SSM - How to setup Session Manager of Systems Manager AWS

https://www.youtube.com/watch?v=-ASMtZBrx-k - Follow this  - Just 2 Steps 

1) Install Agent on EC2 as per their OS

2) Attach SSMIAMRole to EC2

https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-get-version.html

yum info amazon-ssm-agent

apt list amazon-ssm-agent

https://docs.aws.amazon.com/systems-manager/latest/userguide/agent-install-ubuntu-64-snap.html

sudo snap list amazon-ssm-agent

snap list

sudo snap services amazon-ssm-agent

============

AWS SSM Session Manager for Shell Access to EC2 Instances | Temporary SSH Credentials | Security

============

AWS ASSUMEROLE

 Assume an IAM role using the AWS CLI (amazon.com)

Authenticating to AWS with Environment Variables | by Yevgeniy Brikman | Gruntwork

amazon web services - bash script for AWS assume-role - Stack Overflow

aws sts get-caller-identity

aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session

export AWS_ACCESS_KEY_ID=RoleAccessKeyID export AWS_SECRET_ACCESS_KEY=RoleSecretKey export AWS_SESSION_TOKEN=RoleSessionToken

aws sts get-caller-identity

unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN aws sts get-caller-identity

-------------------------------------------------------------------------------

Next, you call aws sts assume-role, passing it the ARN of the IAM Role you want to assume, plus a “role session name” that can be used to tell who is assuming the IAM Role and why (as the same IAM Role may be assumed by may different users):

aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/dev-full-access \
  --role-session-name username@company.com

This will return a blob of JSON that contains Temporary Access Keys:

{
  "Credentials": {
    "SecretAccessKey": "secret-access-key",
    "SessionToken": "temporary-session-token",
    "Expiration": "expiration-date-time",
    "AccessKeyId": "access-key-id"
  }
}

You must now set these Temporary Access Keys as environment variables, overriding the old environment variables:

export AWS_ACCESS_KEY_ID=<Access-key-from-output>
export AWS_SECRET_ACCESS_KEY=<Secret-access-key-from-output>
export AWS_SESSION_TOKEN=<Session-Token-from-output>

AWS ELB : Listener : Rules: Multiple Ports

AWS ELB when target (backend) applications runs on multiple ports of the same EC2

https://stackoverflow.com/questions/54915981/aws-elb-when-target-backend-applications-runs-on-multiple-ports-of-the-same-ec/54917808#54917808

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html

AWS : EC2 :Full Troubleshooting List

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesServerError

Connection problems and errors

• Common causes for connection issues
• Error connecting to your instance: Connection timed out
• Error: unable to load key ... Expecting: ANY PRIVATE KEY
• Error: User key not recognized by server
• Error: Permission denied or connection closed by [instance] port 22
• Error: Unprotected private key file
• Error: Private key must begin with "-----BEGIN RSA PRIVATE KEY-----" and end with "-----END RSA PRIVATE KEY-----"
• Error: Server refused our key or No supported authentication methods available
• Cannot ping instance
• Error: Server unexpectedly closed network connection
• Error: Host key validation failed for EC2 Instance Connect

AWS : EC2: EBS : Mounting /Attaching EBS Volume : Duplicate UUID : Issue

sudo   mount -o   nouuid    /dev/xvdf2    /mnt/temp
 

https://stackoverflow.com/questions/55833917/unable-to-mount-a-volume-on-an-ec2-instance/55845557#55845557

https://stackoverflow.com/questions/55833917/unable-to-mount-a-volume-on-an-ec2-instance

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesServerError

AWS : Capacity Reservation: AWS Calculator : Savings Plan: Reserved Instances :Compute Savings Plans : EC2 Instance Savings Plans

Capacity Reservation

 When you create a Capacity Reservation, we reserve the specified capacity for your use. The reserved capacity is charged at the selected instance type’s On-Demand rate whether an instance is running in it or not. You can also use your regional reserved instances with your Capacity Reservations to benefit from billing discounts.

https://calculator.aws/#/

AWS Calculator

Reserved Instances

 Platform[Linux, Windows], Tenancy[Default/Dedicated], Offering class[Convertible,Standard] 

 Instance type[c2.medium], Term[1 year/3 Years], Payment option[Partial, Upfront, None]

