How to connect RDS with AWS IAM authentication

A quick post listing step by step procedure to connect RDS database configured with IAM authentication.

We are considering RDS running MySQL and configured with AWS IAM authentication option throughout this post. However, if you are using a different database engine, consider editing commands/arguments whenever necessary.

Basically, we will be creating a local database user that leverages AWS IAM for authentication. Then EC2 will be configured with an IAM role or aws configure that has appropriate policies defined. And lastly, the user will generate an authentication token and log into the RDS database.

Why should we use IAM authentications for RDS?

Here is a list of reasons that are helpful to understand the benefits of the IAM authentications option for RDS.

IAM tokens used to log into the RDS database are valid for 15 minutes only. So they are more secure than permanent username/password pairs, and administrators don’t need to enforce/manage password reset policies.
IAM tokens are generated by making API calls to the AWS IAM service whenever needed. As a result, storing tokens is useless, and even if someone does, that does not pose a security threat due to its short life.
Applications can use EC2 instance profiles for generating tokens, so there is no need to store authentication information anywhere for applications to consume.

What you need?

You should be equipped with below inventory before hand –

RDS instance up and running configured with IAM DB authentication.
EC2 instance configured with AWS CLI (make sure SG allows the connectivity between EC2 and RDS on database port)
Master user login to RDS datatase
Access to AWS IAM service.

Creating user on database for the RDS access

For this step, you need to log in to the RDS database with the master user and create a new user. If you are on windows, you can use a lightweight tool like Sqlectron, or if you are already on EC2, you can use CLI as well –

For SQL CLI :

[root@kerneltalks ~]# mysql -h kerneltalks-rds.cn8uwrapea4b.us-east-1.rds.amazonaws.com -P 3306 -u admin -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 26
Server version: 8.0.20 Source distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> CREATE USER 'kt_iam_user' IDENTIFIED WITH AWSAuthenticationPlugin as 'RDS' REQUIRE SSL;
Query OK, 0 rows affected (0.01 sec)

Make necessary changes to username and RDS endpoint!

Create IAM role for RDS access

Navigate to AWS IAM
Create the IAM policy (sample policy below)
If you intend to use the EC2 instance profile, create an IAM role for AWS service EC2 and attach the IAM policy to it.
If you intend to use only IAM users, then make sure you configure your CLI with aws configure command by supplying access key ID and secret access key.
Make necessary changes to the resource section!

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
             "rds-db:connect"
         ],
         "Resource": [
             "arn:aws:rds-db:us-east-1:986532147:dbuser:db-kerneltalks-rds/kt_iam_user"
         ]
      }
   ]
}

Download the SSL root certificate available for all regions from S3 bucket. This certificate required while making RDS connection since we enforced SSL on the database user. This ensures data is encrypted in flight.

[root@kerneltalks ~]#  wget https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
--2021-07-03 14:44:12--  https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
Resolving s3.amazonaws.com (s3.amazonaws.com)... 52.216.205.189
Connecting to s3.amazonaws.com (s3.amazonaws.com)|52.216.205.189|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1456 (1.4K) [binary/octet-stream]
Saving to: ‘rds-ca-2019-root.pem’

100%[===================================================================================================================================>] 1,456       --.-K/s   in 0s      

2021-07-03 14:44:12 (81.2 MB/s) - ‘rds-ca-2019-root.pem’ saved [1456/1456]

Now your EC2 or IAM user is ready to access RDS.

Connect to RDS using IAM token

It’s time for you to generate an IAM token and connect to RDS. We will save the token in the Shell variable for easy management and pass that shell variable token into RDS connect command. If the downloaded certificate is not in the PWD then use the absolute path for the pem file.

[root@kerneltalks ~]# token=`aws rds generate-db-auth-token --hostname kerneltalks-rds.cn8uwrapea4b.us-east-1.rds.amazonaws.com  --port 3306 --region us-east-1 --usernam
e kt_iam_user`
[root@kerneltalks ~]# mysql -h kerneltalks-rds.cn8uwrapea4b.us-east-1.rds.amazonaws.com -P 3306 --ssl-ca=rds-ca-2019-root.pem -u kt_iam_user --password=$token --protocol
=tcp
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 59
Server version: 8.0.20 Source distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

And you are connected!

Here we have used IAM token as password to connect to RDS database! Make a note that, these generated tokens are good only for 15 minutes. If you are using connect command after 15 minutes you need to generate the token again.

Just for anote, token looks like this –

[root@kerneltalks ~]# echo $token
kerneltalks-rds.cn8uwrapea4b.us-east-1.rds.amazonaws.com:3306/
NXZG4BNZMCVY%2F20210703%2Fus-east-1%2Frds-db%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20210703T153110Z&X-Amz-Signature=04605698c01f3de6b2d7a7a48ddf28008d290795e11e
e4ac89587cbb3cdd9661

Understanding the authentication flow

For your understanding, lets see how authentication flows under the hood –

User runs the token generation command with database name, port, region and username for which token to be generated.
RDS sends back API token with 15 min lifespan. It requires your EC2 Instance role/IAM user to have rds connect permission. We covered this by defining IAM policy.
The user attempt to connect to RDS using the token acquired in the previous step.
A secure connection establishes, and the user logs in only if
- The root certificate is valid
- IAM permissions are in place and valid for db:connect
- Supplied username has RDS authentication set in the database
- The supplied token is generated for the same username, and currently, it’s not expired.
A user granted access and logs in. SQL prompt will be presented.

