Interacting with services - AWS CLI, SDK

Interacting with services

  • All services can be called using APIs and you can talk to APIs using:
    • Console (web), SDK’s and CLI that make API calls.

AWS CLI

  • Interact with AWS Proprietary services (S3, DynamoDB etc.) over www.
  • Can be installed on Linux/Windows/Mac OS
    • Python & pip is bundled in Windows but require separate installation in Mac OS / Linux
    • aws --version get the version of CLI, Python, OS, and botocore
  • Python based using botocore / boto3 (AWS SDK for python)
  • Requires access credentials
    1. Can be found at IAM -> Users -> Security credentials
    2. Create your access key (can download as CSV)
      • ❗ You cannot restore them, they’re generated & shown once
      • To revoke it: disable or delete your key.
    3. Run aws configure & paste Access Key Id and Secret Access Key when prompted
      • You can optionally set default region & output format
        • Otherwise the region is us-east-1 by default
      • You can run aws configure to check if they’re saved & modify them.
    4. Credentials are saved in ~/.aws in Mac OS & Linux
      • In config file you have region and output settings.
      • In credentials file your access key id and secret key are saved
    5. You can run help to get more information about command e.g. aws s3 ls help
  • AWS CLI on EC2
    • ❗ Bad & insecure way:
      • Run aws configure and save your credentials
      • Your personal credentials are personal and should only be on your personal computer (not on EC2)
      • Risks:
        • If EC2 is compromised -> Your account will also be compromised
        • If EC2 is shared -> other people may perform actions impersonating you
    • 💡 Better way: AWS IAM Roles
      • IAM Roles can be attached to EC2 instances.
        • ❗ One EC2 instance can have one IAM role at a time
          • But same role can be attached to many other EC2 instances
        • 📝 Also, Roles are not directly attached to EC2 instance, but are attached to instance profile. Instance profile is a container, where roles are attached.
      • IAM Roles can come with a policy authorizing exactly what the EC2 instance should be able to do e.g. AdminAccess or List buckets in S3.
      • EC2 instances can use these profiles automatically without any additional configurations
    • 📝If EC2 need access to other aws resources, never put credentials in it, always use IAM roles
    • Flow:
      • Create IAM role for the resource EC2 will access
      • EC2 portal -> Right click on instance -> Settings -> Attach IAM role
  • S3 CLI
    • aws s3 ls: Lists all buckets available
    • aws s3 ls s3://bucketname: Lists contents of the bucket
    • aws s3 cp s3://bucketname/pic.jpg pic.jpg: Copy a local file, or S3 objects to your computer or from your computer.
    • aws s3 mb s3://bucketname: create a new bucket
    • aws s3 rb s3://bucketname: delete existing bucket
    • aws configure --profile <profile-name>: Allows you to name a profile and work with multiple profiles. Future commands should have --profile <profile-name> parameter to use the profile.
    • Use appropriate region to the end of the command in all the above, remember S3 buckets are regional.

AWS SDK

  • Official SDK’s are: Java, .NET, Node.js, PHP, Python (named boto3/botocore), Go, Ruby, C++ …
  • AWS CLI uses the Python SDK
  • Recommended to use the default credential provider chain
  • It works seamlessly with:
    • AWS credentials at ~/.aws/credentials
    • Use only on your computers or on premise
      • Even better to create a user specifically for that one on-premise server
    • Instance Profile Credentials using IAM Roles
    • Use 100% within AWS services e.g. EC2 machines.
    • You can use environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
      • ❗ Less recommended
  • Exponential Backoff
    • E.g. request 1 fails -> wait 2 sec -> request 2 fails -> wait 4 sec -> request 3 fails -> wait 8 sec …
    • Any API that fails because of too many calls needs to be retried with Exponential Backoff
      • Applies also to rate limited API
    • Retry mechanism included in SDK API calls
    • Ensures you don’t overload API

Penetration testing

  • You can carry out security assessments or penetration tests against own AWS infrastructure without prior approval for 8 services: 1.EC2 Instances, NAT Gateways & ELB 2.RDS 3.CloudFront 4.Aurora 5.API Gateways 6.Lambda & Lambda Edge functions 7.Lightsail 8.Elastic Beanstalk.
    • You can request for inclusion of additional services.
  • ❗ Prohibited Activities: DDoS, DoS, DNS zone walking, port/protocol/request flooding

Licenses and Attributions


Speak Your Mind