How to start with Amazon Web Services (AWS) - English version - CLOUDWEBOPS
[email protected] | www.cloudwebops.com
phone: +381 (0) 66 398 398 | skype: cloudwebops
HQ: Vojvodjanskih brigada 28, Novi Sad, SERBIA
AWS Standard Consulting Partner APN ID: 490243
How to start with Amazon Web Services (AWS) - English version
CLOUDWEBOPS
Version: February 19, 2016.
Author: CLOUDWEBOPS

Purpose
The purpose of this document is to make AWS easier to understand for beginners and to walk them through the basic setup needed to explore the AWS Cloud platform further and to work with it on their own. It does so by giving detailed, step-by-step instructions. CLOUDWEBOPS holds no responsibility for misuse of any of the instructions in this document. Any unauthorized copy of this document or of any part of it, or publishing it without referencing CLOUDWEBOPS as the author, is strictly forbidden.

Table of contents:
Introduction
Creating an account
Creating and connecting to Ubuntu and Windows EC2 instances
Monitoring AWS account expenses
Basic AWS account security settings
Introduction

To enter the Amazon Web Services (AWS, AWS Cloud) world, the first thing you have to do is create an AWS account. The process is quite intuitive. The prerequisites are an email address, a credit card and a mobile phone. The phone is needed because Amazon verifies your identity with an automated call during which you enter a PIN code. Any credit card with online (internet) transactions enabled will do. After the account is created, Amazon places a $1 test transaction on the card to confirm that it is valid; this is only an authorization check, and the $1 is not actually charged. Once those prerequisites are in place, we proceed to create the account by opening the Amazon Web Services homepage.
Creating an AWS account

On the homepage click the "Create a Free Account" option. If someone has signed in to AWS from the same browser before you, cookies will make the page show "Sign In to Console" instead of "Create a Free Account", so don't let this confuse you. Either option opens a new "Sign In / Sign Up" page for the AWS console. The AWS console is the central place for managing your AWS services.
Image 1. Sign In or Create AWS Account

Notice on the right-hand side what you get for free as a new user during the first 12 months of using AWS. Amazon calls this offer the AWS Free Tier; it lets new users use some services free of charge and get hands-on experience without spending money. As you learn more about AWS, you'll notice that not every service has a free tier.
To start registering and creating your own account, type in your email address, select the "I am a new user" option and click "Sign in using our secure server".
Image 2. Login Credentials
After you've entered the required credentials, click "Create account". Next, you'll need to enter your contact information:
Image 3. Contact Information
NOTE: At the time of writing, Amazon does not accept a name that contains the letters Č, Ć, Š, Đ or Ž. After you've entered your contact information, the next step asks for your credit card details:
Image 4. Payment Information
Click "Continue", and in the next window click "Call Me Now". Note that you need to remove the leading zero from the Phone Number field, because the "Country Code" field already holds your country's dialling code.
Image 5. Identity Verification
After you click the Call Me Now button, you'll automatically receive a call from Amazon on the number you entered, and during the call a PIN appears on your screen. Enter that PIN after the automated voice has given you the instructions. I received a call on Viber, and I was told that it is an automatic call from Amazon and that I'll need to enter the four-digit PIN from the screen. If you rush and enter the PIN before the instructions are finished, you'll be told that the number you entered isn't valid. In that case, clear the entered PIN on your phone and enter it again. NOTE: If you enter a wrong PIN 12 times, you'll need to wait 24 hours before Amazon calls the same number again.
Image 6. Identity Verification Enter PIN
After entering the PIN and verifying your identity, you'll proceed to select your Support Plan. There are four plans to choose from:
Basic
Developer
Business
Enterprise
The Basic support plan is free and is the one we'll choose for our account. It lets you contact customer service about billing and account questions and gives access to the AWS forums, which in practice is the more useful part; the "health checks" it mentions refer to the AWS service health status (the "EC2 system status"), not to the status checks of your individual EC2 instance. Technical support cases are not included in this plan. If you scroll to the bottom of the window, you'll see the full list of AWS Support Features.
Image 7. Support Plan
Confirmation, the last step of creating your AWS account, is done by clicking the "Continue" button, which takes you to the Amazon Web Services welcome page. There, select "Sign In to the Console". The sign-in page (Image 1.) appears again; select "I am a returning user and my password is", enter your password and click "Sign in using our secure server". After a successful sign-in you land on the new home page, called "Console Home".
Image 8. Console Home
In the top right corner you'll see your user name and your region. After you sign in, the default region is US West (Oregon), us-west-2. You can select any region you want, the one closest to your location or one chosen on some other basis. An AWS region is a separate geographic area, and each region consists of several isolated physical data center locations known as "Availability Zones".
Image 9. Amazon Region and Availability Zones
We'll continue our work in the us-west-2 region. In the console, click Services.
Image 10. AWS Services
After clicking Services, all available services and service categories appear on screen. Besides creating an AWS account, our goal is to create two EC2 instances, one Windows and one Ubuntu, both within the "Free tier", i.e. free of charge. To do that, we first choose the EC2 service. If you haven't validated your account by following the link Amazon emailed you, or if Amazon failed to verify your credit card (the $1 test transaction did not go through), you'll see this after choosing the service:
Image 11. Verify your email address
In my case, it's a matter of me not validating my account. If this happens, all you need to do is check your email inbox and click the link provided by Amazon. Doing so takes you to the IAM service, which handles users and their permissions.
Image 12. Security Credentials
We'll select the "Get Started with IAM Users" option, and the window shows that no users exist yet. For now we won't create any users or assign them permissions; instead we continue as the "root user", which is bad practice and is addressed in the last section of this document. Again, click "Services" and select "EC2", which opens the "EC2 Dashboard".
Image 13. EC2 Dashboard
To create an EC2 instance, select the "Launch Instance" option; the instance is created in 7 steps.
Creating and connecting to Ubuntu and Windows EC2 instances

Step 1: Choose an Amazon Machine Image (AMI)
We select an Amazon Machine Image, i.e. a machine template containing predefined software such as the OS, a web server and so on.
Image 14. Choose an Amazon Machine Image
It's important to select an AMI marked "Free tier eligible". We'll choose "Ubuntu Server" and click "Select".

Step 2: Choose an Instance Type
Here the instance type is chosen, and it is mandatory to select one marked "Free tier eligible", which is the case for the t2.micro instance type. Click Next: Configure Instance Details.

Step 3: Configure Instance Details
In the 3rd step we leave the default settings.
Image 15. Configure Instance Details
Click Next: Add Storage.

Step 4: Add Storage
This is the step where we choose and define the storage. We'll leave it at the default 8 GiB. Pay attention to the warning: "Free tier eligible customers can get up to 30 GB of EBS General Purpose (SSD) or Magnetic storage. Learn more about free usage tier eligibility and usage restrictions." Click Next: Tag Instance.

Step 5: Tag Instance
Adding "tags" to instances, and to everything else inside AWS, is of paramount importance. It makes it much easier to find your way around all the resources you create later on. Without proper tagging you'll never be sure for which purpose you created any given service or instance.
Image 16. Tag instance
After adding tags, we proceed to configuring the Security Group. Click Next: Configure Security Group.

Step 6: Configure Security Group
You can choose an existing security group or create a new one. A security group acts as a firewall for the instance. We'll choose the existing default security group and edit it later on.
Image 17. Configure Security Group
Click "Review and Launch", check the instance settings, and click "Launch". After clicking "Launch", we need to create a new key pair, i.e. download to our machine the private key we'll use to connect to the instance. This key is the only credential for the instance: keep it safe and never share it.
Image 18. Save private key
After downloading the private key, click "Launch Instances" and then "View Instances", which takes us to the "Instances" section of the EC2 dashboard.
Image 19. EC2 Dashboard
Once the "Status Checks" of our instance are finished, we can connect to it. Connecting to an Ubuntu machine from Windows is done with PuTTY, whereas from a Unix-like system we use the terminal. First we'll connect using the terminal.
Image 20. Connect To Your Instance
The default user name for an Ubuntu instance is ubuntu. Now we'll try to connect to our Ubuntu instance from the terminal with the following command:

ssh -i "FreeTierInstancesKeyPair.pem" ubuntu@ec2-52-36-32-67.us-west-2.compute.amazonaws.com
Image 21. Connecting using terminal
From the image above (Image 21.) we can see that our private key is "unprotected", i.e. its file permissions are too open: ssh refuses to use a private key that other users on the machine can read. We restrict the permissions so that only the owner can read the file, with the following command:

chmod 400 FreeTierInstancesKeyPair.pem

But the connection error appears again.
Image 22. Connecting error
The reason is that "ssh port 22" is not open for access to our instance. Security groups act as a firewall for instances, and when creating the instance we selected the default security group, which only allows inbound traffic from instances in the same security group. In the rule shown, the source sg-de07a3b9 is the id of our own security group.
Image 23. Edit Security Group
We need to add a rule for port 22 to our default security group. Select "Security Groups" on the left side of the EC2 Dashboard, mark our security group (currently we only have one), and edit the "Inbound rules" by adding a rule that allows incoming traffic on port 22. This tutorial allows it from any location (0.0.0.0/0); that is the quickest way to get connected, but it exposes SSH to the whole Internet, so in practice choose "My IP" as the source, or enter your own address as a /32, so that only your machine can reach the port.
Image 24. Add Inbound rule
Notice that this security group has an empty "Name" column, which is where the "Name" tag goes. Now it's clear that without tags you'd have big problems telling your security groups apart. You can add the tag to the default security group by clicking in the "Name" field. As we'll be using the same security group for our Windows instance, we also add a rule for port 3389, which is used for "RDP access". The same caveat applies: restrict the source to your own IP address rather than opening RDP to the whole Internet.
Image 25. Tagging Security Group

Now, if we try to connect to our Ubuntu EC2 instance once again, the connection succeeds.
Image 26. Connected
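The two rules added above open SSH and RDP to the whole Internet. The following is an added example, not code from the original tutorial, that audits a security group for exactly that and builds the restricted replacement rule. The group in the block is constructed by hand in the shape that `aws ec2 describe-security-groups` returns; the id sg-de07a3b9 is the one from the text, and 203.0.113.10 is a documentation address standing in for your own IP.

```python
"""Audit EC2 security group ingress rules for administrative ports
exposed to the whole Internet, and build the restricted rule to use
instead.  Added example for this tutorial; SAMPLE_GROUP is constructed
by hand in the shape `aws ec2 describe-security-groups` returns, it is
not real output."""

import ipaddress

# Ports this tutorial opens: 22 (SSH to Ubuntu) and 3389 (RDP to Windows).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = ("0.0.0.0/0", "::/0")

# Constructed sample: the default security group after the tutorial's
# edits.  The group id sg-de07a3b9 is the one shown in the text.
SAMPLE_GROUP = {
    "GroupId": "sg-de07a3b9",
    "GroupName": "default",
    "IpPermissions": [
        {"IpProtocol": "-1",  # default rule: all traffic from the group itself
         "UserIdGroupPairs": [{"GroupId": "sg-de07a3b9"}],
         "IpRanges": [], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ],
}


def _port_range(perm):
    """Return (from, to) for a permission; protocol -1 means all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_exposed_admin_ports(group):
    """List (port, service, cidr) for every admin port reachable from
    0.0.0.0/0 or ::/0 over TCP (or through an all-protocols rule)."""
    findings = []
    for perm in group["IpPermissions"]:
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = _port_range(perm)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr not in ANYWHERE:
                continue
            for port, name in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append((port, name, cidr))
    return sorted(findings)


def restricted_rule(port, source_ip):
    """Build the ingress permission that replaces a world-open rule: the
    same port, but only from the single address you administer from."""
    addr = ipaddress.ip_address(source_ip)
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if addr.version == 4:
        perm["IpRanges"] = [{"CidrIp": f"{addr}/32"}]
    else:
        perm["Ipv6Ranges"] = [{"CidrIpv6": f"{addr}/128"}]
    return perm


if __name__ == "__main__":
    for port, name, cidr in world_exposed_admin_ports(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupId']}: {name} ({port}/tcp) open to {cidr}")
    # 203.0.113.10 is a documentation address standing in for your own IP.
    print(restricted_rule(22, "203.0.113.10"))
```

To run it against a real group, replace SAMPLE_GROUP with one element of the SecurityGroups list that `aws ec2 describe-security-groups --group-ids sg-de07a3b9` prints. The dictionary returned by restricted_rule is the IpPermissions entry to authorize once the 0.0.0.0/0 rule has been revoked; authorizing the narrow rule first and revoking the open one second keeps you from locking yourself out.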
To check basic information about our instance from inside it, we use the instance metadata service at http://169.254.169.254/latest/meta-data/ with the curl or GET command:

curl http://169.254.169.254/latest/meta-data/
GET http://169.254.169.254/latest/meta-data/

This address is reachable only from the instance itself, but any process on the instance can query it without credentials; besides the items listed here it also serves the temporary credentials of any IAM role attached to the instance, so treat it as sensitive.
Image 27. Checking instance metadata
If, for example, we want to find out our public IP address, we use the following command:

curl http://169.254.169.254/latest/meta-data/public-ipv4
Image 28. Checking instance Public IP
We can see that our IP address is 52.36.32.67
To make sure that this is indeed our public IP address, go to the "EC2 dashboard"; the "Public IP" attribute in the instance description shows the same value. Connecting from Windows to the Ubuntu EC2 instance is done with "PuTTY" and "PuTTYgen" (the PuTTY Key Generator). First we convert our private key FreeTierInstancesKeyPair.pem into PuTTY's ".ppk" format: start PuTTYgen, go to "Conversions", then "Import key", and import the ".pem" file. After the key is imported, click "Save private key" and confirm with "Yes" (PuTTYgen asks whether you really want to save the key without a passphrase).
Image 29. Import .pem file
After saving the private key in .ppk format, start PuTTY and under "Connection > SSH > Auth" browse to the .ppk private key.
Image 30. Connecting via putty
Then enter the public IP address in the "Session" section, leave the port at 22, click "Open", accept the host key with "Yes", and when the "login as" prompt appears enter ubuntu as the user name. We are now connected to our Ubuntu EC2 instance with PuTTY.
Image 31. Connected

Now we need to create a Windows Server instance. We do it through the same seven steps used for the Ubuntu instance. The only difference is that in the first step we select "Microsoft Windows Server 2012 R2 Base", which is "Free tier eligible", as the AMI. When we get to the "key pair" step, we select the same key pair we created for the Ubuntu instance and click "Launch Instance".
Image 32. EC2 Dashboard with our instances
As we can see, the EC2 Dashboard now shows a new instance. We wait for it to pass the "status checks" and then connect to it. Click "Connect", then "Get Password": the Administrator password of a Windows instance is encrypted with the public key of the key pair, so you provide the private key FreeTierInstancesKeyPair.pem to decrypt it. We'll use this password for "RDP" access to our Windows instance. Then download the "Remote Desktop File" and connect to the Windows instance.
Image 33. Connecting to Windows Server instance
Image 34. Connected
Monitoring AWS account expenses

After we've successfully logged in to our EC2 instances, it's good practice to set up control over expenses. Whether the account is meant for the free services Amazon allows or is a production account, monitoring expenses is of paramount importance. NOTE: AWS provides free resources for a period of 12 months; for details on specific services, visit https://aws.amazon.com/free/. Nevertheless, if for any reason during the testing period you cross the free limits (for example you created a larger EC2 instance and forgot to shut it down), the excess is charged to your credit card. That's why it's very important to set up expense monitoring and receive email alerts at the amount you define, and so avoid unnecessary expenses. For expense monitoring we'll use the "CloudWatch" service.
Image 35. CloudWatch
Once we select the "CloudWatch" service, we're taken to its console, i.e. the "dashboard".
Image 36. CloudWatch Dashboard
If we read the "Alarm Summary" we'll see the following message: "You can now use Amazon CloudWatch alarms to monitor the estimated charges on your AWS bill and receive email alerts whenever charges exceed a threshold you define. Visit the CloudWatch US East (N. Virginia) region to manage your billing alarms." Billing metrics are published only in the US East (N. Virginia) region, us-east-1, so to monitor our expenses we must switch to that region; at the moment the default US West region is selected (the region is shown in the upper right corner, next to your user name). Change the region by clicking the link "Go to CloudWatch US East (N. Virginia) region", or with the region menu in the upper right corner. After changing the region, perform these steps:
1. Open the "Billing and Cost Management" console at https://console.aws.amazon.com/billing/home?# , or click your user name and select "Billing & Cost Management" from the menu.
2. In the navigation panel on the left select "Preferences", check the "Receive Billing Alerts" option, and save the settings.
NOTE: While doing this, check which region you're in.
Image 37. Billing Preferences
Our next step is to create an "Alarm" that warns us when the defined amount is exceeded. To create an "Alarm":
1. Open the "CloudWatch console" at https://console.aws.amazon.com/cloudwatch/, or as shown in Image 35. Be aware that you have to be in the US East (N. Virginia) region.
2. In the "CloudWatch console", as shown in Image 36., click "Create Alarm".
3. In the "CloudWatch Metrics by Category" section, under "Billing Metrics", select "By Service".
Image 38. Cloud Watch Metrics
4. Next you'll see all the services available for monitoring (the list grows as you use more of AWS), and in the lower part of the window a graph of your expenses over time. Select the service you want to monitor, in this case "Amazon EC2", and click "Next".
Image 39. Select Metric
5. In the "Define Alarm" section we define the conditions for the "Alarm": the threshold amount, and under "Actions" a "Notification" that sends an email to the address we choose when the "Alarm" reports that the defined limit has been exceeded.
Image 40. Define Alarm

6. For the "Whenever this alarm" setting select "State is ALARM", and for "Send notification to" click "New list", create a new SNS topic and add the recipient's email address.
Image 41. Set Up notifications
Then click "Create Alarm". NOTE: After creating the "Alarm" you'll receive an email "AWS Notification Subscription Confirmation" asking you to confirm the subscription; until you confirm it, no alarm emails are delivered. After all these steps you'll have the situation shown in the image below:
Image 42. CloudWatch console
As we can see in the image, the state of our alarm is OK (a freshly created alarm can show INSUFFICIENT_DATA until the first billing datapoint arrives), and on any change we're notified by email. Note that the alarm only notifies; it doesn't stop or cap spending, so act on the email when it arrives.
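The steps above are the console version of a single CloudWatch alarm. As an added example that is not part of the original document, the block below expresses the same alarm as the parameters that boto3's put_metric_alarm (or the flags of `aws cloudwatch put-metric-alarm`) takes, and applies the evaluation rule CloudWatch uses to a constructed series of EstimatedCharges datapoints, so you can see when the state flips. The SNS topic ARN and the account id 123456789012 are placeholders; nothing in the block contacts AWS.

```python
"""Billing alarm for the "Monitoring AWS account expenses" section, as
the parameters CloudWatch needs plus the rule it applies to the
EstimatedCharges datapoints.  Added example, not code from the original
document; nothing here talks to AWS, and the datapoints at the bottom
are constructed.  Billing metrics exist only in us-east-1, and
"Receive Billing Alerts" must be enabled in the billing console first."""

BILLING_REGION = "us-east-1"
SIX_HOURS = 6 * 60 * 60  # EstimatedCharges is published roughly every 6 h


def billing_alarm_params(threshold_usd, topic_arn, service_name=None,
                         alarm_name="billing-threshold"):
    """Keyword arguments for boto3 `cloudwatch.put_metric_alarm` (the same
    names as the `aws cloudwatch put-metric-alarm` flags).  Without
    `service_name` the alarm watches the whole bill; with it only that
    service, which is what the tutorial selects under "By Service"."""
    dimensions = [{"Name": "Currency", "Value": "USD"}]
    if service_name:  # e.g. "AmazonEC2"
        dimensions.insert(0, {"Name": "ServiceName", "Value": service_name})
    return {
        "AlarmName": alarm_name,
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": dimensions,
        "Statistic": "Maximum",
        "Period": SIX_HOURS,
        "EvaluationPeriods": 1,
        "Threshold": float(threshold_usd),
        "ComparisonOperator": "GreaterThanThreshold",
        # The SNS topic that holds the (confirmed) email subscription.
        "AlarmActions": [topic_arn],
    }


def alarm_state(params, datapoints):
    """Evaluate the alarm the way CloudWatch does for this configuration.
    `datapoints` holds the Maximum value of each 6 h period, oldest first.
    Fewer datapoints than EvaluationPeriods means no verdict yet
    (INSUFFICIENT_DATA, what a fresh alarm shows); ALARM requires every
    one of the last EvaluationPeriods datapoints to breach; otherwise OK."""
    n = params["EvaluationPeriods"]
    if len(datapoints) < n:
        return "INSUFFICIENT_DATA"
    recent = datapoints[-n:]
    if all(value > params["Threshold"] for value in recent):
        return "ALARM"
    return "OK"


def first_breach(params, datapoints):
    """Index of the first datapoint at which the alarm would have gone to
    ALARM, or None.  EstimatedCharges accumulates through the billing
    month and resets to 0 on the first day of the next one, so a breach
    is normally reached once and then stays until the month ends."""
    n = params["EvaluationPeriods"]
    for i in range(n, len(datapoints) + 1):
        if alarm_state(params, datapoints[:i]) == "ALARM":
            return i - 1
    return None


if __name__ == "__main__":
    # Placeholder topic ARN; 123456789012 is not a real account id.
    params = billing_alarm_params(
        10, "arn:aws:sns:us-east-1:123456789012:billing-alerts",
        service_name="AmazonEC2")
    # Constructed: a free-tier month, then a forgotten larger instance.
    charges = [0.0, 0.0, 0.0, 0.37, 2.15, 6.80, 11.42, 15.01]
    print(alarm_state(params, charges))   # ALARM
    print(first_breach(params, charges))  # 6
```

The dictionary can be passed unchanged as `boto3.client("cloudwatch", region_name=BILLING_REGION).put_metric_alarm(**params)` once the SNS topic exists and its email subscription has been confirmed; creating the alarm in any other region fails to find the metric.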
Basic AWS account security settings

In the process of creating our account I mentioned that we'd be using the "root account" for this tutorial, which isn't good practice at all. We should create "users" with their own credentials for everyone who works in the account, and never use the "root account" for further work. AWS Identity and Access Management (IAM) is the service that gives us full control over users and their access to AWS. The basic security settings for an AWS account come down to a few points that are enough for a starting level of AWS use:
1. Create a new user through the IAM console and grant it only the permissions that are really necessary (least privilege).
2. Enable AWS CloudTrail, a service that logs API calls. It stores the log files in an S3 bucket of ours, and later, if necessary, we can analyse them to find out which user performed which action on our AWS account.
3. A password policy is also very important, because you have to make the users of your AWS account create and use strong passwords, including special characters and so on, and change them on a regular basis; it's not rare to see a very complicated password on a note next to a monitor, and in most cases that is exactly the password for the AWS account. The biggest security hole in the system is the human, so this part is very important.
4. Enabling multi-factor authentication (MFA) for the root user is one of the most important settings, because if the root user is compromised, the whole AWS account and all of its infrastructure is compromised. MFA in AWS can be done with a virtual or a physical MFA device. The point of MFA is to require another form of proof of identity besides the user name and password: something you know (the user name and password) and something you have (the MFA device).
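Points 2 and 4 only pay off if someone actually reads the trail. The following added example, not part of the original document, reads CloudTrail records in the format CloudTrail delivers to the S3 bucket (gzip-compressed JSON, one {"Records": [...]} document per file) and flags the two things the settings above are meant to prevent: API calls made with the root user and console logins made without MFA; it also summarises which user did what. The records, the account id 123456789012, the user alice and the 203.0.113.x addresses are constructed for the example.

```python
"""Scan CloudTrail records for root-user activity and console logins
without MFA, and summarise who did what.  Added example, not part of the
original document; SAMPLE_LOG is constructed, with the account id
123456789012, the user alice, the principal id AIDAEXAMPLE and the
203.0.113.x addresses as placeholders."""

import gzip
import json

# Constructed sample of what one delivered CloudTrail log file contains.
SAMPLE_LOG = {"Records": [
    {"eventTime": "2016-02-19T09:58:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-02-19T10:02:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "requestParameters": {"groupId": "sg-de07a3b9"}},
    {"eventTime": "2016-02-19T14:30:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accountId": "123456789012", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2016-02-19T14:31:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accountId": "123456789012", "userName": "alice"}},
]}


def load_records(path):
    """CloudTrail writes gzip-compressed JSON files to the S3 bucket;
    open one downloaded file and return its records."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]


def actor(record):
    """Short label for who made the call."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn") or ident.get("type", "?")


def root_activity(records):
    """Every call made as the root user, which should never be used for
    day-to-day work.  Returns (time, eventName, sourceIP) tuples."""
    return [(r["eventTime"], r["eventName"], r.get("sourceIPAddress"))
            for r in records
            if r.get("userIdentity", {}).get("type") == "Root"]


def logins_without_mfa(records):
    """Successful console logins where no MFA code was entered."""
    hits = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            hits.append((r["eventTime"], actor(r), r.get("sourceIPAddress")))
    return hits


def who_did_what(records):
    """Per actor, the distinct service:action pairs seen, i.e. the
    question the text says CloudTrail answers."""
    summary = {}
    for r in records:
        summary.setdefault(actor(r), set()).add(
            f"{r['eventSource'].split('.')[0]}:{r['eventName']}")
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    recs = SAMPLE_LOG["Records"]
    print("root activity:", root_activity(recs))
    print("logins without MFA:", logins_without_mfa(recs))
    print(who_did_what(recs))
```

Against real data, call load_records on each .json.gz file downloaded from the CloudTrail bucket and concatenate the lists; an empty result from root_activity and logins_without_mfa is what the four settings above are meant to achieve.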
With these four phases, creating an AWS account, creating and connecting to Ubuntu and Windows EC2 instances, setting up an alarm for monitoring expenses, and creating users and applying the basic security settings, we are ready to explore the vast range of Amazon Web Services resources in more detail.