This page contains resources pertaining to working with AWS. NOTE most of this content was recorded in the context to a lab - so if some information loops around on itself.

NOTE: LOT OF UNSORTED STUFF IN MISC - WOULD RECOMMEND USING CTRL+F TO FIND THE CONTENT YOU WANT FOR THE MOMENT

Topic covered:

• Accessing AWS Learner Lab

• EC2

  • Creating a Key Pair

  • Create a Security Group

  • Creating a Linux Instance

    • Setting up Key Pair on host example

    • Example - setting up HTTPd on Amazon Linux

  • Creating a Windows instance

  • Getting the login information

  • Terminating instance

• aws-cli

  • Setting up AWS CLI

  • Creating and terminate an EC2 instance in the CLI

  • Searching instances

  • Get the Windows password

• Amazon S3

  • Creating a bucket

  • Upload a file into an S3 bucket

  • Using aws-cli for S3 client keys

• KMS

  • Creating a KMS key

• EBS

  • Creating new EBS Volume

  • Attaching volume to EC2 instance

  • Make a filesystem on a EBS Volume from a Linux instance

  • EBS Snapshots

    • Creating a snapshot

    • Creating Volume from snapshot

• Connect to instance with Amazon EC2 connect

• Misc

Accessing AWS Learner Lab

Went to my AWS Learner lab (selected the only lab accessible):

Clicked "Start Lab":

Took awhile - once green I clicked the AWS button and accessed the AWS console:

(NOTE: I made sure that my region throughout the entire rest of the lab was "US East (N. Virginia) AKA"us-east-1")

EC2

Went to "Services" > "Compute" > then "EC2":

Brought me to the EC2 Dashboard.

Creating a Key Pair

From the side navigation panel scrolled down and accessed "Key Pairs"

Chose to "Create key pair" > created the following:

Once I clicked on the "Create key pair" which automatically downloaded the .pem key. I WOULD SAVE THIS!!!

Keypair created:

NOTE: To be able to SSH into a instance using this kepair on Linux the key would need to only be readable by the user (400), the following command could be used:

chmod 400 Oliver-Lab_6-1_AWS_Prep.pem

Create a Security Group

In the EC2 console, from the sidebar I selected "Security Groups":

Then I chose "Create security group" > set the following:

Set the basic details (VPC was left as default - i did not change anything!)

(NOTE: Below shows setting up a basic inbound rule for SSHing into the instance - see the HTTPd example for how to set an inbound rule for another port)

In the inbound rules I selected to "Add rule":

Then I filled it in with the following:

Set security group:

Nothing was set for Outbound rules and Tags. I would then select to "Create security group":

Security group created:

Creating a Linux Instance

I went to the EC2 dashboard:

I then selected "Launch instance" (also could have accessed the Instances screen from the sidebar > then launched an instance):

(NOTE: For the instance setup below the instance type and storage default/Advanced settings screenshots are from a different instance setup of Amazon Linux BUT is exactly the same as the default when set to Amazon Linux 2. Most important thing was that I left the instance type and storage default/Advanced settings sections default!)

For the Name and tags I set a name:

Set the "Application and OS Images" section to "Amazon Linux 2":

Instance type left default:

Selected to use my created key pair (see Creating a Key Pair):

Selected to use my security group (see Create a Security Group):

Left my storage default and did not touch Advanced details:

Then I chose to Launch instance:

Back in the EC2 screen, I navigated from the sidebar to instances where I saw my instance:

After selecting the instance, I could see its instance summary including the information needed to connect to it (either IPv4 address or DNS):

Setting up Key Pair on host example

I downloaded my key pair .pem file onto a linux machine > then I set the keys permissions:

chmod 400 Oliver-Lab_6-1_AWS_Prep.pem

Then I ssh'd to my instance (default username is ec2-user!):

ssh -i Oliver-Lab_6-1_AWS_Prep.pem [email protected]

NOTE: I could have included the -A flag to forward my SSH agent if SSH'ing across multiple boxes!

Example - setting up HTTPd on Amazon Linux

I installed httpd and created a basic html page on the EC2 instance:

sudo yum install httpd -y
sudo vi /var/www/html/index.html

Then from the "Security Groups" page I selected my created security group created in Create a Security Group:

Then I selected "Inbound rules" > "Edit inbound rules":

Then I selected to "Add rule" > dropdown > "HTTP":

And set the Destination to "Anywhere-IPv4":

I would do the same for "HTTPS":

Then I would save the rules with "Save rules":

Rules saved:

I could then access Apache from my Amazon EC2 DNS name!:

Creating a Windows instance

I selected from the instances menu (navigated from the EC2 sidebar) > Launch instances > created the following instance (see Creating a Key Pair for how to create the added keypair):

In the network setting I selected "Edit > set the following:

Getting the login information

In the instances tab I would also grab the Windows password from "Actions" > "Security" > "Get Windows password":

I would then be met with a screen where I selected "Upload private key file" and uploaded the key I associated with Windows in the setup "Key Pair (login)" section.

