AWS Archives - Page 5 of 6

How to install Active Directory Administration Tools in Windows Server

If you need Active Directory Users and Computers on your Windows Server, you need to install Active Directory Administration Tools.

The walk through below will also install other AD Administration Tools like DNS configuration and optional if you want to install Group Policy Management.

Tutorial below have been tested in Windows Server 2016, Windows Server 2019 and Amazon Workspaces Windows 10.

I learned the steps below when I was configuring Amazon Workspaces Windows 10 to do Active Directory Administration. I was avoiding to RDP to the AD Domain Controller to lessen the impact when I make adjustments that is why I needed the Active Directory Management Tools inside my Amazon Workspace.

Note: It is best if your Windows Server is already joined to an Active Directory Domain.

Step-by-step Instruction to Install Active Directory Administration Tools

Click on Start Menu and click Server Manager.

On Server Manager click Add roles and features.

Grafana monitoring for AWS CloudWatch via EC2 IAM Role

Grafana is an open source software to create visualization of time-series data. This can graph AWS CloudWatch Metrics too.

As a security best practice when using Grafana on an EC2 Instance it is recommended to use an IAM Role. Using a credentials file may expose access to your AWS Account if ever other people gain access to your Grafana Server.

Follow the step-by-step instructions below on how to attach an IAM Role to your Grafana EC2 Instance and set Grafana to access CloudWatch.

Creation of IAM Role for Grafana EC2 Instance

Create an IAM policy with the below permission in JSON. Name this GrafanaAccessPolicy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadingMetricsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourcesForTags",
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }
  ]
}

Then create an IAM Role with the following properties.

Trusted Entity Type	`EC2`
Policies	`GrafanaAccessPolicy`
Role name	`GrafanaAccessRole`

How to install Grafana on EC2 Amazon Linux 2

Grafana is an open source software that specializes in creating graphs and visualizations for users to easily understand the time-series data.

On this step-by-step guide, we will be launching an EC2 Instance with Amazon Linux 2 as the operating system, then install and run Grafana.

EC2 Instance Setup

Launch an EC2 Instance using the Amazon Linux 2 AMI.

For reference here are the settings of my EC2 Instance.

AMI	Amazon Linux 2
Instance Type	t2.micro (free tier) or t3a.nano (cheapest)
Storage	8GB General Purpose SSD (gp2)
Tags	Key: Name Value: Grafana-Server
Security Group	See below (EC2 Security Group Setup)

Note: This post is about installing Grafana on Amazon Linux 2. Launching an EC2 Instance will not be discussed here.

EC2 Security Group Setup

For the EC2 Instance Security Group I opened SSH (22) and default Grafana port (3000) to the internet (0.0.0.0/0).

Copying a Key Pair Generated by AWS to Another Region (with Screenshots)

I have an existing key pair that was generated via AWS Console. Since I do not want to create another set of Key Pair for the other regions, I would like to use the same Key Pair. Is it possible to copy the Key Pair to another Region? How can I do this?
Dany

Hi Dany, the short answer to your question is yes, it is possible to copy your existing AWS generated Key Pair to another region and even copy this to another AWS account.

The Challenge with AWS Generated Key Pairs

Generating the Key Pairs via AWS Console is easy, it gives you the Private Key and you can launch EC2 instances and associate it with your instance by adjusting the settings during EC2 Instance Launch. Then you can SSH to your EC2 Instance via the Private Key.

The issue here is the Public Key. AWS does not provide the Public Key during creation or any time after that.

Do not worry, we can still get the Public Key. It is not easy as clicking on the console then selecting copy to other region, but it is still doable.

See the steps below.

Step-by-step guide on copying a Key Pair to another region.

For this tutorial, I have created an AWS Key Pair in N. Virginia Region (us-east-1) – radishlogic_key.

The goal is to copy the Key Pair to Oregon Region (us-west-2).

Here are screenshots of my Key Pair.

1. Retrieving the Private Key in N. Virginia Region (us-east-1)

Launch a temporary Linux EC2 Instance in where the Key Pair is located (us-east-1). Any Linux Image will do.

How to Fix Network Error on AWS Cognito

When I encountered the Network Error when developing with AWS Cognito I panicked. I was connected to the internet so why am I getting a Network Error? Even the Console output was not helpful.

