Windows EC2 deployment using CloudFormation

The following YAML template can be used to deploy a Windows EC2 instance with CloudFormation.

AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  EnvironmentType:
    Description: Environment Type
    Type: String
    AllowedValues: [development, production]
    ConstraintDescription: must be development or production

  KeyName:
    Description: Name of an existing EC2 KeyPair used to retrieve the Windows administrator password for RDP.
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.

Mappings:
  EnvironmentToInstanceType:
    development:
      instanceType: t2.micro
    production:
      instanceType: t2.small

Resources:
  ServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow RDP & HTTP access from all IP addresses
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        # RDP listens on 3389; the original template had 3289, which is not RDP.
        # 0.0.0.0/0 exposes the RDP listener to the whole internet, so restrict
        # this to an administrative CIDR for anything beyond a throwaway lab.
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: 0.0.0.0/0

  WindowsInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !FindInMap [EnvironmentToInstanceType, !Ref EnvironmentType, instanceType]
      # Choose the correct ImageId for your region; ami-da003ebf is a base Windows Server 2012 R2 image.
      ImageId: ami-da003ebf
      KeyName: !Ref KeyName
      SecurityGroups:
        - !Ref ServerSecurityGroup
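The security group in the template above is what a configuration scanner flags first: RDP reachable from 0.0.0.0/0. The following template is an added example, not part of the original post. It keeps HTTP public but takes the RDP source range from an AdminCidr parameter, validated by an AllowedPattern so that a stack cannot be created with an empty or malformed range. The parameter name, the constraint regex and the resource layout are my own; the AMI ID, key pair parameter and instance type are the post's.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Windows EC2 with RDP restricted to an administrative CIDR (added example)

Parameters:
  AdminCidr:
    Description: IPv4 range allowed to reach RDP, usually your office or VPN egress address as a /32
    Type: String
    # Four dotted octets and a prefix length of 0-32; rejects an empty value or a bare address.
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/(\d|[12]\d|3[0-2])$'
    ConstraintDescription: must be an IPv4 CIDR such as 203.0.113.10/32
  KeyName:
    Description: Existing EC2 KeyPair used to retrieve the Windows administrator password
    Type: AWS::EC2::KeyPair::KeyName

Resources:
  ServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTP from anywhere, RDP only from AdminCidr
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        # The RDP rule is the only difference from the original group: its source
        # is the validated parameter rather than the whole internet.
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref AdminCidr

  WindowsInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      # AMI ID taken from the post; it is region specific.
      ImageId: ami-da003ebf
      KeyName: !Ref KeyName
      SecurityGroups:
        - !Ref ServerSecurityGroup

Outputs:
  PublicIp:
    Description: Address to use in the RDP client
    Value: !GetAtt WindowsInstance.PublicIp
```

Deploy it with the same wizard as the original; the only extra prompt is AdminCidr. When administrators connect from changing locations, the usual answer is a bastion host or SSM Session Manager rather than widening the range back to 0.0.0.0/0.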
    

 

Here are the steps.

  1. Save the above template as WinEC2.yml.
  2. Open the AWS Management Console. In the CloudFormation section, select New Template, select "Upload a template to Amazon S3", select WinEC2.yml and then follow the wizard with the default options. You will be prompted for the Environment Type (production or development) and the Key Pair.
  3. Once the deployment completes successfully, the stack's Events tab shows the completed events (screenshot not reproduced here).

If you wish to join the newly created Windows EC2 instance to Active Directory, use the following reference for the YAML code: https://aws.amazon.com/blogs/security/how-to-configure-your-ec2-instances-to-automatically-join-a-microsoft-active-directory-domain/


MS SQL deployment using CloudFormation in AWS

Here is the YAML template for an MS SQL deployment in AWS. If you wish to make it AD integrated, review the details in the commented lines of the template.

AWSTemplateFormatVersion: '2010-09-09'
Description: Creates an empty SQL Server RDS database as an example for automated deployments.
Parameters:
  SqlServerInstanceName:
    NoEcho: 'false'
    Description: RDS SQL Server Instance Name
    Type: String
    Default: MyAppInstance
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*"
  DatabaseUsername:
    AllowedPattern: "[a-zA-Z0-9]+"
    ConstraintDescription: must contain only alphanumeric characters.
    Description: Database Admin Account User Name
    MaxLength: '16'
    MinLength: '1'
    Type: String
    Default: 'DBAdmin'
  DatabasePassword:
    # The pattern now enforces what the constraint description promises: the
    # original regex only required a digit and a letter, not a capital letter.
    AllowedPattern: "^(?=.*[0-9])(?=.*[A-Z])[a-zA-Z0-9]+$"
    ConstraintDescription: Must contain only alphanumeric characters with at least one capital letter and one number.
    Description: The database admin account password.
    MaxLength: '41'
    MinLength: '6'
    NoEcho: 'true'
    Type: String
    # Kept from the original for the demo. A real template should not carry a
    # default password: it ends up in the template file and in version control.
    Default: Admin123
  DBEngine:
    Description: Select Database Engine
    Type: String
    AllowedValues: [Express, Enterprise]
  # The following parameter can be added if SQL Server needs to be AD integrated.
  # DomainID:
  #   Description: Enter the Domain ID
  #   Type: String

Mappings:
  SQLTOEngineType:
    Express:
      Engine: sqlserver-ex
    Enterprise:
      Engine: sqlserver-ee

Resources:
  SQLDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: !Ref SqlServerInstanceName
      LicenseModel: license-included
      Engine: !FindInMap [SQLTOEngineType, !Ref DBEngine, Engine]
      EngineVersion: 13.00.4466.4.v1
      DBInstanceClass: db.t2.micro
      AllocatedStorage: '20'
      MasterUsername: !Ref DatabaseUsername
      MasterUserPassword: !Ref DatabasePassword
      # 'true' gives the instance a public endpoint; anyone who can reach it can
      # attempt a login, so pair this with a restrictive security group.
      PubliclyAccessible: 'true'
      BackupRetentionPeriod: '1'
      # If the SQL Server RDS instance needs to be Active Directory integrated,
      # uncomment the following properties. Domain takes the directory ID, either
      # imported from the AD stack's export or passed in via the DomainID parameter.
      # Domain: !ImportValue Directory-ID
      # Domain: !Ref DomainID
      # An IAM role is mandatory for AD integration.
      # DomainIAMRoleName: 'rds-directoryservice-access-role'
Outputs:
  SQLDatabaseEndpoint:
    Description: Database endpoint
    Value: !Sub "${SQLDatabase.Endpoint.Address}:${SQLDatabase.Endpoint.Port}"
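Two settings in the RDS template above deserve a second look: the master password is a template parameter with a default value, and PubliclyAccessible is true. The following template is an added example, not the post's own code. It lets Secrets Manager generate the master password and hands it to RDS through a dynamic reference, so the password never appears in the template, the parameters or the console, and it replaces the public endpoint with a security group that admits only the application servers' security group on port 1433. VpcId, AppSecurityGroupId and the resource names are assumptions; the engine, license model and storage size are the post's.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: SQL Server RDS with a generated master password and private access only (added example)

Parameters:
  VpcId:
    Description: VPC in which the database security group is created
    Type: AWS::EC2::VPC::Id
  AppSecurityGroupId:
    Description: Security group of the application servers allowed to reach port 1433
    Type: AWS::EC2::SecurityGroup::Id

Resources:
  # Secrets Manager generates the password; nobody types or commits it.
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Master credentials for the SQL Server instance
      GenerateSecretString:
        SecretStringTemplate: '{"username": "DBAdmin"}'
        GenerateStringKey: password
        PasswordLength: 30
        # Characters that RDS rejects in a master password.
        ExcludeCharacters: '"@/\'

  # Inbound 1433 only from the application tier's security group, never a CIDR.
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SQL Server reachable only from the application security group
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 1433
          ToPort: 1433
          SourceSecurityGroupId: !Ref AppSecurityGroupId

  SQLDatabase:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: sqlserver-ex
      LicenseModel: license-included
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      # Dynamic references are resolved by CloudFormation at deploy time and are
      # not echoed back in the stack's parameters or events.
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:password}}'
      PubliclyAccessible: false
      VPCSecurityGroups:
        - !Ref DBSecurityGroup
      BackupRetentionPeriod: 7
      DeletionProtection: true

  # Writes the endpoint host and port into the secret so clients read one object.
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DBSecret
      TargetId: !Ref SQLDatabase
      TargetType: AWS::RDS::DBInstance

Outputs:
  SQLDatabaseEndpoint:
    Description: Database endpoint
    Value: !Sub '${SQLDatabase.Endpoint.Address}:${SQLDatabase.Endpoint.Port}'
  SecretArn:
    Description: Secret holding username, password, host and port
    Value: !Ref DBSecret
```

After the stack is created, an application reads the secret ARN from the output and fetches the credentials from Secrets Manager at start-up; that same secret is what a rotation function updates later, which a password baked into a template parameter can never support.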

  1. Save the above template as SQLRDS.yml.
  2. Open the AWS Management Console. In the CloudFormation section, select New Template, select "Upload a template to Amazon S3", select SQLRDS.yml and then follow the wizard with the default options.
  3. Once the deployment completes successfully, the stack's Events tab shows the completed events (screenshot not reproduced here).



Active Directory deployment using CloudFormation in AWS

Paste the following code into Notepad and save the file with a .yml extension (e.g. ActiveDirectory.yml).

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  ADDomainName:
    Description: "Fully qualified name of the AD domain, e.g. Mydomain.LOCAL"
    Type: String
  AdminPassword:
    NoEcho: true
    # The original description carried a sample password as a hint; it is dropped
    # here so the template does not suggest a known password for the Admin account.
    Description: "Password for the directory's default 'Admin' account"
    Type: String
  MyVPC:
    Description: VPC to operate in
    Type: AWS::EC2::VPC::Id
  EditionType:
    Description: "Type of AD"
    Type: String
    Default: Enterprise
    AllowedValues:
      - Standard
      - Enterprise
  PrivateSubnet1ID:
    Description: 'ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd)'
    Type: 'AWS::EC2::Subnet::Id'
  PrivateSubnet2ID:
    Description: 'ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd)'
    Type: 'AWS::EC2::Subnet::Id'

Resources:
  MYDIR:
    Type: 'AWS::DirectoryService::MicrosoftAD'
    Properties:
      Name: !Ref ADDomainName
      Password: !Ref AdminPassword
      Edition: !Ref EditionType
      VpcSettings:
        SubnetIds:
          - !Ref PrivateSubnet1ID
          - !Ref PrivateSubnet2ID
        VpcId: !Ref MyVPC
Outputs:
  DomainName:
    Description: Newly created domain name
    Value: !Ref ADDomainName
    Export:
      Name: DomainName
  DirectoryID:
    Description: ID of the directory, consumed by the EC2 and SQL Server stacks
    Value: !Ref MYDIR
    Export:
      Name: Directory-ID
  DNS:
    Description: IP addresses of the directory's DNS servers.
    Value: !Join
      - ','
      - !GetAtt MYDIR.DnsIpAddresses
    Export:
      Name: DnsIpAddresses
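The three exports above (DomainName, Directory-ID and DnsIpAddresses) exist so that other stacks can consume them. The following template is an added example, not code from the post or from the AWS article it links to. It launches a Windows instance and joins it to the directory through an SSM Command document, reading all three values with !ImportValue. The instance role carries only the two AWS managed policies the SSM agent needs for this, and no RDP rule is opened because management goes through SSM (no security group is declared, so the VPC default applies). KeyName, SubnetId, the public SSM parameter path for the AMI and all resource names are assumptions; the export names are the ones the AD template above declares.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Windows instance that joins the directory exported by the AD stack (added example)

Parameters:
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
  SubnetId:
    Description: Subnet in the same VPC as the directory, so the instance can reach its DNS servers
    Type: AWS::EC2::Subnet::Id
  LatestWindowsAmi:
    Description: Resolved at deploy time from the public SSM parameter instead of a hard-coded AMI ID
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base

Resources:
  # Only what the SSM agent needs: core agent access plus directory-join access.
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
        - arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref InstanceRole

  WindowsInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: !Ref LatestWindowsAmi
      KeyName: !Ref KeyName
      SubnetId: !Ref SubnetId
      IamInstanceProfile: !Ref InstanceProfile
      Tags:
        - Key: Name
          Value: domain-joined-windows

  # The document takes every directory fact from the AD stack's exports, so the
  # directory ID and DNS addresses are never copied by hand into this template.
  DomainJoinDocument:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Command
      Content:
        schemaVersion: '2.2'
        description: Join the instance to the AWS Managed Microsoft AD domain
        mainSteps:
          - action: aws:domainJoin
            name: domainJoin
            inputs:
              directoryId: !ImportValue Directory-ID
              directoryName: !ImportValue DomainName
              # The export is a comma-joined string; the plugin wants a list.
              dnsIpAddresses: !Split [',', !ImportValue DnsIpAddresses]

  # Runs the document against the instance once it registers with SSM.
  DomainJoinAssociation:
    Type: AWS::SSM::Association
    Properties:
      Name: !Ref DomainJoinDocument
      Targets:
        - Key: InstanceIds
          Values:
            - !Ref WindowsInstance
```

The AD stack must already exist in the same account and region: !ImportValue fails at creation time when the export is missing, and CloudFormation refuses to delete the AD stack while this one still imports from it, which is the dependency guard you want between a directory and the machines joined to it.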

 

Open the AWS Console, go to the CloudFormation service, create a new stack, then browse to and select the YAML file created in the step above.

Specify the stack name and the parameters: AD name, Admin password, Edition, VPC and subnets.

AWS prepares the resources in the background; the stack status remains CREATE_IN_PROGRESS while it does.

After completion the status changes to CREATE_COMPLETE. The Outputs tab shows the returned values; the value under Export Name can be used by any future CloudFormation deployment, such as the Windows EC2 or AWS RDS stacks.

Here are the details of Managed AD in AWS:
AWS Managed Microsoft AD
AD DS on AWS

Since this is my blog on AWS CloudFormation, I will try to improve the above code and include a few more use cases, such as accessing the managed AD, creating AWS RDS and joining EC2 instances to the domain in AWS.

Configuration of AWS S3 (Simple Storage Service) for application access.

The following steps are useful if you have an application (service) on premises that needs to access (download/upload) files in AWS S3 storage.

Sign in to the AWS Console with the root account credentials.

Select IAM under the 'Security, Identity and Compliance' section.

Add a new user for API or console access.

Give an appropriate 'User name' and select the Access type.

Please note, selecting both access types isn't recommended for production use because of accessibility issues. This demo requires only 'Programmatic access'. You can use the same user account to delegate AWS storage-related work managed via the AWS console.

Select 'Attach existing policies directly', then search for S3 and attach 'AmazonS3FullAccess'.

Review the settings and then click on 'Create user'.

Note down the user name, access key ID, secret access key and sign-in URL. You can additionally download a CSV file containing all this information.

Select 'S3' from the 'Storage' section.

Click on 'Create Bucket', give it an appropriate name and select the 'Region'; the bucket name must be unique across all of AWS. Then click on 'Create'. I have skipped the remaining settings such as versioning, permissions and static website hosting for this test. If you need specific settings, please refer to the S3 documentation.

You can upload files manually using the AWS Console.
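AmazonS3FullAccess, attached in the steps above, grants the user every S3 action on every bucket in the account. The following template is an added example, not something from the post. It creates the bucket with public access blocked, versioning and default encryption, and an IAM user whose inline policy is limited to listing and reading, writing and deleting objects in that one bucket, plus the account-wide ListAllMyBuckets that Get-S3Bucket needs; it also denies any request not sent over TLS. BucketName, the user name and the policy name are assumptions; the bucket name appdatatest1 used later in the post fits the pattern.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Private S3 bucket plus an IAM user limited to that bucket (added example)

Parameters:
  BucketName:
    Description: Globally unique bucket name, e.g. appdatatest1
    Type: String
    AllowedPattern: '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'

Resources:
  AppBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # No ACL or bucket policy can make this bucket public.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Lets an overwritten or deleted object be recovered.
      VersioningConfiguration:
        Status: Enabled

  # The application's identity. Access keys are created for it in the console,
  # not here, so the secret never lands in a stack output or template file.
  AppUser:
    Type: AWS::IAM::User
    Properties:
      UserName: app-s3-uploader

  AppBucketPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: app-bucket-rw
      Users:
        - !Ref AppUser
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Needed only so Get-S3Bucket (ListAllMyBuckets) returns a list.
          - Sid: ListBucketNames
            Effect: Allow
            Action: s3:ListAllMyBuckets
            Resource: '*'
          - Sid: ListOnlyThisBucket
            Effect: Allow
            Action: s3:ListBucket
            Resource: !GetAtt AppBucket.Arn
          - Sid: ReadWriteObjectsInThisBucket
            Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:DeleteObject
            Resource: !Sub '${AppBucket.Arn}/*'
          # An explicit Deny wins over every Allow, so plaintext HTTP cannot be used.
          - Sid: RequireTls
            Effect: Deny
            Action: s3:*
            Resource:
              - !GetAtt AppBucket.Arn
              - !Sub '${AppBucket.Arn}/*'
            Condition:
              Bool:
                aws:SecureTransport: 'false'

Outputs:
  BucketArn:
    Value: !GetAtt AppBucket.Arn
  UserName:
    Value: !Ref AppUser
```

Create the access key for app-s3-uploader in the IAM console exactly as the post describes, then run the Get-S3Object test below with it: it behaves identically for this bucket and returns AccessDenied for every other bucket, which is the difference between this policy and AmazonS3FullAccess.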


 

Testing bucket access from an on-premises application.

Method 1: using CloudBerry

Install CloudBerry (freeware) and connect to the AWS S3 bucket.

You can copy (or cut) and paste files from the local machine to S3, or vice versa.

 

Method 2: using PowerShell

Install the AWS Tools for PowerShell, open PowerShell and use the following commands to test bucket access.

Set the credentials. The key pair from the original post is replaced by placeholders here; real keys belong in a stored profile or the shared credentials file, not in a document or a script.

Set-AWSCredentials -AccessKey <ACCESS_KEY_ID> -SecretKey <SECRET_ACCESS_KEY>

Get all buckets.

Get-S3Bucket

Show all contents of the specified bucket.

Get-S3Object -BucketName appdatatest1 -MaxKey 100 | Format-Table

Refer to the AWS Tools for PowerShell documentation for more details on these commands.

Enable multi-factor authentication for your AWS account

If you are a beginner with AWS like me and are wondering how the account can be secured against unauthorized access, enable multi-factor authentication using a smartphone app code.

Sign in to the AWS Console with the root account.

Select IAM (Identity & Access Management) under the 'Security, Identity & Compliance' section.

Under Dashboard, select 'Activate MFA on your root account'.

Click on 'Manage MFA device', then select 'A virtual MFA device'.

Before clicking 'Next Step', install the 'Google Authenticator' app on your smartphone. The following apps are supported by AWS:

  Android: Google Authenticator; Authy 2-Factor Authentication
  iPhone: Google Authenticator; Authy 2-Factor Authentication
  Windows Phone: Authenticator
  BlackBerry: Google Authenticator

 

Click on 'Next Step', then scan the bar code with the 'Google Authenticator' mobile app.

Once the bar code has been activated on the phone, enter two consecutive authentication codes (each code is generated at an interval of a minute), click on 'Activate virtual MFA' and then click Finish.

Refresh the AWS page and you will see that MFA is activated.

If you sign out and then sign in again to the AWS console, you need to supply the username, the password and the authentication code generated by the mobile app.
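Activating MFA on the root account as described above protects the root sign-in only; IAM users can still sign in with just a password. The following template is an added example, not from the post or the AWS pages it links to. It creates an IAM group whose inline policy denies every action except enrolling the caller's own virtual MFA device until the session carries an MFA claim (the aws:MultiFactorAuthPresent condition key). The group name, policy name and statement IDs are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: IAM group whose members must sign in with MFA before any other permission applies (added example)

Resources:
  MfaRequiredGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: mfa-required-users
      Policies:
        - PolicyName: deny-without-mfa
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # A user with no device yet may enrol one, but only for their own user.
              # ${!aws:username} emits the literal ${aws:username} policy variable.
              - Sid: AllowOwnMfaSetup
                Effect: Allow
                Action:
                  - iam:CreateVirtualMFADevice
                  - iam:EnableMFADevice
                  - iam:ListMFADevices
                  - iam:ResyncMFADevice
                  - iam:GetUser
                Resource:
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:mfa/${!aws:username}'
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:user/${!aws:username}'
              # Everything else is refused while the session has no MFA claim.
              # sts:GetSessionToken stays allowed so CLI users can obtain an MFA
              # session after enrolling.
              - Sid: DenyAllWithoutMfa
                Effect: Deny
                NotAction:
                  - iam:CreateVirtualMFADevice
                  - iam:EnableMFADevice
                  - iam:ListMFADevices
                  - iam:ResyncMFADevice
                  - iam:GetUser
                  - sts:GetSessionToken
                Resource: '*'
                Condition:
                  BoolIfExists:
                    aws:MultiFactorAuthPresent: 'false'

Outputs:
  GroupName:
    Value: !Ref MfaRequiredGroup
```

Add the IAM users to this group; on a password-only sign-in they can do nothing but assign a device to their own user, and after a sign-in with the code every other permission they hold takes effect. BoolIfExists rather than Bool is deliberate: a request that carries no aws:MultiFactorAuthPresent key at all is treated as "false" and denied, so the policy cannot be sidestepped by a credential type that omits the key.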


Refer to the following links for more information.

Multi-Factor Authentication

Using Multi-Factor Authentication (MFA) in AWS