Virtualization: https://aws.amazon.com/what-is/virtualization/
Amazon EC2 supports Xen and Nitro hypervisors - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html
EC2 Basic monitoring and detailed monitoring in CloudWatch:
- Many AWS services offer basic monitoring by publishing a default set of metrics to CloudWatch with no charge to customers. By default, when you start using one of these AWS services, basic monitoring is automatically enabled.
- Detailed monitoring is offered by only some services. It also incurs charges. To use it for an AWS service, you must choose to activate it.
- Detailed monitoring options differ based on the services that offer it. For example, Amazon EC2 detailed monitoring provides more frequent metrics, published at one-minute intervals, instead of the five-minute intervals used in Amazon EC2 basic monitoring.
64-bit x86 vs 64-bit ARM
- When comparing 64-bit x86 and 64-bit ARM EC2 instances, the main difference is power efficiency. ARM processors (called "Graviton" on AWS) usually offer better cost-performance because they use less power while delivering similar performance to x86. This makes ARM a good choice where saving money matters, especially for lighter computing work. For heavy computational tasks, however, x86 might still give slightly better performance.
Credit specification
A credit specification is only available for T2, T3, and T3a instances. Selecting Unlimited for the credit specification allows applications to burst beyond the baseline for as long as needed at any time.
Agent installation
IAM permissions for the instance: The following AWS managed policies must be added to an IAM role that is attached to the instance:
- AmazonSSMManagedInstanceCore – Enables an instance to use Systems Manager to install and configure the CloudWatch agent.
- CloudWatchAgentServerPolicy – Enables an instance to use the CloudWatch agent to write data to CloudWatch.
EC2 Instances Purchasing Options
- On-Demand Instances: short workload, predictable pricing
- Reserved (MINIMUM 1 year):
  - Reserved Instances: long workloads
  - Convertible Reserved Instances: long workloads with flexible instances
  - Scheduled Reserved Instances: example – every Thursday between 3 and 6 pm
- Spot Instances: short workloads, cheap, can lose instances (less reliable)
- Dedicated Hosts: book an entire physical server, control instance placement
- Dedicated Instances: no other customers will share your hardware
Amazon Data Lifecycle Manager
- Automated snapshot and AMI creation
- Fast snapshot restore integration
- Built-in cross-Region copy
- Automated cross-account snapshot copy
Snapshot vs AMI
- A snapshot is taken of an EBS volume: it saves the volume's state at a certain point in time so you can restore and reboot with the same data.
- An AMI is similar, but it is for the EC2 instance itself. You cannot take a snapshot of a non-EBS-backed instance, but you can create an AMI (system image) of one. Mostly, you use EBS snapshots as the backup solution for a database volume and an AMI to save the instance configuration.
- Think of the EC2 instance as a PC/laptop, EBS storage as its hard disk, and the AMI as the operating system image. So an AMI is an Amazon Machine Image, and an EBS snapshot is an Elastic Block Store snapshot taken at a moment in time.
- AMIs are used to launch new EC2 instances, whereas EBS snapshots let you back up a volume before terminating an instance; the restored volume can then be attached to any EC2 instance for storage and retrieval.
- An EBS volume is the underlying disk behind an EC2 instance. A snapshot is a point-in-time backup of a specific volume, while an AMI is a backup of the entire EC2 instance, which may have multiple attached volumes, exactly like a virtual machine image.
Status Checks
System status checks
Automated checks that identify hardware and software issues, for example problems on the physical host or loss of system power. In effect they reflect what the Personal Health Dashboard reports about scheduled critical maintenance by AWS on your instance's host.
To resolve, stop and start the instance so that it migrates to a new host; this is also why you get a new IP address.
Instance status checks
Monitor the software/network configuration of your instance, for example invalid network configuration or exhausted memory.
To resolve, reboot the instance or change the instance configuration.
Attached EBS status checks
Monitor the volumes attached to your instance (reachable and able to complete I/O operations).
To resolve, reboot the instance or replace the affected EBS volumes.
Status Checks - CW Metrics & Recovery
- CloudWatch Metrics (1 minute interval)
  - StatusCheckFailed_System
  - StatusCheckFailed_Instance
  - StatusCheckFailed_AttachedEBS
  - StatusCheckFailed (for any)
- Option 1: CloudWatch Alarm
  - Recover EC2 instance with the same private/public IP, EIP, metadata, and Placement Group
  - Send notifications using SNS
- Option 2: Auto Scaling Group
  - Set min/max/desired 1 to recover an instance, but it won't keep the same private and elastic IP
Share AMI (cross-account):
- When you share an AMI encrypted with a customer managed KMS key with another account, you must also share the KMS key with the destination account ID or a specific IAM role.
- When you copy the shared AMI within the destination account, the copy uses the default EBS key unless you provide a custom KMS key from the destination account.
- Volumes that are created from encrypted snapshots are automatically encrypted using the same key as the snapshot, or using a different key that you specify. Volumes that are created from unencrypted snapshots are automatically unencrypted, but you can choose to encrypt them using a specific key. If no snapshot is selected, you can choose to encrypt the volume and specify your own key.
- When you choose the option to create volumes, you are also sharing the snapshot with the other account along with the AMI, so that account can create a volume independently without launching an EC2 instance.
- When you don't choose the create-volume option while sharing the AMI, the destination account cannot copy the AMI; it can of course still launch an instance (which will use the aws/ebs KMS key) and create another AMI from it.
Default Encryption and IMDS default settings:
Start/Stop behaviour of EC2 on instance-store-backed storage
- Instance Store is disk storage directly attached to the Amazon EC2 host machine. When an EC2 instance is stopped, the virtual machine is removed and it loses its CPU, RAM and instance store so that they can be allocated to another user.
- Data saved on Amazon EBS volumes is retained because EBS is network-attached storage kept separate from the host computer.
- The only way to "save" your data is to copy it to another location (e.g. an EBS volume or an Amazon S3 bucket) before stopping the instance.
- When you stop or hibernate your EC2 instance you will lose the public IP address attached to it
Stop behaviour of EC2
- When you stop an EC2 instance, the instance is shut down and the virtual machine that was provisioned for you is permanently taken away, and you are no longer charged for instance usage. The key difference between stopping and terminating an instance is that the attached bootable EBS volume is not deleted. The data on your EBS volume remains after stopping, while all information on the local (ephemeral) disk is lost as usual. The volume continues to persist in its Availability Zone, and standard charges for EBS volumes apply. Therefore, you should only stop an instance if you plan to start it again within a reasonable timeframe; otherwise, you might want to terminate it instead to save cost.
- The ability to stop an instance is only supported on instances launched from an EBS-backed AMI, where the root device data is stored on an attached EBS volume (an EBS boot partition) rather than on the local instance storage. As a result, one key advantage of starting a stopped instance is that it should, in theory, boot faster: when you start a stopped instance, the EBS volume is simply attached to a newly provisioned instance. Although the AWS ID of the new virtual machine is the same, it will have new IP addresses, DNS names, etc. You shouldn't think of starting a stopped instance as simply restarting the same virtual machine you just stopped, as it will most likely be a completely different virtual machine that is provisioned to you.
- EC2 Image Builder is used for automated creation of virtual machine or container images
- It automates the creation, maintenance, validation and testing of EC2 AMIs
- It can run on a schedule (weekly, whenever packages are updated, etc.)
- It is a free service; you pay only for the underlying resources
- It can publish AMI to multiple regions and multiple accounts
EC2 Security Group:
- Modifying a security group rule never disrupts its tracked connections, i.e. existing connections are kept until they time out.
- Use NACLs to interrupt/block connections immediately (NACL inbound deny-to-ALL rule #90)
Self-Referencing in SG:
When you create an inbound security group rule you need to specify where the originating traffic is allowed to come from. This could be an IP address, subnet, CIDR block, prefix list, or a security group. When you specify self = true, you are saying the originating traffic must come from some resource with that same security group applied. For example, an EC2 instance with that security group assigned would be able to reach another EC2 instance with that same security group.
Steps to address compromised instances (reference: Stephane Maarek course):
- Capture the instance's metadata
- Enable Termination Protection
- Isolate the instance (replace the instance's SG - no outbound traffic authorized)
- Detach the instance from any ASG (suspend processes)
- Deregister the instance from any ELB
- Snapshot the EBS volumes (deep analysis)
- Tag the instance (e.g. investigation ticket)
- Offline investigation: shutdown instance
- Online investigation (e.g. snapshot memory or capture network traffic)
- Automate the isolation process: Lambda
- Automate memory capture: SSM Run Command
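The containment steps above as one automated playbook, added here as an example (it is not code from the course or from these notes). It issues boto3-style calls against a recording stand-in so it runs offline; pass real boto3.client("ec2"), ("autoscaling") and ("elbv2") objects to use it for real. The ticket, ASG name, target group ARN and all resource IDs are placeholders.

```python
class RecordingClient:
    """Offline stand-in for a boto3 client: records calls, returns canned responses."""
    def __init__(self, canned=None):
        self.calls, self.canned = [], canned or {}
    def __getattr__(self, op_name):
        def op(**kwargs):
            self.calls.append((op_name, kwargs))
            return self.canned.get(op_name, {})
        return op

def create_isolation_sg(ec2, vpc_id):
    """Quarantine SG: no inbound rules, and strip the allow-all egress a new SG gets by default."""
    gid = ec2.create_security_group(GroupName="ir-quarantine", Description="IR quarantine", VpcId=vpc_id)["GroupId"]
    egress = ec2.describe_security_groups(GroupIds=[gid])["SecurityGroups"][0]["IpPermissionsEgress"]
    if egress:  # revoke exactly what exists (IPv4 and, on dual-stack VPCs, IPv6)
        ec2.revoke_security_group_egress(GroupId=gid, IpPermissions=egress)
    return gid

def isolate_instance(ec2, autoscaling, elbv2, instance_id, isolation_sg,
                     asg_name=None, target_group_arn=None, ticket="IR-TICKET-PLACEHOLDER"):
    """Contain a suspected-compromised instance while preserving evidence."""
    # 1. Capture the instance's metadata before anything is changed.
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    # 2. Termination protection: neither a person nor automation can destroy the evidence.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    # 3. Isolate: the quarantine SG replaces every SG. Tracked connections survive this; use a NACL deny to cut them now.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    # 4. Detach from the ASG so a health check cannot terminate it; capacity is kept so a clean replacement launches.
    if asg_name:
        autoscaling.detach_instances(InstanceIds=[instance_id], AutoScalingGroupName=asg_name, ShouldDecrementDesiredCapacity=False)
    # 5. Deregister from the load balancer so no more client traffic reaches it.
    if target_group_arn:
        elbv2.deregister_targets(TargetGroupArn=target_group_arn, Targets=[{"Id": instance_id}])
    # 6. Snapshot each EBS volume for offline analysis, tagged with the ticket.
    tags = [{"Key": "Investigation", "Value": ticket}]
    snapshots = [ec2.create_snapshot(VolumeId=b["Ebs"]["VolumeId"], Description=f"{ticket} {b['DeviceName']}",
                                     TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}]).get("SnapshotId")
                 for b in inst.get("BlockDeviceMappings", []) if "Ebs" in b]
    # 7. Tag the instance itself with the investigation ticket.
    ec2.create_tags(Resources=[instance_id], Tags=tags)
    return {"metadata": inst, "snapshots": snapshots}

def demo():
    # Constructed sample responses; with real clients these come from the API.
    ec2 = RecordingClient({
        "create_security_group": {"GroupId": "sg-0quarantine"},
        "describe_security_groups": {"SecurityGroups": [{"IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]},
        "describe_instances": {"Reservations": [{"Instances": [{"InstanceId": "i-0constructed",
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0constructed"}}]}]}]},
        "create_snapshot": {"SnapshotId": "snap-0constructed"}})
    asg, elb = RecordingClient(), RecordingClient()
    sg = create_isolation_sg(ec2, "vpc-0constructed")
    result = isolate_instance(ec2, asg, elb, "i-0constructed", sg, asg_name="web-asg", target_group_arn="arn:placeholder")
    return result, [name for name, _ in ec2.calls], asg.calls, elb.calls
```

The recorded call order is the evidence-preserving order: capture, protect, isolate, detach, deregister, snapshot, tag.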
AWS Backup:
- Backup as a service
- AWS Backup is a cost-effective, fully managed, policy-based service that simplifies data protection at scale.
- Define Backup plans, schedule backups, automate backup retention management, centrally monitor backup activity, and restore backups.
Compute Optimizer
Compute Optimizer is an ML-based service designed to answer the sizing question for you: run your workload, then check the recommendation. It finds the best price for the performance.
Lost Key Pair of EC2, How to regain access
- Using EC2 user data
  - Create a new key pair and copy the public key
  - Stop the instance, update the EC2 user data (cloud-config format)
  - It doesn't override the existing public keys
- Using Systems Manager
  - Use the AWSSupport-ResetAccess automation document
  - It will create and apply a new key pair
  - It will store the private key encrypted in SSM Parameter Store at /ec2rl/openssh/instance_id/key
  - Make sure the IAM role has sufficient permissions and the SSM agent is installed on the instance
  - Works for Linux and Windows
- Using EC2 Instance Connect
- Using EC2 Serial Console
- Using EBS volume swap
  - Windows (AMIs with the EC2Launch v2 service)
    - Verify the EC2Launch v2 service is running
    - Detach the EBS root volume
    - Attach the volume to a temporary instance as a secondary volume
    - Delete the file %ProgramData%/Amazon/EC2Launch/state/.run-once
    - Re-attach the volume to the original instance, then restart the instance; you will be able to set a new password
EC2 Rescue tool
- Install manually or using the AWSSupport-TroubleshootSSH Automation Document
- Install manually or using AWSSupport-RunEC2RescueForWindowsTool
- Use AWSSupport-ExecuteEC2Rescue Automation Document to troubleshoot connectivity issues
FinOps in EC2
- Reserved instance
- Savings plan
- ASG
- Spot instance
- Right sizing of EC2
- Using trusted advisor
- Using scheduled instance
- Using graviton instance
- Compute optimizer
- Understand the concepts of data transfer
- Managing EBS volume effectively
Enhanced networking with ENA
The command modinfo ena is typically used in a Linux environment to display information about the "ENA" driver, which is the Elastic Network Adapter driver. This driver is primarily used for Amazon Web Services (AWS) EC2 instances to enable high-performance networking.
Here is what you might see when running modinfo ena:
- filename: The path to the ena module file, such as /lib/modules/$(uname -r)/kernel/drivers/net/ethernet/amazon/ena/ena.ko.
- version: The version of the ena driver.
- description: A brief description of the driver (e.g., "Amazon ENA Ethernet Driver").
- author: Information about the driver author(s).
- license: The license under which the driver is released (e.g., GPL).
- parameters: Any configurable parameters that can be passed when loading the driver.
If you have the ena driver installed and would like to see this information, running the modinfo ena command on your Linux terminal should show details about the driver.
Hands on EC2 instance:
- Add new volume to EC2 instance and don’t lose the volume after stop
- Increase the Volume size
- Share encrypted AMI
- Share encrypted snapshot
- Lost key pair, retrieve it
- Share volume across region or across account
- Cloudwatch agent with ec2
- Cloudwatch subscriptions
- https://www.aws-platform.in/2024/02/play-with-ebs-volume-in-ec2-instance.html
- https://www.aws-platform.in/2022/08/how-to-recover-ec2-instance-when-there.html
- EBS Volume
- Monitor RAM
- To encrypt an EC2 volume, you need to create a snapshot first, encrypt it, and then use it as a volume
- Monitor CPU | Alarm
- Send logs from Cloudwatch unified agent to Cloudwatch
What is a PEM file:
- A PEM file may contain just about anything, including a public key, a private key, or both, because PEM is not a standard. In effect PEM just means the file contains a base64-encoded bit of data. It is called a PEM file by allusion to the old Privacy-Enhanced Mail standards which preceded S/MIME as a mail security standard. These standards specified the format of various keys and messages in a particular base64 format. See RFC 1421 for example.
- Typically a PEM file contains a base64-encoded key or certificate with header and footer lines of the form -----BEGIN <whatever>----- and -----END <whatever>-----. Over time many possibilities for <whatever> have evolved, including private keys, public keys, X509 certificates, PKCS7 data, files containing multiple certificates, files containing both the private key and the X509 certificate, and PKCS#10 certificate signing requests.
Give Access to EC2 to another user via Public Key Authentication:
- Each user generates their own SSH key pair:
  ssh-keygen -t rsa -b 4096
- Share only the user's public key with the administrator.
- EC2 stores public keys on the root volume in the ~/.ssh/authorized_keys file
- You can also create key pairs outside of AWS and upload them to AWS; ED25519 and 2048-bit SSH-2 RSA keys are supported
- Add the public key to the instance under the user's account (append the file's contents, not its name):
  cat user-public-key.pub >> ~/.ssh/authorized_keys
- Key pairs don't get deleted from the EC2 instance's root volume when the key pair is removed from the AWS console; when launching an EC2 instance from a prebuilt AMI, the old key pair will exist alongside the new key pair
Access EC2 from EC2 Instance Connect:
EC2 Serial Console:
- Use cases: troubleshoot boot, troubleshoot network configuration, analyze reboot issues
- Supported on Nitro-based instances and doesn't require any network capabilities
- You must have a user and password set up beforehand to log in to the instance; there is only one active session per instance, and the serial console is disabled in EC2 by default
Remediation of exposed EC2 key pairs
Remove all the public keys from the ~/.ssh/authorized_keys file on all EC2 instances
Create a new key pair and add its public key to the ~/.ssh/authorized_keys file on all EC2 instances; you can automate this using SSM Run Command
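The remediation above in Python, added here as an example (not code from the notes): rewrite authorized_keys so every existing key is removed and only the new public key remains, returning the SHA256 fingerprints of what was removed for the incident record. The sample file and key blobs are constructed (valid base64, not real keys); the rotate_file helper is what you would ship through SSM Run Command.

```python
import base64
import hashlib
import os
from pathlib import Path

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def fingerprint(entry):
    """SHA256 fingerprint of one authorized_keys entry, as ssh-keygen -lf prints it.
    Entries may start with options (from=..., command=...); the key-type field is located
    and the base64 blob after it is hashed. Quoted options containing spaces are not handled."""
    fields = entry.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPES) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1], validate=True)
            return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    raise ValueError(f"not an OpenSSH public key entry: {entry!r}")

def rotate_authorized_keys(content, new_pubkey):
    """Drop every existing key (all are treated as exposed), keep comments, append the new key.
    Returns (new_content, fingerprints_removed). Refuses a malformed new key or one that is
    itself among the keys being removed, so the rotation cannot lock you out or be a no-op."""
    new_fp = fingerprint(new_pubkey)  # raises if the replacement key is not parseable
    kept, removed = [], []
    for line in content.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            kept.append(line)
            continue
        removed.append(fingerprint(line))
    if new_fp in removed:
        raise ValueError("replacement key is one of the exposed keys")
    kept.append(new_pubkey.strip())
    return "\n".join(kept) + "\n", removed

def rotate_file(path, new_pubkey):
    """Apply the rotation to a real authorized_keys file and keep the 0600 mode sshd expects."""
    p = Path(path)
    new_content, removed = rotate_authorized_keys(p.read_text(), new_pubkey)
    p.write_text(new_content)
    os.chmod(p, 0o600)
    return removed

def _fake_blob(tag):
    # Constructed stand-in for a key blob: valid base64, not a real SSH key.
    return base64.b64encode(tag).decode()

# Constructed sample file: two entries that must go, one of them with options in front.
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-ed25519 {_fake_blob(b'exposed-key-one')} alice@laptop",
    f'from="10.0.0.0/8",no-pty ssh-rsa {_fake_blob(b"exposed-key-two")} deploy',
])
NEW_KEY = f"ssh-ed25519 {_fake_blob(b'freshly-generated-key')} ir-rotation"
```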
EC2 Instance Metadata - Restrict access
- You can use local firewall rules to disable access for some or all processes
  - iptables for Linux, e.g. to stop the apache user from reaching the metadata endpoint:
    sudo iptables --append OUTPUT --proto tcp --destination 169.254.169.254 --match owner --uid-owner apache --jump REJECT
- Turn off access using the AWS Console or AWS CLI (HttpEndpoint=disabled)
IMDSv2 vs IMDSv1
- IMDSv1 is accessing http://169.254.169.254/latest/meta-data directly
- IMDSv2 is more secure and is done in two steps:
  - Get a session token (limited validity) using a PUT request with a TTL header:
    TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
  - Use the session token in IMDSv2 calls via a header:
    curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"
Requiring the usage of IMDSv2
- The CloudWatch metric MetadataNoToken shows how much IMDSv1 is still being used
- You can also force IMDSv2 at instance launch using either the AWS Console or the AWS CLI ("HttpTokens: required")
- You can require IMDSv2 when registering an AMI: --imds-support v2.0
- AWS credentials provided by the IMDS now include an ec2:RoleDelivery IAM context key
  - 1.0 for IMDSv1
  - 2.0 for IMDSv2
  - Attach this policy to the IAM role of the EC2 instance
  - Or attach it to an S3 bucket to only require IMDSv2 when API calls are made by an IAM role
  - Or attach it as an SCP in your account
- Prevent the launch of an EC2 instance using the old instance metadata service (IMDSv1)
- Prevent modifying a running EC2 instance via the ModifyInstanceMetadataOptions API to re-enable the old instance metadata service (IMDSv1)
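An added example (not from the notes) of the ec2:RoleDelivery deny policy described above, with a deliberately minimal evaluator for the one condition operator it uses, plus an audit over describe-instances output that lists instances still accepting IMDSv1 requests. The describe-instances response is constructed; the policy shape follows the AWS-documented pattern.

```python
REQUIRE_IMDSV2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRoleCredentialsDeliveredByIMDSv1",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        # ec2:RoleDelivery is 1.0 for IMDSv1-delivered and 2.0 for IMDSv2-delivered credentials.
        "Condition": {"NumericLessThan": {"ec2:RoleDelivery": "2.0"}},
    }],
}

# The only condition operator the policy above uses; extend if you add statements.
OPERATORS = {"NumericLessThan": lambda have, want: float(have) < float(want)}

def _statement_matches(stmt, action, context):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(a in ("*", action) for a in actions):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, want in pairs.items():
            # IAM semantics: a (non-negated) condition on a key absent from the request
            # context is false, so credentials that never came from IMDS are unaffected.
            if key not in context or not OPERATORS[operator](context[key], want):
                return False
    return True

def denied(policy, action, context):
    """Simplified evaluator: True when any Deny statement matches (an explicit deny always wins)."""
    return any(s["Effect"] == "Deny" and _statement_matches(s, action, context)
               for s in policy["Statement"])

def imdsv1_blocked(action="s3:GetObject"):
    """(denied for IMDSv1 creds, denied for IMDSv2 creds, denied for creds not from IMDS)."""
    return (denied(REQUIRE_IMDSV2_POLICY, action, {"ec2:RoleDelivery": "1.0"}),
            denied(REQUIRE_IMDSV2_POLICY, action, {"ec2:RoleDelivery": "2.0"}),
            denied(REQUIRE_IMDSV2_POLICY, action, {}))

def instances_allowing_imdsv1(describe_instances_response):
    """Audit describe-instances output: instances whose IMDS still answers token-less requests.
    Fix each with: aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required"""
    return [i["InstanceId"]
            for r in describe_instances_response["Reservations"] for i in r["Instances"]
            if i.get("MetadataOptions", {}).get("HttpEndpoint") == "enabled"
            and i.get("MetadataOptions", {}).get("HttpTokens") != "required"]

# Constructed sample of a describe-instances response (not real instances).
SAMPLE_DESCRIBE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0legacy", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0hardened", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0noimds", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]}
```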