1.1. Interacting with services - AWS CLI & SDK.md

Interacting with services - AWS CLI, SDK

Interacting with services

• All services can be called using APIs and you can talk to APIs using:
  • Console (web), SDK's and CLI that make API calls.

AWS CLI

• Interact with AWS Proprietary services (S3, DynamoDB etc.) over www.
• Can be installed on Linux/Windows/Mac OS
  • Python & pip is bundled in Windows but require separate installation in Mac OS / Linux
  • aws --version get the version of CLI, Python, OS, and botocore
• Python based using botocore / boto3 (AWS SDK for python)
• Requires access credentials
  1. Can be found at IAM -> Users -> Security credentials
  2. Create your access key (can download as CSV)
     • ❗ You cannot restore them, they're generated & shown once
     • To revoke it: disable or delete your key.
  3. Run aws configure & paste Access Key Id and Secret Access Key when prompted
     • You can optionally set default region & output format
       • Otherwise the region is us-east-1 by default
     • You can run aws configure to check if they're saved & modify them.
  4. Credentials are saved in ~/.aws in Mac OS & Linux
     • In config file you have region and output settings.
     • In credentials file your access key id and secret key are saved
  5. You can run help to get more information about command e.g. aws s3 ls help
• AWS CLI on EC2
  • ❗ Bad & insecure way:
    • Run aws configure and save your credentials
    • Your personal credentials are personal and should only be on your personal computer (not on EC2)
    • Risks:
      • If EC2 is compromised -> Your account will also be compromised
      • If EC2 is shared -> other people may perform actions impersonating you
  • 💡 Better way: AWS IAM Roles
    • IAM Roles can be attached to EC2 instances.
      • ❗ One EC2 instance can have one IAM role at a time
        • But same role can be attached to many other EC2 instances
      • 📝 Also, Roles are not directly attached to EC2 instance, but are attached to instance profile. Instance profile is a container, where roles are attached.
    • IAM Roles can come with a policy authorizing exactly what the EC2 instance should be able to do e.g. AdminAccess or List buckets in S3.
    • EC2 instances can use these profiles automatically without any additional configurations
  • 📝If EC2 need access to other aws resources, never put credentials in it, always use IAM roles
  • Flow:
    • Create IAM role for the resource EC2 will access
    • EC2 portal -> Right click on instance -> Settings -> Attach IAM role
• S3 CLI
  • aws s3 ls: Lists all buckets available
  • aws s3 ls s3://bucketname: Lists contents of the bucket
  • aws s3 cp s3://bucketname/pic.jpg pic.jpg: Copy a local file, or S3 objects to your computer or from your computer.
  • aws s3 mb s3://bucketname: create a new bucket
  • aws s3 rb s3://bucketname: delete existing bucket
  • aws configure --profile <profile-name>: Allows you to name a profile and work with multiple profiles. Future commands should have --profile <profile-name> parameter to use the profile.
  • Use appropriate region to the end of the command in all the above, remember S3 buckets are regional.

AWS SDK

• Official SDK's are: Java, .NET, Node.js, PHP, Python (named boto3/botocore), Go, Ruby, C++ ...
• AWS CLI uses the Python SDK
• Recommended to use the default credential provider chain
• It works seamlessly with:
  • AWS credentials at ~/.aws/credentials
  • Use only on your computers or on premise
    • Even better to create a user specifically for that one on-premise server
  • Instance Profile Credentials using IAM Roles
  • Use 100% within AWS services e.g. EC2 machines.
  • You can use environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
    • ❗ Less recommended
• Exponential Backoff
  • E.g. request 1 fails -> wait 2 sec -> request 2 fails -> wait 4 sec -> request 3 fails -> wait 8 sec ...
  • Any API that fails because of too many calls needs to be retried with Exponential Backoff
    • Applies also to rate limited API
  • Retry mechanism included in SDK API calls
  • Ensures you don't overload API

Penetration testing

• You can carry out security assessments or penetration tests against own AWS infrastructure without prior approval for 8 services: 1.EC2 Instances, NAT Gateways & ELB 2.RDS 3.CloudFront 4.Aurora 5.API Gateways 6.Lambda & Lambda Edge functions 7.Lightsail 8.Elastic Beanstalk.
  • You can request for inclusion of additional services.
• ❗ Prohibited Activities: DDoS, DoS, DNS zone walking, port/protocol/request flooding