I try to use one AWS EC2 instance to start another EC2 instance automatically so that it could be started automatically if this monitoring EC2 instance keeps running. I could use SSH to connect to my instance . However ,when I try to use ec2-start-instance . I failed with following bugs:
The instance ID 'i-XXXXXXXX' does not exist
These two instances are in different availability zone so I think it is networking settings problem but I don't know how to solve it.Anyone could help me?
I suspect your answer lies in Roles. i.e. Account A's EC2 instance needs to have a Role Right on Account B to start EC2 instances in Account B. And it needs to somehow be assigned this role. Not sure that's possible?
Check into:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
"The access policy for the role specifies what the role allows someone to do. For example, you could specify that the role allows someone to manage only your Amazon EC2 and Amazon RDS resources but not your IAM users or groups. In our sample scenario, you use the access policy to give Example Corp read-only access to all of the resources in your account."
#Mark B
I fixed because I used the wrong credentials. One AWS account was set up for my personal website and the other was other uses so I considered using this continuously running instance to do something for me.
Thank you
Related
I have approximately 40 Windows EC2 instances running at the moment. This number will start to grow substantially in the next few months. Each one is a t2.small Windows 2016 Server instance. Cost is starting to become an issue as the number increases. Each instance has its own Elastic IP address because when user Tom wants to access his machine he will use the DNS tom.mydomain.com.
tom.mydomain.com is registered in a Route53 hosted zone pointing to Elastic IP 22.33.44.55 which has been associated with Tom's EC2 instance.
Problem is that Tom only needs to use his machine 4 hours per day. When not using it he simply shuts the machine down. But... An Elastic IP that is pointing to a stopped instance costs almost as much per hour as a t1.micro instance in a running state.
So what I want to do is when Tom logs into AWS console and starts his EC2 instance, it will automatically register itself with Route53 against the DNS "tom.mydomain.com".
In short I want to do away with the need for Elastic IPs which are fast becoming a very substantial cost.
The tutorial Auto-Register EC2 Instance in AWS Route 53
looks like it does exactly what I want to do. The problem is the scripting is for Linux. I want to get it working for Windows. I have everything done down to step 6 in the tutorial but am stuck there. Any one get something similar to this working on Windows?
I would recommend:
Create a web-based front-end where your users can authenticate and request access to their Amazon EC2 instance
You could use Amazon Cognito for authentication and DynamoDB for data storage
Once the user authenticates, the service can:
Start their EC2 instance (if it was previously stopped)
Associate the random public IP address to the customer's domain name
Tell the user that the instance is now available
Users login to the instance and perform their work function
You then have some mechanism (I'm not sure what) that detects that they no longer need the instance, and then Stops the instance to save costs
The above process avoids assigning IAM credentials to your users. While IAM credentials are important for staff members who work on your AWS infrastructure, they should not be assigned to end-users of your service.
The process also avoids assigning IAM permissions to each EC2 instance. While the instances themselves could call Route 53 to update a record for their domain name, this requires an IAM Role to be assigned to the EC2 instance. If your users have access to the instance itself, this would potentially open a security hole where they could call Route 53 with incorrect data, such as assigning other users' domain names to their own instance.
It's worth mentioning that the above recommendations mirror the way that Amazon WorkSpaces operates — users authenticate, their instance is started and after a period of non-use the instance is stopped.
I will recommend use of cloudformation template. Cloudformation can create EC2 and then attach it to route53 url. So when tom like to use the EC2 instance, he have to run the stack in Cloudformation. Once he finished he have to go back to cloudformation and destroy the stack.
Yes Cloudformation would be a recommended approach. You can try cloudkast which is an online cloudformation template generator. It will make your task of creating cloudformation template very easy and effortless
I have several EC2 instances in my AWS amazon account. I have one specific EC2 instance that I want an outsourcer to use (stop,start, manage security group, resize disk space, etc).
I tried to do it with IAM policies, but from what I see, the DescribeInstances allows the user to see all instances in my account. And when I try to edit the policy for a specific resource it shows error because it DescribeInstances is not a resource-level policy, so it must have Resource '*'.
I was thinking maybe allow him access to a different region, and put the instance there. Another option is using organizations (a little complex, but looks promising, would be happy to understand if this is the way to go).
Am I missing something? What is the best solution to achieve what I need?
If you want to give the outsourcer permission to call AWS services in your account, then from a security perspective, it would be much safer to put those resources in a child account.
That way, you are guaranteed that their credentials are not able to impact any of your other resources and services.
The alternative would be way too complex to manage. For example, security groups can be associated with many instances and one instance can have many security groups. That would not be possible to code within an IAM policy.
I am member of an organisation account in AWS. I have created two EC2 instance in us-east-1 region. But other team members are not able to see this EC2 instance in Management console.
Since infrastructure or assets is managed by a team and not individuals we need to have a team view for all that is in use. The admin users should have ability to view any instance, that is what we want to achieve here. The problem is at present the user who created the EC2 instance is the only user who is able to see EC2 instance in console.
Below is the account details as it gets displayed in AWS Management Console -
Below is the screen shot which confirms that the user belongs to an organisation -
Can any one suggest how can this be achieved?
If users have the ability to view any instances in the EC2 management console, then they will see all instances in the console.
If they can see some instances (which proves they have the right permission to view instances), but some instances are not appearing then the problem might be one of:
The 'missing' instance was launched in a different account
The 'missing' instance was launched in a different region than you are viewing in the console
There is a filter active on the listing that is limiting the instances shown
You could also try using the AWS Command-Line Interface (CLI) aws ec2 describe-instances command to list instances to verify that the same information is returned for different credentials. (That is, run it as different users and compare the output.)
Bottom line: You should either see them all or see none (due to insufficient permissions to list instances). It is not possible to only view some.
After I initiated an Amazon ECS following their tutorial (But I don't recall there is one step that asks me for the key-pair information.)
After I set it up, I found that there is an extra EC2 in my EC2 instance list that starts to charge me money. I wonder what that EC2 is doing.
Is it the EC2 that is associated with ECS that I can start to build my own server on?
If so, how can I log into it? (There is no key-pair information for me to log in. It says I need to log in via valid username-password pair, but I don't even know my username.)
If not, how can I kill it? (Directly terminating it in EC2 service is not helping since it seems ECS will just start another one)
The username will be ec2-user. ECS creates a launch configuration in which you can set key pair
ECS creates an autoscaling group you can find it under ec2/autoscaling/home you can edit this group and set min and desired to 0 this will shut down the instance automatically.
I have an aws instance running on one account A. Then I wanted to transform everything on that account to another aws account B. Here's what i did, i create an AMI (private) for A and shared it with account B by adding permissions. Then I used the shard AMI created another instance running on account B.
Now is it safe to shut down the running instance on account A? Cause I no longer want to use that account.
Or what further steps do I need?
Thanks,it's really a hurry !
Yes, that's all the steps you need to do. Now you can safely remove the EC2 instance and the AMI from account A, account B won't be affected.