Tag: EC2 Instance

EC2 with IAM Role: CloudFormation Sample Template

Creating an EC2 Instance with an IAM Role is easy when you do it via the AWS Console but doing this with CloudFormation is not as direct. You will need an Instance Profile to connect an EC2 with an IAM Role.

TL;DR: See the CloudFormation Template below.

Continue reading EC2 with IAM Role: CloudFormation Sample Template

CloudFormation: How to solve Circular Dependency between an Elastic IP and an EC2 Instance

When writing a CloudFormation Template that needs to use the value of an Elastic IP to a file inside an EC2 Instance, you will most likely encounter a Circular dependency between resources error.

I encountered this when configuring OpenSwan IPSec VPN in CloudFormation.

You can try the CloudFormation template below to see the error above.

CloudFormation Template with Circular Dependency Error

Parameters:
  AmazonLinux2AMIID:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2

  KeyName:
    Type: AWS::EC2::KeyPair::KeyName

Resources:
  ElasticIP:
    Type: 'AWS::EC2::EIP'
    Properties:
      Domain: vpc
      InstanceId: !Ref EC2Instance
  
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties: 
      ImageId: !Ref AmazonLinux2AMIID
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      UserData: 
        Fn::Base64:
          !Sub |
            #!/bin/bash -ex
            echo "${ElasticIP}" >> /EIPAddress.txt
Continue reading CloudFormation: How to solve Circular Dependency between an Elastic IP and an EC2 Instance

Grafana monitoring for AWS CloudWatch via EC2 IAM Role

Grafana is an open source software to create visualization of time-series data. This can graph AWS CloudWatch Metrics too.

As a security best practice when using Grafana on an EC2 Instance it is recommended to use an IAM Role. Using a credentials file may expose access to your AWS Account if ever other people gain access to your Grafana Server.

Follow the step-by-step instructions below on how to attach an IAM Role to your Grafana EC2 Instance and set Grafana to access CloudWatch.

Creation of IAM Role for Grafana EC2 Instance

Create an IAM policy with the below permission in JSON. Name this GrafanaAccessPolicy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadingMetricsFromCloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
      "Resource": "*"
    },
    {
      "Sid": "AllowReadingResourcesForTags",
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }
  ]
}

Then create an IAM Role with the following properties.

Trusted Entity TypeEC2
PoliciesGrafanaAccessPolicy
Role nameGrafanaAccessRole
Continue reading Grafana monitoring for AWS CloudWatch via EC2 IAM Role