EC2 - cirelledo-csa/herd GitHub Wiki

EC2

Running naked EC2?! Don't do it! Look at services like Lambda/Fargate/RDS/etc.

But if you must...

Linux

Default AMIs for AWS

  • the default base AMI should be a recent Amazon Linux 2 image

    • How to find the latest Amazon Linux 2 image:

      aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn2-ami-hvm-2.0.????????-x86_64-gp2' 'Name=state,Values=available' --output json | jq -r '.Images | sort_by(.CreationDate) | last(.[]).ImageId'
      

      This is the description of that AMI as of 190201:

      aws ec2 describe-images --image-id `aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn2-ami-hvm-2.0.????????-x86_64-gp2' 'Name=state,Values=available' --output json | jq -r '.Images | sort_by(.CreationDate) | last(.[]).ImageId'` | jq .
      {
        "Images": [
          {
            "Architecture": "x86_64",
            "CreationDate": "2019-01-14T19:17:25.000Z",
            "ImageId": "ami-032509850cf9ee54e",
            "ImageLocation": "amazon/amzn2-ami-hvm-2.0.20190115-x86_64-gp2",
            "ImageType": "machine",
            "Public": true,
            "OwnerId": "137112412989",
            "State": "available",
            "BlockDeviceMappings": [
              {
                "DeviceName": "/dev/xvda",
                "Ebs": {
                  "DeleteOnTermination": true,
                  "SnapshotId": "snap-04359c6bb66cf4243",
                  "VolumeSize": 8,
                  "VolumeType": "gp2",
                  "Encrypted": false
                }
              }
            ],
            "Description": "Amazon Linux 2 AMI 2.0.20190115 x86_64 HVM gp2",
            "EnaSupport": true,
            "Hypervisor": "xen",
            "ImageOwnerAlias": "amazon",
            "Name": "amzn2-ami-hvm-2.0.20190115-x86_64-gp2",
            "RootDeviceName": "/dev/xvda",
            "RootDeviceType": "ebs",
            "SriovNetSupport": "simple",
            "VirtualizationType": "hvm"
          }
        ]
      }
      

Do

  • Install the SSM agent

  • Install CloudWatch agent

    • collect OS logs

    • collect system metrics

  • Install the Inspector agent

    • Run it every time you create a new image

  • Deploy behind a Load Balancer

  • Tag it like it's a blank freeway overpass

    • Tags should be used. If you're not using tags to record function or purpose, then your tags are probably the wrong ones, or you're not paying attention to them.

Never do

  • SSH - unless you're providing an SSH service; if so, look at AWS Transfer for SFTP. If you need to access an EC2 instance, use SSM. But why would you need to do that? You've coded the deployment of your application in a pipeline, right?

  • Local Users

  • Network users like LDAP

  • Keep data on instances, keep it somewhere else like:

  • Allow direct network access from outside AWS

  • Allow EC2 instances to run for more than 30 days

    • You're creating new images and promoting them as the next version of your application right?
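The tagging rule from "Do" and the no-direct-network-access and 30-day rules from "Never do" can be checked against `aws ec2 describe-instances --output json`. Added example, not code from the herd wiki; it assumes the required tag keys are Purpose and Owner and takes the audit timestamp as an argument so it runs offline on a constructed sample:

```python
"""Added example (not from the herd wiki): audit EC2 instances against the
page's tagging, network-exposure and 30-day rules, given the JSON that
`aws ec2 describe-instances --output json` prints. Assumed, not from the page:
the required tag keys (Purpose, Owner) and the explicit audit timestamp."""
import json
from datetime import datetime, timedelta

REQUIRED_TAGS = {"Purpose", "Owner"}  # assumed tag keys, not from the page
MAX_AGE = timedelta(days=30)          # "never run for more than 30 days"


def _parse(ts: str) -> datetime:
    """AWS prints UTC timestamps with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_instances(describe_json: str, now_iso: str) -> dict:
    """Return {instance-id: [findings]} for every instance that breaks a rule."""
    now = _parse(now_iso)
    findings = {}
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            problems = []
            if now - _parse(inst["LaunchTime"]) > MAX_AGE:
                problems.append("older than 30 days: replace it with a new image")
            if inst.get("PublicIpAddress"):
                problems.append("has a public IP: reachable from outside AWS")
            missing = REQUIRED_TAGS - {t["Key"] for t in inst.get("Tags", [])}
            if missing:
                problems.append("missing tags: " + ", ".join(sorted(missing)))
            if problems:
                findings[inst["InstanceId"]] = problems
    return findings


# Constructed sample in describe-instances shape; instance IDs are made up.
SAMPLE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0000000000000aaaa", "LaunchTime": "2018-12-15T10:00:00.000Z",
     "PublicIpAddress": "203.0.113.10",
     "Tags": [{"Key": "Name", "Value": "web-1"}]},
    {"InstanceId": "i-0000000000000bbbb", "LaunchTime": "2019-01-30T10:00:00.000Z",
     "Tags": [{"Key": "Purpose", "Value": "api"}, {"Key": "Owner", "Value": "team-a"}]},
]}]})

if __name__ == "__main__":
    for iid, probs in audit_instances(SAMPLE, "2019-02-01T00:00:00Z").items():
        print(iid, *probs, sep="\n  ")
```

Pipe real output in with `aws ec2 describe-instances --output json` and a current timestamp; the instance that is too old, publicly addressed and missing tags is the one the page says to rebuild, hide behind a load balancer and tag.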