How to add and delete security group rules in AWS via the CLI (and list them too!)

Author: erics, September 13th, 2023

Add inbound rule(s) for a security group ID:

shell> aws ec2 authorize-security-group-ingress --group-id sg-NNNNNNNN --protocol tcp --port 80 --cidr '0.0.0.0/0'

1	shell> aws ec2 authorize-security-group-ingress --group-id sg-NNNNNNNN --protocol tcp --port 80 --cidr '0.0.0.0/0'

## Delete inbound rule(s) for a security group ID

shell> aws ec2 revoke-security-group-ingress --group-id sg-NNNNNNNN --protocol tcp --port 80 --cidr '0.0.0.0/0'

1	shell> aws ec2 revoke-security-group-ingress --group-id sg-NNNNNNNN --protocol tcp --port 80 --cidr '0.0.0.0/0'

## List security groups by security group ID

shell> aws ec2 describe-security-groups --output json | jq -r '.SecurityGroups[]|.GroupId+" "+.GroupName'

1	shell> aws ec2 describe-security-groups --output json \| jq -r '.SecurityGroups[]\|.GroupId+" "+.GroupName'

## List inbound rules for a specific security group ID

shell> aws ec2 describe-security-groups --group-ids sg-NNNNNNNN --output json | jq -r '.SecurityGroups[].IpPermissions[]|. as $parent|(.IpRanges[].CidrIp+" "+($parent.ToPort|tostring))'

1	shell> aws ec2 describe-security-groups --group-ids sg-NNNNNNNN --output json \| jq -r '.SecurityGroups[].IpPermissions[]\|. as $parent\|(.IpRanges[].CidrIp+" "+($parent.ToPort\|tostring))'

Thanks to: https://www.bluematador.com/learn/aws-cli-cheatsheet

Categories: How-To's, Technology Tags: Add, AWS, aws cli, cli, Delete, Group, howto, Remove, security, Security Group, tips | No comments

How To Upgrade MySQL to 8.0 on CentOS/AWS Linux

Author: erics, August 31st, 2023

START: Server version: 5.7.43-log MySQL Community Server (GPL) FINISH: Server version: 8.0.34-log MySQL Community Server (GPL)

mysql --execute="SET GLOBAL innodb_fast_shutdown=0;"
service mysqld stop
yum remove mysql mysql-* mysql57-community-release

yum install https://dev.mysql.com/get/mysql80-community-release-el6-3.noarch.rpm
yum update
yum install mysql-community-server

cp /etc/my.cnf.rpmsave /etc/my.cnf
service mysqld start

grep 'temporary password' /var/log/mysqld.log | tail -1
mysql -p
Enter password: 
ALTER USER 'root'@'localhost' IDENTIFIED BY 'newRootPassword';

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

mysql --execute="SET GLOBAL innodb_fast_shutdown=0;"

service mysqld stop

yum remove mysql mysql-* mysql57-community-release

yum install https://dev.mysql.com/get/mysql80-community-release-el6-3.noarch.rpm

yum update

yum install mysql-community-server

cp /etc/my.cnf.rpmsave /etc/my.cnf

service mysqld start

grep 'temporary password' /var/log/mysqld.log | tail -1

mysql -p

Enter password:

ALTER USER 'root'@'localhost' IDENTIFIED BY 'newRootPassword';

https://dev.mysql.com/doc/refman/8.0/en/default-privileges.html Check and veify your my.cnf ssl entries if you see the following error in the /var/log/mysqld.log file at startup:

Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

1	Failed to set up SSL because of the following SSL library error: SSL_CTX_set_default_verify_paths failed

Categories: How-To's, Technology Tags: 5.7, 8.0, AWS, AWS Linux, CentOS, howto, mysql, MySQL 5.7, MySQL 8.0, tips, upgrade | No comments

How To Fix Error “Cannot open access to console, the root account is locked”

Author: erics, June 23rd, 2023

When trying to access the serial console on AWS, I got the following error: Cannot open access to console, the root account is locked Since I had edited /etc/fstab, the host would not boot. The only way to fix this problem is to unmount the root volume from the affected instance, mount it on another […]

Categories: How-To's, Technology Tags: /etc/fstab, AWS, Console, Error, fstab, howto, Locked, root, tips | No comments

How To Fix SSH Permission Denied From macOS Ventura To Amazon Linux

Author: erics, May 9th, 2023

I have been using RSA SSH keys forever to login to my various AWS EC2 instances. With macOS Ventura 13.3.1 ssh failed with the “Permission Denied” error. Using ssh -vvv, I saw that the RSA key was now being rejected. After much research, I decided to implement new keys on the client (Ventura) side using […]

