cloud engineer
AWS has machine types that require ENA Support. You can run AWS CLI to find out if instance is ENA enabled.
aws ec2 describe-instances \ --instance-id i-xxxxxxxxxxxxxxxxx \ --profile default \ --region us-east-1 \ --query 'Reservations[].Instances[].EnaSupport' |
Login to the instance and verify.
sudo lspci | grep -i Amazon |
List driver details.
modinfo nvme |
Verify modules loaded at startup.
lsmod | grep nvme lsmod | grep ena |
If ENA drivers are missing, install them.
yum install pciutils |
Here’s a quick way to find the AWS Account ID via AWS CLI.
aws sts get-caller-identity --query Account --output text |
Output is a 12 digit number (redacted)
xxxxxxxxxxxx |
AWS Account ID is a 12 digit number unique to each AWS account. Occasionally, there are scripts and policies that need the ID of the account. The command above is one way of querying the account ID so they can be used for policies that need them.
Here’s how to list AWS Backup vaults and plans. You can filter the output by specifying a vault.
aws backup list-backup-vaults --query "BackupVaultList[?BackupVaultName=='my-vault']" --output json |
Output: (outputs are redacted for security reasons)
[ { "BackupVaultName": "my-vault", "BackupVaultArn": "arn:aws:backup:us-east-1:xxxxxxxxxxxx:backup-vault:my-vault", "CreationDate": "2019-02-10T11:38:42.556000-05:00", "EncryptionKeyArn": "arn:aws:kms:us-east-1:xxxxxxxxxxxx:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "CreatorRequestId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "NumberOfRecoveryPoints": 3 } ] |
Display the BackupPlanId of a specific backup plan.
aws backup list-backup-plans --query "BackupPlansList[?BackupPlanName=='my-backup-plan'].BackupPlanId" |
Output: (outputs are redacted for security reasons)
[ "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" ] |
AWS EC2 Firewall rules are defined within security groups. Security groups are attached to an instance. An instance can have up to 5 security groups. Essentially, this script gathers all the security groups associated with an instance, loops through them, and then outputs the ingress and egress rules of each security group to a file in a text format.
#!/bin/bash # set variables instanceid='i-xxxxxxxxxxxxxxxx' region='us-east-1' profile='sample' # log and temp files output="ec2-sg.log" tmpfil="ec2-sg.tmp" # empty log at start > $output # get sg ids aws ec2 describe-instances \ --instance-ids $instanceid \ --region $region \ --profile $profile \ --query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' --output text > $tmpfil while read -r id; do echo '============================================' >> $output echo $id >> $output echo '============================================' >> $output echo '---------------- INGRESS -------------------' >> $output aws ec2 describe-security-groups \ --group-ids $id \ --profile $profile \ --region $region \ --output text \ --query 'SecurityGroups[].IpPermissions[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output echo '---------------- EGRESS --------------------' >> $output aws ec2 describe-security-groups \ --group-ids $id \ --profile $profile \ --region $region \ --output text \ --query 'SecurityGroups[].IpPermissionsEgress[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output done < $tmpfil |
Here’s a sample output.
============================================ sg-xxxxxxxxxxxxxxx ============================================ ---------------- INGRESS ------------------- 5985 5985 tcp 10.0.0.220/32 10005 10005 tcp 10.0.0.164/32 ---------------- EGRESS -------------------- 80 80 tcp 10.0.0.14/32 40000 65535 udp 10.0.0.0/8 3389 3389 tcp 10.0.0.96/32 9389 9389 tcp 10.0.0.0/8 5985 5986 tcp 10.0.0.96/32 |
The AWS CLI has a not so well-known comparison operator called “contains” which can be used to filter or query the output of your results. In this example, we want to show only instances that were not terminated.
Here’s a query containing “?!contains().”
aws ec2 describe-instances \ --query 'Reservations[*].Instances[?!contains(State.Name, `terminated`)].{Instance:InstanceId}' --output text |
Copy object or file to S3 bucket.
aws s3 cp filename.ext s3://bucketname/ --profile your-profile |
To make it publicly available, run this command.
aws s3api put-object-acl \ --bucket bucket-name \ --key filename.ext \ --acl public-read \ --profile your-profile |
Here is how to enable Amazon S3 Transfer Acceleration on a S3 bucket.
aws s3api put-bucket-accelerate-configuration \ --bucket bucketname \ --accelerate-configuration Status=Enabled \ --region us-east-1 |
Use an accelerate endpoint.
aws configure set default.s3.use_accelerate_endpoint true |
To copy files to S3 you can use the default copy.
aws s3 cp file.txt s3://bucketname/keyname \ --region us-east-1 |
Or use the acceleration endpoint.
aws configure set s3.addressing_style virtual aws s3 cp file.txt s3://bucketname/keyname \ --endpoint-url http://s3-accelerate.amazonaws.com \ --region us-east-1 |
How to install AWS CLI version 2.
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install |
Here’s how to add a GCP firewall rule with the AH (authentication header) and ESP (Encapsulating Security Payload) protocols.
gcloud compute firewall-rules update "firewall-name" \ --description="firewall description" \ --priority "1000" \ --target-service-accounts="service-account@gserviceaccount.com" \ --destination-ranges="10.0.0.0/8" \ --rules 50,51,tcp:80,udp:1000 |
There is no need to add protocols for AH and ESP. Just the port numbers.
Here’s the AWS CLI to register instances to a load balancer.
aws elb register-instances-with-load-balancer \ --load-balancer-name my-load-balancer \ --instances i-xxxxxxxxxxx i-xxxxxxxxxxx i-xxxxxxxxxxx |