Prevent SCP IAM on Ec2 that are part of ASG - amazon-iam

I need to enforce a tag suite on AWS resources.
The solution: use SCP policies.
The problem: it would affect existing EC2 instances in the autoscaling groups, and new EC2s won't be created.
Does anyone know of a good way to condition the policy so it has no effect on EC2 instances that are part of any autoscaling group?
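One way to express the exemption the question asks for, as an added example that is not part of the original post: an SCP that denies ec2:RunInstances calls lacking a required tag but exempts the Auto Scaling service-linked role (the principal that actually calls RunInstances for an ASG), and pushes the tag requirement up to CreateAutoScalingGroup so group-launched instances still inherit the tag. The tag key "CostCenter" and the account and role ARNs used in the checks are constructed for the example; the ASG service-linked role ARN pattern is the real one. The evaluator is a deliberately simplified model of SCP condition logic (only the Null and ArnNotLike operators), written here to check the policy against sample requests offline, not AWS's own engine.

```python
"""Added example: tag-enforcing SCP with an Auto Scaling exemption, plus a
simplified evaluator (Null and ArnNotLike only) for offline checks."""
import fnmatch
import json

# Role Auto Scaling assumes when it launches instances for an ASG. The trailing
# '*' also covers custom-suffixed service-linked roles (AWSServiceRoleForAutoScaling_<suffix>).
ASG_SERVICE_LINKED_ROLE = (
    "arn:aws:iam::*:role/aws-service-role/"
    "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling*"
)
REQUIRED_TAG = "CostCenter"  # assumed tag key for the example

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUntaggedRunInstancesExceptAutoScaling",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances"],
            # Scope to the instance resource: RunInstances also touches volumes,
            # network interfaces etc., which would otherwise trip the Null test.
            "Resource": ["arn:aws:ec2:*:*:instance/*"],
            "Condition": {
                "Null": {f"aws:RequestTag/{REQUIRED_TAG}": "true"},
                "ArnNotLike": {"aws:PrincipalArn": [ASG_SERVICE_LINKED_ROLE]},
            },
        },
        {
            # Enforce the tag on the group itself so instances launched by the
            # exempted role still carry it (ASG tags propagate at launch).
            "Sid": "DenyUntaggedAutoScalingGroups",
            "Effect": "Deny",
            "Action": ["autoscaling:CreateAutoScalingGroup"],
            "Resource": ["*"],
            "Condition": {"Null": {f"aws:RequestTag/{REQUIRED_TAG}": "true"}},
        },
    ],
}


def _condition_matches(condition, ctx):
    """Simplified condition evaluation: operators are ANDed; Null with "true"
    is satisfied when the key is absent from the request context; ArnNotLike is
    satisfied when the principal matches none of the listed ARN patterns."""
    for operator, clauses in condition.items():
        for key, values in clauses.items():
            if operator == "Null":
                present = key in ctx
                if (values == "true") == present:
                    return False
            elif operator == "ArnNotLike":
                patterns = values if isinstance(values, list) else [values]
                arn = ctx.get(key, "")
                if any(fnmatch.fnmatchcase(arn, p) for p in patterns):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def scp_denies(action, ctx, policy=SCP):
    """Return True when any Deny statement matches the request. ctx holds
    condition keys such as aws:PrincipalArn and aws:RequestTag/<key>."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample requests (account id and role names are made up).
    dev = "arn:aws:iam::123456789012:role/DeveloperRole"
    asg = ("arn:aws:iam::123456789012:role/aws-service-role/"
           "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")
    print(json.dumps(SCP, indent=2))
    print("dev, no tag     ->", "DENY" if scp_denies("ec2:RunInstances", {"aws:PrincipalArn": dev}) else "allow")
    print("dev, tagged     ->", "DENY" if scp_denies("ec2:RunInstances", {"aws:PrincipalArn": dev, f"aws:RequestTag/{REQUIRED_TAG}": "1234"}) else "allow")
    print("ASG role, no tag->", "DENY" if scp_denies("ec2:RunInstances", {"aws:PrincipalArn": asg}) else "allow")
```

Because aws:PrincipalArn resolves to the role ARN rather than the assumed-role session ARN, the ArnNotLike pattern above is what exempts ASG launches. The trade-off is that tag enforcement for those instances then rests on the second statement and on the tags configured on the ASG or launch template, so both should be reviewed together.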

Related

Is there a proper way to stop ECS tasks and the EC2 instances inside a cluster?

I have 2 ECS clusters in one AWS account and am planning to shut down 1 of the clusters, the services inside that cluster, as well as stop/terminate the EC2 instances in the auto-scaling group. Is there a proper way to achieve this without leaving any traces? I have thought about the following:
Changing the number of tasks to 0 in each ECS service (cumbersome as I have 7-8 services)
Setting Desired Count in the auto scaling group to 0 (not sure if this will stop or terminate the EC2 instances)
Any help is appreciated.
Assuming you are using AWS CloudFormation to set up the ECS cluster, you can delete the CloudFormation stack; that will remove all the resources belonging to that CF stack.
Else, see if this helps - deleting via console: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/delete_cluster.html
Whenever you delete an ECS cluster it will delete the auto-scaling configuration, which also deletes the instances managed by autoscaling.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/asg-capacity-providers-delete-capacity-provider.html#:~:text=Option%201%3A%20Use%20the%20delete%20command%20to%20delete%20the%20cluster.

How can 2 extra EBS volumes be attached to a newly spun EC2 instance in an autoscaling group?

In an autoscaling group, I have an EC2 instance (with two EBS volumes) which could terminate due to any fault, and a new EC2 instance is spun up in its place inside the autoscaling group.
My question is how the two EBS volumes attached to the old EC2 instance can be attached to the new EC2 instance.
If this is a manual process, could a reference to Terraform be provided?
@rukan I guess you need to set the 'DeleteOnTermination' value to false, as you would need the EBS of the old instance for the newly created one.
Reference :
https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_Ebs.html
https://francescoboffa.com/aws-stateful-service-ebs/
Update :
I tried to do some research on your requirement and can conclude my answer that there is no standard method to re-use an EBS volume in an AWS auto-scaling group. Moreover, it is not a recommended one, as autoscaling groups start multiple EC2 instances. Each EBS volume can only be attached to a single EC2 instance. For now, I can suggest using AWS EFS instead of EBS.
But if this is a must-do requirement with EBS, then we need to think of some complex logic, writing some kind of startup script which associates the volume with the EC2 instance and then mounts it. You can refer to this answer:
Reference :
https://serverfault.com/questions/831974/can-i-re-use-an-ebs-volume-with-aws-asg

Allow ECS Tasks to access RDS

I have a couple of ECS tasks (Fargate, executed via a Lambda function) that need to connect to an RDS.
Each of the tasks has its own role defining policies to (for example) access S3 buckets.
Each of my tasks also has its own security group.
I can now whitelist each and every task's security group on the RDS, but this is cumbersome since new tasks are added on a daily basis.
I thought it must be possible to add a policy that allows access to the RDS (as described in the docs):
- PolicyName: RDSAccess
  PolicyDocument:
    Version: '2012-10-17'
    Statement:
      - Effect: Allow
        Action:
          - rds-db:connect
        Resource: 'arn:aws:rds-db:REGION:ID:dbuser:DB_ID/DB_USER'
Unfortunately this does not work - I still cannot connect to the database.
As mentioned before: when explicitly adding each task's security group to the RDS, I can connect to the DB without issues.
Two questions:
Am I misunderstanding the docs?
Can I add an ECS task to a pre-defined security group, so that I only need to whitelist this one specific security group?
This policy enables you to use the CLI to generate temporary credentials as a specific IAM user/role; you will still need inbound access via the network to connect.
If you want to simplify this process to connect, there are 2 options for the security groups you can use:
Whitelist the subnet ranges that the tasks sit in; if this is a security issue, can the tasks be moved into specific subnets to make whitelisting easier?
Create a blank security group you attach to any task that needs to connect to your RDS, then add it as an inbound source. The security group could be reused across all tasks simply for identifying that it should have access.

Auto-created EC2 instance and how to delete(terminate) it?

I'm launching an EC2 instance in AWS, and there is an auto-created EC2 instance named Test-env. Every time I terminate it, AWS auto-creates a new one for me. Is there any way to terminate the auto-created instance and prevent it from creating a new one?
As shown in the picture above, I terminated Test-env twice, and AWS just created a new Test-env for me.
Thanks a lot.
It seems like you have been using Elastic Beanstalk. If you open up that section of the AWS Management Console, you can delete the application/environment from there. This will bring down the instance as well. When you terminate the Elastic Beanstalk instance manually through the EC2 section, the system thinks that it has failed and will launch a replacement.
Reference: https://forums.aws.amazon.com/thread.jspa?threadID=115913
It seems that an AutoScaling group configuration is present for the EC2 instance Test-env.
Can you please check under EC2 -> AutoScaling Groups -> Test-env -> Scaling Policies?
It seems that a ScaleUp policy has been configured for that instance. It means that whenever the total number of EC2 instances is less than or equal to 0 (or any limit which was set), a new one is spawned.
You need to update these policies or remove them as per your need.
Other than Elastic Beanstalk and an AutoScaling group, another possibility is that you have an on-going Spot Request.
You can cancel it in order to prevent the instance from being recreated.
EC2 -> Instances -> Spot Requests
Then, Actions -> Cancel Request

connection between ec2 instances

I am trying to use one AWS EC2 instance to start another EC2 instance automatically, so that it could be started automatically as long as this monitoring EC2 instance keeps running. I could use SSH to connect to my instance. However, when I try to use ec2-start-instance, I fail with the following error:
The instance ID 'i-XXXXXXXX' does not exist
These two instances are in different availability zones, so I think it is a networking settings problem, but I don't know how to solve it. Could anyone help me?
I suspect your answer lies in Roles. i.e. Account A's EC2 instance needs to have a Role Right on Account B to start EC2 instances in Account B. And it needs to somehow be assigned this role. Not sure that's possible?
Check into:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
"The access policy for the role specifies what the role allows someone to do. For example, you could specify that the role allows someone to manage only your Amazon EC2 and Amazon RDS resources but not your IAM users or groups. In our sample scenario, you use the access policy to give Example Corp read-only access to all of the resources in your account."
@Mark B
I fixed it; it was because I used the wrong credentials. One AWS account was set up for my personal website and the other was for other uses, so I considered using this continuously running instance to do something for me.
Thank you