Thursday, February 15, 2018

AWS Key Pairs - Deep Dive

AWS Key Pairs

What is AWS Key Pairs

AWS key pair is basically used to login EC2 instance without using password in a secure manner.


When we create EC2 instance,  need to provide key file name, At this time Amazon EC2 instance will store public key at server in ~/.ssh/authorized_keys file and you store private key at your machine. Only using this private key you can login to the instance.

you can add or replace key pair with your running instance.

The keys that Amazon EC2 uses are 2048-bit SSH-2 RSA keys. You can have up to five thousand key pairs per region.

Creating AWS Key Pair

1. Using AWS Console

2. Using CLI

3. Importing your Own Key Pairs using AWS Console

4.  Importing your Own Key Pairs using AWS CLI

1. Using AWS Console 

  • navigation pane, under NETWORK & SECURITY, choose Key Pairs
    Fig1 Select Key Pairs 
  • Chose Create key pair 
    fig 2 Create Key Pair
  • Enter key pair name, and click on create this will create key pair and download private key at your system. Keep this file at secure place and change its permission to readonly using chmod 400
    Fig 3 Enter key pair name 

    Fig 4 After Creating Key Pair

2 Using CLI

create-key-pair 
--key-name <value>
[--dry-run | --no-dry-run]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

for example 
aws ec2 create-key-pair --key-name test2

 3. Importing your Own Key Pairs using AWS Console

1. Generate key pair using any keygen tool such as ssh-keygen Note AWS does not support DSA key format
2. Save public key to a local file by extension .pub
3. save private key to a local secure area by extension .pem
4. open AWS management console and navigate Network Security open Key Pair 
Now click on Import Key Pair
5. Select public key file 


 4. Importing your Own Key Pairs using AWS CLI

  import-key-pair
[--dry-run | --no-dry-run]
--key-name <value>
--public-key-material <value>
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

for example 

aws ec2 import-key-pair --key-name mypublickey --public-key-material MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuhrGNglwb2Zz/Qcz1zV+l12fJOnWmJxC2GMwQOjAX/L7p01o9vcLRoHXxOtcHBx0TmwMo+i85HWMUE7aJtYclVWPMOeepFmDqR1AxFhaIc9jDe88iLA07VK96wY4oNpp8+lICtgCFkuXyunsk4+KhuasN6kOpk7B2w5cUWveooVrhmJprR90FOHQB2Uhe9MkRkFjnbsA/hvZ/Ay0Cflc2CRZm/NG00lbLrV4l/SQnZmP63DJx194T6pI3vAev2+6UMWSwptNmtRZPMNADjmo50KiG2c3uiUIltiQtqdbSBMh9ztL/98AHtn88JG0s8u2uSRTNEHjG55tyuMbLD40QEXAMPLE


Replace Key Pair with New One


Connect to your instance using your existing private key file.

Using a text editor of your choice, open the .ssh/authorized_keys file on the instance. Paste the public key information from your new key pair underneath the existing public key information. Save the file.

Now connect using new private key.
Posted by at No comments:

Monday, February 12, 2018

AWS Tutorial - What is Security Group


Security group in AWS is like a firewall(Virtual Firewall), it control inbound and outbound traffic from one or more instances. Security groups in AWS are Region Based.

Apart from maintaining Inbound and outbound Traffic using Security Group, if we want to add additional rule then we can use firewalld.

 Security Group rules are associated with primary network Ethernet interface. 

Security Group Rules

By Default Security Group all Outbound Traffic.

Security Group rules are always permissive, you can't create deny rules.

You can add,modify and update rule in security group and it applied immediately.

 When you associate multiple Security Group to a instance, the rule from each security group are effectively aggregated and applied to that instance. But This is not recommended way.



How to Create Security Group 

  1. Choose security group from Navigation Panel
    Fig 1 : Security Groups Under EC2
  2. Choose Create Security Group
  3. Enter name and description for new security group. for example - iamname_SG_region
  4. Select VPC from dropdown, if you don't create any vpc it show only default VPC
  5. Two Tab Inbound and Outbound
  6. Click on Add Rule to allow port for server.
Type : Protocol 
Protocol : 
Port Range :
Source(Inbound)/Destination(Outbound) :  
Description : Add Description upto 255 character.

Create Security Group using Command Line

  create-security-group
--description <value>
--group-name <value>
[--vpc-id <value>]
[--dry-run | --no-dry-run]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
--description -  Upto 255 Character 
Constraints for EC2-VPC: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

--group-name - upto 255 character, not start with sg
Constraints for EC2-VPC: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
 --vpc-id - id of VPC
For Example 
aws ec2 create-security-group --group-name MySecurityGroup --description "My security group" --vpc-id vpc-1a2b3c4d
Note : You can add upto 50 rules per security group

You can create a security group and add rules that reflect the role of the instance that's associated with the security group. For example, an instance that's configured as a web server needs security group rules that allow inbound HTTP and HTTPS access, and a database instance needs rules that allow access for the type of database, such as access over port 3306 for MySQL.
The following are examples of the kinds of rules that you can add to security groups for specific kinds of access.

Web server

The following inbound rules allow HTTP and HTTPS access from any IP address. If your VPC is enabled for IPv6, you can add rules to control inbound HTTP and HTTPS traffic from IPv6 addresses.
Protocol typeProtocol numberPortSource IPNotes
TCP680 (HTTP)0.0.0.0/0Allows inbound HTTP access from any IPv4 address
TCP6443 (HTTPS)0.0.0.0/0Allows inbound HTTPS access from any IPv4 address
TCP680 (HTTP)::/0(VPC only) Allows inbound HTTP access from any IPv6 address
TCP6443 (HTTPS)::/0(VPC only) Allows inbound HTTPS access from any IPv6 address

Database server

The following inbound rules are examples of rules you might add for database access, depending on what type of database you're running on your instance. For more information about Amazon RDS instances, see the Amazon Relational Database Service User Guide.
For the source IP, specify one of the following:
  • A specific IP address or range of IP addresses in your local network
  • A security group ID for a group of instances that access the database
Protocol typeProtocol numberPortNotes
TCP61433 (MS SQL)The default port to access a Microsoft SQL Server database, for example, on an Amazon RDS instance
TCP63306 (MYSQL/Aurora)The default port to access a MySQL or Aurora database, for example, on an Amazon RDS instance
TCP65439 (Redshift)The default port to access an Amazon Redshift cluster database.
TCP65432 (PostgreSQL)The default port to access a PostgreSQL database, for example, on an Amazon RDS instance
TCP61521 (Oracle)The default port to access an Oracle database, for example, on an Amazon RDS instance
(VPC only) You can optionally restrict outbound traffic from your database servers, for example, if you want allow access to the Internet for software updates, but restrict all other kinds of traffic. You must first remove the default outbound rule that allows all outbound traffic.
Protocol typeProtocol numberPortDestination IPNotes
TCP680 (HTTP)0.0.0.0/0Allows outbound HTTP access to any IPv4 address
TCP6443 (HTTPS)0.0.0.0/0Allows outbound HTTPS access to any IPv4 address
TCP680 (HTTP)::/0(IPv6-enabled VPC only) Allows outbound HTTP access to any IPv6 address
TCP6443 (HTTPS)::/0(IPv6-enabled VPC only) Allows outbound HTTPS access to any IPv6 address

Access from another instance in the same group

To allow instances that are associated with the same security group to communicate with each other, you must explicitly add rules for this.
The following table describes the inbound rule for a VPC security group that enables associated instances to communicate with each other. The rule allows all types of traffic.
Protocol typeProtocol numberPortsSource IP
-1 (All)-1 (All)-1 (All)The ID of the security group
The following table describes inbound rules for an EC2-Classic security group that enable associated instances to communicate with each other. The rules allow all types of traffic.
Protocol typeProtocol numberPortsSource IP
ICMP1-1 (All)The ID of the security group
TCP60 - 65535 (All)The ID of the security group
UDP170 - 65535 (All)The ID of the security group

Access from local computer

To connect to your instance, your security group must have inbound rules that allow SSH access (for Linux instances) or RDP access (for Windows instances).
Protocol typeProtocol numberPortSource IP
TCP622 (SSH)The public IPv4 address of your computer, or a range of IP addresses in your local network. If your VPC is enabled for IPv6 and your instance has an IPv6 address, you can enter an IPv6 address or range.
TCP63389 (RDP)The public IPv4 address of your computer, or a range of IP addresses in your local network. If your VPC is enabled for IPv6 and your instance has an IPv6 address, you can enter an IPv6 address or range.

Path MTU Discovery

The path MTU is the maximum packet size that's supported on the path between the originating host and the receiving host. If a host sends a packet that's larger than the MTU of the receiving host or that's larger than the MTU of a device along the path, the receiving host returns the following ICMP message:







Destination Unreachable: Fragmentation Needed and Don't Fragment was Set
To ensure that your instance can receive this message and the packet does not get dropped, you must add an ICMP rule to your inbound security group rules.
Protocol typeProtocol numberICMP typeICMP codeSource IP
ICMP13 (Destination Unreachable)4 (Fragmentation Needed and Don't Fragment was Set)The IP addresses of the hosts that communicate with your instance

Ping your instance

The ping command is a type of ICMP traffic. To ping your instance, you must add the following inbound ICMP rule.
Protocol typeProtocol numberICMP typeICMP codeSource IP
ICMP18 (Echo)N/AThe public IPv4 address of your computer, or a range of IPv4 addresses in your local network
To use the ping6 command to ping the IPv6 address for your instance, you must add the following inbound ICMPv6 rule.
Protocol typeProtocol numberICMP typeICMP codeSource IP
ICMPv658128 (Echo)0The IPv6 address of your computer, or a range of IPv6 addresses in your local network

DNS server

If you've set up your EC2 instance as a DNS server, you must ensure that TCP and UDP traffic can reach your DNS server over port 53.
For the source IP, specify one of the following:
  • A specific IP address or range of IP addresses in a network
  • A security group ID for a group of instances in your network that require access to the DNS server
Protocol typeProtocol numberPort
TCP653
UDP1753

Amazon EFS file system

If you're using an Amazon EFS file system with your Amazon EC2 instances, the security group that you associate with your Amazon EFS mount targets must allow traffic over the NFS protocol.
Protocol typeProtocol numberPortsSource IPNotes
TCP62049 (NFS)The ID of the security group.Allows inbound NFS access from resources (including the mount target) associated with this security group.
To mount an Amazon EFS file system on your Amazon EC2 instance, you must connect to your instance. Therefore, the security group associated with your instance must have rules that allow inbound SSH from your local computer or local network.
Protocol typeProtocol numberPortsSource IPNotes
TCP622 (SSH)The IP address range of your local computer, or the range of IP addresses for your network.Allows inbound SSH access from your local computer.

Elastic Load Balancing

If you're using a load balancer, the security group associated with your load balancer must have rules that allow communication with your instances or targets.
Inbound
Protocol typeProtocol numberPortSource IPNotes
TCP6The listener port
For an Internet-facing load-balancer: 0.0.0.0/0 (all IPv4 addresses)
For an internal load-balancer: the IPv4 CIDR block of the VPC
Allow inbound traffic on the load balancer listener port.
Outbound
Protocol typeProtocol numberPortDestination IPNotes
TCP6The instance listener portThe ID of the instance security groupAllow outbound traffic to instances on the instance listener port.
TCP6The health check portThe ID of the instance security groupAllow outbound traffic to instances on the health check port.
The security group rules for your instances must allow the load balancer to communicate with your instances on both the listener port and the health check port.
Inbound
Protocol typeProtocol numberPortSource IPNotes
TCP6The instance listener port
The ID of the load balancer security group
Allow traffic from the load balancer on the instance listener port.
TCP6The health check portThe ID of the load balancer security groupAllow traffic from the load balancer on the health check port.
Posted by at No comments:
Subscribe to: Posts (Atom)