After pressing "Decrypt password" I was met with a screen where I could see the password:

Then on a Linux host I installed remmina:

sudo apt update
sudo apt install remmina -y

Then I opened remmina > left "New Connection Profile" button:

Filled in the following connection (using the username and password from above):

Then I pressed "Save and Connect":

(NOTE: Tried this a few times but the first time it asked to accept the certificate which I did)

Connected to Windows:

Terminating instance

I selected both of my created instances from Creating a Linux Instance and Creating a Windows instance.

Then I selected to terminate the instances with "Terminate instance":

Confirmation screen > pressed "Terminate":

Instances terminated:

aws-cli

Setting up AWS CLI

First installed https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

Showing aws --version:

Then I turned on my Learner Lab:

I got my credential from pressing "AWS Details" > "Show":

Which revealed my AWS CLI credentials:

Then I created my .aws directory with aws configure with nonsense answers to the prompts (HAS TO BE SOME VALUE):

After I used notepad to access my credentials file (in powershell):

notepad $env:USERPROFILE\.aws\credentials

And then I used notepad to set my region correctly:

notepad $env:USERPROFILE\.aws\config

The region info:

[default]
region = us-east-1

Finally I checked that my connection was working correctly:

aws sts get-caller-identity

Creating and terminate an EC2 instance in the CLI

Before launching an instance I needed to determine the following:

• The name of your Key Pair

• The name of your Security Group

• The identifier of the AMI (image) that you want to launch:

I found my key pair in "EC2" > "Key pairs":

Then I go my security group from "EC2" > "Security Groups":

And finally found my AMI in the "EC2" > "AMI Catalog":

So for this case it would be following:

• The name of your Key Pair: oliver_keypair01

• The name of your Security Group: launch-wizard-2

• The identifier of the AMI (image) that you want to launch (did Amazon Linux): ami-0a3c3a20c09d6f377

And then the command would be:

aws ec2 run-instances --image-id ami-0a3c3a20c09d6f377 --count 1 --instance-type t2.micro --key-name oliver_keypair01 --security-groups launch-wizard-2 --region us-east-1

Then used the following to find the DNS:

aws ec2 describe-instances --query Reservations[].Instances[].PublicDnsName[]

After I could SSH in:

Then I terminated the instance:

aws ec2 describe-instances --query Reservations[].Instances[].InstanceId[]
aws ec2 terminate-instances --instance-ids i-00994a0e301186bb6

Searching instances

Below is some helpful searches for specifying instance types in AWS.

Get the instance IDs of all running instances:

aws ec2 describe-instances --filter "Name=instance-state-name,Values=running" --query Reservations[].Instances[].InstanceId[]

Get the instance-ids and public IP address of running instances:

aws ec2 describe-instances --filter "Name=instance-state-name,Values=running" --query 'Reservations[].Instances[].{InstanceId:InstanceId,PublicDnsName:PublicDnsName}'

Get all running instances IDs and public dns name BUT only Windows systems:

aws ec2 describe-instances --filter "Name=instance-state-name,Values=running" "Name=platform-details,Values=Windows" --query 'Reservations[].Instances[].{InstanceId:InstanceId,PublicDnsName:PublicDnsName}'

Get the Windows password

First add the RDP port to the security group (3389):

I get the password:

aws ec2 get-password-data --instance-id i-06f23a5954def369c --priv-launch-key .\Downloads\oliver_keypair01.pem

Then I could RDP'd in (username is Administrator):

Sources:

https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html

https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html

https://www.learnaws.org/2023/08/31/query-multiple-fields-with-aws-cli/

Amazon S3

Creating a bucket

Opened up my management console, then navigated to S3:

Then I clicked "Create bucket"

Used the following settings (only changed the name):

Then I pressed "Create bucket":

Upload a file into an S3 bucket

From the sidebar I navigated to buckets:

I then selected my bucket "om-s3-encrypt":

Then I selected "Upload"

I then pressed "Add files" and selected my file (make sure the file has some content, I didnt add any first time and had to reupload my file):

Looking in the Bucket:

Could have also why uploading go "Properties" > "Server-side encryption" > "Specify an encryption key":

Or I could have done it with SSE-KMS with my own key:

Using aws-cli for S3 client keys

Created a client key with:

.\openssl.exe enc -aes-128-cbc -k secret -P > ~/om-client-key.key

Copy a file to S3:

aws s3 cp /opt/docs/lab.txt s3://om-s3-encrypt

But I needed to encrypt it with my client key, so I added the "--sse-c" flags:

aws s3 cp --sse-c --sse-c-key {{ KEY_SECTION_FROM_OPENNSL_KEY_FILE }} .\testf1.txt s3://om-s3-encrypt

And then I could download my file:

aws s3 cp --sse-c --sse-c-key {{ KEY_SECTION_FROM_OPENNSL_KEY_FILE }} s3://om-s3-encrypt/testf1.txt .       

KMS

Creating a KMS key

First I navigated to Key Management Service:

Then I pressed "Create a key":

In step 1, setup Symmetric key type:

Step 2: Setup a label for my key:

Step 3: Because of using learner lab I needed to add "vocareum" and "vocstartsoft" admin permissions:

Step 4: Same things needed for key usage permissions:

Step 5: I pressed "Finish":

Completed key:

EBS

Creating new EBS Volume

Opened management console and navigated to EC2:

Then navigated to the Elastic Block Store > Volumes:

Then I pressed "Create volume":

And set the following specifications:

• Volume Type: General Purpose SSD (gp2)

• Size (GiB): 1

• Availability Zone: us-east-1a

I also added a (pressed "Add tag")...

