EC2 - II Flashcards
EC2 data
User data - user defined
Metadata - intrinsic
User-data processing on EC2
The EC2 instance is a slave to the user data. It doesn't interpret it; it just passes it on to the system process responsible for executing it.
Effects of failed user data
EC2 launch is not affected by failed user data. The instance will pass its system checks whether the user-data script executes successfully or fails.
How secure is user data?
User data is not secured. Anyone who can access the instance can access its user data. Do not pass sensitive data into it.
File size for EC2 user data
16 KB max, but it can contain instructions to download files of any size for its job.
EC2 user-data format
Base64
Linux 2023 instance metadata command (Version 2)
# Fetch a session token (valid for 21600 s), then use it to query the metadata tree
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" "http://169.254.169.254/latest/meta-data/"
Linux 2023 instance user-data command (Version 2)
# Same token as for metadata (the header is the metadata-token header); then fetch the user data
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" "http://169.254.169.254/latest/user-data"
User data using CloudFormation
With CloudFormation, you must Base64-encode the user data.
Applications on EC2 access the instance role via?
Metadata
The metadata is attached to the instance profile (CLI, CloudFormation, SDK).
Inside the metadata there is an IAM tree, and inside the IAM tree the attached role is exposed (iam/security-credentials/role-name).
EC2 and the STS token ensure the credentials are constantly rotated, so applications never hold expired credentials.
Applications must always liaise with the metadata service to ensure they are using the latest version of the rotated credentials.
Best practice for IAM roles
Always use roles instead of storing long-term credentials.
Avoid storing long-term credentials on your instance or local host.
Instance role
A specific type of IAM role designed so it can be assumed by an EC2 instance. When an instance assumes a role, the instance and all its applications gain access to the security credentials granted by that role.
"aws configure"
Avoid using the aws configure option when setting up the AWS CLI toolkit on an instance. The credentials are stored on the instance, which is not secure. Use an EC2 instance role instead.
IAM Role Types
- AWS Service
- Account
- Web Identity
- SAML 2.0 Federation
- Custom Trust Policy
ec2-user
Always check that your Instance Connect session is about to connect as ec2-user.
AWS CLI utility rules
Reference
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-configure-quickstart-precedence
Effect of deleting an EC2 instance role from the IAM console
Deleting an IAM role does not remove the role from the instance. It still exists in the instance profile. It MUST be detached from the instance.
Define IAM roles
An IAM role is an identity you can create that has specific permissions, with credentials that are valid for short durations. Roles can be assumed by entities that you trust.
IAM role session duration
3,600 seconds (1 hr) up to 12 hrs; the minimum of 1 hr is also the default
IAM users switching roles in the console are granted a role session duration up to this value. API or CLI users can use the DurationSeconds parameter to set a session duration up to this maximum.
By default, temporary security credentials are valid for 1 hour.
Parameter Store access
For every resource/identity requesting access to credentials in Parameter Store, Parameter Store always checks with IAM and KMS for authentication.
EC2 instance profile
An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
The role is wrapped in an instance profile, which makes the role available to the applications running on the instance.
Instance credentials expiry
Instance credentials in the metadata are always rotated and always valid (as long as the instance role is still attached), thanks to SSM.
SSM parameter command
# Fetch one or more parameters by name, or every parameter under a path
$ aws ssm get-parameters --names "/parameterName"
$ aws ssm get-parameters-by-path --path "/parameterPath"
Cluster placement and the EC2 host
All instances within a cluster placement group are most likely running on the same host.
All instances in a cluster placement group are directly connected, with up to 10 Gbps single-stream data transfer rate versus the normal 5 Gbps bandwidth.
Single AZ:
Subsequent instances are placed in the AZ of the first instance.
EC2 Placement Groups
- Cluster - Pack instances close together
- Spread - Keep instances separated
- Partition - groups of instances spread apart
Cluster placement latency
Lowest possible inter-instance latency
Max packets per second (PPS)
This rate depends on the instance type in use.
High-performance Networking instances
Enhanced Networking enabled
Cluster placement cons
Offers little to no resilience:
- Host can fail
- AZ can fail
- Any such failure takes down the entire cluster
- Advisable to use the same instance type and launch them at the same time
- Not available on all instance types
Cluster placement and HA
Cluster placement cannot span AZs. It is locked to a single AZ.
However, it can span a paired AZ.
Use case
High-speed, low-latency workloads
HPC
Spread placement can span AZs
Infrastructure isolation (each instance has its own rack, with isolated networking and power supply)
Fault isolation advantage
Limited to 7 instances per AZ
Dedicated Hosts or Dedicated Instances are not supported
Spread placement use case
Physical separation between instances is required
Blast-radius separation within an application
Small number of critical instances that require isolation
HA
Partition placement group
- Needed when more than 7 instances per AZ (the spread placement limit) must be separated by fault domain
- Instances can be placed in a specific partition, or EC2 can arrange the placement automatically
- Multi-AZ is available
- For huge-scale parallel processing systems
- Offers visibility into the partition layout, which helps topology-aware applications (e.g. Cassandra, HDFS, HBase) make intelligent data replication decisions
EC2 enhanced networking
The host becomes aware of the virtual layer above it and assigns each instance its own dedicated network resources.
The host's NIC is virtually parallelized, rather than a single (serial) NIC serving all virtual instances on the host.
Enhanced networking pros
Higher I/O
Higher bandwidth
Lower latency
Higher PPS
CPU load is offloaded to the ENI