How to connect AWS RDS database from Windows

Leave a reply

A quick article for AWS beginners on connecting the AWS RDS database from Windows.

A step by step RDS database login procedure using the lightweight SQL client. This article is intended for AWS beginners who wanted to learn about RDS service with a little bit of database hands-on. Being said that, there is always a question for the non-DB guys; “How did I connect with this RDS database?”. So here we will walk you through step by step procedure for doing that.

For connecting to RDS database you should have –

RDS database up and running
RDS database endpoint
A SQL client
Connectivity between your machine and RDS database

Throughout this article, I am considering the MySQL database on RDS. If you are using a different database engine on RDS, then the connection port may vary. Also, we are considering ‘Password authentication’ of authentications options here –

Password authentication: RDS configured with this option has users managed at the database level.
AWS IAM database authentication: RDS configured with this option authenticates users by leveraging AWS IAM service. As a result, users are managed outside the database.

Let’s get started!

Identify RDS Endpoint

Navigate to the RDS console
Go to Databases and select your database
Database details screen should open up where you can copy your RDS endpoint.

Prepare SQL client

Download lightweight SQL client Sqlectron
Install and open the Sqlectron client.

Click on Add button to enter RDS connection details. We are testing RDS with ‘Password authentication’ here hence user and password needs to be supplied.

Click on Test to verify the connectivity.

If you encounter the below error, try to connect from a machine with direct connectivity to RDS. You can analyse RDS security groups to determine allowed subnets.

Verify below things –

There are no firewall rules between your machine and RDS blocking the port 3306 traffic.
RDS database is publicly accessible. (Obv. It applies to testing POC databases). If not, you can configure RDS to be publicly accessible.
If you don’t want your RDS to be publicly accessible, you need to connect RDS from the allowed subnets. That means your machine needs to be in the same VPC as RDS (e.g. Windows EC2 in the same VPC)

How to make RDS publicly accessible

Not recommended for production RDS instances or RDS carrying sensitive data.

Navigate to RDS console and respective database
Select Modify from the action menu for that particular database
Goto Connectivity section and expand Additional configuration
Here choose the radio button against Publicly accessible and Apply the changes

RDS connection using ‘Password authentication’ via SQL client

Once you sort out RDS connectivity issues, go back to the SQL client and try Test again. Now you should be able to succeed.

Now, click on Save to save this configuration in SQL client. And then hit Connect to connect to your RDS database.

After connecting, you can see schema on the left-hand side and a command box on the right-hand side to execute commands on the database.

Command outputs or messages will be shown in the blank space below the command text area. You will be able to download outputs in JSON, CSV format or even copy them directly.

That’s all! You can use this light weight SQL client to get started with RDS immediately.

Preparing for Hashicorp Certified Terraform Associate Exam

Leave a reply

A quick article that helps you preparing for Hashicorp Certified Terraform Associate Exam

In this quick post, I would like to share some of the resources that help you clear the terraform associate exam. Feel free to add resources you know in the comments section, which may help fellow readers.

The terraform associate exam is designed to test the candidate’s readiness towards IaC, i.e. Infrastructure as code. IaC concepts, terraform CLI hands-on (a lot of it) and knowledge on terraform’s paid offerings through Cloud or Enterprise should get you through this exam. It’s a practitioner level exam, so it shouldn’t be hard to beat if you have IaC and cloud background.

You must have researched already about the exam on its official page, but here are quick facts for your reference.

Approx 57-60 questions
Duration 1 hour
Validity: 2 years
Cost: 70.50 USD plus local taxes
Type: Multiple choice
It’s online proctored
Official study guide
Sample questions

Topics to study

I suggest you have good hands-on with terraform CLI before taking this exam. It will help you cover the majority of topics, and you don’t have to learn them during preparation. That leaves you with minimal topics to prepare for actual certification.

Hashicorp’s study guide is the best resource to follow along for preparation. Let me quickly list down a couple of topics you should not miss during preparation –

IaC concepts
- Traditional infra provisioning v/s IaC
Terraform basic workflow
- Write, plan and apply.
Different types of blocks in terraform code
Terraform CLI commands (a huge list of them!)
Terraform Modules, functions, state files
- At least go through all functions once.
- Lots of hands-on to understand how modules works
- State management (a big topic!)
Debugging and variables
- Different ways to handle variables
- Debugging levels, ways to set them, logging in files
Detailed understanding of Terraform cloud and enterprise
- Free and paid offerings in each type
- Sentinal, workspaces, remote runs etc. understanding
- Clustering, OS availability in each type

Resources for preparation

Assorted list of online resources you can leverage to follow along your preparation journey.

