Convert from instance store to EBS

Amazon IAM – Identity and Access Management

I found out about IAM (Identity and Access Management) these days while I was searching for a way not to hand out the e-mail address and password of my AWS account. IAM turns out to be pretty easy to use:

1. You add a group in which you define the rights. Here you can select one or more of the default policies (Administrator full access, Read only, EC2 full access, EC2 read only, etc.) or write a custom policy by adding the rules yourself on the custom policy page. I selected the default EC2 full access, which looks like this:

{
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    }
  ]
}

Note that every statement has "Resource": "*", so members of this group get full control over every EC2, ELB, CloudWatch and Auto Scaling resource in the account, but nothing outside those four services (no S3, no IAM). If that is more than a user needs, narrow the Action list or the Resource ARNs in a custom policy instead.

2. Once the group is defined, the next step is to add users to it. When a user is created, an Access Key ID and Secret Access Key are generated for it (these are for API and command-line tool access); you also set a password for the new account, which is what the user will type into the console. The secret key is only shown at creation time, so store it somewhere safe; if it is lost, generate a new one and delete the old one.

3. The final step is to test it by signing in at a URL like https://xxxxxxxxx.signin.aws.amazon.com/console, where xxxxxxxxx is your AWS account ID (you find it on your “Security credentials” page). Sign in with the IAM user name and the password from step 2, not with the account's e-mail address; that is the whole point of the exercise.
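To see what the EC2 full access policy from step 1 actually grants, here is a small evaluator, added for this post (it is not AWS code and not the real IAM decision engine). It implements only the rules needed to read a policy like the one above: everything is denied unless a statement allows it, an explicit Deny beats any Allow, and "*" and "?" are wildcards in Action and Resource, with action names compared case-insensitively. NotAction, NotResource, Principal and Condition are not handled because the policy above uses none of them. The ARNs, the account ID 123456789012 and the tightened "no destroy" variant are constructed for the example; the requests list also shows that a member of this group cannot upload to S3, which matters if the same user is meant to run ec2-upload-bundle later.

```python
"""Evaluate what an IAM policy document grants (added example, not AWS code)."""
import json
import re
from typing import Dict, List, Tuple

Policy = Dict[str, object]

# The group policy from the text (EC2 full access), verbatim.
EC2_FULL_ACCESS: Policy = json.loads("""
{
  "Statement": [
    {"Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "autoscaling:*", "Resource": "*"}
  ]
}
""")

# Constructed variant: same access, but members may not destroy instances or
# volumes.  The Deny wins even though "ec2:*" is still allowed by the first statement.
EC2_NO_DESTROY: Policy = {
    "Statement": EC2_FULL_ACCESS["Statement"] + [
        {"Effect": "Deny",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"],
         "Resource": "*"}
    ]
}


def _as_list(value) -> list:
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM pattern match: '*' is any run of characters, '?' one character.

    re.escape neutralises everything else, so ':' '/' '.' in ARNs are literal.
    """
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy: Policy, action: str, resource: str) -> bool:
    """Decide one (action, resource) request against one policy document."""
    allowed = False  # implicit deny until some statement allows the request
    for stmt in _as_list(policy["Statement"]):
        if not any(_wildcard_match(p, action, True) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wildcard_match(p, resource, False) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny is final, whatever other statements allow
        allowed = True
    return allowed


def audit(policy: Policy, requests: List[Tuple[str, str]]) -> Dict[str, bool]:
    """Map 'action on resource' -> decision for a batch of requests."""
    return {f"{a} on {r}": is_allowed(policy, a, r) for a, r in requests}


# Constructed requests: what a member of the group can and cannot do.
REQUESTS = [
    ("ec2:DescribeInstances", "*"),
    ("EC2:TerminateInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"),
    ("elasticloadbalancing:DeleteLoadBalancer", "*"),
    ("s3:PutObject", "arn:aws:s3:::my-ami-bucket/image.manifest.xml"),  # ec2-upload-bundle needs this
    ("iam:CreateUser", "arn:aws:iam::123456789012:user/newuser"),
]

if __name__ == "__main__":
    for name, pol in (("EC2 full access", EC2_FULL_ACCESS), ("no destroy", EC2_NO_DESTROY)):
        print(name)
        for req, ok in audit(pol, REQUESTS).items():
            print(f"  {'ALLOW' if ok else 'deny '}  {req}")
```

Running it prints ALLOW for the EC2 and ELB requests and deny for the S3 and IAM ones under the group policy; under the constructed variant, TerminateInstances flips to deny while the rest is unchanged, which is the explicit-deny rule at work.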

 

Using Passive FTP on Amazon EC2

Installing proftpd on an Amazon EC2 instance is not rocket science, but after installing it you need to configure it correctly. The Ethernet interface of an EC2 instance carries only a private (internal) IP address; the public or Elastic IP is mapped onto it by NAT. In passive FTP the server tells the client which address and port to connect to for the data connection, and by default proftpd advertises the address of its own interface, i.e. the private one, which clients on the Internet cannot reach. So proftpd has to be told to advertise the Elastic IP instead, and to use a fixed range of passive ports that you can open in the security group.

First, allocate an Elastic IP address and associate it with your instance. This is the address that will be shown to the world.

The second step is to configure the firewall for that instance: go to the “Security group” assigned to the instance and add the following rules:

* Connection Method: Custom
* Protocol: TCP
* From Port: 20
* To Port: 21
* Source (IP or group): 0.0.0.0/0 (that is, if you want the whole Internet to reach your FTP server; otherwise replace this with the IP address or range that should have access. Remember that plain FTP sends user names, passwords and file contents in cleartext, so restrict the source wherever you can.)

We need another rule for the passive data ports that proftpd will use (port 20 above is only the source port of active-mode data connections, which leave the server outbound; inbound it is harmless but unused once you are on passive mode):

* Connection Method: Custom
* Protocol: TCP
* From Port: 49152
* To Port: 65535
* Source (IP or group): 0.0.0.0/0 (or the same restricted source as in the first rule; the control and data rules must admit the same clients, otherwise logins succeed and every listing or transfer hangs)

Now log in to the machine and edit /etc/proftpd/proftpd.conf, adding the following lines (the PassivePorts range must be exactly the one you opened in the security group):

PassivePorts 49152 65535

MasqueradeAddress your_elastic_ip_address

Restart proftpd and enjoy:

/etc/init.d/proftpd restart

For vsftpd the configuration is slightly different. Edit vsftpd.conf and make sure it contains these lines:

pasv_min_port=1024
pasv_max_port=1080
pasv_address=your_elastic_ip_address

The range 1024-1080 (or whatever range you pick; each open data connection occupies one port, so 1024-1080 allows at most 57 concurrent transfers) must be added to the security group, the same way we did for proftpd. Then run: /etc/init.d/vsftpd restart
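A quick way to verify either daemon's configuration is to look at what the server answers to PASV. Here is a checker added for this post (not part of the original, and not proftpd or vsftpd code): in passive mode the server replies "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and the client connects to h1.h2.h3.h4 on port p1*256+p2. If MasqueradeAddress or pasv_address is missing, the reply carries the instance's RFC 1918 interface address that nobody outside can reach; if the port lies outside the range opened in the security group, the data connection fails just the same. The two replies below are constructed; ELASTIC_IP (an RFC 5737 documentation address used as a placeholder) and the port ranges are assumptions taken from the text. Running it prints the findings for both replies; the check_live function does the same against a real server, assuming an anonymous or test account, but is not executed here because it needs network access.

```python
"""Check what an FTP server on EC2 advertises in its 227 passive-mode reply.

Added example, not part of the original post and not proftpd/vsftpd code.
"""
import ipaddress
import re
from ftplib import FTP
from typing import List, Tuple

ELASTIC_IP = "203.0.113.10"        # assumed placeholder; substitute your Elastic IP
PROFTPD_RANGE = (49152, 65535)     # PassivePorts range from the text
VSFTPD_RANGE = (1024, 1080)        # pasv_min_port / pasv_max_port from the text

# EC2 instances get an RFC 1918 address on their interface; that is what leaks
# into the 227 reply when no masquerade address is configured.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_227(reply: str) -> Tuple[str, int]:
    """Parse an RFC 959 227 reply into (ip, port); ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in {reply!r}")
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError(f"octet out of range in {reply!r}")
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def check_pasv_reply(reply: str, expected_ip: str = ELASTIC_IP,
                     port_range: Tuple[int, int] = PROFTPD_RANGE) -> List[str]:
    """Return the problems with the advertised data endpoint (empty list = OK)."""
    ip, port = parse_227(reply)
    problems = []
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        problems.append(f"advertises private address {ip}: "
                        "MasqueradeAddress / pasv_address is not set")
    if ip != expected_ip:
        problems.append(f"advertises {ip}, expected Elastic IP {expected_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the security-group range {lo}-{hi}")
    return problems


def check_live(host: str, expected_ip: str, port_range: Tuple[int, int],
               user: str = "anonymous", passwd: str = "anon@",
               timeout: float = 10.0) -> List[str]:
    """Log in to a real server, send PASV and check the reply (needs network)."""
    with FTP() as ftp:
        ftp.connect(host, 21, timeout=timeout)
        ftp.login(user, passwd)
        reply = ftp.sendcmd("PASV")
    return check_pasv_reply(reply, expected_ip, port_range)


# Constructed replies: a proftpd without MasqueradeAddress leaking its private
# interface address on port 19*256+137 = 5001, and a correctly masqueraded one
# advertising the Elastic IP on port 192*256+0 = 49152.
LEAKY_REPLY = "227 Entering Passive Mode (10,0,1,25,19,137)"
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,192,0)"

if __name__ == "__main__":
    for reply in (LEAKY_REPLY, GOOD_REPLY):
        print(reply, "->", check_pasv_reply(reply) or "OK")
```

For vsftpd pass VSFTPD_RANGE as port_range: the same GOOD_REPLY is then flagged, because port 49152 is outside 1024-1080, which is exactly the mismatch between daemon configuration and security group that leaves clients hanging after login.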

Clone an EC2 instance

These days Amazon sent me an e-mail saying that an instance I am using is on a server that is failing. To clone it I had to:

1. Install the EC2 tools on the failing instance: the API tools from http://s3.amazonaws.com/ec2-downloads/ec2-api-tools.zip, plus the AMI tools (ec2-ami-tools), which are a separate package and provide the ec2-bundle-vol and ec2-upload-bundle commands used in steps 5 and 6
2. Install Java from http://javadl.sun.com/webapps/download/AutoDL?BundleId=39484, which the API tools need (I am using a small instance)
3. Add the following to .bashrc:

export EC2_HOME=~/ec2
export PATH=$PATH:$EC2_HOME/bin
export EC2_PRIVATE_KEY=$EC2_HOME/pk.pem
export EC2_CERT=$EC2_HOME/cert.pem
export JAVA_HOME=/usr

Then reload it:

source /root/.bashrc

4. Create a directory for the bundled files (/mnt/myimage in my case). /mnt is a good choice: it is the instance's ephemeral storage, so there is room for a 2 GB image, and ec2-bundle-vol excludes /mnt from the image by default, so the bundle does not end up inside itself
5. Bundle the running instance's root volume using:

ec2-bundle-vol --cert ec2/cert.pem --privatekey ec2/pk.pem -s 2048 -u Your_AWS_Account_ID -d /mnt/myimage/

-u : your AWS account ID, taken from the AWS Security Credentials page, e.g. 1234-5678-9012-3456. Leave out the “-” when passing it (123456789012)
-s : size of the image in MB (2048 = 2 GB); it has to be large enough to hold the contents of the root volume, so check with df first
-d : the directory from step 4

6. Upload the bundle to S3 using:

ec2-upload-bundle -a access_key -s secret_key -b bucket_name --manifest /mnt/myimage/image.manifest.xml

-a : access key from the Security Credentials page (better: the key of an IAM user that only has rights on this bucket, rather than the account's root key)
-s : the matching secret key. Passed on the command line like this it ends up in the shell history and is visible in ps for the duration of the upload, so rotate it afterwards if the machine is shared
-b : bucket name
--manifest : path to the manifest file written by step 5

7. Register the AMI: in the AWS EC2 console go to AMIs -> Register new AMI and enter:
bucket_name/image.manifest.xml
8. Launch a new EC2 instance from the newly registered AMI

Note that you will also need the pk.pem and cert.pem files (the X.509 private key and certificate from the Security Credentials page) on the instance for step 5. pk.pem is a secret: copy it over a secure channel and remove it once the bundle is made. ec2-bundle-vol leaves files that look like private keys (*.pem, id_rsa and similar) and shell history out of the image by default, but everything else on the root volume, including application configuration that contains passwords, is copied into the AMI and will sit in the S3 bucket, so keep that bucket private.