Changing Root Access Key to IAM Users on AWS

I have an old AWS instance created way back in 2009, when I was still learning and the only way to access AWS resources through the API was with an access key ID and secret access key. Unfortunately, there was no IAM yet at that time. Fast forward a year or so, and this is highly insecure, as those access keys have root access. Best practice is to use IAM: create a user and add it to a group that is assigned the specific policy permissions.

We got a notice from AWS that we need to either rotate or delete our access keys. A better way to handle it is to create a new user instead.

1. First go to the AWS console, then IAM. On your dashboard you will see something like this if you have an access key generated from the root account.

[Screenshot: Delete Root Access Key]

2. Click the accordion tab to expand it and click on Manage Security Credentials.

3. Expand Access Keys (Access Key ID and Secret Access Key), check for any access keys and note where you have likely used them. In my case I use them for Amazon SES via the PHP SimpleEmailService class.

4. Delete the access keys.

5. Go to Groups, click Create a Group, give it a name, attach the policies AdministratorAccess and AmazonSESFullAccess, then save.

 


6. Go to Users, click Create User, and download the new access key ID and secret access key.

7. Assign the user to the group.

That should be it.

Now update any of your files that use the previous root key.
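The same group, user and key steps done with the AWS CLI, as an added example that is not from the original post. It attaches an inline policy limited to SES sending, a narrower choice than the managed policies in step 5, which fits a key that is only used to send mail. The group, policy and user names are assumptions, and `aws` must already be configured with credentials allowed to manage IAM.

```shell
#!/bin/sh
# Added example: the names below are assumptions, not values from the post.
GROUP="${GROUP:-ses-senders}"
POLICY_NAME="${POLICY_NAME:-ses-send-only}"
IAM_USER="${IAM_USER:-ses-mailer}"

# Print a policy document that allows sending mail through SES and nothing else.
ses_send_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ses:SendEmail", "ses:SendRawEmail"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Create the group, attach the inline policy, create the user, add it to the
# group and issue one access key. The secret is printed once by the last call.
create_ses_sender() {
  policy_file=$(mktemp) || return 1
  ses_send_policy > "$policy_file"
  aws iam create-group --group-name "$GROUP" &&
  aws iam put-group-policy --group-name "$GROUP" \
      --policy-name "$POLICY_NAME" \
      --policy-document "file://$policy_file" &&
  aws iam create-user --user-name "$IAM_USER" &&
  aws iam add-user-to-group --group-name "$GROUP" --user-name "$IAM_USER" &&
  aws iam create-access-key --user-name "$IAM_USER"
  rc=$?
  rm -f "$policy_file"
  return $rc
}

# Only touch the account when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  create_ses_sender
fi
```

Run it with `--apply` to make the changes; without the flag it only defines the functions.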

 

 

How to run WordPress on a LEMP stack on Amazon EC2

At last, I finally found time to move my blog to a LEMP (Linux, Nginx, MySQL and PHP-FPM) stack. It is just one of the many goals I have set for overhauling this blog, and over the coming days I’ll be optimizing it further and coming up with a fresh new design. I’ve been running this blog on an Amazon EC2 LAMP stack on a t1.micro instance. With micro instances you have limited processing power and memory. Running Apache is kind of overkill, MySQL often crashes from running out of memory, and this layout design is outdated and not responsive. I’ve been focused too much on Salesforce development, so I’ve completely snubbed this blog and my first love, which is design and web development.

Here is a short 3-part tutorial for setting up EC2, LEMP and WordPress.

    Part 1 Setup EC2 instance

  • Sign up for AWS account
  • Create a new instance
  • Select Linux distro either Ubuntu 14.04 or higher (HVM preferred)
  • Select t2.micro instance and run through the wizard
  • Edit the security group and make sure you add SSH and HTTP rules
  • Then launch and download your key
  • Once launched get the public IP
  • On Mac, SSH to the IP using the pem key
    e.g. sudo ssh -i my.pem ubuntu@1.1.1.1

    Part 2 Setup Nginx, MySQL and PHP-FPM

  • Once connected, make sure you update your distro's local package index (sudo apt-get update)
  • Next install nginx
    sudo apt-get install nginx
  • Install MySQL Server
    sudo apt-get install mysql-server
  • Setup MySQL structure
    sudo mysql_install_db
  • Run secure MySQL script and follow the prompts
    sudo mysql_secure_installation
  • Install PHP
    sudo apt-get install php5-fpm php5-mysql
  • Secure PHP
    sudo vi /etc/php5/fpm/php.ini
    Uncomment cgi.fix_pathinfo and set it to 0 (cgi.fix_pathinfo=0)
  • Restart PHP
    sudo service php5-fpm restart
  • Edit nginx configuration to read PHP
    sudo vi /etc/nginx/sites-available/default
  • Add index.php to be parsed
    index index.php index.html index.htm;
  • Restart nginx
    sudo service nginx restart
  • Setup server permissions
    sudo chown -R demo:www-data /var/www/html/*
    sudo chown -R www-data /var/www/wordpress
  • Sweet! Finally you can install your WordPress.
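A check for the "Secure PHP" step, as an added example that is not from the original post: it reports the value PHP will actually use for cgi.fix_pathinfo, which catches the case where the line was edited but left commented out. The function names are assumptions, and the function takes the last uncommented assignment in the file as the effective one.

```shell
#!/bin/sh
# Added example: effective_fix_pathinfo and check_fix_pathinfo are
# hypothetical helper names.

# Print the effective cgi.fix_pathinfo value from a php.ini file.
# Lines starting with ';' are comments, so a still-commented setting leaves
# PHP on its built-in default of 1.
effective_fix_pathinfo() {
  ini="$1"
  value=$(sed -n 's/^[[:space:]]*cgi\.fix_pathinfo[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*$/\1/p' "$ini" | tail -n 1)
  echo "${value:-1}"
}

# Succeed only when the effective value is 0.
check_fix_pathinfo() {
  [ "$(effective_fix_pathinfo "$1")" = "0" ]
}

# Stand-alone use: pass the php.ini path as the first argument.
if [ -n "${1:-}" ]; then
  if check_fix_pathinfo "$1"; then
    echo "OK: cgi.fix_pathinfo=0 in $1"
  else
    echo "WARN: cgi.fix_pathinfo is not 0 in $1" >&2
    exit 1
  fi
fi
```

Point it at the file from the step above, /etc/php5/fpm/php.ini, before restarting PHP.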

Configure WordPress Update on Ubuntu EC2 instance

EC2 instances use SFTP, not FTP, and you do not have a password, so the easiest way to configure the WordPress update is via the command line. SSH into your instance and enter the following.

sudo chown -R www-data /var/www/wordpress

sudo chmod -R 755 /var/www/wordpress
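A tighter alternative to the recursive `chmod 755`, as an added example that is not from the original post: directories get 755, regular files 644 and wp-config.php 640, so files are not left executable and the database password is not world-readable. It also covers the "Setup server permissions" step in the LEMP tutorial above. The function names and the 640 mode are assumptions; ownership is still set with the `chown` command.

```shell
#!/bin/sh
# Added example: set_wp_perms and list_loose_files are hypothetical helpers.

# Apply directory/file modes under a WordPress root.
set_wp_perms() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  # Directories need the execute bit so they can be traversed.
  find "$root" -type d -exec chmod 755 {} + || return 1
  # Regular files need read (and owner write), never execute.
  find "$root" -type f -exec chmod 644 {} + || return 1
  # wp-config.php holds the database password: no access for "other".
  if [ -f "$root/wp-config.php" ]; then
    chmod 640 "$root/wp-config.php" || return 1
  fi
}

# List regular files that are still writable by group or other.
list_loose_files() {
  find "$1" -type f \( -perm -020 -o -perm -002 \)
}

# Stand-alone use: sudo sh this-script /var/www/wordpress
if [ -n "${1:-}" ]; then
  set_wp_perms "$1" && list_loose_files "$1"
fi
```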

Troubleshoot AWS SimpleEmailService – Sender – RequestExpired

On our AWS EC2 instance, email delivery stopped working without any notice. Customers started reporting that they were not receiving their emails. Better check your error logs.

You may find something like this:

PHP Warning: SimpleEmailService::sendEmail(): Sender – RequestExpired: Request timestamp: Sun, 15 Sep 2013 06:39:50 UTC expired. It must be within 300 secs/ of server time.\nRequest Id: 552d8117-1dd2-11e3-a1bc-29ded7e8e9e2\n

This basically means that the timestamp of our server is off and does not match the Amazon Simple Email Service. It is off by almost 300 secs.

But why would our server time suddenly be off? It appears that server time needs to be synced to a central NTP server. You can try the following suggested solutions.

1. Update locally
Install the ntpdate package on your system.
sudo apt-get install ntpdate
sudo /usr/sbin/ntpdate 128.101.101.101

2. Run and check against existing NTP servers
sudo /usr/sbin/ntpdate 0.north-america.pool.ntp.org 1.north-america.pool.ntp.org 2.north-america.pool.ntp.org 3.north-america.pool.ntp.org

Kudos to Mind Geek for the second solution.

Error on EC2 Command Line Interface Tool Mac OS X

Just recently Amazon Web Services (AWS) started offering AWS Certifications for Solutions Architect. I got excited at the thought of having a new certification under my belt, so I jumped back into getting myself reacquainted with AWS. One of the first things I needed to do was to get up to speed with the latest enhancements and tools.

First, there is a new method for setting up the EC2 Command Line Interface (CLI) Tool: the new method prefers AWS_ACCESS_KEY and AWS_SECRET_KEY, and the old method is going to be deprecated in the future.

If you add AWS_ACCESS_KEY and AWS_SECRET_KEY and then remove EC2_PRIVATE_KEY and EC2_CERT from your environment setup (~/.bash_profile), then when you run any ec2 command like

ec2-describe-instances

You might run into this error.

Required option '-K, --private-key KEY' missing (-h for usage)

It took me a while to figure out, but the error is caused by an outdated CLI Tool: the old tool does not recognize AWS_ACCESS_KEY and AWS_SECRET_KEY in your environment even if they are properly set up.

The quick solution is to upgrade the CLI Tool and replace the bin and lib in your /.ec2 folder. That should be it. One post just for that simple solution. Hope somebody finds that useful.

BTW major updates are coming soon for this site. I’ll be redesigning it and moving this blog to an nginx server soon to speed it up.