Official study guide
HashiCorp Certified Terraform Associate by A Cloud Guru
Learning terraform by Linkedin Learning
Terraform study guide by Ned Bellavance

I am linking here my own last day revision notes as well that I prepared during my certification preparation.

Practice tests

Here is a list of practice tests you can take online before going in for an actual exam. It will test the understanding of your topic and concretes your decision for exam booking.

HashiCorp Certified: Terraform Associate Practice Exam 2021 on Udemy (Check coupons on author’s Github here. I missed grabbing one 🙁 )
HashiCorp Certified Terraform Associate by Whizlabs. There is a small free test available too.
250 Practice Questions For Terraform Associate Certification on Medium. This list covers a lot of ground.

That’s all I have to share. All the best!

How to create atomic counter in AWS DynamoDB with AWS CLI

Leave a reply

A step by step procedure to create and update atomic counter in AWS DynamoDB table.

First of all, we will see what is atomic counter and why do we need it. We will also check why DybamoDB is chosen in this use case.

What is atomic counter?

Often it would help if you tracked some numerical like website visits, which are incremental in nature. Such counters need to be stored in a centralized place, and the update should be atomic. Atomic means one request executes without interfering with another request. i.e. concurrent updates do not clash with each other and so no data lost in the process. Since everyone is leveraging temporary infrastructure like EC2 getting replaced by Auto Scaling groups or containers, storing such counter locally is not a good idea. So to get central storage, DDB is the best choice since it’s an ultra-fast, single-digit milliseconds latency, NoSQL database. Perfect for the atomic operation of scaling infra/traffic.

Now let’s get into the process of creating this counter and updating it.

Creating DynamoDB table for the counter

Login to DDB console
Click on Create table
Enter Table Name
Enter Primary Key (Partition Key)
We don’t need a sort key here since our table will carry only one counter value. Keep the rest of the settings default and click Create

You can use below Cloudformation resource block to create a DDB table:

Type: AWS::DynamoDB::Table
    Properties:
      TableName: kerneltalks-counter
      AttributeDefinitions: 
        - AttributeName: ID
          AttributeType: S
      KeySchema: 
        - AttributeName: ID
          KeyType: HASH

Make sure you change the TableName to your choice. You can also explorer other properties supported by DDB in CloudFormation.

Preparing DynamoDB table for counter updates

Now, you will be presented with newly created table details.

Goto Items tab and click Create item

Add attributes in item as mentioned below :

Click on Save. Now your DDB table is ready for updating the counter

DDB table creation can be done via AWS CLI as well using the below command:

$ aws dynamodb put-item --table-name kerneltalks-counter --item '{"ID": { "S": "Counter" }, "TotalCount": { "N": "0" }}'

Updating counter in DDB table

Now you can use below AWS CLI command below to update the counter! Every time you run the command, it will update the counter by 1. You can code it in your application at the appropriate place to run this command/API call to update the counter.

$ aws dynamodb update-item --table-name kerneltalks-counter --key '{"ID": { "S": "Counter" }}' --update-expression "SET TotalCount = TotalCount + :incr" --expression-attribute-values '{":incr":{"N":"1"}}' --return-values UPDATED_NEW
{
    "Attributes": {
        "TotalCount": {
            "N": "1"
        }
    }
}

The command should return with the updated attribute in JSON format. You can format it to text for easy usability in code.

$ aws dynamodb update-item --table-name kerneltalks-counter --key '{"ID": { "S": "Counter" }}' --update-expression "SET TotalCount = TotalCount + :incr" --expression-attribute-values '{":incr":{"N":"1"}}' --return-values UPDATED_NEW --output text
TOTALCOUNT      2

The same can be verified in the console.

That’s all! Now you have a counter in DDB which can be updated from different sources using API calls.

How to add Capacity Providers in the existing ECS Cluster?

Leave a reply

A quick post on how to add Capacity Providers in ECS clusters.

In our last article, we walked you through the basics of Capacity Providers. In this article, let’s create them to test their functionalities. You can create Capacity Providers and add them to the running ECS cluster without touching anything in the cluster.

Creating EC2 type Capacity Providers

Steps:

Make sure you are running EC2 backed ECS Cluster.
Create new ASG using same launch template/configuration as existing ASG
Create Capacity Provider
Update cluster with newly created Capacity Provider.

For creating EC2 type Capacity Providers, you should use the new ASG. AWS does not recommend re-using the same ASG which is configured in ECS Cluster. You can use the same Launch template or Launch configuration and create a new ASG to be used by Capacity Providers. It makes it easy for Capacity Providers to keep track of EC2 instances instantiated by them.

While creating new ASG make sure –

Desired and minimum capacity is set to zero.
Maximum capacity is set to a non-zero number.
Enable instance scale-in protection. So that scale in action does not terminate EC2s running tasks.

Once ASG is ready, head back to the ECS cluster dashboard and click on Cluster name. On a cluster detail page, you should see a tab named Capacity Providers. Click on it and then click on Create button.

You should be presented with the Capacity Provider configuration page. Here you can specify –

Capacity provider name: Identifier
Auto Scaling group: Select newly created ASG from the dropdown.
Managed scaling: Enabled so that capacity providers can manage both scales in and scale-out.
Target capacity %: It defines how much capacity you want to be used for the task’s compute requirements. I chose 100% that means I don’t want the capacity providers to maintain any spare capacity for upcoming tasks. For example, if you specify 70%, then the capacity provider maintains 30% capacity spare so that any new upcoming tasks can directly be placed here and don’t need to wait in a PROVISIONING state for long. For optimum billing experience, 100% should be good enough.
Managed termination protection: Enabled. It prevents ASG from terminating any instance running at least one task on it during scale-in action. Your ASG should have instance scale-in protection enabled for it.

Click on Create button to create your capacity provider. You should be able to see the capacity provider on the cluster details page now.

Now, it’s time to add this capacity provider to the ECS cluster.

You can create multiple capacity providers with different ASGs so that you can leverage different instance types. And they all should be listed here as well. For the sake of this article, I am moving ahead with a single capacity provider.

Click on the Update cluster button on the Cluster details page. On the update page, capacity providers can be added/removed to the cluster.

Select a capacity provider from the dropdown and click on the Update button. If you have multiple capacity providers, then add them by clicking Add, another provider.

When adding more than one capacity provider, you need to specify Base and Weight values for each capacity provider.

You should see the above message confirming capacity provider addition is successful!

Creating FARGATE capacity providers

Well, you cant create them technically! FARGATE capacity providers are readily available in FARGATE clusters. You need to associate them with the cluster.

When you create an ECS cluster backed by FARGATE, you can see FARGATE and FARGE_SPOT types of capacity providers already available in the cluster.

You can add them to the cluster by the same Update cluster process explained above.

Adding FARGATE capacity provider to cluster

Adding FARGATE capacity providers to existing cluster

If you have an existing FARGATE ECS Cluster, you need to use AWS CLI or API calls to update it with the FARGATE capacity providers.

You need to use the put-cluster-capacity-providers switch—more details on AWS documentation here. Since I don’t have any existing FARGATE cluster, I can not demonstrate it here.

Now, your cluster is updated with capacity providers and ready to run tasks on a complete auto-scaled ECS cluster!

Amazon ECS Capacity Providers Overview

Leave a reply

A quick rundown at Amazon ECS Capacity Providers

We have seen the Amazon ECS service in detail under a couple of previous articles. In this article, we will be discussing the Capacity Provider feature of the ECS service.

What are the Capacity Providers?

As you must be aware, Amazon ECS Clusters leverage EC2 or Fargate compute in the backend to run the container tasks. Before CPs, ECS was conceptualized as infrastructure first! That means you need to have infra ready before you can run the tasks. If you see the ECS’s functioning, you have to create ASG, run the desired count of instances in ASG, and then run the tasks in ECS.

With the concept of Application first, Capacity Providers came into existence. CPs are managers of infrastructure. Basically, they are providing and managing the compute capacity for running tasks in the cluster. So, you need not run instances before running tasks. You can run the tasks even if there is no infra provisioned in the cluster and when CPs detects tasks are awaiting compute to run, they will provision compute (EC2/Fargate). They work in both ways: scale out and scale in.

CPs responds to the service/application’s requirement and mange compute capacity automatically.

Types of Capacity Providers

There are two types of capacity providers offered –

For ECS using EC2:
- A capacity provider will be a logical entity grouping ASG of EC2 and setting for managed scaling, termination protection.
- It is recommended to create a new ASG to use in this capacity provider. You may use the same launch config/template from the existing ECS ASG.
For ECS using FARGATE:
1. Amazon offers FARGATE and FARGATE_SPOT capacity providers.
2. There are reserved and can not be created or deleted. You can directly associate them with your cluster.

Why should I move from Launch type to Capacity Providers?

All this capacity provider hype leaves many of us to the very question. Why? So let me jot down few reasons why you should consider moving to capacity providers than using launch types.

Out of the box autoscaling for both scale-in and scale-out actions. So, you don’t have to engineer it using the CloudWatch matrix!
You can start a cluster without provisioning any instances beforehand (desired capacity set to 0 in ASG)
Capacity will be made available to tasks when you run them by scaling out ASG. This makes sure AWS bills are light on your pocket.
Scale-out compute when your application takes the load and automatically scales in when load flattens. Peace of mind from management and bills!
You can make use of FARGATE_SPOT!
You can migrate existing ECS services to Capacity Providers without any downtime.

