
Saturday, December 10, 2016

Part 5 - AWS - Managing access and security using the AWS CLI

Managing access and security using the AWS CLI

Configuring the AWS CLI is a simple and straightforward process. All you need is the access key ID and secret access key of one of the IAM users we created in the earlier parts of this chapter. Next, open a terminal on your Linux box that has the AWS CLI installed and type the following command:

# aws configure

Once entered, you will be prompted for the user's Access Key ID and Secret Access Key, along with the default region name and the default output format to use. Set the region to the one your users will be operating in, for example us-east-1 or us-west-2; most commands fail without one. The answers are written to ~/.aws/credentials (the keys) and ~/.aws/config (region and output format) in the home directory of the account you run the command as, so run it as the user who will actually use the CLI rather than keeping one root-owned file for everybody:

AWS Access Key ID [None]:TH1$is$0MUC#fuN
AWS Secret Access Key [None]:iH@vEN01De@W#@T1@mD01ng#ERe
Default region name [None]: us-west-2
Default output format [None]: table

The output format accepts any of these three values as the preferred method to display the output of the commands: table, text, or json.
Note: Any of these values can be changed at any time by rerunning the aws configure command.
But what if multiple users need to run commands from the same Linux box? Do you have to share the keys with all of them? A valid question with a simple answer: NO! You never share your keys with anyone. Instead, set up a named profile for each user, each holding that user's own keys, with this command:

# aws configure --profile jason

Here we are creating a named profile for our user Jason. You can create a named profile for each individual IAM user with the same syntax. Each profile becomes its own section in ~/.aws/credentials and ~/.aws/config, and is selected per command with --profile jason, or for a whole session by exporting AWS_PROFILE=jason. Keep the credentials file readable by its owner only (chmod 600), since anyone who can read it can use every profile in it.
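As an added example that is not part of the original post, here is a small Python audit of the credentials file that named profiles are written to: it lists the profiles, flags an access key ID reused across several profiles (the key sharing the text warns against), and checks that the file is not group- or world-readable. The sample file contents, profile names and key values are constructed placeholders.

```python
"""Audit an AWS CLI credentials file for shared keys and lax permissions.

Added example, not code from the original post; the sample file contents
and key values below are constructed placeholders.
"""
import configparser
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Same INI layout that `aws configure --profile NAME` writes to ~/.aws/credentials.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEALICE0001
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[jason]
aws_access_key_id = AKIAEXAMPLEJASON0002
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

[contractor]
aws_access_key_id = AKIAEXAMPLEALICE0001
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def parse_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Return {profile name: {option: value}} for every [section] in the file."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def shared_key_profiles(profiles: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Access key IDs that appear under more than one profile: one person's keys
    handed to another user instead of giving that user their own IAM keys."""
    by_key: Dict[str, List[str]] = {}
    for name, values in profiles.items():
        key_id = values.get("aws_access_key_id")
        if key_id:
            by_key.setdefault(key_id, []).append(name)
    return {k: names for k, names in by_key.items() if len(names) > 1}


def world_readable(path: str) -> bool:
    """True if group or others hold any permission bit on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def audit_file(path: str) -> List[str]:
    """Human-readable findings for one credentials file (empty list = clean)."""
    findings: List[str] = []
    profiles = parse_profiles(Path(path).read_text())
    for key_id, names in shared_key_profiles(profiles).items():
        findings.append(f"access key {key_id} is shared by profiles: {', '.join(names)}")
    if world_readable(path):
        findings.append(f"{path} is readable by group/others; run chmod 600 on it")
    return findings


def demo() -> List[str]:
    """Write the constructed sample with a lax mode (0644) and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".credentials", delete=False) as fh:
        fh.write(SAMPLE_CREDENTIALS)
        path = fh.name
    os.chmod(path, 0o644)
    try:
        return audit_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Point audit_file() at ~/.aws/credentials to check a real box.
    for finding in demo() or ["no findings"]:
        print(finding)
```

Run audit_file on ~/.aws/credentials of each account that has the CLI configured; a key ID showing up under two profiles means one IAM user's keys were copied rather than a second user being created.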

Using IAM Roles in EC2

·        Roles are more secure than storing an access key and secret access key on individual EC2 instances: the instance receives short-lived credentials that rotate automatically, and no long-lived key sits on disk.
·        Roles are easier to manage: change the role's policy once and every instance using it picks up the change.
·        Roles can only be assigned when the EC2 instance is being provisioned. (That was the case when this was written in December 2016; since February 2017 AWS also lets you attach, replace or detach an instance profile on a running or stopped instance.)
·        Roles are universal: IAM is a global service, so the same role can be used in any region.

AWS EC2 Instance Metadata & Userdata

·        Used to get information about an instance (such as its public IP)
·        The public IP and similar facts come from the instance metadata, not from user data. User data does exist, but it is the bootstrap data you supply at launch (see below), not a description of the instance.

Overview

·        Instance metadata and user data can be used for self-configuration, letting an EC2 instance answer the questions Who am I? and What should I do?
·        Instance metadata and user data can be accessed from within the instance itself
·        The data is not protected by cryptographic methods. Any process that can reach the endpoint can read it, including a web application on the instance that can be tricked into fetching an attacker-supplied URL (SSRF), and a role's temporary credentials are among the things exposed there. Do not store sensitive data such as passwords as user data. AWS later (2019) added IMDSv2, which requires a session token obtained with an HTTP PUT before any read; require it (instance metadata option HttpTokens=required) where you can.
·        Both the metadata and user data are served from the link-local IP address 169.254.169.254, and the latest as well as previous API versions are available
·        Metadata and user data can be retrieved with a simple curl or GET request, and you are not billed for the requests

Instance Metadata

·        Instance metadata is data about your instance and answers the question Who am I?
·        Instance metadata is divided into two categories
o   Instance metadata
§  includes metadata about the instance such as instance ID, AMI ID, hostname, IP addresses, security groups, and the IAM role together with its temporary credentials (under iam/security-credentials/)
§  Can be accessed from http://169.254.169.254/latest/meta-data/
o   Dynamic data
§  is generated when the instances are launched such as instance identity documents, instance monitoring etc
§  Can be accessed from http://169.254.169.254/latest/dynamic/
·        Instance metadata can be used for managing and configuring instances

User Data

·        User data can be used for bootstrapping your EC2 instance and answers the question What should I do?
·        User data is supplied when launching an EC2 instance and executed at boot time
·        User data can take the form of parameters or a user-defined script that runs when the instance is launched, for example to apply software patches or to fetch and deploy the application from an S3 bucket
·        User data can be used to build more generic AMIs, which are then configured dynamically at launch time
·        User data can be retrieved from http://169.254.169.254/latest/user-data (not from the dynamic/ path, which holds the instance identity document and similar data)
·        User data is executed only at launch. If you stop an instance, modify the user data, and start the instance, the new user data is not executed automatically.
·        User data is treated as opaque data and returned as is.
·        User data is limited to 16 KB. This limit applies to the data in raw form, not the base64-encoded form.
·        User data must be base64-encoded before being submitted to the API. The AWS CLI (for example aws ec2 run-instances --user-data file://script.sh) performs the base64 encoding for you. The data is decoded before being presented to the instance.
·        On Linux AMIs, user data is executed on first boot by cloud-init; on Windows AMIs the EC2Config/EC2Launch agent plays the same role.

EC2 – Getting Public IP address

·        Query the instance metadata: curl http://169.254.169.254/latest/meta-data/public-ipv4 (public-hostname returns the public DNS name instead)
Key thing to remember is that it's the instance's META DATA, not user data.
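Retrieving the items the last three sections list (the public IPv4 from meta-data, the identity document from dynamic, the role's temporary credentials, and user-data), as an added Python example that is not part of the original post. It uses IMDSv2 session tokens, which AWS added in 2019 and which are assumed to be enabled; the endpoint and paths are real, while the fake responses, token, instance ID, role name and key values are constructed placeholders so the same flow can be run off-instance.

```python
"""Read EC2 instance metadata, dynamic data and user data over IMDSv2.

Added example; not code from the original post. The paths are the ones the
text lists; the fake responses at the bottom are constructed placeholders
so the flow can run off-instance.
"""
import json
import urllib.request
from typing import Callable, Optional

IMDS = "http://169.254.169.254"
TOKEN_TTL_SECONDS = "21600"  # six hours, the maximum IMDSv2 allows

# The opener is injectable so the same logic runs against a fake off-instance.
Opener = Callable[[urllib.request.Request], bytes]


def network_open(req: urllib.request.Request) -> bytes:
    """Real HTTP call. Short timeout: off EC2 the link-local address never answers."""
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read()


class ImdsClient:
    def __init__(self, opener: Opener = network_open, base: str = IMDS) -> None:
        self.open = opener
        self.base = base
        self.token: Optional[str] = None

    def fetch_token(self) -> str:
        # IMDSv2: a PUT with a TTL header returns a session token. A plain GET
        # (what most SSRF/proxy relays can send) gets no token, so an instance
        # set to IMDSv2-only answers 401 to every metadata read without one.
        req = urllib.request.Request(
            self.base + "/latest/api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})
        self.token = self.open(req).decode()
        return self.token

    def get(self, path: str) -> bytes:
        if self.token is None:
            self.fetch_token()
        req = urllib.request.Request(
            self.base + path, headers={"X-aws-ec2-metadata-token": self.token})
        return self.open(req)

    # "Who am I?" -- instance metadata and dynamic data
    def public_ipv4(self) -> str:
        return self.get("/latest/meta-data/public-ipv4").decode()

    def identity_document(self) -> dict:
        return json.loads(self.get("/latest/dynamic/instance-identity/document"))

    def role_credentials(self) -> dict:
        # The role's temporary keys live here; this is what an SSRF bug leaks.
        prefix = "/latest/meta-data/iam/security-credentials/"
        role = self.get(prefix).decode().strip()
        return json.loads(self.get(prefix + role))

    # "What should I do?" -- user data, returned exactly as supplied at launch
    def user_data(self) -> str:
        return self.get("/latest/user-data").decode()


# Constructed stand-in for a real instance (placeholder values, not real data).
FAKE_TOKEN = "AQAEAFAKE-SESSION-TOKEN"
FAKE_RESPONSES = {
    ("PUT", "/latest/api/token"): FAKE_TOKEN.encode(),
    ("GET", "/latest/meta-data/public-ipv4"): b"203.0.113.10",
    ("GET", "/latest/dynamic/instance-identity/document"): json.dumps(
        {"instanceId": "i-0123456789abcdef0", "region": "us-west-2"}).encode(),
    ("GET", "/latest/meta-data/iam/security-credentials/"): b"WebServerRole\n",
    ("GET", "/latest/meta-data/iam/security-credentials/WebServerRole"): json.dumps(
        {"Code": "Success", "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "EXAMPLE",
         "Token": "EXAMPLE", "Expiration": "2016-12-10T18:00:00Z"}).encode(),
    ("GET", "/latest/user-data"): b"#!/bin/bash\nyum update -y\n",
}


def fake_open(req: urllib.request.Request) -> bytes:
    """Behaves like an IMDSv2-only endpoint: reads without a valid token are refused."""
    method, path = req.get_method(), req.full_url[len(IMDS):]
    if method == "GET" and req.get_header("X-aws-ec2-metadata-token") != FAKE_TOKEN:
        raise PermissionError("401 Unauthorized: missing or invalid IMDSv2 token")
    return FAKE_RESPONSES[(method, path)]


if __name__ == "__main__":
    # On an instance use ImdsClient(); off-instance the fake exercises the same calls.
    client = ImdsClient(fake_open)
    print("public IPv4:", client.public_ipv4())
    print("instance id:", client.identity_document()["instanceId"])
    print("role keys status:", client.role_credentials()["Code"])
    print("user data:", client.user_data().splitlines()[0])
```

The injectable opener is only there so the token dance can be seen without an instance; on a real box ImdsClient() with the default network opener performs the same PUT and GETs against 169.254.169.254. The role_credentials call is the one to keep in mind when reviewing any application on the instance that fetches URLs on a user's behalf.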