…With a Key of "Name" and a Value of "My Volume":

Finally pressed "Create volume":

(Eventually moved into state "Available")

Attaching volume to EC2 instance

I selected my volume "My Volume" (clicked the checkbox to the right) > "Actions" dropdown in the upper right > selected "Attach volume":

In the instance dropdown (under "Instance") I selected my instance:

And then I pressed "Attach volume":

In my EC2 instance page, I could select my instance (in this case "Lab") with the checkbox > "Storage" tab and you could see my EBS volume (which is highlighted below):

(NOTE: check the "Volume ID" to see if your EBS volume attached, I had to press the refresh button, next to "Connect", once to get mine to show up)

Make a filesystem on a EBS Volume from a Linux instance

NOTE: EBS Volumes device name is assumed to be "/dev/sdf" (gets renamed to "/dev/xvdf" internally on Linux), change as need be in commands below

Following commands will create a filesystem, create a directory for mounting, mount the EBS Volume, and add a line to /etc/fstab so that the volume mounts on boot:

sudo mkfs -t ext3 /dev/sdf
sudo mkdir /mnt/data-store
sudo mkdir /mnt/data-store
echo "/dev/sdf   /mnt/data-store ext3 defaults,noatime 1 2" | sudo tee -a /etc/fstab

(NOTE: In Linux is seems you can either mount what Amazon gives you (eg "/dev/sdf") or what you can see in the system by using a tool like lsblk (eg "/dev/xvdf") and they will both be the same device. Useful!)

EBS Snapshots

Creating a snapshot

In the the EBS Volumes screen in EC2:

Selected "My Volume" > "Actions" dropdown > "Create snapshot":

In the "Create snapshot" screen I added a tag (like how I did when I created an EBS Volume) like the following:

Then pressed "Create snapshot":

After a time and pressed the refresh button next to the "Recycle Bin" button:

Creating Volume from snapshot

In the EBS Snapshots section of EC2, I selected "My Snapshot" > "Actions" menu > "Create volume from snapshot":

Default options except I gave it a tag of Key "Name" and Value "Restored Volume":

Then pressed "Create volume":

Connect to instance with Amazon EC2 connect

In EC2, select instance > press "Connect":

Use EC2 Instance connect, then press "Connect":

Then you get connected to your instance:

Misc

Amazon S3

Creating a bucket

Opened up my management console, then navigated to S3:

Then I clicked "Create bucket"

Used the following settings (only changed the name):

Then I pressed "Create bucket":

Upload a file into an S3 bucket

From the sidebar I navigated to buckets:

I then selected my bucket "om-s3-encrypt":

Then I selected "Upload"

I then pressed "Add files" and selected my file (make sure the file has some content, I didnt add any first time and had to reupload my file):

Looking in the Bucket:

Could have also why uploading go "Properties" > "Server-side encryption" > "Specify an encryption key":

Or I could have done it with SSE-KMS with my own key:

Using aws-cli for S3 client keys

Created a client key with:

.openssl.exe enc -aes-128-cbc -k secret -P > ~/om-client-key.key

Copy a file to S3:

aws s3 cp /opt/docs/lab.txt s3://ChampSYS360/Lab4-2

But I needed to encrypt it with my client key, so I added the "--sse-c" flags:

aws s3 cp --sse-c --sse-c-key {{ KEY_SECTION_FROM_OPENNSL_KEY_FILE }}
.testf1.txt s3://om-s3-encrypt

And then I could download my file:

aws s3 cp --sse-c --sse-c-key {{ KEY_SECTION_FROM_OPENNSL_KEY_FILE }}
s3://om-s3-encrypt/testf1.txt .

Managing Key Management Service

First I navigated to Key Management Service:

Then I pressed "Create a key":

In step 1, setup Symmetric key type:

Step 2: Setup a label for my key:

Step 3: Because of using learner lab I needed to add "vocareum" and "vocstartsoft" admin permissions:

Step 4: Same things needed for key usage permissions:

Step 5: I pressed "Finish":

Completed key:

EBS

Creating new EBS Volume

Opened management console and navigated to EC2:

Then navigated to the Elastic Block Store > Volumes:

Then I pressed "Create volume":

And set the following specifications:

• Volume Type: General Purpose SSD (gp2)

• Size (GiB): 1

• Availability Zone: us-east-1a

I also added a (pressed "Add tag")...

