I have a static website hosted in a Amazon S3 bucket. The website uses PouchDB (javascript) to get data from a (Bitnami) CouchDB hosted in a EC2 instance.
The EC2 instance's inbound rules is configured to allow traffic for SSH, HTTP, .. including CouchDB port, 5984.
I could open the (EC2 hosted) CouchDB (Fauxton) from a browser, able to create / modify stuff, but the javascript in static website from S3 is unable to access the EC2.
The PouchDB throws error 'Timed out'.
Do I need to configure any other stuff in EC2?
Thanks
S3 is a Simple Storage Service, can only be used to store data. Nothing runs on S3. The website you are serving from S3 runs on your local system. Configure EC2 instance to accept traffic from web i.e allow 0.0.0.0/0 in the security group.
Related
I have a container running in an EC2 instance on ECS. The container is hosting a django based application that utilizes S3 and RDS for its file storage and db needs respectively. I have appropriately configured my VPC, Subnets, VPC endpoints, Internet Gateway, roles, security groups, and other parameters such that I am able to host the site, connect to the RDS instance, and I can even access the site.
The issue is with the connection to S3. When I try to run the command python manage.py collectstatic --no-input which should upload/update any new/modified files to S3 as part of the application set up the program hangs and will not continue. No files are transferred to the already set up S3 bucket.
Details of the set up:
All of the below is hosted on AWS Gov Cloud
VPC and Subnets
1 VPC located in Gov Cloud East with 2 availability zones (AZ) and one private and public subnet in each AZ (4 total subnets)
The 3 default routing tables (1 for each private subnet, and 1 for the two public subnets together)
DNS hostnames and DNS resolution are both enabled
VPC Endpoints
All endpoints have the "vpce-sg" security group attached and are associated to the above vpc
s3 gateway endpoint (set up to use the two private subnet routing tables)
ecr-api interface endpoint
ecr-dkr interface endpoint
ecs-agetn interface endpoint
ecs interface endpoint
ecs-telemetry interface endpoint
logs interface endpoint
rds interface endpoint
Security Groups
Elastic Load Balancer Security Group (elb-sg)
Used for the elastic load balancer
Only allows inbound traffic from my local IP
No outbound restrictions
ECS Security Group (ecs-sg)
Used for the EC2 instance in ECS
Allows all traffic from the elb-sg
Allows http:80, https:443 from vpce-sg for s3
Allows postgresql:5432 from vpce-sg for rds
No outbound restrictions
VPC Endpoints Security Group (vpce-sg)
Used for all vpc endpoints
Allows http:80, https:443 from ecs-sg for s3
Allows postgresql:5432 from ecs-sg for rds
No outbound restrictions
Elastic Load Balancer
Set up to use an Amazon Certificate https connection with a domain managed by GoDaddy since Gov Cloud route53 does not allow public hosted zones
Listener on http permanently redirects to https
Roles
ecsInstanceRole (Used for the EC2 instance on ECS)
Attached policies: AmazonS3FullAccess, AmazonEC2ContainerServiceforEC2Role, AmazonRDSFullAccess
Trust relationships: ec2.amazonaws.com
ecsTaskExecutionRole (Used for executionRole in task definition)
Attached policies: AmazonECSTaskExecutionRolePolicy
Trust relationships: ec2.amazonaws.com, ecs-tasks.amazonaws.com
ecsRunTaskRole (Used for taskRole in task definition)
Attached policies: AmazonS3FullAccess, CloudWatchLogsFullAccess, AmazonRDSFullAccess
Trust relationships: ec2.amazonaws.com, ecs-tasks.amazonaws.com
S3 Bucket
Standard bucket set up in the same Gov Cloud region as everything else
Trouble Shooting
If I bypass the connection to s3 the application successfully launches and I can connect to the website, but since static files are supposed to be hosted on s3 there is less formatting and images are missing.
Using a bastion instance I was able to ssh into the EC2 instance running the container and successfully test my connection to s3 from there using aws s3 ls s3://BUCKET_NAME
If I connect to a shell within the application container itself and I try to connect to the bucket using...
s3 = boto3.resource('s3')
bucket = s3.Bucket(BUCKET_NAME)
s3.meta.client.head_bucket(Bucket=bucket.name)
I receive a timeout error...
File "/.venv/lib/python3.9/site-packages/urllib3/connection.py", line 179, in _new_conn
raise ConnectTimeoutError(
urllib3.exceptions.ConnectTimeoutError: (<botocore.awsrequest.AWSHTTPSConnection object at 0x7f3da4467190>, 'Connection to BUCKET_NAME.s3.amazonaws.com timed out. (connect timeout=60)')
...
File "/.venv/lib/python3.9/site-packages/botocore/httpsession.py", line 418, in send
raise ConnectTimeoutError(endpoint_url=request.url, error=e)
botocore.exceptions.ConnectTimeoutError: Connect timeout on endpoint URL: "https://BUCKET_NAME.s3.amazonaws.com/"
Based on this article I think this may have something to do with the fact that I am using the GoDaddy DNS servers which may be preventing proper URL resolution for S3.
If you're using the Amazon DNS servers, you must enable both DNS
hostnames and DNS resolution for your VPC. If you're using your own
DNS server, ensure that requests to Amazon S3 resolve correctly to the
IP addresses maintained by AWS.
I am unsure of how to ensure that requests to Amazon S3 resolve correctly to the IP address maintained by AWS. Perhaps I need to set up another private DNS on route53?
I have tried a very similar set up for this application in AWS non-Gov Cloud using route53 public DNS instead of GoDaddy and there is no issue connecting to S3.
Please let me know if there is any other information I can provide to help.
AWS Region
The issue lies within how boto3 handles different aws regions. This may be unique to usage on AWS GovCloud. Originally I did not have a region configured for S3, but according to the docs an optional environment variable named AWS_S3_REGION_NAME can be set.
AWS_S3_REGION_NAME (optional: default is None)
Name of the AWS S3 region to use (eg. eu-west-1)
I reached this conclusion thanks to a stackoverflow answer I was using to try to manually connect to s3 via boto3. I noticed that they included an argument for region_name when creating the session, which alerted me to make sure I had appropriately set the region in my app.settings and environment variables.
If anyone has some background on why this needs to be set for GovCloud functionality but apparently not for commercial, I would be interested to know.
Signature Version
I also had to specify the AWS_S3_SIGNATURE_VERSION in app.settings so boto3 knew to use version 4 of the signature. According to the docs
As of boto3 version 1.13.21 the default signature version used for generating presigned urls is still v2. To be able to access your s3 objects in all regions through presigned urls, explicitly set this to s3v4. Set this to use an alternate version such as s3. Note that only certain regions support the legacy s3 (also known as v2) version.
Some additional information in this stackoverflow response details that new S3 regions deployed after January 2014 will only support signature version 4. AWS docs notice
Apparently GovCloud is in this group of newly deployed regions.
If you do not specify this calls to the s3 bucket for static files, such as js scripts, during operation of the web application will receiving a 400 response. S3 responds with the error message
<Code>InvalidRequest</Code>
<Message>The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.</Message>
<RequestId>#########</RequestId>
<HostId>##########</HostId>
</Error>```
To keep our resources on AWS secure, we are trying to block access to the internet for our EC2 instances unless we explicitly need it. We have one EC2 instance (Ubuntu) running that we want to install the AWS cloudwatch agent on. The default way to do this is to use wget to download the installation files from an s3-internal address (as seen in the linked article).
We now want to replace the public access our EC2 instance has to the internet with VPC endpoints. I created an interface endpoint for global S3 access and S3 access in our region each. Optimally, the EC2 instance would now connect through our endpoint to the S3 bucket to download the resources from the AWS address.
How can I now access the files from my EC2 instance using wget? The article lists an url option for the global s3 access and another url for regional S3 access, but I can not get a connection using either. Here's a few examples of urls I tried:
wget https://accesspoint.s3-global.amazonaws.com/amazoncloudwatch-agent/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
wget https://s3.vpce-123456.s3.eu-central-1.vpce.amazonaws.com/amazoncloudwatch-agent-eu-central-1/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
wget https://amazoncloudwatch-agent-eu-central-1.vpce-123456.s3.eu-central-1.vpce.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
Note that accesspoint.s3-global.amazonaws.com is the internal private DNS entry created by the global s3 service endpoint (automatically), and *.vpce-123456.s3.eu-central-1.vpce.amazonaws.com is an example for one of the DNs entries created by the regional S3 service endpoint.
Make sure that you have updated the route table of your subnet. Add the rule that routes the traffic to the endpoint gateway (since we are talking about S3).
I have my web app, written in vue, and deployed on S3 using static website hosting.
I also have an EC2 instance setup which will serve as the backend for my app.
My question is, I'd like to restrict access to the EC2 instance to only requests coming from the site hosted on S3. Is that possible?
I see in the security group for the EC2 instance, I can specify the inbound traffic rule to limit from a specific IP address. However I'm not sure how I can limit it to traffic from a particular domain
The S3 app speaking to your backend will actually be using the end users internet connection in order to communicate, so you cannot use a security group to prevent this access if your application should be available publicly.
You can however lock it down so that the application can only be called from valid domain(s) only.
To do this would need to be able to control traffic by the referer header, which would require you to configure an AWS WAF and add a rule set to allow where the referer header is your domain. Then for default logic it would need to block it.
To use a WAF it would need to attached to one of the following resources:
Application Load Balancer
CloudFront
API Gateway
The resource would sit in front of the EC2 host.
For more information take a look at the How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking blog post.
I am spinning a new EC2 instance on demand using AMI by script using Java SDK from here at http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/welcome.html
I am hosting rest API's on the newly spun EC2 instance from AMI on port 8000. I want to access instance from IP only as I will spinning many instances from base AMI when needed and will be destroying when not needed.
I want to call this API's from another web application which is hosted under HTTPS. I know it will not allow me to hit HTTP from HTTPS due to Mixed Content.
After some research, I found AWS provides ACM-Server Certificates service which can be applied to EC2. Ref http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-iam-server-certificates.html
But it works with services integrated with ACM as per document saying at below link
http://docs.aws.amazon.com/acm/latest/userguide/acm-services.html >>
You cannot install an ACM Certificate directly on your website or
application. You must install your certificate by using one of the
services integrated with ACM. For more information about these
services, see Services Integrated with AWS Certificate Manager.
Elastic Load Balancing
Amazon CloudFront
AWS Elastic Beanstalk
Amazon API Gateway AWS
CloudFormation
But I am not using any of above-mentioned services. Is there any way to achieve this and install SSSL on EC2 ip using script ?
This is a common question, because AWS ACS certificates are free.
Thus, to avoid using such certificates with other services than AWS ones, AWS never discloses the associated private keys to its customers.
To let the https server on your EC2 instance use such a certificate, AWS should give you the private key, for you to configure the https server itself.
This is why you can not use an ACS certificate with your EC2 instance. You need to configure an Elastic Load Balancing instance in front of it, so that AWS provides this ELB with your certificate and private key (or provide an HSM with this private key and connect this HSM to the ELB front-end).
Note that using an ELB instance in front of your EC2 instance, in order to be able to use a free certificate from the AWS ACS service, is probably a bad idea: certificates are often cheaper (depending on their type and duration, of course) than the ELB cost overhead.
Note that Let'sEncrypt (https://letsencrypt.org/) can provide your EC2 instance with free DV (domain validated) certificates. You just need to install the Certbot ACME client, since you have shell access to your EC2 instance.
AWS has come up with a new service AWS Certificate Manager. One thing I got from the description is that if we are using this service we don't have to pay for the certificate anymore.
They are providing certificates for Elastic Load Balancer (ELB) and CloudFront, but I didn't find EC2 anywhere.
Is there any way to use the certificate with EC2?
Q: Can I use certificates on Amazon EC2 instances or on my own servers?
No. At this time, certificates provided by ACM can only be used with specific AWS services.
Q: With which AWS services can I use certificates provided by ACM?
You can use ACM with the following AWS services:
• Elastic Load Balancing
• Amazon CloudFront
• AWS Elastic Beanstalk
• Amazon API Gateway
https://aws.amazon.com/certificate-manager/faqs/
You can't install the certificates created by Amazon Certificate Manager (ACM) on resources you have direct low-level access to, like EC2 or servers outside of AWS, because you aren't provided with access to the private keys. These certs can only be deployed on resources managed by the AWS infrastructure -- ELB and CloudFront -- because the AWS infrastructure holds the only copies of the private keys for the certificates that it generates, and maintains them under tight security with auditable internal access controls.
You'd have to have your EC2 machines listening behind CloudFront or ELB (or both, cascaded, would also work) in order to use these certs for content coming from EC2... because you can't install these certs directly on EC2 machines.
No, you cannot use aws certificate manager for deploying certs on EC2. The certificate manager certs can only be deployed against cloudfront and elastic load balancer. Inoredr to use it on ec2, you need to put elb on top of ec2, so that request from client to load balancer will be https protected and from elb to ec2 webserver will be on http.
If you are using AWS ACM Cert for internal purpose only then you could probably use AWS ACM Private CA to issue the certs.(I think you can use it for public/external traffic purpose as well if your root CA is publicly trusted CA).
https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaGetStarted.html
During Application/EC2/Container startup, set a step to export your ACM Private CA issued Cert/Private Key to your destination and start referring that for serving the traffic.
https://docs.aws.amazon.com/cli/latest/reference/acm/export-certificate.html
One good thing is, you can control who can call export cert feature using IAM Role so not everyone can download private key of the cert.
One downside with this is, private CA is expensive AWS service($400/month).
https://aws.amazon.com/certificate-manager/pricing/
Adding to the comments above, you can't use the AWS Certificate Manager for this, but you can add a Let's Encrypt certificate to ec2 on a Windows server running IIS and it's pretty easy:
Associate an elastic ip with your ec2 instance.
Make sure you have a registered domain. You can't use ec2----------.us-east-1.compute.amazonaws.com type names that come with your instance.
Through your domain provider's DNS settings have your domain point to your Elastic IP.
Connect to your ec2 instance and add your domain name to the site bindings.
Go to https://github.com/PKISharp/win-acme/releases
Look under assets, and use the latest version (win-acme.v2.0.10.444.zip for example). This is the only assets folder that you need.
Unzip the folder, open the terminal as administrator, and cd into the unzipped folder.
Run wacs.exe and follow the prompts.
Make sure the security group assigned to your instance allows traffic (at the very least your own IP) through the HTTPS port you chose in IIS; this is port 443 by default.
I found the links below helpful when I was figuring this out. Here is a video using an earlier release if you need more help, but it's the same idea.
https://www.youtube.com/watch?v=fq5OUOjumuM
Also this article might be helpful:
https://weblog.west-wind.com/posts/2016/feb/22/using-lets-encrypt-with-iis-on-windows