Uly.me

cloud engineer

ec2

AWS Copy AMI to another Region

by ·

Here’s how to copy an AMI to another region.

aws ec2 copy-image \
  --source-image-id ami-xxxxxxxxxxx \
  --source-region us-east-1 \
  --region us-east-2 \
  --name "My DR server"

Output:

{
    "ImageId": "ami-xxxxxxxxxxx"
}

AWS EC2 List Firewall Rules

by ·

AWS EC2 Firewall rules are defined within security groups. Security groups are attached to an instance. An instance can have up to 5 security groups. Essentially, this script gathers all the security groups associated with an instance, loops through them, and then outputs the ingress and egress rules of each security group to a file in a text format.

#!/bin/bash
# set variables
instanceid='i-xxxxxxxxxxxxxxxx'
region='us-east-1'
profile='sample'
# log and temp files
output="ec2-sg.log"
tmpfil="ec2-sg.tmp"
# empty log at start
> $output
# get sg ids
aws ec2 describe-instances \
--instance-ids $instanceid \
--region $region \
--profile $profile \
--query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' --output text > $tmpfil
while read -r id; do
  echo '============================================' >> $output
  echo $id >> $output
  echo '============================================' >> $output
  echo '---------------- INGRESS -------------------' >> $output
  aws ec2 describe-security-groups \
  --group-ids $id \
  --profile $profile \
  --region $region \
  --output text \
  --query 'SecurityGroups[].IpPermissions[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output
  echo '---------------- EGRESS --------------------' >> $output
  aws ec2 describe-security-groups \
  --group-ids $id \
  --profile $profile \
  --region $region \
  --output text \
  --query 'SecurityGroups[].IpPermissionsEgress[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output
done < $tmpfil

Here’s a sample output.

============================================
sg-xxxxxxxxxxxxxxx
============================================
---------------- INGRESS -------------------
5985    5985    tcp     10.0.0.220/32
10005   10005   tcp     10.0.0.164/32
---------------- EGRESS --------------------
80      80      tcp     10.0.0.14/32
40000   65535   udp     10.0.0.0/8
3389    3389    tcp     10.0.0.96/32
9389    9389    tcp     10.0.0.0/8
5985    5986    tcp     10.0.0.96/32

AWS CLI Display Tags

by ·

This command lists the EC2 instance id and the tag name using query.

aws ec2 describe-instances \
--query 'Reservations[].Instances[].[InstanceId,Tags[?Key==Name]|[0].Value]' \
--profile tfc \
--region us-east-2 \
--output text

Output:

i-xxxxxxxxxxxxxxxxx     server-one
i-xxxxxxxxxxxxxxxxx     server-two
i-xxxxxxxxxxxxxxxxx     server-three

|[0].Value insures output is one instance record per line.

AWS Enable Enhance Network Support

by ·

When changing machine types, you may be asked to enable the latest ENA driver for Enhanced Network Support on an Amazon EC2 instance. There are several instructions depending on the Linux OS flavor. Here are the instructions to enable. In some cases, you may need to rebuild the kernel module. To verify that the ena module is installed, use the modinfo command as shown in the following example.

modinfo ena

You also may have to enable the enhanced networking attribute on the instance.

aws ec2 modify-instance-attribute --instance-id instance_id --ena-support

EC2 Password Authentication

by ·

When you stand up an AWS instance, it’s only accessible via SSH key using the default user, typically ec2-user.

Add password to ec2-user, then enable password authentication to ‘yes’ in SSH.

# Add password to ec2-user
sudo passwd ec2-user
# edit ssh config
vim /etc/ssh/sshd_config
# enable password authentication
PasswordAuthentication yes
# save file and exit

Restart SSH service.

systemctl restart sshd.service

AWS EC2 Describe Snapshots

by ·

Here’s how to describe snapshots using query with tags.

aws ec2 describe-snapshots \
--owner-ids xxxxxxxxxxx \
--profile default \
--region us-east-2 \
--output text \
--query "Snapshots[*].[SnapshotId,Tags[?Key=='Name'].Value[] | [0]]"

Result.

snap-xxxxxxxxxxxxxxxxx	Server1
snap-xxxxxxxxxxxxxxxxx	Server2

EBS DeleteOnTermination

by ·

Here’s how to set the DeleteOnTermination setting on EBS volumes. The DeleteOnTermination flag determines if an EBS volume will be kept or deleted when an EC2 instance is terminated. The DeleteOnTermination setting can be set during EC2 instance creation, or it can be applied to an existing or a running EC2 instance. The settings can be placed in a JSON file and loaded using –block-device-mappings option upon creation.