Downsides of Capacity Providers

There are few shorts in the capacity providers as well for now. They may improve in the future. A quick list as below –

CAP is not supported if you are using Classic Load Balancers for services in the ECS cluster.
CAP is not supported for blue/green deployment types for services.
The scale in duration is set to 15 minutes, and you can not customize it.
This leads to another issue: you should have EC2 idle for 15 minutes straight to get it nominated in scale-in action. Hence, scale in action is not aggressive and might not even happen in a crowded/spiking environment.
It also does not for fragmentation of tasks, i.e., grouping them in underutilized instances, which is another reason scale-in will not be aggressive. You can try binpack placement strategy, though, to mitigate this.
Once you update the service to use capacity providers, you can not update it to use EC2/previous launch type. You have to delete and re-create the service for that (includes downtime).
When using the capacity provider strategy, a maximum of 6 capacity providers can be provided.

That’s all for starters! We will see Capacity Providers in action in upcoming articles.

Using AWS Systems Manager Session Manager

Leave a reply

Learn how to use AWS Systems Manager’s Session Manager feature to access Linux EC2 instances.

AWS Systems Manager is a service offered by AWS to manage your instances in AWS and on-prem. Session Manager console lets you log into EC2 or on-prem instances using a browser-based shell or AWS CLI. This strikes out the need of managing bastion hosts, open ports in security groups or manage SSH keys. Session manager connects to instances using IAM roles. It also allows you to save fully auditable logs in CloudWatch logs stream or S3 bucket for every session you run.

Without further delay, let’s dive into Session Manager.

Pre-requisite

Instance running SSM agent
IAM role attached to the instance with proper permissions
S3 bucket for saving logs (optional)
CloudWatch log group to stream session logs (optional)

Lets go through all the pre-requisites one by one –

SSM agent

AWS Systems Manager Agent, i.e., SSM agent, is the small software installed and configured on instance so that AWS Systems Manager can communicate and execute the tasks on instances remotely. Agent receives requests from AWS systems Manager and executes them on an instance with administrative privileges.

SSM agent is open-sourced on GitHub. It is preinstalled on selected AMIs like Amazon Linux, Ubuntu server 16, 18 & 20, Windows Server 2016 and 2019. The complete list can be found on the Amazon documentation portal.

On the Linux server, you can verify agent installed or not using the below command –

[root@ip-172-31-44-63 ~]# rpm -qa |grep -i ssm-agent
amazon-ssm-agent-3.0.161.0-1.amzn2.x86_64

If not, you can follow the agent installation instructions to install the same. Instructions vary for different platforms and regions.

IAM role for AWS Systems Manager

EC2 instance to be used under AWS systems manager should be attached with the IAM role with AWS Managed policy AmazonSSMManagedInstanceCore attached to it. You can drill down and have a custom policy in place as per the scenario, but this is best to start.

Depending on which below 2 logging options you choose, those extra access rules to be added to the role.

S3 bucket for logs

Create the S3 bucket with standard procedure and keep it ready. You can select it under the session manager’s preferences later. Session logs will be stored in this S3 bucket, which you can refer to for debugging and troubleshooting.

Ensure appropriate access rules in the EC2 instance role to enable writing logs to the S3 bucket.

CloudWatch Log group

You can also upload/stream session logs to the CloudWatch log group. Uploading logs happens at the end of the session while streaming is on the go. Streaming logs are recommended.

Ensure appropriate access rules in the EC2 instance role to enable writing logs to the CloudWatch Log group.

Setting preferences

Once all the above pre-requisite is ready, proceed with setting the preferences for the session manager.

Login to session manager console
Click on Configure Preferences button on the right side introduction page.
Configure settings as per your requirement –

General Preferences
- Idle session timeout: Duration for which session can be idle before ending. (Range 0-60 mins)
- KMS encryption: For encrypted communication from EC2 to the user’s machine.
- Specify Operating System user for sessions: Launch sessions with other OS accounts than the default ssm-user account.

CloudWatch logging
- Enable/Disable
- Choose logging options:
  - Stream session logs: Recommended. Logs will be streamed to the CloudWatch log group throughout the session.
  - Upload session logs: Logs will be uploaded to the CloudWatch log group at the end of the session.
- Enforce encryption: Encryption for added security.
- CloudWatch log group: Select the pre-created log group.

S3 logging
- Enable/disable.
- Enforce encryption: Make sure only encrypted S3 bucket can be selected for delivery.
- Choose S3 bucket: Select pre-created S3 bucket for session log delivery.
- S3 Key prefix: For creating a hierarchical structure within the S3 bucket.

Linux shell profile
- Add environmental variables, commands to be executed once a session starts. I added one variable for the test here.

Click Save button to save the preferences.

Running Linux EC2 session

Login to Session manager dashboard
Click on the Start session button.
You should be presented with a list of EC2 instances on which the session can be started.

Select the appropriate instance and click on the Start session button
You may see the below message. In that case, it’s best to update the agent

The SSM Agent version installed on this instance doesn't support streaming logs to CloudWatch. Either update the SSM Agent to the latest version, or disable the streaming logs option in your preferences.

Server session should be started in new window.

There are few things you can verify here –

The variable we defined in the Linux shell profile is exported at the start of the session.
the session will be started with user ssm-user
ssm-user has passwordless sudo access to the root account.

On logging front, there should be logs created in S3 and CloudWatch.

You can view the contents of this log file. It contains all the session output as-is. Commands entered, and their outputs are shown during the session.

If you look closely, its using Linux tool script to log a session output!

Also, new logs can be found in CloudWatch.

Log events in log stream under CloudWatch

On opening each log event in the log stream, you can see each command entered in the session and output it returned.

Here the sessionData key shows the command and its output from the session!

Once you are done working, you can use either exit shell as you normally use exit or cntl+D, or click the Terminate button in the web browser shell window.

Creating first AWS Lambda function

Leave a reply

A quick article explaining all available options for creating a new AWS Lambda function and how to run it.

AWS Lambda is a compute service offered by AWS. It is treated as a serverless compute since the end-user did not have to worry about providing and maintaining the back-end infrastructure. Without further delay, let’s move ahead with creating the first AWS Lambda function.

Login to AWS Lambda console.
Click on the Create function button.
You should see wizard as below –

There are 4 ways you can choose to create AWS Lambda function –

Author from scratch: Select the programming language of your choice and start writing the function code
Use a blueprint: Use readymade function pre-written for you by AWS.
Container image: Use a docker container image to deploy function
Browse serverless app repository: Use complete application pre-written in Lambda.

Basic information
- Function name: For identification purpose
- Runtime: Function’s coding lanuage. Select a supported language from the dropdown.
- Permissions: Arrange the Lambda function IAM role to access AWS resources on your behalf.

You can either use an existing role or let the wizard create a default permission role. If your code requires special permissions, it’s recommended to create a new role using policy templates to ensure that function has sufficient privileges to access AWS resources.

Advanced settings
- Code signing: To ensure the integrity of the code and its source.
- Network: If function expected to have network access, then select VPC here and hence in turns select subnet, security group which will be applicable to function when it runs.

Click the Create function button.

AWS Lambda function should be created. Click on the Latest alias to edit your code and test it.

In latest alias, there are 5 tabs you can navigate.

Overview: Overall details.
Code: Edit code and code-related configurations.
Test: Invoke test event for the Lambda function
Monitor: Monitoring aspects in context to Cloudwatch
Latest configuration: Various Lambda function related configurations.

Lets have a look at all these tabs one by one.

Overview
- General configuration: Shows description, last modified, and Function ARN.
- Function visualization: Visual representation of a function.
Code
- Code Source: In browser code editor. You can upload the code in a zip file or reference it from the S3 location.
- Runtime settings: Edit the code language.
- Code signing details: Edit code signing for code integrity.
- Layers: Edit or add layers to function.
Test
- Test event: Create, format, or invoke test event.
Monitor
- View CloudWatch metrics or CloudWatch logs insights.
Latest configuration
- This is the biggest section of all. It has 5 subsections
  1. General
  2. Environment
  3. Triggers
  4. Permissions
  5. Destinations

Lets go through each section one by one:

General
- Basic settings: Edit below configurations
  - Description
  - Memory (MB): Memory allocated to function. CPU will be allocated in proportion to memory.
  - Timeout: Max execution time. Limit: 15 mins.
  - Execution role: IAM role being used by the function.
- Asynchronous invocations:
  - Maximum age of event: To keep the unprocessed event in the queue.
  - Retry attempt: Maximum number of retries after the function returns an error.
  - Dead letter queue: SQS queue for sending unprocessed events for asynchronous invocations.
- Monitoring tools
  - Amazon CloudWatch: By default enabled for AWS Lambda
  - AWS X-ray: For analysis and debug purposes.
  - CloudWatch Lambda insights: Enhanced monitoring.
- VPC
  - Edit VPC, subnet, security group for Lambda function if function required networking.
- State machines
  - Step functions to orchestrate Lambda function.
- Database proxy
  - Manage database connections if the function requires DB connectivity.
- Filesystem
  - Make EFS available to Function.
Environment
- Environment variables: Set of key-value pairs to use as environment variables in function during execution.
Triggers
- Add triggers to invoke the lambda function.
Permissions
- IAM permissions via role or resource-based policies
Destinations
- Configure destination for invocation records once function executes.

Since its a test function, I move ahead with all the defaults. Once everything is configured you are ready to test the fuction.

Click on the Test tab and then click the Invoke button to invoke the Lambda function test event.

Test invokation results presented on same screen. The important details to look for are –

Returned results by function
Duration: Actual execution time
Billed Duration: Billed execution time. Rounded to nearest 1ms.
Max memory used

The log output at the end can also be viewed in CloudWatch log group.

The bill amount is calculated using the amount of memory allocated and billed duration.

So that’s how you configure and execute simple basic Lambda functions for understanding the foundation of AWS Lambda!

Replication in Amazon S3

Leave a reply

An article to overview SRR and CRR in Amazon S3. Why, when, and how to use it.

