AWS - Intro with EC2

Install AWS CLI 2

On MacOS

https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-mac.html#cliv2-mac-install-cmd-all-users

% curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
% sudo installer -pkg AWSCLIV2.pkg -target /
% aws --version
aws-cli/2.0.18 Python/3.7.4 Darwin/19.5.0 botocore/2.0.0dev22

On Linux (Ubuntu)

https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux.html

$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
$ unzip awscliv2.zip
$ sudo ./aws/install
$ aws --version
aws-cli/2.4.6 Python/3.8.8 Linux/5.15.5-76051505-generic exe/x86_64.*** prompt/off

### When you want to update the CLI version
### Download the latest version (zip) and
cd ./aws
sudo ./install --update

Create a CLI access key

  1. Log in, and go to the IAM console.
  2. Users -> Add user
  3. Access type: Programmatic access
  4. Skip the group step, and add optional tags (e.g., env:free)
  5. Keep the “Access key ID” and “Secret access key”.

At this point, the new user has no permissions.

MFA

Don’t forget to set MFA for your root account.

Configure AWS CLI

Set the default credentials to the access key created above.

➜ aws configure
AWS Access Key ID : AKIA****************
AWS Secret Access Key : x8y************************************
Default region name [eu-central-1]: eu-central-1
Default output format [json]: 

Create VPC

Add permissions on the user

  1. IAM -> Users -> user -> Add permissions
  2. Attach existing policies directly
  3. Check “AmazonVPCFullAccess”, and Next:Review
  4. Click Add permission

Get info about VPC

### Before adding permission
➜ aws ec2 describe-vpcs

An error occurred (UnauthorizedOperation) when calling the DescribeVpcs operation: You are not authorized to perform this operation.

### After adding permission 
❯ aws ec2 describe-vpcs
{
    "Vpcs": [
        {
            "CidrBlock": "172.31.0.0/16",
            "DhcpOptionsId": "dopt-0************",
            "State": "available",
            "VpcId": "vpc-0************",
            "OwnerId": "{{ 12_digits }}",
            "InstanceTenancy": "default",
            "CidrBlockAssociationSet": [
                {
                    "AssociationId": "vpc-cidr-assoc-0************",
                    "CidrBlock": "172.31.0.0/16",
                    "CidrBlockState": {
                        "State": "associated"
                    }
                }
            ],
            "IsDefault": true
        }
    ]
}

You can see that the default VPC was already created when I created the account.

Note: when you open the VPC Dashboard at this point, you can see

  • 1 VPC,
  • 3 Subnets,
  • 1 Route Table,
  • 1 Internet Gateway,
  • 1 DHCP option set,
  • 1 Network ACL, and
  • 1 Security Group

If you want to check the networks (subnets), try aws ec2 describe-subnets.

Create SSH key pair

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

This key pair is managed by EC2, so the public key can be injected into an instance at launch.

Before creating a key pair via the CLI, add a permission to the user:

  1. IAM -> Users -> user -> Add permissions
  2. Attach existing policies directly
  3. Check “AmazonEC2FullAccess”, and Next:Review
  4. Click Add permission

And, create a key pair:

aws ec2 create-key-pair \
    --key-name MyAWSKey \
    --key-type ed25519 \
    --query 'KeyMaterial' \
    --output text > .ssh/MyAWSKey.pem

The public key is stored in EC2 -> Network & Security -> Key Pairs.

The downloaded private key has no passphrase, and the file was written with permission 664, so tighten the permission and add a passphrase:

chmod 600 .ssh/MyAWSKey.pem
ssh-keygen -o -p -f .ssh/MyAWSKey.pem
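As an added example (not part of the original notes), a Python check for the two problems just described: it inspects the private key file's mode and parses the key header to tell whether the key is passphrase-protected, covering both the OpenSSH format that ed25519 keys are delivered in and the legacy PEM format. The sample key blobs are constructed inline and contain only the header fields the check needs (no real key material); the file name MyAWSKey.pem is taken from the page.

```python
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def key_is_encrypted(data: bytes) -> bool:
    """Return True if the private key in `data` is passphrase-protected."""
    text = data.decode("ascii", errors="replace")
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        # OpenSSH format: base64 blob = magic, ciphername, kdfname, kdfoptions, ...
        body = "".join(line for line in text.splitlines() if not line.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _ssh_string(blob, off)
        return cipher != b"none" or kdf != b"none"
    if "BEGIN ENCRYPTED PRIVATE KEY" in text:   # PKCS#8, encrypted
        return True
    if "Proc-Type: 4,ENCRYPTED" in text:        # legacy PEM (e.g. RSA) with DEK-Info
        return True
    if "PRIVATE KEY" in text:                   # any other PEM: no passphrase
        return False
    raise ValueError("unrecognised private key format")


def check_key_file(path: str) -> list:
    """Return a list of findings for a private key file (empty list = fine)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:                             # group or other has any bit set
        findings.append(f"permissions too open: {mode:04o} (expected 0600)")
    with open(path, "rb") as f:
        if not key_is_encrypted(f.read()):
            findings.append("private key is not passphrase-protected")
    return findings


# --- constructed sample keys: header fields only, not real key material ---
def _openssh_blob(cipher: bytes, kdf: bytes) -> bytes:
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)


def _pem_wrap(blob: bytes) -> bytes:
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n").encode()


SAMPLE_PLAIN = _pem_wrap(_openssh_blob(b"none", b"none"))               # as downloaded
SAMPLE_ENCRYPTED = _pem_wrap(_openssh_blob(b"aes256-ctr", b"bcrypt"))   # after ssh-keygen -p
SAMPLE_LEGACY_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                           b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n"
                           b"-----END RSA PRIVATE KEY-----\n")


def demo():
    """Reproduce the page's situation: plain key with mode 664, then chmod 600."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "MyAWSKey.pem")
        with open(path, "wb") as f:
            f.write(SAMPLE_PLAIN)
        os.chmod(path, 0o664)
        before = check_key_file(path)
        os.chmod(path, 0o600)            # same effect as: chmod 600 .ssh/MyAWSKey.pem
        after = check_key_file(path)     # only the passphrase finding remains
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after chmod 600:", after)
```

Running check_key_file on the real .ssh/MyAWSKey.pem before and after the two commands above shows the same transition; the remaining finding disappears once ssh-keygen -p has re-encrypted the key, because the header then carries a cipher and KDF name instead of "none".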

Import your own key

Note that the prefix is fileb:// (binary file), not file://.

aws ec2 import-key-pair \
    --key-name "MyOriginalKey" \
    --public-key-material fileb://~/.ssh/id_ecdsa.pub

Cf) I can’t find a way to attach a Key Pair to an EC2 instance. It seems we should update .ssh/authorized_keys in EC2 instances manually.

Create security group

I want to allow SSH access only from my global IP.

$ aws ec2 create-security-group \
    --group-name my-security-group \
    --description "This is my-security-group, generated by aws cli"
{
    "GroupId": "sg-0****************"
}

You can check the created security group as follows:

aws ec2 describe-security-groups --group-names my-security-group

Allow SSH access from my IP:

aws ec2 authorize-security-group-ingress \
    --group-id sg-{{ my_security_group_id }} \
    --protocol tcp \
    --port 22 \
    --cidr {{ my_global_IP }}/32
{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0****************",
            "GroupId": "sg-{{ my_security_group_id }}",
            "GroupOwnerId": "************",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv4": "{{ my_global_IP }}/32"
        }
    ]
}

Or, we can add tags and a description at the same time:

aws ec2 authorize-security-group-ingress \
    --group-id sg-{{ my_security_group_id }} \
    --tag-specifications ResourceType='security-group-rule',Tags='[{Key="env",Value="free"}]' \
    --ip-permissions IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges='[{CidrIp={{ my_global_IP }}/32,Description="SSH from home"}]'
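As an added example, not part of the original notes: a small audit in Python of the JSON that aws ec2 describe-security-groups returns, flagging any ingress rule that opens the SSH port to more than a single host. The sample JSON is constructed inline in the shape of the CLI output (the group ID and the addresses are placeholders), and single_host_cidr builds the /32 (or /128 for IPv6) value that the --cidr option above expects.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (IDs and addresses are placeholders, not real resources).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupName": "my-security-group",
        "GroupId": "sg-0example",
        "IpPermissions": [
            {   # the rule the page creates: SSH from one host only
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": "203.0.113.7/32", "Description": "SSH from home"}],
                "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {   # SSH open to the whole internet, IPv4 and IPv6
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
            {   # all protocols and ports from a large range (covers 22 as well)
                "IpProtocol": "-1",
                "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
                "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    }]
})


def single_host_cidr(ip: str) -> str:
    """Turn a bare address into the /32 (IPv4) or /128 (IPv6) form for --cidr."""
    addr = ipaddress.ip_address(ip)
    return f"{addr}/{addr.max_prefixlen}"


def permission_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry includes the given TCP port."""
    if perm["IpProtocol"] == "-1":          # "-1" means all protocols and all ports
        return True
    if perm["IpProtocol"] not in ("tcp", "6"):
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def audit_port_exposure(describe_json: str, port: int = 22) -> list:
    """List every CIDR rule that allows `port` from more than a single host."""
    findings = []
    for group in json.loads(describe_json)["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            if not permission_covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.num_addresses == 1:
                    continue                     # a single host: what the page intends
                findings.append({
                    "group": group["GroupId"],
                    "cidr": cidr,
                    "protocol": perm["IpProtocol"],
                    "severity": "world" if net.prefixlen == 0 else "range",
                })
    return findings


if __name__ == "__main__":
    print(single_host_cidr("203.0.113.7"))
    for f in audit_port_exposure(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['severity']:5} {f['group']} {f['protocol']} from {f['cidr']}")
```

To audit a real group, pass the output of aws ec2 describe-security-groups --group-names my-security-group to audit_port_exposure; the /32 rule created above produces no finding, while a 0.0.0.0/0 rule on port 22 is reported with severity "world".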

AMI

AMI stands for “Amazon Machine Image”. You can list the available images as follows, but don’t do this (the output is far too long):

aws ec2 describe-images --owners self amazon

Instead, go to EC2 -> Images -> AMI Catalog and browse the images there. In this tutorial, I use Amazon Linux 2 AMI (HVM) - Kernel 5.10, SSD Volume Type. The AMI ID is ami-05d34d340fb1d89e5 (64-bit (x86)) in the eu-central-1 region.

Note that Amazon Linux is based on RHEL.

Create an EC2 instance

I’m using the Free Tier, so the instance type is t2.micro:

aws ec2 run-instances \
    --image-id ami-05d34d340fb1d89e5 \
    --count 1 \
    --instance-type t2.micro \
    --security-group-ids sg-{{ my_security_id }} \
    --key-name MyAWSKey

I got this error the first time:

➜ aws ec2 run-instances \
    --image-id ami-05d34d340fb1d89e5 \
    --count 1 \
    --instance-type t2.micro \
    --security-group-ids sg-0************ \
    --key-name MyAWSKey

An error occurred (Blocked) when calling the RunInstances operation: This account is currently blocked and not recognized as a valid account. Please contact aws-verification@amazon.com if you have questions.

I sent an email to aws-verification@amazon.com:

Hi AWS verification.

I created my Free Tier account today and tried to create an EC2 instance from AWS CLI 2.
But the CLI response said my account was blocked:

$ aws ec2 run-instances \
    --image-id ami-05d34d340fb1d89e5 \
    --count 1 \
    --instance-type t2.micro \
    --security-group-ids sg-0************ \
    --key-name MyAWSKey

An error occurred (Blocked) when calling the RunInstances operation: This account is currently blocked and not recognized as a valid account. Please contact aws-verification@amazon.com if you have questions.

I tried similar CLI in two regions, us-west-2 and eu-central-1, and both returned the same error.

Could you kindly grant my account as a valid account?
My account ID is ************.
I want to create an instance in the Frankfurt region (eu-central-1).

Best regards,
atlex00

After 2 hours, I got an email saying that my account had been validated for the Frankfurt region, and I could create the instance with the command above :)

Check the global IP of the instance:

aws ec2 describe-instances

And try to connect! The default user is ec2-user.

ssh -i .ssh/MyAWSKey.pem ec2-user@{{ global_IP_of_the_instance }}

Configure the client ~/.ssh/config:

Host aws-free
    User ec2-user
    HostName {{ global_IP_of_the_instance }}
    Port 22
    IdentityFile ~/.ssh/MyAWSKey.pem
    TCPKeepAlive yes
    IdentitiesOnly yes

You can now connect with ssh aws-free. By default, PasswordAuthentication in /etc/ssh/sshd_config on the instance is set to no 🔒.


I need to review below.

Route53

Get the hosted zone:

aws route53 list-hosted-zones

Create a record (see https://aws.amazon.com/de/premiumsupport/knowledge-center/simple-resource-record-route53-cli/). Save the change batch as sample.json:

{
  "Comment": "CREATE a record ",
  "Changes": [{
    "Action": "CREATE",
    "ResourceRecordSet": {
      "Name": "free.{{ my_domain }}",
      "Type": "A",
      "TTL": 3600,
      "ResourceRecords": [{ "Value": "{{ IP_of_the_instance }}"}]
    }
  }]
}
aws route53 change-resource-record-sets --hosted-zone-id Z************* --change-batch file://sample.json

S3 bucket

Create an S3 bucket.

$ aws s3api create-bucket --bucket atlex00free --region eu-central-1 --create-bucket-configuration LocationConstraint=eu-central-1
{
    "Location": "http://atlex00free.s3.amazonaws.com/"
}

I have to set the ACL. I set it in the web UI: Permissions -> Block public access.

Not tested with the API:

aws s3api put-bucket-acl --bucket atlex00free --grant-full-control emailaddress=myemail@gmail.com --grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers

Cf. the difference between aws s3 and aws s3api.

Create folder free-folder aws-kms: aws/s3