During creation.

aws ec2 run-instances \
--count 1 \
--region us-east-2 \
--key-name tfc-ohio \
--image-id ami-xxxxxxxx \
--instance-type t2.large \
--subnet-id subnet-xxxxxxx \
--private-ip-address 10.0.4.100 \
--iam-instance-profile Name=machinerole \
--security-group-ids sg-xxxxxxxxxxxxx \
--block-device-mappings file://mapping.json

Contents of mapping.json

[
  {
    "DeviceName": "/dev/sda1",
    "Ebs": {
      "DeleteOnTermination": true,
      "VolumeSize": 30
      "VolumeType": "gp2"
    }
  }
]

Device name is /dev/sda1. Termination is set to true. Volume size is 30GB and EBS type is gp2.

Modifying an existing EC2 instance.

aws ec2 modify-instance-attribute \
--instance-id i-xxxxxxxxxxxxx \
--block-device-mappings file://mapping.json

Here’s the mapping.json file.

[
  {
    "DeviceName": "/dev/sda1",
    "Ebs": {
      "DeleteOnTermination": false,
    }
  }
]

Obviously, you can’t change Volume size and type to an existing EBS volume, but you can flip the DeleteOnTermination flag and vice versa.

AWS Boto3 Client

by ·

Boto is the Amazon Web Services (AWS) SDK for Python. It enables Python developers to create, configure, and manage AWS services, such as EC2 and S3. Boto provides an easy to use, object-oriented API, as well as low-level access to AWS services.

Here’s a quick example how to query for AWS resources.

import logging
import boto3
from botocore.exceptions import ClientError
 
# set aws profile
session = boto3.Session(profile_name="default")
 
# get buckets
s3 = session.client('s3')
results = s3.list_buckets()
 
# display buckets
print('Existing buckets:')
for key in results['Buckets']:
    print(f'{key["Name"]}')
 
# get ec2 instances. set region.
ec2 = session.client('ec2', region_name='us-east-1')
results = ec2.describe_instances()
 
# display instances
for key in results["Reservations"]:
      for instance in key["Instances"]:
           instance_id = instance["InstanceId"]
           instance_type = instance["InstanceType"]
           availability_zone = instance["Placement"]["AvailabilityZone"]
           print(instance_id + "\t" + instance_type + "\t" + availability_zone)
 
# get list of users
client = session.client('iam')
results = client.list_users()
 
# display list of users
for key in results['Users']:
    print (key['UserName'])

AWS Instance Type to M5 or C5

by ·

If you have changed instance type to either C5 or M5 and it no longer boots, it’s due to the following reasons.

  1. The Elastic Network Adapter (ENA) enaSupport attribute is disabled for the instance.
  2. The ENA module isn’t installed on the instance
  3. The NVMe module isn’t installed on the instance, or, if installed, the NVMe module isn’t loaded in the initramfs image of the instance.
  4. You are trying to mount the file systems at boot time in the “/etc/fstab” file using a device name. Amazon Elastic Block Store (Amazon EBS) volumes are exposed as NVMe devices to these instance types, and the device names are changed. To avoid this, mount the file systems using UUID/Label. For more information, see Amazon EBS and NVMe.

You will need to run a Bash script to update the current instance to be able to support a C5 or M5 instance.

AWS CLI EC2 Describe Tags

by ·

Here’s how to get a list of EC2 tags.

aws ec2 describe-tags \
--filters "Name=resource-id,Values=i-xxxxxxxxxxxxx" \
--query 'Tags[][Key,Value]'  \
--profile default \
--region us-east-1 \
--output text