Categories: How-To's, Technology Tags: AWS, denied, ed25519, Error, Generate, howto, key, Linux, MacOS, Permission Denied, public, Public Key, ssh, ssh-keygen, sshd, tips, Ventura | No comments

How To Expand an EBS Volume After a Disk Resize on Amazon Linux

Author: erics, April 17th, 2023

First, use the AWS Console to modify the volume to the desired size, in our example we want to go from 10GB to 25GB for the root filesystem For a Xen ext4 root volume

# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvda1      9.8G  9.6G   26M 100% /
/dev/xvdf       200G   99G  102G  50% /volumes/data

# lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvda    202:0    0   10G  0 disk 
└─xvda1 202:1    0   10G  0 part /
xvdf    202:80   0  200G  0 disk /volumes/data

# growpart /dev/xvda 1
CHANGED: disk=/dev/xvda partition=1: start=4096 old: size=20967390,end=20971486 new: size=52424670,end=52428766

# lsblk
lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvda    202:0    0   25G  0 disk 
└─xvda1 202:1    0   25G  0 part /
xvdf    202:80   0  200G  0 disk /volumes/data

# resize2fs /dev/xvda1
resize2fs 1.43.5 (04-Aug-2017)
Filesystem at /dev/xvda1 is mounted on /; on-line resizing required
old_desc_blocks = 1, new_desc_blocks = 2
The filesystem on /dev/xvda1 is now 6553083 (4k) blocks long.

# df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/xvda1     ext4       25G  9.6G   15G  40% /
/dev/xvdf      xfs       200G   99G  102G  50% /volumes/data

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

# df -h

Filesystem Size Used Avail Use% Mounted on

/dev/xvda1 9.8G 9.6G 26M 100% /

/dev/xvdf 200G 99G 102G 50% /volumes/data

# lsblk

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT

xvda 202:0 0 10G 0 disk

└─xvda1 202:1 0 10G 0 part /

xvdf 202:80 0 200G 0 disk /volumes/data

# growpart /dev/xvda 1

CHANGED: disk=/dev/xvda partition=1: start=4096 old: size=20967390,end=20971486 new: size=52424670,end=52428766

# lsblk

lsblk

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT

xvda 202:0 0 25G 0 disk

└─xvda1 202:1 0 25G 0 part /

xvdf 202:80 0 200G 0 disk /volumes/data

# resize2fs /dev/xvda1

resize2fs 1.43.5 (04-Aug-2017)

Filesystem at /dev/xvda1 is mounted on /; on-line resizing required

old_desc_blocks = 1, new_desc_blocks = 2

The filesystem on /dev/xvda1 is now 6553083 (4k) blocks long.

# df -hT

Filesystem Type Size Used Avail Use% Mounted on

/dev/xvda1 ext4 25G 9.6G 15G 40% /

/dev/xvdf xfs 200G 99G 102G 50% /volumes/data

For NVMe First, use lsblk to see the raw partitions:

# df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/nvme0n1p1 xfs        20G  2.8G   18G  14% /

# lsblk
NAME          MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1       259:0    0  40G  0 disk 
├─nvme0n1p1   259:1    0  20G  0 part /
└─nvme0n1p128 259:2    0   1M  0 part

1

2

3

4

5

6

7

8

9

# df -hT

Filesystem Type Size Used Avail Use% Mounted on

/dev/nvme0n1p1 xfs 20G 2.8G 18G 14% /

# lsblk

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT

nvme0n1 259:0 0 40G 0 disk

├─nvme0n1p1 259:1 0 20G 0 part /

└─nvme0n1p128 259:2 0 1M 0 part

Note how the partition at 259:1 is only 20GB, […]

Categories: How-To's, Technology Tags: Amazon, Amazon Linux 2, AWS, df, df -hT, Disk, EBS, Expand, Filesystem, Grow, howto, Linux, Linux2, lsblk, NVMe, partition, Resize, tips, volume, XFS | No comments

How To Use AWS CloudTrail For Intrusion Detection To Monitor Your AWS Account For Unwanted Activity

Author: erics, December 30th, 2022

Summary Use AWS CloudTrail as the basis for a simple Intrusion Detection System to monitor your AWS account for unwanted activity. Background While I follow best practices for security, it is always possible that a bad actor could obtain my credentials and gain access to my AWS account. Once access is gained, such criminals could […]

Categories: Technology Tags: Attack, AWS, Bad Actor, Cloud, CloudTrail, CloudWatch, Compromise, Crypto, DDOS, Detection, dos, howto, IDS, Intrusion, Intrusion Detection, Mining, tips, Vector | No comments

