I have a problem connecting to my AWS EC2 instance. I can easily connect to my jumpbox instance, but when I try to SSH to my private EC2 it does not let me. I think it has something to do with my key pair; I only have one on my AWS account, so I don't know why it does not let me connect to it so I can install something. I didn't have this problem before, but now I have been stuck on it for days. I have attached the error; it says ECDSA key fingerprint twice when I SSH to my private instance, so I'm guessing that has something to do with the problem.
If someone knows, please advise.
```yaml
JUMPBOXSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: 'JUMPBOX Security Group'
    GroupName: JUMPBOXSG
    SecurityGroupIngress:
      - CidrIp: 0.0.0.0/0
        Description: 'SSH from my IP address'
        FromPort: 22
        ToPort: 22
        IpProtocol: tcp
    VpcId: !Ref Myvpc
    Tags:
      - Key: Name
        Value: JUMPBOXSecurityGroup

JUMPBOXEC2Instance:
  Type: AWS::EC2::Instance
  Properties:
    ImageId: ami-08e4e35cccc6189f4
    InstanceType: t2.micro
    NetworkInterfaces:
      - AssociatePublicIpAddress: "true"
        DeviceIndex: "0" ### assigns a public IP address to the first interface
        SubnetId: !Ref MyPublicSubnet
        GroupSet:
          - !Ref JUMPBOXSecurityGroup
    KeyName: Key
    Tags:
      - Key: Name
        Value: JUMPBOXEC2Instance
```
Here is my jumpbox instance with its security group.
```yaml
MyPublicEC2InstanceSG:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: 'Public EC2 Security Group'
    SecurityGroupIngress:
      - CidrIp: 0.0.0.0/0
        Description: 'http from everywhere'
        FromPort: 80
        ToPort: 80
        IpProtocol: tcp
      - SourceSecurityGroupId: !Ref JUMPBOXSecurityGroup
        Description: 'ssh from Jumpbox'
        FromPort: 22
        ToPort: 22
        IpProtocol: tcp
    VpcId: !Ref Myvpc
    Tags:
      - Key: Name
        Value: MyPublicEC2InstanceSG

MyPublicEC2Instance:
  Type: AWS::EC2::Instance
  Properties:
    ImageId: ami-0b5eea76982371e91
    InstanceType: t2.micro
    NetworkInterfaces:
      - AssociatePublicIpAddress: "true"
        DeviceIndex: "0" ### assigns a public IP address to the first network interface
        SubnetId: !Ref MyPublicSubnet
        GroupSet:
          - !Ref MyPublicEC2InstanceSG
    KeyName: Key
    Tags:
      - Key: Name
        Value: MyPublicEC2Instance
```
Here is my public EC2 instance with its security group.
Since you're seeing an actual "permission denied" error, it's not likely a security group issue. Those tend to cause the connection to hang and/or time out.
Seems like the wrong SSH key is being used. From your "jumpbox" (i.e. not your local machine), add `-vvv` to the ssh command (e.g. `ssh -vvv ec2-user@10.1.5.157`). In the output, you'll see which key or config file is being used. If an ssh config file is being used on the jumpbox instance, be sure it's pointing to the correct key, and that the key exists on the jumpbox. If the wrong key is being used, simply supply the correct one using the `-i` option of the ssh command, or update the config file to point to the correct key location.
My guess is that the correct key doesn't exist on your jumpbox. SSH does not automatically forward your key between instances. So a quick fix would be to copy the key to the jumpbox. But the preferred way would be to enable agent forwarding from your local machine (see: https://docs.github.com/en/developers/overview/using-ssh-agent-forwarding).
Actually, ideally you would connect using SSM instead! (see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/session-manager.html) This has its own list of headaches, but once you get it running it lets you connect without a jumpbox and without key pairs. You also don't need to leave port 22 open on any instances.
Hi, I have tested whether my EC2 instance is working or not from the AWS console.
And it works fine.
I have added the sample script to show "hello world" text in the user data section.
And then pasted the IP address (http, without the 's').
Of course, it shows the text.
And I am trying to show the same text, but this time by using CloudFormation.
I have made it as follows. Everything looks the same as the one made through the AWS console.
However, the CloudFormation one does not allow me to access it on the web and the request hangs.
I have no idea what I am missing.
Can someone please point it out?
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
  InstanceType:
    Description: WebServer EC2 instance type
    Type: String
    Default: t2.micro
    AllowedValues:
      - t1.micro
      - t2.nano
      - t2.micro
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
Mappings:
  AWSInstanceType2Arch:
    t1.micro:
      Arch: PV64
    t2.nano:
      Arch: HVM64
    t2.micro:
      Arch: HVM64
  AWSInstanceType2NATArch:
    t1.micro:
      Arch: NATPV64
    t2.nano:
      Arch: NATHVM64
    t2.micro:
      Arch: NATHVM64
  AWSRegionArch2AMI:
    ca-central-1:
      PV64: NOT_SUPPORTED
      HVM64: ami-730ebd17
      HVMG2: NOT_SUPPORTED
Resources:
  # ===== EC2 Instance =====
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: InstanceType
      SecurityGroups:
        - Ref: InstanceSecurityGroup
      KeyName:
        Ref: KeyName
      UserData:
        Fn::Base64:
          !Sub |
            #!/bin/bash
            sudo su
            yum update -y
            yum install -y httpd
            systemctl start httpd
            systemctl enable httpd
            echo "<h1>Hello World from $(hostname -f)</h1>" > /var/www/html/index.html
      ImageId:
        Fn::FindInMap:
          - AWSRegionArch2AMI
          - Ref: AWS::Region
          - Fn::FindInMap:
              - AWSInstanceType2Arch
              - Ref: InstanceType
              - Arch
  # ===== Security Group =====
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
        # SSH
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp:
            Ref: SSHLocation
        # HTTP
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp:
            Ref: SSHLocation
        # HTTPS
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp:
            Ref: SSHLocation
```
There is nothing wrong with the template you showed and it works as expected (assuming that your AMI is for Amazon Linux 2). So probably the template in the question is not the one you are actually using, or perhaps you are using a different operating system than you think you are. You have to double-check your actual code.
Which parameter value did you use for SSHLocation?
If you want to have 80 and 443 publicly accessible and SSH only from your own IP, you will probably want to use the following SG instead.
```yaml
InstanceSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Enable SSH access via port 22
    SecurityGroupIngress:
      # SSH
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp:
          Ref: SSHLocation
      # HTTP
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      # HTTPS
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0
```
Then SSH into your machine and check the web server configuration inside.
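The check this answer recommends (80 and 443 public, SSH only from your own IP) is easy to automate over a template before it is deployed. The following is an added Python audit, not code from either question or answer: it walks a template's `AWS::EC2::SecurityGroup` resources and flags administrative ports reachable from `0.0.0.0/0`, including the two cases that appear on this page: a `CidrIp` that is a `Ref` to a parameter whose `Default` is `0.0.0.0/0` (as `SSHLocation` is above), and a rule described as "SSH from my IP address" that actually grants the world (the jumpbox group in the first question). `SAMPLE_TEMPLATE` is a constructed dict mirroring those templates; loading real YAML would additionally need a loader that understands CloudFormation's `!Ref`/`!GetAtt` tags.

```python
"""Audit CloudFormation SecurityGroupIngress rules for world-open admin ports.

Added example, not code from the page. SAMPLE_TEMPLATE is a constructed dict
that mirrors the shape of the templates in the questions above.
"""

ADMIN_PORTS = {22, 3389, 3306, 5432, 27017}   # SSH, RDP, MySQL, Postgres, MongoDB
WORLD = {"0.0.0.0/0", "::/0"}


def port_range(rule):
    """(from, to) covered by a rule; IpProtocol -1 means every port."""
    if str(rule.get("IpProtocol")) == "-1":
        return 0, 65535
    lo = int(rule.get("FromPort", 0))
    return lo, int(rule.get("ToPort", lo))


def rule_source(rule):
    """Classify the traffic source of an ingress rule."""
    for key in ("CidrIp", "CidrIpv6"):
        if key in rule:
            return "cidr", rule[key]
    for key in ("SourceSecurityGroupId", "SourceSecurityGroupName", "SourcePrefixListId"):
        if key in rule:
            return "reference", rule[key]
    return "none", None


def resolve_cidr(value, template):
    """A literal CIDR is returned as-is; {"Ref": Param} resolves to the parameter Default."""
    if isinstance(value, dict) and "Ref" in value:
        param = template.get("Parameters", {}).get(value["Ref"], {})
        return param.get("Default"), f"via Parameters.{value['Ref']} Default"
    return value, "literal"


def audit_template(template):
    """Return findings as (logical_id, severity, message) tuples."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            kind, src = rule_source(rule)
            if kind == "none":
                findings.append((logical_id, "LOW", "ingress rule has no source"))
                continue
            if kind != "cidr":
                continue                      # SG-to-SG references are the preferred shape
            cidr, how = resolve_cidr(src, template)
            if cidr not in WORLD:
                continue
            lo, hi = port_range(rule)
            exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            if exposed:
                findings.append((logical_id, "HIGH", f"admin port(s) {exposed} open to {cidr} ({how})"))
            desc = rule.get("Description", "")
            if "my ip" in desc.lower():       # description promises one IP, rule grants the world
                findings.append((logical_id, "MEDIUM", f"description '{desc}' does not match {cidr}"))
    return findings


# Constructed sample: jumpbox SG and public SG from the first question, the
# SSHLocation-based SG from the second, plus an all-ports rule to exercise IpProtocol -1.
SAMPLE_TEMPLATE = {
    "Parameters": {"SSHLocation": {"Type": "String", "Default": "0.0.0.0/0"}},
    "Resources": {
        "JUMPBOXSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "SecurityGroupIngress": [{"CidrIp": "0.0.0.0/0", "Description": "SSH from my IP address",
                                      "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp"}]}},
        "MyPublicEC2InstanceSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "SecurityGroupIngress": [{"SourceSecurityGroupId": {"Ref": "JUMPBOXSecurityGroup"},
                                      "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp"}]}},
        "InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "SSHLocation"}},
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}]}},
        "WideOpenSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "SecurityGroupIngress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]}},
    },
}

if __name__ == "__main__":
    for logical_id, severity, message in audit_template(SAMPLE_TEMPLATE):
        print(f"{severity:6} {logical_id}: {message}")
```

On the sample the audit reports the jumpbox group twice (world-open port 22, and a description that contradicts the CIDR), the `SSHLocation` group once because its parameter default is world-open, and the all-ports group once; the group that only accepts traffic from the jumpbox's security group produces no finding, which is the shape the second question's answer recommends.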
I have a stack to create a VPC.
This stack exports an output for the VPC ID with the name VPCID. It looks like this.
```yaml
Outputs:
  Output0:
    Description: The ID of the VPC
    Value: !Ref VPC0
    Export:
      Name: VPCID
```
I can import the output into my child stacks.
```yaml
sghttps:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: 'HTTPS'
    GroupName: https
    SecurityGroupIngress:
      - FromPort: 443
        ToPort: 443
        IpProtocol: tcp
        CidrIp: '0.0.0.0/0'
        Description: 'HTTPS from EVERYWHERE'
    SecurityGroupEgress:
      - FromPort: 0
        ToPort: 0
        IpProtocol: '-1'
        CidrIp: '0.0.0.0/0'
    VpcId: !ImportValue VPCID
    Tags:
      - Key: CF
        Value: true
```
Now, I need access to the attribute CidrBlock of this VPC in my child stacks.
Something like this.
```yaml
sgmongodb:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: 'MONGODB'
    GroupName: mongodb
    SecurityGroupIngress:
      - FromPort: 27017
        ToPort: 27017
        IpProtocol: tcp
        CidrIp: !ImportValue VPCID.CidrBlock
        Description: 'MongoDB from our VPC TCP'
```
or like this.
```yaml
sgmongodb:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: 'MONGODB'
    GroupName: mongodb
    SecurityGroupIngress:
      - FromPort: 27017
        ToPort: 27017
        IpProtocol: tcp
        CidrIp: !ImportValue 'Fn::GetAtt':
          - VPCID
          - CidrBlock
        Description: 'MongoDB from our VPC TCP'
```
I'm aware that it is possible to export the value of CidrBlock.
```yaml
Outputs:
  Output0:
    Description: The ID of the VPC
    Value: !Ref VPC0
    Export:
      Name: VPCID
  Output1:
    Description: CidrBlock
    Value: !GetAtt VPC0.CidrBlock
    Export:
      Name: VPCIDCidrBlock
```
But is it possible to pass only the main VPC (VPCID in my case) resource and get the attribute CidrBlock in the child stack?
I cannot find the right syntax. Any idea?
> But is it possible to pass only the main VPC (VPCID in my case) resource and get the attribute CidrBlock in the child stack?

No, it's not, without a Custom Resource in your child module. Such a resource would be in the form of a Lambda function which would take the VPCID as an input parameter, use the AWS SDK to query the VPC for its CIDR range, and return it to your child stack for further use.
If you don't want to create a custom resource, you have to export your CIDR range as well, and any other info that you require.
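Below is an added Python sketch of the Lambda-backed Custom Resource this answer describes; it is not code from the answer or from AWS. The handler takes a `VpcId` property, calls `describe_vpcs`, and returns the primary `CidrBlock` as resource data, so the child stack can use `!GetAtt VpcInfo.CidrBlock`. The `Custom::VpcInfo` resource name, the `VpcInfo` logical ID and the Lambda ARN are assumptions; the EC2 client and the response sender are injected so the logic can be exercised offline with the constructed `FakeEc2` and `SAMPLE_EVENT`. Note that a failure must still be reported to CloudFormation as `FAILED`, otherwise the stack waits for the response until it times out.

```python
"""Custom resource handler that returns a VPC's CidrBlock given its ID.

Added example (not from the page). Child-stack usage, with assumed names:
  VpcInfo:
    Type: Custom::VpcInfo
    Properties:
      ServiceToken: <ARN of this Lambda>   # assumption
      VpcId: !ImportValue VPCID
  ...
      CidrIp: !GetAtt VpcInfo.CidrBlock
"""
import json
import urllib.request


def lookup_cidr(ec2, vpc_id):
    """Query EC2 for the VPC and return its primary CidrBlock (boto3 response shape)."""
    resp = ec2.describe_vpcs(VpcIds=[vpc_id])
    vpcs = resp.get("Vpcs", [])
    if not vpcs:
        raise ValueError(f"VPC {vpc_id} not found")
    return vpcs[0]["CidrBlock"]


def build_response(event, status, data=None, reason=None):
    """CloudFormation custom-resource response body (the cfn-response format)."""
    vpc_id = event.get("ResourceProperties", {}).get("VpcId", "unknown")
    return {
        "Status": status,
        "Reason": reason or "see CloudWatch logs",
        "PhysicalResourceId": event.get("PhysicalResourceId") or f"vpcinfo-{vpc_id}",
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send_response(url, body):
    """PUT the response to the pre-signed S3 URL that CloudFormation supplied."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Content-Type": ""})
    with urllib.request.urlopen(req) as r:
        return r.status


def handler(event, context=None, ec2=None, send=send_response):
    """Lambda entry point. Delete requests succeed without a lookup."""
    if ec2 is None:                       # real deployment: boto3 EC2 client
        import boto3
        ec2 = boto3.client("ec2")
    try:
        if event["RequestType"] == "Delete":
            body = build_response(event, "SUCCESS")
        else:
            vpc_id = event["ResourceProperties"]["VpcId"]
            body = build_response(event, "SUCCESS", {"CidrBlock": lookup_cidr(ec2, vpc_id)})
    except Exception as exc:              # any failure must be reported or the stack hangs
        body = build_response(event, "FAILED", reason=str(exc))
    send(event["ResponseURL"], body)
    return body


class FakeEc2:
    """Stand-in for boto3's EC2 client with constructed describe_vpcs data."""
    VPCS = {"vpc-0123456789abcdef0": "10.0.0.0/16"}   # constructed sample VPC

    def describe_vpcs(self, VpcIds):
        return {"Vpcs": [{"VpcId": v, "CidrBlock": self.VPCS[v]} for v in VpcIds if v in self.VPCS]}


SAMPLE_EVENT = {   # constructed; shaped like the event CloudFormation sends, placeholder IDs
    "RequestType": "Create",
    "ResponseURL": "https://example.invalid/presigned-response-url",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/child/placeholder",
    "RequestId": "request-placeholder",
    "LogicalResourceId": "VpcInfo",
    "ResourceType": "Custom::VpcInfo",
    "ResourceProperties": {"ServiceToken": "arn:aws:lambda:placeholder",
                           "VpcId": "vpc-0123456789abcdef0"},
}


def run_offline(event=SAMPLE_EVENT):
    """Exercise the handler without AWS: capture the response instead of PUTting it."""
    captured = []
    body = handler(event, ec2=FakeEc2(), send=lambda url, b: captured.append(b))
    assert captured[0] is body
    return body


if __name__ == "__main__":
    print(json.dumps(run_offline(), indent=2))
```

In a real deployment `describe_vpcs` raises a `ClientError` for an unknown ID rather than returning an empty list; the `except` branch turns either into a `FAILED` response with the error text as `Reason`, which is what you want to see in the stack events instead of a silent hang.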
I'm working with CloudFormation trying to deploy an EC2 and an RDS into security groups, with the EC2 SG as a WebDMZ group and the RDS SG only open to traffic from the EC2 group.
The security groups are working correctly, but the EC2 and RDS instances both give me the same error that they can't find the security group in VPC XYZ123, where XYZ123 is the ID of the default VPC--the only VPC, and I've verified that my security groups are indeed in that VPC.
I tried the code for my EC2 in another template and it worked, but only if I specifically assigned it to a public subnet.
This code is academic, not for production. Can't I just have my assets deploy to a default or random subnet? Aren't Security Groups at the instance level, so as long as it's the correct VPC it should be fine? What am I missing?
```yaml
Resources:
  04WebDMZ:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open to HTTP, HTTPS and SSH on all ports
      GroupName: 04WebDMZ
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: 04WebDMZ
  04DatabaseSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open to 04WebDMZ
      GroupName: 04DatabaseSG
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupName:
            Ref: 04WebDMZ
      Tags:
        - Key: Name
          Value: 04DatabaseSG
  04PublicEC2:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-047a51fa27710816e
      InstanceType: t2.micro
      KeyName: my_key_pair
      NetworkInterfaces:
        - AssociatePublicIpAddress: True
          DeviceIndex: 0
          DeleteOnTermination: True
      Tags:
        - Key: Name
          Value: 04PublicEC2
      UserData:
        !Base64 |
          #!/bin/bash
          yum install httpd php php-mysql -y
          cd /var/www/html
          wget https://wordpress.org/wordpress-5.1.1.tar.gz
          tar -xzf wordpress-5.1.1.tar.gz
          cp -r wordpress/* /var/www/html/
          rm -rf wordpress
          rm -rf wordpress-5.1.1.tar.gz
          chmod -R 755 wp-content
          chown -R apache:apache wp-content
          service httpd start
          chkconfig httpd on
  04RDS:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        - Ref: 04DatabaseSG
      AllocatedStorage: '5'
      DBInstanceClass: db.t2.small
      Engine: MySQL
      MasterUsername: admin
      MasterUserPassword: admin
      Tags:
        - Key: Name
          Value: 04RDS
    DeletionPolicy: Snapshot
```
Screenshot of the error: https://imgur.com/a/WRw5BWi
I am trying to autoscale this EC2 instance; please guide me on how to do it. Any template that might be helpful so that I can get started with autoscaling would be appreciated. I am attaching only the EC2 instance template which I want to autoscale.
```yaml
---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  SourceStackName:
    Description: "Source stack name"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "shifa-vpc"
Resources:
  webserver:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: webserver-sg
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
          Description: For traffic from Internet
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: For traffic from Internet
      GroupDescription: Security Group for demo server
      VpcId:
        Fn::ImportValue:
          Fn::Sub: "${SourceStackName}-VpcID"
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: us-east-1a
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            DeleteOnTermination: "true"
            VolumeSize: "8"
            VolumeType: gp2
      ImageId: ami-09d95fab7fff3776c # ami-0bdcc6c05dec346bf
      InstanceType: t2.micro
      #IamInstanceProfile: !Ref ListS3BucketsInstanceProfile
      #KeyName: ky-webserver
      NetworkInterfaces:
        - Description: Primary network interface
          DeviceIndex: 0
          SubnetId:
            Fn::ImportValue:
              Fn::Sub: "${SourceStackName}-PublicSubnet"
          GroupSet:
            - !Ref webserver
Outputs:
  ec2:
    Description: ec2
    Value: !Ref EC2Instance
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-server"
  sgGroupId:
    Description: ec2
    Value: !GetAtt webserver.GroupId
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-sgid"
```
I am new to CloudFormation and I am in training.
Amazon has some examples for autoscaling instances.
Importantly, EC2 instance resources are not part of the autoscaling configuration within CloudFormation.
Instead you would use either a Launch Template or a Launch Configuration resource. The Launch Template is newer, so preferably you should use this. These will define the instance configuration such as volumes, instance type etc.
The other component is the Auto Scaling Group; this will reference one of the previous components and define how the instances should scale.
If you're trying to scale an existing instance you will need to make an AMI from it first and then reference it.
AWS has an example template with autoscaling groups here.
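To make the split this answer describes concrete, here is an added Python converter (not the AWS example template and not code from the question) that takes the `EC2Instance` properties from the template above, copies the per-instance settings into an `AWS::EC2::LaunchTemplate`, and builds an `AWS::AutoScaling::AutoScalingGroup` that launches from it. `INSTANCE_PROPS` is a constructed dict mirroring the question's instance; the logical IDs `WebServerLaunchTemplate`/`WebServerASG` and the `MinSize`/`MaxSize`/`DesiredCapacity` values are assumptions. The property names follow the two resources' CloudFormation schemas: the subnet moves from the network interface to the group's `VPCZoneIdentifier`, security groups become `SecurityGroupIds`, and `AvailabilityZone` is dropped because the group decides placement.

```python
"""Convert an AWS::EC2::Instance definition into a Launch Template plus Auto Scaling Group.

Added example, not code from the page or from AWS. INSTANCE_PROPS is a constructed
copy of the EC2Instance properties in the question above.
"""
import copy

INSTANCE_PROPS = {
    "AvailabilityZone": "us-east-1a",
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                             "Ebs": {"DeleteOnTermination": "true", "VolumeSize": "8",
                                     "VolumeType": "gp2"}}],
    "ImageId": "ami-09d95fab7fff3776c",
    "InstanceType": "t2.micro",
    "NetworkInterfaces": [{"Description": "Primary network interface", "DeviceIndex": 0,
                           "SubnetId": {"Fn::ImportValue": {"Fn::Sub": "${SourceStackName}-PublicSubnet"}},
                           "GroupSet": [{"Ref": "webserver"}]}],
}

# Instance properties whose name and shape are identical in LaunchTemplateData.
COPIED_KEYS = ("ImageId", "InstanceType", "KeyName", "BlockDeviceMappings", "UserData")


def to_launch_template(props, name="WebServerLaunchTemplate"):
    """Build an AWS::EC2::LaunchTemplate resource from instance properties.

    Returns (resource, subnet_ids). Subnets are handed back for the ASG, which
    places instances itself, so AvailabilityZone and per-NIC SubnetId are not copied.
    """
    data = {k: copy.deepcopy(props[k]) for k in COPIED_KEYS if k in props}
    subnet_ids, group_ids = [], []
    for nic in props.get("NetworkInterfaces", []):
        if "SubnetId" in nic:
            subnet_ids.append(nic["SubnetId"])
        group_ids.extend(nic.get("GroupSet", []))
    group_ids.extend(props.get("SecurityGroupIds", []))
    if group_ids:
        data["SecurityGroupIds"] = group_ids
    if "IamInstanceProfile" in props:     # instance takes a name; launch template takes {Name: ...}
        data["IamInstanceProfile"] = {"Name": props["IamInstanceProfile"]}
    resource = {"Type": "AWS::EC2::LaunchTemplate",
                "Properties": {"LaunchTemplateName": name, "LaunchTemplateData": data}}
    return resource, subnet_ids


def to_autoscaling_group(lt_logical_id, subnet_ids, min_size=1, max_size=3, desired=2):
    """Build an AWS::AutoScaling::AutoScalingGroup that launches from the template.

    Sizes are assumed values; CloudFormation declares them as strings.
    """
    return {
        "Type": "AWS::AutoScaling::AutoScalingGroup",
        "Properties": {
            "MinSize": str(min_size),
            "MaxSize": str(max_size),
            "DesiredCapacity": str(desired),
            "VPCZoneIdentifier": subnet_ids,
            "LaunchTemplate": {"LaunchTemplateId": {"Ref": lt_logical_id},
                               "Version": {"Fn::GetAtt": [lt_logical_id, "LatestVersionNumber"]}},
            "HealthCheckType": "EC2",
            "Tags": [{"Key": "Name", "Value": "webserver", "PropagateAtLaunch": True}],
        },
    }


def convert(props):
    """Return both resources keyed by logical ID, ready to place under Resources:."""
    lt, subnets = to_launch_template(props)
    return {"WebServerLaunchTemplate": lt,
            "WebServerASG": to_autoscaling_group("WebServerLaunchTemplate", subnets)}


if __name__ == "__main__":
    import json
    print(json.dumps({"Resources": convert(INSTANCE_PROPS)}, indent=2))
```

The question's single `EC2Instance` resource and its `ec2` output would be replaced by these two resources; `UserData` and `KeyName`, if uncommented in the original, are carried across unchanged because the launch template accepts them in the same form.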
I have the following security group in a yaml template. I'd like to have the "SecurityGroupApplication" security group allow incoming connections from the "SecurityGroupBastion". However, the validate-template function of the aws client is telling me unhelpful information like "unsupported structure". Ok, but what is wrong with the structure? Ideas?
```yaml
Resources:
  SecurityGroupBastion:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Bastion security group
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
      VpcId: !Ref vpcId
  SecurityGroupApplication:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application security group
      SecurityGroupIngress:
        - SourceSecurityGroupId: !Ref SecurityGroupBastion
          IpProtocol: tcp
```
Your template works perfectly fine for me, except that I had to specify the ports for the App security group:
```yaml
Resources:
  SecurityGroupBastion:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Bastion security group
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
      VpcId: vpc-abcd1234
  SecurityGroupApplication:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application security group
      SecurityGroupIngress:
        - SourceSecurityGroupId: !Ref SecurityGroupBastion
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
```
If you want SecurityGroupApplication to be a Security Group, then you should use `Type: AWS::EC2::SecurityGroup` instead of `Type: AWS::EC2::SecurityGroupIngress`. That is probably the cause of the "unsupported structure" error you are seeing.
Just in case someone falls into this old question: there is now a way to reference a cross-account SG in CloudFormation, so if you want to add an SG ingress rule pointing to another AWS account, just add the key SourceSecurityGroupOwnerId and the account ID.
i.e.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  TargetSG:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: vpc-1a2b3c4d
      GroupDescription: Security group allowing ingress for security scanners
  InboundRule:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Properties:
      GroupId: !GetAtt TargetSG.GroupId
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      SourceSecurityGroupId: sg-12345678 # SG in the other AWS account
      SourceSecurityGroupOwnerId: '123456789012' # Account ID
```