1. AWS Usage

最後更新: 2020-10-14

AWS = Amazon Web Services

cli tools

  • Euca2ools (EPEL)
  • Ansible (Python, Playbooks)
  • ec2-ami-tools.noarch.rpm (yum install java-1.7.0-openjdk)
  • aws (https://aws.amazon.com/cli/)


  • VPC
  • EC2
  • EBS(Elastic Block Store)
    - network-attached, and persist independently from the life of an instance)
    - 支援建立 snapshots
  • AMI (Amazon Machine Image)
  • S3
  • IAM (Identity and Access Management)




  • AMI (Amazon Machine Images)
  • VPC (Virtual Private Cloud )



Ubuntu AMI







Account info.


AWS Account Number (12 digit number)

User ID ( 12 digit number )

Access Key ID (20 alpha-numeric )
Secret Access Key (40 alpha-numeric-slash-plus)

X.509 Certificate and Private Key
( AWS API (SOAP only))


查看 Access Key ID 及 Secret Access Key

Web Panel: http://aws.amazon.com/console/

"account"-> security credentials -> Access Keys -> 'Show Access Key' link

# Note: You can have a maximum of two access keys (active or inactive) at a time.

# My Account -> Usage Reposts


IAM 用圖




設定 Security Status

  • Root Account MFA
  • Password Policy
  • 設定 Permission

MFA - Multi-Factor Authentication

  • MFA device
  • Virtual MFA Device (Google Authenticator) # Price Free

設定 Permission

attach the created policy to the IAM group or role to which the IAM user is assigned.

For EC2, you must consider two questions when locking down a user's EC2 access to a single virtual private cloud (VPC):

  • Which API actions support Amazon Resource Names (ARNs) and conditions?
    Action: "ec2:DescribeInstances"
    Resource types: arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}  # instance
  • Which API actions do not support ARNs and conditions?



   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": [
      "Resource": "*"

限制 A/C 查看到什麼 Instanse

The Amazon EC2 "ec2:Describe*" API actions do not support resource-level permissions,

so you cannot control which individual resources users can view in the console.

Therefore, the * wildcard is necessary in the Resource element of the above statement.

解決方案: Organizations


Veeam iam restore permission



Free tier



centos instanse

  • t1.micro instance only

12 Month (Per Month) Free

750 hours of Amazon EC2 Linux Micro Instance
(Micro Instance(613 MB))(all AWS regions)

30 GB of Amazon Elastic Block Storage
(2 million I/Os and 1 GB of snapshot)

750 hours of an Elastic Load Balancer plus 15 GB data processing

5 GB of Amazon S3 standard storage
(20,000 Get Requests, and 2,000 Put Requests)

750 hours of Amazon ElastiCache
(Memcached )

15 GB of bandwidth out aggregated across all AWS services

    10 Amazon Cloudwatch metrics, 10 alarms, and 1,000,000 API requests
    (Basic Monitoring metrics (at five-minute frequency) for Amazon EC2 instances are free of charge)

在 Account Activity 會見到:

You are eligible for the AWS Free Usage Tier.See the Getting Started Guide AWS Free Usage Tier to 
learn how to get started with the free usage tier.


If you stop and start an EC2 instance three times in an hour, you’ll have used up three hours of your free-tier allotment.





在左上角的 My Account / Console -> Account Activity

Usage Reports

在左上角的 My Account / Console -> Usage Reports


Billing Alerts(CloudWatch)


visit your Account Activity to enable monitoring for your AWS charges.

Every AWS customer receives 10 alarms and 1,000 e-mail notifications free each month as part of the AWS Free Tier,

and most customers will be able to use billing alerts at no additional charge.

(If you currently use the AWS Free Tier, you can set a billing alert to notify you if you exceed the free tier by setting a threshold of $0.00.)

Note that billing alarms can only be created in the US East (N. Virginia) region.(20130918)


EC2 Reachability Test




Estimate AWS latency

[1] By ping IP

HK to X (@201904)

US-east: 230 ms
US-west: 160 ms
Singapore: 40 ms
JP: 55 ms




Route tables


Each subnet in your VPC must be associated with a route table, which controls the routing for the subnet (subnet route table).

local route

Every route table contains a local route for communication within the VPC.

This route is added by default to all route tables.

If your VPC has more than one IPv4 CIDR block,your route tables contain a local route for each IPv4 CIDR block.

(You cannot modify or delete these routes)

Main route table

The route table that automatically comes with your VPC.

It controls the routing for all subnets that are not explicitly associated with any other route table.

Custom route table

A route table that you create for your VPC.

Subnet route table

A route table that's associated with a subnet.




Internet Gateway(igw)

The Amazon VPC side of a connection to the public Internet.

- perform one-to-one NAT for instances that have been assigned public IPv4 addresses.


Creating a subnet

Creating and attaching an internet gateway

Creating a custom route table

 - For IPv4 traffic, specify in the Destination box, and select the internet gateway ID in the Target list.

