How to access the C: Drive in Amazon Workspaces

The C: Drive or root volume in AWS Workspaces cannot be seen if you open File Explorer.

This post will show how you can access the C: Drive when it is not shown.

If you want the C: Drive to be shown permanently then reading my post about it here will help.

Below are three ways you can access the C: Drive.


Access C: Drive with Windows File Explorer

To access C: Drive with Windows File Explorer, go to the address bar and enter C:. This will bring you to the C: Drive.

Continue reading How to access the C: Drive in Amazon Workspaces

How to show C: Drive in Amazon Workspaces

If you have been using AWS Workspaces then you might have noticed that the C: Drive cannot be seen when you open Windows File Explorer.

File Explorer not showing C: Drive in an Amazon Workspace

The reason why the C: Drive is hidden in Workspaces is because it is the root volume. Users are discouraged from storing files in the root volume because when you need to Rebuild a workspace any changes that you made in the C: Drive will be wiped out. Only the D: Drive or the User Volume will be restored to what its previous snapshot.

There are some use cases when you need to access the C: Drive. It might also be possible that you just want to have the C: Drive visible.

Follow the steps below to make the C: Drive visible in Windows File Explorer in your Amazon Workspaces.



Steps in showing the C: Drive in Amazon Workspaces

Click on Search icon and type regedit. Then click on regedit.

Continue reading How to show C: Drive in Amazon Workspaces

Require Multi-Factor Authentication (MFA) for IAM User in AWS

As a Security Best Practice we should always require IAM Users to have Multi-Factor Authentication (MFA) enabled when accessing the AWS Console.

The problem is how do we require users to configure MFA?

The IAM policy below can be used to require users to enable their MFA. If they do not have MFA, all their permissions will be denied. This will make access to your AWS Account more secure.



IAM Policy that requires IAM Users to have Multi-Factor Authentication (MFA)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListMFADevices",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowChangeOwnPasswordsOnFirstLogin",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowChangeOwnPasswordsAfterMFAEnabled",
            "Effect": "Allow",
            "Action": [
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:ListUsers",
                "iam:ListMFADevices",
                "iam:ChangePassword",
                "iam:GetUser",
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ],
    "Id": "RadishLogic.com MFA Required IAM Policy"
}

The name of my IAM Policy is MFA-Required, you may use whatever name you desire to use.

Continue reading Require Multi-Factor Authentication (MFA) for IAM User in AWS

How to install ChefDK in Amazon Linux 2

The ChefDK is a package that includes everything you need to start using Chef. You will need this if you want to develop using chef.

Since I always use Amazon Web Services (AWS) EC2, I tend to choose Amazon Linux 2 even for projects using Chef.

Below is a step-by-step tutorial on how to install ChefDK in an EC2 instance running Amazon Linux 2.


Installation via shell commands

SSH to your Amazon Linux 2 EC2 Instance and run the command below.

curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -c current -P chefdk

This will install the latest version of ChefDK.

For production systems we should specify the specific version of ChefDK or else this will install the version. To do this we need to add the -v option in the end of the command.

Below is an example where we install ChefDK version 4.7.73.

curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -c current -P chefdk -v 4.7.73

Next is to check if chef was installed properly. Go to the Verification section of this post.


Installation via ChefDK Download Page

Go to https://downloads.chef.io/chefdk.

You may select your desired version for ChefDK. Default is the latest stable version.


Copy the URL for the latest version of Red Hat Enterprise Linux.

Continue reading How to install ChefDK in Amazon Linux 2

Copying a Key Pair Generated by AWS to Another Region (with Screenshots)

I have an existing key pair that was generated via AWS Console. Since I do not want to create another set of Key Pair for the other regions, I would like to use the same Key Pair. Is it possible to copy the Key Pair to another Region? How can I do this?

Dany


Hi Dany, the short answer to your question is yes, it is possible to copy your existing AWS generated Key Pair to another region and even copy this to another AWS account.


The Challenge with AWS Generated Key Pairs

Generating the Key Pairs via AWS Console is easy, it gives you the Private Key and you can launch EC2 instances and associate it with your instance by adjusting the settings during EC2 Instance Launch. Then you can SSH to your EC2 Instance via the Private Key.

