AWS System Administration PDF

299 Pages·2016·4.18 MB·English

Preview AWS System Administration

AWS System Administration
Mike Ryan and Federico Lucifredi
Boston

AWS System Administration
by Mike Ryan and Federico Lucifredi

Copyright © 2015 Mike Ryan and Federico Lucifredi. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safaribooksonline.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or [email protected].

Editors: Andy Oram and Mike Hendrickson
Production Editor: Melanie Yarbrough
Copyeditor: Sharon Wilkey
Proofreader: Marta Justak
Indexer: Lucie Haskins
Interior Designer: David Futato
Cover Designer: Eleanor Volkhausen
Illustrator: Rebecca Demarest

January 2015: First Edition

Revision History for the First Edition
2015-01-12: First Early Release
2015-05-05: Second Early Release
2016-05-31: Third Early Release

See http://oreilly.com/catalog/errata.csp?isbn=9781449342579 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. AWS System Administration, the cover image of a peccary, and related trade dress are trademarks of O’Reilly Media, Inc.

While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-449-34257-9 [LSI]

Table of Contents

Preface
1. Setting Up AWS Tools
  Getting Started
  Preparing Your Tools
  Installing the AWS Command Line Interface
  Parsing JSON Output with jq
  Installing the Legacy AWS Command-Line Tools
2. First Steps with EC2 and CloudFormation
  What Is an Instance?
  Instance Types
  Processing Power
  Storage
  Networking
  Launching Instances
  Launching from the Management Console
  Launching with Command-Line Tools
  Launching from Your Own Programs and Scripts
  Introducing CloudFormation
  Working with CloudFormation Stacks
  Creating the Stack
  Updating the Stack
  Looking Before You Leap
  Deleting the Stack
  Which Method Should I Use?
  Amazon Machine Images
  Building Your Own AMI
  Deregistering AMIs
  Pets vs. Cattle
3. Access Management and Security Groups
  Identity and Access Management
  Amazon Resource Names
  IAM Policies
  IAM Users and Groups
  IAM Roles
  Using IAM Roles from Other AWS Accounts
  Using IAM in CloudFormation Stacks
  Security Groups
  Protecting Instances with SSH Whitelists
  Virtual Private Networks and Security Groups
  Recap
4. Configuration Management
  Why Use Configuration Management?
  OpsWorks
  Choosing a Configuration Management Package
  Puppet on AWS
  A Quick Introduction to Puppet
  Puppet and CloudFormation
  User Data and Tags
  Executing Tasks with Fabric
  Master-less Puppet
  Building AMIs with Packer
5. An Example Application Stack
  Overview of Application Components
  The Web Application
  Database and Caching
  Background Task Processing
  Installing the Web Application
  Preparing Puppet and CloudFormation
  Puppet Files
  CloudFormation Files
  Creating an RDS Database
  RDS: Updating Puppet and CloudFormation
  Creating an ElastiCache Node
  ElastiCache: Updating Puppet and CloudFormation
  Installing Celery with Simple Queueing Service
  Celery: Updating Puppet and CloudFormation
  Building the AMIs
  Creating the Stack with CloudFormation
  Recap
6. Auto Scaling and Elastic Load Balancing
  What Is Auto Scaling?
  Static Auto Scaling Groups
  Notifications of Scaling Activities
  Scaling Policies
  Scaling on CloudWatch Metrics
  Elastic Load Balancing
  Elastic Load Balancer and Auto Scaling Groups
  Recap
7. Deployment Strategies
  Instance-Based Deployments
  Executing Code on Running Instances with Fabric
  Updating Instances at Launch Time
  AMI-Based Deployments
  Deploying AMIs with CloudFormation
  Deploying AMIs with the EC2 API
  Recap
8. Building Reusable Components
  Role-Based AMIs
  Mapping Instances to Roles
  Patterns for Configuration Management Tools
  Modular CloudFormation Stacks
9. Log Management
  Central Logging
  Logstash Configuration
  Logging to S3
  AWS Service Logs
  S3 Life Cycle Management
10. DNS with Route 53
  Why Use Route 53?
  Failure Is an Option: Using Route 53 to Handle Service Failover
  Ramping Up Traffic
  Surviving ELB and Application Outages with Route 53
  Recap
11. Monitoring
  Why Are You Monitoring?
  CloudWatch
  Auto Scaling and Custom Metrics
  Old Tools, New Tricks
12. Backups
  Backing Up Static Files from EC2 Instances to S3
  Rolling Backups with S3 and Glacier
  PostgreSQL and Other Databases
  pg_dump
  Snapshots and Continuous Archiving
  Off-Site Backups
Index

