Tuesday, 22 June 2010

Amazon EC2 - Security Groups don't work the way you expect

Nested security groups sound great, exactly what you need to organise your security rules. However, they don't appear to work as you would expect, i.e. the way the grouping concept works in other software products.

So far I don't fully understand how it is supposed to work, and I haven't found that key piece of documentation either. What I do understand at present is that the rules of a nested security group (one that is not itself applied to any EC2 instance) do not apply to an EC2 instance that has the parent group applied.

For example, suppose I had a security group called 'sec-group-A' which contains 'sec-group-B', and 'sec-group-B' has one rule that allows RDP from 0.0.0.0/0. Now apply 'sec-group-A' to an EC2 instance (a Windows instance): you will not be able to connect using RDP. If you add the RDP allow rule directly to 'sec-group-A', you will.

So what is the point of grouping? Obviously there is a use for it. When used within another group, are they treated as tags which identify other EC2 instances (?)
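The evaluation rule behind this behaviour, written out as a small model. This is an added example, not code from the original post and not anything from AWS: the group and instance names, the 10.0.0.x and 203.0.113.x addresses, and the "-1" meaning "any protocol" are all constructed here, and the model simplifies by matching a group-sourced rule purely on the sender's group membership (real EC2 additionally expects the sender's private address). It reproduces the post's sec-group-A / sec-group-B scenario and then shows what a group-as-source is actually for.

```python
"""
Model of how EC2 evaluates security-group ingress rules (added example,
not from the original post). Groups, instances and addresses below are
constructed to reproduce the post's sec-group-A / sec-group-B scenario.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp", "udp", "icmp" or "-1" for any protocol (assumed convention)
    from_port: int
    to_port: int
    source: str       # a CIDR such as "0.0.0.0/0" or the name of another group


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: frozenset  # names of the groups applied to this instance


def rule_matches(rule, src_ip, src_groups, proto, port):
    """Does one ingress rule admit a packet from src_ip / src_groups?"""
    if rule.proto not in ("-1", proto):
        return False
    if not rule.from_port <= port <= rule.to_port:
        return False
    if "/" in rule.source:                       # CIDR source
        return ip_address(src_ip) in ip_network(rule.source)
    # Group source: the group name is a membership tag for the *sender*.
    # Nothing inside that group's own rule set is consulted here
    # (simplification: the sender's address is not checked in this model).
    return rule.source in src_groups


def is_allowed(groups, dst, src_ip, src_groups, proto, port):
    """Ingress to dst is allowed if any rule of any group applied to dst
    matches; only the rules of groups applied to dst are ever looked at."""
    return any(
        rule_matches(rule, src_ip, src_groups, proto, port)
        for gname in dst.groups
        for rule in groups[gname].rules
    )


def build_post_scenario():
    """sec-group-A 'contains' sec-group-B (a rule whose source is B);
    sec-group-B allows RDP from anywhere; the Windows box is only in A."""
    groups = {
        "sec-group-A": SecurityGroup("sec-group-A",
                                     [Rule("-1", 0, 65535, "sec-group-B")]),
        "sec-group-B": SecurityGroup("sec-group-B",
                                     [Rule("tcp", 3389, 3389, "0.0.0.0/0")]),
    }
    windows = Instance("win-1", "10.0.0.10", frozenset({"sec-group-A"}))
    return groups, windows


def internet_rdp_to_windows():
    """The post's observation: RDP from the internet is refused."""
    groups, win = build_post_scenario()
    return is_allowed(groups, win, "203.0.113.5", frozenset(), "tcp", 3389)


def internet_rdp_after_direct_rule():
    """The post's fix: add the RDP rule directly to sec-group-A."""
    groups, win = build_post_scenario()
    groups["sec-group-A"].rules.append(Rule("tcp", 3389, 3389, "0.0.0.0/0"))
    return is_allowed(groups, win, "203.0.113.5", frozenset(), "tcp", 3389)


def member_of_b_rdp_to_windows():
    """What a group-as-source is for: an instance *in* sec-group-B may
    reach the Windows box, even though win-1 is not in B itself."""
    groups, win = build_post_scenario()
    bastion = Instance("bastion", "10.0.0.20", frozenset({"sec-group-B"}))
    return is_allowed(groups, win, bastion.ip, bastion.groups, "tcp", 3389)


def member_of_b_with_empty_b():
    """B's own rules are never inherited: strip every rule from sec-group-B
    and the bastion still gets in, purely by membership."""
    groups, win = build_post_scenario()
    groups["sec-group-B"].rules.clear()
    bastion = Instance("bastion", "10.0.0.20", frozenset({"sec-group-B"}))
    return is_allowed(groups, win, bastion.ip, bastion.groups, "tcp", 3389)


if __name__ == "__main__":
    print("internet -> win-1 RDP, A references B only:", internet_rdp_to_windows())
    print("internet -> win-1 RDP, rule added to A:    ", internet_rdp_after_direct_rule())
    print("member of B -> win-1 RDP:                  ", member_of_b_rdp_to_windows())
    print("member of (empty) B -> win-1 RDP:          ", member_of_b_with_empty_b())
```

The two things to take from the model: a group name in the source column of a rule is a label on the sender, not a pointer to another rule set, and only the rules of groups actually applied to the destination instance are ever consulted. So the 0.0.0.0/0 RDP rule has to live in a group that is applied to the Windows instance, and the "A contains B" rule is the right tool for a different job, letting instances in B talk to instances in A without ever hard-coding their addresses.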

http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/index.html?concepts-security.html

http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/index.html?using-network-security.html

http://somic.org/2009/09/21/security-groups-most-underappreciated-feature-of-amazon-ec2/

http://developer.amazonwebservices.com/connect/thread.jspa?threadID=36513

http://www.shlomoswidler.com/2009/06/tagging-ec2-instances-using-security_30.html

http://aws.typepad.com/aws/2010/06/building-three-tier-architectures-with-security-groups.html

Wednesday, 9 June 2010

Install and configure the Amazon RDS Command Line Tools

On Windows XP


Installation:
1. Ensure that Java version 1.5 or higher is installed on your system (check with: java -version). Java SE 1.6 works.
2. Download the latest RDS Command Line Tools deployment zip file from AWS and unzip it into "c:\program files\amazon\aws\rdscli" on Windows.
3. Set the following environment variables:
3.1 AWS_RDS_HOME - the directory the deployment files were unzipped into
        (check with: dir %AWS_RDS_HOME%\bin - it should list rds-describe-db-instances and the other rds-* commands)
3.2 JAVA_HOME = "C:\Program Files\Java\jre6" (the Java installation home directory)
3.3 EC2_REGION = eu-west-1
3.4 EC2_URL = http://%EC2_REGION%.ec2.amazonaws.com/ (prefer https:// here; the endpoints accept it and there is no reason to send signed API calls in the clear)
4. Add "%AWS_RDS_HOME%\bin" to your PATH.


Configuration:
Provide the command line tools with your AWS user credentials. There are two ways you can provide credentials: AWS access keys, or X.509 certificates.


Using AWS Keys:
1. Create a credential file: the deployment includes a template file, %AWS_RDS_HOME%\credential-file-path.template. Edit a copy of this file and add your access key ID and secret key. Since the file holds a secret, restrict its permissions so that only your own account can read it.


2. There are several ways to point the tools at your credentials:
      a. Set the following environment variable: AWS_CREDENTIAL_FILE=<the file created in 1>, e.g. AWS_CREDENTIAL_FILE=%AWS_RDS_HOME%\credential-file-path.template (or whatever you named your copy)
      b. Alternatively, provide the following option with every command: --aws-credential-file <the file created in 1>
      c. Explicitly specify the credentials on the command line: --I ACCESS_KEY --S SECRET_KEY. Avoid this outside of quick tests: the secret key ends up in your command history and is visible to anyone who can list running processes.
      
Using X.509 Certs:
1. Save your certificate and private key to files, e.g. my-cert.pem and my-pk.pem. The private key deserves the same restricted permissions as the credential file above.


2. There are two ways to provide the certificate information to the command line tool:
    a.  Set the following environment variables:
        EC2_CERT=/path/to/my-cert.pem
        EC2_PRIVATE_KEY=/path/to/my-pk.pem
    b.  Specify the files directly on command-line for every command:
        <command> --ec2-cert-file-path=/path/to/my-cert.pem --ec2-private-key-file-path=/path/to/my-pk.pem


Running:
To check that your setup works properly, run the following commands:
   $ rds --help
      You should see the usage page listing all RDS commands.
   $ rds-describe-db-instances --headers
      You should see a header line. If you already have database instances configured, you will also see a description line for each database instance.