Installing Amazon Inspector Service - amazon-web-services

I'm about to install and use Amazon Inspector. We have many EC2 instances behind ELB. Plus some EC2 instances are opened via Auto-Scale.
My question: Is the Amazon Inspector doing its work locally or globally, meaning is the monitoring being made on the instance that it is installed on or can it be configured to include all the instances of the infrastructure?
If Inspector should be applied on every EC2 instance, can the Auto-Scale be configured to open the new instances with Inspector already installed on them, and if yes, how can I do that?

I asked a similar question on the Amazon forum but got no response.
In the end I used the following feature to customise the EC2 instances that my application gets deployed to:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-ec2.html
Basically off the root of your .war file you need a folder named '.ebextensions' and in there a .config file containing some commands to install the Inspector client.
So my file 'inspector-agent.config' looks like this:
# Errors get logged to /var/log/cfn-init.log. See also /var/log/eb-tools.log
commands:
  # Download the agent installation script
  "01-agent-repository":
    command: sudo wget https://inspector-agent.amazonaws.com/linux/latest/install
  # Run the installation script
  "02-run-installation-script":
    command: sudo bash install
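The config above runs whatever the download returns. As an added example (not the answer's own config), the script below performs the same bootstrap but refuses to execute the installer unless its SHA-256 matches a digest you pinned out of band; the installer URL is the one the answer uses, and EXPECTED_SHA256 is a placeholder you must replace with the digest you verified yourself.

```shell
#!/bin/sh
# Added example (not the answer's own config): download the Inspector agent
# installer, verify a pinned SHA-256 digest, and only then execute it.
# EXPECTED_SHA256 is a placeholder; replace it with the digest you verified.
set -eu

INSTALLER_URL="https://inspector-agent.amazonaws.com/linux/latest/install"
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_PINNED_SHA256}"   # placeholder

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only when the file's digest equals the expected one.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# Execute an installer only after its digest has been verified. On mismatch
# nothing is run and the function fails, so cfn-init reports the error.
run_verified_installer() {
  installer=$1; expected=$2
  if ! verify_sha256 "$installer" "$expected"; then
    echo "digest mismatch for $installer; refusing to execute" >&2
    return 1
  fi
  bash "$installer"
}

main() {
  workdir=$(mktemp -d)
  trap 'rm -rf "$workdir"' EXIT
  wget -q -O "$workdir/install" "$INSTALLER_URL"
  run_verified_installer "$workdir/install" "$EXPECTED_SHA256"
}

# Fetch and install only when invoked with --run, so the functions above can
# be sourced or tested without touching the network.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Drop the script next to the .ebextensions config and call it from a single `command:` with `--run`; the `sudo` in the answer's config is not needed because .ebextensions commands already run as root. If the vendor publishes a signature for the installer script, checking that is preferable to a self-pinned digest, since a pinned digest must be refreshed whenever the published script changes.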

I've found the answer and the solution: you have to install Amazon Inspector on each EC2 instance in order to inspect them all using Amazon Inspector.
About the Auto-Scale, I've applied Amazon Inspector on the main EC2 servers and took an image from them (after inspecting all the EC2s and fixing all the issues). Then I've configured the Auto-Scale to launch from the new AMIs (the inspected AMIs).

Related

Install software on multiple ec2 instances along with json file

I need to install Fire Eye in multiple ec2 instances in my AWS account, all running Windows Server 2012. I have the installer msi and could do it using Distributor in SSM. However there is a json file that needs to be in the same folder as the msi file when software is being installed. This doesn't seem to be supported by Distributor.
Can anyone help me out with how this can be done, short of logging in to every server and installing it manually after copy pasting the json and msi file in one folder?
Usually for ad-hoc execution of commands on a fleet of instances you would use AWS Systems Manager Run Command:
Administrators use Run Command to perform the following types of tasks on their managed instances: install or bootstrap applications, build a deployment pipeline, capture log files when an instance is terminated from an Auto Scaling group, and join instances to a Windows domain, to name a few.
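Run Command can execute arbitrary PowerShell, so the Distributor limitation can be sidestepped by staging the MSI and its JSON side by side before calling msiexec. The script below is an added example, not part of the answer above; it assumes the two files sit in an S3 bucket the instance profile is allowed to read, that the AWS Tools for PowerShell (`Read-S3Object`) are present as they are on AWS Windows AMIs, and that the bucket, keys, tag and staging directory are placeholders you replace.

```shell
#!/bin/sh
# Added example, not from the answer above: one Run Command invocation of the
# AWS-managed AWS-RunPowerShellScript document that stages the MSI and its
# JSON next to each other on every targeted Windows instance, runs msiexec,
# and propagates msiexec's exit code so failed instances show up as failed.
# Bucket, keys, tag and staging directory are placeholders (assumptions).
set -eu

BUCKET="${BUCKET:-my-installer-bucket}"              # placeholder
MSI_KEY="${MSI_KEY:-fireeye/agent.msi}"              # placeholder
JSON_KEY="${JSON_KEY:-fireeye/agent_config.json}"    # placeholder
TARGET_TAG="${TARGET_TAG:-Role}"                     # placeholder tag key
TARGET_VALUE="${TARGET_VALUE:-windows-fleet}"        # placeholder tag value

# Build the "commands" parameter for AWS-RunPowerShellScript as JSON. Each
# element is one PowerShell line; Windows paths need doubled backslashes in
# JSON, so the heredoc writes "\\\\" to produce "\\" in the output.
build_parameters() {
  bucket=$1; msi_key=$2; json_key=$3
  msi_name=$(basename "$msi_key"); json_name=$(basename "$json_key")
  stage='C:\\ProgramData\\staging\\fireeye'   # placeholder staging directory
  cat <<EOF
{"commands": [
  "New-Item -ItemType Directory -Force -Path '$stage' | Out-Null",
  "Read-S3Object -BucketName '$bucket' -Key '$msi_key' -File '$stage\\\\$msi_name' | Out-Null",
  "Read-S3Object -BucketName '$bucket' -Key '$json_key' -File '$stage\\\\$json_name' | Out-Null",
  "\$p = Start-Process msiexec.exe -ArgumentList '/i','$stage\\\\$msi_name','/qn','/l*v','$stage\\\\install.log' -Wait -PassThru; exit \$p.ExitCode"
]}
EOF
}

# Send the command to every instance carrying the tag, rolling out to at most
# 10% of targets at a time and stopping after the first failure.
send_to_fleet() {
  params=$(mktemp)
  build_parameters "$BUCKET" "$MSI_KEY" "$JSON_KEY" > "$params"
  aws ssm send-command \
    --document-name "AWS-RunPowerShellScript" \
    --targets "Key=tag:$TARGET_TAG,Values=$TARGET_VALUE" \
    --parameters "file://$params" \
    --max-concurrency "10%" \
    --max-errors "1" \
    --comment "FireEye agent rollout"
  rm -f "$params"
}

if [ "${1:-}" = "--send" ]; then
  send_to_fleet
fi
```

The instance profile only needs `s3:GetObject` on the two keys (plus the SSM agent's usual permissions), which is narrower than handing every server credentials to the whole bucket; the `/l*v` log left in the staging directory is what you read back through `ssm get-command-invocation` when an instance reports a non-zero msiexec exit code.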

Should multiple ec2 instances share an EFS or should code be downloaded to instance on spin-up?

I am playing around with the idea of having an Auto Scaling Group for my website that receives a lot of traffic. I need each server to be running an identical webservice, so I have come up with several ideas to make this happen.
Idea 1: Use Code Commit + User Data
I will keep my webserver code in a git repo in CodeCommit. Then, when my EC2 instances spin-up, they will install apache2, and then pull from the git repo.
Idea 2: Use Elastic File System
After a server spins up, it will mount to one central EFS that has my webserver code on it. EC2 will install apache2 then use EFS to get the proper php files etc.
Idea 3: Use AWS S3
Like above with apache2, but then download webserver code from s3.
Which option is advised? Why?
I suggest you have a reference machine which is used for creating images. Keep it updated with the latest version of your code and when you are happy with it, create an image out of it, update your launch configuration, and change the ASG configuration so that it uses it. You can then stop the reference machine and leave the job to the ASG instances.

Where are AWS CodeDeploy Deployment logs found?

I can see the logs in the AWS Console under Codedeploy, when I select the deployment and then click choose events, but they appear to be truncated. If I SSH into the instance, where are those codedeploy deployment logs located?
I see logs in /var/log/aws/codedeploy-agent, but the logs there don't match what's in CodeDeploy.
I'm running on Amazon Linux.
I've figured it out. The deployment logs are found in:
/opt/codedeploy-agent/deployment-root/deployment-logs/codedeploy-agent-deployments.log
Each deployment also keeps its logs in:
/opt/codedeploy-agent/deployment-root/88f9d1cf-4ee4-4b0c-9458-b1d41b8d4b48/d-TTUV9E8BG/logs/script.log where 88f9d1cf-4ee4-4b0c-9458-b1d41b8d4b48/d-TTUV9E8BG is different for each deployment.
On windows this appears to be:
C:\ProgramData\Amazon\CodeDeploy\<DEPLOYMENT-GROUP-ID>\<DEPLOYMENT-ID>\logs\scripts.log
Source: https://github.com/aws/aws-codedeploy-agent/issues/8
Linux Deployment Logs (Not the same as original answer):
/var/log/aws/codedeploy-agent/codedeploy-agent.log
Linux Script Logs:
/opt/codedeploy-agent/deployment-root/deployment-group-ID/deployment-ID/logs/scripts.log
https://docs.aws.amazon.com/codedeploy/latest/userguide/deployments-view-logs.html
If you've found this question and you're looking for Windows logs, they are next to the userdata logs, in
C:\ProgramData\Amazon\CodeDeploy\log\
C:\ProgramData\Amazon\CodeDeploy\deployment-logs\codedeploy-agent-deployments.log
The \log\ folder contains the logs for the agent itself, showing that it's running and checking for updates. The deployment-logs folder contains the output of the deployment scripts; that's probably the one you want.
(ProgramData is a hidden folder that requires administrative permissions.)
Log in to your EC2 instance with the command
ssh -i {KeyPair.pem - location of your key file here} ec2-user@10.xxx.xx.xxx {your instance IP here}
Go to the location below; you will have the logs here:
/opt/codedeploy-agent/deployment-root/deployment-logs/codedeploy-agent-deployments.log
Use the command
cat codedeploy-agent-deployments.log
With this you can open the log file in the command line itself if your EC2 is a Linux instance and you are working on Linux.
Copy it and paste it somewhere on your local machine so you can further explore the logs without any hassle.
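The answers above list the same paths in slightly different spellings (script.log versus scripts.log) and with per-deployment directory names that change every time. As an added example, not from any of the answers, the script below resolves those paths for one deployment ID on a Linux instance; ROOT is a parameter only so the functions can be exercised against a constructed directory tree, and the default paths are the ones the answers give.

```shell
#!/bin/sh
# Added example, not from any answer above: locate the CodeDeploy agent log,
# the aggregate deployment log and the per-deployment script output for one
# deployment ID (d-XXXXXXXXX) on a Linux instance. Paths follow the answers.
set -eu

AGENT_LOG="/var/log/aws/codedeploy-agent/codedeploy-agent.log"
ROOT="${ROOT:-/opt/codedeploy-agent/deployment-root}"

# Per-deployment script output lives under
# <root>/<deployment-group-id>/<deployment-id>/logs/. Both file names seen in
# the answers (scripts.log and script.log) are tried.
deployment_script_log() {
  root=$1; dep_id=$2
  for f in "$root"/*/"$dep_id"/logs/scripts.log "$root"/*/"$dep_id"/logs/script.log; do
    if [ -f "$f" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  echo "no script log for deployment $dep_id under $root" >&2
  return 1
}

# List deployment IDs found under the root, newest first by directory mtime,
# for when the console only shows a truncated event view.
list_deployments() {
  root=$1
  ls -1dt "$root"/*/d-*/ 2>/dev/null | sed 's#/$##; s#.*/##' | grep '^d-' || true
}

# Print the tail of the agent log and of the aggregate deployment log, then
# the full script output for the deployment: the order the answers suggest.
show_deployment_logs() {
  dep_id=$1
  for f in "$AGENT_LOG" "$ROOT/deployment-logs/codedeploy-agent-deployments.log"; do
    if [ -f "$f" ]; then
      echo "== $f"
      tail -n 50 "$f"
    fi
  done
  script_log=$(deployment_script_log "$ROOT" "$dep_id")
  echo "== $script_log"
  cat "$script_log"
}

if [ "$#" -gt 0 ]; then
  show_deployment_logs "$1"
fi
```

Run it as root (or a user in a group that can read /opt/codedeploy-agent) with the deployment ID from the console; copying the resulting files off the instance, as the answer above suggests, is safer than giving a wider audience shell access to the box just to read logs.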

Using Cloudwatch log service with older AMIs

I want to use cloudwatch log service for the programs running on older AMIs (2008-2010). Is there a way I can install it on such machines?.
A workaround which I could think of, is to copy log files from these AMIs to the latest AMI with log service installed and upload the logs from there. But the downside is that I will end up paying cost for data transfer. Is there any alternate better way?
When Henry Hahn, in his Amazon Deep Dive CloudWatch presentation, says "I am gonna do a direct install", you find what you need:
$ wget https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-setup.py
$ sudo python awslogs-agent-setup.py --region eu-west-1
(the --region can differ in your case)
Accept the defaults.
It shall install a service called awslogs, which can be started/stopped as any other service.
Configuration file can be found at /var/awslogs/etc/awslogs.conf
For me, this worked for my Debian Jessie notebook which is definitely not an EC2 instance, so it shall work for your older EC2 instance as well.
I expect, this will work for RPi instance too (planning to try soon).

AWS Elastic Beanstalk . Execute .ebextensions commands only on new Instance or Manually

I have configured my .ebextensions folder to download and install a Windows service on the leader EC2 instance.
The problem is that every time I want to update to a new version of the web application (not the Windows service), those commands execute again and try to reinstall the service.
On the other side, every time I want to update only the Windows service, I have to do the work manually through SSH or RDP, or redeploy the whole application, which triggers the .ebextensions commands.
Is there a more elegant workflow for this that I am skipping?
You are encountering Elastic Beanstalk's weakest link. You host two different services on the same EB instance, which is unsupported by EB (which is lame, I agree).
I resolved the "setup only once" need by appending a test to the setup extension config file. In my case it's a Linux box, but you can do something similar:
commands:
  10_setup_win_service:
    test: test ! -f /opt/elasticbeanstalk/.post-provisioning-complete
    command: <...>
Now to complete this hack I have a file called .ebextensions/99_finalize_setup.config:
commands:
  99_write_post_provisioning_complete_file:
    command: touch /opt/elasticbeanstalk/.post-provisioning-complete
This approach ensures the win service is installed only once.
Now for your maintenance issue of the win service, you cannot use the EB toolset for that. Your understanding of the options here are correct - either use SSH to automate the work, or do it manually by logging into the server.
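The marker-file guard in the answer above works, but because the marker is written by a separate 99_ config it is created even when the install step failed, and the failure is then never retried. As an added example, not from the answer, the function below implements the same "run once per instance" guard for any bootstrap script and writes the marker only after the guarded command succeeds; MARKER_DIR reuses the answer's location and is otherwise an assumption.

```shell
#!/bin/sh
# Added example, not from the answer above: the "run only once per instance"
# guard as a reusable shell function. The marker is written only when the
# guarded command succeeds, so a failed install is retried on the next
# deployment instead of being skipped forever. MARKER_DIR is an assumption.
set -eu

MARKER_DIR="${MARKER_DIR:-/opt/elasticbeanstalk}"   # answer's path; assumption elsewhere

# run_once <marker-file> <command...>: skip when the marker exists, otherwise
# run the command and create the marker on success. Returns the command's
# exit status so the calling deploy step fails visibly.
run_once() {
  marker=$1; shift
  if [ -f "$marker" ]; then
    echo "skip: $marker present, $1 already ran on this instance" >&2
    return 0
  fi
  if "$@"; then
    touch "$marker"
  else
    status=$?
    echo "$1 failed with status $status; marker not written" >&2
    return "$status"
  fi
}

# Example use: install the service on first provisioning only. The install
# command here is a stand-in for the real installer invocation.
if [ "${1:-}" = "--provision" ]; then
  run_once "$MARKER_DIR/.post-provisioning-complete" sh -c 'echo "installing service"'
fi
```

Because a new instance started by an Auto Scaling group has no marker, it still gets the service installed, while redeploys of the web application on existing instances skip the step, which is exactly the split the question asks for; updating the service itself remains a separate job, as the answer says.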