Infrastructure as Code (IaC) has transformed how cloud infrastructure is managed, making deployments more scalable, reproducible, and efficient. However, before jumping into automation with Terraform, it's essential to first learn how to create and manage resources using the cloud provider's console. This approach builds a strong foundation and helps avoid common pitfalls when transitioning to IaC.

Why Start with the Cloud Console?

1. Understanding Cloud Services and Dependencies

• Cloud providers offer a variety of services like compute, networking, and databases.

• Creating resources manually helps you understand how different components interact.

2. Troubleshooting and Debugging

• When things go wrong in Terraform, knowledge of the console helps diagnose issues.

• Knowing where to check logs, security settings, and dependencies is crucial.

3. Building an Intuitive Mental Model

• Seeing the configurations in the UI makes it easier to relate them to Terraform code.

• Helps in understanding default values, required parameters, and best practices.

4. Avoiding the "Black Box" Effect

• Jumping straight into Terraform might lead to blindly copying configurations without truly understanding them.

• Manual creation ensures you grasp how things work before automating them.

Step-by-Step: Manually Deploying an EC2 Instance

Let's walk through creating an EC2 instance manually in AWS to understand the process before automating it with Terraform.

1. Navigate to EC2 in the AWS Console

• Log into your AWS account.

• Go to the EC2 Dashboard and click on Launch Instance.

2. Choose an Amazon Machine Image (AMI)

• Select an OS (e.g., Amazon Linux, Ubuntu, Windows Server).

• Understand why certain AMIs are better suited for specific workloads.

3. Select an Instance Type

• Choose a type based on compute power and memory needs (e.g., t2.micro for free-tier usage).

• Learn about CPU, memory, and performance trade-offs.

4. Configure Instance Details

• Set networking options (VPC, subnets, auto-assignment of public IPs).

• Enable monitoring, IAM roles, and placement strategies.

5. Add Storage

• Define storage size, type (GP2, GP3 SSD, Magnetic, etc.), and encryption settings.

6. Configure Security Groups

• Set inbound and outbound rules.

• Understand why limiting access is crucial for security.

7. Launch and Connect to the Instance

• Connect via SSM.

Key Takeaways

• Learning via the console helps you grasp cloud concepts, dependencies, and security settings.

• Manual creation builds confidence before automating with Terraform.

• Debugging Terraform issues becomes easier when you know how things work in the UI.

What’s Next?

In the next article, we’ll take what we’ve learned and automate the deployment of an EC2 instance using Terraform. Stay tuned!

By default, AWS SSM Session Manager does not store logs permanently. While CloudWatch is great for real-time monitoring, S3 provides long-term log storage for security audits and compliance.

This guide covers:
✅ Creating an S3 bucket for SSM logs
✅ Enabling SSM session logging to S3
✅ Verifying logs are saved in S3

Step 1: Create an S3 Bucket for Logging

1. Navigate to AWS S3 Console → Click Create bucket.
2. Enter a unique bucket name (e.g., ssm-session-logs-123).
3. Choose the AWS region where your EC2 instances run.
4. Under Block Public Access settings, ensure public access is blocked.
5. Click Create bucket.

Step 2: Attach IAM Permissions for S3 Logging

AWS SSM needs permission to write logs to the S3 bucket.

1. Go to the AWS IAM Console → Click Roles.
2. Select the IAM role attached to your EC2 instance (e.g., SSMLoggingRole).
3. Click Attach Policies → Choose AmazonS3FullAccess.
4. Click Save.

Step 3: Enable SSM Logging to S3

1. Navigate to AWS Systems Manager Console → Click Session Manager.
2. In the left panel, click Preferences.
3. Click Edit and configure:
   • ✅ Enable S3 Logging → Select your S3 bucket from Step 1.
4. Click Save.

Step 4: Verify Logs in S3

1. Start an SSM session:

   aws ssm start-session --target <INSTANCE_ID>
   

AWS Systems Manager (SSM) Session Manager provides secure access to EC2 instances, but logging session activity is crucial for auditing and compliance. By enabling CloudWatch logging, you can track who accessed instances, what commands were run, and store logs securely.

Step 1: Create a CloudWatch Log Group

1. Navigate to AWS CloudWatch Console → Click Logs → Log groups.
2. Click Create log group.
3. Enter a Log Group Name (e.g., /aws/ssm/session-logs).
4. Choose an appropriate Retention period.
5. Click Create.

