How an EIPAssociation in CloudFormation can Help Prevent Dependency Issues | by Teri Radichel | Cloud Security | Nov, 2022
ACM.104 Maintaining a static IP address when you need to delete and recreate an EC2 instance
This is a continuation of my series on Automating Cybersecurity Metrics.
We ran into a snag in the last post and we'll fix it in this post. In that post, we used an AWS-managed prefix list to add rules to our security group instead of adding every CIDR used by the S3 service.
Updating security groups on an EC2 instance in CloudFormation apparently requires it to delete and recreate an EC2 instance. I don't know why, because you can change security groups in the AWS console with an EIP assigned and have no such issues. It seems like AWS could fix whatever is causing that (#awswishlist).
CloudFormation refused to delete and recreate the AWS EC2 instance because another stack was depending on an output of our EC2 stack. That other stack was our EIP (Elastic IP Address) created in this post:
If we delete the EIP, we lose the IP address assigned to us and we need to create a new one. And if we have to create a new IP address then we have to go back and fix all our local network rules that were set up in this post:
To ensure we didn't lose our EIP but could redeploy our VM, we removed the output dependency in our EIP stack. We had to actually change our EIP template code. That is not a long-term solution. We don't want to have to change code to create, delete, and redeploy resources. There are various solutions to that problem but the one we're going to use is a CloudFormation EIP association:
Leveraging the EIPAssociation resource
When we create an EIP association, we pass in an EIP address and an Instance ID.
The EIPAssociation CloudFormation documentation says we have to pass in an allocation ID:
Well, where do we get that, since the output returned by an EIP is an IP address? We can glean how to get the allocation ID from the code at the bottom of the page.
The sample code deploys an EIP:
Then it deploys an EIPAssociation and gets the ID using GetAtt and [EIP].AllocationId.
So apparently that is how you get the ID, and we need to add that to our outputs in our EIP template:
Since our EIP has no dependencies now, we can deploy it in our main deploy script. Recall that we removed the Instance ID dependency.
Test that out and we now have an output with the EIP allocation ID in the CloudFormation stack:
Test the EIP Association
Now we can reference that in our EIP association template. We can also reference the export value for the EC2 instance to which we want to associate the IP address.
With the above resource we can delete and recreate it without losing our EIP or the fixed IP address that we're using in our firewall rules.
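The two templates below are an added example of the pattern described above; they are not the templates from the original post or from 2nd Sight Lab. The resource and export names (DeveloperEIP, DeveloperEIPAllocationId, DeveloperInstanceId) and the file names in the comments are assumptions; the EC2 stack is assumed to export its instance ID under the name DeveloperInstanceId. The first template allocates the EIP and exports both the address (for firewall rules) and the allocation ID that AWS::EC2::EIPAssociation requires; the second template only ties the two exports together, so it carries the cross-stack dependency instead of the EIP stack.

```yaml
# eip.yaml (assumed file name): allocates a VPC Elastic IP with no reference
# to any instance, so this stack never needs to change when the VM is replaced.
AWSTemplateFormatVersion: "2010-09-09"
Description: Static Elastic IP with no dependency on any EC2 instance
Resources:
  DeveloperEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc            # required for the AllocationId attribute
Outputs:
  DeveloperEIPAddress:
    Description: Public IP address used in on-premises firewall rules
    Value: !Ref DeveloperEIP                # Ref on an EIP returns the address
    Export:
      Name: DeveloperEIPAddress             # assumed export name
  DeveloperEIPAllocationId:
    Description: Allocation ID required by AWS::EC2::EIPAssociation
    Value: !GetAtt DeveloperEIP.AllocationId
    Export:
      Name: DeveloperEIPAllocationId        # assumed export name
---
# eip_association.yaml (assumed file name): binds the exported EIP to the
# instance exported by the EC2 stack. This stack is cheap to delete and
# recreate; the EIP resource itself is never touched.
AWSTemplateFormatVersion: "2010-09-09"
Description: Associate the static EIP with the developer EC2 instance
Resources:
  DeveloperEIPAssociation:
    Type: AWS::EC2::EIPAssociation
    Properties:
      AllocationId: !ImportValue DeveloperEIPAllocationId
      InstanceId: !ImportValue DeveloperInstanceId   # assumed EC2 stack export
```

Deploy the first file once and the second after every instance rebuild, for example with `aws cloudformation deploy --template-file eip_association.yaml --stack-name developer-eip-association`. One caveat a practitioner should plan for: Fn::ImportValue makes the association stack a consumer of both exports, and CloudFormation will not let a stack change or remove an exported output value while another stack imports it. The association stack therefore has to be deleted before the EC2 stack replaces the instance (which changes the exported instance ID) and redeployed afterwards; the EIP stack and its address are unaffected either way. To confirm the instance came back with the same address, `aws ec2 describe-addresses --filters Name=instance-id,Values=<instance id>` should list the allocation ID exported by the EIP stack.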
Rename deploy_eips.sh to deploy_eip_alloc.sh and add the code there to deploy an EIP Association.
Deploy the EIP association and verify it works.
Check to see that you have the same IP associated with your EC2 instance that you had before. Done. That means I won't have to change any network rules.
Now we should have the S3 prefix list in the security group assigned to our EC2 instance from that last post.
That rule allows our EC2 instance to connect to S3 on port 443. That, in turn, allows us to call yum commands on AWS since yum on AWS stores packages in S3. Let's try it.
SSH into the Developer EC2 instance we created in this series. Remember that since the underlying host changed you may need to delete your known hosts file as I explained in a prior post.
Run this command:
sudo yum install git
Success!
While we're at it you should also run the following command to update any outdated software on the system:
sudo yum update
Now that we have installed git on an EC2 instance, let's use it. In our next post I'll show you how to add networking rules to allow your EC2 instance to contact GitHub to retrieve code.
Follow for updates.
Teri Radichel
If you liked this story please clap and follow:
Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Request services via LinkedIn: Teri Radichel or IANS Research
© 2nd Sight Lab 2022
All the posts in this series:
____________________________________________
Author:
Cybersecurity for Executives in the Age of Cloud on Amazon
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.
Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts