Operations Playbook Template

The Operations Playbook provides detailed instructions on various AWS operations, including connecting to EC2 instances, using the AWS CLI, modifying policies, and managing resources like S3 buckets and RDS instances. It covers troubleshooting techniques, backup processes, and setting up monitoring with CloudWatch. The document serves as a comprehensive guide for performing essential tasks in AWS environments.

Uploaded by hectorrichard352

Operations Playbook

Mike Stewart

6th Dec, 2024

IFT 562
Contents
How to connect to the Mom & Pop Cafe Test EC2 instance
How to use the AWS CLI to connect to your AWS account
How to make a modification to the lab policy using the AWS CLI
How to add a parameter to the parameter store for allowing cookies on the website
How to connect to an EC2 instance to describe instances
How to launch an EC2 instance
How to fix a misconfigured web server with (________) issue
How to change the AMI instance on the create-lamp-instance.sh script
How to tail a log in Linux
How to create an Auto Scaling Group in the AWS UI
How to create a Route 53 health check
How to create an Amazon RDS instance using the CLI
How to collect information about an instance
How to create two subnets in a subnet group via the AWS CLI
How to use the mysqldump tool to take a backup of a SQL database and restore it on another SQL instance
How to enable VPC Flow Logs via the command line interface
How to troubleshoot network connectivity on an instance
How to take a snapshot of an EBS volume
How to synchronize files using the command line (aws s3api and aws s3)
How to create a S3 bucket via the CLI
How to add an event notification to a S3 bucket
How to install the CloudWatch Agent
How to create a CloudWatch Events/CloudWatch EventBridge notification rule
How to use the prebuilt stopinator script to turn off instances with the tag value of your full name
How to resize an EC2 instance using the AWS CLI
How to detect drift in a CloudFormation template
How to create an Amazon Athena table
How to manually review access logs to find anomalous user activity
How to create a batch file to update the café website to change its colors
How to create a Lambda Layer and add it to a Lambda function
How to create a Lambda function from a prebuilt package
How to setup a VPC
How to add a bastion host (Linux) to the public subnet of a VPC to connect to instances in the private subnet
How to setup IAM so a user can assume an IAM role to access a resource
How to setup AWS Config to monitor resources
How to add inbound rules to both security groups and network ACLs
How to encrypt the root volume of an existing EC2 instance
How to create a SNS topic
How to subscribe to a SNS topic
How to create a CloudWatch alarm using a metrics-based filter


How to connect to the Mom & Pop Cafe Test EC2 instance
1. Ensure you have a copy of the ppk/pem file used to authenticate with your instance
2. Open PuTTY and configure the connection with the following settings
3. Connection - Seconds between keepalives - set to 30
4. Add the public IPv4 address of the EC2 instance to the hostname field
5. Add the ppk/pem file to the connection
6. Click on open and use the user "ec2-user" to connect to the instance

How to use the AWS CLI to connect to your AWS account


1. Install the AWS CLI if not already installed.
2. Run the command: aws configure
3. Enter your Access Key ID, Secret Access Key, Region, and Output Format when prompted.
4. Verify connection by running: aws sts get-caller-identity
How to make a modification to the lab policy using the AWS CLI
1. Identify the policy ARN with: aws iam list-policies
2. Download the current policy document:
   aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
3. Edit the downloaded policy file.
4. Apply the updated policy as a new default version:
   aws iam create-policy-version --policy-arn <policy-arn> --policy-document file://updated_policy.json --set-as-default
   (A managed policy keeps at most five versions; if this command reports the limit, delete an old version with aws iam delete-policy-version first.)

How to add a parameter to the parameter store for allowing cookies on the website
aws ssm put-parameter \
  --name "/website/allowCookies" \
  --value "true" \
  --type "String" \
  --overwrite

How to connect to an EC2 instance to describe instances


1. aws ec2 describe-instances --instance-ids <instance-id>

How to launch an EC2 instance


1. aws ec2 run-instances \
     --image-id <ami-id> \
     --count 1 \
     --instance-type <instance-type> \
     --key-name <key-name> \
     --security-group-ids <sg-id> \
     --subnet-id <subnet-id>

How to fix a misconfigured web server with (________) issue


1. Connect to the EC2 instance hosting the web server.
2. Diagnose the issue with relevant log files (e.g., /var/log/httpd/ for Apache).
3. Update the server configuration files (e.g., /etc/httpd/conf/httpd.conf for
Apache).
4. Restart the web server: sudo systemctl restart httpd
How to change the AMI instance on the create-lamp-instance.sh script
1. Locate the line in the script that specifies the AMI ID: AMI_ID="<old-ami-id>"
2. Replace the AMI ID with the new one: AMI_ID="<new-ami-id>"

How to tail a log in Linux


1. tail -f /path/to/log/file.log

How to create an Auto Scaling Group in the AWS UI


1. Go to the EC2 Dashboard in AWS.
2. Under "Auto Scaling," click Create Auto Scaling group.
3. Specify the Launch Template or Configuration.
4. Configure the group size and scaling policies.
5. Specify networking settings (VPC, subnets).
6. Add notifications and review settings.
7. Click Create Auto Scaling Group.

How to create a Route 53 health check


1. Open the Route 53 Console.
2. Go to Health Checks and click Create health check.
3. Specify a name and configure the health check (protocol, domain name/IP, port, path).
4. Set health check thresholds.
5. Review and click Create Health Check.

How to create an Amazon RDS instance using the CLI


1. aws rds create-db-instance \
     --db-instance-identifier <identifier> \
     --db-instance-class <instance-class> \
     --engine <engine> \
     --allocated-storage <size-in-gb> \
     --master-username <username> \
     --master-user-password <password> \
     --vpc-security-group-ids <sg-id>

How to collect information about an instance


1. aws ec2 describe-instances --instance-ids <instance-id>

How to create two subnets in a subnet group via the AWS CLI
1. aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block <subnet1-cidr-block> --availability-zone <az1>
2. aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block <subnet2-cidr-block> --availability-zone <az2>
How to use the mysqldump tool to take a backup of a SQL database and restore it on another
SQL instance
Backup the database:
mysqldump -u <user> -p <database_name> > backup.sql

Copy the backup file to another instance (if needed):
scp backup.sql user@destination:/path/to/backup.sql

Restore the database on the new instance:
mysql -u <user> -p <database_name> < backup.sql

How to enable VPC Flow Logs via the command line interface
Steps:

1. Create an S3 bucket to store the flow logs (omit --create-bucket-configuration when the region is us-east-1):
   aws s3api create-bucket --bucket flowlog#### --region <region> --create-bucket-configuration LocationConstraint=<region>
2. Enable VPC Flow Logs:
   aws ec2 create-flow-logs --resource-type VPC --resource-ids <vpc-id> --traffic-type ALL --log-destination-type s3 --log-destination arn:aws:s3:::flowlog####
3. Verify the flow logs creation:
   aws ec2 describe-flow-logs --filter Name=resource-id,Values=<vpc-id>
How to troubleshoot network connectivity on an instance
Methods:

1. Check Security Group Settings
   aws ec2 describe-security-groups --group-ids <security-group-id>
2. Check Route Table Entries
   aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=<subnet-id>"
3. Parse and Search Network Logs (VPC Flow Logs)
   Search for rejected SSH connections (a loose match: ' 22 ' can also hit a source port or a byte count, so confirm against the dstport field):
   grep -rn ' 22 ' . | grep REJECT
4. Use nmap to Check Open Ports
   sudo yum install -y nmap
   nmap <WebServerIP>
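The grep in step 3 matches ' 22 ' anywhere in the record. The following added example (not part of the playbook) parses the default version-2 flow log field layout and counts REJECT records by source address only when 22 is the destination port, which is what "rejected SSH" actually means. The log lines, account id and ENI id are constructed placeholders.

```python
"""Count REJECTed flows to a given destination port per source address,
using the named fields of the default (v2) VPC Flow Log format.
Added example; the sample records below are constructed, not captured."""
from collections import Counter

# Default version-2 field order, as delivered to S3 or CloudWatch Logs.
FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log-status")

# Constructed sample records (account id and ENI id are placeholders).
# Line 4 has 22 as the *source* port, line 5 is a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0abc12345def67890 203.0.113.7 10.0.1.25 54321 22 6 6 360 1700000000 1700000030 REJECT OK
2 123456789012 eni-0abc12345def67890 203.0.113.7 10.0.1.25 54322 22 6 6 360 1700000031 1700000060 REJECT OK
2 123456789012 eni-0abc12345def67890 198.51.100.9 10.0.1.25 40000 22 6 20 2400 1700000000 1700000030 ACCEPT OK
2 123456789012 eni-0abc12345def67890 192.0.2.44 10.0.1.25 22 443 6 8 900 1700000000 1700000030 REJECT OK
2 123456789012 eni-0abc12345def67890 - - - - - - - 1700000000 1700000030 - NODATA
"""


def parse_record(line):
    """Return one flow record as a dict, or None for a blank/malformed line."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def rejected_by_source(log_text, dstport="22", protocol="6"):
    """Count REJECT records to dstport/protocol (default TCP/22), keyed by srcaddr.

    Matching on the dstport field avoids the false positive a bare grep for
    ' 22 ' produces when 22 is the source port or a packet/byte count.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        # NODATA / SKIPDATA records carry no 5-tuple, so they cannot match.
        if rec is None or rec["log-status"] != "OK":
            continue
        if (rec["action"] == "REJECT"
                and rec["dstport"] == dstport
                and rec["protocol"] == protocol):
            hits[rec["srcaddr"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, n in sorted(rejected_by_source(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {n} rejected SSH attempt(s)")
```

Point it at the files downloaded from the flowlog#### bucket (gunzip them first) and the per-source counts tell you whether a REJECT is one host probing or a security group rule blocking legitimate admins.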

How to take a snapshot of an EBS volume

1. Use the following command to create a snapshot of the EBS volume:

   aws ec2 create-snapshot --volume-id <VOLUME-ID>

   Replace <VOLUME-ID> with your actual EBS volume ID, which you can retrieve using the aws ec2 describe-instances command.

   Example Command

   aws ec2 create-snapshot --volume-id vol-000f3611f3327a68d

2. Use the following command to verify the snapshot creation process:

   aws ec2 describe-snapshots --filters "Name=volume-id,Values=<VOLUME-ID>"

   This will list all snapshots associated with the given volume ID.

How to synchronize files using the command line (aws s3api and aws s3)
1. Enable versioning for your S3 bucket:

   aws s3api put-bucket-versioning --bucket <S3-BUCKET-NAME> --versioning-configuration Status=Enabled

   Replace <S3-BUCKET-NAME> with the name of your S3 bucket.
   Example Command:
   aws s3api put-bucket-versioning --bucket mike-aws-bucket-2024 --versioning-configuration Status=Enabled

2. Sync files from your local directory to the S3 bucket:

   aws s3 sync <LOCAL-DIRECTORY> s3://<S3-BUCKET-NAME>/<S3-PATH>

   Replace <LOCAL-DIRECTORY> with your local folder path and <S3-BUCKET-NAME>/<S3-PATH> with your S3 bucket path.
   Example Command:
   aws s3 sync files s3://mike-aws-bucket-2024/files/

3. Verify the contents of the S3 bucket:

   aws s3 ls s3://<S3-BUCKET-NAME>/<S3-PATH>/

   Example Command:
   aws s3 ls s3://mike-aws-bucket-2024/files/
   This lists all files in the specified S3 path.

How to create a S3 bucket via the CLI


1. Open your terminal and make sure AWS CLI is configured with your credentials.
2. Run the following command to create an S3 bucket:

   Command

   aws s3 mb s3://<bucket-name> --region <region>

   Replace <bucket-name> with a unique name and <region> with the AWS region (e.g., us-east-1).

   Example

   aws s3 mb s3://my-bucket-123 --region us-east-1

How to add an event notification to a S3 bucket


1. Create a JSON file to define the event notification configuration. For example, using vi in a Linux shell:
   vi s3EventNotification.json
2. Enter the following JSON configuration in the file:
   {
     "TopicConfigurations": [
       {
         "TopicArn": "<ARN of SNS topic>",
         "Events": ["s3:ObjectCreated:*", "s3:ObjectRemoved:*"],
         "Filter": {
           "Key": {
             "FilterRules": [
               {
                 "Name": "prefix",
                 "Value": "images/"
               }
             ]
           }
         }
       }
     ]
   }

   Replace <ARN of SNS topic> with your actual SNS Topic ARN.

3. Save and close the file. If using vi, you would press ESC and type :wq.
4. Associate the event notification with the S3 bucket using the following AWS CLI command:
   aws s3api put-bucket-notification-configuration --bucket <bucket-name> --notification-configuration file://s3EventNotification.json
   Replace <bucket-name> with your S3 bucket name.
5. Example
   aws s3api put-bucket-notification-configuration --bucket my-unique-bucket-123 --notification-configuration file://s3EventNotification.json
6. Check SNS for notifications: You should receive a notification whenever objects are created or deleted in the specified folder within the bucket.
How to install the CloudWatch Agent
1. Log into AWS Management Console and navigate to Systems Manager under the Services menu.
2. In the left navigation pane, select Run Command under Node Management.
3. Choose Run a Command and select the AWS-ConfigureAWSPackage command.
4. Configure the following:
   - Action: Install
   - Name: AmazonCloudWatchAgent
   - Version: latest
5. In the Targets section, manually select the instances (such as the Web Server).
6. Click Run and wait for the status to change to Success.
7. To confirm installation, view the output and check for the message: Successfully installed arn:aws:ssm:::package/AmazonCloudWatchAgent.
How to create a CloudWatch Events/CloudWatch EventBridge notification rule
1. Log into AWS Management Console and navigate to CloudWatch.
2. In the left navigation pane, choose Rules under Events.
3. Choose Create rule.
4. Configure the following:
   - Event source: AWS services
   - AWS service: EC2
   - Event type: EC2 Instance State-change Notification
   - Select Specific state(s) and choose stopped and terminated.
5. Under Targets, select SNS topic and choose or create a topic.
6. Review the settings and choose Create rule.
7. Your rule will now send notifications when an EC2 instance is stopped or terminated.

How to use the prebuilt stopinator script to turn off instances with the tag value of your full name
Task 1: Using Tags to Manage Resources

1. Connect to Command Host (EC2) via SSH (use PuTTY for Windows or Terminal for Mac/Linux).
2. Find EC2 Instances by Tag:
   - Run this AWS CLI command to find instances with a specific project tag:
     aws ec2 describe-instances --filters "Name=tag:Project,Values=ERPSystem" --query 'Reservations[*].Instances[*].{ID:InstanceId,AZ:Placement.AvailabilityZone}'
3. Update Tags:
   - Open the tag script /home/ec2-user/change-resource-tags.sh, and run it to change the version tag:
     ./change-resource-tags.sh

Task 2: Stop and Start Instances by Tag

1. Examine the Stopinator Script:
   - Navigate to the AWS tools directory:
     cd aws-tools
   - Run the Stopinator script to stop instances tagged as development:
     ./stopinator.php -t"Project=ERPSystem;Environment=development"
2. Start the Stopped Instances:
   - Use the same script to restart:
     ./stopinator.php -t"Project=ERPSystem;Environment=development" -s

Task 3: Challenge – Terminate Non-Compliant Instances

1. Remove Environment Tags:
   - Go to the EC2 Management Console and remove the Environment tag from two instances in the private subnet.
2. Run the Termination Script:
   - Run the terminate-instances.php script with the proper region and subnet:
     ./terminate-instances.php -region <region> -subnetid <subnet-id>
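Both scripts above select instances by tag before acting on them. The following added example (not the lab's PHP scripts) implements that selection: it parses the -t "Key=Value;Key=Value" spec from Task 2 into a tag match, and the Task 3 rule of "in this subnet but missing the Environment tag". The instance records are constructed in the shape describe-instances returns; instance and subnet IDs are placeholders. Running the selection separately from the stop/terminate call lets you review the list before anything is stopped.

```python
"""Select EC2 instances by tag the way a stopinator-style script does.
Added example, not the lab's own code; instance records are constructed."""

# Constructed describe-instances style records (IDs and subnets are placeholders).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa000000000001", "SubnetId": "subnet-priv-1",
     "Tags": [{"Key": "Project", "Value": "ERPSystem"},
              {"Key": "Environment", "Value": "development"}]},
    {"InstanceId": "i-0aaa000000000002", "SubnetId": "subnet-priv-1",
     "Tags": [{"Key": "Project", "Value": "ERPSystem"},
              {"Key": "Environment", "Value": "production"}]},
    {"InstanceId": "i-0aaa000000000003", "SubnetId": "subnet-priv-1",
     "Tags": [{"Key": "Project", "Value": "ERPSystem"}]},  # Environment tag removed
    {"InstanceId": "i-0aaa000000000004", "SubnetId": "subnet-pub-1",
     "Tags": [{"Key": "Project", "Value": "Website"}]},
]


def parse_tag_spec(spec):
    """'Project=ERPSystem;Environment=development' -> {'Project': 'ERPSystem', ...}"""
    wanted = {}
    for pair in filter(None, spec.split(";")):
        if "=" not in pair:
            raise ValueError(f"bad tag pair: {pair!r}")
        key, value = pair.split("=", 1)
        wanted[key.strip()] = value.strip()
    return wanted


def tags_of(instance):
    """Flatten the Tags list into a plain dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def matching_instances(instances, spec):
    """IDs of instances whose tags contain every Key=Value pair in spec (Task 2)."""
    wanted = parse_tag_spec(spec)
    return [i["InstanceId"] for i in instances
            if all(tags_of(i).get(k) == v for k, v in wanted.items())]


def noncompliant_instances(instances, subnet_id, required_tag="Environment"):
    """IDs in subnet_id that lack required_tag (the Task 3 termination set)."""
    return [i["InstanceId"] for i in instances
            if i.get("SubnetId") == subnet_id and required_tag not in tags_of(i)]


if __name__ == "__main__":
    # Review the selection first; the real script would pass these IDs to
    # stop-instances / terminate-instances.
    print("would stop:", matching_instances(SAMPLE_INSTANCES, "Project=ERPSystem;Environment=development"))
    print("would terminate:", noncompliant_instances(SAMPLE_INSTANCES, "subnet-priv-1"))
```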


How to resize an EC2 instance using the AWS CLI
Steps to Resize an EC2 Instance
1. Stop the EC2 Instance: Replace i-1234567890abcdef0 with your instance ID.
   aws ec2 stop-instances --instance-ids i-1234567890abcdef0

2. Wait for the Instance to Stop: Check the instance state to ensure it is stopped.
   aws ec2 describe-instances --instance-ids i-1234567890abcdef0 --query "Reservations[*].Instances[*].State.Name"

3. Resize the EC2 Instance: Replace t2.micro with your desired instance type.
   aws ec2 modify-instance-attribute --instance-id i-1234567890abcdef0 --instance-type "{\"Value\": \"t2.micro\"}"

4. Start the EC2 Instance: Restart the instance after resizing.
   aws ec2 start-instances --instance-ids i-1234567890abcdef0

5. Verify the Change: Check the instance type to confirm the change was successful.
   aws ec2 describe-instances --instance-ids i-1234567890abcdef0 --query "Reservations[*].Instances[*].[InstanceId, InstanceType]"

How to detect drift in a CloudFormation template


1. Navigate to the CloudFormation Console:

Open the AWS CloudFormation Console.

2. Select the Stack:

Choose the stack you want to check for drift.

3. Initiate Drift Detection:

In the Stack Actions menu, select Detect Drift.

CloudFormation will begin the drift detection process.

4. View Drift Status:

After the detection completes, the drift status for the stack will be displayed (e.g., IN_SYNC or DRIFTED). Click on the stack to view details about which resources have drifted and how they differ from the template.

How to create an Amazon Athena table


Steps:

1. In the AWS Management Console, search for and select the CloudTrail service.

2. Navigate to Event history and choose Create Athena table.

3. Set the Storage location to your CloudTrail monitoring S3 bucket.

4. Analyze the CREATE TABLE SQL generated statement to confirm the structure.

5. Click Create table to finalize.

How to manually review access logs to find anomalous user activity


Steps:

1. Use the AWS CLI to filter through CloudTrail logs with specific commands such as:

   - To look up console logins:
     aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin

   - To check actions on security groups:
     aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::EC2::SecurityGroup --output text

   - To find the security group ID of the Cafe Web Server instance (run on the instance; the region is read from the instance metadata service):
     region=$(curl http://169.254.169.254/latest/dynamic/instance-identity/document | grep region | cut -d '"' -f4)

     sgId=$(aws ec2 describe-instances --filters "Name=tag:Name,Values='Cafe Web Server'" \
       --query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' --region $region --output text)

     echo $sgId

   - To filter events related to that security group:
     aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::EC2::SecurityGroup --region $region --output text | grep $sgId
How to create a batch file to update the café website to change its colors

1. Open a text editor (e.g., Notepad on Windows).


2. Write the following commands to replace the CSS file or relevant color configuration:

@echo off
echo Updating Café website colors...
copy /Y "new-styles.css" "C:\path\to\website\styles.css"
echo Colors updated successfully.
pause

3. Save the file with a .bat extension (e.g., update_colors.bat).


4. Run the batch file by double-clicking it or executing it in a command prompt.

How to create a Lambda Layer and add it to a Lambda function


Step 1: Create the Lambda Layer

1. Package your dependencies in a zip file:
   - For Python:
     mkdir python
     pip install requests -t python/
     zip -r layer.zip python/
2. Create the Lambda Layer in AWS:
   aws lambda publish-layer-version --layer-name my-layer --zip-file fileb://layer.zip --compatible-runtimes python3.9

Step 2: Add the Layer to a Lambda Function

1. Retrieve the Layer ARN:
   aws lambda list-layer-versions --layer-name my-layer
2. Update your Lambda function to include the layer:
   aws lambda update-function-configuration --function-name my-function --layers <layer-arn>

How to create a Lambda function from a prebuilt package


Package the code into a zip file:

Include your .py file and dependencies in the zip file:
zip function.zip lambda_function.py

Create the Lambda function:
aws lambda create-function --function-name my-function \
  --runtime python3.9 \
  --role <role-arn> \
  --handler lambda_function.lambda_handler \
  --zip-file fileb://function.zip

How to setup a VPC


Create the VPC:
aws ec2 create-vpc --cidr-block 10.0.0.0/16

Create subnets for the VPC:
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.1.0/24
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.2.0/24

Set up an Internet Gateway and attach it:
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --vpc-id <vpc-id> --internet-gateway-id <igw-id>

How to add a bastion host (Linux) to the public subnet of a VPC to connect to instances in the
private subnet
1. Launch an EC2 instance in the public subnet of your VPC.
2. Assign the instance a public IP address.
3. Install SSH and configure security groups to allow SSH access (port 22) from your IP.

How to setup IAM so a user can assume an IAM role to access a resource

Create an IAM Role:

- Create a trust policy allowing your user to assume the role:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "<user-arn>"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }

- Attach the trust policy and permissions to the role.

Allow the User to Assume the Role:

- Provide the user with the following CLI command to assume the role:

  aws sts assume-role --role-arn <role-arn> --role-session-name session1

How to setup AWS Config to monitor resources


1. Open AWS Config Console:
 In the AWS Management Console, search for Config and select AWS Config.
2. Start the Configuration:
 Click Get started if you are setting it up for the first time.
3. Set Recording Strategy:
 Choose Specific resource types.
 Select the resource you want to monitor (e.g., AWS EC2 SecurityGroup).
4. Assign an IAM Role:
 Select Choose a role from your account.
 Choose an existing role (e.g., AwsConfigRole) with the required permissions.
5. Delivery Method:
 AWS Config stores its findings in an S3 bucket. You can use the default S3 settings.
6. Review and Confirm:
 Review the setup details and click Confirm to activate AWS Config.

How to add inbound rules to both security groups and network ACLs

Create an IAM Role:

- Go to IAM Console > Roles > Create role.
- Select AWS account as the trusted entity.
- Attach a permission (e.g., S3FullAccess).
- Name the role and create it.

Create an IAM Policy to Assume the Role:

- Go to Policies > Create policy.
- Use this policy to allow the user to assume the role:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::account-id:role/RoleName"
      }
    ]
  }
  Replace account-id and RoleName.

Attach Policy to the User:

- Go to Users > Select User > Add permissions.
- Attach the new policy.

User Assumes the Role:

- The user can use the AWS CLI to assume the role with:

  aws sts assume-role --role-arn "arn:aws:iam::account-id:role/RoleName" --role-session-name "session-name"
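The two IAM sections above set up the two halves of a role assumption: the role's trust policy (who may assume it) and the user's identity policy (permission to call sts:AssumeRole on that role ARN). The added example below (not the playbook's code) checks a trust policy and an identity policy against a user ARN and role ARN and reports which half is missing, so a failed assume-role can be traced to the right document. It is a deliberately simplified model of IAM evaluation: explicit Deny wins, wildcards are honoured, and both documents must allow the call; the account id, user name and role name are placeholders.

```python
"""Check that a trust policy and an identity policy together permit
sts:AssumeRole.  Added example with a simplified evaluation model, not AWS
code; ARNs are placeholders."""
import fnmatch
import json

ACCOUNT_ID = "111122223333"  # placeholder account id
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/mike"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/S3ReadRole"

# The role's trust policy (who may assume the role), as in the first IAM section.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/mike"},
    "Action": "sts:AssumeRole"
  }]
}""")

# The identity policy attached to the user, as in the second IAM section.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111122223333:role/S3ReadRole"
  }]
}""")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    """'*', the exact ARN, or the account root (which delegates the decision
    to identity policies) count as naming the principal."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    account_root = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    return any(p in ("*", principal_arn, account_root)
               for p in _as_list(principal.get("AWS", [])))


def _statement_matches(stmt, action, resource=None, principal=None):
    """True when the statement's Action/Resource/Principal cover the request."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    if resource is not None and not any(
            fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    if principal is not None and not _principal_matches(stmt, principal):
        return False
    return True


def decide(policy, **request):
    """Explicit Deny wins, then Allow, otherwise implicit deny."""
    matching = [s for s in policy.get("Statement", []) if _statement_matches(s, **request)]
    if any(s.get("Effect") == "Deny" for s in matching):
        return "Deny"
    if any(s.get("Effect") == "Allow" for s in matching):
        return "Allow"
    return "ImplicitDeny"


def can_assume(trust_policy, identity_policy, user_arn, role_arn):
    """Return (allowed, {'trust_policy': ..., 'identity_policy': ...}).
    Simplified model: both halves must evaluate to Allow."""
    trust = decide(trust_policy, action="sts:AssumeRole", principal=user_arn)
    perm = decide(identity_policy, action="sts:AssumeRole", resource=role_arn)
    return trust == "Allow" and perm == "Allow", {"trust_policy": trust, "identity_policy": perm}


if __name__ == "__main__":
    print(can_assume(TRUST_POLICY, IDENTITY_POLICY, USER_ARN, ROLE_ARN))
```

When aws sts assume-role fails with AccessDenied, run the two documents through decide separately: an ImplicitDeny on trust_policy means the role does not name the user, while one on identity_policy means the user's policy names the wrong role ARN.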
How to encrypt the root volume of an existing EC2 instance
Create an AMI:
- Stop the EC2 instance.
- In the EC2 console, create an AMI (Amazon Machine Image) from the instance.

Create an Encrypted Volume:
- From the AMI, launch a new instance, but during the launch process:
- In the Storage section, copy the root volume and set encryption using an existing or new KMS key.

Launch the New Instance:
- Complete the setup and launch the instance with the encrypted root volume.

Terminate the Old Instance (Optional):
- Once the new instance is verified, you can terminate the original instance if no longer needed.
How to create a SNS topic
1. Access the SNS Console: Navigate to the Amazon Simple Notification Service (SNS) console.
2. Create a Topic:
   - Click on Create topic.
   - Choose Standard as the type.
   - Enter a name (e.g., MySNSTopic).
   - Set access policy to allow everyone to publish and subscribe.
   - Click Create topic.

How to subscribe to a SNS topic

1. Create Subscription:
   - In the SNS console, select the topic you created.
   - Click on Create subscription.
   - Select Email as the protocol and enter your email address.
   - Click Create subscription.
2. Confirm Subscription: Check your email for a confirmation message from AWS and click the confirmation link.
How to create a CloudWatch alarm using a metrics-based filter
Create Metric Filter:
- Open the CloudWatch console and navigate to Log groups.
- Select the log group for CloudTrail logs (e.g., CloudTrailLogGroup).
- Choose Actions > Create metric filter.
- Enter the filter pattern for failed login attempts:
  { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
- Name the filter (e.g., ConsoleLoginErrors) and configure metrics.
Create Alarm:
- From the metric filters tab, select the newly created filter and click Create alarm.
- Set conditions (e.g., trigger if the count is greater than or equal to 3).
- Choose the SNS topic for notifications (e.g., MySNSTopic).
- Name the alarm (e.g., FailedLogins) and create it.
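The added example below (not the playbook's or AWS's code) applies the same predicate as the filter pattern above to CloudTrail log events and then applies the alarm condition (count >= 3) per period, so the detection can be checked offline against known-good and known-bad events before the alarm is wired to MySNSTopic. The events are constructed; the 5-minute period and the bucketing on wall-clock boundaries are assumptions standing in for the alarm's configured period.

```python
"""Evaluate a failed-console-login metric filter and alarm threshold over
CloudTrail log events.  Added example; all events are constructed."""
import json
from datetime import datetime, timezone

FILTER_PATTERN = '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
ALARM_THRESHOLD = 3   # the playbook's "greater than or equal to 3"
PERIOD_SECONDS = 300  # assumption: a 5-minute alarm period


def _evt(when, name, user, ip, error=None):
    """One constructed CloudTrail record as the log group would carry it."""
    rec = {"eventVersion": "1.08", "eventTime": when, "eventName": name,
           "eventSource": "signin.amazonaws.com" if name == "ConsoleLogin" else "ec2.amazonaws.com",
           "userIdentity": {"type": "IAMUser", "userName": user},
           "sourceIPAddress": ip}
    if error:
        rec["errorMessage"] = error
    elif name == "ConsoleLogin":
        rec["responseElements"] = {"ConsoleLogin": "Success"}
    return json.dumps(rec)


SAMPLE_LOG_EVENTS = [
    _evt("2024-12-06T08:00:05Z", "ConsoleLogin", "mike", "203.0.113.7", "Failed authentication"),
    _evt("2024-12-06T08:01:10Z", "ConsoleLogin", "mike", "203.0.113.7", "Failed authentication"),
    _evt("2024-12-06T08:02:00Z", "DescribeInstances", "sofia", "198.51.100.10"),
    _evt("2024-12-06T08:03:50Z", "ConsoleLogin", "mike", "203.0.113.7", "Failed authentication"),
    _evt("2024-12-06T08:04:30Z", "ConsoleLogin", "sofia", "198.51.100.10"),  # successful login
    _evt("2024-12-06T08:07:20Z", "ConsoleLogin", "mike", "203.0.113.7", "Failed authentication"),
]


def matches_filter(record):
    """Same predicate as FILTER_PATTERN: both selectors must match exactly."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("errorMessage") == "Failed authentication")


def evaluate_alarm(log_events, threshold=ALARM_THRESHOLD, period=PERIOD_SECONDS):
    """Count matching events per period and return {period_start: (state, count)}.

    Each matching event contributes 1 to the metric (the filter's default
    metric value); a period reaches ALARM when its count >= threshold.
    """
    counts = {}
    for raw in log_events:
        rec = json.loads(raw)
        if not matches_filter(rec):
            continue
        ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00")).timestamp()
        bucket = int(ts // period) * period
        counts[bucket] = counts.get(bucket, 0) + 1
    return {
        datetime.fromtimestamp(b, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"):
            ("ALARM" if n >= threshold else "OK", n)
        for b, n in sorted(counts.items())
    }


if __name__ == "__main__":
    for start, (state, n) in evaluate_alarm(SAMPLE_LOG_EVENTS).items():
        print(f"{start}  {state:5}  failed ConsoleLogin count={n}")
```

Periods with no matching events produce no data point at all, which is why the alarm's "treat missing data as" setting matters for a detection like this.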