Step 2: Update IAM Role to Allow Logging

The IAM role attached to EC2 instances must have permission to write to CloudWatch Logs.

1. Go to AWS IAM Console → Roles.
2. Find and select the EC2SSMRole role used for SSM.
3. Click Attach Policies → Search for CloudWatchLogsFullAccess (or create a custom policy if needed).
4. Click Attach policy.

Step 3: Enable Session Logging in SSM

1. Go to AWS Systems Manager Console → Session Manager.
2. Click Preferences.
3. Click Edit and enable Session logging.
4. Select CloudWatch Logs.
5. Choose the Log group created in Step 1 (/aws/ssm/session-logs).
6. Click Save.

Step 4: Start a Session and Verify Logging

1. Open a new SSM session:

   aws ssm start-session --target <INSTANCE_ID>
   

2. Run some commands inside the session.
3. Check the CloudWatch Logs Console → Navigate to /aws/ssm/session-logs to see logs.

Conclusion

• Enhanced security and auditing with detailed session logs.
• Easy tracking of user actions for compliance and troubleshooting.
• Seamless integration with CloudWatch for centralized logging.

Now your SSM sessions are fully logged and auditable! 🚀

Why move away from SSH?

• Managing SSH keys is a hassle
• Open SSH ports expose security risks
• No built-in logging for SSH sessions

What is AWS Systems Manager (SSM) Session Manager?

• Secure, agent-based access to EC2
• Works over AWS APIs, no open ports required

Note: Enabling SSM does not automatically disable SSH. If you previously used SSH, it will still be available unless explicitly disabled.

Step 1: Create an IAM Role for SSM

Before launching an EC2 instance, create an IAM role with the necessary permissions:

1. Go to the AWS IAM Console → Click Roles → Click Create Role
2. Select AWS Service → Choose EC2 as the trusted entity
3. Attach the policy AmazonSSMManagedInstanceCore
4. Name the role (e.g., EC2SSMRole) and create it

This role will allow your EC2 instance to communicate with AWS Systems Manager.

Step 2: Create an EC2 Instance (For New Instances)

If you don’t have an EC2 instance yet, follow these steps:

1. Go to AWS EC2 Console → Click Launch Instance
2. Choose Amazon Linux 2 (or Ubuntu)
3. In the IAM Role section, select the EC2SSMRole (created in Step 1).
4. Launch the instance

Important: If you select the IAM role during instance creation, the SSM Agent will be preinstalled and no manual installation is required.

If you skipped adding the IAM role, you may need to manually install the SSM Agent (see Step 3).

Step 3: Enable SSM on Existing Instances

Skip this step if you selected the IAM role during instance creation.

If your EC2 instance is already running and does not have the SSM Agent installed, follow these steps:

Attach IAM Role to an Existing Instance

1. Navigate to AWS EC2 Console → Select your instance
2. Click Actions → Security → Modify IAM Role
3. Attach the EC2SSMRole created in Step 1

Manually Install the SSM Agent

For Amazon Linux 2 & RHEL:

sudo yum install -y amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

For Ubuntu:

sudo snap install amazon-ssm-agent --classic
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

Verify installation:

sudo systemctl status amazon-ssm-agent

Step 4: Connect to EC2 via SSM

Option 1: AWS Console

1. Navigate to AWS Systems Manager > Session Manager
2. Select your EC2 instance and click Start Session

Option 2: AWS CLI

Run the following command to start an SSM session:

aws ssm start-session --target <INSTANCE_ID>

Step 5: Disable SSH Access (Highly Recommended)

Important: If you previously used SSH, it remains enabled unless manually disabled.

Using AWS Console

1. Navigate to EC2 > Security Groups in the AWS Console.
2. Select the security group attached to your EC2 instance.
3. In the Inbound rules tab, locate the rule allowing SSH (port 22).
4. Click Edit inbound rules, remove the SSH rule, and save changes.

Using AWS CLI

aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 22 --cidr 0.0.0.0/0

Disable SSH Service on EC2

1. Stop and disable the SSH service:

   sudo systemctl stop sshd
   sudo systemctl disable sshd
   

2. To check that SSH is disabled, run:

   sudo systemctl status sshd
   

Step 6: Enable Logging for Auditing (Optional but Recommended)

• Configure AWS CloudWatch Logs to record all session activity
• Set up an S3 bucket for long-term storage

Conclusion

• No more SSH key management
• Increased security (no open ports)
• Built-in logging and auditing
• Easier access control using IAM policies
• Option to fully disable SSH for enhanced security

Terraform is popular because:

• It supports multiple cloud providers (AWS, Azure, Google Cloud).