Amazon S3 is a Simple Storage Service offered by AWS. It’s object storage with virtually unlimited in size. S3 also offered the feature of replication to replicate objects from one bucket to another bucket. The bucket is a placeholder for arranging objects in S3. It can be visualized as a root folder in the file structure.

What is replication in Amazon S3?

Replication is a process of copying objects and their metadata from a source bucket to a destination bucket in an asynchronous way in the same or different region.

Why S3 replication is needed?

There are couple of use cases where S3 replication can prove helpful –

Compliance: Some customers need to keep a copy of data in a particular territory for compliance purposes. In such cases, S3 replication can be set to copy data into the destined region.
Data copy under different regions and accounts: S3 data replication enables users to copy data in different regions and under different accounts.
Latency requirement: Keeping a copy in a region close to consumers helps to achieve low latency in accessing data stored in S3.
Objects aggregation: Data from different buckets can be aggregated into a single bucket using replication.
Storage class requirement: S3 replication can directly put objects in Glacier 9diff storage class) in the destination bucket.

Types of S3 replications

Same-Region Replication (SRR)
- Source and destination buckets lie within the same region.
- Used in case data compliance requires the same copy of data to be maintained in different accounts.
- Log aggregation can be achieved using SRR by setting up SRR from different log buckets to the same destination bucket.
Cross-Region Replication (CRR)
- Source and destination bucket lies in different regions.
- Used in case data compliance requires the same copy of data to be maintained in different regions.
- Useful in latency requirements.

Requirements and limitations of Amazon S3 replication

Versioning must be enabled at source and destination buckets.
Existing files are not replicated. Only new uploaded objects (after enabling replication) are replicated.
Delete markers created by lifecycle rules are not replicated.
You can’t replicate objects which are encrypted using SSE-C.
Can set up across accounts.
It’s one-way replication, not bidirectional. It means source bucket to destination and not vice versa.
Lifecycle policy events are not replicated.
Amazon S3 should have access to read/write on both buckets by assuming your identity.
The destination bucket can not be configured with requestor pays mode.

How to configure S3 replication?

Let’s dive into the practical aspects of it. We will be configuring replication between 2 buckets hosted in different regions under the same account for this exercise. Read here how to create an S3 bucket. Below are 2 buckets in consideration –

Log in to the S3 console.
Click on Buckets in the left navigation panel.
On the buckets page, click on the bucket name you want to create replication (source bucket).

Creating replication rule for source bucket

Click on the Management tab under bucket details.
And scroll down to the Replication rules section.
Click on the Create replication rule button.

Make sure you have versioning enabled on both source and destination buckets, or else you will see a warning like the one below –

In replication rule configuration wizard –

Replication rule configuration
- Replication rule name: Name
- Status: Enable/disable the rule on creation
- Priority: In the case of multiple replication rules, the object follows priority.

Source bucket
- Source bucket name: Prepopulated.
- Source region: Region of source bucket. Prepopulated.
- Choose a rule scope: Replication can be limited to selected objects by using a prefix filter. Or apply it for all objects in the bucket.
Destination
- Bucket name: Choose bucket from the same account or a different account here as a destination.
- Destination Region: Region of destination bucket.

IAM role
- Select the IAM role to be used by S3 for performing the copy operation. Make sure you have carefully added proper permissions to it. I choose to create new for this exercise.
Encryption
- If data is encrypted using AWS KMS, it can be replicated.
Destination storage class
- Change the storage class of replicated objects or keep it the same as the source.

Additional replication options
- RTC: Premium service with guaranteed 15 mins ETA for replication of new objects
- Replication metrics and notifications: Cloudwatch for replication!
- Delete marker replication: Enable to replicate S3 delete operation created delete markers. Remember lifecycle rule created delete markers can not be replicated.

Click the Save button. Replication rule should be created and you should be presented with rule details like below –

You can even see the IAM role created by AWS while creating a rule since we opt to create one.

Now, it’s time for the test. I had one file already in the source bucket, and it’s not replicated after creating the rule since it’s only applied to new objects uploaded to the source bucket after rule creation.

File1.text was existing before rule creation and File2.txt uploaded after rule creation. So the destination bucket should be having File2.txt replicated from the source bucket.

And its there! So replication rule worked perfectly!

How to check if object is replicated?

To verify if the object is replicated or not. Click on the object and check its replication status.

For replicated object replication status should show it as REPLICA. Whereas, for source object i.e., who uploaded to source object and then got replicated status is COMPLETED

And it would be blank for non-replicated objects. Since File1.txt was uploaded before replication rule creation, the rule was not applied to it.

And hence we see its replication status as - i.e., no replication rules applied to this object.

Configuring Visual Studio Code for Terraform to work with AWS

Leave a reply

A quick post for working on AWS using Visual Studio Code and terraform.

Install Terraform

Download the latest terraform software and install it on your machine. For windows, keep terraform.exe downloaded from this page in C:\Windows\System32 and that should be enough.