Preface

System administration is a complicated topic that requires practitioners to be familiar with an ever-expanding range of applications and services. In some ways, Amazon Web Services (AWS) is just another tool to add to your toolkit, yet it can also be considered a discipline in and of itself. Successfully building and deploying infrastructure on AWS involves a thorough understanding of the underlying operating system concerns, software architecture, and delivery practices, as well as the myriad components that make up Amazon Web Services.

Mike runs a DevOps consultancy, helping startups and small businesses reap the benefits of tools and processes that were previously available only to organizations with large teams of systems administrators. Many of these businesses do not have a dedicated systems administrator, and the development team is responsible for deploying and maintaining the architecture.

In working with these clients, Mike noticed patterns in how people were working with AWS. Those who came from a pure development background, without any sysadmin experience, would often build an infrastructure that left out many of the things sysadmins would take for granted, such as monitoring and logging. The lack of monitoring and logging would then make it difficult to track down issues, leading to more downtime than necessary.

At the other end of the spectrum were those with a lot of sysadmin experience, but less or no development experience. This group was more likely to treat AWS as nothing more than a virtual machine hosting provider, simply using EC2 to run a fleet of static instances without taking advantage of any high-availability features such as Auto Scaling groups and Elastic Load Balancing. This is akin to buying a Ferrari and then using it only to buy groceries once per week: fun, but not very cost-effective.

Using AWS requires a fundamentally different mindset than when deploying groups of static servers. You do not simply set up some servers and then periodically perform maintenance. Instead, you use the full AWS toolset (automatic instance replacement, scaling up and down in response to demand, etc.) to build a system. In this sense, it is more like programming than traditional system administration.

Federico’s work as the lead Product Manager for Ubuntu Server at Canonical placed him on the front lines from the vendor perspective. Looking at how users and public cloud vendors were integrating Ubuntu into their infrastructure informed the team’s decisions as to what user problems to solve first, and led to the creation of Canonical’s Certified Public Cloud program, which solves integration problems for public cloud vendors and manages the relationship between Ubuntu and the Amazon AWS technical team.

The Ubuntu Server team’s cloud-first focus led to the creation of technologies like Cloud-Init, and produced the early, smooth integration of Ubuntu with public cloud that resulted in its popularity there today. Federico’s aim has been to complement Mike’s knowledge as a power user of public cloud with his behind-the-scenes insight of where things can go wrong for users.

The aim of this book is to help you reach a balance between development and operational focus, and help you make the right choice for your application’s specific hosting requirements. If you are a developer, this book will give you enough system administration knowledge to ensure that you are using AWS effectively, and help you build a robust and resilient application infrastructure. For systems administrators, it will show you how you can keep your favorite tools and processes while working with AWS, and hopefully save you from reinventing some wheels along the way.

AWS is a collection of cloud computing services that can be combined to build scalable and reliable applications and services. It comprises a number of components, each with their own names and configuration options, which are offered under the AWS umbrella. Some of these—such as EC2 and S3—are extremely popular and well-known. Others, such as Kinesis and CloudFormation, are less well-known. Because covering each of these services in detail would result in a multivolume tome of formidable size, this book focuses on the more commonly used services and provides jumping-off points for learning about the others.

If you are familiar with AWS, feel free to hop between chapters to find the information that is most interesting or relevant to your current project. Beginners to AWS should work through the book sequentially, as each chapter builds on information presented in the previous chapters.

Chapter 1 helps you get set up with the tools you will need to interact with AWS and build the example infrastructure.

Chapter 2 introduces what is perhaps the most well-known of all AWS services, EC2. This chapter also introduces our favorite AWS service, CloudFormation.

In Chapter 3, we look at some of the security features offered by AWS.

Description:
between the aws tools and any other Python program in the system. You can .. The most reliable approach is to use Dedicated hosts, a facility pro‐.
