Based on Xen (older instance families; Nitro instances use a KVM-based hypervisor). Get root access! Have console output.
Usage time is rounded up to hours PER INSTANCE RUN. If you do 3 quick restarts, that's 3 hours! I guess avoid quick reboots. (Linux on-demand and spot instances have since moved to per-second billing with a 60-second minimum.)
Gradle API hooks: https://github.com/classmethod/gradle-aws-plugin
Set account alias (only usable for a few things, like console login and URL): at top of the console's IAM dashboard, "Sign-in URL...", Customize.
Set account "name" by logging into the root account: top right pulldown of you, My Account, Edit (Account Settings).
s3 shows owner "DisplayName" as "axisdata". I have no idea where this is from. Doesn't show up under any IAM user.

EC2 Virtualization types
Gotcha: The cloud-init stuff will re-run if you boot up the disk on another VM. For archlinux-AMI-created instances this will overwrite ~root/.ssh/authorized_keys and /etc/hostname.
Gotcha: Though console output retrieval via "aws ec2 get-console-output..." usually fails with "*instance type does not support*", you can still get the same thing through the AWS Console at Actions > Monitor and troubleshoot > Get system log, and Get instance screenshot.
HVM: Generally recommended. Guest OS runs unmodified and doesn't know it's virtualized. AMI provides the MBR. High hardware usage.
Graphics acceleration: For gaming-quality graphics you need a g* instance type. DIFFERENT from that is the inferior Elastic Graphics that you can attach to other instance types.
PV: Paravirtualized. Hardware usage limitations; used to have better net performance but now worse performance. Requires PV-GRUB.
Interrupt = your spot instance is reclaimed.
According to a note in linux-ec2's Grub menu.lst, this file is only used on PV.
To connect to Windows EC2 instances (from Linux) use
  xfreerdp ~/data/*.rdp /p:'' /u:administrator /cert-ignore /f &
OR
  xfreerdp ~/data/*.rdp /p:'' /u:administrator /cert-ignore /dynamic-resolution &
To allow ping, add these rules to the security group.
(For Win instances you also need to run the netsh commands in an elevated CMD.)
  Inbound > Custom ICMP, Echo Reply
  Inbound > Custom ICMP, Echo Request
To use IE, add sites like https://www.google.com and my own sites to IE gear > Internet options, Security, Local Intranet, Sites button.
Following probably not necessary after the premium support setting below. Check all option listings (other than the negative one) to allow font and file downloads.
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-windows-file-download-ie/
Stops and restarts from the AWS Console are graceful for both Win and Linux. They emulate CTRL+ALT+DELETE (and somehow distinguish between halt and reboot).
From PowerShell, if you have privs from the AMI profile, can use https://docs.aws.amazon.com/powershell/latest/reference/

Options
Dedicated hardware.
VPC = Amazon Virtual Private Cloud. IPsec VPN.
EBS = Elastic Block Store. Boot or secondary disks. (The volumes themselves are not in S3; only their snapshots are.) Specified physical locations.
Elastic IP Address. A static address that redirects to your live instances.
** Must reassign Elastic IP after reboot from management console! **
** Do forward DNS through Route 53 or any regular DNS service; configure the reverse mappings right in the elastic IP config itself.
It was preserved just now when I did a "shutdown -r...". Is not preserved after "shutdown -h...".
I can only get the "VPC" type (not EC2 type) to work! (Probably because I have a VPC).
!! GOTCHA !! You always access an instance by the "IPv4 Public IP" listed for the instance. If you add or remove an elastic IP from the instance then this value will change. At least now on my instances, the "IPv4 Public IP" value changes to/from the "Elastic IPs" value automatically when you allocate/deallocate an elastic IP to/from it.
Pricing description is ambiguous. Is 1-per-running-instance free; or is it 1-total-on-any-running-instance free?
TODO: Check if not charged on bill under Elastic Compute Cloud > REGION for the time period starting 2021-02-03, after which I'll make sure to give up elastic IPs that I'm not using.
CloudWatch. Monitoring, Logging. Incl. Auto Scaling. Can feed it from non-AWS sources via SDK, API, CLI: aws logs put-log-events
  Groups: /aws//
  Streams: lambda streams have names like: DATE/[VERSION]UUID
  Can: aws logs tail /aws// --follow
Elastic Load Balancing.
HPC Clusters.
VM Import. Import your VM images. I don't know what types are supported.
Reserved Instances are just obligated resources at a better price rate: up to 75% discount from on-demand. A/P/N+URI for All/Partial/No Up-Front.
Spot Instances are cheapo unused instances.
Launch Template is kinda like CloudFormation only for EC2 instances (can use this with any EC2-creation method like Console, CLI, SDK, auto-scaling, CloudFormation).
I can't find out how to get launch templates to specify target network. Maybe by editing the underlying JSON/XML/whatever? Until then need to specify target network at runtime. How will this work for auto-scaling???
To launch with my ArchLinux template, just set target network + Name tag.
When you update a LT, be sure to check that you're editing the desired version (should be latest or default, don't know which) -- double check that the starting settings are what you expect.
GOTCHA! Remember to update Default Version or you will need to change the version from default every time you launch with this.
EC2 instance image is configured using an AMI = Amazon Machine Image, pre-configured or custom. May contain apps, libraries, data, associated config settings. Access and security settings. Network addressing settings.
From the instance itself, metadata is available via http://169.254.169.254/latest/meta-data/ e.g.
  ../instance-id
To get the current instance's name via the Name tag:
  aws ec2 describe-tags --filters Name=resource-type,Values=instance Name=resource-id,Values=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) Name=key,Values=Name | perl -nwe 'print "$1\n" if /"Value": "([^"]+)/;'
(That curl is an IMDSv1 request. On instances where IMDSv2 is required you must first PUT to /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header and send the returned token in an X-aws-ec2-metadata-token header on the GET.)
Instances have either instance-store (ephemeral) or EBS (persistent) root devices.
You start your AMI by calling the RunInstances API or using the GUI. You admin the instance using the Management Console, CLI, or API.
The name specified in the dumbed-down UI really adds a key/value metadatum/tag record to the instance with key "Name". <= 10 metadata records/tags per instance at the time of this note (the limit is now 50).
Low end Instance Types (there are several more expensive types)
  MICRO: Small but allows for bursts. API name: t1.micro. 613 MB RAM, <= 2 ECUs (for short bursts), EBS storage only, 32 or 64 bit.
  SMALL: The default, 32 bit! 1.7GB RAM, 1 ECU (1 virtual core w/ 1 EC2 CU), 160 GB local instance storage.
INSTANCE TYPE PRICING https://aws.amazon.com/ec2/pricing/on-demand/
*g instance types use Amazon's Graviton processor, which can't run Windows.
2019-10-27:
  per-hr  vCPU  RAM  inst_store  type       baseline%  credit_max
  $.0058  1     0.5  EBS Only    t2.nano    5%         72
  $.023   1     1    EBS Only    t2.small   20%        288   (my "ec23" instance)
  $.0188  2     2    EBS Only    t3a.small  20%        576   *Good compromise*
  $.0208  2     2    EBS Only    t3.small   20%        576   *Good compromise*
  $.0255  1     2    EBS Only    a1.medium  n/a        n/a   (ARM RISC CPUs)
What's distinctive about all t* models is CPU burst behavior. All consume CPU credits when bursting above the baseline perf %. All accumulate credits (up to a specific limit) when below the baseline perf %.
t3 vs. t3a: t3 uses slightly faster Intel CPUs vs. t3a AMD CPUs.
Standard mode uses the accumulated CPU credits, then throttles. Standard for t2.
"Unlimited" mode charges usage over the accumulated credits at $.05/vCPU-hour instead of throttling. EXPENSIVE! Standard for t3, t3a.
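The Name-tag lookup above, redone over IMDSv2, as an added example (my code, not from these notes or from AWS). The token PUT with its TTL header is what keeps a typical SSRF bug in a web app on the box from reading the metadata service. The describe-tags JSON here is constructed to exercise the parser offline; the live path assumes the aws CLI is on PATH and that the instance role allows ec2:DescribeTags.

```python
"""Read the current instance's Name tag the IMDSv2 way.

Added example, not from the original notes. Only the live path touches the
network; name_from_describe_tags() is pure and runs against the constructed
SAMPLE_TAGS below.
"""
import json
import subprocess
import urllib.request
from typing import Optional

IMDS = "http://169.254.169.254"


def imds_token(ttl_seconds: int = 300) -> str:
    """IMDSv2: a PUT with a TTL header returns a session token. A plain GET
    without it is refused once HttpTokens=required is set on the instance."""
    req = urllib.request.Request(
        f"{IMDS}/latest/api/token",
        method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)},
    )
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imds_get(path: str, token: str) -> str:
    """GET a metadata path, presenting the v2 token."""
    req = urllib.request.Request(
        f"{IMDS}/latest/meta-data/{path}",
        headers={"X-aws-ec2-metadata-token": token},
    )
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def describe_tags_json(instance_id: str) -> str:
    """Same describe-tags call as in the notes, output kept as JSON."""
    out = subprocess.run(
        ["aws", "ec2", "describe-tags", "--output", "json", "--filters",
         "Name=resource-type,Values=instance",
         f"Name=resource-id,Values={instance_id}",
         "Name=key,Values=Name"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


def name_from_describe_tags(tags_json: str, instance_id: str) -> Optional[str]:
    """Pull the Name tag value for exactly this instance out of describe-tags
    output; None when it has no Name tag. Parsing the JSON instead of regexing
    the text means a Name containing a quote is not silently truncated."""
    for tag in json.loads(tags_json).get("Tags", []):
        if (tag.get("ResourceType") == "instance"
                and tag.get("ResourceId") == instance_id
                and tag.get("Key") == "Name"):
            return tag.get("Value")
    return None


# Constructed sample of `aws ec2 describe-tags --output json` output.
SAMPLE_TAGS = json.dumps({"Tags": [
    {"ResourceType": "instance", "ResourceId": "i-0123456789abcdef0",
     "Key": "Name", "Value": "ec23"},
    {"ResourceType": "instance", "ResourceId": "i-0fedcba9876543210",
     "Key": "Name", "Value": "other"},
]})


def current_instance_name() -> Optional[str]:
    """Live path: token -> instance-id -> describe-tags -> Name."""
    tok = imds_token()
    iid = imds_get("instance-id", tok)
    return name_from_describe_tags(describe_tags_json(iid), iid)


if __name__ == "__main__":
    print(current_instance_name())
```

To force v2 on an existing instance: aws ec2 modify-instance-metadata-options --instance-id ... --http-tokens required; after that the bare curl in the note returns 401.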
RATES AT https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/burstable-credits-baseline-concepts.html
t3 slightly less expensive and t3a slightly less expensive again.
a* types are ARM (~ RISC). I find no mention of ARM at https://archlinuxarm.org/ or https://www.uplinklabs.net/projects/arch-linux-on-ec2/
1 credit runs a CPU at 100% for 1 minute.
Change burst mode for T* types ONLY via the instance description setting "T2/T3 Unlimited".
Windows Server 2019 AMI requires >= 30G. Launch will abort otherwise.
Graviton c7g.xlarge (c6g.xlarge). COSTLY! compute-opt: 0.1445/hr, 0.136/hr. c7g performs much better than c6g.
EC2 CU = Metric of CPU performance power. == 1.1 GHz 2007 Opteron or Xeon.
FREE TIER only available for 1 year! exc. * starred items are free indefinitely.
Are these per calendar month or from day of signup or startup? (The hour/request allowances are per calendar month; the 12-month window runs from the sign-up date.)
  750 hours of EC2 Linux/Unix Micro instance usage
  750 hours Elastic Load Balancing + 15 GB data processing
  10 GB EBS + 1M IOs + 1 GB snapshot storage
  5 GB S3 storage, 20k Get requests + 2k Put requests
  15 GB bandwidth out (total)
  *25 SimpleDB Machine Hours and 1 GB Storage
  *100k requests of Simple Queue Service
  *100k requests, 100k HTTP notifications + 1k email notifications for Simple Notification Service
  *10 CloudWatch metrics, 10 alarms, 1M API requests
  1 GB regional data transfer

EC2 Post-launch Automation = User Data
Can only change the User Data script when the instance is stopped. Use the instance settings menu (in Admin Console).
Security note: User Data is readable from inside the instance at http://169.254.169.254/latest/user-data and by anyone with ec2:DescribeInstanceAttribute, so never put secrets in it.
CloudFormation and OpsWorks allow for more complex setup automation.

EC2 Post-launch Automation = User Data, Windows
Historically there were EC2Config then EC2Launch; now just deal with EC2Launch v2. Don't get an instance with pre-v2!
I believe you can verify the absence of the legacy services by the lack of these dirs:
  C:/ProgramData/Amazon/EC2-Windows       EC2Launch pre-2
  C:/PROGRA~1/Amazon/EC2ConfigService     EC2Config
There is EC2Launch + EC2Config <= Win 2019; EC2Launch v2.
v2 version: C:/Progra~1/Amazon/EC2Launch/Ec2Launch.exe version
Or check the 'Programs and Features' version for 'Amazon EC2Launch'. (Win Server 2022 AMIs have v2; 2016-2019 may have either. The Win Server 2022 AMI of 2022-05-27 contains 2.0.698.0.)
Very high-level log: C:/ProgramData/Amazon/EC2Launch/log/agent.log
Expected direct outputs (incl. a copy of the User Data script) go to dir /C/Windows/system32/config/systemprofile/AppData/Local/Temp/Ec2Launch/ i.e. /AppData/Local/Temp/EC2Launch/. (Need privilege escalation to get into /C/Windows/system32/config/).
PS code goes inside a top-level element in the User Data file. By default it runs only at first boot. To run on every boot, set persist to true.
ENVIRONMENT: Executes as system or administrator; for me administrator. Runs in /C/Windows/system32 with home of /C/Windows/system32/config/systemprofile/ (why not /Users/Administrator??)
From PowerShell, if you have privs from the AMI profile, can use https://docs.aws.amazon.com/powershell/latest/reference/
Great debugging support: To execute next boot despite no persist true, run
  /C/PROGRA~1/Amazon/EC2Launch/Ec2Launch reset [-c]    :: -c cleans logs
To run NOW regardless of persist mode: NOT WORKING!!! Getting 0 output files even when run escalated :(. Run the reset command above if persist is not true in the script, then w/ escalation:
  /C/PROGRA~1/Amazon/EC2Launch/Ec2Launch run
Doesn't work right if executed without escalation, writing 0 outputs. Sends the very high-level output to the console + expected direct outputs to ~/AppData/Local/Temp/EC2Launch\ (instead of to under /C/Windows).

EC2 Post-launch Automation = User Data, UNIX
Your User Data script is copied to /var/lib/cloud/instances//user-data.txt (*.i is encoded), with a copy at .../scripts/part-001.
Contrary to docs, this is not executed from this directory, but is executed from / as .../instance/scripts/part-001 by root (/instance is a symlink; the file is not executable), with output redirected:
  > /var/log/cloud-init-output.log 2>&1
Script needs an interpreter line. If set to #cloud-config then you can give cloud-init commands, which are less powerful.
At the very bottom of launch step #3 'Configure Instance', upload the script file.
Can definitely access hosts while the instance Status check is still reporting 'Initializing'.

EC2 Recovery/troubleshooting
If after reattaching the root volume you get "Invalid value for instance id. Instance does not have a volume attached at root (/dev/sda1)" (true for both Linux and Windows!), you must reattach it specifying the mount point as /dev/sda1 (MUST ENTER ABSOLUTE PATH!).

AWS Management Console
General console for root and interactive IAM: https://console.aws.amazon.com/
  https://.signin.aws.amazon.com/console or https://.signin.aws.amazon.com/console
Service favorites are not account- or user-specific. Current region is saved in cookies and passed around in the URL query string, so it is not user- or account-specific.
OSes. In some places it says "any", elsewhere it lists only some Linuxes and Windows Server. No Java databases.

MY FIRST INSTANCE
Key file $HOME/.ssh/blaine-awskp.pem (and backed up in $HOME/Downloads)
PUBLIC DNS: ec2-107-22-15-100.compute-1.amazonaws.com
Account ec2-user has no password and can sudo anything, including su to root.
Terminating an instance is zapping it.
Instance store-based AMIs may not be stopped, but only terminated. They may be rebooted.
Check whether the EC2 instance has "Root device type" of "ebs". If not then you have instance store == ephemeral.
GOTCHA: Swap is not reported via "swapon -s".
GOTCHA: DON'T USE FDISK! It doesn't show the default devices, at least some of them (and very essential ones). Use yum or whatever to install 'parted'.
GOTCHA: Though all docs and all Management Console information say that the EBS devices in the instances are /dev/sd*, with modern Linux kernels the device nodes will actually be /dev/xvd* (even though you are not permitted to specify attachment with the /dev/xvd* names!). E.g. root mounts /dev/xvda1. AND kinda crazy, but the Storage tab of EC2 lists the actual mount device /dev/sda1 (allowing for xvd* ambiguity) instead of the actual block device /dev/sda. So I guess "block devices" according to AWS are partitions, not disks.
/dev/sd* and /dev/xvd* are references to the exact same thing (so can use fdisk, probably fsck, etc. with either), but mount with the latter.
(On Nitro instances EBS volumes appear as /dev/nvme*n1 instead and the attachment letter is not visible at all; the reliable link from a volume to its node is the NVMe serial, which for EBS is the volume ID with its hyphen dropped, e.g. "lsblk -o +SERIAL".)
The reported private IP and DNS (DNS hostname) are correct.
"parted" not available, but fstab is.
Swap is done magically apparently, and even top lists 0s (but a "cached" val?).
Visibility of new disk devices on ArchLinux, without rebooting: use lsblk to see available devs. Archlinux doesn't have the /sys/.../*scsi* dirs, so do:
  udevadm trigger
  udevadm settle
To grow a partition (not the fs) after reboot use a command like:
  growpart /dev/nvme0n1 1    # where the last 1 is the partition number.
Then resize2fs or similar.
IMPORTANT! Filesystem resize with Nitro (nvme) drivers requires special work. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recognize-expanded-volume-linux.html?icmpid=docs_ec2_console

Organizations makes one "account" the billing/management/master account. From a root user login to the master account, can either invite existing accounts or make new accounts (which don't have some basic things set, like alias or root user, and I see no way to set them other than removing them as Org member).
AWS Account ID (for everything besides S3): 1065-2554-9830
For both root and IAM users, top right name menu, My Security Credentials has both ACCOUNT id and canonical ID. (N.b. account-specific, not user-specific).
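The two device-naming situations from the disk notes above, as an added example (my code, not from these notes or from AWS): the Xen-era /dev/sdX to /dev/xvdX rename, and the Nitro case where only the NVMe serial identifies which /dev/nvme*n1 node holds a given EBS volume, which is what you need to know before running growpart/resize2fs on the right disk. The lsblk text is constructed; live_ebs_volumes() runs the real command and needs util-linux lsblk.

```python
"""Map EC2 attachment device names to what the guest kernel actually exposes.

Added example, not from the original notes. SAMPLE_LSBLK is constructed to look
like `lsblk -d -n -o NAME,SERIAL` on a Nitro instance.
"""
import re
import subprocess
from typing import Dict, Optional

_ATTACH_RE = re.compile(r"^/dev/(?:sd|xvd)([a-z]{1,2})(\d*)$")
# EBS NVMe serial: "vol" + the volume ID hex with the hyphen removed.
_EBS_SERIAL_RE = re.compile(r"^vol([0-9a-f]{8,17})$")


def xen_guest_device(attachment: str) -> str:
    """'/dev/sdf' -> '/dev/xvdf', '/dev/sda1' -> '/dev/xvda1'. Both names refer
    to the same block device, which is why fdisk works with either but only
    the xvd* node exists in the guest."""
    m = _ATTACH_RE.match(attachment)
    if not m:
        raise ValueError(f"not an EC2 attachment device name: {attachment}")
    letters, partition = m.groups()
    return f"/dev/xvd{letters}{partition}"


def ebs_volumes_from_lsblk(lsblk_text: str) -> Dict[str, str]:
    """Parse `lsblk -d -n -o NAME,SERIAL` into {volume-id: /dev/node}.
    Rows whose serial is not an EBS volume ID (instance-store NVMe disks,
    loop devices with no serial at all) are skipped."""
    mapping: Dict[str, str] = {}
    for line in lsblk_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, serial = parts
        m = _EBS_SERIAL_RE.match(serial)
        if name.startswith("nvme") and m:
            mapping[f"vol-{m.group(1)}"] = f"/dev/{name}"
    return mapping


def nvme_device_for_volume(volume_id: str, lsblk_text: str) -> Optional[str]:
    """Which /dev/nvme*n1 node holds the given EBS volume, or None when it is
    not attached. Enumeration order is not stable across reboots, so never
    hard-code nvme1n1 for 'the second volume'."""
    return ebs_volumes_from_lsblk(lsblk_text).get(volume_id)


def live_ebs_volumes() -> Dict[str, str]:
    """Same parse over the real lsblk on this host."""
    out = subprocess.run(["lsblk", "-d", "-n", "-o", "NAME,SERIAL"],
                         check=True, capture_output=True, text=True)
    return ebs_volumes_from_lsblk(out.stdout)


# Constructed sample: root EBS volume, a second EBS volume, an instance-store
# NVMe disk (serial does not start with "vol"), and a loop device.
SAMPLE_LSBLK = """\
nvme0n1 vol0123456789abcdef0
nvme1n1 vol0fedcba9876543210
nvme2n1 AWS1A2B3C4D5E6F7G8H9
loop0
"""

if __name__ == "__main__":
    print(xen_guest_device("/dev/sdf"))
    print(ebs_volumes_from_lsblk(SAMPLE_LSBLK))
```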
ASSIGNING (non-default) STORAGE
Use the CLI to add mappings like the following, I think IN THE LAUNCH COMMAND (or when defining the AMI):
  /dev/sdb=ephemeral0
  /dev/sdc=ephemeral1
Use a mount point of 'none' to not mount.
BLOCK DEVICE REQUIRED USAGE CONVENTIONS (others possible but discouraged)
  /dev/sda           ROOT DEVICE
  /dev/sd[b-e]       INSTANCE STORES
  /dev/sd[f-p]
  /dev/sd[f-p][1-6]
  /dev/sda1          /
  /dev/sda2          /mnt (on mediums)
  /dev/sda3          /swap (on mediums)
  /dev/sdb           /mnt (on larges)
  /dev/sdc           Unmounted and unformatted
  /dev/sdd           ? says mounted (on larges)
Wed Apr 3 16:20:11 EDT 2013. New keypair: $HOME/.ssh/blaine01-awskp.pem
Following instructions at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-s3-linux.html
Using bucket http://admc_ec2.s3.amazonaws.com
Specified image name of admc-ami-pv. (Doesn't display in the main record, but does display in the details). Generated AMI ID ami-1ec1a477.
This procedure definitely does copy the whole source root disk (less stated exceptions).
WORKS, but for unknown reason this mapping does not show up anywhere in the Management Console. "Block Devices:" displays nothing at all.
xvda3 = sda3 = swap disk
For some damned reason, after doing this it won't let the instance Stop, and terms the instance when I shutdown. ARRRRRG! WTF!! Ah, the original instance had an ebs root device!
Way to make an m?.* instance with persisting root device and the free ephemeral storage is to just create the new instance as usual and use the Instance Store Volumes panel WHEN CREATING to add the first mapping. (You can't specify size, etc.)

STORAGE. Storage units are "volumes" (may be only EBS units are "volumes").
instance store = ephemeral store. Names like "ephemeral0". Except that, according to docs, instance-store-backed images have an instance store root volume and INSTANCE-STORE-BACKED ROOTS PERSIST! A.k.a. Virtual device. These images are backed by S3. Instance store is totally dedicated to a single instance lifespan. They survive "reboots", but not drive failures, stops, or terminations.
'instance store-backed' AMIs have an instance store VM root partition. Both 'instance store-backed' and 'EBS-backed' AMIs may have additional (non-root) instance store volumes.
Can change DeleteOnTermination flag of instance stores???? Example of changing it in the guide does not say it's only for EBS. ??? (DeleteOnTermination is an EBS-only attribute; instance store data never outlives the instance anyway.)
Can't add instance stores after instance launch.
Amazon Linux instances will mount their first (?) ephemeral store onto /mnt/ephemeral0.
Wed Apr 3 16:20:11 EDT 2013. For m1.small, says default device is Root device /dev/sda1 8 GiB w/ snapshot snap-X. "Standard" vol type. (But is really /dev/xvda1.) BUT IT IS ebs!!!!!!! Listed with EBS vols. See "Root Device" col of instance records. 160 GB instance/ephemeral storage. (Does not persist after Stop.)
Tutorial: http://wishfulcode.com/2010/02/02/amazon-ec2-ephemeral-storage-on-ebs-backed-instances/
  "ec2-run-instances ami-4bebc03f -k myinstancekey -g my-security-group -b "xvdg=ephemeral0" -t c1.medium --availability-zone eu-west-1a
  The -b "xvdg=ephemeral0" indicates that you'd like to mount one of the ephemeral drives."

EBS = Elastic Block Store
Automatically block-level replicated within the Availability Zone.
You are billed while the volume exists, regardless of EC2 instances.
EBSs created with the instance are by default zapped when the instance is terminated. I guess this means those specified in the creation command or in the AMI. (Change the behavior with the DeleteOnTermination flag of the vol./instance.)
SNAPSHOTS: Stored in S3. Can instantiate new EBS volumes from them, specifying the size of the new EBS (obviously size >= snapshot size). Remember to resize2fs (or similar)!
Written incrementally, but Amazon assures they are always retrieved as if non-incremental.
Private by default. Can share or make public so other people can copy the data, create instances with it, etc. (Check before sharing: a public snapshot exposes every byte of the volume, including any keys, credentials or shadow files on it.)
I think snapshots are the only way to pre-populate a volume or store (via manual copy, AMI, public data).
Can copy to another region.
EBS volumes are restricted to an availability zone, but snapshots aren't. SCOPES: EBS volume = availability zone; snapshot = region.
I think can only create snapshots from EBS, but can use them to create instance storage.
In (at least some) EBS volume listings, the listed snapshot is the source snapshot from which it was created (could possibly get updated if snapshots are created from it, don't know).
I believe can add metadata/tag key/value pairs to EBS volumes just like for instances.
Volume types https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EBSVolumeTypes.html
  gp3: replacement for gp2. Cheaper and allows for more dynamic spec adjustments.
  gp2: general purpose SSD. Available 1GiB-16TiB
  st1: high access magnetic. Available 500GiB-16TiB
  sc1: low access magnetic. Available 500GiB-16TiB

S3 = Simple Storage Service
Object = Fundamental storage unit { object data; metadata: name/value pairs }
Can only work with your own organization's buckets in the AWS Console.
Objects are not appendable, not updatable. All you can do is replace. Therefore it makes sense to have object create/delete privileges, but not update privileges.
Gotcha: The Object Permissions Edit screen lists "Specified objects" plural at the bottom, but it can only ever list one object. Unfortunately you can't make object-specific settings on more than one object at a time.
Objects are accessed via a URL which is Bucket + /key value: http://BUCKET.s3.amazonaws.com/OBJECT/PREFIX/NAME where the entire OBJECT/PREFIX/NAME is the object KEY. The prefix is also called a "folder". E.g. http://johnsmith.s3.amazonaws.com/photos/mygarden.jpg
Bucket = Top-level storage location. This key value designates the owner. Region-specific. Automatically replicated across multiple facilities (AZs) in a region.
'aws s3 ...' CLI works great. See file "tech/awsCli.txt" for details.
Folders/directories are called "prefixes" and are listed like PRE name/
When you specify prefixes that don't start with the bucket name, they are always absolute from the bucket root, so start without / as if relative.
Can restrict by prefix with the policy condition key "s3:prefix".
Cross-account s3 reading. No object policy JSON object. Can do indirectly in a bucket policy.
Without complicated settings like via 'Bucket policy' JSON, object LISTING and CREATE/DEL privileges can only be set for the entire bucket or not, via the 'Access for other...' Objects List and Write settings (correspondingly). Only readability may be set object-specifically via the Object Privs screen, 'Access for other...', Objects > Read setting.
Bucket 'ACL > Access for other...' section + object 'ACL' are the ACL layer. Bucket Policies override bucket and object ACLs and are more powerful. They can use wildcards to apply rules to subsets of objects. How???
Resource values:
  "arn:aws:s3:::bktname/*"          == all objects in the bucket (for object actions like GetObject)
  "arn:aws:s3:::bktname"            == the bucket itself. Need this for any ListBucket action!
  "arn:aws:s3:::bktname/pre/fix/*"  == obviously. GOTCHA: Works for GetObject but not ListBucket actions (ListBucket's resource is always the bucket ARN; narrow the listing with the s3:prefix condition instead).
Action values:
  GetBucketLocation    I think only needed for console listing
  ListAllMyBuckets     obviously
  ListBucket           list all items of the bucket
Condition values. Works at least with the ListBucket action:
  "Condition":{ "StringLike":{"s3:prefix":["Development/*"] } }
User policies. Can attach set-target action policies to users, groups, or roles.
N.b. the ACL grantee wants to identify the allowed ACCOUNT, not user, via root user email addr (which sometimes doesn't work) or canonical ID (see elsewhere in this doc for that).
See file amazonLinux.txt. yum comes pre-configured for the Amazon Linux repository. See file unit.txt.
$30/month for 100GB micro 613 MiB RAM (t1.micro). http://calculator.s3.amazonaws.com/calc5.html?key=calc-123FBD22-E5E8-4F8D-9696-E01B83F90DC4 (1st year deal $12/month) Terrible deal for that much RAM.
$45/month for 1.7GB (m1.small), $90 for 3.75GiB (m1.medium), $100/month for t1.medium.
Root device /dev/sda1 8 GiB w/ snapshot snap-X. "Standard" EBS vol type.
vCPUs vs. ECUs. ECUs measure computing power. vCPUs are the number of cores. 1 ECU = 1:20 for the CPU benchmark test cf. 0:29 for beyla, i.e. 1/3 as fast. 2 ECU = 0:46 for the CPU benchmark test.
Keeping SSH keypairs in ~/.ssh. Keeping cert pairs in ~/.as.
The default security policy allows just 0.0.0.0/0 to :22. (Tighten that to your own source CIDR; an SSH port open to the world is brute-forced within minutes of launch.) http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
N.b. Can modify the security group but MAY NOT CHANGE WHICH SECURITY GROUP IS ASSIGNED TO AN INSTANCE after instance creation. (That was an EC2-Classic restriction; VPC instances can have their security groups changed while running.)
Installing a sshadmind is rather a pain in the ass:
  cp /etc/init.d/sshd /etc/init.d/sshadmind            # Apply major edits
  cp /etc/ssh/sshd_config /etc/ssh/sshadmind.config    # Apply major edits
  cp /etc/sysconfig/sshd /etc/sysconfig/sshadmind      # Add OPTIONS setting
  cp -av /etc/pam.d/ssh /etc/pam.d/sshadmind           # No edits

EBS / Storage
WTF?? Magnetic storage not economical since a TB drive costs only about $75.
  $51.04 per TB of magnetic with no snapshot (20 IOPS); $145.94 w/snap
  $45.00 per TB of st1 magnetic with no snapshot (20 IOPS); $139.90 w/snap
NEED TO BENCHMARK st1 (vs. mag). st1 must be at least 500 GiB. mag stated 1 GiB to 1 TiB, but allows any size?
Awesome that you can umount and mount EBS volumes on the fly. Linux gets the devices immediately.
Must specify a device name when attaching. Specify as /dev/sdX but Linux gets /dev/xvdX. Ignore the offered ranges. It says start with /dev/sdf but you can start with your next available X seen from "ls /dev/xvd?".
At least with btrfs, it refuses to mount if you try to mount on the same system with a device other than the original. Probably only during a single bootup.
There is some magic about root disk EBSes. Can not copy to a non-root EBS and then use it as a root disk. Just does not work. Definitely is not the partition 'boot' flag.
Get this root-disk-specific behavior regardless of that flag (though that could be one boot-up requirement).
Can attach and detach EBS volumes to/from running instances only for non-root-disk EBSes.

Global Infrastructure
Resources must generally be allocated to the same region to interact. Can manually copy stuff from region to region.
Regions are the largest division. Independent. Have all basic features like ec2 and s3 but not all optional services.
Regions contain 1 or more availability zones. Independent data centers. Availability Zone == facility?
Edge Locations host Amazon CloudFront. Seems to be independent of Regions/AZs.
VPC: Virtual Private Cloud
Mine: 172.30.0.0/16. Always within a private range? https://en.wikipedia.org/wiki/Private_network
Region-specific. Can span AZs. One AWS account can have multiple in one region.
One VPC is a set of IP address ranges (subnets) all within the master VPC range. (I guess these all must be private addresses?) By default they can all route and communicate to one another. Each IP range is AZ-specific.
Public subnets have direct Inet access. Requires an Internet Gateway with routes to it.

OTHER SERVICES
Route 53 = DNS service. GOTCHA! Reverse DNS for your elastic IPs is configured under the elastic IPs under the EC2 service, not Route 53.
Application Load Balancer. 2nd gen version of LB. Very intuitive.
RDS. RDBMS: *MySQL, *Aurora (Amazon), SQL Server, *PostgreSQL, *MariaDB, Oracle.
  * items support read replicas, can span Regions, can (manually) promote to non-ro.
  HA option: Mirrors to an instance in another AZ in the same Region. Sequential transaction replication. Uses RDS DNS endpoint service addrs for seamless failover.
  RDS CLI.
Kinesis. Stream filtering.
RedShift.
SNS = Simple Notification Service. Microservices, event-handling. Publish/subscribe and mobile comm. Main object is Topic. Email is just one of many supported transports.
Elastic Beanstalk (don't confuse with EBS storage).
PAAS. Single container, multicontainer, preconfigured Docker. Go, Java SE, Java with Tomcat, .NET with IIS, Node.js, PHP, Python, Ruby. Supports .war files.
Environment: WebServer (http service) or Worker. You get a URL.
CloudFront. CDN for static content. Origin is any content source. Edge locations are in high-population areas. Caching. RTMP for video streaming; Web: other.
CloudFormation. Automated provisioning.
There's some bug with it. Directly using an EC2 Launch Template with CF, with the same subnet setting, CF aborts saying that I'm deploying non-VPC. Therefore, I am sticking with EC2 Launch codes without CF until this is resolved.
Contrary to docs, you don't need to sign up for this explicitly.
Reads template files that create (or redeploy or remove) a 'stack' based on what resources are specified in the template.
Template: JSON or YAML. Use "DependsOn" to specify sequence. Parameters. Conditions. Live in S3 buckets. Template repositories just like code repositories.
UI DESIGNER: The AWS console has a click&drag UI designer to generate Template files. The bottom editor panel has auto-completion. RMB, ? to open the properties doc in another tab.
GOTCHA: To edit the Template, make sure to use the "Template" tab at the bottom!
Stack: Deployment unit.
TEMPLATE
  Ref references another element name in the template (incl. a runtime parameter).
  Parameters are value mappings to use instead of hard-coding values. (You refer to these by replacing the direct value with {"Ref":"key"}.) Prompted for input keypair values at execution time. How do these correspond to "Parameters"?
  Mappings are conditionals in a format like a switch statement.
  Output element defines strings for cfn-describe-stacks that get written to the Console "Outputs" tab after the stack is created. Can refer to template-defined resources and existing resources.
I see no way to specify standard CPU credit mode. Need launch template?
SQS = Simple Queue Service.
Point-to-point message queues (no pub/sub). There's also Amazon MQ.
Web Hosting.
CloudTrail. Detailed API logging.
IAM = Identity and Access Management
AWS Role: Authentication. Temporary credentials + role for an Operator are temporary.
Policy Document. Specifies authorization. Inline policies are not listed in the Policy list. JSON; attaches to either User, Group, or Role. Resource can sometimes be * (see below). Policies attached to a resource, incl. bucket policies, must still specify the resource. Dumb.
Role ~ Run-As. Create a Role by specifying instance-type, policy, name. Then after drilling down into the instance in the console, do Actions > Instance Settings > IAM Role.
Sets of APIs allowed against which resource sets, with conditions (e.g. source IP or time). ARN can be set to * to mean all target resources (of the specified service type).
Policy Doc rule precedence. Highest precedence is an explicit Deny (blacklist rules): any matching Deny wins regardless of Allows. Next, explicit Allow (whitelist rules): any match allows. Ultimate default is deny.
Inspector. Agent-based, API-based, service. Identifies vulnerabilities and deviation from best practices at development time and production time. Examples of built-in rules: Remote login enabled. Vulnerable sw version installed.
AWS Shield. Managed DDoS protection and mitigation. Standard tier (no extra charge, network layer, always-on stream detection and mitigations, priced explicit AWS WAF rules; protections against the most common but smaller attacks) or Advanced tier (24x7 DDoS Response Team (will write rules), no charge for WAF rules, cost protection, monitors application layer accesses like DNS query floods, http floods).
DDoS application layer attacks target inter-site interfaces. WAFs protect against this: Web Application Firewall.
Trusted Advisor does checking against Best Practices in 4 sections: Cost, Performance, Security, Fault Tolerance.
SUPPORT: TAM=Technical Account Manager; Trusted Advisor; Support Concierge (the last for non-technical billing and account issues).
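The S3 bucket-policy resource/condition forms from the S3 notes above and the Deny > Allow > implicit-deny precedence from the IAM notes here, worked through in one added example (my code, a toy evaluator, not AWS's and not from these notes). The bucket policy and requests are constructed; principals, NotAction, SCPs, permission boundaries and ACLs are ignored. Note the last request in the usage block: ListBucket against an object-style ARN never matches, which is the gotcha recorded in the S3 notes.

```python
"""Minimal evaluator for the policy rules in these notes: an explicit Deny beats
any Allow, an Allow beats the implicit default deny, Resource ARNs may carry
wildcards, and a StringLike Condition on s3:prefix narrows s3:ListBucket.
Added example, not AWS code.
"""
import fnmatch
from typing import Dict, List, Optional


def _as_list(value) -> List[str]:
    """Policy JSON allows a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _condition_ok(cond: Optional[dict], ctx: Dict[str, str]) -> bool:
    """StringLike / StringEquals only. A condition key missing from the
    request context makes the condition fail, as in IAM (no ...IfExists)."""
    if not cond:
        return True
    for op, pairs in cond.items():
        for key, patterns in pairs.items():
            if key not in ctx:
                return False
            if op == "StringLike":
                hit = any(fnmatch.fnmatchcase(ctx[key], p) for p in _as_list(patterns))
            elif op == "StringEquals":
                hit = ctx[key] in _as_list(patterns)
            else:
                raise NotImplementedError(f"condition operator {op}")
            if not hit:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str,
             ctx: Optional[Dict[str, str]] = None) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one (action, resource,
    context) request against one policy document. fnmatch's * spans '/'
    just like the IAM wildcard does."""
    ctx = ctx or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"      # first matching explicit Deny wins outright
        allowed = True         # keep going: a later Deny could still override
    return "Allow" if allowed else "ImplicitDeny"


# Constructed bucket policy using the resource/condition forms from the notes:
# list only under Development/, read any object, but never anything under
# secrets/ (the Deny outranks the broad GetObject Allow).
BUCKET = "arn:aws:s3:::bktname"
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": ["Development/*"]}}},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": BUCKET + "/secrets/*"},
]}

if __name__ == "__main__":
    for action, resource, ctx in [
            ("s3:GetObject", BUCKET + "/photos/a.jpg", None),
            ("s3:GetObject", BUCKET + "/secrets/id_rsa", None),
            ("s3:ListBucket", BUCKET, {"s3:prefix": "Development/app"}),
            ("s3:ListBucket", BUCKET, {"s3:prefix": "Production/app"}),
            ("s3:ListBucket", BUCKET + "/Development/*", {"s3:prefix": "Development/app"})]:
        print(action, resource, "->", evaluate(POLICY, action, resource, ctx))
```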
Support plans: Basic/Developer/Business/Enterprise.
Login with Amazon. Amazon account login to your app, usually with payment ability.
EFS = Elastic File System. Regular access 30 cents/GB-month. EFS IA = Infrequent Access 2.5 cents/GB-month.
Docs push you to use a custom AWS package that defines an "efs" filesystem type.
Looks like a good discussion of mount options at https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-general.html but for my purposes this works great:
  fs-XXXXXXXX_addr:/local /usr/local nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 0 0
(Caveat: a plain nfs4 mount like that is unencrypted in transit and authorized only by the security group on the mount target; the amazon-efs-utils "efs" type is what adds the tls mount option and IAM authorization.)
The fs-XXXXXXXX IP address is AZ-specific and can be seen in the Network list when you drill into the EFS.
A decent but non-optimal strategy is to define an addr for the fs-XXXXXXX name in /etc/hosts. (Just to prevent meaningless numerical IP addresses in /etc/fstab.)
Access points specify an access user and sub-branch within an EFS FS. I don't know if it is possible to use these through Linux, but you have to use them with Lambda FS mounting.
Glacier. Infrequently-accessed S3. Storage classes are set per s3 object.
Best and most economical for long-term storage = Deep Archive. Looks like you need to download the entire value unless you pay more for Glacier Select.
Just specify '--storage-class DEEP_ARCHIVE' when creating the object.
To read the object content (bytes) you need to restore it, which takes like 12-24 hours.
GOTCHA! Confusingly, when the glacier object is restored to the standard storage class, the object props still show it as the original (unrestored) storage class. WTF!
Most convenient way to check status is through the console's detail page for the object itself. Listings show 'Storage class' but that is insufficient when restoring, as it gives no indication whether the content is available for reading. While restoring, the detail page will say something like "Restoration in progress".
While readable, detail page will say "Restoration complete" and list the "Restoration expiry date" at which time content becomes unavailable and storage class really reverts back to the original. Counter-inutitively, you can extend this time by just running 'Initiate restore' again. Readable objects can be Opened/Downloaded from console or read from with CLI 'aws s3 cp', etc. PRICING Traffic-based charge only for region-outbound traffic. ECS is container service management. Fargate is ECS and Kubernetes container-as-a-service. Limiting cf. containers on ec2. Cloud Map Access by highly available DNS or regional API. API access: "aws servicediscovery" Has registry with this hierarchy { namespace common visibilty, resolution types. A.g. "cloudmapdemo.com" Visibilty is public=from-pubic-Internet OR private=specific-VPC-only. Res. types: SDK/API, DNS. service e.g. "backend.cloudmapdemo.com" service instance IPs, URLs or ARNs. Has n/v pairs "attributes". Convention is, all-caps for names used by system. A.k.a. resource?? } Registration: Use "aws servicediscovery {create|register}*" commands IP-svc registration: Specifing a DNS record. Include an IP in attributes. Non-IP-svc registration. Create an http namespace. Include ARN in attributes. For health checks include a port in attrs too. "aws servicediscovery discover-instances" List services of a service: "aws servicediscovery discover-instances --namespace-name X --service-name Y [--health-status UNHEALTHY|ALL] [query-parameters ready=yes other=something]" (health-status defaults to HEALTHY) List of APIs for API-based instances of a service: RESOLUTION limited by DNS prop ttls and can't do filtering. "dig +short A front.cloudmapdemo.com" Health statuses control traffic routing. Uses Route53 for health values. Removed from responses by default. "aws servicediscovery get-instance-health-status --service-id X" OR explicity set headl statuses with HealthCheckCustomConfig. 
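The Glacier GOTCHA above in code. This is an added example, not from the notes: since StorageClass never changes during a restore, it classifies an object by the "Restore" field that `aws s3api head-object` returns (absent, `ongoing-request="true"`, or `ongoing-request="false"` with an expiry date). The head-object JSON documents are constructed samples.

```python
# Added example (not from the notes): classify whether a Glacier / Deep Archive
# object is readable yet. As the notes warn, StorageClass never changes during a
# restore, so this reads the "Restore" field that `aws s3api head-object` returns
# instead. The head-object JSON documents below are constructed samples.
import json
import re
from datetime import datetime, timezone

RESTORE_DATE_FMT = "%a, %d %b %Y %H:%M:%S %Z"   # e.g. 'Fri, 21 Dec 2012 00:00:00 GMT'

def restore_state(head_object_json, now=None):
    """Return a dict with 'state' in {'not-restored', 'in-progress', 'readable',
    'expired'} plus the (unchanged) storage class and, when known, the expiry."""
    head = json.loads(head_object_json)
    result = {"storage_class": head.get("StorageClass")}
    restore = head.get("Restore")                 # absent if a restore was never initiated
    if restore is None:
        result["state"] = "not-restored"
        return result
    if 'ongoing-request="true"' in restore:      # restore requested but not finished
        result["state"] = "in-progress"
        return result
    m = re.search(r'expiry-date="([^"]+)"', restore)
    if not m:                                     # finished but no expiry: treat as unreadable
        result["state"] = "not-restored"
        return result
    expiry = datetime.strptime(m.group(1), RESTORE_DATE_FMT).replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    result["expires"] = expiry
    result["state"] = "readable" if now < expiry else "expired"
    return result

# Constructed samples: the same object never restored, restoring, restored long
# ago, and restored with a far-future expiry. Note StorageClass stays
# DEEP_ARCHIVE in all four, which is exactly the gotcha above.
HEAD_COLD = json.dumps({"ContentLength": 1024, "StorageClass": "DEEP_ARCHIVE"})
HEAD_RESTORING = json.dumps({"ContentLength": 1024, "StorageClass": "DEEP_ARCHIVE",
                             "Restore": 'ongoing-request="true"'})
HEAD_EXPIRED = json.dumps({"ContentLength": 1024, "StorageClass": "DEEP_ARCHIVE",
                           "Restore": 'ongoing-request="false", expiry-date="Fri, 21 Dec 2012 00:00:00 GMT"'})
HEAD_READABLE = json.dumps({"ContentLength": 1024, "StorageClass": "DEEP_ARCHIVE",
                            "Restore": 'ongoing-request="false", expiry-date="Fri, 01 Jan 2100 00:00:00 GMT"'})
```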
Must enable service discovery for the specified namespace when creating services (like ECS). From info in discovered attributes you can sometimes get service-type-specific configs like: aws ssm get-parameter --name /beta/payment-db (Systems Manager Agent).
Privs: IAM Policies have 4 "AWSCloudMap" policies to allow different levels of cross-account servicediscovery access.
For cross-account access (not related in the same org), use policy ACL grantees. These specify the allowed account. I think it's up to that account to allow individual IAM users.
Can share AMIs easily with other "accounts". Just make it private and add the other account ids.

AWS Directory Service
Check out gMSA, Group Managed Service Accounts! https://technet.microsoft.com/en-us/library/hh831782(v=ws.11).aspx
They create a root AD admin account "NBNAME\Admin" that is NOT a Windows sysadmin! (NBNAME == netbios name for the new domain.) "AWS has exclusive control of accounts with Enterprise Administrator and Domain Administrator privileges... includes... AD administrator account". Try using the provided group 'AWS Delegated Server Administrators'. ('AWS Delegated Administrators' is a super-group of that.)
JOIN DOMAIN:
  1. Set DNS servers to the AD DCs in ncpa.cpl (DHCP is better long-term).
  2. Set Domain at sysdm.cpl to the full new domain (not the netbios name!). ("Full computer name" will update automatically.)
  3. Reboot.
Docs say to use an EC2 IAM Profile role to do (probably just #2) automatically, but WHY? Otherwise need to figure out how to merge the SSM and Directory Service roles.
To manually install tools: Server Manager > Add roles and features, Next, Role-based-or-server-based, Next, choose this server, forward to the Features step. Leave existing as they are and check:
  Group Policy Management
  Remote Server... > Role Admin... > AD DS and AD LDS Tools
  Remote Server... > Role Admin... > DNS Server Tools
Next, Install.
But instead use PowerShell: install-windowsfeature -name rsat-ad-tools, gpmc, rsat-dns-server
After that, Windows Administrative Tools will list: Active Directory Users and Computers (=== dsa.msc), DNS, Group Policy Management.
MAY OR MAY NOT NEED TO DISABLE NLA in the Remote tab of sysdm.cpl to allow non-admin or domain remote logins. (Needed on wintmp; not outlook.)
If you have no configured domain administrator account to log in with, then use sysdm.cpl, Remote tab to temporarily allow DOMAIN\admin to RDP in without 'Remote Desktop Users' membership, to run domain commands. Log in as a domain administrators user or NBNAME\Admin and run dsa.msc. Under your domain name are Computers and Users. See the Managed AD ref page 'What Gets Created' to learn about the other things. Add a regular domain sysadmin account (member of Administrators), and add both Admin and this new user to group 'Remote Desktop Users'. (This automatically adds them to the sysdm.cpl list too.) Add a non-privileged user or any other users and groups if you like.
Managed AD instances are REGION-SPECIFIC!
Sharing AD among accounts in the same org in the same region: Owner -> Consumers. Use the Share operation from the Owner account and select Consumer accounts, which will all get a (unique) 'Shared directory' object that's like a proxy for the AD instance. Represented in the Scale and Share tab (I don't know if of owner and/or consumers). With this, they can add EC2 instances to the domain.
DHCP setup allows EC2 instances to point to the correct AD domain and resolve correctly, rather than using default AWS DNS. Probably doesn't matter for single-domain setups?
Must change passwords (other than your own, or to bypass value policies) by using dsa.msc as admccloud\admin.

Inter-VPC communication: VPC Peering, Transit Gateway.

Systems Manager
TODO: Merge notes from my bmc/tech/addm/addm12.txt and bmc/tech/addm/myAwsInst.txt files into here.
For SSM to do actions on instances you need an IAM instance profile + IAM service or assume role.
GOTCHA: Remember after changing EC2 profile roles to restart the SSM agent on affected hosts.
Quick Setup's 'Use the default role' option does:
  * instance profile with
    + AmazonSSMManagedInstanceCore policy
    + this SSM-to-EC2 trust policy: principal service "ec2.amazonaws.com"; action "sts:AssumeRole"
  * service role with policies:
    + Allow several actions against * resource
    + principal service "ssm.amazonaws.com"; action "sts:AssumeRole"
Arch Linux-specific: Damned thing for Arch Linux requires snapd with classic mode WHICH REQUIRES apparmor!!! Uggg! + squashfs-tools, libinih, go-2, go-tools-2, python-docutils, xfsprogs. (Need to enable classic snapd support.) Then need to run snap commands instead of 'systemctl' to control it. WTF! Useful: sudo snap {services|start|stop|restart} amazon-ssm-agent
TO GET AN EC2 INSTANCE MANAGED: Set the SSM profile role as the instance's IAM profile role. [Re]start the SSM agent on the host. No reason to reboot the instance!
TODO: Troubleshoot why BMC Discovery successfully captures independent CentOS hosts but not Arch Linux. Check session logs and host-side SSM agent logs.
Session Manager. Gives you an elevated PowerShell, but graphical commands are not visible, so probably a good idea to avoid those since they apparently do execute. This uses the local ssm agent account, which has local admin but of course can't run domain commands.
GOTCHA! Non-running instances do not appear whatsoever in the 'Managed instances' list. Compounding that, if the 'Managed instances' list is empty, then the 'Managed instances' page doesn't present an empty table but instead appears as if you have never used Systems Manager.
Agent accounts: On Linux, local account ssm-user with NOPASSWD:ALL via /etc/sudoers.d/ssm-agent-users.
On Windows, local account .\ssm-user belongs to about 20 groups including Administrators and 'Remote Desktop Users'.

Java SDK
Javadoc: https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/
Gradle: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/setup-project-gradle.html
API generally: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingTheMPJavaAPI.html
Examples: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/prog-services.html
I don't know how to get Grape to use the BOM dependency, so for now use a version range specifier with Groovy Grape like:
  @Grab('com.amazonaws:aws-java-sdk-s3:[1.11.954,)')
com.amazonaws.services.s3.transfer: normal high-level API.
com.amazonaws.services.s3.model: low-level API.
GOTCHA: Must remove ~/.aws/c* default profile entries to use EC2 profile roles. 'aws configure list' should show type 'iam-role'.

Autoscaling
I don't understand min and max. Desired must be within min and max, no shit. But what use are min and max since the system always automatically scales up or down to satisfy "desired"?
When any scaling-group member instance is stopped, it auto-terminates, REGARDLESS OF TERMINATION PROTECTION!! The "Scale in protection" only prevents auto-removal of a specific EC2 instance. It does not prevent manual removal. It does not prevent the terminate-upon-stop behavior.
GOTCHA: To prevent accidental termination, do not add persistent instances into any autoscaling group. If you must (as a group canary or controller), then don't ever stop them.
Reboot, at least of Linux, does not trigger scale-ins/outs, despite warnings in the Console. Maybe that's because if your trigger is load-based or processing-based rather than simply number-of-instances, reboots would trigger.

Secrets Manager
Very intuitive, except that "secretString" is a JSON string of a map.
At least for 'Other' type secrets, you grant access to Lambda functions by:
  1. Find the Lambda function's Execution role name from the Console: the Lambda function > Configuration > Permissions.
  2. Copy the secret's ARN.
  3. Open the IAM role and under Permissions, add an Inline policy with: Service: Secrets Manager; Actions: Access level Read [minus GetRandomPassword = 4 of them]; Resources: Add ARN, paste the ARN into 'Specify ARN...' (skip the 3 fields below).
Only difference between type 'Other DB' and RDS is PROBABLY that you have to manually specify the (same) attr values. N.b.! Only the same database types are supported!
Only difference between type Other and RDS is that the secret string JSON attributes are different. [N.b. "user" vs. "username"!]
  Other type attributes: whatever you specify
  RDS type attributes: username, password, engine, host, port, dbInstanceIdentifier

Oracle RDS
When creating a new RDS instance with 'Public accessibility' and the default security group, the security group says all open for incoming, yet I can not connect until I switch to a custom security group. I have dedicated security groups for the different db types.
"Database" (optional) == SID == service name (the identifier is not the SID!). The identifier leads the hostname.
Remember that with Oracle, user == schema, so that to create a table user.x, user needs extend ability on the underlying tablespace, so: alter user shared quota unlimited on users;
To share listing and viewing with another user, GRANT SELECT on... Consider making a public alias so the sharee doesn't need to specify the schema. As long as users can extend their tablespace, they can create (and therefore do anything else with) tables in their own schema.

RedShift
It appears there's a JDBC interface and SQL. Sample data set: sample database called TICKIT. Tickit contains individual sample data files: two fact tables and five dimensions.

DNS Resolution
To use the AWS DNS Server, it's 169.254.169.253 + primary CIDR block network + .2 (mine 172.30.0.2).
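The Lambda-side counterpart of the Secrets Manager steps in the section above, as an added example (not from the notes): build_secret_read_policy() emits the step-3 inline policy (the Read-level actions minus GetRandomPassword, scoped to one secret ARN), and parse_db_secret() unpacks the secretString JSON map and flags the "user" vs "username" mismatch against the RDS attribute list. The secret ARN and sample secrets are placeholders/constructed values.

```python
# Added example (not from the notes): least-privilege inline policy for a Lambda
# execution role, plus a checker for the secretString JSON map. Actions are the
# four Read-level Secrets Manager actions the notes count (GetRandomPassword
# left out); the ARN and secret contents below are constructed placeholders.
import json

READ_ACTIONS = [
    "secretsmanager:GetSecretValue",
    "secretsmanager:DescribeSecret",
    "secretsmanager:ListSecretVersionIds",
    "secretsmanager:GetResourcePolicy",
]
# Attributes an RDS-type secret carries, per the notes above.
RDS_KEYS = {"username", "password", "engine", "host", "port", "dbInstanceIdentifier"}

def build_secret_read_policy(secret_arn):
    """Inline policy granting read-only access to exactly one secret ARN."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": READ_ACTIONS,
                           "Resource": secret_arn}]}

def parse_db_secret(secret_string):
    """Return (attributes, problems) for a secretString JSON map.
    Accepts the 'Other' shape too, but reports what RDS-style code would miss."""
    attrs = json.loads(secret_string)
    problems = []
    if "user" in attrs and "username" not in attrs:
        problems.append('key "user" present but RDS-style code expects "username"')
    missing = sorted(RDS_KEYS - attrs.keys())
    if missing:
        problems.append("missing RDS attributes: " + ", ".join(missing))
    if "port" in attrs and not str(attrs["port"]).isdigit():
        problems.append("port is not numeric")
    return attrs, problems

# Constructed samples: an RDS-type secret and an 'Other' secret that uses "user".
RDS_SECRET = json.dumps({"username": "app", "password": "placeholder", "engine": "oracle",
                         "host": "db.example.internal", "port": 1521,
                         "dbInstanceIdentifier": "mydb"})
OTHER_SECRET = json.dumps({"user": "app", "password": "placeholder",
                           "host": "db.example.internal"})
```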