All posts by Larry Catt

AWS Security Groups and Ports

Firewalls are mandatory in any computer environment which you wish to call secure.   AWS establishes the firewall rules in the system via Security Groups and ports.   Basically, Security Groups define where traffic is permitted to go via established network ports.   Basic characteristics of security groups:

    1.  Security Groups are the fundamental building block of network security (the firewall) in AWS.

    2.  They define how traffic is allowed into and out of all EC2 Instances.

    3.  Security groups only contain allow rules (there are no deny rules).

    4.  Security groups reference IP ranges or other security groups.

    5.  Security groups reference access ports.

    6.  Security groups can reference both IPv4 and IPv6 networking.

    7.  Security groups control both inbound and outbound traffic.

    8.  Security groups can be attached to multiple instances.

    9.  Security groups are dedicated to a region/VPC.

    10.  Security groups are independent of the EC2 Instances they support.

    11.  It is best practice to have SSH access in its own security group.

    12.  If connections time out, this is a security group block.

    13.  If you get a Connection refused error, the problem is in the application, not the security group.

    14.  By default all inbound traffic is blocked.

    15.  By default all outbound traffic is allowed.

    1.  The following is required before you begin:

        •  An active AWS account with admin level permissions.
        •  An already created EC2 Instance.

    2.  Logon to AWS as an IAM user at URL:  https://signin.aws.amazon.com/

    3.  From the Home Console type EC2 in the search bar, select the star next to EC2, and select EC2

    4.  On the right hand menu bar select Instances.

    5.  We currently have one EC2 Instance built out; click on the Instance ID you want.

    6.  Select the Security tab and you will see the current security group for this instance.   Retrieve the name of the security group attached to this Instance.  In this example the security group is sg-0ce7968afc53f4bf6 (launch-wizard-1).

    7.  On the left hand menu bar, scroll down to Network & Security → Security Groups.

    8.  Click on the security group we found in the previous steps.  sg-0ce7968afc53f4bf6 (launch-wizard-1)

    9.  On the Security group page we want to open the Inbound rules tab and select Edit inbound rules.

    10.  On the Edit inbound rules page, select Add Rule

    11.  We want to connect to this instance via HTTP and HTTPS, so we need to allow traffic on ports 80 and 443 from any IP. Click Save rules.

    12.  Back on the Security Group page you will see your new rules.

    13.  This completes adding rules to a security group.
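    As an added example (not code from the original post), the following Python script reads the JSON that `aws ec2 describe-security-groups` returns and reports inbound rules that are open to the whole internet (0.0.0.0/0 or ::/0) on anything other than the HTTP/HTTPS ports opened in step 11; this also catches SSH left open to any IP, which item 11 above warns against. The sample JSON is constructed: the first group id is the one from the post, the second is a placeholder.

```python
import json

# Ports this tutorial deliberately opens to any IP (step 11); anything else
# reachable from 0.0.0.0/0 or ::/0 is reported.
PUBLIC_OK = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The first group id comes from the post; the second is a placeholder.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0ce7968afc53f4bf6", "GroupName": "launch-wizard-1",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-PLACEHOLDER000000", "GroupName": "db-internal",
     "IpPermissions": [
         # MySQL reachable only from the web tier's group: allowed by reference, not by IP
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0ce7968afc53f4bf6"}]},
         # "-1" is the console's "All traffic" rule; here it is open to all of IPv6
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]})


def port_range(perm):
    """(low, high) covered by a rule; protocol -1 means every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def world_open_sources(perm):
    """IPv4 and IPv6 ranges in the rule that mean 'anywhere'."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in v4 + v6 if c in ANYWHERE]


def audit(groups_json):
    """Return (group_id, protocol, low, high, source) for each risky inbound rule.

    Rules that reference another security group (UserIdGroupPairs) are not
    reported: traffic is limited to members of that group, not to an IP range.
    """
    findings = []
    for sg in json.loads(groups_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            low, high = port_range(perm)
            proto = perm["IpProtocol"]
            for src in world_open_sources(perm):
                if proto == "tcp" and low == high and low in PUBLIC_OK:
                    continue  # HTTP/HTTPS to the world is the intended rule
                findings.append((sg["GroupId"], proto, low, high, src))
    return findings
```

    Feed it the real output with `aws ec2 describe-security-groups --region us-east-1` piped to a file and call `audit()` on the file contents.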

    AWS EC2 Instance types explained

    AWS has created multiple EC2 Instance types for various organizational applications.   An EC2 Instance is comparable to a virtual server in an on-premises data center.   Depending on the use of the server, you will have varying CPU capacities, memory allocations, number of network cards, network speed allocations, and types of storage allocated.  An EC2 Instance has exactly the same kinds of allocations.    For example, a web server will not have the same ratio of CPU or storage capacity to network bandwidth that a database server will have.   You can view the standard types of AWS EC2 Instances at the URL:

    https://aws.amazon.com/ec2/instance-types

    Here you can see the types of EC2 Instance available to you in the standard offering.   It is important to realize that a type of Instance does not necessarily correlate to sizing.    Each Instance type has a multitude of sizes offered.   The Instance types refer to the ratio or balance of server capacity to their intended use.   Note that within each Instance type you have a range of configuration capacity options.

    The Instance names can be broken down as follows.  We will use the example m5.2xlarge:

            –  m – the instance class

            –  5 – the generation (improvement of the class over time by AWS, normally changing with new hardware)

            –  2xlarge – the size within the instance class

    EC2 Instance Types

            –  General Purpose

                    *  Balance between compute, memory and networking

                    *  Web servers

                    *  Repositories

                    *  T and M instance classes

            –  Compute Optimized

                    *  Intense computing uses

                    *  Batch processing

                    *  Media manipulation

                    *  High performance web servers

                    *  HPC – High Performance Computing

                    *  Scientific modeling

                    *  Gaming servers

                    *  C instance class

            –  Memory Optimized

                    *  For processing large data sets in memory

                    *  In-memory relational databases

                    *  Distributed web cache

                    *  Business Intelligence – reporting

                    *  Big unstructured data

                    *  R, X, Z instance classes

            –  Accelerated Computing

                    *  Hardware accelerated compute

                    *  Graphics systems

                    *  Mathematical calculation systems

                    *  Data pattern matching

                    *  P, G, T, D, F, V instance classes

            –  Storage Optimized

                    *  Storage related computing – high reads and writes

                    *  OLTP systems

                    *  Relational databases

                    *  Cache databases

                    *  Data warehouses

                    *  Distributed file systems

                    *  I and D instance classes

            –  HPC Optimized

                    *  High Performance Computing offering

                    *  Engineering

                    *  Weather modeling

                    *  Molecular modeling

                    *  H instance class


    AWS Starting, Stopping and Terminating an EC2 Instance

    An EC2 Instance in AWS can be considered a server and as such can reside in your AWS environment without executing.   In an AWS environment this has significant ramifications for cost, because an EC2 instance that is not currently executing only incurs storage costs and the customer avoids virtual machine costs and network utilization costs.   In this article we will review the process for starting, stopping and terminating already created EC2 instances.

    1.  The following is required before you begin:

        –  An active AWS account with admin level permissions.

    2.  Logon to AWS as an IAM user at URL:  https://signin.aws.amazon.com/

    3.  From the Home Console type EC2 in the search bar, select the star next to EC2, and select EC2

    4.  On the right hand menu bar select Instances.

    5.  We currently have one EC2 Instance built out; select your instance with a check mark and press Instance state.  NOTE:  Record the instance ID for each of your EC2 instances to control them from the CLI.   In this example our Instance ID is i-0a223b5a7b0e24408

    6.  From this menu you can start, stop and terminate the instance.  Note:   Terminating an instance is recoverable, but the resources you had before are not guaranteed to be available, so ensure that you will not need the instance before terminating, and place it in a stopped state if there are any doubts.

    7.  You can also start, stop and terminate EC2 instances from your CLI application without logging into the console, using the following commands with the instance ID shown in step 5 and the region ID of the instance.   In this example our Instance ID is i-0a223b5a7b0e24408 and the region_id is  us-east-1   NOTE:   You have to have

       – Reports the details of your instance

      aws ec2 describe-instances --instance-ids i-0a223b5a7b0e24408 --region us-east-1

       – Stops the instance

      aws ec2 stop-instances --instance-ids i-0a223b5a7b0e24408 --region us-east-1

       – Starts the instance

      aws ec2 start-instances --instance-ids i-0a223b5a7b0e24408 --region us-east-1

       – Terminates (deletes) the instance

      aws ec2 terminate-instances --instance-ids i-0a223b5a7b0e24408 --region us-east-1

    AWS Creating EC2 Instance

    The creation of an AWS EC2 Instance is normally accomplished via the AWS Console, but can also be performed via the Command Line Interface (CLI).   In this example we will create a simple EC2 virtual instance with various parameters.  We will start the instance using a User Data script defined for MySQL configuration.

    1.  The following is required before you begin:

            –  An active AWS account with admin level permissions.

    2.  Logon to AWS as an IAM user at URL:  https://signin.aws.amazon.com/

    3.  From the Home Console type EC2 in the search bar, select the star next to EC2, and select EC2

    4.  On the right hand menu bar select Instances.

    5.  We currently have no EC2 Instances built out so this screen will be empty; press Launch instances to begin.

    6.  There are multiple sections on a single screen so we will take the inputs section by section.  First provide a name for the new instance and select RHEL as the OS.

    7.  Next select the AMI (Amazon Machine Image) and the architecture; here ensure that you select the one which states “Free tier eligible”.

    8.  Next, in the section Instance Type select t2.micro, which is free tier, and in Key pair (login) click Create new key pair.

    9.  On the Create key pair page, name your key pair, select RSA and a Private key file format of .pem, and select Create key pair.    NOTE:  if you are using Windows 10 or below or Mac you may want to select .ppk if you intend to use PuTTY.   Most will be using OpenSSH.

    10.  Ensure that you store your .pem file in a secure location.

    11.  The next section is Network settings, and we will accept the general defaults.  A public IP will be assigned to our instance with the security group launch-wizard-1, but you do have the option of selecting your own security group for firewall configuration.   We are creating a database EC2 instance so we will only allow SSH traffic from outside, but if you were configuring a web server or boundary server you might allow HTTPS and HTTP connections.

    12.  In the next section, Configure storage, you select the type and speed of storage you would like. We will leave the defaults.

    13.  Next click the Advanced details section to expand it.  This is a simple EC2 database instance, so we will select all of the defaults except the User data section.  We will cut and paste our own code to install a MySQL database, start the database, and enable the database at first startup. Note: User Data is only executed at first instance startup.

    14.  Next you can click the Launch instance button.

    15.  You will get a confirmation window of successful EC2 Instance startup.

    16.  Moving back to the EC2 → Instances console and selecting refresh, you can see that the new EC2 Instance is in a Running state but is currently initializing (meaning the user data is still executing).

    17.  Once completed, the status will change to green and the instance is available for use; ensure that you note the IP address for future connections via CLI.

    18.  This completes the creation of a database EC2 Instance.

    AWS EC2 Explained

    AWS EC2 stands for Elastic Compute Cloud and is the most popular Infrastructure as a Service offering by Amazon.  Knowledge of EC2 components and how they work is fundamental to working in the AWS Cloud.

    Capabilities of AWS EC2

     -Virtual Machine offering (EC2)

     -Virtual data storage Drives (EBS)

     -Distribution of Load or Load Balancing across EC2 Instances (ELB)

     -Scaling service via auto-scaling groups (ASG)

    EC2 Instance sizing and configuration options must be considered like a normal Data Center Server.  AWS provides standard EC2 sizing for any solution or organizational needs and you can build your own configuration.

     –  OS: Linux, Windows or Mac OS

     –  Number of compute cores per Instance (CPU)

     –  Amount of memory per Instance

     –  Storage and Type

      – Network-attached (EBS or EFS)

      – Hardware-attached (Per EC2 Instance)

     –  Number of network cards and their speeds

                    – Public IP address

                    – Private IP address

     –  Firewall Rules: security group

     –  Bootstrap script (Configure EC2 Instance): EC2 User Data

    EC2 User Data is the startup instructions of your EC2 Instance and can contain:

     –  Installing updates

     –  Installing software

     –  Downloading files, data or update.

     –  Any other organizational processes necessary at startup.

    AWS Best Practices for User Accounts


    To maintain proper security and access to your AWS environment, it is important that we follow some basic security guidelines.  The following list is not all encompassing.

    1.  Never use the root account except for setting up your AWS environment and creating the initial IAM Administrators.

    2.  Never create shared accounts which are used by more than one user.

    3.  Avoid assigning permissions to users directly and grant permissions via groups.

    4.  Create groups for users and place each user in one or more groups.

    5.  Ensure that you create a strong password policy which meets your organizational requirements.

    6.  Ensure that you use roles to grant permissions to AWS Services.

    7.  Ensure MFA is enabled for all users.

    8.  Use access keys only for CLI/SDK connections.

    9.  Audit unused permissions through IAM Access reports and IAM Credential reports and remove permissions not utilized.

    10.  Do not share Access Keys or IAM User credentials.

    AWS User Security Tools


    AWS provides security tools in the form of reports and advisors that allow you to see the actions of users and gain knowledge of their behaviors within AWS.   We will cover IAM Credentials Reports and  IAM Access Advisor.

    1.  The following is required before you begin:

        •  An active AWS account with admin level permissions.

    2.  Logon to AWS as an IAM user at URL:  https://signin.aws.amazon.com/

    3.  In the search bar type IAM, highlight the star next to IAM (so it will appear on your Console) and select IAM.

    4.  On the left hand side of the screen, scroll down and select Credential reports.

    5.  Select Download credentials report

    6.  A CSV file will be downloaded showing you the activities of each user and other pertinent information about their credentials.

    7.  Now we will go to the IAM Access Advisor.  Back on the IAM left hand menu bar select Users.

    8.  Click on the user name you are interested in; in this example ljcatt_aws.

    9.  Click on Last Accessed to view the AWS Services used

    10.  You will see the report of services used or not used.  
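    As an added example (not code from the original post), here is a Python check over the credential report CSV downloaded in step 6, applying the account best practices from the previous post: MFA for every console user, no access keys on the root account, and removal of access keys that are not being used. The report rows are constructed using the real report's column names; the account id and the user names other than ljcatt_aws are placeholders, and the 90-day threshold is an assumption.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumption: a key unused this long should be removed

# Constructed sample using the real credential report column names (a subset).
# Account id 111122223333 and users other than ljcatt_aws are placeholders.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,true,2024-04-30T10:00:00+00:00,false,N/A
ljcatt_aws,arn:aws:iam::111122223333:user/ljcatt_aws,true,true,true,2024-05-28T09:00:00+00:00,false,N/A
svc-backup,arn:aws:iam::111122223333:user/svc-backup,false,false,true,2024-01-15T03:00:00+00:00,true,N/A
contractor,arn:aws:iam::111122223333:user/contractor,true,false,false,N/A,false,N/A
"""


def parse_time(value):
    """Report timestamps are ISO 8601; N/A and no_information mean never."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_report(report_csv, now):
    """Return (user, issue) pairs for the best-practice violations the report reveals."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root is for initial setup only and should hold no access keys.
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root access key {n} is active"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            # Every console user needs MFA; users with no password (service
            # users such as svc-backup) are not flagged by this rule.
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            # Remove credentials that are active but not being used.
            if row[f"access_key_{n}_active"] != "true":
                continue
            last = parse_time(row[f"access_key_{n}_last_used_date"])
            if last is None or now - last > STALE_AFTER:
                findings.append((user, f"access key {n} unused for over {STALE_AFTER.days} days"))
    return findings


def run_sample():
    """Evaluate the constructed report as of a fixed date so results are reproducible."""
    return audit_report(SAMPLE_REPORT, datetime(2024, 6, 15, tzinfo=timezone.utc))
```

    Against a real report, pass the downloaded file's contents and `datetime.now(timezone.utc)` to `audit_report()`.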

    AWS Creating IAM Roles for Services

    AWS Services execute processes that require permissions, and thus need permissions similar to an IAM user account.    IAM Roles are created and granted permissions, and the roles are then assigned to the service.

    Common Roles are:

    • EC2 Instance Role 
    • Lambda Function Role 
    • Roles for CloudFormation  

    1.  Logon to AWS as an IAM user at URL:  https://signin.aws.amazon.com/

    2.  In the search bar type IAM, highlight the star next to IAM (so it will appear on your Console) and select IAM.

    3.  On the left hand side of the screen, scroll down and select Roles.

    4.  The Roles console appears; select Create role.

    5.  A 3 step process will be presented.  The first step is to select the entity you wish to create the role for.   There are 5 entity types:  AWS Service, AWS Account, Web Identity, SAML, and Custom trust policy.   We will choose AWS Service, and for the service that it will apply to choose EC2.

    6.  Next page we will need to attach policies for the new Role, basically a defined list of permissions.   We will give the role permissions to read from IAM with the policy IAMReadOnlyAccess.  Click Next.

    7.  On the next page you will give the role a name and description and you will be presented with JSON code for the new role.   Click on Create role.

    8.  The new role will appear in your role list.

    9.  This role can now be applied to an EC2 instance, which we currently do not have but which will be created in another article.

    AWS Generating Access Keys

    Access Keys are required to connect to AWS through the AWS Command Line Interface (CLI) and the AWS Software Development Kit (SDK).    Access Keys are generated through the AWS Management Console and each user manages their own individual access keys.    Access keys are just like a password and should never be shared between users.  In these instructions we will create Access Keys for an IAM user other than root.

    1.  Logon to AWS as the root user at URL:  https://signin.aws.amazon.com/

    2.  In the search bar type IAM and open the IAM console.

    3.  Select Users from the left hand side menu bar.

    4.  Select the My security credentials.

    5.  Go to Access keys and select Create access key

    6.  Select Command Line Interface (CLI), check mark the confirmation and select Next.

    7.  Enter a description tag and select Create access key.

    8.  The access key will be generated; download it as a CSV and press Done.

    9.  Now you have an access key to enter your AWS environment via the CLI.

    Configuring AWS Custom Password Requirements

    1.  Logon to AWS as the root user at URL:  https://signin.aws.amazon.com/

    2.  Prove that you are not a machine.

    3.  Provide your password.

    4.  Retrieve your code from your email account and enter it.

    5.  Type IAM in the search bar and select IAM Console.

    6.  On the left hand menu bar, scroll down and select Account settings.

    7.  On the next page, select Custom and select any options you desire for your password requirements.  To complete, select Save changes.