How To Sync AWS S3 Buckets Using RClone

Author: erics, September 9th, 2021

The aws s3 sync command is slow and painful! I needed a more efficient way to sync to large buckets (prod to dev). Finally settled on RClone: https://rclone.org/docs/

cd {extracted zip dir}
./rclone config 
cat ~/.config/rclone/rclone.conf

1

2

3

cd {extracted zip dir}

./rclone config

cat ~/.config/rclone/rclone.conf

During rclone config I called remote “s3” ;-}

./rclone sync -v --progress --fast-list --checksum s3:wyzaerd-demo-prod s3:wyzaerd-demo-dev

1	./rclone sync -v --progress --fast-list --checksum s3:wyzaerd-demo-prod s3:wyzaerd-demo-dev

Categories: How-To's, Technology Tags: AWS, Bucket, howto, rclone, rsync, S3, s3s3, s3s3mirror, Sync, tips | No comments

How To Copy Key Pairs To Another AWS Region Using The ssh-keygen Command

Author: erics, August 4th, 2021

I wanted to use the same SSH keys for multiple AWS regions. As it turns out, AWS simply stores the public key when you download the private key as a .pem file. The solution is to simply generate the public key locally from the existing .pem, then import the public key using the same name […]

Categories: How-To's, Technology Tags: Amaon, AWS, Copy Key Pair, howto, key-pair, KeyPair, Linux, ssh-keygen, tips | No comments

How To Allow AWS IAM Users EBS Snapshot Create And Delete Access

Author: erics, July 29th, 2021

SUMMARY: Needed to create an AWS IAM Policy to allow a user access to create and delete EBS snapshots. This script also needed to be able to list volumes:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSnapshot",
                "ec2:ModifySnapshotAttribute",
                "ec2:CreateSnapshots",
                "ec2:ResetSnapshotAttribute",
                "ec2:CreateSnapshot"
            ],
            "Resource": [
                "arn:aws:ec2:*:ACCOUNT_ID_HERE:volume/*",
                "arn:aws:ec2:*:ACCOUNT_ID_HERE:snapshot/*",
                "arn:aws:ec2:*:ACCOUNT_ID_HERE:instance/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        }
    ]
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "VisualEditor0",

"Effect": "Allow",

"Action": [

"ec2:DeleteSnapshot",

"ec2:ModifySnapshotAttribute",

"ec2:CreateSnapshots",

"ec2:ResetSnapshotAttribute",

"ec2:CreateSnapshot"

],

"Resource": [

"arn:aws:ec2:*:ACCOUNT_ID_HERE:volume/*",

"arn:aws:ec2:*:ACCOUNT_ID_HERE:snapshot/*",

"arn:aws:ec2:*:ACCOUNT_ID_HERE:instance/*"

]

},

{

"Sid": "VisualEditor1",

"Effect": "Allow",

"Action": [

"ec2:DescribeSnapshotAttribute",

"ec2:DescribeVolumes",

"ec2:DescribeSnapshots"

],

"Resource": "*"

}

]

}

Categories: How-To's, Technology Tags: Amazon, AWS, Create, Delete, howto, IAM, JSON, Policy, Snapshot, tips, User, volume | No comments

How To Fix aws Command Error “You must specify a region”

Author: erics, July 29th, 2021

I was getting error “You must specify a region” when running any aws CLI command. The fix: Using the aws command:

aws configure set region us-east-1 --profile demo

1	aws configure set region us-east-1 --profile demo

which will automatically add the following to the file ~/.aws/config:

[profile demo]
region = us-east-1

1 2	[profile demo] region = us-east-1

You many simply edit the ~/.aws/config file yourself and append the same thing:

vi ~/.aws/config

[profile demo]
region = us-east-1

1

2

3

4

vi ~/.aws/config

[profile demo]

region = us-east-1

Categories: How-To's, Technology Tags: AWS, aws cli, aws command, aws configure, aws set, cli, Command, Config, configure, Error, Region, You must specify a region | No comments

How to add and delete security group rules in AWS via the CLI (and list them too!)

How To Upgrade MySQL to 8.0 on CentOS/AWS Linux

How To Fix Error “Cannot open access to console, the root account is locked”

How To Fix SSH Permission Denied From macOS Ventura To Amazon Linux

How To Expand an EBS Volume After a Disk Resize on Amazon Linux

How To Use AWS CloudTrail For Intrusion Detection To Monitor Your AWS Account For Unwanted Activity

How To Sync AWS S3 Buckets Using RClone

How To Copy Key Pairs To Another AWS Region Using The ssh-keygen Command

How To Allow AWS IAM Users EBS Snapshot Create And Delete Access

How To Fix aws Command Error “You must specify a region”

Our Link Network

Business

Client Websites

Fine Dining

Friends & Family

Galleries

Health

Resources

Technology

Travel

The Archives

Latest Ramblings…

Various Topics of No Interest