…With a Key of "Name" and a Value of "My Volume":

Finally pressed "Create volume":

(Eventually moved into state "Available")

Attaching volume to EC2 instance

I selected my volume "My Volume" (clicked the checkbox to the right) > "Actions" dropdown in the upper right > selected "Attach volume":

In the instance dropdown (under "Instance") I selected my instance:

And then I pressed "Attach volume":

In my EC2 instance page, I could select my instance (in this case "Lab") with the checkbox > "Storage" tab and you could see my EBS volume (which is highlighted below):

(NOTE: check the "Volume ID" to see if your EBS volume attached, I had to press the refresh button, next to "Connect", once to get mine to show up)

Make a filesystem on a EBS Volume from a Linux instance

NOTE: EBS Volumes device name is assumed to be "/dev/sdf" (gets renamed to "/dev/xvdf" internally on Linux), change as need be in commands below

Following commands will create a filesystem, create a directory for mounting, mount the EBS Volume, and add a line to /etc/fstab so that the volume mounts on boot:

sudo mkfs -t ext3 /dev/sdf

sudo mkdir /mnt/data-store

sudo mkdir /mnt/data-store

echo "/dev/sdf /mnt/data-store ext3 defaults,noatime 1 2" | sudo tee -a
/etc/fstab

(NOTE: In Linux is seems you can either mount what Amazon gives you (eg "/dev/sdf") or what you can see in the system by using a tool like lsblk (eg "/dev/xvdf") and they will both be the same device. Useful!)

EBS Snapshots

Creating a snapshot

In the the EBS Volumes screen in EC2:

Selected "My Volume" > "Actions" dropdown > "Create snapshot":

In the "Create snapshot" screen I added a tag (like how I did when I created an EBS Volume) like the following:

Then pressed "Create snapshot":

After a time and pressed the refresh button next to the "Recycle Bin" button:

Creating Volume from snapshot

In the EBS Snapshots section of EC2, I selected "My Snapshot" > "Actions" menu > "Create volume from snapshot":

Default options except I gave it a tag of Key "Name" and Value "Restored Volume":

Then pressed "Create volume":

Connect to instance with Amazon EC2 connect

In EC2, select instance > press "Connect":

Use EC2 Instance connect, then press "Connect":

Then you get connected to your instance:

Lab 5-1: LAMP Stack in AWS - Part 1

Made regular Amazon 2 instance (NOT DEFAULT - HAVE TO CHANGE AMI IMAGE) - called om-LAMP (default settings, used my keygroup and security group used before for ports 80,22,443)

Then I downloaded the needed packages:

sudo amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2

sudo yum install -y httpd mariadb-server

And then I started httpd:

sudo systemctl start httpd

sudo systemctl enable httpd

Then I modified the file permissions on the /var/www directory so that ec2-user can manipulate files.

sudo usermod -a -G apache ec2-user

# Need to relog for groups

sudo chown -R ec2-user:apache /var/www

sudo chmod 2775 /var/www && find /var/www -type d -exec sudo chmod 2775
{} 

find /var/www -type f -exec sudo chmod 0664 {} 

After I setup a PHP file in the Apache document root

echo "<?php phpinfo(); ?>" > /var/www/html/phpinfo.php

My PHP page:

Then I deleted it

rm /var/www/html/phpinfo.php

Lab 5-2: LAMP Stack in AWS Part 2

First I started mariadb:

Then I ran mysql_secure_installation with answering y to all options (by default root has no password, so for first prompt just press Enter)

sudo mysql_secure_installation

And enabled mariadb:

sudo systemctl enable mariadb

After I installed phpMyAdmin and restarted the necessary services:

sudo yum install php-mbstring -y

sudo systemctl restart httpd php-fpm

Then I downloaded phpMyAdmin, extracted it into /var/www/html, deleted the tarball

wget
[<u>https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.tar.gz</u>](https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.tar.gz)

mkdir /var/www/html/phpMyAdmin && tar -xvzf
phpMyAdmin-latest-all-languages.tar.gz -C /var/www/html/phpMyAdmin
--strip-components 1

rm phpMyAdmin-latest-all-languages.tar.gz

Lab 5-3: Setting up WordPress on LAMP

First I downloaded the wordpress archive then extracted it:

wget
[<u>https://wordpress.org/latest.tar.gz</u>](https://wordpress.org/latest.tar.gz)

tar -xzf latest.tar.gz

Then I logged into mysql:

mysql -u root -p

And then ran the following to create a wordpress user , then a database, and finally granting full privileges on the database to the wordpress user (includes flushing the privileges and exiting.):

CREATE USER 'wordpress-user'@'localhost' IDENTIFIED BY
'your_strong_password';

CREATE DATABASE `wordpress-db`;

GRANT ALL PRIVILEGES ON `wordpress-db`.* TO
"wordpress-user"@"localhost";

FLUSH PRIVILEGES;

exit;

Then I copied the sample php file:

cp wordpress/wp-config-sample.php wordpress/wp-config.php

And edited the DB_NAME, DB_USER, DB_PASSWORD variables to reflect my environment, I also used the https://api.wordpress.org/secret-key/1.1/salt/ website to get keys and salts and updated the KEYS and SALTS accordingly:

(NOTE: I originally messed up the DB_USER user and had to change it later, above is the reflected changes - which is why the file is in /var/www/html/wp-config.php)

Then I copied the wordpress contents to /var/www/html:

cp -r wordpress/* /var/www/html/

Then I edited /etc/httpd/conf/httpd.conf to change AllowOverride None to AllowOverride All

sudo vim /etc/httpd/conf/httpd.conf

Finally I installed GD library for PHP :

sudo yum install php-gd

And restarted mariadb and httpd:

sudo systemctl restart httpd mariadb

This would allow my wordpress website to load, in which I filled it out like the following:

And pressed "Install WordPress":