Creating a security group for internet access

 - By default, a VPC security group allows all outbound traffic.

You can create a new security group and add rules that allow inbound traffic from the internet.

Adding Elastic IP addresses

NAT gateways

Pricing: hourly usage and data processing rates apply

  • Price per NAT gateway ($/hour)    US$0.065@2020       # Region: HK
  • Price per GB data processed ($) US$0.065@2020        # Region: HK

Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone.

If you have resources in multiple Availability Zones and they share one NAT gateway

The Elastic IP address cannot be changed after you associate it with the NAT Gateway.

Deleting a NAT gateway disassociates its Elastic IP address, but does not release the address from your account.

You cannot associate a security group with a NAT gateway.

You can use security groups for your instances in the private subnets to control the traffic to and from those instances.

Migrating from a NAT instance to NAT gateway


Private IP


An instance's private IP address will never change during the lifetime of that instance.

Re-assign private IP to new instance

If you have an existing instance with the private IP you want (EXAMPLE:

You should take an image (AMI) and then terminate that instance. Because it is in a VPC, just stopping it won't free the private IP.

Once you have a good image, terminate it. That would free up its Private IP Address. Thus you would have ( available

Then assign a secondary private IP to your new instance that you want and specify the private IP to be the one you want it to be (

1. Open EC2 dashboard.
2. Click on Launch Instance.
3. Then choose My AMIs on the left side tab and select your AMI.
4. Select the desired instance type.
5. Click on "Next :Configure Instance details".
6. Then select/provide the VPC ID and choose the subnet in network and subnet field respectively.
7. Select "disable" option in " Auto-assign Public IP" field of "Configure Instance" 
   (which is third step of launching an instance)
8. In the same page, scroll down and click on Network Interfaces.
9. Then paste the required private IP in Primary IP field.
10. Add storage, configure Security group if required ( if you wish)
11. Click on Launch.


Assigning a public IPv4 address during instance launch


EC2-Classic: automatically assigned a public IP address to the instance (This behavior cannot be modified.)

If an instance is launched in a VPC, you control whether it receives a public IP or not


Each subnet has an attribute that determines whether instances launched into that subnet are assigned a public IP address.

 - To access the public IP addressing feature when launching an instance

 - To enable or disable the public IP addressing feature using the command line


Elastic IP Pricing


By default Amazon Web Services allows each AWS account to have up to five Elastic IP addresses.

If you need reserve more than five Elastic IPs, you must submit a request for more Elastic IPs to Amazon.

An Elastic IP address doesn’t incur charges as long as all the following conditions are true:

  • The Elastic IP address is associated with an EC2 instance.
  • The instance associated with the Elastic IP address is running.
  • The instance has only one Elastic IP address attached to it.


Security Group & Network ACLs



|     Network ACLs      |
     SG          SG
|Instance-A | Instance-B|

Network ACLs

 * Operates at the subnet level

 * Supports allow rules and deny rules
   (process rules in order, starting with the lowest numbered rule)

 * stateless

Security Group

 * Operates at the instance level

 * Supports allow rules only

 * stateful

When you launch an instance in a VPC, you can assign up to five security groups to the instance.

You can have 50 inbound and 50 outbound rules per security group


Windows 's Agent


  • Amazon SSM Agent(amazon-ssm-agent.exe)
  • AWS Lite Guest Agent

Amazon SSM Agent(amazon-ssm-agent.exe)

AWS Systems Manager Agent makes it possible for Systems Manager to update, manage, and configure these resources.

The agent processes requests from the Systems Manager service in the AWS Cloud,
and then runs them as specified in the request.

SSM Agent then sends status and execution information back to the Systems Manager service by
using the Amazon Message Delivery Service (service prefix: ec2messages)

To automatically update SSM Agent

Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/

In the navigation pane, choose Managed instances.

Choose Agent auto update.

AWS Lite Guest Agent

The Lite Agent is a component of the AWS PV Driver package which is specifically responsible for handling Shutdown and Restart events from AWS APIs.

However, this agent is not used on Nitro platform based instances (T3/M5/C5/R5, etc.) and as such, can be safely disabled.

This is because, Nitro based instances use ACPI signals to perform the Reboot and Shutdown events.


In case you want to disable the service, you can run the following commands in powershell:

PS C:>Set-Service AWSLiteAgent -StartupType Disabled
PS C:>Stop-Service AWSLiteAgent


AWS PV Drivers


The AWS PV drivers are stored in the "%ProgramFiles%\Amazon\Xentools" directory.

command line tool, xenstore_client.exe, that enables you to access entries in XenStore

The AWS PV driver components are listed in the Windows registry under


These driver components are as follows:

xenbus, xeniface, xennet, xenvbd, and xenvif.


8.3.3@(4 February 2020)



 * Upgrade 完可能會死機, 所以一定要 Backup !!