AWSInstanceDeployment

From HPC Wiki

Procedure for requesting and using Amazon Web Services (AWS) Elastic Compute Cloud (EC2) resources for research

  1. Determine the resources needed and associated pricing
    • See AWS calculator
    • Select the services required for the project
      • AWS EC2 instances can be purchased as Reserved Instances for a 1- or 3-year term
      • If you are unsure of the instance type you need, run an hourly (on-demand) instance first, before committing to a reservation
      • Once a reservation is purchased for a particular instance type it cannot be refunded or modified
      • In addition to the instance cost, budget for data transfer and storage. These are charged monthly.
      • Be sure to include at least an EBS root volume for your instance. The minimum size is 8 GB for Linux instances and 50 GB for Windows instances.
      • We advise storing data in a separate EBS volume from the root volume. That volume will be mounted as /home unless otherwise specified.
    • Click on tab "Estimate of Your Monthly Bill"
    • Click the "Save and Share" button
    • Copy the generated URL
  2. Create a service ticket
    • Log on to the service desk
    • Create a ticket
      • Service: Research
      • Category: AWS Resources
      • Sub Category: I need access
    • Include the following in the description
      • A short descriptive name for the project
      • The URL from the AWS calculator
      • A Banner financial system index number that can be billed for the AWS resources
      • The UCID and public SSH key for the individual who will manage the AWS instance
  3. Deployment
    • Once the instance is deployed, all access is from within the NJIT network; users can SSH to the instance only through the NJIT VPN
    • Users will be provided with the hostname of the instance
    • Root privileges on AWS instances
    • Users requesting root access will be given full sudo privileges on the instance. These users are completely responsible for everything that occurs on these instances.
    • Root privilege is a shared responsibility with IST/ARCS, who maintain the instance. Some instance configuration must not be modified; changing any of the following is prohibited and may result in the instance being re-deployed:
      • Do not modify the root user's SSH authorized_keys. Doing so breaks the access used to maintain the instance and will result in re-deployment.
      • Do not modify:
        • syslog configuration
        • sudo configuration or sudoers
        • any users or passwords. All access to instances is via SSH keys
        • kernel configuration
        • networking configuration
        • cron jobs created by IST/ARCS (do not modify or remove them)
        • fstab or filesystem mount points
    • ARCS will provide best-effort support for issues that arise inside the instance(s). However, users with root privileges are expected to make a best effort to diagnose and fix issues caused by user applications or by administrative tasks they performed. In some cases the only recovery offered will be re-deployment of the instance.
    • Note: IST reserves the right to terminate an AWS instance without warning. In general, this would only happen if there are significant security or abuse issues with the instance.
  4. Security, Updates and Patching
    • ARCS will apply OS security patches as needed to keep the instance in compliance with IST security policies. The instance will be rebooted weekly, at a time chosen to minimize inconvenience to users, so that security updates take effect promptly. You are responsible for updating any software installed outside of OS package management.
    • The instance will be periodically scanned for security issues
  5. Backup
    • You are responsible for backup of your data and configurations
    • For instances hosted in the Virginia (US East) region, data backup can be provided by IST at a cost of $0.012/GB per month, based on the EBS volume size.
  6. Port openings on AWS instances
    • HTTP/HTTPS
      • Send mail to arcs@njit.edu requesting that the required ports be opened. ARCS will then run a security scan. If the scan reveals vulnerabilities, you will need to fix them, and ARCS will re-scan. Once all vulnerabilities have been resolved, ARCS will forward the scan results and the port-opening request to the IST networking group, which is responsible for opening the requested ports.
    • SSH
      • For security purposes, SSH will not be open outside of the NJIT network
    • Other Ports
      • If other ports are needed, send email to arcs@njit.edu listing the required ports and a description of the application that requires them. The same security scan procedure as for HTTP/HTTPS will then be initiated.
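The SSH public key submitted in step 2 is the only credential for the instance (step 3: all access is via SSH keys, and the root user's authorized_keys must not be touched), so a mangled or wrong-file paste in the ticket costs a round trip through the service desk. The POSIX shell script below is an added example, not part of this wiki page or of any IST/ARCS tooling: it checks that the line you are about to submit is one well-formed OpenSSH public key (not private-key material, an accepted key type, a clean base64 body, and a body that decodes to a blob carrying the same type name as the first field), and prints a ~/.ssh/config stanza to use over the VPN once ARCS provides the hostname. The key path ~/.ssh/njit_aws, the comment ucid@njit.edu, the Host alias njit-aws and the hostname placeholder are assumptions; the sample it checks when run without an argument is constructed (an all-zero ed25519 point) and is not a real key. It assumes GNU coreutils (base64 -d, od, head -c).

```shell
#!/bin/sh
# Added example for the step 2 ticket (not part of the HPC Wiki page).
# Sanity-checks the OpenSSH public-key line before it is pasted into the
# ticket. Assumptions: POSIX sh with GNU coreutils (base64 -d, od, head -c);
# the key path ~/.ssh/njit_aws, the comment ucid@njit.edu and the hostname
# placeholder are not from the page.

# validate_pubkey LINE -> 0 if LINE is one well-formed OpenSSH public key,
# 1 otherwise (reason on stderr). Checks: not private-key material; an
# accepted key type; a base64 body; and that the decoded body starts with
# the same type name as field 1 (OpenSSH wire format: uint32 length + type
# string), which catches pasted keys whose fields were mangled or swapped.
validate_pubkey() {
    line=$1
    case "$line" in
        *"PRIVATE KEY"*)
            echo "refusing: this is a private key; submit the .pub file" >&2
            return 1 ;;
        *" "*) ;;
        *)  echo "refusing: expected '<type> <base64> [comment]'" >&2
            return 1 ;;
    esac
    type=${line%% *}
    case "$type" in
        ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-rsa) ;;
        *)  echo "refusing: key type '$type' is not accepted (use ssh-ed25519)" >&2
            return 1 ;;
    esac
    rest=${line#* }
    blob=${rest%% *}
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*)
            echo "refusing: key body is not base64" >&2
            return 1 ;;
    esac
    # Hex of the expected wire prefix: 00 00 00 <len> <type bytes>.
    expected="000000$(printf '%02x' "${#type}")$(printf '%s' "$type" | od -An -tx1 | tr -d ' \n')"
    actual=$(printf '%s' "$blob" | base64 -d 2>/dev/null \
             | head -c $(( ${#type} + 4 )) | od -An -tx1 | tr -d ' \n')
    if [ "$expected" != "$actual" ]; then
        echo "refusing: key body does not decode to a '$type' key" >&2
        return 1
    fi
    return 0
}

# Constructed sample (NOT a real key): a syntactically valid ssh-ed25519
# line whose 32-byte point is all zeros, so the checks can run offline.
sample_ed25519_key() {
    sample_blob=$( { printf '\000\000\000\013ssh-ed25519\000\000\000\040'; head -c 32 /dev/zero; } \
                   | base64 | tr -d '\n')
    printf 'ssh-ed25519 %s ucid@njit.edu\n' "$sample_blob"
}

# ~/.ssh/config stanza: HOSTNAME is the one ARCS provides at deployment and
# USER is your UCID (both placeholders here). IdentitiesOnly stops ssh from
# offering every key in your agent to the instance. Bring the NJIT VPN up first.
ssh_config_stanza() {
    printf 'Host njit-aws\n    HostName %s\n    User %s\n    IdentityFile ~/.ssh/njit_aws\n    IdentitiesOnly yes\n' "$1" "$2"
}

# Usage: sh check_key.sh [path/to/key.pub]; with no argument the constructed
# sample is checked. Generate a real key pair with:
#   ssh-keygen -t ed25519 -f ~/.ssh/njit_aws -C ucid@njit.edu
key_line=$(if [ -n "${1:-}" ]; then head -n 1 "$1"; else sample_ed25519_key; fi)
if validate_pubkey "$key_line"; then
    echo "OK, paste this line into the ticket:"
    echo "$key_line"
    ssh_config_stanza "instance-hostname-provided-by-arcs" "ucid"
fi
```

Run it against ~/.ssh/njit_aws.pub (never the private file); a rejection names the first failed check. The wire-prefix comparison is the check worth keeping: a line that survives the first three tests but whose base64 body belongs to a different key type is exactly what a partial copy from a terminal produces, and the server would silently reject it.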