I pressed Log In, and logged in by filling in the username and password:

Assignment 5-1 Protecting Data in Your Application

Current infrastructure setup for this assignment:

KMS

Creating an AWS KMS key

Searched and navigated to KMS in AWS console:

Then I selected to create a key, used the following settings:

Reviewed and pressed Finish at the end of the page:

S3

Storing an encrypted object in an S3 bucket

I navigated to S3 in the search bar > Buckets:

Selected the bucket (only one there) > went to the properties tab (could see default encryption):

In the objects tab of the bucket I pressed Upload, selected my file with "Add files":

In the properties section I expanded it (clicked on the arrow to get a dropdown) > changed it to the following (may not see all settings by default, have to select the ones available to get further settings! - also note I chose my "MyKMSKey" key!):

I then pressed Upload:

Change access permissions on AWS bucket

In Amazon S3, selecting my bucket, went to the "Permissions" tab:

Chose to "Edit" the "Block public access" settings > and cleared the

And Unchecked the "Block all public access" > the "Save changes":

(Did confirm)

I then pressed the "Edit" to the right of the "Object Ownership" tab:

Selected to have ACLS enabled, selected the acknowledgment, and kept bucket owner preferred checked, then pressed "Save changes":

Back in the buckets objects tab > I selected my object I wanted to make public ("clock.png") > selected "Actions" dropdown > selected "Make public using ACL":

(Did select "Make public" again to confirm)

I could then copy the URL from the objects overview and see an "Invalid Argument" error indicating it is public (object is encrypted):

CloudTrail

In AWS console, used search to navigate to cloudtrail:

Pressed 3 lines in upper right > selected "Event history":

Could use the "Lookup attributes" dropdown to select different attributes and accordingly look for specific strings like below:

EC2

Encrypt EBS root volume of existing EC2 instance

Navigated to EC2 > instances tab > selected my instance (LabInstance) and in its storage tab can see the volume is not encrypted (TAKE NOTE OF THE ROOT DEVICE NAME IS NOW!!!):

So I stopped the instance (agreed at popup):

I then clicked on the link of the Volume ID:

And then selected the instance > selected "Actions" > "Create snapshot":

I then created a snapshot with a tag of key "Name" and value "Unencrypted Root Volume":

Would then press "Create snapshot":

I then navigated in the right sidebar to "Snapshots" under "Elastic Block Store":

I waited for the snapshot to finish (refresh button to the left of the recycle bin was used) > Then "Actions" > "Create volume from snapshot":

I FIRST MADE SURE TO SELECT THE RIGHT AVAILABILITY ZONE FOR MY INSTANCE (in this case "us-east-1f"):

I scrolled down to the Encryption section > selected to enable encryption via the check box labeled "Encrypt this volume" > used the dropdown under "KMS key" to select my key:

Then I pressed "Create volume":

Back in the "Volumes" section of "Elastic Block Store", I used the pencil when hovering near each Volume and named them like the following (notice that the old volume has no encryption and the new one does!):

Then I selected to detach the old volume (select old volume > Actions

Detach volume), made sure to agree to popups:

Then I selected to attach the new volume (select old volume > Actions

Attach volume):

While attaching I selected my "LabInstance" instance from the instance dropdown:

And changed the device name to "dev/xvda" as that was the device name of the old volume in the instance:

After I pressed "Attach volume":

In services looked up services, and selected VPC:

Navigated to "Security groups" > selected "Create security group":

Created the following security group:

(Basic details, did have to select the VPC)

(Selected to Add a inbound rules > added a type for MySQL/Aurora (3306))

Overall:

And pressed at the bottom right "Create security group":

Searched for RDS in the services search:

Navigated to the "Subnet groups":

Then selected "Create DB subnet group" and entered the following:

(Used the dropdowns to select the availability zones and subnets)

Then pressed "Create":

Then I went to databases:

Then I pressed "Create database" > and filled it in with the following:

Then I pressed "Create database":

Then I accessed the lab-db instance > recorded the "Endpoint & port":

DynamoDB

Searched for and opened the DynamoDB console:

Then I selected "Create table" and entered the following table, partition, and sort key:

Then I scrolled to the bottom then I selected "Create table":

Then I pressed "Explore table items":

Then I pressed "Create item":

Then I selected "Add new attribute" and selected "Number":

Called it "Awards":

Then I did the same for "AlbumTitle", selecting String instead of number:

I filled in the values as follows:

And pressed "Create item":

I made 8 more entries:

In the Indexes tab I pressed "Create index":

Then I set the Partition key to "AlbumTitle" and then pressed "Create index":

Created a basic S3 bucket for the lab:

Uploaded the following files:

In Dynamodb I went to the "Import from S3" section:

Then I pressed "Import from S3" > filled in step 1 like the following:

Set this in step 2:

Defaults for step 3:

Overall:

It would fail but still show up in my Tables:

First I accessed Elastic Beanstalk:

Then I clicked on the Elastic Beanstalk application:

I could see that I have a domain link, which when put into a browser showed a 404 since I had not yet set any running code:

I downloaded this https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/samples/tomcat.zip example code. Then I selected the "Upload and deploy" button on my instance:

In the popup I would select "Choose file" > selected my downloaded zip "tomcat.zip":

