Tag Archives: AWS

How to access S3 Bucket from application on Amazon EC2 without access credentials

Assumptions

  1. You know what AWS S3 is and how an application accesses an S3 bucket using an Access Key/Secret Key.
  2. In this blog we will use the S3 bucket “parthicloud-test” as the bucket where static content such as photos for the application is stored.
  3. Developers usually use the Access Key/Secret Key to access the S3 bucket from the application through the SDKs or the AWS API.
  4. Managing the Access Key/Secret Key and keeping it secure becomes a pain for developers and administrators.

Use case

Developers want to read, write and list files in the “parthicloud-test” S3 bucket programmatically from an EC2 instance without managing or configuring the AWS Secret Key/Access Key.

Solution

We can use an IAM role to manage temporary credentials for applications that run on an EC2 instance. When we use a role, we don’t have to distribute long-term credentials to the instance. The role supplies temporary credentials that the application uses when it makes API calls to S3.

Advantages

  • Role credentials are temporary and rotated automatically.
  • Developers don’t have to manage the credentials.
  • We don’t have to worry about long-term security risks.
  • Flexibility to assign a single role to multiple EC2 instances whose applications require access to S3 storage.
  • We can change the role’s policy at any time and the change is propagated automatically to all the instances.

Caution

  • An IAM role cannot be assigned to an instance that is already running.
  • If we need to add a role to a running instance, the only option is to create an image of the instance and then launch a new instance from that image with the desired role assigned.

How does it work?

A developer runs an application on an EC2 instance that requires access to the S3 bucket named “parthicloud-test”. The AWS administrator creates the “ParthiCloud-S3” role. The role contains the policy that grants read/write/list permissions for the bucket.

When the application runs on the instance, it uses the role’s temporary credentials to access the parthicloud-test S3 bucket. The AWS administrator doesn’t have to grant the developer permission to access the parthicloud-test bucket, and the developer never has to share or manage credentials, which is very risky in terms of security compliance.

Another application runs on an EC2 instance that has no IAM role attached. When that application tries to access the parthicloud-test bucket, access is denied because no Access Key/Secret Key is available. Refer to the illustration below.

S3-Access-IAM-Role-EC2

Let’s discuss the steps in detail: creating the VPC, subnet, S3 bucket, IAM role and policy, launching an instance with the IAM role, and accessing the S3 bucket from the instance.

Step 1 – Create VPC

Let’s create a VPC with a single subnet for illustration purposes.

VPC

Step 2 – Create Key Pair

Create a key pair by providing a friendly name. It will be used for accessing the instances using PuTTY.

Key-Pair

A <key pair name>.pem file will be downloaded. In our case it is ParthiCloud.pem. We need PuTTYgen to convert the .PEM file to a .PPK file.

PuttyGen

Click File > Load Private Key and then click Save private key. We can save the .PPK file in the desired location. We also have the option to set a password for the .PPK file; it is entered in the Key passphrase box as shown in the image above.

Step 3 – Create S3 Bucket

Create an S3 bucket named “parthicloud-test” in the US Standard region.

S3-bucket-create

Upload a test file, “Test.txt”, to the S3 bucket.

S3-Upload

S3-Upload-1

Step 4 – Create IAM Policy and Role

Create a policy to access the S3 bucket. Select “Create Your Own Policy”.

Policy-1

Enter the policy name, description and the policy document as given below. The first statement allows listing the bucket itself, so its resource is the bucket ARN; the second allows object operations, so its resource is the bucket ARN followed by /*.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::parthicloud-test"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::parthicloud-test/*"
      ]
    }
  ]
}
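As an added illustration that is not part of the original post, the following Python models how IAM evaluates the policy above against the requests the instance makes later (listing the bucket, getting and putting objects). The evaluate() helper is hypothetical and deliberately simplified; it is not an AWS API, but it shows why the two statements are scoped to different ARNs and why an instance with no role at all is denied.

```python
import fnmatch
import json

# The policy document from the post, as the IAM evaluator sees it.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::parthicloud-test"]},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::parthicloud-test/*"]}
  ]
}
""")


def _as_list(value):
    # IAM accepts either a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Simplified model of IAM's decision logic (hypothetical helper, not an AWS API):
    everything is denied by default; an explicit Deny wins over any Allow; Action and
    Resource use '*' wildcards; action names are case-insensitive. Conditions,
    NotAction/NotResource and resource-based policies are not modelled."""
    if policy is None:          # instance with no role attached: no credentials at all
        return "Deny"
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        resources = _as_list(stmt["Resource"])
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    bucket, obj = "arn:aws:s3:::parthicloud-test", "arn:aws:s3:::parthicloud-test/Test.txt"
    for who, pol in (("ParthiCloud-S3 role", POLICY), ("instance without role", None)):
        for act, res in (("s3:ListBucket", bucket), ("s3:GetObject", obj),
                         ("s3:GetObject", bucket), ("s3:DeleteBucket", bucket)):
            print(f"{who:22} {act:16} {res:45} -> {evaluate(pol, act, res)}")
```

Note that s3:GetObject against the bare bucket ARN is denied, as is s3:ListBucket against an object ARN: a policy that puts both action groups on one resource silently breaks one of them.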

Policy-Create-1

Policy-Create-Success

Create a role by giving it a name.

IAM_Role

Select Amazon EC2 as the role type.

IAM_Role_Type

Then attach the policy “ParthiCloud-S3-Policy”.

Policy-Attach

Attach_Policy

Now the IAM role and policy are ready. Let’s launch the instance with the IAM role.

Step 5 – Launching Instance

Launch an Ubuntu instance; a micro instance is used for illustration.

Instance-Launch

Select the VPC, subnet and IAM role that were created earlier.

Add Storage.

Storage

Tag the instance. It will be very helpful during billing analysis.

Tag

Create a security group. Do not allow 0.0.0.0/0 as the source: the instance could then be accessed from anywhere, which is not recommended.

SG-1

Click Review & Launch. It will ask you to select the key pair; select the previously created key pair and click Launch Instances.

Select-KP

ParthiCloud instance is launched.

Access Instance

Enter ubuntu@<Elastic IP> in the Host Name field and attach the private key in the “Auth” section to connect to the instance.

Putty

Access S3 bucket from Instance

We have already uploaded the file Test.txt to the parthicloud-test S3 bucket. Type the command below to verify access and list the files in the bucket. We have not configured any Access Key/Secret Key on the instance.

$ aws s3 ls s3://parthicloud-test

S3-Access-Ubuntu

Let’s try to upload a file to the S3 bucket.

$ aws s3 cp newfile.txt s3://parthicloud-test/ --region us-east-1

S3-Copy

$ aws s3 ls s3://parthicloud-test

S3-Newfile

The new file was successfully uploaded to the S3 bucket.

We have discussed in detail how to use an IAM role and policy on an EC2 instance whose application requires access to an S3 bucket.


Amazon EC2 Dedicated Hosts – Competition to IBM softlayer Bare Metal servers

What is Amazon EC2 Dedicated Hosts?

Amazon announced a new variant of EC2 called Dedicated Hosts yesterday (6th Oct 2015). An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to our use. It helps us reduce costs by allowing us to use our existing server-bound software licenses.

We can allocate a Dedicated Host in a specific region and availability zone, and for a particular EC2 instance type.

Each Dedicated Host has room for a predefined number of instances of a particular type. For example, if a host has room for ten m4.xlarge instances, we can launch up to ten m4.xlarge instances on it. It is very similar to the virtualization we used to do on blade servers.

On a Dedicated Host we get predefined combinations of CPU cores and memory (the instance types), unlike pure-play virtualization, where we can select CPU and memory independently.

But let’s not forget that AWS offers a state-of-the-art management console, API and CLI support to manage the Dedicated Host.

IBM SoftLayer already has bare-metal servers, and EC2 Dedicated Hosts will be direct competition to that. We will have to wait for the pricing information to make the comparison.

Licensing Benefit – Cut costs

It provides greater value for enterprises that want to migrate from on-premises to the cloud. Dedicated Hosts allow us to use existing per-socket, per-core or per-VM software licenses, including Microsoft Windows Server, Microsoft SQL Server, SUSE Linux Enterprise Server, or other software licenses that are bound to VMs, sockets or physical cores.

Automatic Instance Placement

We have the option to launch instances onto a specific Dedicated Host, or we can let Amazon EC2 place the instances automatically. It helps us address licensing and corporate compliance requirements.

Affinity

Affinity is one of the important features of Amazon Dedicated Hosts. It allows us to specify which Dedicated Host an instance will run on after it has been stopped and restarted. This ensures that the instance always runs on the same physical server, even through planned interruptions. It helps reduce licensing costs for licenses that require affinity for a period of time (X number of days), and it is maintained using the instance placement scheme.

Greater Visibility

It gives us greater visibility into the number of sockets and physical cores in the Dedicated Host. This helps us manage licensing of our own server-bound software that is licensed per socket or per core.

Reporting

We can use AWS Config, which records when instances are launched, stopped or terminated on a Dedicated Host. It pairs this information with host-level information relevant to software licensing.

AWS Config can therefore be used as a data source for license reporting.

Pricing Options

Amazon EC2 Dedicated Hosts will be available in Reserved and On-Demand form. We pay for the host regardless of whether we run instances on it or not.

So it’s important to do our homework in assessing the requirements and workload before ordering Dedicated Hosts. Remember that we are paying for the whole server; AWS doesn’t care how many instances we run on that Dedicated Host. Proper resource utilization is up to us.

Portability

We can easily bring our own machine images to AWS using VM Import and the vCenter portal.

Recommendation

It is recommended for those who run their infrastructure on-premises, have licensing partnerships with companies like Microsoft, and wish to migrate to the cloud as part of their business strategy without diluting the software licenses they have already procured.


Step by Step guide to install SSL in AWS ELB

SSL Installation in AWS ELB

Generate Private Key:

Generate a CSR in Microsoft IIS

1. Click Start, then Administrative Tools, then Internet Information Services (IIS) Manager.
2. Click on the server name.
3. From the center menu, double-click the “Server Certificates” button in the “Security” section (it is near the bottom of the menu).

SSL-PrivateKey-Gen-1

4. Next, from the “Actions” menu (on the right), click on “Create Certificate Request”. This will open the Request Certificate wizard.

SSL-PrivateKey-Gen-2

5. In the “Distinguished Name Properties” window, enter the information as follows:
  1. Common Name – The name through which the certificate will be accessed (usually the fully-qualified domain name, e.g., domain.com or mail.domain.com).
  2. Organization – The legally registered name of your organization/company.
  3. Organizational unit – The name of your department within the organization (frequently this entry is listed as “IT” or “Web Security”, or is simply left blank).
  4. City/locality – The city in which your organization is located.
  5. State/province – The state in which your organization is located.

SSL-PrivateKey-Gen-3

6. Click Next.
7. In the “Cryptographic Service Provider Properties” window, leave both settings at their defaults (Microsoft RSA SChannel and 2048) and then click Next.

SSL-PrivateKey-Gen-4

8. Enter a filename for your CSR file.

9. Remember the filename you choose and the location to which you save it. You will need to open this file as a text file and copy its entire body (including the Begin and End Certificate Request tags) into the online order process when prompted.

SSL-PrivateKey-Gen-5

Back Up Private Key

To back up a private key on Microsoft IIS 7.0, follow these instructions:

1. From your server, go to Start > Run and enter mmc in the text box. Click on the OK button.
2. From the Microsoft Management Console (MMC) menu bar, select Console > Add/Remove Snap-in.
3. Click on the Add button. Select Certificates from the list of snap-ins and then click on the Add button.

SSL-PrivateKey-Gen-6

4. Select the Computer account option. Click on the Next button.

5. Select the Local computer (the computer this console is running on) option. Click on the Finish button.
6. Click on the Close button on the snap-in list window. Click on the OK button on the Add/Remove Snap-in window.
7. Click on Certificates in the left pane. Look for a folder called REQUEST or “Certificate Enrollment Requests” > Certificates.

SSL-PrivateKey-Gen-7

8. Select the private key that you wish to back up. Right-click on the file and choose All Tasks > Export.

SSL-PrivateKey-Gen-8

9. The Certificate Export Wizard will start; click Next to continue. In the next window select “Yes, export the private key” and click Next.

10. Leave the default settings selected and click Next.

SSL-PrivateKey-Gen-9

11. Set a password on the private key backup file and click Next.
12. Click on Browse and select a location where you want to save the private key backup file, then click Next to continue. By default the file will be saved with a .pfx extension.
13. Click Finish to complete the export process.

Convert to RSA Private Key Format

The private key is backed up as a ‘.pfx’ file, which stands for Personal Information Exchange.

To convert it to the RSA private key format accepted by ELB:

  1. Download and install the latest version of OpenSSL for Windows.
  2. Open the command prompt and run the following commands:

openssl pkcs12 -in filename.pfx -nocerts -out key.pem
openssl rsa -in key.pem -out myserver.key

  3. The private key will be saved as ‘myserver.key’.

  4. Carefully protect the private key. Be sure to back it up, as there is no way to recover it should it be lost.
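As an added example that is not part of the original guide, this Python script drives the two openssl commands above and then runs the checks worth doing before the ELB upload: that the passphrase was really stripped (ELB cannot prompt for one), that the key is PEM encoded, and that the key actually belongs to the certificate being uploaded. It assumes openssl is on the PATH; the demo() helper and the self-signed certificates it generates are constructed test material, not files from the guide.

```python
import os
import subprocess
import tempfile

def run(*args):
    """Run one openssl command and return its stdout; a non-zero exit raises."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout

def pfx_to_elb_key(pfx_path, pfx_password, key_out):
    """The two openssl steps from the guide: pull the passphrase-protected key out of
    the .pfx, then remove the passphrase. Some .pfx files exported by Windows use
    old ciphers that OpenSSL 3 reads only with an extra -legacy flag on pkcs12."""
    protected = key_out + ".protected.pem"
    run("openssl", "pkcs12", "-in", pfx_path, "-nocerts", "-out", protected,
        "-passin", "pass:" + pfx_password, "-passout", "pass:" + pfx_password)
    run("openssl", "rsa", "-in", protected, "-out", key_out, "-passin", "pass:" + pfx_password)
    os.remove(protected)

def modulus(kind, path):
    """kind is 'rsa' for a private key or 'x509' for a certificate; both print Modulus=<hex>."""
    return run("openssl", kind, "-noout", "-modulus", "-in", path).strip()

def check_elb_material(key_path, cert_path):
    """Checks to run before pasting the files into the ELB SSL Certificate form."""
    with open(key_path) as f:
        pem = f.read()
    problems = []
    if "ENCRYPTED" in pem:
        problems.append("private key is still passphrase-protected")
    if "PRIVATE KEY-----" not in pem:
        problems.append("private key is not PEM encoded")
    if modulus("rsa", key_path) != modulus("x509", cert_path):
        problems.append("private key does not belong to this certificate")
    return problems

def demo(matching=True):
    """Constructed test material (hypothetical, not from the guide): two throwaway
    self-signed certs; 'a' is packed into a .pfx as the IIS export does, converted and
    checked against its own cert, or against unrelated 'b' when matching=False."""
    d = tempfile.mkdtemp()
    for n in ("a", "b"):
        run("openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=www.example.com", "-keyout", f"{d}/{n}.key", "-out", f"{d}/{n}.crt")
    run("openssl", "pkcs12", "-export", "-inkey", f"{d}/a.key", "-in", f"{d}/a.crt",
        "-out", f"{d}/a.pfx", "-passout", "pass:backup-pw")
    pfx_to_elb_key(f"{d}/a.pfx", "backup-pw", f"{d}/myserver.key")
    return check_elb_material(f"{d}/myserver.key", f"{d}/{'a' if matching else 'b'}.crt")
```

An empty list from check_elb_material() means the key is ready for the Private Key box; the mismatch case is the one that otherwise only surfaces as an opaque error from the console.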

Configure SSL in ELB

Select the desired load balancer from the list of load balancers in the Load Balancer dashboard.

Click on the “Listeners” tab of the load balancer details page.

Click on the Edit button in the Listeners tab to add an HTTPS listener.

SSL-ELB-1

SSL-ELB-2

Click on the Add button to add a new listener (HTTPS).

Select the protocol and port as shown in the screenshot above.

Click on the Change link to change the ciphers.

SSL-ELB-3

Select “Predefined Security Policy”. Make sure TLSv1 is disabled.

Click on Save.

Click on Change in “SSL Certificate”.

SSL-ELB-5

Select “Upload a new SSL Certificate” as the Certificate Type.

Fill in the following details.

  1. Certificate Name: Name of the certificate.
  2. Private Key: The RSA key generated in the steps above.
  3. Public Key Certificate: The public certificate received from the SSL provider.
  4. Certificate Chain: The intermediate and chain certificates provided by the SSL provider.

SSL installation in AWS ELB is complete.
