Review@amazon: AWS for Solutions Architects

 Beginning of 2024 i read the book "AWS for Solutions Architects: The definitive guide to AWS Solutions Architecture for migrating to, building, scaling, and succeeding in the cloud":

The book has 627 pages and consists of 16 chapters.

Due to the number of topics, the author wants to cover (and has to!) the book cannot really go into detail about all the services - but in my opinion that is not necessary. I really liked the network sketches in Chapter 4 and the 6 Pillars in chapter 9. But the rest also fits - there are various keywords or links for each area that provide a good introduction.  

For anyone who knows other hyperscalers and is moving to AWS or is having their first contact with the cloud with AWS, this book should be a must-read. I really liked chapters 9, 14, 15, 16 because they deal with the general topics. Here the author cares more about the reader's knowledge base than about the specific implementation in AWS (and he doesn't leave this out). Absolute reading recommendation!

For more details please read my review at amazon (this time in german only) :)

(But maybe copilot or any other ChatGPT/OpenAI can translate that.

Review: Running Containers in Production for dummies

 Last evening i read the following booklet:

Here my review:

Chapter one gives within 7 pages an excellent introduction into "Containers & Orchestration Platforms". From Kubernetes over Openshift/Docker Swarm up to Amazon EKS - many services are described. In my opinion Azure AKS is missing, but it is clear, that every hyperscaler will provide you its managed Kubernetes environment. At the end even Apache Mesos is listed - which is out of scope for the most of us. 

Building & Deploying Containers is the headline of chapter 2 and a brief, solid description of these topics is given. If you want to know what all the buzzwords like CI/CD/CS, Pipelines, Container Registries are about: Read that chapter and you have a good starting point.

Nearly 33% of the book(let) is abount Monitoring Containers (chapter 3). This points in to the right directions. You have to know what your containers are doing and what you have to change with continuous delivery and continuous deployment. If you are running tens or hundreds of containers, the monitoring has to be  automatic as well - or you are lost. "A best practice for using containers is to isolate workloads by running only a single process per container.  Placing a monitoring agent — which amounts to a second process or service — in each container to get visibility risks destroying a key value of containers: simplicity." - So building up a monitoring is not such easy, as is was on full-stack servers...

Chapter 4 is about Security. This focuses on the following topics: Implementing container limits against resource abuse, how to avoid outdated container images, management of secrets and image authenticity.

The last chapter closes with "Ten Container Takeaways".

 

Within 43 pages a really nice starting point to learn about the world of docker and container orchestration.

AWS: Accessing S3 buckets from the internet and from ec2 instances (2)

After accessing a S3 bucket from an ec2 instance by adding an IAM role to my EC2 instance, i tried to get the access from an ec2 instance by using a AWS endpoint.

First step: Launch an ec2 instance within your VPC and try to access your S3 bucket:

[ec2-user@ip-172-31-30-93 ~]$ wget https://s3-eu-west-1.amazonaws.com/my.webtest/website.json
--2019-02-02 18:29:28--  https://s3-eu-west-1.amazonaws.com/my.webtest/website.json
Auflösen des Hostnamen »s3-eu-west-1.amazonaws.com (s3-eu-west-1.amazonaws.com)«... 52.218.16.244
Verbindungsaufbau zu s3-eu-west-1.amazonaws.com (s3-eu-west-1.amazonaws.com)|52.218.16.244|:443... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
2019-02-02 18:29:28 FEHLER 403: Forbidden.

Second step: change the bucket policy to this:

{
    "Version": "2012-10-17",
    "Id": "Policy1119991119999",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPC-only",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::my.webtest",
                "arn:aws:s3:::my.webtest/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpc": "vpc-12e0cc74"
                }
            }
        }
    ]
}

The access to the bucket is still forbidden. So next step is to add the endpoint:
Goto VPC -> endpoint:

And then choose the following:

(Here you have to select your route table ID!!!)

After that everything works like expected:

[ec2-user@ip-172-31-30-93 ~]$ wget https://s3-eu-west-1.amazonaws.com/my.webtest/website.json
--2019-02-02 18:29:51--  https://s3-eu-west-1.amazonaws.com/my.webtest/website.json
Auflösen des Hostnamen »s3-eu-west-1.amazonaws.com (s3-eu-west-1.amazonaws.com)«... 52.218.53.66
Verbindungsaufbau zu s3-eu-west-1.amazonaws.com (s3-eu-west-1.amazonaws.com)|52.218.53.66|:443... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 200 OK
Länge: 130 [application/json]
In »»website.json.1«« speichern.

