Although you can launch EC2 instances and then configure the software packages you need on them by hand, there are more efficient approaches. Manual steps invite human error and take far longer than a process that can easily be automated.
User data scripts also let you install and configure security patches and tools automatically while the EC2 instance is launching, without creating a custom AMI, as discussed previously in the Backing Up Amazon EC2 Instances section.
The following is an example of a user data script that configures an EC2 instance without any user interaction. It does so through directives that create files from scratch, update previously installed packages and software repositories, and run commands:
#cloud-config
# Upgrade installed packages and refresh the package repositories at first boot
package_upgrade: true
repo_update: true
repo_upgrade: all
# Packages to install
packages:
  - boto3
  - aws-cfn-bootstrap
# Files to create before runcmd executes
write_files:
  - path: /test.txt
    content: |
      This is my file.
      There are many like it but this one is mine.
# Commands to run once, at the end of first boot
runcmd:
  - [ sed, -i, -e, 's/is/was/g', /test.txt ]
  - echo "modified my file"
  - [ cat, /test.txt ]
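A few things tend to go wrong with user data scripts and only show up in /var/log/cloud-init.log after launch: a misspelled write_files key (cloud-init then writes the file with no content), an unclosed command list, user data over the 16 KB limit, and secrets pasted into the script even though any process on the instance can read the user data back from the instance metadata service. The following Python helper, added here as an example rather than code from the book, builds the cloud-config above as a Python structure and runs those checks before the document is handed to the API. Assumptions: the list of write_files keys is a small subset chosen for the check, not cloud-init's full schema, and the secret patterns are a heuristic of my own.

```python
import base64
import json
import re

# EC2 caps instance user data at 16 KB of raw (pre-base64) data.
USER_DATA_LIMIT = 16 * 1024

# write_files keys this check knows about: a subset chosen for the sanity
# check (assumption), not cloud-init's complete schema.
WRITE_FILES_KEYS = {"path", "content", "owner", "permissions",
                    "encoding", "append", "defer"}

# Heuristic patterns for material that must not ride in user data, because
# every process on the instance can read user data from the metadata service.
SECRET_PATTERNS = [
    re.compile(r"aws_secret_access_key", re.I),
    re.compile(r"AKIA[0-9A-Z]{16}"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]

# The page's cloud-config, re-expressed as a Python structure.
PAGE_EXAMPLE = {
    "package_upgrade": True,
    "repo_update": True,
    "repo_upgrade": "all",
    "packages": ["boto3", "aws-cfn-bootstrap"],
    "write_files": [
        {"path": "/test.txt",
         "content": "This is my file.\n"
                    "There are many like it but this one is mine.\n"}
    ],
    "runcmd": [
        ["sed", "-i", "-e", "s/is/was/g", "/test.txt"],
        'echo "modified my file"',
        ["cat", "/test.txt"],
    ],
}


def build_cloud_config(config):
    """Serialize config as a cloud-config document.

    YAML is a superset of JSON, so cloud-init accepts a JSON body after the
    '#cloud-config' header; that avoids needing a YAML library here.
    """
    return "#cloud-config\n" + json.dumps(config, indent=2) + "\n"


def validate_config(config):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    for i, entry in enumerate(config.get("write_files", [])):
        unknown = set(entry) - WRITE_FILES_KEYS
        if unknown:
            problems.append(f"write_files[{i}]: unknown key(s) {sorted(unknown)}")
        if "content" not in entry:
            problems.append(f"write_files[{i}]: no 'content', file would be empty")
    for i, cmd in enumerate(config.get("runcmd", [])):
        ok = isinstance(cmd, str) or (
            isinstance(cmd, list) and all(isinstance(x, str) for x in cmd))
        if not ok:
            problems.append(f"runcmd[{i}]: must be a string or a list of strings")
    text = build_cloud_config(config)
    size = len(text.encode("utf-8"))
    if size > USER_DATA_LIMIT:
        problems.append(f"user data is {size} bytes, over the {USER_DATA_LIMIT}-byte limit")
    for pat in SECRET_PATTERNS:
        if pat.search(text):
            problems.append(f"possible secret matching {pat.pattern!r} in user data")
    return problems


def encode_user_data(config):
    """Validate, then return the base64 form the raw EC2 API expects.

    boto3's run_instances and the AWS CLI base64-encode a plain string for
    you; this is what they put on the wire.
    """
    problems = validate_config(config)
    if problems:
        raise ValueError("; ".join(problems))
    return base64.b64encode(build_cloud_config(config).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(build_cloud_config(PAGE_EXAMPLE))
    print(encode_user_data(PAGE_EXAMPLE)[:60] + "...")
```

Run the script to see the JSON-flavoured cloud-config and its base64 form; pass the output of build_cloud_config to `aws ec2 run-instances --user-data file://...` or to boto3's UserData parameter, both of which encode it themselves. Keeping the script in source control and validating it this way means a typo such as context for content is caught in review instead of on a running instance.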
This example demonstrated how to use a user data script to create and manipulate files and update packages and repositories when an EC2 instance launches. Next, you will look at networking interfaces on EC2 instances.
Elastic Network Interfaces (ENIs) work like virtual network cards and can be attached to an EC2 instance or a load balancer; an Elastic IP can then be associated with that specific ENI. The main function of an Elastic IP is to provide a persistent public IP address that can easily be associated with and disassociated from resources. This is especially useful where other systems depend on that IP address, or where you need an instance to belong to more than one security group.
Because security groups are attached at the network interface level, not the instance level, adding extra ENIs to an instance lets it join more than one security group for specialized purposes. If a web server needs to reach the public internet, one interface can carry a security group that serves that purpose. On the same instance, a team member may also need to SSH in to check logs or the processes running on the server, as shown in Figure 2.4. The security group attached to that particular ENI, which allows access to the SSH port (port 22), can be locked down separately from the web-facing group in this manner.
Figure 2.4: ENIs in separate security groups
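The split in Figure 2.4 only pays off if the management group really is narrower than the web-facing one. The following Python example, which I added here and which is not code from the book, creates a second ENI in a dedicated security group and attaches it to an instance, but first reads the group's inbound rules and refuses if anything that can reach TCP/22 comes from outside an allowed set of CIDRs. The boto3 calls used (describe_security_groups, create_network_interface, attach_network_interface) and their response shapes are real; the FakeEC2 class, the rule sets and every id (i-0example, subnet-0example, sg-*) are constructed stand-ins so the example runs offline. Security-group-to-security-group sources (UserIdGroupPairs) are treated as acceptable, which is an assumption of this check.

```python
from ipaddress import ip_network


def ssh_rules_are_scoped(ec2, sg_id, allowed_cidrs):
    """True if every inbound rule that can reach TCP/22 comes only from allowed_cidrs.

    Rules whose source is another security group (UserIdGroupPairs) are not
    inspected here and are treated as acceptable (assumption).
    """
    allowed = [ip_network(c) for c in allowed_cidrs]
    resp = ec2.describe_security_groups(GroupIds=[sg_id])
    for sg in resp["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "tcp":
                # FromPort/ToPort are absent for all-ports rules; treat as 0..65535
                if not (perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)):
                    continue
            elif proto != "-1":
                continue  # UDP, ICMP and friends cannot reach sshd
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                net = ip_network(src)
                if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                    return False
    return True


def attach_management_eni(ec2, instance_id, subnet_id, sg_id, allowed_cidrs,
                          device_index=1):
    """Create an ENI in sg_id and attach it as eth<device_index> on instance_id.

    Refuses when the group exposes SSH beyond allowed_cidrs, so a too-open
    group never becomes the instance's management path.
    """
    if not ssh_rules_are_scoped(ec2, sg_id, allowed_cidrs):
        raise ValueError(f"{sg_id} allows SSH from outside {allowed_cidrs}; not attaching")
    eni = ec2.create_network_interface(
        SubnetId=subnet_id, Groups=[sg_id],
        Description="management interface (SSH only)")
    eni_id = eni["NetworkInterface"]["NetworkInterfaceId"]
    att = ec2.attach_network_interface(
        NetworkInterfaceId=eni_id, InstanceId=instance_id, DeviceIndex=device_index)
    return eni_id, att["AttachmentId"]


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client so the example runs offline."""

    def __init__(self, groups):
        self.groups = groups  # sg_id -> list of IpPermissions entries
        self.calls = []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [
            {"GroupId": g, "IpPermissions": self.groups[g]} for g in GroupIds]}

    def create_network_interface(self, **kw):
        self.calls.append(("create_network_interface", kw))
        return {"NetworkInterface": {"NetworkInterfaceId": "eni-0example"}}

    def attach_network_interface(self, **kw):
        self.calls.append(("attach_network_interface", kw))
        return {"AttachmentId": "eni-attach-0example"}


# Constructed rule sets: one scoped to a management range, one open to the
# world on port 22, and one that allows every protocol from anywhere.
SG_SCOPED = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}]
SG_OPEN = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
SG_ALL = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
MGMT_CIDRS = ("10.0.0.0/8",)  # constructed management range


if __name__ == "__main__":
    # With a real account this would be: ec2 = boto3.client("ec2")
    ec2 = FakeEC2({"sg-scoped": SG_SCOPED, "sg-open": SG_OPEN, "sg-all": SG_ALL})
    print(attach_management_eni(ec2, "i-0example", "subnet-0example", "sg-scoped", MGMT_CIDRS))
    for sg in ("sg-open", "sg-all"):
        try:
            attach_management_eni(ec2, "i-0example", "subnet-0example", sg, MGMT_CIDRS)
        except ValueError as err:
            print("refused:", err)
```

Swap FakeEC2 for boto3.client("ec2") and the same functions work against a real account; the check in ssh_rules_are_scoped is also useful on its own as a periodic audit of every group that carries port 22.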
Now that you have gone through the EC2 service, you can examine the security best practices for Elastic Compute Cloud: