AWS LightSail Create Instance

How to create a LightSail instance from a snapshot via AWS CLI.

aws lightsail create-instances-from-snapshot \
--instance-names your-server-name \
--availability-zone us-east-1a \
--instance-snapshot-name your-snapshot \
--bundle-id nano_1_0 \
--key-pair-name your-key-pair

Route 53 Policy to Change Records

Here’s the IAM policy you’ll need to change Route 53 DNS records. Substitute with your own hosted zone id.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets"],
         "Resource": "arn:aws:route53:::hostedzone/HOSTEDZONEID"
      },
      {
         "Effect": "Allow",
         "Action": ["route53:GetChange"],
         "Resource": "arn:aws:route53:::change/*"
      }
   ]
}

Attach the policy to the IAM user (or role) that will change the records. Both statements belong in one "Statement" array; a policy document that repeats the "Statement" key keeps only the last one.

EFS CloudFormation

Here’s a simple EFS CloudFormation template with one mount target. The EFS security group only accepts NFS (TCP 2049) from the security group of the EC2 instance that mounts the file system.

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "EFS example setup",
	"Parameters": {
		"VPC": {
			"Description": "VPC ID",
			"Type": "AWS::EC2::VPC::Id"
		},
		"Subnet": {
			"Description": "Subnet ID",
			"Type": "AWS::EC2::Subnet::Id"
		},
		"EC2SecurityGroup": {
			"Description": "Security Group for EC2 instance",
			"Type": "AWS::EC2::SecurityGroup::Id"
		}
	},
	"Resources": {
		"EFSFileSystem": {
			"Type" : "AWS::EFS::FileSystem",
			"Properties" : {
				"FileSystemTags" : [
					{"Key" : "Name", "Value" : {"Ref": "AWS::StackName"}}
				]
			}
		},
		"EFSMountTarget": {
			"Type": "AWS::EFS::MountTarget",
			"Properties": {
				"FileSystemId": {"Ref": "EFSFileSystem"},
				"SubnetId": { "Ref": "Subnet" },
				"SecurityGroups": [{"Ref": "EFSSecurityGroup"}]
			}
		},
		"EFSSecurityGroup": {
			"Type": "AWS::EC2::SecurityGroup",
			"Properties": {
				"GroupDescription": "Allowing access to EFS",
				"VpcId": {"Ref": "VPC"},
				"SecurityGroupIngress": [{
					"IpProtocol": "tcp",
					"FromPort": 2049,
					"ToPort": 2049,
					"SourceSecurityGroupId": {"Ref": "EC2SecurityGroup"}
				}]
			}
		}
	}
}

S3 Restrict IP Addresses

Here’s a bucket policy that restricts access to an S3 bucket to certain IP addresses. Replace "bucket" in the Resource ARN with your bucket name.

{
    "Version": "2012-10-17",
    "Id": "S3PolicyIPRestrict",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*" 
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition" : {
                "IpAddress" : {
                    "aws:SourceIp": "10.10.10.0/24" 
                },
                "NotIpAddress" : {
                    "aws:SourceIp": "10.10.10.100/32" 
                } 
            } 
        } 
    ]
}

This allows anyone in the 10.10.10.0/24 network except for 10.10.10.100/32. Note that the Resource "arn:aws:s3:::bucket/*" covers objects only, so bucket-level actions such as listing are not granted by this statement, and a caller outside the allowed range simply fails to match the Allow rather than hitting an explicit Deny.
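As an added example (not part of these notes), the following Python checks two things worth verifying before attaching the Route 53 and S3 policies above: that a policy document does not repeat a key (a JSON parser keeps only the last "Statement", so an earlier grant silently disappears), and how the S3 bucket policy's IpAddress / NotIpAddress conditions evaluate for a given caller address. The duplicate-key sample and all function names are constructed for this example.

```python
import ipaddress
import json

# Constructed sample (not the page's text): a policy that lists "Statement" twice.
# A JSON parser keeps only the last value, so the first grant silently disappears.
DUPLICATE_STATEMENT_POLICY = """{
  "Statement": [{"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
                 "Resource": "arn:aws:route53:::hostedzone/HOSTEDZONEID"}],
  "Statement": [{"Effect": "Allow", "Action": ["route53:GetChange"],
                 "Resource": "arn:aws:route53:::change/*"}]
}"""

# The S3 bucket policy from this page, embedded so the evaluator can run offline.
S3_IP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "IPAllow", "Effect": "Allow", "Principal": {"AWS": "*"},
                 "Action": "s3:*", "Resource": "arn:aws:s3:::bucket/*",
                 "Condition": {"IpAddress": {"aws:SourceIp": "10.10.10.0/24"},
                               "NotIpAddress": {"aws:SourceIp": "10.10.10.100/32"}}}]
}""")

def find_duplicate_keys(policy_json):
    """Return keys that occur more than once within any single JSON object."""
    dupes = []
    def hook(pairs):  # called once per JSON object with its raw (key, value) pairs
        keys = [k for k, _ in pairs]
        dupes.extend(k for k in keys if keys.count(k) > 1)
        return dict(pairs)
    json.loads(policy_json, object_pairs_hook=hook)
    return sorted(set(dupes))

def surviving_actions(policy_json):
    """Actions left after a plain parse, where the last duplicate key wins."""
    return [a for s in json.loads(policy_json)["Statement"] for a in s["Action"]]

def statement_grants(statement, source_ip):
    """Evaluate IpAddress / NotIpAddress (aws:SourceIp) for one Allow statement: caller
    must be in some IpAddress CIDR and in no NotIpAddress CIDR; False = Allow not met."""
    ip = ipaddress.ip_address(source_ip)
    cond = statement.get("Condition", {})
    def cidrs(block):  # a condition value may be a single string or a list
        vals = block.get("aws:SourceIp", [])
        return [vals] if isinstance(vals, str) else vals
    def in_any(block):
        return any(ip in ipaddress.ip_network(c) for c in cidrs(block))
    if "IpAddress" in cond and not in_any(cond["IpAddress"]):
        return False
    if "NotIpAddress" in cond and in_any(cond["NotIpAddress"]):
        return False
    return True
```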