Links
- awsnow.info | Prices & Limits
- Displays consolidated AWS prices and limits in one page. See api.awsnow.info for a RESTful API.
- Getting Good IO from Amazon's EBS
- AWS: the good, the bad and the ugly
- Account / Credentials
- Manage Credentials: Access, Sign In, 2 Factor/MFA, Account ID
- IAM home (manage MFA device from here.)
- Viewing Your Account ID
- Account Activity
- How to Create an X.509 Certificate and Private Key
- Delegating API access by using roles
- Enabling Cross-Account API Access
- Only IAM users can assume a role. If you use AWS account credentials, access is denied.
- Using Temporary Security Credentials to Access AWS
- Multi-Factor Authentication Info | FAQs
- Tagging Your Resources
- EC2
- Broken PMTUD on Amazon EC2
- The fix, `ec2-authorize default -P icmp -t 3:4`, can be applied universally by all users.
- FAQ
- Instances
- Instance Families and Types
- HVM-Based AMIs
- Instance Metadata
- Metadata Categories
curl http://169.254.169.254/latest/meta-data/ami-launch-index
curl http://169.254.169.254/latest/user-data
curl http://169.254.169.254/latest/meta-data/local-ipv4
curl http://169.254.169.254/latest/meta-data/public-ipv4
- All instances launched together get the same user-supplied data. You can use the AMI launch index as an index into the data.
- User data is limited to 16K. This limit applies to the data in raw form, not base64 encoded form.
- The user data must be base64 encoded before being submitted to the API. The API command line tools perform the base64 encoding for you.
- Ensuring Idempotency
- Root Device
- Block Device Mapping
- Stopping Instances
- Creating Your Own AMIs
- Instance Store-Backed
- Creating an Instance Store-Backed AMI From an Existing AMI
- Instance Store Device Names
- SO: Convert EBS root device to instance store
- Convert EBS image to instance store image
- forum question
- You must pass `-B root=/dev/sda1` to the `ec2-bundle-vol` command.
- Also, by default, the `ec2-bundle-vol` command will store your image part files in the `/tmp` directory, which typically is not large enough.
- Use the `-d` parameter to store your image in the `/mnt` directory (or `/media` on Amazon Linux?) (the ephemeral store).
- Amazon EBS-Backed
- AMIs
- Amazon Linux
- Based on RedHat. See forum question.
- FAQ
- ami-10249879: 32 bit, instance backed, US East (Virginia): launch
- S3
- S3 fs / sync
- Command Line Tools
- Netflix/ice
Users and Groups
- Management is called IAM (Identity Access Management).
- There is a web console for EC2 – https://console.aws.amazon.com/ec2/home#s=SecurityGroups – but it's not for S3.
Snippets
Creating an instance backed AMI
```sh
# From: http://serverfault.com/questions/360882/ebs-backed-ami-become-instance-store-ami-when-migrate-across-region
ec2-bundle-vol \
    -k pk-xxx.pem \
    -u xxx \
    -c cert-xxx.pem

# If you want to change regions.
ec2-migrate-manifest \
    -m /tmp/image.manifest.xml \
    -c cert-xxx.pem \
    -k pk-xxx.pem \
    -a xxx \
    -s xxx \
    --region ap-southeast-1

ec2-upload-bundle \
    -b my-sg-bucket \
    -m /tmp/image.manifest.xml \
    -a xxx \
    -s xxx \
    --location ap-southeast-1

ec2-register \
    -K pk-xxx.pem \
    -C cert-xxx.pem \
    --region ap-southeast-1 \
    my-sg-bucket/image.manifest.xml \
    --name my-ami
```
Manipulating with boto
```python
import getpass
import pprint
pp = pprint.pprint

import ck_3p
import boto.iam

AWS_ID = "..."

# Create a new connection. The secret key is read from a prompt, not stored in the script.
C = boto.iam.connection.IAMConnection(AWS_ID, getpass.getpass())

# Create the Administrators group.
C.create_group("Administrators")

# Print all existing groups.
pp(C.get_all_groups())

# Create a group policy for the Administrators group.
# This grants every action on every resource.
policy_json = '''
{
  "Statement": [{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }]
}
'''
C.put_group_policy("Administrators", "AdministratorGroupPolicy", policy_json)

# Create a new user and add to the Administrators group.
u = C.create_user("ckadmin")
C.add_user_to_group("Administrators", "ckadmin")  # username is a string.


def display_response(response):
    # The fields of interest sit three levels deep in boto's nested response.
    interested_map = response
    for _ in range(3):
        interested_map = next(iter(interested_map.values()))
    for k, v in interested_map.items():
        print("%s: %s" % (k, v))


# Create access keys for the user.
# The response includes the secret access key, so this prints it to the terminal.
response = C.create_access_key("ckadmin")
display_response(response)

# git2 user and group

# Create the user.
U = C.create_user("git2")

# Create access key.
response = C.create_access_key("git2")
display_response(response)

# Create group.
response = C.create_group("git2_users")
display_response(response)

# Add user to group.
C.add_user_to_group("git2_users", "git2")

# Add a policy: allow all S3 actions on one bucket and its objects,
# and explicitly deny S3 actions on everything else.
policy = r'''{
  "Statement": [{
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::ck2.git.chirayuk.com",
        "arn:aws:s3:::ck2.git.chirayuk.com/*"]
    },
    {
      "Effect": "Deny",
      "Action": ["s3:*"],
      "NotResource": [
        "arn:aws:s3:::ck2.git.chirayuk.com",
        "arn:aws:s3:::ck2.git.chirayuk.com/*"]
    }
  ]
}
'''
C.put_group_policy("git2_users", "git2_policy", policy)
```
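
What the Deny/NotResource statement in git2_policy buys, shown with a small offline evaluator. This is an added example, not part of the original notes and not AWS's own evaluation code. It assumes a simplified model (no principals, conditions or resource policies; wildcards matched with `fnmatch`), and the names `evaluate`, `GIT2_POLICY` and `ADMIN_POLICY` are made up for the example.

```python
import fnmatch
import json

# Same statements as git2_policy in the boto snippet above.
GIT2_POLICY = json.loads(r'''{
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::ck2.git.chirayuk.com",
                  "arn:aws:s3:::ck2.git.chirayuk.com/*"]},
    {"Effect": "Deny", "Action": ["s3:*"],
     "NotResource": ["arn:aws:s3:::ck2.git.chirayuk.com",
                     "arn:aws:s3:::ck2.git.chirayuk.com/*"]}
  ]
}''')

# Same statement as AdministratorGroupPolicy in the boto snippet above.
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _applies(stmt, action, resource):
    # Action names are case-insensitive; resource ARNs are not.
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    if not _matches(actions, action.lower()):
        return False
    if "NotResource" in stmt:
        # NotResource: the statement covers everything except the listed ARNs.
        return not _matches(stmt["NotResource"], resource)
    return _matches(stmt["Resource"], resource)


def evaluate(policies, action, resource):
    """Explicit Deny beats Allow; no matching statement is an implicit deny."""
    effects = set(s["Effect"] for p in policies for s in p["Statement"]
                  if _applies(s, action, resource))
    if "Deny" in effects:
        return "Deny"
    return "Allow" if effects else "ImplicitDeny"
```

If git2 were ever also added to the Administrators group, the explicit Deny would still block S3 access to every other bucket, while non-S3 actions would be allowed by the `*` policy.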