When you are ready to start working with Amazon Web Services (AWS) instances, you have at least two choices for creating and then using them. One choice is making AWS API (application programming interface) calls. A second choice, and the one we recommend in most cases, is Amazon's Web-based interface, the AWS Management Console.
The AWS Management Console simplifies:
- Signing up to use AWS
- Creating security group(s) for your instance(s)
- Launching Amazon EC2 instances
- Connecting to Amazon EC2 instances
- Adding storage to your Amazon EC2 instances
Amazon provides simple examples for each of these five processes to help you get started with, and then use, Amazon EC2 instances. However, if you are using Amazon EC2 to run business applications that currently run in your on-premises data center, you need to know a great deal more (by several orders of magnitude) about AWS and Amazon EC2.
You need to know about EC2 instance types, pricing, Amazon storage services, regions, availability zones, security groups and much more to use AWS. Bernard Golden's book titled Amazon Web Services for Dummies is a good read for those who intend to move IT responsibility to AWS.
After walking through these processes, we provide a collection of best practices around Amazon EC2 instances.
Signing up for AWS
To get started signing up for AWS, go to http://aws.amazon.com and click on "Sign Up" and then follow the instructions on the subsequent screens. As part of this sign-up procedure you will get your AWS account number, something that you will need later.
When you initially sign up for AWS, you are given an account that is automatically set up for all services in AWS. This includes the Amazon EC2 service, S3 and EBS storage services, etc. Although AWS allows you to sign up for free, giving you 750 hours of usage, you have to provide a credit card number, which will be charged when you use services that are not covered by the free allowance.
Amazon confirms your identity with a phone call to a number you provide. You will immediately receive a phone call from an automated system and be prompted to enter the PIN you received. Once the PIN is verified, your account will be activated.
Creating an IAM user
When you access an AWS service, the service determines whether you have permission to access the service resources. You create an IAM user and then add the user to an IAM group with various permissions. Following this, you can access AWS using a special sign-in URL that contains your account ID. The "account-id" part is your AWS account ID, without hyphens, which you received when you signed up for AWS.
To create an IAM user, open the IAM console, enter the email address and password that you chose when you signed up for AWS, and follow the instructions provided. After you create an IAM user, you will have the necessary credentials to sign in and use Amazon EC2 with the aforementioned special URL.
Creating security groups
A security group acts as a virtual firewall to control the traffic allowed into its associated instances. You add inbound and outbound rules to the security group to control traffic. Inbound rules regulate the traffic that is allowed to reach the instances associated with the security group, such as HTTP(S).
Outbound rules control destinations to which the instances associated with the security group can send traffic. However, return traffic, such as a response from the host that received the traffic, is automatically allowed. If you plan to launch instances in multiple regions, you will need to create a security group in each region.
To create a security group, open the Amazon EC2 console:
- Select a region for the security group
- Click on "create a security group," and enter a name for the new security group along with a description of the group
- On the Inbound tab, create rules such as:
- Allow HTTP(S) traffic to enter the instance
- Allow SSH traffic to enter the instance
For two instances to communicate within AWS, they must either belong to the same security group, or one instance's security group must be configured to receive traffic from another security group owned by the same AWS account. Security groups are scoped regionally, so you need appropriate security groups in every region in which you plan to run applications.
Launching an Amazon EC2 instance
You can launch an instance using the AWS Management Console. Before you launch an instance, you must have completed the first two steps in "Signing Up to use Amazon EC2."
You begin the launching procedure by accessing the Amazon EC2 console and selecting "Launch Instance." Select an Amazon Machine Image (AMI) to create the template for your launched instance. Next, pick the hardware configuration for your instance by selecting an instance type. Choose a security group that you created earlier for the instance, and use the credentials that you created earlier to finally launch the instance.
Adding an EBS volume to your Amazon EC2 instance
After launching and connecting to an instance, you can add an EBS volume to it or add storage units from one of the other storage services. Open the Amazon EC2 console, select the region in which you created your instance (EBS volumes are region sensitive) and select the instance. You have a choice of selecting the volume type: Standard or Provisioned IOPS. Finally, attach the volume. If you created an empty volume, you need to format the volume before it can be mounted.
Best practices for Amazon EC2 instances
- Make sure that you have a good overall understanding of the many aspects of using AWS before offloading some of your company's IT responsibility onto it. You need to understand details around storage services, pricing, regions, compliance, etc.
- Create a staff position or group to monitor and understand AWS rules and pricing. Amazon makes changes to its pricing and makes new services available frequently.
- Understand your company's responsibility for security when working with AWS. In an on-premises computing organization, the IT group takes responsibility for all security throughout the organization. With Amazon EC2, Amazon takes responsibility for only a portion of the overall security. For Amazon EC2, the dividing line is located at the hypervisor. You have responsibility for security above the hypervisor, including application security, and Amazon has responsibility below the hypervisor.
- Do not give your AWS account credentials to anyone. Instead, create individual users for anyone who needs access to your AWS account.
- Choose your AWS account access keys carefully. The access key ID and secret access key for your AWS account give you access to all your resources, including your billing information. Protect your credentials until you absolutely need to use them. Use your account password to sign in to the AWS Management Console and create an IAM user for yourself that has administrative privileges instead.
- Create separate security groups for all network traffic rules. Do not use the predefined security group.
- To enable network access to your instance, you must allow inbound traffic by opening a port to your instance. Open only the ports that you need to open; this reduces the attack surface available to an intruder.
- Restrict system administration access. When it comes to accessing your instances, restrict admin privileges to computers that are located in places you trust. For staff working from home or traveling on business trips, set up virtual private networks (VPNs) from their computers to the company network and then forward traffic via the company network.
- Understand how traffic sources and security groups, along with region scoping, can work to make your applications more secure.
- Have sufficient Amazon EC2 instances across availability zones to survive the loss of any one availability zone.
- Use security groups to partition applications. Many organizations allow public network traffic to application Web servers, but do not allow public network traffic to access back-end database servers. To provide this kind of control in AWS EC2, you can use security groups to partition applications by placing application Web servers in one security group and database servers in another security group. Be aware that using security groups to partition applications does not protect applications from a direct attack, because each instance retains a public IP address.
- Address the exposure associated with using security groups to partition applications by using the AWS VPC (Virtual Private Cloud) service. AWS VPC allows you to have complete control over selection of your IP address range, creation of subnets and configuration of route tables and network gateways.
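As an added example (not from this article and not AWS's own code), a small Python model of the security-group behaviour described above: stateful return traffic, rule sources given as a CIDR or as another security group of the same account, and the Web/database partition from the best practices. The group names, addresses and ports are constructed, and the `public_ports` helper is a hypothetical audit check for the "open only the ports you need" advice.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Simplified model of EC2 security-group semantics (added illustration, not AWS's
# code): rules are allow-only, a source is a CIDR or another group of the same
# account, and filtering is stateful, so replies to accepted flows need no rule.

@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    port: int    # destination port opened by the rule
    source: str  # CIDR such as "0.0.0.0/0" or a group name such as "sg-web"

@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)

def inbound_allowed(group, proto, port, src_ip, src_group=None):
    """True if an inbound rule matches; src_group is the sender's group, if any."""
    for rule in group.inbound:
        if rule.proto != proto or rule.port != port:
            continue
        if rule.source.startswith("sg-"):
            if src_group == rule.source:
                return True
        elif ip_address(src_ip) in ip_network(rule.source):
            return True
    return False

def public_ports(group):
    """Audit helper (hypothetical): ports the group opens to the whole Internet."""
    return sorted((r.proto, r.port) for r in group.inbound if r.source == "0.0.0.0/0")

class ConnectionTable:
    """Remembers accepted inbound flows so their replies pass without outbound rules."""
    def __init__(self):
        self.flows = set()
    def accept(self, group, proto, port, src_ip, src_group=None):
        ok = inbound_allowed(group, proto, port, src_ip, src_group)
        if ok:
            self.flows.add((group.name, proto, port, src_ip))
        return ok
    def reply_allowed(self, group, proto, port, dst_ip):
        return (group.name, proto, port, dst_ip) in self.flows

# Constructed two-tier layout: Web tier open to the Internet on HTTPS and to a trusted
# office range on SSH; database tier reachable only from instances in the Web group.
WEB = SecurityGroup("sg-web", [Rule("tcp", 443, "0.0.0.0/0"), Rule("tcp", 22, "203.0.113.0/24")])
DB = SecurityGroup("sg-db", [Rule("tcp", 3306, "sg-web")])
```

With this layout the database port is reachable from the Web group but not from the Internet, which is exactly the guarantee that evaporates if someone later adds a `0.0.0.0/0` rule on port 3306 to the database group.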
About the author
Bill Claybrook is a marketing research analyst with over 35 years of experience in the computer industry, with the last dozen years in Linux, open source and cloud computing. Bill was Research Director, Linux and open source, at The Aberdeen Group in Boston and a competitive analyst/Linux product-marketing manager at Novell. He is currently President of New River Marketing Research and Directions on Red Hat. He holds a Ph.D. in Computer Science.