Related Books
Guide to Prompt Engineering

Guide to Prompt Engineering
Introduction to C Programming Language

Introduction to C Programming Language
TypeScript for Java Developers by CodeAhoy

TypeScript for Java Developers by CodeAhoy
Ruby for Beginners

Ruby for Beginners
The Little ASP.NET Core Book

The Little ASP.NET Core Book

View all

Interacting with services - AWS CLI, SDK

Interacting with services

  • All services can be called using APIs and you can talk to APIs using:
    • Console (web), SDK’s and CLI that make API calls.

AWS CLI

  • Interact with AWS Proprietary services (S3, DynamoDB etc.) over www.
  • Can be installed on Linux/Windows/Mac OS
    • Python & pip is bundled in Windows but require separate installation in Mac OS / Linux
    • aws --version get the version of CLI, Python, OS, and botocore
  • Python based using botocore / boto3 (AWS SDK for python)
  • Requires access credentials
    1. Can be found at IAM -> Users -> Security credentials
    2. Create your access key (can download as CSV)
      • ❗ You cannot restore them, they’re generated & shown once
      • To revoke it: disable or delete your key.
    3. Run aws configure & paste Access Key Id and Secret Access Key when prompted
      • You can optionally set default region & output format
        • Otherwise the region is us-east-1 by default
      • You can run aws configure to check if they’re saved & modify them.
    4. Credentials are saved in ~/.aws in Mac OS & Linux
      • In config file you have region and output settings.
      • In credentials file your access key id and secret key are saved
    5. You can run help to get more information about command e.g. aws s3 ls help
  • AWS CLI on EC2
    • ❗ Bad & insecure way:
      • Run aws configure and save your credentials
      • Your personal credentials are personal and should only be on your personal computer (not on EC2)
      • Risks:
        • If EC2 is compromised -> Your account will also be compromised
        • If EC2 is shared -> other people may perform actions impersonating you
    • 💡 Better way: AWS IAM Roles
      • IAM Roles can be attached to EC2 instances.
        • ❗ One EC2 instance can have one IAM role at a time
          • But same role can be attached to many other EC2 instances
        • 📝 Also, Roles are not directly attached to EC2 instance, but are attached to instance profile. Instance profile is a container, where roles are attached.
      • IAM Roles can come with a policy authorizing exactly what the EC2 instance should be able to do e.g. AdminAccess or List buckets in S3.
      • EC2 instances can use these profiles automatically without any additional configurations
    • 📝If EC2 need access to other aws resources, never put credentials in it, always use IAM roles
    • Flow:
      • Create IAM role for the resource EC2 will access
      • EC2 portal -> Right click on instance -> Settings -> Attach IAM role
  • S3 CLI
    • aws s3 ls: Lists all buckets available
    • aws s3 ls s3://bucketname: Lists contents of the bucket
    • aws s3 cp s3://bucketname/pic.jpg pic.jpg: Copy a local file, or S3 objects to your computer or from your computer.
    • aws s3 mb s3://bucketname: create a new bucket
    • aws s3 rb s3://bucketname: delete existing bucket
    • aws configure --profile <profile-name>: Allows you to name a profile and work with multiple profiles. Future commands should have --profile <profile-name> parameter to use the profile.
    • Use appropriate region to the end of the command in all the above, remember S3 buckets are regional.

AWS SDK

  • Official SDK’s are: Java, .NET, Node.js, PHP, Python (named boto3/botocore), Go, Ruby, C++ …
  • AWS CLI uses the Python SDK
  • Recommended to use the default credential provider chain
  • It works seamlessly with:
    • AWS credentials at ~/.aws/credentials
    • Use only on your computers or on premise
      • Even better to create a user specifically for that one on-premise server
    • Instance Profile Credentials using IAM Roles
    • Use 100% within AWS services e.g. EC2 machines.
    • You can use environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
      • ❗ Less recommended
  • Exponential Backoff
    • E.g. request 1 fails -> wait 2 sec -> request 2 fails -> wait 4 sec -> request 3 fails -> wait 8 sec …
    • Any API that fails because of too many calls needs to be retried with Exponential Backoff
      • Applies also to rate limited API
    • Retry mechanism included in SDK API calls
    • Ensures you don’t overload API

Penetration testing

  • You can carry out security assessments or penetration tests against own AWS infrastructure without prior approval for 8 services: 1.EC2 Instances, NAT Gateways & ELB 2.RDS 3.CloudFront 4.Aurora 5.API Gateways 6.Lambda & Lambda Edge functions 7.Lightsail 8.Elastic Beanstalk.
    • You can request for inclusion of additional services.
  • ❗ Prohibited Activities: DDoS, DoS, DNS zone walking, port/protocol/request flooding

Licenses and Attributions

Speak Your Mind

-->