added details for ec2
parent
1ce5afd912
commit
5378eca051
@ -681,9 +681,123 @@ How to find a potentially interesting CloudFront assets domain

### EC2

Virtual machine service.
Deploy service instances of Virtual machines inside a VPC.
Deployment EC2 instances into 26 regions. Supports multiple OSs.
On-demand billing.

### Restore an Amazon Machine Image
#### Connect to an EC2 Instance

Connect to the instance using SSH, RDP, SSM, serial console or webconsole.
A keypair is needed to be owned to connect, for eaxmple EC2 Connect uses
temporary keys. Serial Console has be activated by the adminstrator and
the user which will be used to login needs a password set.

The URL scheme for EC2 Connect through the webconsole is the following.

```sh
https://console.aws.amazon.com/ec2/v2/connect/$USERNAME/$INSTANCE_ID
```

| Method | Network Access needed | Requires Agent | Requires IAM Permissions |
+--------+-----------------------+----------------+--------------------------+
| SSH/RDP | YES | NO | NO |
| Instance Connect | YES | YES (amazon linux 2) | NO |
| SSM Run Command | No | YES | YES |
| SSM Session Manager | NO | YES | YES |
| Serial Console | No | Password needed | NO |

Instance Connect and the SSM Session Manager can be used to reset the root
password via `sudo passwd root`. After that it is possible to connect to the
root user, e.g. using serial console or just use `sudo su root` or `su root` directly.

#### EC2 and IAM

EC2 instances can use nearly any other service provided by AWS.
There only needs to be access to the credentials. This is can be done through
the Instance MetaData Service (IMDS). The IMDS is available through HTTP on
IP address `169.254.169.254` inside every EC2 instance.

##### Request Credentials through IMDS

There are two versions of IMDS in place right now.
Regardless of the version a name of a role needs to be requested through the
IMDS using curl, which is then used to query the token for said role.

###### Query IMDSv1 Permissions

Query the name of the role via curl.

```sh
role_name=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/)
```

Through the knowledge of the role name we can request the credentials of that role.

```sh
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${role_name}
```

##### Query IMDSv2 Permissions

A token is needed to curl for the name of the role. This is done using curl.

```sh
TOKEN=$(curl -s -XPUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
```

The token is used to query the name of the role via curl.

```sh
role_name=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/)
```

Both, token and name of the role can then be used to request the credentials
via curl.

```sh
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/${role_name}
```

PS:
If you want to activate IMDSv2 an instance ID is needed to activate it through aws cli.

```sh
instance_id=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
region_name=<region_name>
aws ec2 modify-instance-metadata-options --instance-id $instance_id --https-tokens required --region $region_name
```

#### EC2 & Elastic Network Interface (ENI)

Every EC2 instance has at least one ENI to be made available on the network.
There is a security group bound to each ENI to limit communication to the EC2
instance. Such security contain for example which IP addresses can access the
instance, on which ports and which protocols can be used to access it.

List available ENIs through the webshell of the account.

```sh
aws ec2 describe-network-interfaces
```

#### EC2 & ELastic Block Storage (EBS)

An EC2 instance has EBS as its set block device, either SSD or HDD.

EBS storage is persistent, snapshots can be created.
In contrast to other storage solutions. These other, ephemeral storage
solutions can not be snapshotted.

Snapshots can be created from EBSs, which are stored in S3 buckets.
Snapshots can be encrypted through KMS and can be shared accross accounts.

Snapshots deliver a lot of useful content. List metadata of a snapshot via aws cli.

```sh
aws ec2 describe-snapshots --snapshot-ids <snap-id>
```

#### Restore an Amazon Machine Image

An EC2 VM can be created from an Amazon Machine Image,
that can be found in some S3 buckets.
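Review bot: the IMDSv2 enablement command at the end of the "PS:" block uses a flag the AWS CLI does not have: `aws ec2 modify-instance-metadata-options` takes `--http-tokens required` (the API parameter is `HttpTokens`), not `--https-tokens required`, so the command as written fails with an unrecognized-argument error; please change that line to `aws ec2 modify-instance-metadata-options --instance-id $instance_id --http-tokens required --region $region_name`. Two smaller points in the same hunk: the connection-methods table uses a `+--------+` separator row, which Markdown will not render as a table, so it should be a `|---|---|---|---|` row (and the YES/NO/No values could use one case); and the heading levels are inconsistent, since "Query IMDSv2 Permissions" is `#####` while "Query IMDSv1 Permissions" is `######`, and an empty `### Restore an Amazon Machine Image` sits just above "Connect to an EC2 Instance" while the actual section is the `####` heading at the end of the hunk, so the top one looks like a leftover. Both IMDS subsections retrieve credentials rather than permissions, so naming them "Query IMDSv1/IMDSv2 Credentials" would match the parent heading "Request Credentials through IMDS". Spelling: "eaxmple", "adminstrator", "has be activated", "This is can be done", "accross", "ELastic".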