100%[===============================================================================================================>] 130         --.-K/s   in 0s      

2019-02-02 18:29:51 (5,28 MB/s) - »»website.json.1«« gespeichert [130/130]

AWS: overview of all postings

After nearly an half year of looking into AWS, here a summary of all postings related to that topic:

• Amazon Web Services: A Start into AWS  

ECS & S3 (Computing & Storage):

• AWS: Running a docker-image with ECS  
• AWS: Running a docker-image with ECS (part 2)
• AWS: Running a docker-image with ECS (part 3): Stop it!  
• AWS: Accessing S3 buckets from the internet and from ec2 instances
by granting acces via IAM and using AWS CLI on the server without a password
• AWS: Accessing S3 buckets from ec2 instances without using IAM
  by using network rules and service endpoints to reach out to S3 with AWS-unaware CLI commands

VPC (Networking):

• AWS: Networking - Virtual Privat Cloud

Billing

• AWS: Billing - how to delete a route 53   
• AWS: What services are free of charge? How to control your costs...
• AWS: What services are free of charge? How to control your costs...(part 2)
• AWS: What services are free of charge? How to control your costs...(part 3)

Automation

• AWS: Installing aws cli (Amazon Web Service Commandline)  
• AWS: Creating a static Website with S3 (simple storage service) with aws cli
• AWS: How to delete a static website via aws cli

Miscellaneous 

• AWS: Logging? CloudTrail! 
• AWS: AWS Solutions Architect Associate - Practice
• Review at amazon: AWS Certified Solutions Architect - Official Study Guide 
• AWS: IAM & security - Best practices: Using a non-root user 

AWS: Accessing S3 buckets from the internet and from ec2 instances

After reading about endpoints for AWS S3 i was wondering how i can use this feature.

First step was to create a bucket and just tried to access this bucket over the internet:

$ aws s3api create-bucket --bucket my.webtest --region eu-west-1 --create-bucket-configuration LocationConstraint=eu-west-1
{
    "Location": "http://my.webtest.s3.amazonaws.com/"
}

And the i put this location into my browser:

This is like expected, because i did not allow public access for this bucket:

Ok. Let's try this from an EC2 instance:

$ wget http://my.webtest.s3.amazonaws.com/
--2018-12-04 20:09:47--  http://my.webtest.s3.amazonaws.com/
Auflösen des Hostnamen »my.webtest.s3.amazonaws.com (my.webtest.s3.amazonaws.com)«... 52.216.107.108
Verbindungsaufbau zu my.webtest.s3.amazonaws.com (my.webtest.s3.amazonaws.com)|52.216.107.108|:80... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 307 Temporary Redirect
Platz: http://my.webtest.s3-eu-west-1.amazonaws.com/[folge]
--2018-12-04 20:09:47--  http://my.webtest.s3-eu-west-1.amazonaws.com/
Auflösen des Hostnamen »my.webtest.s3-eu-west-1.amazonaws.com (my.webtest.s3-eu-west-1.amazonaws.com)«... 52.218.96.155
Verbindungsaufbau zu my.webtest.s3-eu-west-1.amazonaws.com (my.webtest.s3-eu-west-1.amazonaws.com)|52.218.96.155|:80... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
2018-12-04 20:09:47 FEHLER 403: Forbidden.

This was not like expected, but how should my bucket know, that this access was from an EC2 instance beloging to the same AWS account.

Let's try to access the bucket with aws cli:

$ aws s3 ls
Unable to locate credentials. You can configure credentials by running "aws configure".

To get this working you have to add an IAM role to your EC2 instance. So let's create a new role:

 choose ec2:

and AmazonS3FullAccess:

Move on (without configuring tags)

 And then attach this role to your EC2 instance:

 and choose your new "AccessToS3Role":

After that the aws cli works like expected:

[ec2-user@ip-172-31-2-99 ~]$ aws s3 ls
2018-12-04 20:02:11 my.webtest
[ec2-user@ip-172-31-2-99 ~]$ aws s3 ls my.webtest 
2018-12-04 20:23:12        130 website.json

But still no access via wget possible. This is because the aws cli uses the Amazon API to access the keys which come with the IAM role attached to the ec2 instance. The wget does not know anything about these keys.

