Learn and Be Curious

devops lab1

Cloud/AWS | 2017. 8. 31. 01:10

Myung-ui-Air:~ Jay$ sudo -H pip install awscli --upgrade --ignore-installed six

Password:

Collecting awscli

  Downloading awscli-1.11.142-py2.py3-none-any.whl (1.2MB)

    100% |████████████████████████████████| 1.2MB 422kB/s 

Collecting six

  Downloading six-1.10.0-py2.py3-none-any.whl

Collecting docutils>=0.10 (from awscli)

  Downloading docutils-0.14-py2-none-any.whl (543kB)

    100% |████████████████████████████████| 552kB 832kB/s 

Collecting botocore==1.7.0 (from awscli)

  Downloading botocore-1.7.0-py2.py3-none-any.whl (3.6MB)

    100% |████████████████████████████████| 3.6MB 134kB/s 

Collecting colorama<=0.3.7,>=0.2.5 (from awscli)

  Downloading colorama-0.3.7-py2.py3-none-any.whl

Collecting s3transfer<0.2.0,>=0.1.9 (from awscli)

  Downloading s3transfer-0.1.10-py2.py3-none-any.whl (54kB)

    100% |████████████████████████████████| 61kB 435kB/s 

Collecting rsa<=3.5.0,>=3.1.2 (from awscli)

  Downloading rsa-3.4.2-py2.py3-none-any.whl (46kB)

    100% |████████████████████████████████| 51kB 477kB/s 

Collecting PyYAML<=3.12,>=3.10 (from awscli)

  Downloading PyYAML-3.12.tar.gz (253kB)

    100% |████████████████████████████████| 256kB 494kB/s 

Collecting jmespath<1.0.0,>=0.7.1 (from botocore==1.7.0->awscli)

  Downloading jmespath-0.9.3-py2.py3-none-any.whl

Collecting python-dateutil<3.0.0,>=2.1 (from botocore==1.7.0->awscli)

  Downloading python_dateutil-2.6.1-py2.py3-none-any.whl (194kB)

    100% |████████████████████████████████| 194kB 417kB/s 

Collecting futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" (from s3transfer<0.2.0,>=0.1.9->awscli)

  Downloading futures-3.1.1-py2-none-any.whl

Collecting pyasn1>=0.1.3 (from rsa<=3.5.0,>=3.1.2->awscli)

  Downloading pyasn1-0.3.3-py2.py3-none-any.whl (63kB)

    100% |████████████████████████████████| 71kB 642kB/s 

Installing collected packages: docutils, jmespath, six, python-dateutil, botocore, colorama, futures, s3transfer, pyasn1, rsa, PyYAML, awscli

  Running setup.py install for PyYAML ... done

Successfully installed PyYAML-3.12 awscli-1.11.142 botocore-1.7.0 colorama-0.3.7 docutils-0.14 futures-3.1.1 jmespath-0.9.3 pyasn1-0.3.3 python-dateutil-2.6.1 rsa-3.4.2 s3transfer-0.1.10 six-1.10.0

Myung-ui-Air:~ Jay$ aws

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]

To see help text, you can run:


  aws help

  aws <command> help

  aws <command> <subcommand> help

aws: error: too few arguments

Myung-ui-Air:~ Jay$ ssh ec2-34-201-105-190.compute-1.amazonaws.com

The authenticity of host 'ec2-34-201-105-190.compute-1.amazonaws.com (34.201.105.190)' can't be established.

RSA key fingerprint is 34:40:59:e9:85:97:b9:2c:8c:0b:2e:38:f7:c5:3c:88.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'ec2-34-201-105-190.compute-1.amazonaws.com,34.201.105.190' (RSA) to the list of known hosts.

Permission denied (publickey).

Myung-ui-Air:~ Jay$ cd ~/Do

Documents/ Downloads/ 

Myung-ui-Air:~ Jay$ cd ~/Do

Documents/ Downloads/ 

Myung-ui-Air:~ Jay$ cd ~/Downloads/

Myung-ui-Air:Downloads Jay$ ssh -i qwikLABS-L1415-905230.pem ec2-34-201-105-190.compute-1.amazonaws.com

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Permissions 0644 for 'qwikLABS-L1415-905230.pem' are too open.

It is required that your private key files are NOT accessible by others.

This private key will be ignored.

bad permissions: ignore key: qwikLABS-L1415-905230.pem

Permission denied (publickey).

Myung-ui-Air:Downloads Jay$ ls -al qwikLABS-L1415-905230.pem 

-rw-r--r--@ 1 Jay  staff  1675  8 31 00:07 qwikLABS-L1415-905230.pem

Myung-ui-Air:Downloads Jay$ chmod 400 qwikLABS-L1415-905230.pem 

Myung-ui-Air:Downloads Jay$ ls -al qwikLABS-L1415-905230.pem 

-r--------@ 1 Jay  staff  1675  8 31 00:07 qwikLABS-L1415-905230.pem

Myung-ui-Air:Downloads Jay$ ssh -i qwikLABS-L1415-905230.pem ec2-34-201-105-190.compute-1.amazonaws.com

Permission denied (publickey).

Myung-ui-Air:Downloads Jay$ ssh -i qwikLABS-L1415-905230.pem ec2user@ec2-34-201-105-190.compute-1.amazonaws.com

Permission denied (publickey).

Myung-ui-Air:Downloads Jay$ ssh -i qwikLABS-L1415-905230.pem ec2-user@ec2-34-201-105-190.compute-1.amazonaws.com


       __|  __|_  )

       _|  (     /   Amazon Linux AMI

      ___|\___|___|


https://aws.amazon.com/amazon-linux-ami/2017.03-release-notes/
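The "UNPROTECTED PRIVATE KEY FILE" block above is OpenSSH refusing to load an identity file whose mode gives group or others any access; chmod 400 clears those bits and the same key is accepted on the next attempt. The following is an added example, not code from the post or from the lab, that reproduces OpenSSH's test and the fix in Python on a constructed throwaway file (the file name qwikLABS-L1415-905230.pem is only referenced in a comment, the temporary file stands in for it):

```python
# Added example (not from the page): the permission test OpenSSH applies before
# loading an identity file, and the chmod 400 fix used in the transcript above.
# OpenSSH ignores a private key (owned by the calling user) that is readable or
# writable by group or others, i.e. any bit of 0o077 set, and prints the
# "UNPROTECTED PRIVATE KEY FILE!" warning seen above.
import os
import stat
import tempfile

GROUP_AND_OTHER_BITS = 0o077


def key_file_is_safe(path):
    """True when only the owner has any access to the key file (e.g. 0400 or 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & GROUP_AND_OTHER_BITS) == 0


def tighten_key_file(path):
    """Apply the transcript's fix (chmod 400: owner read-only) and re-check."""
    os.chmod(path, stat.S_IRUSR)
    return key_file_is_safe(path)


def demo():
    """Recreate the before/after from the transcript on a constructed temporary file.

    Returns (safe_before, safe_after). The temporary file stands in for
    qwikLABS-L1415-905230.pem and is removed afterwards.
    """
    fd, path = tempfile.mkstemp(suffix=".pem")
    os.close(fd)
    os.chmod(path, 0o644)                 # the downloaded key's mode (-rw-r--r--)
    safe_before = key_file_is_safe(path)  # False: ssh would ignore this key
    safe_after = tighten_key_file(path)   # True: -r-------- is accepted
    os.remove(path)
    return safe_before, safe_after


if __name__ == "__main__":
    print("key accepted before/after chmod 400:", demo())
```

This is also why the 0644 attempt ended in "Permission denied (publickey)" rather than a key error: ssh skipped the ignored key and tried to authenticate with nothing. OpenSSH applies the mode test only to key files owned by the connecting user, so a root-owned key with a wide mode passes it and fails later for other reasons.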

[ec2-user@ip-10-0-10-131 ~]$ aws 

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]

To see help text, you can run:


  aws help

  aws <command> help

  aws <command> <subcommand> help

aws: error: too few arguments

[ec2-user@ip-10-0-10-131 ~]$ which aws

/usr/bin/aws

[ec2-user@ip-10-0-10-131 ~]$ aws configure

AWS Access Key ID [None]: AKIAI7GFF5RXOCTRMTAA

AWS Secret Access Key [None]: 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

Default region name [us-east-1]: 

Default output format [None]: 

[ec2-user@ip-10-0-10-131 ~]$ aws ec2 run-instances --dry-run --instance-type "t2.small" --image-id ami-8fcee4e5 --subnet-id subnet-0ccbdb44


An error occurred (DryRunOperation) when calling the RunInstances operation: Request would have succeeded, but DryRun flag is set.

[ec2-user@ip-10-0-10-131 ~]$ aws ec2 run-instances --dry-run --instance-type "t2.small" --image-id ami-8fcee4e5 --subnet-id subnet-9ff4e4d7


An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. Encoded authorization failure message: mz8AEP4yMniIVDHErv-DFqUmpdaOe_vjsoWEt-_ZBp0Ho-kfkOz-t4KQN6pInXQzc6p7uzMoFCeTQFvtnUDpASymhKEyRX9LpQjnEFhXqBXkWzK_Xmq2x8BFqr0Lc7cgTzspr5hJOt9OX1IQncanLgFQiGuKxUdQj0RUSJ4qLYURpV78z67tTlo_q6IsfyiQGEtazkR65IBE6jmZjtuQc8BmKvD2__B0n7ojriJ20u5RqwSpmac5szABCPMwj23mIUIpX9PPiwrSoYK7pWnf0cGh-9vfPGurHM-NMNboXOK16sUXs4hpvvibnclYKiUl7bchBC2BpLwbWNfk8ftuzQ819JRiThFNPBgwuucBfiGgXV0GDbTrw8v0kAkdpH33o3rmJT1NQJDMBDUr5ZcEpydD4ScHkEVQ7yfvy7YGxpOV53TV1wqHA8BgDBe1n4fRafBk0ITFLivoAjfGo896uBOP8-_HqBNyzqa6znQzJ8ALHrsQhm_mcK-N7F8wKbPCadOj9i37mjyPQaovZBQctmWO0owMyxPObLQw425q-JRS_-8QzoGg0mIntHfVfTVdemUYWuwb6bPaKOuxZAH5S9yyzF-N23bGZROfqY4fB2mFJm2kPDVUwk580xNhxYkK8gqryIqrOhcnEB5XS-fiPS7QYYClQZUZsz6Iln-LSF0lIliAUozsxFRJheLCK7Gka04ip8lcJppd7rSTow9k4DGd5jQpVWY8WfMalqTNOnrWWyexOkIVh4x5r_YUgE6mOVbW-JTihHDEx8QIssAa-rC9v9G1Wi6khL_bXjg_Kx3ERTnQJIbdkp8LbByNJ2zy_49Y0ZHTcN_4N7qvL7ySq9Ra

[ec2-user@ip-10-0-10-131 ~]$ aws sts decode-authorization-message --encoded-message mz8AEP4yMniIVDHErv-DFqUmpdaOe_vjsoWEt-_ZBp0Ho-kfkOz-t4KQN6pInXQzc6p7uzMoFCeTQFvtnUDpASymhKEyRX9LpQjnEFhXqBXkWzK_Xmq2x8BFqr0Lc7cgTzspr5hJOt9OX1IQncanLgFQiGuKxUdQj0RUSJ4qLYURpV78z67tTlo_q6IsfyiQGEtazkR65IBE6jmZjtuQc8BmKvD2__B0n7ojriJ20u5RqwSpmac5szABCPMwj23mIUIpX9PPiwrSoYK7pWnf0cGh-9vfPGurHM-NMNboXOK16sUXs4hpvvibnclYKiUl7bchBC2BpLwbWNfk8ftuzQ819JRiThFNPBgwuucBfiGgXV0GDbTrw8v0kAkdpH33o3rmJT1NQJDMBDUr5ZcEpydD4ScHkEVQ7yfvy7YGxpOV53TV1wqHA8BgDBe1n4fRafBk0ITFLivoAjfGo896uBOP8-_HqBNyzqa6znQzJ8ALHrsQhm_mcK-N7F8wKbPCadOj9i37mjyPQaovZBQctmWO0owMyxPObLQw425q-JRS_-8QzoGg0mIntHfVfTVdemUYWuwb6bPaKOuxZAH5S9yyzF-N23bGZROfqY4fB2mFJm2kPDVUwk580xNhxYkK8gqryIqrOhcnEB5XS-fiPS7QYYClQZUZsz6Iln-LSF0lIliAUozsxFRJheLCK7Gka04ip8lcJppd7rSTow9k4DGd5jQpVWY8WfMalqTNOnrWWyexOkIVh4x5r_YUgE6mOVbW-JTihHDEx8QIssAa-rC9v9G1Wi6khL_bXjg_Kx3ERTnQJIbdkp8LbByNJ2zy_49Y0ZHTcN_4N7qvL7ySq9Ra

{

    "DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"AIDAIQWZTLCLNAA6YDMHE\",\"name\":\"developer1\",\"arn\":\"arn:aws:iam::495672033565:user/developer1\"},\"action\":\"ec2:RunInstances\",\"resource\":\"arn:aws:ec2:us-east-1:495672033565:subnet/subnet-9ff4e4d7\",\"conditions\":{\"items\":[{\"key\":\"495672033565:aws:cloudformation:stack-id\",\"values\":{\"items\":[{\"value\":\"arn:aws:cloudformation:us-east-1:495672033565:stack/qls-905230-dd0d1e81db5f7a63/6a1c9520-8d8e-11e7-8811-500c219a98d2\"}]}},{\"key\":\"ec2:Vpc\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-1:495672033565:vpc/vpc-ae0433d7\"}]}},{\"key\":\"495672033565:CustomerName\",\"values\":{\"items\":[{\"value\":\"aws\"}]}},{\"key\":\"495672033565:Name\",\"values\":{\"items\":[{\"value\":\"Production Private Subnet\"}]}},{\"key\":\"ec2:ResourceTag/aws:cloudformation:stack-id\",\"values\":{\"items\":[{\"value\":\"arn:aws:cloudformation:us-east-1:495672033565:stack/qls-905230-dd0d1e81db5f7a63/6a1c9520-8d8e-11e7-8811-500c219a98d2\"}]}},{\"key\":\"495672033565:aws:cloudformation:stack-name\",\"values\":{\"items\":[{\"value\":\"qls-905230-dd0d1e81db5f7a63\"}]}},{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"subnet/subnet-9ff4e4d7\"}]}},{\"key\":\"495672033565:aws:cloudformation:logical-id\",\"values\":{\"items\":[{\"value\":\"ProdPrivateSubnet\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"495672033565\"}]}},{\"key\":\"ec2:ResourceTag/aws:cloudformation:stack-name\",\"values\":{\"items\":[{\"value\":\"qls-905230-dd0d1e81db5f7a63\"}]}},{\"key\":\"ec2:AvailabilityZone\",\"values\":{\"items\":[{\"value\":\"us-east-1a\"}]}},{\"key\":\"ec2:ResourceTag/Name\",\"values\":{\"items\":[{\"value\":\"Production Private Subnet\"}]}},{\"key\":\"ec2:SubnetID\",\"values\":{\"items\":[{\"value\":\"subnet-9ff4e4d7\"}]}},{\"key\":\"495672033565:LabName\",\"values\":{\"items\":[{\"value\":\"1415\"}]}},{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"ec2:ResourceTag/LabName\",\"values\":{\"items\":[{\"value\":\"1415\"}]}},{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"subnet\"}]}},{\"key\":\"ec2:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"key\":\"ec2:ResourceTag/CustomerName\",\"values\":{\"items\":[{\"value\":\"aws\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-1:495672033565:subnet/subnet-9ff4e4d7\"}]}},{\"key\":\"ec2:ResourceTag/aws:cloudformation:logical-id\",\"values\":{\"items\":[{\"value\":\"ProdPrivateSubnet\"}]}}]}}}"

}

[ec2-user@ip-10-0-10-131 ~]$ aws sts decode-authorization-message --encoded-message mz8AEP4yMniIVDHErv-DFqUmpdaOe_vjsoWEt-_ZBp0Ho-kfkOz-t4KQN6pInXQzc6p7uzMoFCeTQFvtnUDpASymhKEyRX9LpQjnEFhXqBXkWzK_Xmq2x8BFqr0Lc7cgTzspr5hJOt9OX1IQncanLgFQiGuKxUdQj0RUSJ4qLYURpV78z67tTlo_q6IsfyiQGEtazkR65IBE6jmZjtuQc8BmKvD2__B0n7ojriJ20u5RqwSpmac5szABCPMwj23mIUIpX9PPiwrSoYK7pWnf0cGh-9vfPGurHM-NMNboXOK16sUXs4hpvvibnclYKiUl7bchBC2BpLwbWNfk8ftuzQ819JRiThFNPBgwuucBfiGgXV0GDbTrw8v0kAkdpH33o3rmJT1NQJDMBDUr5ZcEpydD4ScHkEVQ7yfvy7YGxpOV53TV1wqHA8BgDBe1n4fRafBk0ITFLivoAjfGo896uBOP8-_HqBNyzqa6znQzJ8ALHrsQhm_mcK-N7F8wKbPCadOj9i37mjyPQaovZBQctmWO0owMyxPObLQw425q-JRS_-8QzoGg0mIntHfVfTVdemUYWuwb6bPaKOuxZAH5S9yyzF-N23bGZROfqY4fB2mFJm2kPDVUwk580xNhxYkK8gqryIqrOhcnEB5XS-fiPS7QYYClQZUZsz6Iln-LSF0lIliAUozsxFRJheLCK7Gka04ip8lcJppd7rSTow9k4DGd5jQpVWY8WfMalqTNOnrWWyexOkIVh4x5r_YUgE6mOVbW-JTihHDEx8QIssAa-rC9v9G1Wi6khL_bXjg_Kx3ERTnQJIbdkp8LbByNJ2zy_49Y0ZHTcN_4N7qvL7ySq9Ra --query 'DecodedMessage' | sed -e 's/\\"/"/g' -e 's/"{/{/g' -e 's/}"/}/g' | python -m json.tool

{

    "allowed": false,

    "context": {

        "action": "ec2:RunInstances",

        "conditions": {

            "items": [

                {

                    "key": "495672033565:aws:cloudformation:stack-id",

                    "values": {

                        "items": [

                            {

                                "value": "arn:aws:cloudformation:us-east-1:495672033565:stack/qls-905230-dd0d1e81db5f7a63/6a1c9520-8d8e-11e7-8811-500c219a98d2"

                            }

                        ]

                    }

                },

                {

                    "key": "ec2:Vpc",

                    "values": {

                        "items": [

                            {

                                "value": "arn:aws:ec2:us-east-1:495672033565:vpc/vpc-ae0433d7"

                            }

                        ]

                    }

                },

                {

                    "key": "495672033565:CustomerName",

                    "values": {

                        "items": [

                            {

                                "value": "aws"

                            }

                        ]

                    }

                },

                {

                    "key": "495672033565:Name",

                    "values": {

                        "items": [

                            {

                                "value": "Production Private Subnet"

                            }

                        ]

                    }

                },

                {

                    "key": "ec2:ResourceTag/aws:cloudformation:stack-id",

                    "values": {

                        "items": [

                            {

                                "value": "arn:aws:cloudformation:us-east-1:495672033565:stack/qls-905230-dd0d1e81db5f7a63/6a1c9520-8d8e-11e7-8811-500c219a98d2"

                            }

                        ]

                    }

                },

                {

                    "key": "495672033565:aws:cloudformation:stack-name",

                    "values": {

                        "items": [

                            {

                                "value": "qls-905230-dd0d1e81db5f7a63"

                            }

                        ]

                    }

                },

                {

                    "key": "aws:Resource",

                    "values": {

                        "items": [

                            {

                                "value": "subnet/subnet-9ff4e4d7"

                            }

                        ]

                    }

                },

                {

                    "key": "495672033565:aws:cloudformation:logical-id",

                    "values": {

                        "items": [

                            {

                                "value": "ProdPrivateSubnet"

                            }

                        ]

                    }

                },

                {

                    "key": "aws:Account",

                    "values": {

                        "items": [

                            {

                                "value": "495672033565"

                            }

                        ]

                    }

                },

                {

                    "key": "ec2:ResourceTag/aws:cloudformation:stack-name",

                    "values": {

                        "items": [

                            {

                                "value": "qls-905230-dd0d1e81db5f7a63"

                            }

                        ]

                    }

                },

                {

                    "key": "ec2:AvailabilityZone",

                    "values": {

                        "items": [

                            {

                                "value": "us-east-1a"

                            }

                        ]

                    }

                },

                {

                    "key": "ec2:ResourceTag/Name",

                    "values": {

                        "items": [

                            {

                                "value": "Production Private Subnet"

                            }

                        ]

                    }

                },

                {

                    "key": "ec2:SubnetID",

                    "values": {

                        "items": [

                            {

                                "value": "subnet-9ff4e4d7"

                            }

                        ]

                    }

                },

                {

                    "key": "495672033565:LabName",

                    "values": {

                        "items": [

                            {

                                "value": "1415"

                            }

                        ]

                    }

                },

                {

                    "key": "aws:Region",

                    "values": {

                        "items": [

                            {

                                "value": "us-east-1"

                            }

                        ]

                    }

                },

                {

                    "key": "aws:Service",

                    "values": {

                        "items": [

                            {

                                "value": "ec2"

                            }

                        ]

                    }

                },

                {

                    "key": "ec2:ResourceTag/LabName",

                    "values": {

                        "items": [

                            {

                                "value": "1415"

                            }

                        ]

                    }

                },

                {

                    "key": "aws:Type",

                    "values": {

                        "items": [

                            {

                                "value": "subnet"

                            }

                        ]

                    }

                },

                {

                    "key": "ec2:Region",

                    "values": {

                        "items": [

                            {

                                "value": "us-east-1"

                            }

                        ]

                    }

                },

                {

                    "key": "ec2:ResourceTag/CustomerName",

                    "values": {

                        "items": [

                            {

                                "value": "aws"

                            }

                        ]

                    }

                },

                {

                    "key": "aws:ARN",

                    "values": {

                        "items": [

                            {

                                "value": "arn:aws:ec2:us-east-1:495672033565:subnet/subnet-9ff4e4d7"

                            }

                        ]

                    }

                },

                {

                    "key": "ec2:ResourceTag/aws:cloudformation:logical-id",

                    "values": {

                        "items": [

                            {

                                "value": "ProdPrivateSubnet"

                            }

                        ]

                    }

                }

            ]

        },

        "principal": {

            "arn": "arn:aws:iam::495672033565:user/developer1",

            "id": "AIDAIQWZTLCLNAA6YDMHE",

            "name": "developer1"

        },

        "resource": "arn:aws:ec2:us-east-1:495672033565:subnet/subnet-9ff4e4d7"

    },

    "explicitDeny": false,

    "failures": {

        "items": []

    },

    "matchedStatements": {

        "items": []

    }

}

[ec2-user@ip-10-0-10-131 ~]$ 

[ec2-user@ip-10-0-10-131 ~]$ aws ec2 stop-instances --instance-id i-07ca9c167c7c615c5


An error occurred (UnauthorizedOperation) when calling the StopInstances operation: You are not authorized to perform this operation. Encoded authorization failure message: TO3LFBM3EwFgbbdN08WFtL7MzhIk1m5NZhKzUxqsHMv9-I0jQBZQ_JM2ooXjCClQF1PZT8ygU-WMC6sEgfcC7iq4fkAjacOikrAZOKlgFx9qm_ggejLNY3QE61H587nE5IiqftJ6gPGrvucNsC97pCL715W8UcKOQyGliOhIATjRaVwCc68u9HYre58BIRjkzLHlB3-shhkzUUabf-_vxz24hmu5bdAeXt-fmtGmZo6XCAXCyK3LtrjNKJVoc07UTuBW4CR1gRorAEHqXTramjiSMJIQuOW08fq2l3jHjcKaaDxpfYjNfyZTpUaHwnwvVFRrGt18527IvvsUX1GRmGatFdTn5MokAGmPPuPxwCabnRBltPve3XhJT40Hy7bKjmD87jtKRFcozHhPeAZSzrW_jdk8ZPeJK7IO5s1qu9CTKLnmVi8mlMH4rCUZxbM3Y0LbZrNaf0Z2IEbXjPnnX2BLeAlpPu1cJhkoJnPty2EgLsP4OkWGz_Ex--t8yvLpT1GFtRpnRRy7V5b3cov9f_PhM_his0Dzykl_vvv9a1anv4vVuNWjF7LLgN8AXDdS-7CZGE_Mlfiw3ZK3VL60TnbIT-R-1e-GDfM1fINZkK_N1VkqhJh1jjbfDW4vnWld83ACQFOwC8wz_rh9cX_YWeveZhN4pBJeQASivaPvclztqjXH3JEUBwNtTDdbjOBmOvNwg2IlA3xmemXvuYtZctDwI7jX1neVsZ-f8cKTaObP9OWIfoFY9qlss2YhppjaxsVuJwosMtjKomxJp5kJ3om83BoCdhE7HUlx5E70Dddd6an3gk8PS1cB_T96JViPE654WwHhW4C5e5MnDFKDyg1aQiI6w0q3SKIRwBO-pvFwwsHsSwYfhsDjz452oVchQl94j0G1afTFCKcmFNLl1znNx1gcUZ8ShnNBTf4LgBhA8Gc077pYVZXhT_nuxx4aa1c

[ec2-user@ip-10-0-10-131 ~]$ aws ec2 stop-instances --instance-id i-0843ec9cea883ab24

{

    "StoppingInstances": [

        {

            "InstanceId": "i-0843ec9cea883ab24", 

            "CurrentState": {

                "Code": 64, 

                "Name": "stopping"

            }, 

            "PreviousState": {

                "Code": 16, 

                "Name": "running"

            }

        }

    ]

}

[ec2-user@ip-10-0-10-131 ~]$ 

[ec2-user@ip-10-0-10-131 ~]$ aws ec2 stop-instances --instance-id i-0843ec9cea883ab24

{

    "StoppingInstances": [

        {

            "InstanceId": "i-0843ec9cea883ab24", 

            "CurrentState": {

                "Code": 64, 

                "Name": "stopping"

            }, 

            "PreviousState": {

                "Code": 64, 

                "Name": "stopping"

            }

        }

    ]

}

[ec2-user@ip-10-0-10-131 ~]$ 



---------------------------------------------------------------------------------------------------



Reference (qwikLAB outputs for this lab)

Lab1ProdVPC vpc-ae0433d7

Lab1DevSubnetID subnet-0ccbdb44

Lab1Region us-east-1

Lab1DevVPC vpc-921027eb

Lab1AccountID 495672033565

Lab1ProdNATID i-07ca9c167c7c615c5

Lab1ProdSubnetID subnet-9ff4e4d7

Lab1DevNATID i-0843ec9cea883ab24

Lab1AMIID ami-8fcee4e5

qwikLAB {"Connection": "ssh ec2-user@34.201.105.190"} (outputs to be used by qwikLAB)







DevOps Engineering on AWS: Lab 1 - Configuring DevOps Roles on AWS - v1.6 (Linux)

==================================================================================================================

Using this command reference.

==================================================================================================================


1. Locate the section you need. Each section in this file matches a section in the lab instructions.

2. Replace items in angle brackets - < > - with appropriate values. For example, in the command below you would replace the value - <JobFlowID> - (including the angle brackets) with the parameter indicated in the lab instructions:

   elastic-mapreduce --list <JobFlowID>

   You can also use find and replace to change bracketed parameters in bulk.

3. Do NOT enable the Word Wrap feature in Windows Notepad or the text editor you use to view this file.


++++1. Task: Restrict Developer Access to Production++++

==================================================================================================================
1.2 Create an Initial IAM Policy
==================================================================================================================

1.2.1 Copy the IAM policy

{
	"Version" : "2012-10-17",
	"Statement" : [{
			"Sid" : "Stmt1425065597000",
			"Effect" : "Allow",
			"Action" : [
				"ec2:RunInstances"
			],
			"Resource" : "arn:aws:ec2:<Lab1Region>:<Lab1AccountID>:subnet/*",
			"Condition" : {
				"StringEquals" : {
					"ec2:Vpc" : "arn:aws:ec2:<Lab1Region>:<Lab1AccountID>:vpc/<Lab1DevVPC>"
				}
			}
		}, {
			"Effect" : "Allow",
			"Action" : "ec2:RunInstances",
			"Resource" : [
				"arn:aws:ec2:<Lab1Region>:<Lab1AccountID>:instance/*",
				"arn:aws:ec2:<Lab1Region>:<Lab1AccountID>:volume/*",
				"arn:aws:ec2:<Lab1Region>:<Lab1AccountID>:network-interface/*",
				"arn:aws:ec2:<Lab1Region>:<Lab1AccountID>:key-pair/*",
				"arn:aws:ec2:<Lab1Region>:<Lab1AccountID>:security-group/*",
				"arn:aws:ec2:<Lab1Region>::image/*"
			]
		}, {
			"Effect" : "Allow",
			"Action" : ["sts:DecodeAuthorizationMessage"],
			"Resource" : "*"
		}
	]
}


==================================================================================================================
1.6 Test Developer Permissions
==================================================================================================================

1.6.9 Test permissions from bastion command line

aws ec2 run-instances --dry-run --instance-type "t2.small" --image-id <Lab1AMIID> --subnet-id <Lab1DevSubnetID>


==================================================================================================================
1.7 Debug IAM Permissions Issues
==================================================================================================================

1.7.1 Attempt to create an instance in the production VPC instead

aws ec2 run-instances --dry-run --instance-type "t2.small" --image-id <Lab1AMIID> --subnet-id <Lab1ProdSubnetID>

1.7.3 Decode the failure message

aws sts decode-authorization-message --encoded-message <FailureMessage>

1.7.4 Pretty-print the decoded authorization message

aws sts decode-authorization-message --encoded-message <FailureMessage> --query 'DecodedMessage' | sed -e 's/\\"/"/g' -e 's/"{/{/g' -e 's/}"/}/g' | python -m json.tool


++++2. Challenge: Deny Permissions to Infrastructure Instances++++

==================================================================================================================
2.1 Grant Additional Permissions on Instances in Developer VPC
==================================================================================================================

2.1.5 Paste Allow statements into existing IAM policy

,
	 {
			"Effect" : "Allow",
			"Action" : [
				"ec2:StartInstances",
				"ec2:StopInstances",
				"ec2:TerminateInstances"
			],
			"Resource" : [
				"arn:aws:ec2:<Lab1Region>:<Lab1AccountID>:instance/*"
			],
			"Condition" : {
				"StringEquals" : {
						"ec2:ResourceTag/DeploymentType" : "Development"
				}
			}
		},
	 {
			"Effect" : "Deny",
			"Action" : [
				"ec2:StartInstances",
				"ec2:StopInstances",
				"ec2:TerminateInstances"
			],
			"Resource" : [
				"arn:aws:ec2:<Lab1Region>:<Lab1AccountID>:instance/*"
			],
			"Condition" : {
				"StringEquals" : {
						"ec2:ResourceTag/InstanceType" : "Infrastructure"
				}
			}
		}

2.1.7 Attempt to stop the NAT instance in Production VPC

aws ec2 stop-instances --instance-id <Lab1ProdNATID>

2.1.8 Attempt to stop the NAT instance in Development VPC

aws ec2 stop-instances --instance-id <Lab1DevNATID>
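The decoded message in 1.7.4 explains the failure in 1.7.1 once it is read against the policy from 1.2.1: the request's ec2:Vpc was the production VPC, the only RunInstances statement covering subnets requires the development VPC, so no statement matched ("matchedStatements" empty, "explicitDeny" false, an implicit deny). The 2.1.5 challenge adds the other outcome, an explicit Deny that wins even when an Allow also matches. The following is an added example, not the lab's or AWS's code, of a simplified evaluator that reproduces all four decisions from this page (dev-subnet dry run, prod-subnet failure replayed from the decoded message, and both StopInstances calls). It fills the <Lab1...> placeholders with the values from the reference section, adds Sids of its own for readable output, abridges the page's decoded message to the keys that matter, and uses constructed tags for the two NAT instances because the page does not show their tags.

```python
# Added example (not the lab's or AWS's code): a simplified IAM evaluator that reproduces
# the decisions in this transcript from the lab policy (1.2.1 plus the 2.1.5 statements)
# and from a decoded authorization message (1.7.3/1.7.4). It models only what the lab
# exercises: identity-policy Allow/Deny, * wildcards in Action/Resource and StringEquals
# conditions. Real IAM also evaluates SCPs, permission boundaries, session and resource
# policies and many more condition operators.
import fnmatch
import json

REGION, ACCOUNT = "us-east-1", "495672033565"        # Lab1Region, Lab1AccountID
DEV_VPC, PROD_VPC = "vpc-921027eb", "vpc-ae0433d7"    # Lab1DevVPC, Lab1ProdVPC
DEV_SUBNET, PROD_SUBNET = "subnet-0ccbdb44", "subnet-9ff4e4d7"


def arn(resource, account=ACCOUNT):
    return "arn:aws:ec2:%s:%s:%s" % (REGION, account, resource)


# The lab policy with placeholders filled in; the Sids are added here, they are not in the lab.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RunInDevVpcSubnets", "Effect": "Allow", "Action": ["ec2:RunInstances"],
     "Resource": arn("subnet/*"),
     "Condition": {"StringEquals": {"ec2:Vpc": arn("vpc/" + DEV_VPC)}}},
    {"Sid": "RunInstancesOtherResources", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": [arn("instance/*"), arn("volume/*"), arn("network-interface/*"),
                  arn("key-pair/*"), arn("security-group/*"), arn("image/*", account="")]},
    {"Sid": "DecodeFailures", "Effect": "Allow",
     "Action": ["sts:DecodeAuthorizationMessage"], "Resource": "*"},
    {"Sid": "ManageDevelopmentInstances", "Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": [arn("instance/*")],
     "Condition": {"StringEquals": {"ec2:ResourceTag/DeploymentType": "Development"}}},
    {"Sid": "ProtectInfrastructureInstances", "Effect": "Deny",
     "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": [arn("instance/*")],
     "Condition": {"StringEquals": {"ec2:ResourceTag/InstanceType": "Infrastructure"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # IAM Action/Resource patterns use * and ?; fnmatchcase behaves the same on ARNs.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _conditions_hold(condition, context):
    # Keys under one operator are ANDed; the listed values for one key are ORed.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError("operator not modelled here: " + operator)
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Decide one request; the result mirrors allowed/explicitDeny in a decoded message."""
    matched = [s for s in policy["Statement"]
               if _matches_any(s["Action"], action)
               and _matches_any(s["Resource"], resource)
               and _conditions_hold(s.get("Condition", {}), context)]
    denies = [s["Sid"] for s in matched if s["Effect"] == "Deny"]
    allows = [s["Sid"] for s in matched if s["Effect"] == "Allow"]
    if denies:  # an explicit Deny overrides every Allow
        return {"allowed": False, "explicitDeny": True, "matchedStatements": denies}
    return {"allowed": bool(allows), "explicitDeny": False, "matchedStatements": allows}


def request_from_decoded(decoded_message):
    """Pull (action, resource, context) out of a DecodedMessage so it can be replayed."""
    ctx = json.loads(decoded_message)["context"]
    # Every key in the page's message carries one value; multi-valued keys are not modelled.
    flat = {i["key"]: i["values"]["items"][0]["value"] for i in ctx["conditions"]["items"]}
    return ctx["action"], ctx["resource"], flat


# Abridged copy of the DecodedMessage printed on this page for the failed prod-subnet
# dry run; only the condition keys that matter for the decision are kept.
PROD_FAILURE = json.dumps({
    "allowed": False, "explicitDeny": False, "matchedStatements": {"items": []},
    "context": {
        "principal": {"id": "AIDAIQWZTLCLNAA6YDMHE", "name": "developer1",
                      "arn": "arn:aws:iam::495672033565:user/developer1"},
        "action": "ec2:RunInstances",
        "resource": arn("subnet/" + PROD_SUBNET),
        "conditions": {"items": [
            {"key": "ec2:Vpc", "values": {"items": [{"value": arn("vpc/" + PROD_VPC)}]}},
            {"key": "ec2:SubnetID", "values": {"items": [{"value": PROD_SUBNET}]}},
            {"key": "ec2:Region", "values": {"items": [{"value": REGION}]}}]}}})


def replay_prod_failure():
    """1.7.1: RunInstances into the prod subnet, replayed from the decoded message."""
    return evaluate(POLICY, *request_from_decoded(PROD_FAILURE))


def replay_dev_dry_run():
    """1.6.9: the same request against the dev subnet (context constructed, not decoded)."""
    ctx = {"ec2:Vpc": arn("vpc/" + DEV_VPC), "ec2:SubnetID": DEV_SUBNET, "ec2:Region": REGION}
    return evaluate(POLICY, "ec2:RunInstances", arn("subnet/" + DEV_SUBNET), ctx)


def stop_instance(instance_id, tags):
    """2.1.7/2.1.8: StopInstances with constructed tags as ec2:ResourceTag/* context keys."""
    ctx = {"ec2:ResourceTag/" + k: v for k, v in tags.items()}
    return evaluate(POLICY, "ec2:StopInstances", arn("instance/" + instance_id), ctx)


if __name__ == "__main__":
    print(json.dumps(replay_prod_failure()), json.dumps(replay_dev_dry_run()))
    print(stop_instance("i-0843ec9cea883ab24", {"DeploymentType": "Development"}))
    print(stop_instance("i-07ca9c167c7c615c5", {"DeploymentType": "Development",
                                                 "InstanceType": "Infrastructure"}))
```

Two things the replay makes visible. First, RunInstances is authorized once per resource it touches, which is why the lab policy needs the second statement for instance, volume, network-interface, key-pair, security-group and image ARNs; the evaluator above is called for one resource at a time, as IAM does. Second, the Deny statement in 2.1.5 is matched purely on the ec2:ResourceTag/InstanceType key, so an instance that carries both the Development and the Infrastructure tags is still denied, the explicit deny taking precedence. On the 1.7.4 pipeline itself: the sed chain rewrites every `"{` and `}"` sequence, which corrupts any tag value that happens to contain braces; `aws sts decode-authorization-message --encoded-message <FailureMessage> --query DecodedMessage --output text | python -m json.tool` prints the inner JSON unescaped and needs no sed.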


© 2017 Amazon Web Services, Inc. or its affiliates. All rights reserved.