The issue here is the Public Key. AWS does not provide the Public Key during creation or any time after that.

Do not worry, we can still get the Public Key. It is not easy as clicking on the console then selecting copy to other region, but it is still doable.

See the steps below.


Step-by-step guide on copying a Key Pair to another region.

For this tutorial, I have created an AWS Key Pair in N. Virginia Region (us-east-1) – radishlogic_key.

The goal is to copy the Key Pair to Oregon Region (us-west-2).

Here are screenshots of my Key Pair.

Key Pair in AWS Console
Private Key

1. Retrieving the Private Key in N. Virginia Region (us-east-1)

Launch a temporary Linux EC2 Instance in where the Key Pair is located (us-east-1). Any Linux Image will do.

Continue reading Copying a Key Pair Generated by AWS to Another Region (with Screenshots)

Running Minikube in AWS EC2 (Ubuntu)

If you are studying Kubernetes and having a hard time running Minikube on an EC2 Instance, you are not alone. I had a hard time doing it when it was my first time.

Below are the steps (and some comments) that I took to help me run Minikube on my EC2 Instance.

Installation of Minikube on EC2 Ubuntu

1. Run a public EC2 Server with the following setup

AMI Ubuntu Server 18.04 LTS (HVM), SSD Volume Type
Instance Type t3.micro (2 vCPU, 1GB Memory)
Storage 8 GB (gp2)
Tags – Key: Name
– Value: Minikube
Security Group Name: Minikube Security Group
– SSH, 0.0.0.0/0
Later we will be editing this.
Key Pair Create your own keypair.
You will need this to SSH to your EC2 Instance

Update: I changed the Instance Type from t2.micro (1 vCPU) to t3.micro (2 vCPU). An update to Minikube required a minimum of 2 vCPUs. The error when running with t2.micro was Requested cpu count 1 is less than the minimum allowed of 2.

t3.micro is no longer in the Free Tier, make sure to stop or terminate the instance after you are done testing to avoid a huge AWS bill.

Thank you to everyone in the comments section who pointed this change.

2. SSH into your created EC2 Instance using your keypair.

ssh [email protected]<ipv4_public_ip> -i <keypair>.pem

3. Install kubectl

curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin/kubectl

4. Install Docker

sudo apt-get update && \
    sudo apt-get install docker.io -y

Minikube requires Docker. Continue reading Running Minikube in AWS EC2 (Ubuntu)

How to solve SSL Certificate not showing in AWS CloudFront

Most likely you already have an SSL Certificate in AWS Certificate Manager (ACM). Then when you go to configure it in CloudFront you cannot select the radio button that says Custom SSL Certificate (example.com) or your SSL Certificate does not show in the options.

The reason for this is that your SSL Certificate should be in the N. Virginia Region (us-east-1).

If you look closely on the words below the selection it says You can use a certificate stored in AWS Certificate Manager (ACM) in the US East (N. Virginia) Region, or you use a certificate stored in IAM.

This is also stated in the AWS CloudFront Documentation regarding the use of Alternate Domain Names and HTTPS.

Request or upload your SSL Certificate in AWS Certificate Manager in N. Virginia Region (us-east-1) and your SSL Certificate should show on the selection.

With this you can now use HTTPS to access your services when you are working with CloudFront.

How to solve Failed-Activating Windows in AWS EC2

Sometimes when I create a Windows EC2 Instance from one of my custom AMIs I get an activation failed Windows Server.

Follow the instruction below to Activate your Windows Instance. (For Windows Server 2016, 2019 and later only).

Activate Windows Manually using EC2Launch initialization script

Open Powershell on your Windows Server and run the command below.

C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1; cscript "${env:SYSTEMROOT}\system32\slmgr.vbs" /ato

Notes:

  • No need to run Powershell in administrator mode.
  • No need to restart your instance. Once you run the above command, the Activate Windows on your desktop will disappear.
  • This will not update the local Administrator password

There are other ways to Activate Windows on your AWS EC2. You can check them all here.