Tuesday, 30 May 2023

Definition of AWS

Amazon Web Services (AWS), a subsidiary of Amazon.com, has invested billions of dollars in IT resources distributed across the globe. These resources are shared among all AWS account holders worldwide, while the accounts themselves are entirely isolated from each other. AWS provides on-demand IT resources to its account holders on a pay-as-you-go pricing model with no upfront cost, which offers flexibility because you pay only for the services you use or need. Enterprises use AWS to reduce the capital expenditure of building their own private IT infrastructure (which can be expensive depending on the enterprise’s size and nature). AWS has its own physical fiber network that connects its Availability Zones, Regions and Edge locations. All maintenance cost is also borne by AWS, which saves enterprises a fortune.

Security of the cloud is the responsibility of AWS, but security in the cloud is the customer’s responsibility. Performance efficiency in the cloud has four main areas:-

  • Selection
  • Review
  • Monitoring
  • Tradeoff

Advantages of Amazon Web Services

  • AWS allows you to easily scale your resources up or down as your needs change, helping you to save money and ensure that your application always has the resources it needs.
  • AWS provides a highly reliable and secure infrastructure, with multiple data centers and a commitment to 99.99% availability for many of its services.
  • AWS offers a wide range of services and tools that can be easily combined to build and deploy a variety of applications, making it highly flexible.
  • AWS offers a pay-as-you-go pricing model, allowing you to pay only for the resources you actually use and avoid upfront costs and long-term commitments.

Disadvantages of Amazon Web Services

  • AWS can be complex, with a wide range of services and features that may be difficult to understand and use, especially for new users.
  • AWS can be expensive, especially if you have a high-traffic application or need to run multiple services. Additionally, the cost of services can increase over time, so you need to monitor your spending regularly.
  • While AWS provides many security features and tools, securing your resources on AWS can still be challenging, and you may need to implement additional security measures to meet your specific requirements.
  • AWS manages many aspects of the infrastructure, which can limit your control over certain parts of your application and environment.

AWS Global Infrastructure

The AWS global infrastructure is massive and is divided into geographical regions. The geographical regions are then divided into separate availability zones. When selecting a geographical region for AWS, three factors come into play:

  • Optimizing Latency
  • Reducing cost
  • Government regulations (Some services are not available for some regions)

Each region is divided into at least two availability zones that are physically isolated from each other, which provides business continuity for the infrastructure, as in any distributed system: if one zone fails to function, the infrastructure in the other availability zones remains operational. The largest region, North Virginia (US-East), has six availability zones. These availability zones are connected by high-speed fiber-optic networking.

There are over 100 edge locations distributed across the globe that are used by CloudFront (the content delivery network). CloudFront can cache frequently used content such as images and videos (including live-streamed video) at edge locations and distribute it to edge locations across the globe for high-speed, low-latency delivery to end users. It also helps protect against DDoS attacks.

AWS Management Console

The AWS Management Console is a web-based interface for accessing AWS. It requires an AWS account, and a smartphone application is available for the same purpose. When you sign in for the first time, you see the console home page, which lists all the services provided by AWS. Cost monitoring is also done through the console.

AWS resources can also be accessed through various Software Development Kits (SDKs), which allow developers to create applications with AWS as the backend. There are SDKs for all the major languages and runtimes (e.g., JavaScript, Python, Node.js, .NET, PHP, Ruby, Go, C++), and mobile SDKs for Android, iOS, React Native, Unity, and Xamarin. AWS can also be accessed by making HTTP calls to the AWS API. AWS also provides a Command Line Interface (CLI) for accessing AWS remotely, which can be used in scripts to automate many processes. The console itself is also available as an app for Android and iOS: simply download the AWS Console mobile app.

AWS Cloud Computing Models

There are three cloud computing models available on AWS.

  1. Infrastructure as a Service (IaaS): It is the basic building block of cloud IT. It generally provides access to data storage space, networking features, and computer hardware (virtual or dedicated). It is highly flexible and gives the developer management control over the IT resources. For example, VPC, EC2, EBS.
  2. Platform as a Service (PaaS): This is a type of service where AWS manages the underlying infrastructure (usually the operating system and hardware). This helps developers to be more efficient, as they do not have to worry about the undifferentiated heavy lifting required for running applications, such as capacity planning, software maintenance, resource procurement, patching, etc., and can focus more on deploying and managing the applications. For example, RDS, EMR, ElasticSearch.
  3. Software as a Service (SaaS): It is a complete product that usually runs in a browser. It primarily refers to end-user applications. It is run and managed by the service provider. The end user only has to worry about how to use the software for their needs. For example, Salesforce.com, web-based email, Office 365.

Friday, 26 May 2023

EC2

Amazon EC2 – Creating an Elastic Cloud Compute Instance

This article will educate you about Amazon EC2. EC2, or Elastic Compute Cloud, is a scalable computing service offered on the AWS cloud platform. In simpler words, EC2 is a virtual computer on which we can perform all our tasks, and we have the authority to configure, launch or even terminate this virtual computer. Here, by configuration I mean RAM, ROM, storage, and so on, along with a secured environment. In return, AWS bills us for using their platform and their resources.

Advantages of EC2

  • EC2 instances can be easily scaled up or down as per the requirement, providing a highly scalable and flexible infrastructure.
  • EC2 instances are charged based on usage, making it cost-effective as you only pay for what you use.
  • It can be easily deployed and managed using Amazon Web Services (AWS) management console, APIs, or CLI.
  • It can be deployed in multiple availability zones to ensure high availability and data durability.
  • It can be customized with different operating systems, applications, and network configurations.

Disadvantages of EC2 instances

  • EC2 instances have limited customization options, which may not be sufficient for some applications.
  • It can be expensive, especially when scaling up, and it can be challenging to control costs.
  • EC2 instances are exposed to security risks, such as unauthorized access, data breaches, and cyberattacks.
  • EC2 instances can be complex to set up and manage, especially for non-technical users.
  • It may experience latency due to the location of the instances and the data center, which can affect application performance.

Use cases of EC2 instances

  • EC2 instances can be used to host websites, applications, and APIs in the cloud.
  • It can be used to process large amounts of data using tools like Apache Hadoop and Apache Spark.
  • It can be used to perform demanding computing tasks, such as scientific simulations and financial modeling.
  • EC2 instances can be used to develop, test, and deploy software, allowing teams to quickly spin up resources as needed.

Now, let us look at the step-by-step process for creating an EC2 instance.

Step 1: First, log in to your AWS account and click on “Services” at the left of the AWS Management Console, i.e. the primary screen. From the drop-down menu of options, choose “EC2”.

Under Resources, click “Instances (running)”; it shows whether any EC2 instances are currently running.

Click on “Launch instance”. You will be redirected to a launch page where the instance is created.

Name the instance.

Select an AMI (Amazon Machine Image), i.e. the required operating system, from those available. I am selecting a Windows AMI as we need to create a Windows instance.

By default, a free-tier option is selected (IF YOU ARE ELIGIBLE FOR FREE TIER). From the available storage specifications, select a free-tier-eligible storage service.

Select the instance type. By default, the instance type is “t2.micro”, which is free-tier eligible. Do not select any other type, as that leads to a billed amount.

Now create a key pair by clicking “Create new key pair”. A window pops up for creating the key pair. Enter a name, select “.pem” and create it; the key pair that was created is downloaded automatically. Then select the created key pair.

Keep the network settings at their defaults and make changes only if required.

Storage: as shown in the picture, free-tier-eligible accounts can get up to 30 GB of EBS storage. Keep the default.

Launching the instance: finally, check whether everything selected is free-tier eligible and click on “Launch instance”.

That’s it, an instance will be created.

EC2 Instance States in AWS :-

The common EC2 instance states are Pending, Running, Stopping, Stopped, Terminated, Shutting-down and Rebooting. It is important to keep track of the state of your EC2 instances so that you can manage them properly. You can view the state of your instances in the EC2 Console, the AWS CLI, or the AWS SDKs.

In AWS, EC2 (Elastic Compute Cloud) instances can have different states, which indicate what operations can be performed on them. Here are some of the common EC2 instance states:

  1. Pending: When you launch an EC2 instance, it enters the pending state. This means that AWS is in the process of creating the instance and initializing all of the necessary components, such as the virtual machine and the associated networking resources. During this time, you won’t be able to access the instance, as it is not yet ready to be used.

  2. Running: Once an EC2 instance has finished initializing, it enters the running state. This means that the instance is up and running and is ready to be used. In this state, you can log in to the instance and start using it to run your applications and services.

  3. Stopping: If you manually stop an EC2 instance, or if it is part of an auto-scaling group and is being terminated, it enters the stopping state. During this state, AWS prepares the instance for shutdown by stopping any processes or applications running on the instance and disconnecting it from the network. However, the instance’s configuration and data are preserved, so you can start the instance again later if you need to.

  4. Stopped: Once an EC2 instance has been stopped, it enters the stopped state. In this state, the instance is not running and is not available for use. However, the instance’s configuration and data are preserved, so you can start the instance again later if you need to. You might stop an instance if you don’t need it for a period of time but don’t want to terminate it entirely.

  5. Terminated: If you manually terminate an EC2 instance, or if it is part of an auto-scaling group and is being terminated, it enters the terminated state. In this state, the instance is permanently deleted, and all of its configuration and data are lost. You might terminate an instance if you no longer need it, or if you want to replace it with a new instance.

  6. Shutting-down: If AWS is retiring an instance, it goes into the “Shutting-down” state for a brief period before the instance is terminated. During this time, the instance is no longer available for use, and the data and configuration are preserved. This state is similar to the stopping state, but with an added step of preparing the instance for retirement.

  7. Rebooting: If you choose to reboot an EC2 instance, it enters the rebooting state. During this state, the instance’s operating system is shut down and then restarted, but the instance’s configuration and data are preserved. You might reboot an instance if you need to apply updates or make changes to the instance’s configuration.

You can view the state of your EC2 instances in the EC2 Console, the AWS CLI, or the AWS SDKs, and keeping track of it lets you manage them properly, starting, stopping, or terminating instances as needed. An instance’s state reflects what is happening with it: for example, an instance is “running” when it is up and working properly, or “stopped” when it is not currently being used.

Use AWS CloudWatch to monitor your EC2 instances and their associated resources in real time. CloudWatch provides a wealth of data on your instances, including CPU usage, disk activity, and network traffic, which can help you identify performance issues and other problems before they have a chance to impact your users.

Another important aspect of managing EC2 instances is understanding the various instance types available in AWS. Different instance types have different performance characteristics and are optimized for different types of workloads. For example, some instances are optimized for CPU-intensive workloads, while others are better suited for memory-intensive applications. By choosing the right instance type for your workload, you can ensure that your applications are running efficiently and cost-effectively.

Overall, understanding the different states of EC2 instances in AWS is just one aspect of effectively managing your infrastructure in the cloud. By taking advantage of tools like AWS CloudWatch, choosing the right instance types for your workloads, and following best practices for security and maintenance, you can ensure that your applications and services are always available to your users, and that you’re getting the most out of your investment in the cloud.

IAM in AWS

Amazon Web Services – Denying Access using IAM policy for EC2 and EBS Instance


In this article, we will look at how to use AWS Identity and Access Management (IAM) policy conditions to create an IAM policy that denies the creation of Amazon Elastic Compute Cloud (EC2) instances and Amazon Elastic Block Store (EBS) volumes when the required tags are not passed along with the creation request.

We will also look at how you can use tags in an IAM policy to restrict the launch of EC2 instances by using Deny with the StringNotLike condition operator.

If your policy has multiple conditions, or multiple keys attached to a single condition operator, all of the conditions are evaluated using AND logic. To deny on multiple tags, each tag key needs to be used in a separate Deny statement to get the same AND logic. We’ll demonstrate the use case below: to launch any new instance from the EC2 console, you need to have all four tags present.

  • The cost_center tag must have a non-empty value.
  • The EC2 instance must have a tag key named Production.
  • The identifier tag value must be a combination of any five characters.
  • The env tag value must be one of sandbox, dev, or prod.

Now log in to the AWS Management Console and navigate to the IAM console. In the IAM navigation pane, under Policies, choose Create policy.

Now choose the JSON view and copy and paste the policy below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToDescribeAll",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions1",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/cost_center": "?*"
                }
            }
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions2",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "ForAllValues:StringNotLike": {
                    "aws:TagKeys": "Production"
                }
            }
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions3",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/identifier": "?????"
                }
            }
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions4",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/env": [
                        "sandbox",
                        "dev",
                        "prod"
                    ]
                }
            }
        },
        {
            "Sid": "AllowRunInstances1",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ]
        },
        {
            "Sid": "AllowCreateTagsOnRunInstance",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}

All four request tags must be present for the EC2 instance to launch successfully.

The first Deny statement uses the tag key cost_center with a value of a question mark followed by a wildcard (?*). This pattern requires at least one character in the value field, so an instance can’t launch with an empty tag.

The second statement uses the aws:TagKeys condition key with the value Production. Because the string comparison is case-sensitive, it also enforces the capitalization of Production.

The third statement uses the tag key identifier with a value of five question marks (?????). This pattern allows any combination of five characters; leading or trailing spaces are ignored.

The fourth statement uses the tag key env with a value of sandbox, dev, or prod.
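To see how the four Deny statements combine, here is a small simulator added to this article (it is not part of the original policy or of AWS's own tooling). It models only the condition semantics those statements rely on: StringNotLike with IAM's `?` (one character) and `*` (any run) wildcards compared case-sensitively, ForAllValues:StringNotLike over the multivalued aws:TagKeys key, and the AND that results from putting each check in its own Deny statement. The request tag sets are constructed test data. One assumption is made explicit in the code: a tag that is absent from the request is treated as failing its pattern, which is the outcome described above (all four tags must be present); the authoritative check for a real policy is `aws iam simulate-custom-policy` against the live service.

```python
from fnmatch import fnmatchcase

# The four Deny statements of the policy, reduced to (Sid, condition key,
# patterns). aws:TagKeys is multivalued and carries ForAllValues in the policy.
DENY_STATEMENTS = [
    ("AllowRunInstancesWithRestrictions1", "aws:RequestTag/cost_center", ["?*"]),
    ("AllowRunInstancesWithRestrictions2", "aws:TagKeys", ["Production"]),
    ("AllowRunInstancesWithRestrictions3", "aws:RequestTag/identifier", ["?????"]),
    ("AllowRunInstancesWithRestrictions4", "aws:RequestTag/env", ["sandbox", "dev", "prod"]),
]


def string_like(value, patterns):
    """IAM StringLike: '?' matches exactly one character, '*' any run of
    characters, and the comparison is case-sensitive (fnmatchcase, not fnmatch)."""
    return any(fnmatchcase(value, p) for p in patterns)


def deny_matches(request_tags, key, patterns):
    """True when the Deny statement's condition holds for a request that carries
    request_tags (dict of tag key -> value)."""
    if key == "aws:TagKeys":
        # ForAllValues:StringNotLike: every submitted key must miss the pattern.
        # With no tags at all the set is empty, the condition is vacuously true
        # and the Deny fires.
        return all(not string_like(k, patterns) for k in request_tags)
    tag = key.split("/", 1)[1]
    if tag not in request_tags:
        # Assumption of this simulator: an absent tag counts as a failed match,
        # which is the outcome the article describes.
        return True
    return not string_like(request_tags[tag], patterns)


def evaluate_launch(request_tags):
    """Evaluate a RunInstances request against the Deny statements.
    Returns (allowed, sids_of_matching_denies); a single matching Deny wins."""
    denied_by = [sid for sid, key, patterns in DENY_STATEMENTS
                 if deny_matches(request_tags, key, patterns)]
    return (not denied_by, denied_by)


# Constructed requests: one compliant launch and several that each break one rule.
SAMPLE_REQUESTS = {
    "compliant": {"cost_center": "4711", "Production": "", "identifier": "ab123", "env": "prod"},
    "empty_cost_center": {"cost_center": "", "Production": "", "identifier": "ab123", "env": "prod"},
    "lowercase_production": {"cost_center": "4711", "production": "", "identifier": "ab123", "env": "prod"},
    "short_identifier": {"cost_center": "4711", "Production": "", "identifier": "ab12", "env": "prod"},
    "bad_env": {"cost_center": "4711", "Production": "", "identifier": "ab123", "env": "staging"},
    "no_tags": {},
}

if __name__ == "__main__":
    for name, tags in SAMPLE_REQUESTS.items():
        allowed, denied_by = evaluate_launch(tags)
        print(f"{name:22} -> {'ALLOW' if allowed else 'DENY'} {denied_by}")
```

Note that the policy's last statement only allows ec2:CreateTags when ec2:CreateAction is RunInstances, so the tags are checked at launch time and the user cannot add or change them afterwards through this policy; that is what makes the tag enforcement hold.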

Next, choose Review, enter a name for your policy, and then choose Create policy.

Now go to Users in the left navigation pane. We already have a user named user1. For this user, choose Add permissions, then the Attach existing policies directly tab, select the check box next to your policy, and choose Next: Review.

Then choose Add permissions.

Now let’s demonstrate the policy evaluation by signing in as user1 and navigating to the EC2 console. To add the missing tag, go back to the review screen, scroll down, choose Edit tags and then Add another tag. Provide env as the tag key and one of sandbox, dev or prod as the value.

Here we’ll provide prod and choose Next: Configure Security Group. Finally, select the existing security group.

At this stage we can launch the instance, and we’ll see the message “Your instances are now launching”. Choose View Instances to see the launched instance.

 

IAM in AWS

 

How to Create IAM roles for Amazon EC2?



In this article, we will cover how to create an IAM role, use it with an EC2 instance, and grant the required permissions with S3 policies. IAM roles are identities that we create in our account so that we can grant specific permissions; rather than long-term keys, a role provides temporary security credentials for the session.

Use of Roles:

Consider a scenario in which we want to grant third parties access to our account so that they can perform operations such as audits of our resources, or another scenario in which we want to grant access to users who already have identities outside AWS, such as in our corporate directory.

So we can use roles to give access to users, services or applications that do not otherwise have access to AWS resources.

How To Use Roles:

The following are the methods for using roles:

  1. AWS Management Console 
  2. Assume-Role CLI
  3. Assume-role-with-web-identity
  4. Console URL Construct with AssumeRoleWithSAML

Steps to Create an IAM role for the EC2 Instance:

Step 1. First, go to the IAM dashboard, then go to the Roles option and click on Create role.

IAM Roles dashboard

 

Step 2. Next, under Trusted entity type select AWS service, and under Use case select EC2, then click on Next:

Roles dashboard

 

Step 3. Next, under Permission policies, search for S3 policies, select the S3readonly policy, and click on Next.

Adding Permissions

 

Step 4. Next, give the role a name, review all the settings, and click on Next.

Adding Rolename and its details

 

Now we need to add the permission.

Adding the policy name to provide read access

 

Step 5. Our IAM role is now created, and if we click on the role we just created we are taken to this screen, where we can see the details of the role. We can see that our myS3Role has been created.

Details of AccessRole

 

Step 6. Next, we will go to the EC2 dashboard and create an EC2 instance:

Selecting EC2 dashboard

 

We need to create a new instance.

EC2

 

 

Step 7. While creating the EC2 instance, under Configure instance select the IAM role we just created, then proceed with the EC2 instance creation:

Note: we have to select the IAM role we created earlier in the IAM role field.

Select the IAM role we created earlier

 

While creating the EC2 instance, under Add storage add 8 GiB with volume type General Purpose SSD.

Storage selection

 

When launching the instance, download the RSA key pair file and then launch the instance.

Review your instance

 

 

Step 8. Next, we will connect to the EC2 instance that we just created.

Secure Shell (SSH) is a cryptographic network protocol that provides secure network services over an unsecured network. Logging in to a server with an SSH key is more secure than using a password alone: unlike passwords, SSH keys are practically impossible to recover by brute force.

Connect EC2 instance

 

 

Step 9. Now we will run the command “aws s3 ls”, which lists all the S3 buckets we created. Because we set the IAM role’s policy to S3readonly, through this role we can only read our S3 buckets:
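The reason “aws s3 ls” works on the instance without any access keys being configured is that the CLI fetches the attached role's temporary credentials from the instance metadata service (IMDS). The following example, added to this article and not part of the original walkthrough or of the AWS SDK, performs that IMDSv2 exchange (a session token obtained with a PUT, then the role's credential document fetched with the token) against an injected HTTP function, so the constructed fake metadata service included below runs offline; the role name myS3Role is the one created above, the credential values are made up, and on a real instance you would pass a function that actually calls http://169.254.169.254.

```python
import json
from datetime import datetime, timezone

IMDS_BASE = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def fetch_role_credentials(http, role_name=None, token_ttl=21600):
    """Perform the IMDSv2 exchange and return the role's credential document.

    `http(method, url, headers)` returns (status, body_text); it is injected so
    the flow can run against the constructed fake below. Steps: PUT for a
    session token, GET the role name (if not given), GET the credentials,
    with every GET carrying the token header."""
    status, token = http("PUT", IMDS_BASE + TOKEN_PATH, {TOKEN_TTL_HEADER: str(token_ttl)})
    if status != 200:
        raise RuntimeError(f"IMDSv2 token request failed with HTTP {status}")
    headers = {TOKEN_HEADER: token}
    if role_name is None:
        status, body = http("GET", IMDS_BASE + CREDS_PATH, headers)
        if status != 200 or not body.strip():
            raise RuntimeError("no IAM role is attached to this instance")
        role_name = body.strip().splitlines()[0]
    status, body = http("GET", IMDS_BASE + CREDS_PATH + role_name, headers)
    if status != 200:
        raise RuntimeError(f"credential lookup for role {role_name} failed with HTTP {status}")
    creds = json.loads(body)
    if creds.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned {creds.get('Code')!r} for role {role_name}")
    return creds


def credential_env(creds):
    """Map the document onto the three variables the AWS CLI and SDKs read;
    these are the values that let `aws s3 ls` run with no keys configured."""
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["Token"],
    }


def seconds_until_expiry(creds, now_utc):
    """Role credentials are temporary and rotate; report the remaining lifetime.
    Both timestamps use the IMDS format, e.g. 2023-05-26T16:00:00Z."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expiry = datetime.strptime(creds["Expiration"], fmt).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_utc, fmt).replace(tzinfo=timezone.utc)
    return (expiry - now).total_seconds()


# Constructed stand-in for the metadata service: the role myS3Role from the
# walkthrough with made-up, non-functional credential values.
FAKE_TOKEN = "constructed-imdsv2-session-token"
FAKE_CREDS = {
    "Code": "Success",
    "LastUpdated": "2023-05-26T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "CONSTRUCTED-ACCESS-KEY-ID",
    "SecretAccessKey": "CONSTRUCTED-SECRET",
    "Token": "CONSTRUCTED-SESSION-TOKEN",
    "Expiration": "2023-05-26T16:00:00Z",
}


def fake_imds(method, url, headers):
    """Mimics IMDSv2: the token endpoint answers a PUT that carries a TTL, and
    every metadata GET without a valid token is refused with 401."""
    if method == "PUT" and url == IMDS_BASE + TOKEN_PATH:
        return (200, FAKE_TOKEN) if TOKEN_TTL_HEADER in headers else (400, "")
    if headers.get(TOKEN_HEADER) != FAKE_TOKEN:
        return 401, ""
    if url == IMDS_BASE + CREDS_PATH:
        return 200, "myS3Role\n"
    if url == IMDS_BASE + CREDS_PATH + "myS3Role":
        return 200, json.dumps(FAKE_CREDS)
    return 404, ""


if __name__ == "__main__":
    creds = fetch_role_credentials(fake_imds)
    print(credential_env(creds))
    print("valid for", seconds_until_expiry(creds, "2023-05-26T10:00:00Z"), "seconds")
```

Two practical points follow from this flow: the credentials are short-lived and are refreshed by the SDK, so nothing needs to be copied onto the instance, and because anything running on the instance can perform this exchange, the role should carry only the permissions the workload needs (here, S3 read-only) and the instance should be set to require IMDSv2 tokens (the HttpTokens=required metadata option) so that plain GET requests to the metadata endpoint are refused.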

 

Step 10. Finally, to avoid any charges, we will delete our EC2 instance and our S3 bucket.