Then I selected "Deploy", which AWS informed me was uploaded successfully:

After a minute or 2, I went back to my domain URL and saw it had updated:

I could also see these instances running in EC2:

Enabling TLS on server

First I booted up an AWS free tier EC2 Amazon Linux 2 (HVM) with the following settings (in the learner lab):

I then SSH'd into the instance:

Then I updated the system:

sudo yum update -y

Then I installed and enabled httpd:

sudo yum install httpd -y

sudo systemctl enable --now httpd

Confirmed it was running:

And installed mod_ssl:

sudo yum install -y mod_ssl

I then made a dummy self signed certificate:

sudo /etc/pki/tls/certs/make-dummy-cert /etc/pki/tls/certs/localhost.crt

Then in "/etc/httpd/conf.d/ssl.conf" file I commented out the following line "SSLCertificateKeyFile /etc/pki/tls/private/localhost.key":

And restarted httpd:

sudo systemctl restart httpd

Could navigate to HTTPS

Hardening

I change the following in "/etc/httpd/conf.d/ssl.conf":

Commented out "SSLProtocol all -SSLv3" to "SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2"

Then I got my Apache and Openssl version:

And entered it into the Mozilla SSL Configuration Generator:

(I would copy the "SSLCipherSuite" line)

Then I went back to "/etc/httpd/conf.d/ssl.conf" > commented out the "SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5" line and replaced it with the copied version from the Mozilla website:

Finally I uncommented the line "#SSLHonorCipherOrder on":

I would then restart httpd:

I would use Duck DNS to generate a DNS domain (would have to record the AWS instance IP > put it under "current ip" > then I clicked "update ip":

Testing it with a nslookup:

On my AWS EC2 instance, I downloaded EPEL =, installed the repository packages, and enabled EPEL:

sudo wget -r --no-parent -A 'epel-release-*.rpm'
https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/ sudo rpm -Uvh
dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*

Could see repolist:

Then in "/etc/httpd/conf/httpd.conf", I added the following under the "Listen 80" directive (for my domain):

<VirtualHost *:80>

> DocumentRoot "/var/www/html" ServerName "om-lab-82.duckdns.org"

ServerAlias "om-lab-82.duckdns.org"

</VirtualHost>

Then I restarted httpd:

sudo systemctl restart httpd

Then I installed certbot:

sudo yum install -y certbot python2-certbot-apache

And ran Certbot:

sudo cerbot

And filled it out like the following:

Do it with Windows 2022

Enable Detailed Monitoring

In EC2, selected my instance then "Actions" > "Monitor and Troubleshoot":

Then I selected "Enable" > pressed "Confirm":

Then I searched for and went to "CloudWatch":

Then I went to "Metrics" dropdown, pressed it, and selected "All metrics":

Then I selected "EC2" > "Per-Instance Metrics":

I could then select my instance and then it would graph above:

In "Graphed metrics" I could also change the period to 1 minute:

Add Cloudwatch alarm

I selected my EC2 instance > "Monitor and troubleshoot" > "Manage CloudWatch alarms":

In the Manage CloudWatch alarms, I turned off the "Alarm notification":

Then I set the alarm threshold for more than 10 packets (bytes) for "Network packets in":

Then I pressed "Create":

Via pings I could trigger the alarm:

Creating a CloudTrail trail with CloudWatch Logs enabled

I could access cloudtrail by searching for it:

Then I could go to "Event history" on the left side of the screen, where by default the lookup attribute is "Read-only":

I could change this to something like "Event source" and then use the text box to the right to filter the source:

I could then switch over the the "Trails" tab:

Here I could create a trail by pressing "Create trail" in the upper right > and filling in the trail attributes like follows:

I could then press the "Next" button…:

…and fill out the log events page like the following

I would then press the "Next" button to create the trail.

(Below shows what it might look like completed)

Creating an SNS topic and subscribing to it

First I went to the Amazon SNS console:

I then selected the menu icon in the top right corner > then selected "Topics":

I then pressed "Create topic" in the upper right corner and filled it out like the following:

(Note, did have to click on the "Access policy - optional" section to have it dropdown, where I filled out it's options)

I then pressed "Create topic":

I then pressed "Create subscription":

And filled it out like the following (did have to selected the protocol dropdown > selected "Email" as seen below, I also filled in the "Endpoint" section ):

I would then press "Create subscription":

I would then receive an email to confirm that subscription:

When pressed it generates the following:

Creating an EventBridge rule to monitor security groups

First I searched for Amazon EventBridge and went to its page:

Then I selected "Create a rule" > and filled it out step 1 with the following:

Then i filled out step 2 (after pressing the "Next" button on step 1):

(I did have to select the custom pattern button, and filled out the JSON with an event JSON pattern!)

Then i filled out step 3 (after pressing the "Next" button on step 2):

NOTE: I would press the "Configure input transform" and fill out the Target input transformer input path and Template field like the following:

And press confirm, then "Next" back in the main screen:

For step 4 I would simply choose next, and in step 5 "Review and create" I would simply scroll to the buttom and press create:

If I was to make a change that activated this eventbridge rule (such as change a security groups rules) I would receive an alert and an email:

Creating a CloudWatch alarm based on a metrics filter

First I searched for "Cloudwatch" and went to its console:

I then expand "Logs" section on the left side bar > "Log groups":

I then selected the log group I wanted using its right check box > "Actions" > "Create metric filter":

Then in step 1 I defined a filter pattern:

I then pressed "Next" in the lower left, where I filled in the following:

I then pressed "Next" > "Create metric filter":

(NOTE: I would later reassign the "Metric name" to "ConsoleLoginFailureCount"!)

