Day 39 AWS and IAM Basics☁(Jan 04, 2024)

Day 39 AWS and IAM Basics☁(Jan 04, 2024)

User Data in AWS

User data in AWS is a feature that allows you to pass custom data to an Amazon EC2 instance when it starts. This data can be used to initialize the instance, configure software, or install files.

User data is passed to the instance as a base64-encoded string. The instance then decodes the string and executes the commands that are specified in the data.

User data can be specified in the following ways:

  • When you launch an instance using the AWS Management Console, you can specify user data in the User data field.

  • When you launch an instance using the AWS CLI, you can specify user data using the --user-data option.

  • When you create an AMI, you can specify user data in the User data field.

User data can be used for a variety of purposes, such as:

  • To initialize the instance, such as by creating a user account or mounting a filesystem.

  • To configure software, such as by installing packages or setting up configuration files.

  • To install files, such as scripts or data files.

Here is an example of user data:

#!/bin/bash

# Update the system packages.
sudo apt-get update && sudo apt-get upgrade

# Install the Apache web server.
sudo apt-get install apache2

# Create a new website.
echo "Hello, world!" > /var/www/html/index.html

# Start the Apache web server.
sudo systemctl start apache2

This user data will update the system packages, install the Apache web server, create a new website, and start the Apache web server.

User data is a powerful feature that can be used to automate the setup and configuration of EC2 instances. It is a good way to ensure that your instances are configured consistently and that they have the software and data that they need.

What is IAM?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can centrally manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user

IAM features

IAM gives you the following features:

Shared access to your AWS account

You can grant other people permission to administer and use resources in your AWS account without having to share your password or access key.

Granular permissions

You can grant different permissions to different people for different resources. For example, you might allow some users complete access to Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Amazon DynamoDB, Amazon Redshift, and other AWS services. For other users, you can allow read-only access to just some S3 buckets, or permission to administer just some EC2 instances, or to access your billing information but nothing else.

Secure access to AWS resources for applications that run on Amazon EC2

You can use IAM features to securely provide credentials for applications that run on EC2 instances. These credentials provide permissions for your application to access other AWS resources. Examples include S3 buckets and DynamoDB tables.

Multi-factor authentication (MFA)

You can add two-factor authentication to your account and to individual users for extra security. With MFA you or your users must provide not only a password or access key to work with your account but also a code from a specially configured device. If you already use a FIDO security key with other services, and it has an AWS-supported configuration, you can use WebAuthn for MFA security. For more information

Accessing IAM

You can work with AWS Identity and Access Management in any of the following ways.

AWS Management Console

The console is a browser-based interface to manage IAM and AWS resources. For more information about accessing IAM through the console

AWS Command Line Tools

You can use the AWS command line tools to issue commands at your system's command line to perform IAM and AWS tasks. Using the command line can be faster and more convenient than the console

Difference between IAM Users and IAM Roles

IAM Users:

- Purpose: IAM Users are designed to represent individual people or entities.
- Usage: They are typically used for interactive access to AWS resources.
- Authentication: IAM Users use long-term credentials, such as username/password or access keys, for authentication.
- Permission: Permissions are assigned directly to the user.
- Trust Relationship: There is no concept of a trust relationship for IAM Users.
- Credential Rotation: IAM Users may have long-term credentials that need to be manually rotated periodically.
- Auditing and Compliance: IAM Users have separate audit trails and activity tracking.

IAM Roles:

- Purpose: IAM Roles are used to grant permissions to AWS services or non-human entities.
- Usage: They are commonly used to provide access for applications running on AWS services.
- Authentication: IAM Roles provide temporary credentials for entities assuming the role.
- Permission: Permissions are attached to the role and are assumed by entities.
- Trust Relationship: IAM Roles define trust relationships that specify which entities are allowed to assume the role.
- Credential Rotation: IAM Roles provide temporary credentials that are automatically rotated by AWS.
- Auditing and Compliance: Actions performed by entities assuming a role are logged under the role’s activity.

In the previous blog, we performed a task on IAM too. Let’s get started with the tasks and learn further.

Task 1 - Launch EC2 Instance with Jenkins Installed

  1. Go to the AWS Management Console and navigate to the EC2 service.

  2. Click on "Launch Instance" and choose an appropriate AMI (Amazon Machine Image).

  3. Select an instance type, configure instance details, and add any required storage.

  4. In the "Network Settings", make sure the Security Group allows inbound traffic on port 8080 to access Jenkins.

  5. Scroll down to the "Advanced Details" section. Enter the following script in the "User data" field to install Jenkins and Docker (Script from Day 38):

#!/bin/bash

# Update the system packages
sudo yum update –y

# Download and configure the Jenkins repository
sudo wget -O /etc/yum.repos.d/jenkins.repo \
    https://pkg.jenkins.io/redhat-stable/jenkins.repo
sudo rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io-2023.key

# Upgrade the system packages
sudo yum upgrade

# Install Java 11 using Amazon Corretto
sudo dnf install java-11-amazon-corretto -y

# Install Jenkins
sudo yum install jenkins -y

# Enable and start the Jenkins service
sudo systemctl enable jenkins
sudo systemctl start jenkins

# Install Docker
sudo yum install -y docker

# Enable and start the Docker service
sudo systemctl enable docker
sudo systemctl start docker

# Check the status of Jenkins service
sudo systemctl status jenkins

# Check the status of Docker service
sudo systemctl status docker
  1. Review the configuration, and launch the instance.

  2. Once the instance is running, copy the public IP address.

  3. Open a web browser and paste the IP Address using port 8080. You should see the Jenkins page.

Task 2 - Create Three Roles

  1. Go to the AWS Management Console and navigate to the IAM service.

  2. Click on "Roles" and then "Create Role".

  3. Select the "Trusted Entity" and "Use case". In this example, I'll use "AWS Service" and "EC2"

  4. On the permissions page, assign the necessary policies and permissions to the role based on its purpose. I will select "AmazonEC2FullAccess"

  5. Give the role a name, such as "DevOps-User".

  6. Repeat the above steps to create the roles "Test-User" and "Admin", assigning the relevant policies to each.