This happened to me during User Registration and Login.

Why is the `Network Error` happening?

By default, a type=submit in a form element will automatically refresh the page when it is clicked or triggered.

How to solve SSL Certificate not showing in AWS CloudFront

Most likely you already have an SSL Certificate in AWS Certificate Manager (ACM). Then when you go to configure it in CloudFront you cannot select the radio button that says Custom SSL Certificate (example.com) or your SSL Certificate does not show in the options.

The reason for this is that your SSL Certificate should be in the N. Virginia Region (us-east-1).

If you look closely on the words below the selection it says You can use a certificate stored in AWS Certificate Manager (ACM) in the US East (N. Virginia) Region, or you use a certificate stored in IAM.

This is also stated in the AWS CloudFront Documentation regarding the use of Alternate Domain Names and HTTPS.

Request or upload your SSL Certificate in AWS Certificate Manager in N. Virginia Region (us-east-1) and your SSL Certificate should show on the selection.

With this you can now use HTTPS to access your services when you are working with CloudFront.

How to solve Failed-Activating Windows in AWS EC2

Sometimes when I create a Windows EC2 Instance from one of my custom AMIs I get an activation failed Windows Server.

Follow the instruction below to Activate your Windows Instance. (For Windows Server 2016, 2019 and later only).

Activate Windows Manually using EC2Launch initialization script

Open Powershell on your Windows Server and run the command below.

C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1; cscript "${env:SYSTEMROOT}\system32\slmgr.vbs" /ato

Notes:

No need to run Powershell in administrator mode.
No need to restart your instance. Once you run the above command, the Activate Windows on your desktop will disappear.
This will not update the local Administrator password

There are other ways to Activate Windows on your AWS EC2. You can check them all here.

Adding a Volume without Restart in Windows EC2

When I create Windows Instances in AWS EC2, I usually forget to add a drive or two. With this step-by-step tutorial, I will walk you through how to create a new Volume for EC2 Instances, then make Windows use the new Volume without a reboot.

Initial Setup
Creating and Attaching the Volume in AWS EC2 Console
Adding the new Volume to Windows System

Initial Setup

I launched a EC2 Windows 2016 Server with only 1 Block Device (/dev/sda1), which is also my Root Device.

Note the Availability Zone where your instance is located, you will need this later. Mine is in us-east-1a.

Looking inside Windows it only has 1 volume.

Creating and Attaching the Volume in AWS EC2 Console

Now we need to attach a new Volume for our Windows Server.

Go to AWS EC2 Console, on the left sidebar click on Volumes.

Creating a Public SSL/TLS Certificate in AWS Certificate Manager

If you plan to make the communication of your site visitors to be secure by using HTTPS then you need to use Public SSL/TLS Certificate. You can do this by requesting for a Public Certificate via AWS Certificate Manager (ACM).

Below are the advantages of using Public SSL/TLS Certificate provided by AWS Certificate Manager.

No charges = Free.
Auto renew – No need to worry on expiring SSL/TLS Certificate. ACM Automatically does this for you.
Easy integration with Amazon Web Services (AWS) products such as CloudFront, Elastic Load Balancer, API Gateway and many more.

Check the step-by-step guide on how you can request a Public SSL/TLS Certificate for HTTPS access of your website/domain.

Requesting for a Public SSL/TLS Certificate

Note: AWS Certificate Manager is a regional service, therefore make sure to be in the correct AWS Region. If you are new to AWS just select N. Virginia (us-east-1) as it is one of the cheapest regions.

On the AWS Certificate Manager page, click on Get started.

On the next screen, make sure to select the Request a public certificate, then click on Request a certificate.

Under Add domain names. Enter the following.

.[Your Domain] Example: `.chargedneutron.com`	The * represents a wildcard. This will allow you to use the SSL Certificate to any subdomains that you want like www.domain.com, images.domain.com, sites.domain.com, mobile.domain.com
[Your Domain] Example: `chargedneutron.com`	Apex Domain or Naked Domain Name. Your domain name without subdomains. Use this if you do not want to use www in front of your website.

Then click on Next.

Select DNS Validation, then click on Review.

Steps to Install Group Policy Management