AWS LightSail firewall rules can now be restricted by source IP address: a rule can be limited to an IP CIDR block or to a single IP address. For example, you can restrict who can SSH into your instance by limiting the SSH rule to just your IP address, so only you can SSH into your machine. AWS also added support for ping (ICMP) to the LightSail firewall, which could be helpful for monitoring and health checks.
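As an added example (not part of the original post), here is how those two features look from the AWS CLI: a rule set that allows SSH only from one admin address, keeps HTTP/HTTPS open, and allows ICMP echo for monitoring. The instance name "web-1" and the admin address 203.0.113.10 are constructed placeholders. The important caveat is that `put-instance-public-ports` replaces the instance's whole firewall rule set, so every rule you want to keep has to be in the same call; the script validates the CIDR before building the argument and prints the command for review unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: lock the LightSail firewall down
# so that SSH is reachable only from one admin address while HTTP/HTTPS stay
# open and ICMP echo (ping) is allowed for monitoring.
# put-instance-public-ports REPLACES the instance's whole rule set, so every
# rule you want to keep has to be in the same call.
# Constructed placeholders: instance "web-1", admin address 203.0.113.10.
set -eu

# Accept only an IPv4 dotted quad with an optional /0-32 prefix.
valid_cidr() {
  local cidr ip prefix octet
  cidr=$1
  case $cidr in
    */*) ip=${cidr%/*}; prefix=${cidr#*/} ;;
    *)   ip=$cidr;      prefix=32 ;;
  esac
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case $ip in .*|*.|*..*) return 1 ;; esac      # no empty octets
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for octet; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# JSON for --port-infos: SSH from the admin CIDR only, web open, ping open.
port_infos() {
  local admin
  admin=$1
  valid_cidr "$admin" || { echo "invalid CIDR: $admin" >&2; return 1; }
  case $admin in */*) ;; *) admin="$admin/32" ;; esac   # single host -> /32
  printf '[{"fromPort":22,"toPort":22,"protocol":"tcp","cidrs":["%s"]},' "$admin"
  printf '{"fromPort":80,"toPort":80,"protocol":"tcp","cidrs":["0.0.0.0/0"]},'
  printf '{"fromPort":443,"toPort":443,"protocol":"tcp","cidrs":["0.0.0.0/0"]},'
  # for icmp, fromPort is the ICMP type (8 = echo request) and toPort the code (-1 = any)
  printf '{"fromPort":8,"toPort":-1,"protocol":"icmp","cidrs":["0.0.0.0/0"]}]\n'
}

# Apply the rule set; pass "dry-run" as the third argument to print the
# command instead of running it.
apply_rules() {
  local instance admin rules
  instance=$1
  admin=$2
  rules=$(port_infos "$admin") || return 1
  if [ "${3:-}" = dry-run ]; then
    printf "aws lightsail put-instance-public-ports --instance-name %s --port-infos '%s'\n" "$instance" "$rules"
  else
    aws lightsail put-instance-public-ports --instance-name "$instance" --port-infos "$rules"
  fi
}

# Review first, then run for real:
#   sh lightsail-firewall.sh            (prints the command)
#   APPLY=1 sh lightsail-firewall.sh    (applies it)
if [ "${APPLY:-0}" = 1 ]; then
  apply_rules web-1 203.0.113.10
else
  apply_rules web-1 203.0.113.10 dry-run
fi
```

Run it once without APPLY to inspect the generated command, then with APPLY=1 from a session that is already connected, so a typo in the admin address cannot lock you out before you notice it.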
If you use LightSail, AWS provides an easy way for you to connect to LightSail instances via Web SSH. I normally use a terminal (ssh client) to connect to LightSail instances, but using Web SSH is very convenient. AWS adds a special Web SSH configuration to the LightSail base images, and if you do an in-place OS upgrade, for example from Ubuntu 18.04 LTS to Ubuntu 20.04 LTS, you will break Web SSH. The error you’ll get is “Upstream Error 515.” The only way to fix this is to get AWS Support to help you apply the fix. It’s not a make-or-break deal, but it can be a nuisance if you prefer AWS Web SSH to a terminal. If you need a more secure SSH connection, consider uploading your SSH key to the server and disabling password login.
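The last sentence is the part worth doing carefully, so here is an added example (not from the original post) of switching sshd to key-only logins without locking yourself out. The helper names are constructed; the paths are the stock OpenSSH ones and the `ubuntu` home directory is assumed. It refuses to disable password authentication until a public key is actually present in `authorized_keys`, edits `sshd_config` so the new global setting comes first (sshd uses the first occurrence of a keyword) while leaving any `Match` block alone, and only reloads after `sshd -t` accepts the file.

```shell
#!/bin/sh
# Added example, not from the original post: move a LightSail instance from
# password SSH logins to key-only logins safely.  Helper names are constructed;
# /etc/ssh/sshd_config and the "ubuntu" login are assumptions.
set -eu

# Print the effective global value of an sshd_config keyword.  sshd takes the
# first occurrence, and settings inside a Match block are conditional, so stop
# at the first Match line.
get_sshd_option() {
  local lk
  lk=$(printf %s "$2" | tr '[:upper:]' '[:lower:]')
  awk -v k="$lk" '
    /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }
    tolower($0) ~ ("^[ \t]*" k "([ \t]|=)") {
      sub(/^[ \t]*[^ \t=]+[ \t=]*/, ""); print; exit
    }' "$1"
}

# Set a global keyword: put "Key value" at the top of the file and comment out
# any earlier global definition (Match-block entries are left untouched).
set_sshd_option() {
  local file key value lk tmp
  file=$1; key=$2; value=$3
  lk=$(printf %s "$key" | tr '[:upper:]' '[:lower:]')
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" -v lk="$lk" '
    BEGIN { print k " " v; in_match = 0 }
    /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { in_match = 1 }
    !in_match && tolower($0) ~ ("^[ \t]*" lk "([ \t]|=)") { print "#" $0; next }
    { print }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"     # cat, not mv: keeps the file's owner and mode
  rm -f "$tmp"
}

# True when the authorized_keys file holds at least one public key line
# (options such as from="..." before the key type are allowed).
has_authorized_key() {
  [ -s "$1" ] && grep -Eq '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9@.-]+)[[:space:]]+[A-Za-z0-9+/]+=*' "$1"
}

# $1 = sshd_config path, $2 = authorized_keys path of the login you use.
# Refuses to turn passwords off while no key is installed: with Web SSH
# already broken after the upgrade, that would be a lockout.
harden_sshd() {
  local conf keys
  conf=$1; keys=$2
  has_authorized_key "$keys" || {
    echo "no public key in $keys; run ssh-copy-id first" >&2
    return 1
  }
  set_sshd_option "$conf" PubkeyAuthentication yes
  set_sshd_option "$conf" PasswordAuthentication no
  set_sshd_option "$conf" ChallengeResponseAuthentication no   # PAM keyboard-interactive prompts
  set_sshd_option "$conf" PermitRootLogin prohibit-password
}

# On the instance, as root, after `ssh-copy-id ubuntu@<instance>` worked:
#   APPLY=1 sh harden-ssh.sh
if [ "${APPLY:-0}" = 1 ]; then
  harden_sshd /etc/ssh/sshd_config /home/ubuntu/.ssh/authorized_keys
  sshd -t && systemctl reload ssh     # validate first; a bad config would take sshd down
fi
```

Keep the existing session open while you reload and test a fresh key login from a second terminal before closing it; if the key login fails, the still-open session lets you revert the file.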
Here’s my script to delete AWS LightSail snapshots. It can delete daily or weekly backups and can be scheduled via crontab. If you want longer or shorter retention, adjust the expired value, which is in seconds: 604800 is 1 week and 2592000 is 30 days (1 month).
#!/bin/bash
# Usage: delete-snapshot.sh daily|weekly
# Snapshots are expected to be named <prefix>_<instance>_<epoch>; the epoch
# (third "_"-separated field of the name) is compared with the retention cutoff.
current=$(date +%s)

if [ $# -eq 0 ]; then
  exit 1
fi

if [[ $1 = 'daily' ]]; then
  prefix='daily'
  expired=$((current - 604800))    # keep one week of daily snapshots
elif [[ $1 = 'weekly' ]]; then
  prefix='weekly'
  expired=$((current - 2592000))   # keep 30 days of weekly snapshots
else
  exit 1
fi

snaps='/root/snapshots/snapshots.json'
names='/root/snapshots/names.txt'
parse='/root/snapshots/parse.txt'
logfile='/root/snapshots/snapshots.log'

/usr/local/bin/aws lightsail get-instance-snapshots > "$snaps"
# instanceSnapshots is an array, so iterate it with [] before taking .name
jq -r '.instanceSnapshots[] | .name' "$snaps" > "$names"
# keep only names that start with the prefix (daily_... or weekly_...)
grep "^${prefix}_" "$names" > "$parse"

while read -r line; do
  snapshot=$(echo "$line" | cut -d_ -f3)
  snapshotname=$line
  # skip entries whose third field is not a number (name does not follow the convention)
  if [ "$(expr "$snapshot" + 1 2> /dev/null)" ]; then
    if [ "$snapshot" -le "$expired" ]; then
      echo "Deleted: $snapshotname" >> "$logfile"
      /usr/local/bin/aws lightsail delete-instance-snapshot \
        --instance-snapshot-name "$snapshotname"
    else
      echo "Nothing: $snapshotname" >> "$logfile"
    fi
  else
    echo "$snapshot is not numeric" > /dev/null
  fi
done < "$parse"

echo "Current time: $current" >> "$logfile"
echo "Expired time: $expired" >> "$logfile"
echo '-----------------------------------' >> "$logfile"
Schedule deletes via crontab.
# run daily at 5am
0 5 * * * /bin/bash /root/snapshots/delete-snapshot.sh daily 2>&1
# run weekly every Sunday at 6am
0 6 * * 0 /bin/bash /root/snapshots/delete-snapshot.sh weekly 2>&1
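The delete script only works if the snapshots it inspects are named `<prefix>_<instance>_<epoch>`, since it reads the creation time from the third `_`-separated field. As an added example (not from the original post), here is the matching creation side: a script, assumed to live at /root/snapshots/create-snapshot.sh, that names snapshots that way and refuses instance names containing `_`. That refusal matters: a name such as `daily_web_1_1600000000` makes the delete script read `1` as the epoch and remove the snapshot on its very next run. The instance name `web-1` is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: the creation side of the
# retention scheme.  The delete script recovers the creation time from the
# third "_"-separated field of the snapshot name, so every snapshot must be
# named <prefix>_<instance>_<epoch>.  "web-1" is a constructed placeholder.
set -eu

# Build the name; refuse instance names containing "_" because they shift the
# epoch out of field 3 (a small number lands there and the snapshot is
# treated as long expired).
snapshot_name() {
  local prefix instance epoch
  prefix=$1; instance=$2; epoch=$3
  case $prefix in
    daily|weekly) ;;
    *) echo "prefix must be daily or weekly" >&2; return 1 ;;
  esac
  case $instance in
    ''|*_*) echo "instance name must be non-empty and contain no '_'" >&2; return 1 ;;
  esac
  case $epoch in
    ''|*[!0-9]*) echo "epoch must be numeric" >&2; return 1 ;;
  esac
  printf '%s_%s_%s\n' "$prefix" "$instance" "$epoch"
}

# Reverse: the epoch the delete script will see for a given name.  Fails when
# field 3 is not numeric, which is exactly the case the delete script skips.
epoch_of() {
  local field
  field=$(printf %s "$1" | cut -d_ -f3)
  case $field in ''|*[!0-9]*) return 1 ;; esac
  printf '%s\n' "$field"
}

# Create the snapshot; set DRY_RUN=1 to print the command instead.
create_snapshot() {
  local prefix instance name
  prefix=$1; instance=$2
  name=$(snapshot_name "$prefix" "$instance" "$(date +%s)") || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "aws lightsail create-instance-snapshot --instance-name $instance --instance-snapshot-name $name"
  else
    aws lightsail create-instance-snapshot --instance-name "$instance" --instance-snapshot-name "$name"
  fi
}

# Schedule each job an hour before the matching delete job, e.g.:
#   0 4 * * * /bin/sh /root/snapshots/create-snapshot.sh daily
#   0 5 * * 0 /bin/sh /root/snapshots/create-snapshot.sh weekly
if [ $# -gt 0 ]; then
  create_snapshot "$1" web-1
fi
```

Try `DRY_RUN=1 sh /root/snapshots/create-snapshot.sh daily` first to see the exact name and command that cron will produce.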