SYS360 Final Project - Zacham17/my-tech-journal GitHub Wiki

Overview

This final project involves building an environment in AWS using EC2 instances, two subnets (one public and one private), a NAT Gateway, and an Internet Gateway. It also involves building a LAMP stack on the EC2 instances in that environment.

Part 1 - Networking and LAMP Stack

Part one of this project covers the networking configuration and the building of the LAMP stack. This section lists the steps I took to implement each aspect of the networking and the LAMP stack.

VPC Creation

Step 1:
From the VPC console, select create VPC

Step 2:
Add the following details:

  • Name: ZMorrisFinalVPC
  • IPv4 CIDR: 10.10.0.0/16

Step 3:
Click Create VPC to create the VPC.

Adding Subnets

To start adding subnets, select Subnets in the left pane of the VPC console.

For Public Subnet:

Step 1:
Select Create Subnet

For the VPC ID choose ZMorrisFinalVPC

Set the following details for the subnet:

  • Name: FinalSubnetPublic
  • Availability Zone: us-east-1a
  • IPv4 CIDR block: 10.10.0.0/16
  • IPv4 subnet CIDR block: 10.10.10.0/24

Step 2:
Click Create Subnet to create the subnet

For Private Subnet:

Step 1:
Select Create Subnet

Step 2:
For the VPC ID choose ZMorrisFinalVPC:

Step 3:
Set the following details for the Subnet:

  • Name: FinalSubnetPrivate
  • Availability Zone: us-east-1b
  • IPv4 CIDR block: 10.10.0.0/16
  • IPv4 subnet CIDR block: 10.10.15.0/24

Step 4:
Click Create Subnet to create the subnet

Internet Gateways Configuration:

Step 1:
In the left pane, click “Internet Gateways”

Step 2:
Click Create Internet Gateway

Step 3:
Set the Name Tag: ZMorrisFinalIGW

Step 4:
Click “Create Internet Gateway” to create the IGW.

Attach IGW to VPC:

Step 1:
Select the “ZMorrisFinalIGW” Internet Gateway from the list

Step 2:
Select Actions > Attach to VPC

Step 3:
Choose the VPC with ZMorrisFinalVPC in the name

Step 4:
Click “Attach Internet Gateway”

Create Route Tables:

Step 1:
Click Route Tables in the left pane

Public Route Table:

Step 1:
Click Create Route Table

Step 2:
Add Details to the route table:

  • Name Tag: FinalPublicRouteTable
  • VPC: Select ZMorrisFinalVPC from the list

Step 3:
Click Create Route Table

Private Route Table:

Step 1:
Click Create Route Table

Step 2:
Add Details:

  • Name Tag: FinalPrivateRouteTable
  • VPC: Select ZMorrisFinalVPC from the list

Step 3:
Click Create Route Table

Subnet Associations:

The following section explains how to configure subnet associations for both the private and public subnets

Public:

Step 1:
In the Route tables list, check the box for the PublicRouteTable

Step 2:
In the bottom pane, select the subnet associations tab, and click Edit Subnet Associations

Step 3:
Select “FinalSubnetPublic” from the list, and click Save Associations.

Private:

Step 1:
In the Route tables list, check the box for the PrivateRouteTable

Step 2:
In the bottom pane, select the subnet associations tab, and click Edit Subnet Associations

Step 3:
Select “FinalSubnetPrivate” from the list, and click Save Associations.

Allow Internet traffic to the VPC:

Step 1:
Select the Public Route table from the list, go to the routes tab, and select edit routes

Step 2:
Click Add Route

Step 3:
Specify the following values:

  • Destination: 0.0.0.0/0
  • Target: Select Internet Gateway from the dropdown menu and choose the ZMorrisFinalIGW option from the list.

Step 4:
Click Save Changes

Create Elastic IPs

Step 1:
Go to the EC2 Console

Step 2:
In the left pane, click Elastic IP addresses

Step 3:
Click Allocate Elastic IP Address

💡 Make sure us-east-1 is selected as the network border group


Step 4:
For the tags, add a tag with the following info:

  • Key: Name
  • Value: WebElasticIP

Step 5:
Click Allocate Elastic IP Address

Step 6:
Add another Elastic IP. Start by clicking "Allocate Elastic IP address".

Step 7:
Make sure us-east-1 is selected as the network border group

Step 8:
For the tags, add a tag with the following info:

  • Key: Name
  • Value: JumpboxElasticIP

Create a NAT Gateway for the Public Subnet

Step 1:
Go to the VPC Console in AWS

Step 2:
In the left pane, click NAT gateways

Step 3:
Click Create NAT Gateway

Step 4:
Use the following details:

  • Name: FinalNATGateway
  • Subnet: FinalSubnetPublic

Step 5:
Click “Allocate Elastic IP”

Step 6:
Click "Create NAT Gateway".

Updating Private Subnet Routing Table to use NAT Gateway:

Step 1:
Click Route tables in the left pane

Step 2:
Click the check box for FinalPrivateRouteTable

Step 3:
In the bottom pane, go to the routes tab and click edit routes.

Step 4:
Click Add Route

Step 5:
Set the following options:

  • Destination: 0.0.0.0/0
  • Target: Select NAT Gateway from the dropdown menu, then choose the ID of FinalNATGateway

Security Groups:

In the EC2 or VPC console, select Security groups from the left pane. From here, we will set up a security group for each instance.

Web Security Group:

Step 1:
Click Create security group

Step 2:
Enter Details:

  • Security Group Name: WebSecurityGroup
  • VPC Info: ZMorrisFinalVPC

Step 3:
Set Inbound Rules:

  • Rule 1

    • Type: HTTP
    • Source Type: Anywhere-IPv4
  • Rule 2

    • Type: SSH
    • Source Type: Custom
    • Source: 10.0.0.30/32

Step 4:
Click Create security group

Jumpbox Security Group:

Step 1:
Click Create security group

Step 2:
Enter Details:

  • Security Group Name: JumpSecurityGroup
  • VPC Info: ZMorrisFinalVPC

Step 3:
Create Inbound Rules:

  • Rule 1
    • Type: SSH
    • Source Type: Anywhere-IPv4

Step 4:
Click Create security group

Database Security Group

Step 1:
Click Create security group

Step 2:
Enter Details:

  • Security Group Name: DBSecurityGroup
  • VPC Info: ZMorrisFinalVPC

Step 3:
Set Inbound Rules:

  • Rule 1
    • Type: SSH
    • Source Type: Custom
    • Source: 10.10.10.30/32
  • Rule 2
    • Type: Custom
    • Protocol: TCP
    • Port Range: 3306
    • Source Type: Custom
    • Source: 10.10.10.25/32

Step 4:
Click Create security group

Create Instances:

Step 1:
Go to the EC2 Console

Step 2:
In the left pane, click Instances

The next subsections outline how to create each instance.

Create Web Server Instance

Step 1:
Click Launch Instance

Step 2:
Change Details:

  • Name: FinalEC2Web
  • OS Image: Amazon Linux 2 AMI (HVM) Free Tier Eligible
  • Instance Type: t2.micro
  • Keypair: ZM_funkey

Step 3:
Under Network Settings:

  • VPC: ZMorrisFinalVPC
  • Subnet: FinalSubnetPublic
  • Auto-assign public IP: Disable
  • Security Group: WebSecurityGroup

Step 4:
Under Advanced Network Configuration:

  • Primary IP: 10.10.10.25

💡 This sets the private IP


Step 5:
Click Launch Instance

Create Jump Box Instance

Step 1:
Click Launch Instance

Step 2:
Change Details:

  • Name: FinalEC2Jump
  • OS Image: Amazon Linux 2 AMI (HVM) Free Tier Eligible
  • Instance Type: t2.micro
  • Keypair: ZM_funkey

Step 3:
Under Network Settings:

  • VPC: ZMorrisFinalVPC
  • Subnet: FinalSubnetPublic
  • Auto-assign public IP: Disable
  • Security Group: JumpSecurityGroup

Step 4:
Under Advanced Network Configuration:

  • Primary IP: 10.10.10.30

💡 This sets the private IP


Step 5:
Click Launch Instance

Database Instance

Step 1:
Click Launch Instance

Step 2:
Change Details:

  • Name: FinalEC2Database
  • OS Image: Amazon Linux 2 AMI (HVM) Free Tier Eligible
  • Instance Type: t2.micro
  • Keypair: ZM_funkey

Step 3:
Under Network Settings:

  • VPC: ZMorrisFinalVPC
  • Subnet: FinalSubnetPrivate
  • Auto-assign public IP: Disable
  • Security Group: DBSecurityGroup

Step 4:
Under Advanced Network Configuration:

  • Primary IP: 10.10.15.60

💡 This sets the private IP


Step 5:
Click Launch Instance

Associate Elastic IPs

Step 1:
In the left pane, select Elastic IPs

Step 2:
Check the box for the Elastic IP for the Web Instance (WebElasticIP)

Step 3:
Click Actions > Associate Elastic IP Address

Step 4:
Set the following details

  • Resource Type: Instance
  • Instance: Select the FinalEC2Web instance from the list
  • Private IP Address: Select 10.10.10.25 from the list

Step 5:
Click Associate

Step 6:
Check the box for the Elastic IP for the Jumpbox Instance (JumpboxElasticIP)

Step 7:
Click Actions > Associate Elastic IP Address

Step 8:
Set the following details

  • Resource Type: Instance
  • Instance: Select the FinalEC2Jump instance from the list
  • Private IP Address: Select 10.10.10.30 from the list

Step 9:
Click Associate

Configure EC2-Web and EC2-MySQL as a LAMP Stack

This section explains how the LAMP stack was configured and shows the commands used.

EC2 Web: Install Apache and PHP

Step 1:
SSH Into the EC2-Web Instance

Step 2:
Update Packages

[ec2-user ~]$ sudo yum update -y

Step 3:
Install Apache:

[ec2-user ~]$ sudo yum install httpd

Step 4:
Install PHP:

[ec2-user ~]$ sudo amazon-linux-extras install -y php7.2

Step 5:
Start and Enable Apache:

[ec2-user ~]$ sudo systemctl start httpd
[ec2-user ~]$ sudo systemctl enable httpd

EC2 Database: Install MariaDB for MySQL

Step 1:
Update Packages

[ec2-user ~]$ sudo yum update -y

Step 2:
Install Mariadb and PHP

[ec2-user ~]$ sudo amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2

Step 3:
Install MariaDB server:

[ec2-user ~]$ sudo yum install -y mariadb-server

Step 4:
Start the MariaDB Server:

[ec2-user ~]$ sudo systemctl start mariadb

Step 5:
Run a Secure Installation of MySQL

[ec2-user ~]$ sudo mysql_secure_installation
  • When prompted for the current root password, press Enter (the password is blank by default)
  • Type Y to set a password, and type a secure password twice. Make sure to store this password in a safe place.
  • Type Y to remove the anonymous user accounts.
  • Type Y to disable the remote root login.
  • Type Y to remove the test database.
  • Type Y to reload the privilege tables and save your changes.

Step 6:
To set the MariaDB server to start at every boot, type the following command.

[ec2-user ~]$ sudo systemctl enable mariadb

Step 7:
Login to database as root user:

[ec2-user ~]$ mysql -u root -p

Step 8:
Create a user for wordpress:

MariaDB [(none)]> CREATE USER 'wordpressuser'@'10.10.10.25' IDENTIFIED BY 'password';

Step 9:
Create a database for wordpress:

MariaDB [(none)]> CREATE DATABASE wordpressdb;

Step 10:
Grant Privileges to Wordpress User:

MariaDB [(none)]> GRANT ALL PRIVILEGES ON wordpressdb.* TO 'wordpressuser'@'10.10.10.25' IDENTIFIED BY 'password';

Step 11:
Update Privilege Changes:

MariaDB [(none)]> FLUSH PRIVILEGES;

Step 12:
Exit MySQL:

MariaDB [(none)]> exit

EC2 Web: Install Wordpress

Step 1:
Install Wordpress:

[ec2-user ~]$ wget https://wordpress.org/latest.tar.gz

Step 2:
Unzip the Wordpress Download:

[ec2-user ~]$ tar -xzvf latest.tar.gz

Step 3:
Copy the Wordpress Config:

[ec2-user ~]$ cp wordpress/wp-config-sample.php wordpress/wp-config.php

Step 4:
Edit wp-config.php file:

[ec2-user ~]$ nano wordpress/wp-config.php

Change the config settings in the wp-config.php file by changing the following lines.

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpressdb');

/** MySQL database username */
define('DB_USER', 'wordpressuser');

/** MySQL database password */
define('DB_PASSWORD', 'password');

/** Database hostname */
define( 'DB_HOST', '10.10.15.60' );

Go to this link to generate salts for the Authentication keys and salts: https://api.wordpress.org/secret-key/1.1/salt/

Paste the content generated by the link into the authentication keys and salts section of wp-config.php.

Step 5:
Copy the contents of the wordpress directory to /var/www/html/

[ec2-user ~]$ sudo cp -r wordpress/* /var/www/html/

Step 6:
Edit httpd.conf

[ec2-user ~]$ sudo nano /etc/httpd/conf/httpd.conf

Find the section that starts with <Directory "/var/www/html">. Change the AllowOverride None line in the above section to read AllowOverride All

Step 7:
Install php dependency:

[ec2-user ~]$ sudo yum install php-gd

Step 8:
Change file Permissions:

Grant file ownership of /var/www and its contents to the apache user.

[ec2-user ~]$ sudo chown -R apache /var/www

Grant group ownership of /var/www and its contents to the apache group.

[ec2-user ~]$ sudo chgrp -R apache /var/www

Change the directory permissions of /var/www and its subdirectories to add group write permissions and to set the group ID on future subdirectories.

[ec2-user ~]$ sudo chmod 2775 /var/www 
[ec2-user ~]$ find /var/www -type d -exec sudo chmod 2775 {} \;

Recursively change the file permissions of /var/www and its subdirectories to add group write permissions.

[ec2-user ~]$ find /var/www -type f -exec sudo chmod 0664 {} \;

Step 9:
Restart Apache:

[ec2-user ~]$ sudo systemctl restart httpd

Step 10:
In a browser, navigate to the web server public IP address. You should see a wordpress page to finish installation:

Fill in the Information to finish installation:

  • Site Title: ZMorrisFinalSite
  • Username: YOUR_USERNAME
  • Password: YOUR_PASSWORD
  • Your Email: Provide an email address
  • Check “Discourage search engines from indexing this site”

Step 11:
Click “Install WordPress”. You should see a Success page. Click “Log In” and use the credentials you just made to log in

You should see the WordPress dashboard when you log in.

For Testing:

On the Web Server and the jumpbox, install “nc”

Test 1:
Run nc from the Web Server to the Database on tcp/3306 (should be successful)

[ec2-user ~]$ nc -v -z 10.10.15.60 3306

Test 2:
Run nc from the Jump Box to the Database on tcp/3306 (should fail)

[ec2-user ~]$ nc -v -z 10.10.15.60 3306
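As an added example (not part of the original write-up), the Python below models the three security groups and instance addresses given above and checks the same reachability matrix that the netcat and SSH tests exercise. It also reports any custom source CIDR that lies outside the 10.10.0.0/16 VPC, since a rule with such a source can never match an instance inside the VPC. The CIDRs and addresses are copied from the page; the helper names are my own.

```python
"""Model of the security groups from this write-up, used to check the
intended reachability matrix before running the netcat/SSH tests."""
import ipaddress

# Values copied from the write-up (a local model, not an AWS API call).
VPC_CIDR = ipaddress.ip_network("10.10.0.0/16")
INSTANCES = {
    "web":  {"ip": "10.10.10.25", "sg": "WebSecurityGroup"},
    "jump": {"ip": "10.10.10.30", "sg": "JumpSecurityGroup"},
    "db":   {"ip": "10.10.15.60", "sg": "DBSecurityGroup"},
}
# Inbound rules as (protocol, port, source CIDR); HTTP = tcp/80, SSH = tcp/22.
INBOUND = {
    "WebSecurityGroup": [("tcp", 80, "0.0.0.0/0"), ("tcp", 22, "10.0.0.30/32")],
    "JumpSecurityGroup": [("tcp", 22, "0.0.0.0/0")],
    "DBSecurityGroup": [("tcp", 22, "10.10.10.30/32"), ("tcp", 3306, "10.10.10.25/32")],
}


def allows(sg, src_ip, port, proto="tcp"):
    """True if any inbound rule of `sg` admits proto/port from src_ip."""
    addr = ipaddress.ip_address(src_ip)
    return any(p == proto and prt == port and addr in ipaddress.ip_network(cidr)
               for p, prt, cidr in INBOUND[sg])


def reachable(src, dst, port):
    """Private-IP reachability from instance `src` to `dst` on tcp/port.
    Security groups are stateful and the two subnets route to each other
    inside the VPC, so only the destination's inbound rules decide."""
    return allows(INSTANCES[dst]["sg"], INSTANCES[src]["ip"], port)


def stray_sources():
    """Custom sources (anything but 0.0.0.0/0) outside the VPC CIDR. Such a
    rule cannot match traffic from any instance in this VPC."""
    found = []
    for sg, rules in INBOUND.items():
        for proto, port, cidr in rules:
            net = ipaddress.ip_network(cidr)
            if net.prefixlen != 0 and not net.subnet_of(VPC_CIDR):
                found.append((sg, f"{proto}/{port}", cidr))
    return found


# The flows the "For Testing" section and the screenshot deliverables exercise.
EXPECTED = {
    ("web", "db", 3306): True,
    ("jump", "db", 3306): False,
    ("jump", "db", 22): True,
    ("web", "db", 22): False,
}


def check_matrix():
    """Flows whose modelled result differs from EXPECTED (empty means all good)."""
    return [flow for flow, want in EXPECTED.items() if reachable(*flow) != want]


if __name__ == "__main__":
    for (src, dst, port), want in EXPECTED.items():
        state = "allowed" if reachable(src, dst, port) else "blocked"
        print(f"{src:>4} -> {dst} tcp/{port}: {state} (expected "
              f"{'allowed' if want else 'blocked'})")
    print("mismatches:", check_matrix())
    print("rule sources outside the VPC:", stray_sources())
```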

Screenshot Deliverables for Part 1:

Wordpress Site and Admin Page


Successful netcat to Database Server on tcp/3306 from Web Server


Unsuccessful netcat to Database server on tcp/3306 from Jumpbox


Successful SSH from Jumpbox to Database


Unsuccessful SSH from Web Server to Database


Web Security Group Information


Database Security Group Information


Jumpbox Security Group Information


Part 2 - Incorporating CloudWatch and CloudTrail

Part two of this project involves setting up cloudwatch and cloudtrail to monitor and audit what is happening in the AWS environment.

Configure Cloudwatch:

Instance Metrics Configuration:

Step 1:
Go to the EC2 Console

Step 2:
Navigate to the instances page in the left navigation pane.

Web and Database Instances:

For each instance:

  • Check the box for the instance
  • Click Actions > Monitor and Troubleshoot > Manage detailed monitoring
  • Click “Enable” Under detailed monitoring

Jumpbox Instance:

No actions are needed

Cloudwatch Monitors:

Step 1:
Open the cloudwatch console

Step 2:
Choose Metrics > All Metrics in the navigation pane.

Step 3:
Click the EC2 Namespace in the bottom pane.

Step 4:
Choose Per-Instance Metrics in the bottom pane. We will be setting up monitoring of four metrics: CPU Utilization, Network Traffic In, Network Traffic Out, and CPU Credit Usage.

CPU Utilization Metrics:
Step 1:
In the search field, enter CPUUtilization and press enter

Step 2:
Check the boxes for all three instances (Web, Jump, and Database)

Step 3:
Above the graph that appears, click the pencil icon to rename the graph, “FinalCPUGraph”, and click apply.

Step 4:
Note: The graphed metrics tab can be used to change the period in which metrics are graphed.

Step 5:
Set the period for Web and Database to 1 Minute.

Step 6:
Click Actions > Attach to Dashboard

Step 7:
Click Create New under the dashboard search bar.

Step 8:
Set the name to “FinalCloudWatchDashboard” and click Create

Step 9:
Click “Add to Dashboard”

Step 10:
Click Save in the top right corner to save the dashboard.


NetworkIn Metrics:
Step 1:
In the search field, enter NetworkIn and press enter

Step 2:
Check the boxes for all three instances (Web, Jump, and Database) for NetworkIn

Step 3:
Above the graph that appears, click the pencil icon to rename the graph, “FinalNetworkInGraph”, and click apply.

Step 4:
Note: The graphed metrics tab can be used to change the period in which metrics are graphed.

Step 5:
Set the period for Web and Database to 1 Minute.

Step 6:
Click Actions > Attach to Dashboard

Step 7:
Select the “FinalCloudWatchDashboard” dashboard

Step 8:
Click “Add to Dashboard”

Step 9:
Click Save in the top right corner to save the dashboard.


NetworkOut Metrics:
Step 1:
In the search field, enter NetworkOut and press enter

Step 2:
Check the boxes for all three instances (Web, Jump, and Database) for NetworkOut

Step 3:
Above the graph that appears, click the pencil icon to rename the graph, “FinalNetworkOutGraph”, and click apply.

Step 4:
Note: The graphed metrics tab can be used to change the period in which metrics are graphed.

Step 5:
Set the period for Web and Database to 1 Minute.

Step 6:
Click Actions > Attach to Dashboard

Step 7:
Select the “FinalCloudWatchDashboard” dashboard

Step 8:
Click “Add to Dashboard”

Step 9:
Click Save in the top right corner to save the dashboard.


CPUCreditUsage Metrics:
Step 1:
In the search field, enter CPUCreditUsage and press enter

Step 2:
Check the boxes for all three instances (Web, Jump, and Database) for CPUCreditUsage

Step 3:
Above the graph that appears, click the pencil icon to rename the graph, “FinalCPUCreditUsageGraph”, and click apply.

Step 4:
Note: The graphed metrics tab can be used to change the period in which metrics are graphed.

Step 5:
Set the period for Web and Database to 1 Minute.

Step 6:
Click Actions > Attach to Dashboard

Step 7:
Select the “FinalCloudWatchDashboard” dashboard

Step 8:
Click “Add to Dashboard”

Step 9:
Click Save in the top right corner to save the dashboard.


Cloudwatch Alerts:

Step 1:
Go to the EC2 Console

Step 2:
Navigate to the instances page in the left navigation pane.

Step 3:
For this project, we will configure CloudWatch alarms for the Database instance. The alarms will be for CPU utilization, Network In traffic, Network Out traffic, and CPU Credit Usage. Instructions for each are listed below:

CPU Alarm:

Step 1: Check the box for the database instance

Step 2: Click Actions > Monitor and Troubleshoot > Manage CloudWatch alarms

Step 3: Choose create an alarm

Step 4: Turn Alarm Notification toggle to off

Step 5: Leave Alarm Action Off

Step 6: Set alarm thresholds:

  • Type of data: CPU utilization
  • Alarm When: >=
  • Percent: 70
  • Consecutive Period: 1
  • Period: 5 Minutes
  • Alert Name: DatabaseCPUUtilizationAlarm

NetworkIn Alarm:

Step 1: Check the box for the database instance

Step 2: Click Actions > Monitor and Troubleshoot > Manage CloudWatch alarms

Step 3: Choose create an alarm

Step 4: Turn Alarm Notification toggle to off

Step 5: Leave Alarm Action Off

Step 6: Set alarm thresholds:

  • Type of data: Network in
  • Alarm When: >=
  • Bytes: 100000
  • Consecutive Period: 1
  • Period: 5 Minutes
  • Alert Name: DatabaseNetworkInAlarm

NetworkOut Alarm:

Step 1: Check the box for the database instance

Step 2: Click Actions > Monitor and Troubleshoot > Manage CloudWatch alarms

Step 3: Choose create an alarm

Step 4: Turn Alarm Notification toggle to off

Step 5: Leave Alarm Action Off

Step 6: Set alarm thresholds:

  • Type of data: Network out
  • Alarm When: >=
  • Bytes: 100000
  • Consecutive Period: 1
  • Period: 5 Minutes
  • Alert Name: DatabaseNetworkOutAlarm

CPU Credit Alarm:

Step 1: Check the box for the database instance

Step 2: Click Actions > Monitor and Troubleshoot > Manage CloudWatch alarms

Step 3: Choose create an alarm

Step 4: Turn Alarm Notification toggle to off

Step 5: Leave Alarm Action Off

Step 6: Set alarm thresholds:

  • Type of data: CPU credit usage
  • Alarm When: >=
  • Count: 5
  • Consecutive Period: 1
  • Period: 5 Minutes
  • Alert Name: DatabaseCPUCreditUsageAlarm

Part 2 CloudWatch Screenshots:

Cloudwatch Dashboard Screenshot


Cloudwatch All Alerts Screenshot


Cloudwatch CPU Utilization AlertScreenshot


Cloudwatch Network In Alert Screenshot


Cloudwatch Network Out Alert Screenshot


Cloudwatch CPU Credit Usage Alert Screenshot



Configure Cloudtrail:

Step 1:
Go to the Cloudtrail Console

Step 2:
On the left pane, click Dashboard.

Step 3:
Click “Create Trail” in the Trails pane.

Step 4:
Name the trail “FinalManagementInsightTrail”

Step 5:
Select the option to Create new S3 Bucket

Step 6:
In the dialog box for trail log and bucket folder, enter “finalbucketforcloudtraillogs”

Step 7:
Uncheck the enabled box for Log file SSE-KMS encryption (so we can see the logs).

Step 8:
Select New under Customer managed AWS KMS key

Step 9:
For the AWS KMS alias, type “SYS360-Final-KMS”

Step 10:
Leave Additional settings as default

Step 11:
DO NOT Enable Cloudwatch logs

Step 12:
Add two tags with the following values

  • Tag 1
    • Key: Compliance
    • Value: Auditing
  • Tag 2
    • Key: FinalProject
    • Value: Complete

Step 13:
Click Next

Step 14:
In the Events pane, select Management Events and Insight Events

Step 15:
In the Management Events pane, choose Read and Write for API activity

Step 16:
In the Insight Events pane, choose API call rate and API error rate under Insight Types

Step 17:
Click next

Step 18:
Read over the review and edit page and click “Create trail”

Viewing the Trails:
Step 1:
In the left pane of the cloudtrail console, select Trails

Step 2:
Find the FinalManagementInsightTrail trail, and in the S3 Bucket column, select the name of the S3 bucket (finalbucketforcloudtraillogs)

Step 3:
To view management logs, click the “Cloudtrail/” object. To view the insight logs, click the “CloudTrail-Insight/” object.

💡 Logs can be downloaded and viewed using a text editor or JSON formatter.

Management Event Logs and Insight explanation:

The CloudTrail management logs show any management events that occurred in AWS. These events include, but are not limited to, API calls, VPC creations, subnet creations, and CloudTrail creations. CloudTrail Insights reports anomalous activity found in the logs: if something that isn't normal or expected happens, CloudTrail Insights reports it.

Part 2 CloudTrail Screenshots:

My CloudTrail Trail:


My CloudTrail Logs:

The screenshot below shows some of the logs as they appear in AWS:

The screenshot below shows the contents of a management event log. This log shows the creation of an AWS bucket and related information such as the user, created bucket name, region, and other info. Some of the important information is highlighted:
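To make the fields in such a management event log concrete, here is an added Python example (not part of the original write-up) that parses a log file in CloudTrail's top-level "Records" layout and pulls out the user, action, bucket name, region and outcome the screenshot highlights, then separates write events from read-only ones and lists failed API calls. The sample log is constructed: the field names follow the CloudTrail record schema, but the account ID, IP addresses, timestamps and security group ID are made up.

```python
"""Parse a CloudTrail management-event log file (the JSON objects under the
CloudTrail/ prefix in the S3 bucket) and summarise who did what, and where."""
import json

# Constructed sample in CloudTrail's file layout: {"Records": [...]}.
# Field names are the real schema; every value here is made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2023-04-20T18:01:12Z",
     "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "example-admin",
                      "arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"bucketName": "finalbucketforcloudtraillogs"}},
    {"eventVersion": "1.08", "eventTime": "2023-04-20T18:02:40Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "userName": "example-admin",
                      "arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": None},
    {"eventVersion": "1.08", "eventTime": "2023-04-20T18:05:03Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "example-admin",
                      "arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"},  # placeholder ID
     "errorCode": "UnauthorizedOperation"},
]})


def load_records(text):
    """CloudTrail writes one JSON object per file with a top-level 'Records' list."""
    return json.loads(text)["Records"]


def summarise(record):
    """Pull the fields highlighted in the write-up: who, what, where, and outcome."""
    ident = record.get("userIdentity", {})
    params = record.get("requestParameters") or {}   # may be null in real logs
    service = record["eventSource"].split(".")[0]      # "s3.amazonaws.com" -> "s3"
    return {
        "time": record["eventTime"],
        "user": ident.get("userName") or ident.get("arn", "unknown"),
        "action": f'{service}:{record["eventName"]}',
        "region": record["awsRegion"],
        "source_ip": record.get("sourceIPAddress"),
        "bucket": params.get("bucketName"),
        "error": record.get("errorCode"),
    }


def write_events(records):
    """Management events that changed something (the 'Write' API activity class)."""
    return [r for r in records if not r.get("readOnly", False)]


def failed_events(records):
    """Calls recorded with an errorCode (denied or failed API calls); a spike in
    these is the kind of pattern the Insights 'API error rate' type flags."""
    return [r for r in records if "errorCode" in r]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for r in write_events(recs):
        print(summarise(r))
    print("failed calls:", [r["eventName"] for r in failed_events(recs)])
```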

Cloudtrail Insights:

Since there is no anomalous behavior, there are no cloudtrail insights recorded