 

Savings Plan

Savings Plans also offer significant savings on your Amazon EC2 costs compared to On-Demand Instance pricing. With Savings Plans, you make a commitment to a consistent usage amount, measured in USD per hour. This provides you with the flexibility to use the instance configurations that best meet your needs and continue to save money, instead of making a commitment to a specific instance configuration

---------------------------------------

SageMaker Savings Plans

Compute Savings Plans

EC2 Instance Savings Plans

---------------------------------------

Compute Savings Plans [Better than EC2 Instance Savings Plan]

Applies to EC2 instance usage, AWS Fargate, and AWS Lambda service usage, regardless of region, instance family, size, tenancy, and operating system.

Term, Payment option, Purchase commitment [Hourly commitment]

---------------------------------------

EC2 Instance Savings Plans

Applies to instance usage within the committed EC2 family and region, regardless of size, tenancy, and operating system.

Region,Instance family, Term, Payment option, Purchase commitment [Hourly commitment]

AWS:CloudShell:CLI: aws ec2 describe-instances

https://thehftguy.com/2016/03/10/how-to-export-amazon-ec2-instances-to-a-csv-file/

https://gmusumeci.medium.com/how-to-export-aws-ec2-instances-in-multiple-aws-regions-and-multiple-aws-accounts-to-excel-csv-ce283af0ed90

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html

https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html

https://docs.aws.amazon.com/cloudshell/latest/userguide/working-with-cloudshell.html

AWS Cloud Shell 

aws ec2 describe-instances --filters "Name=tag:Environment,Values=QA"  --output json

aws ec2 describe-instances --filters "Name=tag:Environment,Values=QA" --output table  >  QA_EC2_Instances.tsv

InstanceId

InstanceType

PrivateIpAddress

aws ec2 describe-instances \

--filters "Name=tag:Environment,Values=QA" \

--query 'Reservations[*].Instances[*].{InstanceId:InstanceId,InstanceType:InstanceType,PrivateIpAddress:PrivateIpAddress}' \

--output json \

>  QA_EC2_Instances.json

aws ec2 describe-instances --filters Name=instance-state-name,Values=running --query "Reservations[*].Instances[*].InstanceId" --output text

aws iam list-access-keys --user-name  john_doe

aws iam list-access-keys --user-name  john_doe

AWS : Network interfaces and instance-level security groups can not be specified together

https://www.codethencloud.com/solved-network-interfaces-and-instance-level-security-groups-can-not-be-specified-together-aws/

AWS: Instance Types : Instance Families : Instance Sizes : Instance Pricing : EC2

https://aws.amazon.com/ec2/instance-types/

https://aws.amazon.com/ec2/instance-explorer

Instance type	Instance   size	Hypervisor	vCPUs	Architecture	Cores	Threads   per core	Sustained   clock speed (GHz)	Memory   (GiB)	Network performance	Maximum   number of network interfaces	IPv4 addresses per interface	IPv6 addresses per interface	On-Demand   Linux pricing
c5.4xlarge	4xlarge	nitro	16	x86_64	8	2	3.4	32	Up to 10 Gigabit	8	30	30	0.68 USD per Hour
c5.2xlarge	2xlarge	nitro	8	x86_64	4	2	3.4	16	Up to 10 Gigabit	4	15	15	0.34 USD per Hour
c5.xlarge	xlarge	nitro	4	x86_64	2	2	3.4	8	Up to 10 Gigabit	4	15	15	0.17 USD per Hour
c5.large	large	nitro	2	x86_64	1	2	3.4	4	Up to 10 Gigabit	3	10	10	0.085 USD per Hour

Analytics

• Elasticsearch Service  [Amazon Elasticsearch Service]
• MSK  [Amazon Managed Streaming for Apache Kafka]

https://aws.amazon.com/ec2/instance-types/

n/w performance and Clock Speed -  may stay same  in a instance family.

Instance Family : Processor Speed /N.W Performance:  a1,t2, t3 [General Purpose]          c4, c5 [Compute Optimised]                   [Memory Optimized/RAM]           [Accelerated Computing/HW Accelerator]     [Storage Optimized/EBS]

Instance Size :  vCPU, Cores,  Memory(RAM)    :    nano, micro, small, medium, large, xlarge, 2xlarge, 4xlarge

30.5 Days

Large has 4GB RAM, 1 Core, 2 VCPUs

similarly, xlarge has 8 GB RAM, 2 Core, 4 VCPUs

n/w performance and Clock Speed -  may stay same  in a instance family.