Install Visual Studio Code

Download Microsoft Visual Studio Code software from their website. Install and launch Visual Studio Code. It supports many code languages. But many of them are not supported on install. One needs to add extensions from the extension marketplace to make it available in VSC.

Install Terraform Visual Studio Code extension

The official Visual Studio Code extension for Terraform is HashiCorp Terraform. You can visit this link and click on the Install button on the webpage, which in turn opens up VSC and install the extension or follow the below procedure.

Launch Visual Studio Code
Click on the Extensions shortcut on the left navigation panel.
Search terraform in extensions marketplace
Select HashiCorp Terraform from search results
Click the Install button.

Once installed it will be available to use.

Login to AWS account for terraform

It’s programmatic access you will be configuring to AWS. So for that, you should create Access keys through the IAM AWS console. Once you are ready with a valid AWS account with programmatic access enabled and downloaded its access keys, head back to VSC.

Create a new file main.tf with the below code for login. Make sure you use your own key values in there :

provider "aws" {
    access_key = "AKIAVGESLBG6N4NLDQ7H"
    secret_key = "jyiL7OTx4glshojC6VVoVxMe94kBtsc4XiEaD+8p"
    region = "us-east-1"
}

and in terminal below, run terraform init command.

Although hard coding credentials like this is not recommended, you can define them as environment variables or other methods supported by terraform.

This should initialize Terraform to use with AWS. It will download the AWS plugin for Terraform. Sample output –

PS D:\Testing> terraform init

Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v3.17.0...
- Installed hashicorp/aws v3.17.0 (signed by HashiCorp)

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, we recommend adding version constraints in a required_providers block
in your configuration, with the constraint strings suggested below.

* hashicorp/aws: version = "~> 3.17.0"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

The next step is scanning existing AWS infra to give an account to make the terraform aware of it. Execute the terraform plan command. This command now will use the access keys defined in the file, login to AWS, and check the existing infra.

PS D:\Testing> terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.


------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

Creating sample user in AWS using terraform from Visual Studio Code

Now to test a small command, let’s define a user in the file. If that user existing in your AWS account, you should see the same output as above. If not, terraform should show that a new user needs to be created to match the file’s requirements.

Ensure the user you are using in terraform has permissions to create resources in AWS you are planning to.

Add below code in file, save and run terrafrom plan again.

resource "aws_iam_user" "user1" {
    name = "user1"
}

PS D:\Testing> terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.


------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_user.user1 will be created
  + resource "aws_iam_user" "user1" {
      + arn           = (known after apply)
      + force_destroy = false
      + id            = (known after apply)
      + name          = "user1"
      + path          = "/"
      + unique_id     = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

As you can see, since testuser is not existing in AWS infra, it’s prompting to create one! To apply the changes, run the terraform apply command, and it will execute the operation.

Finally, to verify the user created run terrafrom show command.

Finally, to delete all resources being created by terraform, you can run terrafrom destroy command.

PS D:\Testing> terraform destroy
aws_iam_user.user1: Refreshing state... [id=user1]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # aws_iam_user.user1 will be destroyed
  - resource "aws_iam_user" "user1" {
      - arn           = "arn:aws:iam::xxxxxxxxxxxx:user/user1" -> null
      - force_destroy = false -> null
      - id            = "user1" -> null
      - name          = "user1" -> null
      - path          = "/" -> null
      - tags          = {} -> null
      - unique_id     = "AIDAVGESLBG6PGBXZBT35" -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value:
aws_iam_user.user1: Destroying... [id=user1]
aws_iam_user.user1: Destruction complete after 2s

Destroy complete! Resources: 1 destroyed.

It should ask confirmation and then proceed with deleting resources.

Kernel Talks

Unix, Linux, & Cloud!

How to connect RDS with AWS IAM authentication

Why should we use IAM authentications for RDS?

What you need?

Creating user on database for the RDS access

Create IAM role for RDS access

Connect to RDS using IAM token

Understanding the authentication flow

How to connect AWS RDS database from Windows

Identify RDS Endpoint

Prepare SQL client

How to make RDS publicly accessible

RDS connection using ‘Password authentication’ via SQL client

Preparing for Hashicorp Certified Terraform Associate Exam

Topics to study

Resources for preparation

Practice tests

How to create atomic counter in AWS DynamoDB with AWS CLI

What is atomic counter?

Creating DynamoDB table for the counter

Preparing DynamoDB table for counter updates

Updating counter in DDB table

How to add Capacity Providers in the existing ECS Cluster?

Creating EC2 type Capacity Providers

Creating FARGATE capacity providers

Adding FARGATE capacity providers to existing cluster

Amazon ECS Capacity Providers Overview

What are the Capacity Providers?

Types of Capacity Providers

Why should I move from Launch type to Capacity Providers?

Downsides of Capacity Providers

Creating first AWS Lambda function

Replication in Amazon S3

What is replication in Amazon S3?

Why S3 replication is needed?

Types of S3 replications

Requirements and limitations of Amazon S3 replication

How to configure S3 replication?

How to check if object is replicated?