AWS Security Groups IP CIDR

Here’s how to search for AWS Security Groups that have an egress rule for a given IP CIDR. (Use the ip-permission.cidr filter instead of egress.ip-permission.cidr to search ingress rules.)

aws ec2 describe-security-groups \
--filters Name=egress.ip-permission.cidr,Values='10.8.8.8/32' \
--query "SecurityGroups[*].{Id:GroupId,Name:GroupName}" \
--output text \
--profile default \
--region us-east-1

Search with ports.

aws ec2 describe-security-groups \
--filters Name=egress.ip-permission.cidr,Values='10.8.8.8/32' \
          Name=egress.ip-permission.from-port,Values='22' \
          Name=egress.ip-permission.to-port,Values='22' \
--query "SecurityGroups[*].{Id:GroupId,Name:GroupName}" \
--output text \
--profile default \
--region us-east-1

The --query expression limits the output to the group ID and name; drop it to see the full rule set. Two caveats. The cidr filter is an exact string match, so a group that allows 10.8.0.0/16 or 0.0.0.0/0 (both of which cover 10.8.8.8) is not returned. And when several filters are given they are ANDed per group, not per rule, so a group with 10.8.8.8/32 in one rule and port 22 in a different rule can also match. Inspect the rules of the returned groups before drawing conclusions.
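Both caveats (exact CIDR match, and filters ANDed per group rather than per rule) can be checked against the full rule data instead of the filter output. The script below is an added example, not code from the original post: it works on the JSON that `aws ec2 describe-security-groups --output json` returns, the response embedded here is constructed with made-up group IDs and names, and the function names are mine. groups_filter_style reproduces what the CLI filters report, groups_single_rule asks whether one rule carries both the CIDR and the port, and covering=True additionally treats broader blocks such as 0.0.0.0/0 as a hit.

```python
"""Rule-level check of security group rules, over the JSON that
`aws ec2 describe-security-groups --output json` returns."""
import ipaddress
import json

# Constructed sample in the shape of the describe-security-groups response.
# Group IDs and names are made up for this example.
SAMPLE_RESPONSE = json.loads(r"""
{
  "SecurityGroups": [
    {"GroupId": "sg-0aaa111", "GroupName": "bastion-egress",
     "IpPermissions": [],
     "IpPermissionsEgress": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "10.8.8.8/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb222", "GroupName": "split-rules",
     "IpPermissions": [],
     "IpPermissionsEgress": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "10.8.8.8/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc333", "GroupName": "wide-open-ingress",
     "IpPermissions": [
       {"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "10.8.0.0/16"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": []}
  ]
}
""")


def cidr_hit(rule, target_cidr, covering=False):
    """True if the rule lists target_cidr exactly, or (covering=True) any block that contains it."""
    target = ipaddress.ip_network(target_cidr, strict=False)
    ranges = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    ranges += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    for cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        if net == target:
            return True
        if covering and net.version == target.version and target.subnet_of(net):
            return True
    return False


def port_hit(rule, port):
    """True if the rule's protocol/port range admits `port` (None means any port)."""
    if port is None:
        return True
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule
        return True
    if proto in ("icmp", "icmpv6"):        # FromPort/ToPort hold ICMP type/code, not ports
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def _rules(group, direction):
    return group.get("IpPermissionsEgress" if direction == "egress" else "IpPermissions", [])


def groups_filter_style(response, target_cidr, port=None, direction="egress"):
    """What the CLI filters do: each filter is satisfied by *any* rule of the group."""
    hits = []
    for sg in response["SecurityGroups"]:
        rules = _rules(sg, direction)
        if any(cidr_hit(r, target_cidr) for r in rules) and any(port_hit(r, port) for r in rules):
            hits.append(sg["GroupId"])
    return hits


def groups_single_rule(response, target_cidr, port=None, direction="egress", covering=False):
    """Stricter question: is there one rule that carries both the CIDR and the port?"""
    hits = []
    for sg in response["SecurityGroups"]:
        if any(cidr_hit(r, target_cidr, covering) and port_hit(r, port)
               for r in _rules(sg, direction)):
            hits.append(sg["GroupId"])
    return hits


if __name__ == "__main__":
    print(groups_filter_style(SAMPLE_RESPONSE, "10.8.8.8/32", 22))                     # both sg-0aaa111 and sg-0bbb222
    print(groups_single_rule(SAMPLE_RESPONSE, "10.8.8.8/32", 22))                      # only sg-0aaa111
    print(groups_single_rule(SAMPLE_RESPONSE, "10.8.8.8/32", 22, covering=True))       # sg-0bbb222 again, via 0.0.0.0/0
    print(groups_single_rule(SAMPLE_RESPONSE, "10.8.8.8/32", 22, direction="ingress", covering=True))
```

To run it against a real account, save the CLI output with `aws ec2 describe-security-groups --output json > sg.json` and replace SAMPLE_RESPONSE with `json.load(open("sg.json"))`; the rest of the script is unchanged. The split-rules group is the case the CLI filters get wrong: it shows up in the filter-style search although no single rule allows 22/tcp to 10.8.8.8/32, and only the covering search explains why it still matters (the port-22 rule is open to the world).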

MySQL Backup To S3 Bucket

Here’s my MySQL backup script that pushes a dump of one database to an S3 bucket.

Just a couple of things about the script. It uses …

  1. AWS CLI
  2. mysqldump

Both must be installed and configured before the script will work: mysqldump should read its credentials from /root/.my.cnf (mode 600) rather than from the command line, where they would show up in ps output, and the AWS CLI needs a credential source (an instance role is best) with s3:PutObject on the bucket.

#!/bin/bash
# Dump dbname and upload it to S3; the local copy is removed afterwards.
set -euo pipefail                      # stop on the first failure instead of uploading a partial dump
cd /root/database || exit 1
umask 077                              # the dump contains live data; keep it readable by root only
TIMESTAMP=$(date +%Y-%m-%d)
S3FILE="s3://bucketname/sqlbackup/backup-$TIMESTAMP.sql"
trap 'rm -f dbname.sql' EXIT           # clean up whether or not the upload succeeds
/usr/bin/mysqldump --single-transaction dbname > dbname.sql
/usr/local/bin/aws s3 cp --sse AES256 dbname.sql "$S3FILE"

Finally, add a lifecycle rule on the bucket (for the sqlbackup/ prefix) that expires objects after 7 days, so backups older than 7 days are deleted automatically. Keep in mind that expiration is housekeeping, not protection: a principal with s3:DeleteObject can still remove every backup at once, so the role the script runs under should have s3:PutObject but not s3:DeleteObject, and the bucket should have public access blocked.
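The 7-day retention as an S3 lifecycle configuration, added here as an example rather than taken from the original post; the bucket name and prefix are the ones used in the script above, the rule ID is arbitrary.

```json
{
  "Rules": [
    {
      "ID": "expire-sql-backups-after-7-days",
      "Status": "Enabled",
      "Filter": { "Prefix": "sqlbackup/" },
      "Expiration": { "Days": 7 },
      "AbortIncompleteMultipartUpload": { "DaysAfterInitiation": 1 }
    }
  ]
}
```

Apply it with `aws s3api put-bucket-lifecycle-configuration --bucket bucketname --lifecycle-configuration file://lifecycle.json`. Days count from the object's creation date and expiration runs asynchronously, so an object can linger slightly past day 7 (you stop being billed once it is eligible). If versioning is enabled on the bucket, Expiration only adds a delete marker; add a NoncurrentVersionExpiration element as well or the old dumps stay around as noncurrent versions.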

AWS RDS Start and Stop Policy

Here’s an IAM policy that you can attach to an IAM user or an IAM role so that they can describe, start and stop one specific RDS instance, provided the instance carries the tag Application=application-name.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "rds:db-tag/Application": "application-name"
                }
            },
            "Action": [
                "rds:DescribeDBInstances",
                "rds:StartDBInstance",
                "rds:StopDBInstance"
            ],
            "Resource": "arn:aws:rds:us-east-1:xxxxxxxxxxxx:db:db-instance-name",
            "Effect": "Allow"
        }
    ]
}
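Three things to check before relying on this policy. The condition requires the instance to actually carry the tag Application=application-name (compared case-insensitively); if the tag is absent the StringEqualsIgnoreCase test fails and the request is denied. Because authorization hinges on a tag, anyone who can call rds:AddTagsToResource on other instances can extend their own reach, so keep tagging rights separate from this policy. And a DescribeDBInstances call that does not name the instance (the console's instance list, or `aws rds describe-db-instances` with no identifier) is evaluated against every instance, which this resource restriction denies; grant rds:DescribeDBInstances on "*" in a separate statement if the user needs to browse. The model below is added here as an illustration and is not part of the original page or of any AWS library: it mimics that evaluation for the policy above, handling only Allow statements, wildcard Action/Resource matching and the two StringEquals operators (real IAM also applies explicit Deny, permission boundaries and SCPs). The request contexts and the second instance name are constructed for the example.

```python
"""Minimal model of how IAM evaluates the RDS start/stop policy above.

Only what the policy uses is modelled: Allow statements, Action/Resource
wildcards, and the StringEquals / StringEqualsIgnoreCase operators.
"""
import fnmatch
import json

# The policy from the page; the account id is the page's own placeholder.
POLICY = json.loads(r"""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "rds:db-tag/Application": "application-name"
                }
            },
            "Action": [
                "rds:DescribeDBInstances",
                "rds:StartDBInstance",
                "rds:StopDBInstance"
            ],
            "Resource": "arn:aws:rds:us-east-1:xxxxxxxxxxxx:db:db-instance-name",
            "Effect": "Allow"
        }
    ]
}
""")

DB_ARN = "arn:aws:rds:us-east-1:xxxxxxxxxxxx:db:db-instance-name"
OTHER_ARN = "arn:aws:rds:us-east-1:xxxxxxxxxxxx:db:other-db"       # constructed, not on the page
ALL_DBS = "arn:aws:rds:us-east-1:xxxxxxxxxxxx:db:*"                  # what a list call is evaluated against


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Action and Resource elements support * and ? wildcards. This model is
    # case-sensitive; real IAM matches action names case-insensitively.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """context maps condition keys (e.g. 'rds:db-tag/Application') to the request's values."""
    for operator, tests in condition.items():
        if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in tests.items():
            actual = context.get(key)
            if actual is None:
                return False   # a missing key never satisfies StringEquals*; only ...IfExists would
            wanted = _as_list(expected)
            if operator == "StringEquals" and actual not in wanted:
                return False
            if operator == "StringEqualsIgnoreCase" and actual.lower() not in [w.lower() for w in wanted]:
                return False
    return True


def is_allowed(policy, action, resource, context):
    """True if some Allow statement matches the action, the resource and its condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


if __name__ == "__main__":
    tagged = {"rds:db-tag/Application": "Application-Name"}   # constructed request context
    print(is_allowed(POLICY, "rds:StopDBInstance", DB_ARN, tagged))        # True: case-insensitive tag match
    print(is_allowed(POLICY, "rds:StopDBInstance", DB_ARN, {}))            # False: tag missing
    print(is_allowed(POLICY, "rds:StopDBInstance", OTHER_ARN, tagged))     # False: other instance
    print(is_allowed(POLICY, "rds:DescribeDBInstances", ALL_DBS, tagged))  # False: list call spans all instances
```

For the real thing use `aws iam simulate-custom-policy` with `--context-entries` for the rds:db-tag/Application key; the model is only meant to make the tag and resource dependencies visible.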

AWS Instance Type to M5 or C5

If you have changed the instance type to C5 or M5 and the instance no longer boots, it is usually due to one of the following reasons.

  1. The Elastic Network Adapter (ENA) enaSupport attribute is disabled for the instance.
  2. The ENA module isn’t installed on the instance.
  3. The NVMe module isn’t installed on the instance, or, if installed, the NVMe module isn’t loaded in the initramfs image of the instance.
  4. You are mounting file systems at boot time in "/etc/fstab" using a device name. Amazon Elastic Block Store (Amazon EBS) volumes are exposed as NVMe devices to these instance types, and the device names change (for example /dev/xvdf comes back as /dev/nvme1n1). To avoid this, mount the file systems using a UUID or label. For more information, see Amazon EBS and NVMe.

These have to be fixed while the instance is still on its old type, because afterwards it may come up without network or fail to find its root volume, and you cannot log in to repair it. AWS publishes a checker script for exactly this (c5_m5_checks_script.sh in the awslabs/aws-support-tools repository on GitHub); run it as root on the instance and it reports which of the four conditions apply. The attribute is set from outside the instance, while it is stopped: aws ec2 modify-instance-attribute --instance-id <id> --ena-support. The kernel modules and the initramfs are fixed with the distribution's package manager and initramfs tool (dracut -f on RHEL/CentOS/Amazon Linux, update-initramfs -u on Debian/Ubuntu), and the fstab entries by replacing device names with UUID= or LABEL= values (blkid shows both).
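The following pre-flight check is an added example, not the AWS script or code from the original post. It covers the parts that can be tested from inside the instance: whether the ena and nvme drivers are present (via modinfo), whether the running kernel's initramfs contains the nvme driver (via lsinitrd or lsinitramfs, assuming the usual /boot image names), and which /etc/fstab entries still mount by kernel device name. The enaSupport attribute lives in EC2, not in the instance, and must be read from outside with `aws ec2 describe-instances --instance-ids <id> --query 'Reservations[].Instances[].EnaSupport'`. The fstab content embedded below is constructed for the example.

```python
"""Pre-flight checks, run as root on the instance before changing it to C5/M5."""
import os
import shutil
import subprocess

# Constructed /etc/fstab for the example (not from a real host): two entries use
# kernel device names, the others use UUID=, LABEL= or a pseudo-filesystem.
SAMPLE_FSTAB = """\
# <file system>                             <mount point>  <type>  <options>        <dump> <pass>
/dev/xvda1                                  /              ext4    defaults         0      1
UUID=1b2c3d4e-0000-1111-2222-333344445555   /data          xfs     defaults,nofail  0      2
LABEL=logs                                  /var/log       ext4    defaults         0      2
/dev/sdf                                    /backup        ext4    defaults         0      2
tmpfs                                       /tmp           tmpfs   defaults         0      0
"""

# Names the Xen-based instance types hand out. Under NVMe the same volumes appear
# as /dev/nvmeXnY and the numbering is not stable, so fstab entries using these
# names can hang the boot.
DEVICE_NAME_PREFIXES = ("/dev/sd", "/dev/xvd", "/dev/hd")


def fstab_device_name_mounts(fstab_text):
    """Return [(device, mountpoint)] for entries that mount by kernel device name."""
    bad = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 2:
            continue
        if fields[0].startswith(DEVICE_NAME_PREFIXES):
            bad.append((fields[0], fields[1]))
    return bad


def module_available(name):
    """True if modinfo finds the driver, False if not, None if modinfo is not installed."""
    if shutil.which("modinfo") is None:
        return None
    return subprocess.run(["modinfo", name], capture_output=True).returncode == 0


def nvme_in_initramfs():
    """Best-effort: list the running kernel's initramfs and look for the nvme driver.

    Assumes the usual image paths (dracut: /boot/initramfs-<release>.img,
    Debian/Ubuntu: /boot/initrd.img-<release>); returns None if neither is found.
    """
    release = os.uname().release
    candidates = (("lsinitrd", f"/boot/initramfs-{release}.img"),
                  ("lsinitramfs", f"/boot/initrd.img-{release}"))
    for tool, image in candidates:
        if shutil.which(tool) and os.path.exists(image):
            listing = subprocess.run([tool, image], capture_output=True, text=True).stdout
            return "nvme" in listing
    return None


def preflight(fstab_text=None):
    """Collect the in-instance checks; the enaSupport attribute must be read via the EC2 API."""
    if fstab_text is None:
        with open("/etc/fstab") as fh:
            fstab_text = fh.read()
    return {
        "ena_module": module_available("ena"),
        "nvme_module": module_available("nvme"),
        "nvme_in_initramfs": nvme_in_initramfs(),
        "fstab_device_name_mounts": fstab_device_name_mounts(fstab_text),
    }


if __name__ == "__main__":
    for check, result in preflight(SAMPLE_FSTAB).items():
        print(f"{check}: {result}")
```

On a real host call preflight() with no argument so it reads /etc/fstab. A None result means the check could not be performed (tool or image not found), not that the condition is fine; treat it as something to verify by hand. Any non-empty fstab_device_name_mounts list must be converted to UUID= or LABEL= entries before the type change.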