Burst is related to EC2 Performance

Amazon EC2 allows you to choose between Fixed Performance Instances (e.g. M5, C5, and R5) and Burstable Performance Instances (e.g. T3). Burstable Performance Instances provide a baseline level of CPU performance with the ability to burst above the baseline.

New Generation is cheaper as compared to Old/deprecated - if other features stay same.

AWS : Mount EFS on EC2 - Part II - V Important

 sudo mkdir -p /efs

sudo chmod -R ugo+rwx /efs     

ls -ld /efs 

sudo vi /etc/fstab

fs-face524e.efs.us-east-1.amazonaws.com:/ /efs nfs4 rw,intr,hard,_netdev,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport

sudo mount -a

sudo reboot now

chmod -R 777 /efs  is not safer

chmod -R ugo+rwx /efs is safer - Does not override SETUID AND SETGID BITS - Just Appends permissions

https://unix.stackexchange.com/questions/296675/is-chmod-r-ugorwx-safer-than-chmod-r-777

cd / && sudo umount /efs && sudo mv /efs /fileshare && sudo chmod ugo+w /fileshare  && cat /etc/fstab 

sudo sed  -i 's+/efs+/fileshare+g' /etc/fstab 

sudo mount -a && sudo reboot now

ls -l /fileshare 

df -h

ls -l /fileshare ; df -h

ls -l /fileshare && df -h

umount /efs 

sudo mv /efs /fileshare

sudo chmod ugo+w /fileshare

sudo vi /etc/fstab

sudo reboot now

https://www.cyberciti.biz/faq/how-to-use-sed-to-find-and-replace-text-in-files-in-linux-unix-shell/

sudo sed   's/efs/fileshare/g' /etc/fstab   //Replace content and its temporary

sudo sed   's+/efs+/fileshare+g' /etc/fstab  // Change Delimiter

sudo sed  -i 's+/efs+/fileshare+g' /etc/fstab //-i save changes to file/stream

sudo sed  -e '/fs-face524e/s/fileshare/helloooo/' /etc/fstab //Replace only if lines contain specific string "fs-face524e"

AWS : S3API vs S3

aws s3api create-bucket --bucket my-bucket --region us-east-1

aws s3 mb s3://myeucentral1bucket --region eu-central-1

aws s3 sync s3://DOC-EXAMPLE-BUCKET-SOURCE s3://DOC-EXAMPLE-BUCKET-TARGET

--------------------------------------------------

aws s3api create-bucket --bucket cca-product-dev-s3bucket --region us-east-1 --acl public-read

aws s3 sync s3://cca-product-s3-bucket s3://cca-product-dev-s3bucket --dryrun

--------------------------------------------------

https://docs.aws.amazon.com/cli/latest/reference/s3api/create-bucket.html

https://aws.amazon.com/blogs/developer/leveraging-the-s3-and-s3api-commands/

https://aws.amazon.com/premiumsupport/knowledge-center/move-objects-s3-bucket/

https://stackoverflow.com/questions/27932345/downloading-folders-from-aws-s3-cp-or-sync

AWS : EFS : Mount Target and Mount in EC2

sudo apt-get -y install nfs-common
sudo yum -y install nfs-utils
sudo service nfs start
sudo service nfs status

sudo su -
sudo mkdir -p /efs
sudo chmod -R ugo+rwx /efs     
ls -ld /efs 

echo 'fs-face524e.efs.us-east-1.amazonaws.com:/ /efs nfs4 rw,intr,hard,_netdev,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 0 0' >> /etc/fstab

sudo mount -a

sudo reboot now

umount -f efs
sudo mount -a

#fs-face524e.efs.us-east-1.amazonaws.com:/ /efs nfs4 rw,intr,hard,_netdev,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 0 0

#echo 'fs-face524e.efs.us-east-1.amazonaws.com:/ /efs nfs4 rw,intr,hard,_netdev,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 0 0' | sudo tee -a /etc/fstab

#sudo vi /etc/fstab

chmod -R 777 /efs  is not safer

chmod -R ugo+rwx /efs is safer - Does not override SETUID AND SETGID BITS - Just Appends permissions

https://unix.stackexchange.com/questions/296675/is-chmod-r-ugorwx-safer-than-chmod-r-777

https://www.thegeekdiary.com/understanding-the-configuration-file-for-mounting-file-systems-etc-fstab/

https://askubuntu.com/questions/9939/what-do-the-last-two-fields-in-fstab-mean

The EFS mount helper is part of the amazon-efs-utils package. 

