# Chapter 91: Linux on AWS

Comprehensive Guide to Linux Administration on Amazon Web Services

## 91.1 Amazon EC2 Fundamentals

### Understanding EC2

Amazon Elastic Compute Cloud (EC2) provides scalable virtual servers (instances) in the AWS cloud. Understanding EC2 is fundamental to Linux administration on AWS.
EC2 instance families:

| Family | Use Case | Description |
|---|---|---|
| t2/t3 | Burstable | General purpose, CPU credits |
| m5/m6 | General | Balanced compute/memory |
| c5/c6 | Compute | Compute optimized |
| r5/r6 | Memory | Memory optimized |
| p4/p5 | GPU | GPU workloads |
| inf2 | Inference | ML inference |
| i3/i4g | Storage | High I/O, local NVMe |
| d2/d3 | Dense | Dense storage |
| hpc | HPC | High performance computing |

Naming: `t3.medium` = family.generation.size

Storage options:

| Storage | Description |
|---|---|
| Instance Store | Local, ephemeral, high performance |
| EBS | Network storage, persistent |
| EFS | Network file system |
| FSx | Managed file systems |
### EC2 Instance Management

```bash
# AWS CLI installation
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

# Configure AWS CLI
aws configure
aws configure set region us-east-1
aws configure set output json

# Instance operations
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running"
aws ec2 describe-instances --instance-ids i-1234567890abcdef0

# Start instance
aws ec2 start-instances --instance-ids i-1234567890abcdef0

# Stop instance
aws ec2 stop-instances --instance-ids i-1234567890abcdef0

# Reboot instance
aws ec2 reboot-instances --instance-ids i-1234567890abcdef0

# Terminate instance (irreversible; instance-store data is lost)
aws ec2 terminate-instances --instance-ids i-1234567890abcdef0

# Describe instance status
aws ec2 describe-instance-status --instance-ids i-1234567890abcdef0

# Get instance metadata (run from within the instance)
# These plain GETs are IMDSv1; an instance launched with HttpTokens=required
# answers only IMDSv2 requests that carry a session token.
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/user-data/
```
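The metadata commands above are plain GETs, which is the IMDSv1 style. An instance launched with `--metadata-options HttpTokens=required` answers only IMDSv2 requests: a PUT to `/latest/api/token` that returns a short-lived session token, followed by GETs carrying that token in the `X-aws-ec2-metadata-token` header. The reason defenders prefer that setting is that a request-forgery flaw in an application which can only issue GETs cannot complete the PUT step, so it cannot read the instance role's credentials. The following is an added example, not code from the chapter: `imds_get()` performs the two-step exchange, and `ImdsStub` is a local stand-in that behaves like the service in tokens-required mode so the exchange can be exercised offline. The token string, instance-id, AMI id and port it uses are constructed values.

```python
"""IMDSv2 token exchange, run against a local stand-in for the metadata service.

Added example, not code from the chapter. imds_get() performs the two-step
IMDSv2 exchange (PUT /latest/api/token with a TTL header, then GET with the
token header). ImdsStub reproduces what the real service does when an
instance was launched with HttpTokens=required, so the exchange can be run
offline. The token, instance-id and AMI id it serves are constructed values.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
REAL_IMDS = "http://169.254.169.254"

# Constructed values served by the stub (not a real token or real metadata).
STUB_TOKEN = "CONSTRUCTED-TOKEN-NOT-REAL"
STUB_METADATA = {"instance-id": "i-1234567890abcdef0", "ami-id": "ami-0c55b159cbfafe1f0"}

# Ignore any HTTP(S)_PROXY in the environment: IMDS (and the stub) are link-local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class ImdsStub(BaseHTTPRequestHandler):
    """Behaves like IMDS with HttpTokens=required: a GET without a token is refused."""

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # Token issuance: only on the token path, only with a TTL of 1..21600 seconds.
        ttl = self.headers.get(TOKEN_TTL_HEADER, "")
        if self.path != "/latest/api/token" or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._reply(400)
        self._reply(200, STUB_TOKEN.encode())

    def do_GET(self):
        # IMDSv1-style plain GETs get 401 when tokens are required.
        if self.headers.get(TOKEN_HEADER) != STUB_TOKEN:
            return self._reply(401)
        prefix = "/latest/meta-data/"
        key = self.path[len(prefix):] if self.path.startswith(prefix) else None
        if key not in STUB_METADATA:
            return self._reply(404)
        self._reply(200, STUB_METADATA[key].encode())


def imds_get(path, base_url=REAL_IMDS, ttl_seconds=21600, timeout=2):
    """IMDSv2: obtain a session token with PUT, then GET the metadata path with it."""
    token_req = urllib.request.Request(
        f"{base_url}/latest/api/token", method="PUT",
        headers={TOKEN_TTL_HEADER: str(ttl_seconds)})
    with OPENER.open(token_req, timeout=timeout) as resp:
        token = resp.read().decode()
    data_req = urllib.request.Request(
        f"{base_url}/latest/meta-data/{path}", headers={TOKEN_HEADER: token})
    with OPENER.open(data_req, timeout=timeout) as resp:
        return resp.read().decode()


def imds_v1_status(path, base_url=REAL_IMDS, timeout=2):
    """The plain GET the chapter shows (IMDSv1); returns the HTTP status code."""
    try:
        with OPENER.open(f"{base_url}/latest/meta-data/{path}", timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def start_stub():
    """Start the stand-in service on an ephemeral localhost port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), ImdsStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_demo():
    """Exercise both request styles against the stub and return what each got back."""
    server, base = start_stub()
    try:
        return {
            "v1_status": imds_v1_status("instance-id", base_url=base),
            "v2_instance_id": imds_get("instance-id", base_url=base),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())  # on a real instance: print(imds_get("instance-id"))
```

On an actual instance, call `imds_get("instance-id")` with the default base URL; the stub exists only so the 401-versus-200 behaviour can be seen without an instance. The same split is what `aws ec2 modify-instance-metadata-options --http-tokens required` enforces on an already running instance.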
### Launching EC2 Instances

```bash
# Launch instance
aws ec2 run-instances \
  --image-id ami-0c55b159cbfafe1f0 \
  --count 1 \
  --instance-type t3.micro \
  --key-name my-key-pair \
  --security-group-ids sg-1234567890abcdef0 \
  --subnet-id subnet-1234567890abcdef0 \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=MyServer}]'

# With user data (startup script run as root on first boot)
aws ec2 run-instances \
  --image-id ami-0c55b159cbfafe1f0 \
  --instance-type t3.micro \
  --key-name my-key-pair \
  --security-group-ids sg-1234567890abcdef0 \
  --subnet-id subnet-1234567890abcdef0 \
  --user-data file://startup-script.sh

# Create key pair (the private key is returned exactly once; keep the file owner-read-only)
aws ec2 create-key-pair --key-name my-key-pair --query 'KeyMaterial' --output text > my-key-pair.pem
chmod 400 my-key-pair.pem

# Create security group in a specific VPC
aws ec2 create-security-group --group-name web-sg --description "Web security group" --vpc-id vpc-123
# Without --vpc-id the group is created in the default VPC
aws ec2 create-security-group --group-name web-sg --description "Web security group"
```
## 91.2 EC2 SSH Access and Management

### Connecting to EC2 Instances

```bash
# SSH into a Linux instance
ssh -i key.pem ec2-user@ec2-xx-xx-xx-xx.compute.amazonaws.com

# For Amazon Linux
ssh -i key.pem ec2-user@ec2-xx-xx-xx-xx.region.compute.amazonaws.com

# For Ubuntu
ssh -i key.pem ubuntu@ec2-xx-xx-xx-xx.compute.amazonaws.com

# For RHEL
ssh -i key.pem ec2-user@ec2-xx-xx-xx-xx.compute.amazonaws.com

# For Debian
ssh -i key.pem admin@ec2-xx-xx-xx-xx.compute.amazonaws.com

# With verbose output for debugging
ssh -vvv -i key.pem ec2-user@hostname

# Using Session Manager (no SSH key and no inbound port 22 needed)
aws ssm start-session --target i-1234567890abcdef0
```
### SSH Key Best Practices

```bash
# Generate SSH key locally
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

# Import the public key to AWS (the private key never leaves your machine)
# AWS CLI v2 needs fileb:// for the raw public key file
aws ec2 import-key-pair --key-name "my-key" --public-key-material fileb://~/.ssh/id_rsa.pub

# Describe key pairs
aws ec2 describe-key-pairs

# Delete key pair
aws ec2 delete-key-pair --key-name my-key-pair

# Use SSH agent
eval "$(ssh-agent -s)"
ssh-add key.pem
ssh ec2-user@hostname
```
## 91.3 EBS (Elastic Block Store)

### EBS Volume Management

EBS volume types:

| Volume Type | Performance | Use Case |
|---|---|---|
| gp3 | 3000-16000 IOPS | General purpose SSD |
| gp2 | Baseline | Legacy general purpose |
| io2 Block Express | 256000 IOPS | High performance |
| io2 | 64000 IOPS | Mission critical |
| io1 | 64000 IOPS | High performance (older) |
| st1 | 50000 IOPS | Throughput optimized HDD |
| sc1 | 250 IOPS | Cold HDD |

Key points:

- gp3: Low cost, configurable IOPS and throughput
- io2: Highest durability (99.999%)
- EBS volumes exist independently of instances
- Can be encrypted at rest
- Snapshots enable backup and migration

```bash
# Create volume (add --encrypted to encrypt the volume at rest)
aws ec2 create-volume \
  --size 10 \
  --volume-type gp3 \
  --availability-zone us-east-1a \
  --tag-specifications 'ResourceType=volume,Tags=[{Key=Name,Value=DataVolume}]'

# Describe volumes
aws ec2 describe-volumes
aws ec2 describe-volumes --volume-ids vol-1234567890abcdef0

# Attach volume (must be in the same availability zone as the instance)
aws ec2 attach-volume \
  --volume-id vol-1234567890abcdef0 \
  --instance-id i-1234567890abcdef0 \
  --device /dev/sdf

# Detach volume (unmount it inside the instance first)
aws ec2 detach-volume --volume-id vol-1234567890abcdef0

# Delete volume
aws ec2 delete-volume --volume-id vol-1234567890abcdef0

# Modify volume (resize, change type)
aws ec2 modify-volume \
  --volume-id vol-1234567890abcdef0 \
  --size 20 \
  --volume-type io2

# Create snapshot (backup)
aws ec2 create-snapshot \
  --volume-id vol-1234567890abcdef0 \
  --description "Backup of data volume"

# Describe snapshots
aws ec2 describe-snapshots --owner-ids self

# Restore from snapshot: create a volume from the snapshot
aws ec2 create-volume \
  --snapshot-id snap-1234567890abcdef0 \
  --availability-zone us-east-1a
```
### EBS on the Instance

```bash
# List block devices (-f shows FSTYPE and UUID)
lsblk
sudo lsblk -f

# Create filesystem
# Only on an empty volume: mkfs destroys any data already on the device,
# so check that lsblk -f shows no FSTYPE first.
sudo mkfs -t ext4 /dev/nvme1n1

# Mount volume
sudo mkdir /mnt/data
sudo mount /dev/nvme1n1 /mnt/data

# Add entry to /etc/fstab for a persistent mount
# nofail lets the instance boot even if the volume is not attached;
# UUID=... from lsblk -f is more robust than a device name, which can change between boots.
# /dev/nvme1n1 /mnt/data ext4 defaults,nofail 0 2

# Check disk usage
df -h

# Grow the filesystem after resizing the volume
# Whole-disk filesystem (as created above): there is no partition to grow
sudo resize2fs /dev/nvme1n1
# Partitioned disk: grow partition 1 first, then the filesystem that lives on it
sudo growpart /dev/nvme1n1 1
sudo resize2fs /dev/nvme1n1p1
```
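The `mkfs` step above is the one place in this procedure where a mistake destroys data: run against a device that already carries a filesystem, it wipes it. A script that automates volume preparation should therefore decide from `lsblk` output which devices are actually empty. The following added example (not code from the chapter) does that from `lsblk -J -o NAME,FSTYPE,MOUNTPOINT,TYPE` JSON; `SAMPLE_LSBLK` is constructed to look like a Nitro instance with a partitioned root disk, one freshly attached empty volume and one unmounted volume that already holds ext4.

```python
"""Pick the block devices that are safe to format, from lsblk JSON output.

Added example, not code from the chapter. A disk is "empty" (safe for mkfs)
only if it has no partitions, no filesystem signature and no mountpoint.
SAMPLE_LSBLK is constructed in the shape of
`lsblk -J -o NAME,FSTYPE,MOUNTPOINT,TYPE` output.
"""
import json
import subprocess

SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "nvme0n1", "fstype": null, "mountpoint": null, "type": "disk",
   "children": [
     {"name": "nvme0n1p1", "fstype": "xfs", "mountpoint": "/", "type": "part"},
     {"name": "nvme0n1p128", "fstype": "vfat", "mountpoint": "/boot/efi", "type": "part"}]},
  {"name": "nvme1n1", "fstype": null, "mountpoint": null, "type": "disk"},
  {"name": "nvme2n1", "fstype": "ext4", "mountpoint": null, "type": "disk"}
]}
"""


def classify(lsblk_json):
    """Return {device name: reason}; the reason "empty" means mkfs is safe."""
    result = {}
    for dev in json.loads(lsblk_json)["blockdevices"]:
        if dev.get("type") != "disk":
            continue
        if dev.get("children"):
            # Partitioned: format a partition (nvme0n1p1 style), never the whole disk
            result[dev["name"]] = "partitioned"
        elif dev.get("mountpoint"):
            result[dev["name"]] = f"mounted at {dev['mountpoint']}"
        elif dev.get("fstype"):
            # Unmounted but not empty: still holds data
            result[dev["name"]] = f"has {dev['fstype']} filesystem"
        else:
            result[dev["name"]] = "empty"
    return result


def empty_disks(lsblk_json):
    """Devices with no partitions, no filesystem signature and no mount."""
    return sorted(name for name, reason in classify(lsblk_json).items() if reason == "empty")


def live_lsblk():
    """Run lsblk on this host and return its JSON text (-J needs util-linux 2.27+)."""
    return subprocess.run(["lsblk", "-J", "-o", "NAME,FSTYPE,MOUNTPOINT,TYPE"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for name, reason in classify(SAMPLE_LSBLK).items():
        print(f"/dev/{name}: {reason}")
```

On a real host replace `SAMPLE_LSBLK` with `live_lsblk()`; only the devices returned by `empty_disks()` should ever be passed to `mkfs`.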
## 91.4 Security Groups

### Security Group Configuration

Inbound rules (default: all traffic blocked):

| Type | Protocol | Port | Source |
|---|---|---|---|
| SSH | TCP | 22 | Your IP |
| HTTP | TCP | 80 | 0.0.0.0/0 |
| HTTPS | TCP | 443 | 0.0.0.0/0 |
| Custom TCP | TCP | 8080 | 10.0.0.0/8 |
| Custom UDP | UDP | 53 | 10.0.0.0/16 |

Outbound rules (default: all traffic allowed):

| Type | Protocol | Port | Destination |
|---|---|---|---|
| All Traffic | All | All | 0.0.0.0/0 |

```bash
# Create security group
aws ec2 create-security-group \
  --group-name web-sg \
  --description "Security group for web servers" \
  --vpc-id vpc-1234567890abcdef0

# Describe security groups (--group-names works in the default VPC only; use --group-ids otherwise)
aws ec2 describe-security-groups --group-names web-sg
aws ec2 describe-security-groups --group-ids sg-1234567890abcdef0

# Add inbound rule (SSH)
# 0.0.0.0/0 exposes port 22 to the whole internet; the table above restricts SSH
# to your own address, e.g. --cidr 203.0.113.10/32
aws ec2 authorize-security-group-ingress \
  --group-id sg-1234567890abcdef0 \
  --protocol tcp \
  --port 22 \
  --cidr 0.0.0.0/0

# Add inbound rules (HTTP/HTTPS)
aws ec2 authorize-security-group-ingress \
  --group-id sg-1234567890abcdef0 \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress \
  --group-id sg-1234567890abcdef0 \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0

# Add inbound rule (from another security group, e.g. app servers to the database)
aws ec2 authorize-security-group-ingress \
  --group-id sg-1234567890abcdef0 \
  --protocol tcp \
  --port 3306 \
  --source-group sg-0987654321abcdef0

# Add outbound rule
aws ec2 authorize-security-group-egress \
  --group-id sg-1234567890abcdef0 \
  --protocol all \
  --cidr 0.0.0.0/0

# Revoke rule
aws ec2 revoke-security-group-ingress \
  --group-id sg-1234567890abcdef0 \
  --protocol tcp \
  --port 22 \
  --cidr 0.0.0.0/0

# Delete security group (fails while any instance or interface still uses it)
aws ec2 delete-security-group --group-id sg-1234567890abcdef0
```
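Security group rules accumulate, and the rule table above only holds if someone checks it. The added example below (not code from the chapter) audits `aws ec2 describe-security-groups --output json` output: it flags ingress rules reachable from the whole internet (source `0.0.0.0/0` or `::/0`) unless every port in the rule is on a small allowlist of public services, and flags all-traffic rules (`IpProtocol` `-1`) from any source. `SAMPLE_OUTPUT` is constructed in the shape of the CLI's JSON; it re-uses the chapter's placeholder group ids with made-up rules, including the SSH-from-anywhere rule the commands above create. The allowlist of ports 80 and 443 is an assumption for the web-server case.

```python
"""Audit security group ingress rules from `aws ec2 describe-security-groups --output json`.

Added example, not code from the chapter. Findings are (severity, group id,
ports, sources). SAMPLE_OUTPUT is constructed; PUBLIC_OK_PORTS is an
assumption for a web tier.
"""
import json
import sys

PUBLIC_OK_PORTS = {80, 443}            # assumption: only HTTP/HTTPS may face the internet
ANYWHERE = {"0.0.0.0/0", "::/0"}

SAMPLE_OUTPUT = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-1234567890abcdef0", "GroupName": "web-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0987654321abcdef0"}]},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]}]})


def cidr_sources(perm):
    """IPv4 and IPv6 CIDR sources of one IpPermissions entry (group sources excluded)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def describe_ports(perm):
    """Human-readable protocol/port range; "-1" is how the API spells "all traffic"."""
    if perm["IpProtocol"] == "-1":
        return "all protocols/ports"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"


def audit(describe_output, public_ok_ports=PUBLIC_OK_PORTS):
    """Return findings in rule order: HIGH for non-public ports open to the world,
    CRITICAL for all-traffic rules open to the world, WARN for all-traffic rules otherwise."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = cidr_sources(perm)
            world = [c for c in sources if c in ANYWHERE]
            if perm["IpProtocol"] == "-1":
                sev = "CRITICAL" if world else "WARN"
                findings.append((sev, sg["GroupId"], describe_ports(perm), ",".join(sources)))
            elif world and not all(p in public_ok_ports
                                   for p in range(perm["FromPort"], perm["ToPort"] + 1)):
                findings.append(("HIGH", sg["GroupId"], describe_ports(perm), ",".join(world)))
    return findings


if __name__ == "__main__":
    # Usage: aws ec2 describe-security-groups --output json | python3 sg_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for sev, gid, ports, src in audit(text):
        print(f"{sev:8} {gid} {ports:22} from {src}")
```

Rules referencing another security group (`UserIdGroupPairs`, like the 3306 rule) are never world-reachable and are left alone; each HIGH finding maps directly onto the `revoke-security-group-ingress` command shown above.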
## 91.5 VPC Networking

### VPC Configuration

```bash
# Create VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16

# Create subnet
aws ec2 create-subnet \
  --vpc-id vpc-1234567890abcdef0 \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a

# Create Internet Gateway
aws ec2 create-internet-gateway

# Attach IGW to VPC
aws ec2 attach-internet-gateway \
  --internet-gateway-id igw-1234567890abcdef0 \
  --vpc-id vpc-1234567890abcdef0

# Create route table
aws ec2 create-route-table --vpc-id vpc-1234567890abcdef0

# Add default route to the internet gateway
aws ec2 create-route \
  --route-table-id rtb-1234567890abcdef0 \
  --destination-cidr-block 0.0.0.0/0 \
  --gateway-id igw-1234567890abcdef0

# Associate subnet with route table
aws ec2 associate-route-table \
  --route-table-id rtb-1234567890abcdef0 \
  --subnet-id subnet-1234567890abcdef0

# Create NAT Gateway (for private subnet internet access)
# A public NAT gateway lives in a public subnet and needs an Elastic IP allocation
aws ec2 create-nat-gateway \
  --subnet-id subnet-1234567890abcdef0 \
  --allocation-id eipalloc-1234567890abcdef0

# Elastic IP
aws ec2 allocate-address
aws ec2 associate-address --instance-id i-1234567890abcdef0 --allocation-id eipalloc-1234567890abcdef0
```
## 91.6 S3 Storage

### S3 CLI Operations

```bash
# List buckets
aws s3 ls

# Create bucket
aws s3 mb s3://my-bucket-name

# List objects in bucket
aws s3 ls s3://my-bucket-name/

# Copy file to S3
aws s3 cp file.txt s3://my-bucket-name/
aws s3 cp folder/ s3://my-bucket-name/ --recursive

# Download from S3
aws s3 cp s3://my-bucket-name/file.txt ./

# Sync (copies only what differs)
aws s3 sync s3://source-bucket/ s3://dest-bucket/

# Delete object
aws s3 rm s3://my-bucket-name/file.txt

# Delete bucket (--force removes the objects first)
aws s3 rb s3://my-bucket-name --force

# Set permissions via an object ACL
# New buckets block public access and have ACLs disabled by default, so this is
# rejected unless both settings were deliberately changed on the bucket
aws s3 cp file.txt s3://my-bucket-name/ --acl public-read

# Encrypt with KMS
aws s3 cp file.txt s3://my-bucket-name/ --sse aws:kms --sse-kms-key-id alias/my-key
```
## 91.7 EFS (Elastic File System)

### EFS Mounting

```bash
# Install EFS utilities
# Debian/Ubuntu: the package is not in the distro repositories; build it from the efs-utils source (github.com/aws/efs-utils)
sudo apt install amazon-efs-utils
sudo yum install amazon-efs-utils   # RHEL/CentOS

# Mount EFS
sudo mkdir /mnt/efs
sudo mount -t efs fs-12345678:/ /mnt/efs

# Mount with TLS (recommended; encrypts the NFS traffic in transit)
sudo mount -t efs -o tls fs-12345678:/ /mnt/efs

# Add to /etc/fstab (_netdev delays the mount until the network is up)
# fs-12345678:/ /mnt/efs efs defaults,_netdev 0 0
# fs-12345678:/ /mnt/efs efs tls,_netdev 0 0

# Check mount
df -h | grep efs
```
## 91.8 AWS Systems Manager

### Session Manager

```bash
# Start session (no SSH needed; access is governed by IAM and logged by SSM)
aws ssm start-session --target i-1234567890abcdef0

# List active sessions (the SSM API call is DescribeSessions and requires a state)
aws ssm describe-sessions --state Active

# Send command to instances
aws ssm send-command \
  --instance-ids i-1234567890abcdef0 \
  --document-name "AWS-RunShellScript" \
  --parameters 'commands=["uptime", "free -h"]'

# Run command on all instances with a tag
aws ssm send-command \
  --targets "Key=tag:Environment,Values=production" \
  --document-name "AWS-RunShellScript" \
  --parameters 'commands=["yum update -y"]'

# Get command output
aws ssm get-command-invocation \
  --command-id command-1234567890abcdef0 \
  --instance-id i-1234567890abcdef0
```
## 91.9 CloudWatch Monitoring

### CloudWatch for EC2

```bash
# Get EC2 metrics
aws cloudwatch get-metric-statistics \
  --namespace AWS/EC2 \
  --metric-name CPUUtilization \
  --start-time 2024-01-01T00:00:00Z \
  --end-time 2024-01-02T00:00:00Z \
  --period 3600 \
  --statistics Average,Maximum \
  --dimensions Name=InstanceId,Value=i-1234567890abcdef0

# Create alarm: ALARM when the 5-minute average CPU is above 80% for 2 consecutive periods
aws cloudwatch put-metric-alarm \
  --alarm-name high-cpu \
  --alarm-description "Alarm when CPU exceeds 80%" \
  --metric-name CPUUtilization \
  --namespace AWS/EC2 \
  --statistic Average \
  --period 300 \
  --evaluation-periods 2 \
  --threshold 80 \
  --comparison-operator GreaterThanThreshold \
  --dimensions Name=InstanceId,Value=i-1234567890abcdef0

# View logs
aws logs describe-log-groups
# get-log-events needs a stream as well as a group; list the streams first
aws logs describe-log-streams --log-group-name /aws/ec2/instance-id/i-1234567890abcdef0/system
aws logs get-log-events \
  --log-group-name /aws/ec2/instance-id/i-1234567890abcdef0/system \
  --log-stream-name <stream-name>
```
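The alarm parameters above interact in a way that is easy to misjudge: `--period 300` with `--statistic Average` first averages the raw samples into 5-minute buckets, and `--evaluation-periods 2` then requires the threshold to be breached in two consecutive buckets before the state becomes ALARM, so a single spike does not page anyone. The added example below (not code from the chapter) models that pipeline with constructed CPU samples. `DatapointsToAlarm` (M out of N periods) is a real alarm option the page does not use; the model supports it with M = N by default. CloudWatch's missing-data treatment is not modelled.

```python
"""Model how the CPU alarm created above moves between states.

Added example, not code from the chapter. aggregate() buckets raw samples the
way --period/--statistic do; evaluate_alarm() applies --threshold,
--comparison-operator and --evaluation-periods (plus the optional
DatapointsToAlarm, M of N). RAW_SAMPLES are constructed.
"""
import operator

COMPARISONS = {
    "GreaterThanThreshold": operator.gt,
    "GreaterThanOrEqualToThreshold": operator.ge,
    "LessThanThreshold": operator.lt,
    "LessThanOrEqualToThreshold": operator.le,
}
STATISTICS = {
    "Average": lambda vs: sum(vs) / len(vs),
    "Maximum": max, "Minimum": min, "Sum": sum, "SampleCount": len,
}

# Constructed CPUUtilization samples, one per minute: (seconds since start, percent).
# One hot 5-minute period early on, then two consecutive hot periods at the end.
RAW_SAMPLES = (
    list(zip(range(0, 300, 60), [30, 40, 35, 30, 40]))
    + list(zip(range(300, 600, 60), [90, 95, 92.5, 90, 95]))
    + [(t, 78.0) for t in range(600, 900, 60)]
    + [(t, 88.0) for t in range(900, 1200, 60)]
    + [(t, 95.0) for t in range(1200, 1500, 60)]
)


def aggregate(samples, period=300, statistic="Average"):
    """Bucket (timestamp, value) samples into fixed periods and reduce each bucket."""
    buckets = {}
    for ts, value in samples:
        buckets.setdefault(ts - ts % period, []).append(value)
    fn = STATISTICS[statistic]
    return [(start, fn(values)) for start, values in sorted(buckets.items())]


def evaluate_alarm(datapoints, threshold=80.0, evaluation_periods=2,
                   datapoints_to_alarm=None, comparison="GreaterThanThreshold"):
    """Return (period start, state) per datapoint, sliding a window of N periods."""
    m = datapoints_to_alarm or evaluation_periods
    breach = COMPARISONS[comparison]
    breaches = [breach(value, threshold) for _, value in datapoints]
    states = []
    for i, (start, _) in enumerate(datapoints):
        window = breaches[max(0, i - evaluation_periods + 1): i + 1]
        if len(window) < evaluation_periods:
            state = "INSUFFICIENT_DATA"        # not enough history yet
        elif sum(window) >= m:
            state = "ALARM"                    # M of the last N periods breached
        else:
            state = "OK"
        states.append((start, state))
    return states


def alarm_timeline(samples, **alarm_options):
    """Raw per-minute samples -> 5-minute averages -> alarm state per period."""
    return evaluate_alarm(aggregate(samples), **alarm_options)


if __name__ == "__main__":
    for start, state in alarm_timeline(RAW_SAMPLES):
        print(f"t+{start:>5}s {state}")
```

With the page's settings the 92.5% period at t+300s stays OK because the neighbouring periods are below 80, and ALARM is reached only at t+1200s; passing `evaluation_periods=1` turns that single spike into an alarm, which is the trade-off between alert latency and noise.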
## 91.10 Interview Questions

### Basic Questions

- What is EC2?
  - Elastic Compute Cloud - virtual servers in AWS
- What are the main EC2 instance families?
  - t (burstable), m (general), c (compute), r (memory), i (storage)
- What is the difference between instance store and EBS?
  - Instance store is local/ephemeral; EBS is persistent network storage
- What is a security group?
  - Virtual firewall for EC2 instances
- How do you connect to an EC2 instance?
  - SSH with key pair (or Session Manager)

### Intermediate Questions

- What is the difference between gp2 and gp3 EBS volumes?
  - gp2 has baseline performance; gp3 has configurable IOPS and throughput
- What is a VPC?
  - Virtual Private Cloud - isolated virtual network
- How do you secure EC2 instances?
  - Security groups, IAM roles, key pairs, regular updates
- What is the AWS Instance Metadata Service?
  - Service at 169.254.169.254 providing instance info
- What is Systems Manager Session Manager?
  - Connect without SSH using IAM permissions

### Advanced Questions

- How do you back up EBS volumes?
  - Create snapshots, automate with Data Lifecycle Manager
- What is EFS vs EBS vs S3?
  - EFS: shared file system; EBS: block storage; S3: object storage
- How do you monitor EC2?
  - CloudWatch, CloudWatch Agent, Systems Manager
- What are placement groups?
  - Control instance placement for performance/availability
- How do you scale EC2?
  - Auto Scaling Groups, Load Balancers
## Summary

Quick reference:

| Area | Command | Purpose |
|---|---|---|
| EC2 | `aws ec2 describe-instances` | List instances |
| EC2 | `aws ec2 start-instances` / `stop-instances` / `terminate-instances` | Instance control |
| EC2 | `ssh -i key.pem user@host` | SSH access |
| EBS | `aws ec2 create-volume` | Create volume |
| EBS | `aws ec2 attach-volume` | Attach to instance |
| EBS | `aws ec2 create-snapshot` | Create backup |
| Security Groups | `aws ec2 create-security-group` | Create SG |
| Security Groups | `aws ec2 authorize-security-group-ingress` | Add rule |
| S3 | `aws s3 ls` | List buckets |
| S3 | `aws s3 cp file s3://bucket/` | Upload |
| S3 | `aws s3 sync` | Sync folders |