
In short: the OS is Amazon Linux or Ubuntu. One EC2 instance (or OpsWorks instance?) is running. Once a day, start a second instance, update it with the latest security updates, and install my app. Shut down the first instance. Repeat every day...

AWS documentation states:

By default, AWS OpsWorks automatically installs the latest updates during setup... We recommend that you... Create and start new instances to replace your current online instances. Then delete the current instances. The new instances will have the latest set of security patches installed during setup.

How to automate this process?

I know I can start one micro instance to manage this process via the CLI, but I would prefer to use some AWS built-in tool, so that I can get notifications on failure, add some redundancy (if the CLI instance fails), and have everything continue to work with new CLI / AWS API versions, etc.

Am I missing some elegant approach?

Update: Ability to use existing Elastic IP is preferred.

Maris B.

2 Answers


Use EC2 instances behind an ELB.

Upon launch, your nodes should download and install the latest security updates and do whatever other configuration is necessary to get your application running.

As for cycling out your instances, once a day:

  1. Create a second EC2 node
  2. Wait for it to configure itself and become available
  3. Add the second node to the ELB
  4. Remove the old node from the ELB
  5. Shoot the old node in the head

All of the above can be trivially automated using various AWS APIs, perhaps even as a Lambda job.

EEAA
  • Is there any advantage by using Load Balancer? I can just switch Elastic IP address between new and old instance. – Maris B. Jul 01 '16 at 15:48
  • Yes, moving an EIP will drop any queries that are in progress. Using an ELB will handle this gracefully. Another benefit of ELB is that you can get a free SSL cert for your domain. – EEAA Jul 01 '16 at 16:01
  • Also, as I have just read, ELB does not support Elastic or Static IP – Maris B. Jul 01 '16 at 16:39
  • That does not matter, and is not needed. You create a CNAME or Alias record that points to your ELB endpoint. – EEAA Jul 01 '16 at 16:41
  • Yes, I know. Static/Elastic IP was preferred, but that's another story. – Maris B. Jul 01 '16 at 16:44
  • @EEAA what is the cost involved by adding a LoadBalancer? I ask because you can get a free ssl cert with certbot too. – james-see Apr 12 '22 at 22:02
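The five rotation steps above, written out as an added example (not the answerer's code): a boto3-style script of the kind that could run as a daily Lambda job. The `ec2` and `elb` arguments are meant to be `boto3.client("ec2")` and `boto3.client("elb")` (classic ELB); to run offline here, a constructed `FakeAws` stand-in and a fake clock are driven instead, and the load balancer name, AMI ID and instance IDs are invented. The part the answer's list does not spell out is the failure path: if the new node never passes the ELB health check, it is torn down and the old node keeps serving.

```python
"""Daily instance rotation behind a classic ELB, boto3-style (added example)."""
import itertools
import time


class RotationError(RuntimeError):
    """Replacement never became healthy; the old node was left in service."""


def wait_until(predicate, timeout_s, poll_s, sleep=time.sleep, clock=time.monotonic):
    """Poll predicate() every poll_s seconds until true or timeout_s elapses."""
    deadline = clock() + timeout_s
    while not predicate():
        if clock() >= deadline:
            return False
        sleep(poll_s)
    return True


def rotate_behind_elb(ec2, elb, lb_name, launch_params,
                      timeout_s=600, poll_s=10, sleep=time.sleep, clock=time.monotonic):
    """Steps 1-5: launch, wait, register, deregister old, terminate old.
    launch_params is the RunInstances argument dict (ImageId, InstanceType,
    UserData that applies updates on first boot, ...). Returns (new_id, old_ids)."""
    members = elb.describe_load_balancers(LoadBalancerNames=[lb_name])
    old_ids = [m["InstanceId"] for m in members["LoadBalancerDescriptions"][0]["Instances"]]

    # 1. Create the replacement node.
    launched = ec2.run_instances(MinCount=1, MaxCount=1, **launch_params)
    new_id = launched["Instances"][0]["InstanceId"]

    # 2. Wait for it to boot; cloud-init/user data does the patching meanwhile.
    def is_running():
        r = ec2.describe_instances(InstanceIds=[new_id])
        return r["Reservations"][0]["Instances"][0]["State"]["Name"] == "running"

    if not wait_until(is_running, timeout_s, poll_s, sleep, clock):
        ec2.terminate_instances(InstanceIds=[new_id])
        raise RotationError(f"{new_id} never reached 'running'; old node kept")

    # 3. Add it to the ELB and wait until the health check says InService.
    elb.register_instances_with_load_balancer(
        LoadBalancerName=lb_name, Instances=[{"InstanceId": new_id}])

    def is_in_service():
        h = elb.describe_instance_health(
            LoadBalancerName=lb_name, Instances=[{"InstanceId": new_id}])
        return h["InstanceStates"][0]["State"] == "InService"

    if not wait_until(is_in_service, timeout_s, poll_s, sleep, clock):
        # Roll back: the old node is still serving, so nothing is lost.
        elb.deregister_instances_from_load_balancer(
            LoadBalancerName=lb_name, Instances=[{"InstanceId": new_id}])
        ec2.terminate_instances(InstanceIds=[new_id])
        raise RotationError(f"{new_id} failed the ELB health check; old node kept")

    # 4. Remove the old node(s). With connection draining on, in-flight
    #    requests finish instead of being dropped as they would on an EIP swap.
    if old_ids:
        elb.deregister_instances_from_load_balancer(
            LoadBalancerName=lb_name, Instances=[{"InstanceId": i} for i in old_ids])
        # 5. Shoot the old node in the head.
        ec2.terminate_instances(InstanceIds=old_ids)
    return new_id, old_ids


class FakeAws:
    """Constructed offline stand-in for both clients: the new instance reports
    'running' after boot_polls checks and InService after health_polls checks."""

    def __init__(self, existing=("i-old001",), boot_polls=2, health_polls=2):
        self.lb_members, self.terminated = list(existing), []
        self.ids, self.boot_polls, self.health_polls = itertools.count(1), boot_polls, health_polls
        self.state_polls = self.health_checks = 0

    def run_instances(self, **kw):
        return {"Instances": [{"InstanceId": f"i-new{next(self.ids):03d}"}]}

    def describe_instances(self, InstanceIds):
        self.state_polls += 1
        name = "running" if self.state_polls > self.boot_polls else "pending"
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0], "State": {"Name": name}}]}]}

    def terminate_instances(self, InstanceIds):
        self.terminated.extend(InstanceIds)

    def describe_load_balancers(self, LoadBalancerNames):
        return {"LoadBalancerDescriptions": [{"Instances": [{"InstanceId": i} for i in self.lb_members]}]}

    def register_instances_with_load_balancer(self, LoadBalancerName, Instances):
        self.lb_members += [i["InstanceId"] for i in Instances]

    def deregister_instances_from_load_balancer(self, LoadBalancerName, Instances):
        for i in Instances:
            self.lb_members.remove(i["InstanceId"])

    def describe_instance_health(self, LoadBalancerName, Instances):
        self.health_checks += 1
        state = "InService" if self.health_checks > self.health_polls else "OutOfService"
        return {"InstanceStates": [{"InstanceId": Instances[0]["InstanceId"], "State": state}]}


def run_demo(health_polls=2):
    """Drive one rotation against FakeAws with a fake clock (no real sleeping).
    Returns (fake, outcome) where outcome is (new_id, old_ids) or the RotationError."""
    fake, now = FakeAws(health_polls=health_polls), [0.0]
    sleep, clock = (lambda s: now.__setitem__(0, now[0] + s)), (lambda: now[0])
    try:  # assumed names: load balancer "web-elb", AMI "ami-example"
        outcome = rotate_behind_elb(fake, fake, "web-elb",
                                    {"ImageId": "ami-example", "InstanceType": "t3.micro"},
                                    timeout_s=60, poll_s=10, sleep=sleep, clock=clock)
    except RotationError as err:
        outcome = err
    return fake, outcome


if __name__ == "__main__":
    print(run_demo())            # healthy replacement: old node drained and terminated
    print(run_demo(health_polls=100))  # replacement never healthy: rolled back
```

Against real AWS, replace `FakeAws` with the two boto3 clients and put the patch/install steps in `UserData`; for the Lambda variant, the 600-second wait must fit under the function timeout, or the wait should be split across invocations.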

When you say "update it with latest security updates", what exactly do you mean? What is your threat profile and risk mitigation, against what adversary? I use ufw and ensure that I do sudo apt update, or sudo yum update && sudo yum upgrade && reboot, in a cron set to once a month with near-zero downtime. It is like 30 seconds for a reboot. It seems like what you are trying to do is not worth the time to implement.

So my answer would be

  1. Implement sane security lockdowns in terms of firewall, ports, proper user jails, proper user runtimes for your application, and in general limit what is running on the instance.

  2. Set up a crontab with an automatic update script on a periodic basis.

This would not completely mitigate downtime, but it ensures it is like 30 seconds a month.

james-see