In the metrics filter tab of my log group (where it puts you when creating the log group) I could select the checkbox on my "ConsoleLoginErrors" > "Create alarm":

I would fill out the alarm like the following:

(NOTE: I would later change "CloudTrailMetrics" to "ConsoleLoginFailureCount")

Then I pressed "Next" and in step 2 filled out the following:

I pressed "Next" and in step 3 gave an alarm name:

I would press "Next" and in step 4 press "Create alarm":

After making some failed login data (using a test IAM user, copying there console sign in on a incognito browser, failing the login a few times) I could go to the "Metrics" dropdown in Cloudwatch > "All metrics":

After a few seconds my custom namespace appeared:

I could select it > "Metrics with no dimensions" (may have to reload the page to see it):

I could select my wanted metric > "Graph this metric only":

I also received an email:

I could then go to "Log insights" under "Log" dropdown on the left:

Select "Browse log groups" > selected my log group:

With this I could run queries against my logs:

Creating a VPC

First I went to the VPC console:

Then I could select "Create VPC" on the top of the page:

Then I specified the following specifications:

Then I pressed "Create VPC":

After it finished I pressed "View VPC":

I could then see my subnet in "Subnets" panel:

I could then see my Internet Gateway in "Internet Gateways" panel:

I could also see my route table:

Launching an instance into my VPC

I could then an EC2 instance > in the instance setup press "Edit" to the right on the "Network settings" dropdown > could select my VPC.

I could also specify a subnet:

I then added an additional security group rule for HTTP (had to first press "Add security group rule" and then filled it out like the following)

I also ensured that my keypair was selected:

I then selected to "Launch instance":

Assign an elastic ip to my instance

I went into the VPC console > "Elastic IPs" on the left:

I then selected "Allocate Elastic IP address" > pressed "Allocate":

I then selected the allocated address > "Actions" > "Associate Elastic IP address":

Then selected my instance in the page:

And then I pressed "Associate":

I could then in my instance see a public address for my instance:

And I could SSH into it:

Creating VPC from scratch

Selected to Create a VPC from the VPC console page > "VPC only" > filled it out like the following:

I would then press "Create VPC":

I then went to the subnets panel and selected "Create subnet":

And filled it out with the following (selected my new VPC. set a subnet name, us-east-1a as the availability zone, and set the IPv4 subnet CIDR block to '10.0.1.0/24'):

Then I would press "Create subnet":

I then pressed "Create subnet" again > set the following:

Selected to create that subnet:

I went into "Internet gateways" > "Create internet gateway":

I set it to the following:

And pressed "Create internet gateway":

I went back to the internet gateways page > selected "IGW" > "Actions"

"Attach to VPC":

I would select my VPC from the "Available VPCs" page > then press "Attach internet gateway":

I then went to "Route Tables" > "Create route table":

I then could set a name of "PublicRouteTable" and also my VPC:

Then I selected "Create route table":

I would do the same for a different table named "PrivateRouteTable":

I would select my public route table > "Subnet associations" > "Edit subnet associations":

I would then select my public subnet:

Pressed "Save associations":

I would do this same process for the private route table and subnet:

Back on the public route table > "Routes" > "Edit routes":

I would add a route with "Add route" > then filled out the destination (0.0.0.0/0) and selected to use my made internet gateway:

I pressed "Save changes":

I then created an instance using the public subnet:

And one on the private subnet:

NOTE: I would go back later and create/assign a security group that allows ping and ICMP

AWS NAT Gateway

First I went to the VPC section, then "NAT gateways":

Then I pressed "Create NAT Gateway" > set a name, subnet, and set the connectivity type to Public, as well I pressed "Allocate Elastic IP" and used the dropdown to assign it:

I went to the private route table:

Then I pressed "Edit routes" > set to the following to select my NAT gateway:

AWS VPC NACLs

I set my subnet to auto assign public IPv4 addresses:

First I setup 2 Amazon Linux hosts with the following names "apache-lab11" and "jump-lab11" (both were configured with my testVPC, PublicSubnet, as well a security group allowing SSH from anywhere as well as adding my key):

Then I ran the following on the web host sudo yum install httpd -y and changed the line in /etc/httpd/conf/httpd.conf that is "Listen 80" to "Listen 8080":

And started apache with sudo systemctl restart httpd

On the jump box I would scp my ssh key and set the right permissions:

scp -i C:Usersoliver.mustoeDownloadsoliver_keypair01.pem
C:Usersoliver.mustoeDownloadsoliver_keypair01.pem
ec2-user@ec2-54-173-163-

80.compute-1.amazonaws.com:

ssh -i C:Usersoliver.mustoeDownloadsoliver_keypair01.pem
[<u>[email protected]</u>](mailto:[email protected])

chmod 400 oliver_keypair01.pem

I would make sure my Apache system had proper security groups for ports 80,443:

I went to VPC > Network ACLs:

I would then press "Create network ACL" > named it "Private-Lab11" in my VPC (I would make another acl called "Public-lab11"):

Created ACLs:

For my ACLs I needed to fit the following criteria:

• Public Subnet:

  • Allow Internet access to port 80 on your Public Instance (web

    server)

  • Allow Private Subnet access to port 8080 on your Public Instance

    (web server)

  • Block Internet access to port 8080 on your Public Instance (web

    server)

  • Allow all other inbound access

  • Allow outbound Internet access

• Private Subnet:

  • Allow inbound SSH to your Private Instance from your Bastion-Jump

    Box Only

  • Allow all other inbound access

  • Block outbound access to FTP (port 21) from Private subnet

  • Allow all other outbound access from the Private subnet

In my Public acl I would add the following rules (would use "Edit inbound rules" or "Edit outbound rules" to set the rules, like a security group!):

In my Private acl I would add the following rules (would use "Edit inbound rules" or "Edit outbound rules" to set the rules, like a security group!):

Inside my Public subnet I would press "Edit network ACL association" and change it to my newly created ACL:

I would press "Save":

I would do this same process but for my private subnet/newly created private acl:

First I went to the CloudWatch Console:

I went to log groups > "Create log group":

I would enter log group information:

Then I pressed "Create":

Then I went to CloudTrail:

Then I pressed Trail > "Create a trail":

I set the general details for the trail:

I then pressed Next - filled in log events:

I reviewed and then pressed "Create trail":

This gives an error in learner lab, but still works:

Then launched a given stack, entered the following details:

Confirmed subscription:

Then I went to Amazon EventBridge:

I would then go to "Rules" > and pressed "Create rule":

I would fill out the rule like the following:

No tags, and on the last screen I clicked to create the rule:

I then went to IAM > Users > Create user:

I will then specify the following user:

Reviewed and pressed "Create user":

Will give error, but did receive email:

I went back to eventbridge > rules > create rule > created the following:

Pressed "Skip to Review and create" then "Create rule":

I then went to S3 > pressed "Create bucket" > gave it a bucket name 'aws-athena-query-results-oliverlab12':

Everything else was left default, then I pressed "Create bucket":

Then I went to the Athena console:

I then pressed "Query editor" > "Edit settings":

Selected my bucket:

"Save":

I then went to CloudTrail > "Event history" > "Create Athena table":

Selected my S3 bucket location:

Back in athena a "default" database was selected and I saw the table name:

I could then query:

Create an AMI for Auto Scaling

Go to ec2, and select an instance that is running (like "Web Server 1"):

Then I selected "Actions" > "Image and templates" > "Create image":

I then gave the image a name, a description, and pressed "Create Image":

Task 2: Create a Load Balancer

In EC2, I went to "Target Groups" in the left side panel

I then selected "Create target group" > selected the target type to be instances, set the name, and selected the VPC I wanted from the dropdown:

I pressed "Next" > on step 2 I selected simply to "Create target group":

I then went to "Load Balancers" (navigated with the left hand dropdown):

I then clicked the right hand dropdown arrow next to "Create load balancer" and selected "Create Application Load Balancer":

In the setup I would set the load balancer name, which VPC to use, selected both availability zones and the 2 public subnets within them, and selected to only use my "Web Security Group" instead of the "default", and set the listener for HTTP:80 default action to forward to "LabGroup":

I then pressed "Create load balancer":

Task 3: Create a Launch Template and an Auto Scaling Group

In EC2 I went to "Launch Templates" on the side menu > then I pressed "Create launch template":

I would set the following settings:

• Launch template name: LabConfig

• Under Auto Scaling guidance, select *Provide guidance to help me

  set up a template that I can use with EC2 Auto Scaling*

• In the Application and OS Images (Amazon Machine Image) area, choose

  My AMIs.

  • Amazon Machine Image (AMI): choose Web Server AMI

• Instance type: choose t2.micro

• Key pair name: choose vockey

• Firewall (security groups): choose *Select existing security

  group*

  • Security groups: choose Web Security Group

• Scroll down to the Advanced details area and expand it.

  • Scroll down to the Detailed CloudWatch monitoring setting.

    Select *Enable
    *Note: This will allow Auto Scaling to react quickly to changing utilization.

(All of the rest of the settings were left default!)

I then pressed "Create launch template":

With this complete I went back to the launch templates menu > selected my template > "Actions" > "Create Auto Scaling group":

In step 1 I set the auto scaling group name and the launch template:

In step 2 I set the VPC, and the availability zones/subnets (private subnets this time!):

In step 3 I attached the auto scaling group to a load balancer and enabled group metrics collection within CloudWatch:

In step 4 I set a group size, and scaling policy:

In step 5 I left settings to default, and in step 6 I added a tag named "Name" and set it appropriately:

In step 7 I pressed the "Create Auto Scaling group" at the bottom of the page:

Task 4: Verify that Load Balancing is Working

In EC2 > "Target Groups" > selecting the "LabGroup" now shows 2 instances up:

In "Load Balancers" the load balancer exists, and when you copy it's DNS name you can open it in a new tab and see details on it: