
AWS practitioner & SysOps essentials Cheat Sheet by datamansam

Key AWS services for System Operations

EC2 Storage types

Instance / Ephemeral Storage
Attached to the physical host running an instance
Elastic Block Store / EBS
Attached over the network

Preferable to instance storage in nearly all usage scenarios

One can create a snapshot from an EBS volume.

Once you have created a snapshot, you can then create additional EBS volumes that are identical copies of the source snapshot. You could, for example, create a snapshot containing your database backups.

EBS volumes can persist after the instance has been terminated
EBS advantages:
EBS volumes are clearly preferable except in a few cases, such as when you need fast temporary storage for data that can be safely discarded.
Multiple volumes (of either type) can be attached to an instance

AWS EC2 Instance Types

Different combinations of CPU, memory, network bandwidth and even custom hardware differentiate AWS instance types.
General Purpose Instances
Balance computing, memory, and networking resources.
Compute Optimized Instances
Good for high-performance application servers, gaming servers, and web applications.
Memory Optimized Instances
To quickly deliver large dataset workloads
Accelerated Computing Instances
Boost data processing for graphics applications and streaming.
Storage Optimized Instances
For large datasets on local storage:
- Large file systems
- Data warehouses
- Online transaction systems
Selecting the right instance type:
Drive the CPU to 100% using your application's load generator of choice. Now examine memory use: if you observe the instance running out of memory before the CPU is at full throttle, switch to a higher-memory instance type. Continue this process until you achieve a reasonable balance.

Amazon EC2 pricing

On-Demand
Short-term, irregular workloads that cannot be interrupted
Savings Plans
Reduce your compute costs by committing to a consistent amount of compute usage for a 1-year or 3-year term.
Reserved Instances
Billing discount applied to the use of On-Demand Instances in your account for a 1-year or 3-year term
Spot Instances
Ideal for workloads with flexible start and end times
Dedicated Hosts
Physical servers with Amazon EC2 instance capacity that is fully dedicated to your use.

Purchasing EC2 Instances

On-demand:
Allocated by the hour and requiring no upfront commitment
Reserved:
Represent a pre-paid commitment on the part of a customer which is usually rewarded by AWS with very steep discounts, up to 75% of on-demand pricing.
Spot:
Require no upfront commitment, and their pricing fluctuates according to the supply and demand of compute capacity.

Working with instances in the console

# Describe all of your own images in the US East region
aws ec2 describe-images --owners self --region us-east-1
# List the AMIs that have a specific set of key/value tags
aws ec2 describe-images --owners self --filters Name=tag:role,Values=webserver Name=tag:environment,Values=production
# Basic invocation to create instances
aws ec2 run-instances --image-id ami-6d060707
# Check the status of an instance (aws ec2 describe-instances shows much more detail)
aws ec2 describe-instance-status --instance-ids i-64a8a6fe --region us-east-1 --output text

AWS elastic compute workflow

1. Launch
a) Select a template with basic configs
b) Specify security settings to control traffic in and out of the instance
2. Connect
Users log in and access the computer desktop
3. Begin use
Run commands to:
a) Install software
b) Add storage
c) Copy and organise files

EC2 Networking

Launching an instance with the default networking configuration will give you an instance with a public IP address
Simple config:
Many applications will require nothing more complicated than enabling SSH or HTTP access
More sophisticated config:
Amazon offers more-advanced solutions that can, for example, give you a secure VPN connection from your datacenter to a Virtual Private Cloud (VPC) within EC2.
VPC:
A network dedicated to your account, isolated from other networks in AWS, and completely under your control.

You can create subnets and gateways, configure routing, select IP address ranges and define its security perimeter

Amazon makes a distinction between traffic destined for the public Internet and traffic that will remain on the internal EC2 network

Networking - Payload

Routing requires:
Address of sender
Payload or contents
Address of recipient
IP addresses:
Unique to each computer, binary
IPv4 notation -
Usually binary IP are c

Introducing EC2

EC2:
Allows customers to rent computing resources by the hour in the form of virtual machines (known as instances) that run a wide range of operating systems.
Customisation:
Instances can be customized by the user to run any software applications supported by their operating system of choice.

DB instances

Standard
Memory Optimised
Burstable performance

Introducing CloudFormation

A stack:
A collection of AWS resources that you can manage as a single unit.

You can create, update, or delete a collection of resources by creating, updating, or deleting stacks.
Creating stacks:
aws cloudformation create-stack --template-body file://example-stack.json \
    --stack-name example-stack
Inspecting stacks:
$ aws cloudformation describe-stack-events --stack-name example-stack \
    --output text

$ aws cloudformation describe-stack-resources --stack-name example-stack \
    --output text
Updating stacks:
1. Update the stack.json file
2. Update the running stack with aws cloudformation update-stack
3. View progress with aws cloudformation describe-stack-events
Ensuring the local copy of a stack matches the running version:
- Get a JSON file with the running template, cleaning the output:
aws cloudformation get-template --stack-name example-stack
- Use diff to compare the local and remote versions
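The local-versus-running comparison above, as an added Python example that is not part of the sheet: get-template returns a JSON template body already parsed (key order lost, extra top-level keys such as StagesAvailable), so a raw diff is noisy; this walks both structures and reports only real differences. Both templates and the CLI output are constructed samples, with an out-of-band change that widened SSH access in the running stack.

```python
import json

# Constructed local template (example-stack.json): SSH on the web tier is only
# reachable from an assumed internal range.
LOCAL_TEMPLATE = """{
  "Resources": {"WebSG": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "GroupDescription": "web tier",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}}}
}"""

# Constructed stand-in for `aws cloudformation get-template --output json`: for a
# JSON template the CLI returns TemplateBody already parsed, so key order differs
# from the local file, which is why a plain diff of the raw output is noisy.
GET_TEMPLATE_OUTPUT = """{
  "TemplateBody": {"Resources": {"WebSG": {
    "Properties": {
      "SecurityGroupIngress": [
        {"CidrIp": "0.0.0.0/0", "FromPort": 22, "IpProtocol": "tcp", "ToPort": 22}],
      "GroupDescription": "web tier"},
    "Type": "AWS::EC2::SecurityGroup"}}},
  "StagesAvailable": ["Original", "Processed"]
}"""

def _walk(local, running, path, out):
    # Structural comparison: dict key order is ignored, list order is significant.
    if isinstance(local, dict) and isinstance(running, dict):
        for key in sorted(set(local) | set(running)):
            _walk(local.get(key), running.get(key), path + [key], out)
    elif isinstance(local, list) and isinstance(running, list) and len(local) == len(running):
        for i, (a, b) in enumerate(zip(local, running)):
            _walk(a, b, path + [str(i)], out)
    elif local != running:
        out.append(("/".join(path), local, running))

def template_drift(local_text, get_template_text):
    """Return [(path, local_value, running_value)] for each difference found."""
    running = json.loads(get_template_text)["TemplateBody"]
    if isinstance(running, str):  # YAML templates come back as a raw string
        raise ValueError("YAML template body: parse with a YAML loader before comparing")
    out = []
    _walk(json.loads(local_text), running, [], out)
    return out
```

A non-empty result means the running stack no longer matches what is under version control and should be reconciled before the next update-stack.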

Cost Optimization

The ability to run systems to deliver business value at the lowest price point
Govern usage:
Employing a checks-and-balances approach, you can innovate without overspending.
Monitor usage and cost:
Establish policies and procedures to monitor and appropriately allocate
Decommission resources:
Implement change control and resource management from project inception to end-of-life to shut down or terminate unused resources to reduce waste
Evaluate cost when you select services:
Building block AWS services:
Amazon EC2, Amazon EBS, and Amazon S3
Application level:
Amazon RDS and Amazon DynamoDB

Reduce or remove administrative tasks and operational overhead
Meet cost targets when selecting resources:
Think type, size and number
Plan for data transfer charges:
A small yet effective architectural change can drastically reduce operational costs
Cost Explorer:
View and track your usage in detail

Reserved Instance recommendations
Auto Scaling:
Match supply and demand

AWS Design Process

To identify any critical issues and areas that could be improved

Update answers as the architecture evolves

To facilitate meetings, provide:
• Print outs of any diagrams or design notes
• Action list of questions that require out-of-band research

Identity and Access Management

Identity and Access Management (IAM) is the name given to the suite of features that let you manage who and what can access AWS APIs using your account.
The idea behind IAM is to separate users and groups from the actions they need to perform. You do this by creating an IAM policy, which is a JSON-formatted document describing which actions a user can perform.
Amazon Resource Names / ARN:
A globally unique identifier that references AWS objects
ARN format:
arn:aws:service:region:account_ID:relative_ID
A permission:
A combination of two items: an action and one or more resources.

Actions are namespaced strings that take the form service_name:Permission. All EC2-related permissions are prefixed with ec2:, such as ec2:DeleteSnapshot.
Create a set of access credentials that are authorized to perform only the specific actions required by the script:
E.g. an IAM policy with just enough permissions to run the script that cleans old images and snapshots (the script itself makes four Boto function calls).
One can use the command-line tools to create a user and attach a new policy to it, using the iam-usercreate and iam-useraddpolicy commands.
Create a new user for this role, named ami-cleaner:
mike@ip-10-32-34-116:/tmp$ iam-usercreate -u ami-cleaner -k
AKIAINAK6ZGJNUAWVACA cjJvjs79Xj/kvrJkLFpRrMAIMAxEdQrJLGIQQD28

The -k option says that we want to create a new access key and secret for this user. These get printed to stdout. The first item is the access key ID, and the second is the secret access key. Store these somewhere safe, as we will need them later.
Create an IAM policy and attach it to the user:
mike@ip-10-32-34-116:/tmp$ iam-useraddpolicy -u ami-cleaner -p ami-cleaner -e Allow -r "*" -a ec2:DescribeImages -a ec2:DeleteSnapshot -a ec2:DeregisterImage

The -e and -r arguments state that we are creating an Allow policy that applies to all resources (the asterisk after the -r option). Finally, we specify a list of actions that will be allowed, each preceded by an -a flag. You can specify as many permissions as you need.
Referencing resources in IAM policies
The Resource attribute of an IAM policy lets you control exactly which resources an action can be performed on. In the previous example, the policy granted the user permissions to delete any EBS snapshot owned by this account. What if you want a more granular policy that applies only to a subset of resources?
ARNs are used to globally identify AWS resources. Used in IAM policies, they let you control exactly which resources are included when granting or denying permissions.
An IAM policy that allows users to perform any action on S3 buckets, with the exception of the one containing your backups. We do this by creating a policy containing two statements. The first grants the user all S3-related permissions, allowing them to be performed on any resource. The second statement denies all S3-related permissions, but only on the protected bucket (its bucket ARN and the objects inside it):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:*"],
      "Effect": "Allow",
      "Resource": ["*"]
    },
    {
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::db-backups",
        "arn:aws:s3:::db-backups/*"
      ]
    }
  ]
}
Next, create the policy using the command-line tools or Management Console. If using the Management Console, you can create the policy as follows:
1. Navigate to IAM Users.
2. Select an existing User or Group.
3. Click Attach User/Group Policy.
4. Select Custom Policy.
5. Paste the text into the Policy Document box.
Dynamic policies:
Conditions can be used to create dynamic IAM policies that behave differently, depending on one or more factors. The attributes of the request (such as the ARN of the requesting user or the source IP address) can be used in Boolean expressions to control whether a request should be allowed or denied.
Attributes on which you can base your conditions are as follows:
• Time of day
• Source IP address
• Whether the request is being made using HTTP or HTTPS
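Added Python example (not from the sheet) covering both the resource-scoped S3 policy above and the dynamic-policy conditions: a simplified evaluator applying the IAM rules those passages rely on, default deny, wildcard matching on Action and Resource ARNs, and any matching explicit Deny beating an Allow. The policy is constructed here: it is the sheet's Allow-all-S3 / Deny-db-backups pair with the object-level ARN added to the Deny (a bucket ARN alone does not cover the objects in it), plus a hypothetical NotIpAddress condition on aws:SourceIp, where 10.32.0.0/16 is an assumed trusted network.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed policy: the sheet's Allow-all-S3 / Deny-db-backups pair, with the
# object ARN added to the Deny, plus a hypothetical condition that refuses
# s3:DeleteObject unless the caller comes from an assumed trusted network.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::db-backups", "arn:aws:s3:::db-backups/*"]},
        {"Effect": "Deny", "Action": ["s3:DeleteObject"], "Resource": ["*"],
         "Condition": {"NotIpAddress": {"aws:SourceIp": "10.32.0.0/16"}}},
    ],
}

def _matches(patterns, value):
    # IAM treats * and ? as wildcards in both Action and Resource strings.
    # Simplification: real IAM matches action names case-insensitively.
    return any(fnmatchcase(value, p) for p in patterns)

def _condition_holds(cond, ctx):
    # Supports only IpAddress / NotIpAddress with a single CIDR per key.
    # A missing aws:SourceIp satisfies NotIpAddress, as negated operators do in IAM.
    for op, pairs in cond.items():
        for key, cidr in pairs.items():
            ip = ctx.get(key)
            inside = ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
            if (op == "IpAddress" and not inside) or (op == "NotIpAddress" and inside):
                return False
    return True

def evaluate(policy, action, resource, ctx=None):
    """Default deny; an Allow is needed, and any matching explicit Deny wins."""
    ctx = ctx or {}
    decision = "Deny"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny short-circuits every Allow
        decision = "Allow"
    return decision
```

Use the real IAM policy simulator for production decisions; this evaluator only models the precedence rules the sheet describes.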
Limitations of IAM policies
Some AWS resources do not use ARNs, and can therefore not be explicitly managed by IAM policies.
Because EC2 instances do not have ARNs, there is no way to reference a specific EC2 instance from an IAM policy

Whenever you refer to EC2 permissions in a policy, the resource will be *, which means it will apply to every instance owned by your AWS account.
IAM Users and Groups
A user can be assigned one or more IAM policies, which specify the actions the user is allowed to perform.
Users can be placed in groups. When an IAM policy is assigned to a group, all members of that group inherit the permissions designated by the IAM policy
IAM is a global AWS service, meaning it is not tied to any particular region. An IAM user will be able to access APIs in any region
Map AWS groups to specific roles within your organization, and apply the policy to the group instead
Amazon's CloudTrail service keeps track of the API calls made by users in your account. You can use this to review the full history of AWS API calls that have been made by your account, whether they came from the Management Console, CLI tools, or services like CloudFormation.