Overview
Identity-based policies, as the name suggests, are policies that can be attached to identities (users, groups, or roles). In the scenario for this lab there is an S3 bucket named lab016-bucket that needs to be shared between two users: Lukas and Anita. User Anita should not have access to the confidential folder.
Repeat steps 1 and 2 of lab-013, changing the name of the bucket to lab016-bucket. The bucket's ARN (Amazon Resource Name) should be: arn:aws:s3:::lab016-bucket. Create a folder called confidential and upload the following files using the console:
To create a policy go to IAM - Policies - Create policy.
Step 1.1 - Lab016BucketAllowAccess
If an identity has this policy it will have full access to the lab016-bucket S3 bucket. To create this policy you can use the AWS Policy Generator tool or just copy the Lab016BucketAllowAccess file.
Step 1.2 - Lab016BucketConfidentialFolderDenyAccess
If an identity has this policy it will be denied access to the confidential folder in the lab016-bucket S3 bucket. To create this policy you can use the AWS Policy Generator tool or just copy the Lab016BucketConfidentialFolderDenyAccess file.
Step 2 - Create User Identities
To create a user go to IAM - Users - Add user.
Step 2.1 - Create User Lukas
Note that only the Lab016BucketAllowAccess policy is attached to user Lukas. Also, make sure to download the credentials for each user and configure an AWS CLI named profile.
Step 2.2 - Create User Anita
Note that both policies, Lab016BucketAllowAccess and Lab016BucketConfidentialFolderDenyAccess, are attached to user Anita.
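The two policy documents and the resulting effective permissions for Lukas and Anita, as an added example that is not one of the lab's own files. The policy JSON is constructed to match the descriptions above (full access to the bucket; explicit deny on objects under confidential/), and the evaluator is a deliberately simplified model of IAM's rule that an explicit Deny always overrides an Allow (conditions, principals and case-insensitive action matching are omitted).

```python
import fnmatch

# Constructed policy documents matching the lab's descriptions (not the lab's own files).
LAB016_BUCKET_ALLOW_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::lab016-bucket", "arn:aws:s3:::lab016-bucket/*"],
    }],
}

LAB016_BUCKET_CONFIDENTIAL_FOLDER_DENY_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        # Objects under the confidential/ prefix. Denying ListBucket for that prefix
        # would additionally need a Condition on s3:prefix, omitted here.
        "Resource": "arn:aws:s3:::lab016-bucket/confidential/*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, including '/'.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny cannot be overridden by any Allow
            allowed = True
    return allowed


# Policies attached to each user, as described in Steps 2.1 and 2.2.
LUKAS = [LAB016_BUCKET_ALLOW_ACCESS]
ANITA = [LAB016_BUCKET_ALLOW_ACCESS, LAB016_BUCKET_CONFIDENTIAL_FOLDER_DENY_ACCESS]
```

Evaluating `is_allowed(ANITA, "s3:GetObject", "arn:aws:s3:::lab016-bucket/confidential/secret.txt")` returns False while the same call for LUKAS returns True; both users can still read objects outside the confidential folder.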
Once the VPCs and subnets are created, the internet gateway and the EC2 instances are launched and configured, follow the steps described next.
Step 1 - Create the Peering Connection
Step 2 - Accept the Peering Connection
Step 3 - Modify Route Tables
First on the VPC A side:
Then on the VPC B side:
To test the setting, first ssh to EC2 instance A (the one on VPC A). Then try to ssh to EC2 instance B (the one on VPC B) using its private IP address.
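The route-table changes from Step 3 and the ssh test above, worked through as an added example (not part of the original lab). The CIDR blocks, the peering connection ID and the internet gateway ID are constructed placeholders; the example also checks the peering prerequisite that the two VPC CIDR blocks must not overlap.

```python
import ipaddress

# Constructed sample values; the lab does not give the real CIDRs or resource IDs.
VPC_A_CIDR = "10.0.0.0/16"
VPC_B_CIDR = "10.1.0.0/16"
PEERING_ID = "pcx-EXAMPLE"  # placeholder for the connection created in Step 1
IGW_ID = "igw-EXAMPLE"      # placeholder for VPC A's internet gateway


def peering_routes(vpc_a_cidr, vpc_b_cidr, pcx_id):
    """Return the route each side must add to its route table (Step 3).

    Peering requires non-overlapping CIDR blocks, so overlapping input is rejected.
    """
    a = ipaddress.ip_network(vpc_a_cidr)
    b = ipaddress.ip_network(vpc_b_cidr)
    if a.overlaps(b):
        raise ValueError(f"CIDR blocks overlap: {a} and {b}")
    return {
        "vpc_a": {"destination": str(b), "target": pcx_id},  # added on the VPC A side
        "vpc_b": {"destination": str(a), "target": pcx_id},  # added on the VPC B side
    }


def next_hop(route_table, dest_ip):
    """Longest-prefix match over a route table given as (cidr, target) pairs."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def vpc_a_route_table():
    """VPC A's route table after Step 3: local, default via IGW, peer via pcx."""
    peer = peering_routes(VPC_A_CIDR, VPC_B_CIDR, PEERING_ID)["vpc_a"]
    return [
        (VPC_A_CIDR, "local"),
        ("0.0.0.0/0", IGW_ID),
        (peer["destination"], peer["target"]),
    ]
```

With this table, ssh from instance A to instance B's private address (say 10.1.2.3) is routed to the peering connection, while traffic inside VPC A stays local and everything else goes to the internet gateway.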
Fargate is a fully managed container service that automatically allocates computing resources to run containers with scaling capabilities. To best understand Amazon's Elastic Container Service let's break it into components:
Container: packaging of an application including code, runtime, system tools, libraries, and everything else needed to run an application (a container is created from an image);
Cluster: a logical group of tasks or services (this lab will create an ECS cluster containing a single task);
Task: specified in JSON format, a task defines what to do (the application itself), where to run it (minimum infrastructure requirements), and how to run it (logging, scaling configurations, security configurations, etc.);
Service: number of instances of tasks to run and launching parameters.
Note that a cluster can contain tasks that are running on distinct containers.
To start this lab go to ECS and click on Get started. This lab will create a Fargate cluster using the sample-app template.
Step 1 - Choose a Container's Image
Select the sample-app container image which has definitions to run a web server using a single task.
Step 2 - Provide Service Settings
For this lab you can accept the default settings.
Step 3 - Configure your Cluster
Step 4 - Review
When the configuration is deployed, click on view service.
Benefits of connecting to an instance using Systems Manager:
it creates a log of all the sessions and
you don't have to distribute key pairs.
Step 1 - Create a Role
Create a role named EC2RoleForSystemsManager to be attached to the EC2 instance so it can use the Systems Manager service. Go to IAM - Roles - Create Role. Select AWS Service as the trusted entity (i.e., the entity that can assume the role). Then choose EC2 as the use case. Click Next: Permissions. Next, select the AmazonSSMFullAccess policy and click Next: Tags and then Next: Review. Conclude by giving your role a name (EC2RoleForSystemsManager) and a description. Make sure you save the role.
Step 2 - Launch Instance
If you choose the Amazon Linux 2 AMI, it already comes with the SSM agent pre-installed. In step 3 (Configure Instance), make sure to select the IAM role you created previously, so that your EC2 instance will be able to use the EC2RoleForSystemsManager role. Because we will be using Systems Manager to connect to our instance, we don't even have to enable ssh access this time.
Create two EC2 instances in different AZs (you can use public subnets). Create an NFS file system using EFS and mount it from one of the EC2 instances. Create some files for testing purposes. Then try to mount and access the file system from the other EC2 instance. Note that both instances should be able to access the file system simultaneously.
Step 1 - VPC Setup
Make sure your VPC is configured to enable mounting using DNS names. You can do that by going to your VPC's action menu and selecting Edit DNS Resolution and Edit DNS Hostnames. Make sure both are set to Yes.
Step 2 - Create Security Group
Create a security group named nfs-access that allows access to the NFS file system from members of the security group.
First, create the security group.
Then edit its inbound rule to allow access from members of the group.
Step 3 - Launch EC2 Instances
Launch two EC2 instances, each in its own AZ. Use the user-data.sh to install Amazon's EFS utility package. Make sure your instances are members of the nfs-access security group and can also be accessed via ssh.
Step 4 - Create an NFS File System
Go to Storage - EFS and click Create file system.
Copy the EFS file system ID.
Step 5 - Mount the NFS File System
Access one of the EC2 instances using ssh. Create a folder to be the mount point (let's say data). Then, using your EFS file system ID (mine was fs-9ee0b987), issue the command:
sudo mount -t efs fs-9ee0b987:/ data
You should be able to access the file system. Create a few testing files.