AWS Notepad; Getting Getting started on AWS, complete noob

I passed a number of AWS certs, frankly they were a waste of my time, as they didn’t cover the basics of USING the software. There is no better way to gain experience than hands on software.

Here is some basic by vital bits that should be covered some where, but of course it isn’t very clear.

• Create a few account, this is your root master account, straight away you need to do few things.
  • Setup billing budgets, to make sure you don’t accidentally exceed your usage.
  • Setup your mobile phone with access to the AWS Console, that way you can quickly shutdown VMs if you left them on.
  • setup MFA for your ROOT user.
  • Create a IAM account with permissions and then use the IAM to do stuff instead of the root user.
  • Deactivate regions not required
• AWS Default networking
  • Your default AWS account, will have existing; VPC, Subnets, Security Groups and Internet gateways all configured. If you delete them, it’s just going to make your life difficult, so keep them. You can also ways re-create them, via support if needed. But, just keep them.
  • On the Top Right, you can select the Regions, you want to build in. Make sure you save the AWS Console to corresponding region.
    • e.g. https://ap-southeast-2.console.aws.amazon.com/
  • Each Region will have defaults
    • Default VPC per Region
    • Default Subnet per Physical DC, called Availability Zone.
    • Default Security Group
    • Route Table
    • Default Internet Gateway, provides Ingress and Egress internet access for attached VPC
    • Default Network ACL for the VPC
  • Creating seperate Tenants under same billing account; AWS has a bit of a limit, where each tenant is self contained and you really cant create complete separation for a environment or multiple -tenant with account, the only options is with using AWS Organisations;
    1. Setup Billing Tenant with your payment options
    2. Create AWS Organisations
    3. Create a seperate AWS Account with another different email address.
    4. Invite other AWS accounts into AWS organisations and setup Service Control Policies.
    5. This way you can have Prod, DR, Test and Dev AWS accounts which are completely seperate but still under control from a AWS Organisations.
       1. This still is crap IMO, It would be better if you can create multiple account using the same email address
    6. https://medium.com/@asankha/creating-isolated-aws-accounts-for-testing-and-experimentation-9795a8d2e2de#:~:text=To%20do%20this%2C%20go%20to,then%20select%20%27Invite%20account%27.&text=You%20will%20then%20receive%20an,%2Forganizations%2Fhome%23%2Finvites
    7. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html
    8. https://aws.amazon.com/blogs/aws/category/security-identity-compliance/aws-organizations/
• Programmatically Stop AWS EC2 in case of inactivity
  • https://aws.amazon.com/about-aws/whats-new/2013/01/08/use-amazon-cloudwatch-to-detect-and-shut-down-unused-amazon-ec2-instances/
• AWS Key pair management
  • https://hashnode.com/post/users-and-ssh-setup-on-aws-ec2-best-practices-cj4bd8wpi0063zmk9mkivpoyu
  1. Have one SSH key per person
     1. /[user-home]/.ssh/authorized_keys
     2. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/managing-users.html
     3. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html
     4. https://stackoverflow.com/questions/63166951/programmatically-stop-aws-ec2-in-case-of-inactivity
     5. https://dev.to/aws/auto-stop-ec2-instances-when-they-finish-a-task-2f0i
     6. https://www.howtoforge.com/aws-lambda-function-to-start-and-stop-ec2-instance/
     7. https://serverfault.com/questions/490886/automatically-shut-down-server-on-inactivity-ssh
     8. https://aws.amazon.com/about-aws/whats-new/2013/01/08/use-amazon-cloudwatch-to-detect-and-shut-down-unused-amazon-ec2-instances/
     9. https://aws.amazon.com/blogs/aws/amazon-cloudwatch-alarm-actions/
     10. https://www.cloudconformity.com/knowledge-base/aws/EC2/idle-instance.html
     11. https://serverfault.com/questions/490886/automatically-shut-down-server-on-inactivity-ssh
     12. https://aws.amazon.com/premiumsupport/knowledge-center/start-stop-lambda-cloudwatch/
  2. Guard your SSH key – never share the private key, encrypt if possible
  3. Never use AWS generated keys
  4. Use individual login (user) IDs
  5. Don’t give sudo access to everyone
  6. Hide non-public instances
  7. Use SSH Port Forwarding and SSH Agent forwarding
  8. IAM SSH
     1. https://github.com/Giftbit/iam-ssh
     2. https://github.com/dolmen/github-keygen/
• ReCreate AWS Defaults
  • https://aws.amazon.com/premiumsupport/knowledge-center/deleted-default-vpc/
• Clean AWS
  • Clean Up AWSAWS Clean https://github.com/gofore/aws-clean
  • Terraform destroy – https://www.terraform.io/docs/commands/destroy.html
  • AWS Nukehttps://github.com/rebuy-de/aws-nuke
  • https://github.com/1Strategy/automated-aws-multi-account-cleanup
  • CloudMapper – https://summitroute.com/blog/2018/06/05/cloudmapper_collect/
  • Janitor Monkey – https://netflixtechblog.com/janitor-monkey-keeping-the-cloud-tidy-and-clean-d517ad74d648
  • Cloud Nuke – https://github.com/gruntwork-io/cloud-nuke
  • AWS Auto-cleanup https://github.com/servian/aws-auto-cleanup
  • Delete all VPCs
    • https://github.com/davidobrien1985/delete-aws-default-vpc
    • https://gist.github.com/jokeru/e4a25bbd95080cfd00edf1fa67b06996
• List all Resoures
  • Select AWS Resources Groups, Select Tag Editor / All regions / All supported resource types / search resources
    • https://console.aws.amazon.com/config/home?region=us-east-1&awsc-custsat-override=promptUser#/resources/listing
  • aws configservice list-discovered-resources
  • aws resourcegroupstaggingapi get-resources –region ap-southeast-2
  • Enable AWS Config
    • aws configservice delete-configuration-recorder –configuration-recorder-name default
    • aws configservice delete-configuration-recorder –configuration-recorder-name default –region ap-southeast-2
    • aws configservice delete-configuration-recorder –configuration-recorder-name default –region us-east-1
  • https://pypi.org/project/aws-list-all/
  • https://github.com/dtylman/AWSRetriever
  • https://github.com/JohannesEbke/aws_list_all
  • https://github.com/tmobile/pacbot