure, paste the access key -> Go back to the another tab and copy Secret access key, paste the secret access key -> Give the region name (us-east-1), Enter, Enter
  • aws s3 ls again and the error is gone
  • Make an S3 bucket -> aws s3 mb s3://mybucket-something2323 -> aws s3 ls now shows the bucket just created
  • There is a security problem: anyone with access to the instance can see the credentials in plain text by running cat ~/.aws/credentials. So let's delete everything in the .aws folder -> rm -rf ~/.aws/*
  • Go back to the IAM service and find the access key -> Actions, Deactivate -> Actions, Delete
  • Choose Roles on the navbar on the left -> Create role -> Trusted entity type: AWS service, Use case: EC2, Next -> Search s3, AmazonS3ReadOnlyAccess, Next -> Role name: S3ReadOnly, Create role
  • EC2 Service, Instances -> Choose Linux-Server, Actions, Security, Modify IAM role -> S3ReadOnly, Update IAM role
  • Back to the terminal -> aws s3 ls should show your bucket now (the instance role supplies temporary credentials, so nothing is stored in ~/.aws)
  • REMEMBER TO STOP THE SERVER
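The lesson in this section is the difference between a long-lived access key stored on disk and the temporary credentials an instance role hands out. The following is an added example, not from the course repository or these notes: it parses the ~/.aws/credentials INI format and reports which profiles hold long-term keys. It relies on the documented access key ID prefixes (AKIA for long-term keys, ASIA for temporary STS credentials, which also carry a session token); the sample file contents are constructed and use AWS's published example key values.

```python
# Added example: find long-lived access keys in an AWS shared credentials file.
# Not the course's code; the sample below is constructed from AWS documentation example values.
import configparser
import os

# Constructed sample of ~/.aws/credentials with one long-term and one temporary profile.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[temp-session]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEXAMPLESESSIONTOKEN
"""


def classify_profiles(text):
    """Map profile name -> 'long-term', 'temporary', 'unknown-prefix' or 'no-key'.
    AKIA... IDs are long-term IAM user keys; ASIA... IDs are temporary STS
    credentials and come with aws_session_token."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    result = {}
    for profile in parser.sections():
        section = parser[profile]
        key_id = section.get("aws_access_key_id", "")
        has_token = "aws_session_token" in section
        if key_id.startswith("AKIA"):
            result[profile] = "long-term"
        elif key_id.startswith("ASIA") and has_token:
            result[profile] = "temporary"
        elif key_id:
            result[profile] = "unknown-prefix"
        else:
            result[profile] = "no-key"
    return result


def long_term_profiles(text):
    """Profiles whose stored key should be replaced by a role (instance profile, SSO, etc.)."""
    return sorted(p for p, kind in classify_profiles(text).items() if kind == "long-term")


def check_credentials_file(path):
    """Classify profiles in a real file; returns {} if the file does not exist
    (which is the desired state on an instance that uses an IAM role)."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return classify_profiles(fh.read())


if __name__ == "__main__":
    print("sample:", classify_profiles(SAMPLE_CREDENTIALS))
    print("long-term in sample:", long_term_profiles(SAMPLE_CREDENTIALS))
    print("this machine:", check_credentials_file(os.path.expanduser("~/.aws/credentials")))
```

After the rm -rf ~/.aws/* step and the switch to the S3ReadOnly instance role, check_credentials_file on the instance returns an empty dict, which is the state you want: the CLI still works because it fetches short-lived credentials from the instance metadata service, and there is no AKIA key left on disk to copy.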

Launch Docker Containers on AWS Fargate

  • Search for Amazon Elastic Container Service, Clusters, Create cluster
  • Cluster name: my-fargate-cluster, Infrastructure: AWS Fargate, Create -> Check what happens in View in CloudFormation
  • Task definitions on the left navbar, Create new task definition -> Task definition family name: nginx-container, others on default -> Container - 1, Name: nginx-container, Image URI: nginx:latest -> Create
  • Now back to Clusters on the left navbar -> my-fargate-cluster -> Tasks tab -> Run new task
  • On Deployment configuration Family: nginx-container -> On Networking, Choose security group: WebAccess -> Create
  • Click on the Task id -> Networking tab Copy Public IP -> Test it in the browser
  • Back to Clusters, my-fargate-cluster, Tasks tab, stop the running task
  • Services tab -> Create -> Family: nginx-container, Service name: my-service, Desired tasks: 2 -> On Networking change to WebAccess security group -> Create
  • REMEMBER TO STOP THE SERVICE AND DELETE THE CLUSTER

AWS Storage Services