The amazon-efs-utils package is an open-source collection of Amazon EFS tools. 

For more information, see Manually installing the Amazon EFS client.

https://docs.aws.amazon.com/efs/latest/ug/installing-amazon-efs-utils.html#installing-efs-utils-amzn-linux

https://docs.aws.amazon.com/efs/latest/ug/installing-amazon-efs-utils.html#installing-other-distro

Before the Amazon EFS mount helper was available, 

we recommended mounting your Amazon EFS file systems using the standard Linux NFS client.

https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-old.html#mounting-fs-install-nfsclient

https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-dns-name.html

https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-ip-addr.html

https://docs.aws.amazon.com/efs/latest/ug/efs-mount-helper.html#mount-fs-auto-mount-onreboot

To view and copy the exact commands to mount your EFS file system using the mount target IP address

Open the Amazon Elastic File System console at https://console.aws.amazon.com/efs/.

In the Amazon EFS console, choose the file system that you want to mount to display its details page.

To display the mount commands to use for this file system, choose Attach in the upper right.

The Attach screen displays the exact commands to use for mounting the file system.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html

https://kichik.com/2020/09/08/how-does-ec2-instance-profile-work/

https://computingforgeeks.com/mount-aws-efs-file-system-on-ec2/

https://docs.aws.amazon.com/efs/latest/ug/efs-mount-helper.html#mounting-access-points

sudo mkdir /efs

sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-face524e.efs.us-east-1.amazonaws.com:/ efs

fs-face524e.efs.us-east-1.amazonaws.com:/ efs nfs4 defaults,_netdev 0 0

umount -f efs

sudo mount -a

Mounting on Amazon EC2 with a DNS name

Mounting with an IP address [https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-dns-name.html]

Mounting your Amazon EFS file system automatically[https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-ip-addr.html]

[https://docs.aws.amazon.com/efs/latest/ug/efs-mount-helper.html#mount-fs-auto-mount-onreboot]

NFS client

nfs-utils for RHEL, CentOS, Amazon Linux, and Fedora distributions

nfs-common for Debian and Ubuntu distributions

Network File Sharing (NFS) is a protocol that allows you to share directories and files with other Linux clients over a network

Record Set, Hosted Zone, DNS , Route 53, AWS

 DNS has Record Set Types:

A record   --> Domain URL points to IP address at TCP Level [ dummy.com   -> StaticIP_LoadBalancer]

CNAME record --> dummy.com   -> Alternate.com

NS record -> its not actually a website, but at Nameserver Level [Not very usual[

SSL can be embedded in DNS - DNS is Network level , Not Http Level

DNS is LEVEL4 - N/W Layer

HTTPS/SSL is Layer 7(6)  - Above 4

So, DNS is merely Server resolving , it does not know anything at SSL TLS HTTPS level

So, We direct DNS to Load Balancer 

Load Balancer has a listener which redirects traffic internally 

Load Balancer is at TCP Port 80

TCP Port 80 redirects to Port 443 at Load balancer Level

here at LB SSL offloading Happens

PFX File, CER File is issued to "DNS Name " and "Subject Alternative Names" to FQDN of Host Backends

DNS has Record Set Types:

A record

CNAME record

NS record

Lambda Application vs Lambda Function

 

1. Lambda
2. Applications
3. Create application
4. Scheduled job

By combining AWS Lambda with other AWS services, developers can build powerful applications that automatically scale up and down and run in a highly available configuration across multiple data centers – with zero administrative effort required for scalability, back-ups or multi-data center redundancy.

Lambda Functions are like bare-bones standalone

They have to be provided IAM Role

They have to be mapped to a trigger

If There was a way, to do all this in 1 Place - Its called "Lambda Application"