Edit: Finally i got the wget (or better: access without using aws cli) working: https://dietrichschroff.blogspot.com/2019/02/aws-accessing-s3-buckets-from-internet.html

AWS: IAM & security - Best practices: Using a non-root user

After my successful solutions architect practice i knew that i had to take care of my shortcomings in security.
So i decided to visit the IAM (Identity and Access Managemen) of AWS:

• Delete your root access keys
  I created them for using aws cli (installation or creating a static webpage)
• Activate MFA on your root account
  No - i will not use multi factor authentication for my playground.
• Create individual IAM users
  I think this is a good point (it is also mentioned inside the book AWS Certified Solutions Architect - Official Study Guide)

So let's move to IAM users:
Click an "add user"

Then insert a "user name", choose an access type and click next:

Then you have to create the first group:

 I created a group with full AWS access:

Then move on with creating the user:

 Additional Tags:

 And finally click "create user"

 This will show you a page with an AWS management console URL:

Use this URL to login with the new user:

 (i had to change the passwort - the checkbox "require password reset")

And then i am logged into my AWS Management console with this non-root user:

If you want to login with your root user, you have to use the link blow the "sign in" button:

AWS: What services are free of charge? How to control your costs...(part 3)

After looking into my bill (see post 1 and post 2) i was keen, how fine granular the cost statistics are inside the aws web console. So i moved to the billing dashboard and to the cost explorer:

This provides you with the following dashboard:

 

You can play around with the settings to get for example something like this:

For more information jump to: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/ce-what-is.html

AWS Billing: Set an alarm to a cost threshold

Knowing about some details about the costs inside aws and some of the services (especially, that Docker, VPNs and Kubernetes are not included in the free trials)

• What services are free of charge? How to control your costs... (Part 1)
• Part (2)
• Part (3)

i set an alarm on my account, to get informed about new costs:

So move to "Cloudwatch" and there you have to choose "Alarms":

 Then "Create Alarm":

 And click on "select metric":

 Inside "select metric" click on "Billing" (at the bottom):

And select "Total Estimated Charge"

Select the Checkbox for USD and then "Select metric"

 After that you have to specify an exceed and an e-mail address:

 

If this is your first alarm you have to verify your e-mail:

 And if the confirmation is done, you will get:

Now the Dashboard shows:

And i got an e-mail with this alarm:

AWS: AWS Solutions Architect Associate - Practice

After reading the book AWS Certified Solutions Architect - Official Study Guide i decided to go for a online exam at https://aws.amazon.com/training/

I had to answer 25 question in about 30 minutes, which was quite exhausting. Only a few minutes after the exam i got the following mail:

Hmmm.
3.0 Specify Secure Applications and Architectures: 50%
An unconvincing result for this area, but with some more reading and more exercises i should get above 80%.

4.0 and 5.0 with 100%: Better than expected.

But is an overall score of 76% enough?
One day later inside my aws certification account the following line appeared:

;-)

AWS: Logging? CloudTrail!

Today took a look at CloudTrail:

 

CloudTrails provides a view into user activities, by recording their API calls. On the AWS webpages you can find the following graphic:

So let's start and move to cloudtrail:

Inside the event history you will be provided with the following view:

Here you can see my efforts for the posting AWS: How to delete a static website via aws cli.
If you expand such an event, you get the following information:

• AWS region
• Error code (in this case "BucketNotEmpty")
• Source IP address
• Username
• ... 

The events will be stored for 90 days and can be downloaded via this button (right above the event table):

$ head -3 event_history.csv 
Event ID,Event time,User name,Event name,Resource type,Resource name,AWS access key,AWS region,Error code,Source IP address,Resources
5c0cd873-3cef-449c-9e6a-1809ba827ac1,"2018-11-24, 05:06:47 PM",root,TestEventPattern,,,,eu-west-1,,87.123.BBB.AAA,[]
dcd07bfa-780c-4640-9293-513c35b3db0a,"2018-11-24, 05:05:23 PM",root,ConsoleLogin,,,,us-east-1,,87.123.BBB.AAA,[]