Getting started with AWS

This is a collection of things which should be done before a first POC (Proof of Concept) or a first deployment can happen. These hints are not sufficient to set up a production and final development environment. Be ready to abandon the entire account and to recreate a production account by using the AWS Landing Zone concept.

The goal of this page is to help you build a safe environment which uses a minimum set of AWS features.

Stefan Schneider Thu, 03/26/2020 - 13:45

Media transfers to EC2 instances

Most users will have to transfer installation media to the targeted EC2 systems. Copying data to a bastion host or a jump start server is the straightforward approach. AWS actually allows you to simplify this transfer with the help of S3. The idea is:

  • Copy installation media to a (private) S3 bucket
  • Download media to the target systems for the installations

S3 will store the installation media safely for future use. S3 costs are relatively low. Delete the S3 files once you don't need them anymore. This will help to keep costs at a minimum.

AWS IAM (Identity and Access Management) will help you to keep your data private. This requires a few extra steps.

1. Create an S3 Bucket to store your Installation Media

S3 buckets are uniformly accessible worldwide. Make sure that you store your media files in the region you work in. This saves costs and it expedites the data transfer.

  1. Become a user with administration rights in your AWS console
  2. Go to the S3 screen
    1. Select "Services" (upper left corner)
    2. Look or search for "S3" and click on this button
  3. Pick "Buckets" in the left column (most likely already being shown)
  4. Pick "Create bucket"
    1. Choose a name (this name must be unique, world wide across AWS!)
    2. Pick the region in which you work (a remote region will create a bit of extra cost, increase access latency and it may put your data under a different legislation)
    3. Do not pick any other option. The default setting will create a user private bucket. The costs will be OK. Access speed will be OK as well. All options but the region can be changed later on.
    4. Consider creating some subfolders in your bucket. It's straightforward...

Test the entire setup. The AWS console allows you to upload and download files as well:

  • Use the console to upload a file to a bucket.
  • Try accessing the file through its URL. This shouldn't work.
  • Use the download option to download it again.

Background information: You have the authority of the user with whom you logged into the console to perform these operations.

2. Uploading your Media Files

There are a number of options:

  • The AWS console. See above.
  • There are S3 tools out there. Search for them. You will have to provide these tools with a public and a secret user key in order to authenticate the AWS users.
  • Use the AWS CLI (Command Line Interface). You will have to provide this tool with a public and a secret user key in order to authenticate the AWS users.
    • The AWS CLI needs to be installed on on-premises systems manually.
    • Most Linux and Windows AMIs have it preinstalled. Check your EC2 system and install it manually if needed.

3. Downloading the Media Files to the EC2 Systems

Downloads within a region are very fast. We will use the AWS CLI which is preinstalled on most AMIs. Download it here if it is not installed. The EC2 system will need access to an S3 endpoint. This is given as long as the system has Internet and DNS access (very common). An S3 endpoint inside the VPC is an alternative (unlikely in a new setup).

The AWS CLI allows for safe and secure resource access in AWS. The work we will have to do is:

  • Create an access policy which allows working with one given S3 bucket.
  • Attach the policy to a role.
  • Attach the role to the instance.

This will allow any user on the EC2 instance to access the S3 bucket without any extra authentication. No IAM user will have to leave individual credentials on the machine. Users on the machine can then perform a well defined scope of actions.

3.1 Creation of a Bucket Access Policy

Perform the following steps on the AWS console:

  1. Select "Services" (upper left corner in window)
  2. Search for "IAM", select it.
  3. Pick "Policies" from the left column
  4. Push the "Create Policy" button
  5. Select the "JSON" tab
  6. Replace the content with the following:
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [ "s3:ListAllMyBuckets" ],
         "Resource": "arn:aws:s3:::*"
      },
      {
         "Effect": "Allow",
         "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ],
         "Resource": "arn:aws:s3:::examplebucket"
      },
      {
         "Effect": "Allow",
         "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject"
         ],
         "Resource": "arn:aws:s3:::examplebucket/*"
      }
   ]
}

Replace the string examplebucket with your individual bucket name. Give the policy a name, for example "mediaaccess". Save everything.

3.2 Create a Role for EC2 Systems

It takes a role which we associate with the EC2 systems that need to access the bucket with the installation media.

  1. Use the console. Use "Services" in the upper left corner
  2. Search for "IAM" and select it
  3. Select "Roles" in the left column
  4. Push "Create Role"
  5. "AWS service" with EC2 is highlighted
  6. Click on "Next: Permissions" in the lower right corner
  7. Enter the name of your policy ("mediaaccess") in the search field.
  8. Mark the policy and click on "Next: Tags"
  9. Optional: Add a tag
  10. Click on "Next: Review" in the lower right corner
  11. Provide a role name and a description
  12. Click on "Create Role" in the lower right corner
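The policy from 3.1 and the role from 3.2 can be prepared and checked before you paste anything into the console. The following Python is an added example (not part of the original page, not an AWS tool): it generates the bucket policy for a given bucket name, generates the EC2 trust policy that the console creates behind "AWS service: EC2", and lints a policy so that no Allow statement reaches beyond the one bucket. The function names are my own.

```python
"""Build and lint the single-bucket S3 access policy (added example)."""
import json

# The three statements of the page's policy, split by the level they apply to.
ACCOUNT_ACTIONS = ["s3:ListAllMyBuckets"]
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject",
                  "s3:GetObjectAcl", "s3:DeleteObject"]


def media_access_policy(bucket: str) -> dict:
    """Identity policy for exactly one bucket, equivalent to the JSON in 3.1."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ACCOUNT_ACTIONS, "Resource": "arn:aws:s3:::*"},
            {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def ec2_trust_policy() -> dict:
    """Trust policy the console attaches when 'AWS service: EC2' is chosen in 3.2."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }


def policy_problems(policy: dict, bucket: str) -> list:
    """Lint: every Allow must name specific S3 actions and stay inside `bucket`."""
    findings = []
    in_scope = {"arn:aws:s3:::*", f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not linted here
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for a in actions:
            if a in ("*", "s3:*") or not a.startswith("s3:"):
                findings.append(f"statement {i}: action {a!r} is not a specific S3 action")
        for r in resources:
            if r not in in_scope:
                findings.append(f"statement {i}: resource {r!r} is outside bucket {bucket!r}")
            elif r == "arn:aws:s3:::*" and any(a not in ACCOUNT_ACTIONS for a in actions):
                findings.append(f"statement {i}: only account-wide listing may use arn:aws:s3:::*")
    return findings


if __name__ == "__main__":
    print(json.dumps(media_access_policy("examplebucket"), indent=3))
```

Run it with your bucket name and paste the printed JSON into the "JSON" tab; an empty result from policy_problems means the policy is scoped the way section 3 intends.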

3.3 Associate the Role with all relevant Instances

The EC2 instances need to be enabled to act with this role:

  1. Use the console. Use "Services" in the upper left corner
  2. Search for "EC2" and select it
  3. View all instances
  4. Pick your instance
  5. Select "Actions" -> "Instance Settings" -> "Attach/Replace IAM Role"
  6. Select your role in "IAM role"
  7. Click on "Apply"

There may be two different situations:

  • You create a new instance: Consider assigning the IAM role when you create the instance.
  • Your instance already has a role: Consider adding the policy to the existing role.

4. Downloading media on your Instance

Your instance now has the right to access this bucket without having to add a local user!

Do not add user credentials with "aws configure"!

Run "aws configure" and add the region to be used only. This may have to be done for every Linux user who wants to download media.

You can now download a file install.zip from the bucket examplebucket with a command like

$ aws s3 cp s3://examplebucket/install.zip install.zip

The aws s3 sync command is very useful as well. It acts similarly to the Linux rsync command.

Stefan Schneider Thu, 03/26/2020 - 14:28