• It provides a unified workflow.

• It maintains an infrastructure state file to track resources.

• It uses a modular approach to manage complex systems.

Key Terraform Commands

Here are the most common terraform commands you will run into:

1. terraform init

• Purpose: Prepares the working directory for Terraform operations.

• What it does:

  • Downloads provider plugins.

  • Initializes the backend for storing the Terraform state.

  • Verifies the configuration files.

2. terraform validate

• Purpose: Checks the configuration files for syntax or logical errors.

• What it does:

  • Ensures that the configuration is syntactically valid.

  • Validates against the provider's schema but does not connect to the cloud.

3. terraform fmt

• Purpose: Formats the configuration files to match the standard style conventions.

• What it does:

  • Ensures consistent indentation and spacing.

  • Makes code easier to read and maintain.

4. terraform plan

• Purpose: Creates an execution plan showing what actions Terraform will take.

• What it does:

  • Highlights the changes required to achieve the desired state.

  • Outputs actions like resource additions, modifications, or deletions without applying them.

5. terraform apply

• Purpose: Executes the actions defined in the execution plan created by terraform plan.

• What it does:

  • Creates, updates, or deletes resources in the infrastructure.

  • Requires user confirmation before execution unless the -auto-approve flag is used.

6. terraform plan -destroy

• Purpose: Simulates the destruction of resources without actually executing it.

• What it does:

  • Generates a plan detailing which resources will be removed.

  • Useful for previewing the impact of a terraform destroy command.

7. terraform destroy

• Purpose: Removes all resources defined in the Terraform configuration.

• Note: Always run terraform plan -destroy before running any terraform destroy

• What it does:

  • Deletes the infrastructure safely and ensures resources are destroyed in the correct order.

  • You can also target specific resources using the target flag instead of destroying all the resources.

  • eg. terraform destroy --target aws_instance.instance_name

8. terraform import

• Purpose: Brings existing infrastructure into Terraform's management.

• What it does:

  • Adds resources not originally created with Terraform to the state file.

  • Does not generate configuration files automatically; you must write the configuration manually.

Here are two ways to view the help or manual page of any Linux command.

a. man command – Manual.

This command is used to view the user manual page for any Linux command.

Syntax: man [command]

To run it simply type man followed by the command you want to view the manual page for.

eg. man man – This will display the manual page for the man command

• Press h in the man page to view the help section of the manual

• To exit the man page, press q on the keyboard

b. --help command - This provides information on a particular command.

Syntax: [command] --help

Eg. man --help

2. Working with files and directories (folders)

One of the most common tasks we perform on our computers is navigating directories or folders using a GUI application like Windows Explorer in Microsoft Windows or Finder in Apple MacOS. Below are some commands for performing common tasks when working with files and folders:

a. pwd command – Print working directory.

This command shows you the folder you are currently working in.

Command: pwd

From the image above, the pwd command shows that I am working in the /home/josh directory.

b. ls command – List

This command is used to display the contents of a folder

Command: ls

This will display the contents of the current folder.

c. mkdir command – Make directory

This command is used to create a folder or directory

Syntax: mkdir [foldername]

Eg. mkdir tutorials

In this example, I created a folder called tutorials, then I used the ls command to confirm that it was created.

d. cd command – change directory

This is used to navigate to a different directory or folder.

Syntax: cd [foldername]

Eg. cd tutorials

This will change my working directory to the tutorials directory. This means that my current working directory will change from /home/josh to /home/josh/tutorials

e. cp command – Copy

This command is used to create a copy of a file

Syntax – cp [source] [destination]

Eg. 1. cp file1.txt notes.txt

This will create a copy of file1.txt and name the copy notes.txt

Eg. 2. cp file1.txt tutorials/

This will create a copy of file1.txt in the tutorials folder.

f. mv command – Move

This command has two uses – It can be used to move files from one location to another. It can also used to rename files or directories.

Eg. 1. Moving file1.txt to the tutorials directory

Command: mv file1.txt tutorials

File1.txt is now in the tutorials directory

Eg. 2. Renaming a file with mv

Command: mv file1.txt renamed.txt

This changes the name of file1.txt to renamed.txt

g. rm command – Remove

This is used to delete files.

Syntax: rm [filename]

Eg. Deleting renamed.txt

Command: rm renamed.txt

You can view more information about all the commands used by accessing their respective help and manual pages.