diff --git a/docs/cloud-amazon-ec2.md b/docs/cloud-amazon-ec2.md new file mode 100644 index 00000000..933a8ae0 --- /dev/null +++ b/docs/cloud-amazon-ec2.md @@ -0,0 +1,128 @@ +# Amazon EC2 cloud setup + +## AWS account creation + +Creating an Amazon AWS account requires giving Amazon a phone number that can receive a call and has a number pad to enter a +PIN challenge displayed in the browser. This phone system prompt occasionally fails to correctly validate input, but try again +(request a new PIN in the browser) until you succeed. + +### Select an EC2 plan + +The cheapest EC2 plan you can choose is the "Free Plan" a.k.a. the "AWS Free Tier." It is only available to new AWS customers, +it has limits on usage, and is converts to standard pricing after 12 months (the "introductory period"). After you exceed the +usage limits, after the 12 month period, or if you are an existing AWS customer, then you will pay standard pay-as-you-go +service prices. + +*Note*: Your Algo instance will not stop working when you hit the bandwidth limit, you will just start accumulating service +charges on your AWS account. + +As of the time of this writing (July 2018), the Free Tier limits include "750 hours of Amazon EC2 Linux t2.micro instance +usage" per month, 15 GB of bandwidth (outbound) per month, and 30 GB of cloud storage. Algo will not even use 1% of the storage +limit, but you may have to monitor your bandwidth usage or keep an eye out for the email from Amazon when you are about to +exceed the Free Tier limits. + +### Set up an AWS user + +In the AWS console, find the users (“Identiy and Access Management”, a.k.a. IAM users) menu: click Services > IAM. + +Activate multi-factor authentication (MFA) on your root account. The simplest choice is the mobile app "Google Authenticator." +A hardware U2F token is ideal (less prone to a phishing attack), but a TOTP authenticator like this is good enough. + +![The new user screen in the AWS console.](/docs/images/aws-ec2-new-user.png) + +Now "Create individual IAM users" and click Add User. + +Create a user name. I chose “algovpn”. Then click the box next to Programmatic Access. Then click Next. + +![The IAM user naming screen in the AWS console.](/docs/images/aws-ec2-new-user-name.png) + +Next, click “Attach existing policies directly.” + +Type “admin” in the search box to filter the policies. Find “AdministratorAccess” and click the checkbox next to that. + +Click Next when you’re done. + +![Attaching a policy to an IAM user in the AWS console.](/docs/images/aws-ec2-attach-policy.png) + +The user creation confirmation screen should look like this if you've done everything correctly. + +![New user creation confirmation screen in the AWS console.](/docs/images/aws-ec2-new-user-confirm.png) + +On the final screen, click the Download CSV button. This file includes the AWS access keys you’ll need during the Algo set-up +process. Click Close, and you’re all set. + +![Downloading the credentials for an AWS IAM user.](/docs/images/aws-ec2-new-user-csv.png) + +## Using EC2 during Algo setup + +After you have downloaded Algo and installed its dependencies, the next step is running Algo to provision the VPN server +on your AWS account. + +First you will be asked which server type to setup. You would want to enter "2" to use Amazon EC2. + +``` +$ ./algo + + What provider would you like to use? + 1. DigitalOcean + 2. Amazon EC2 + 3. Microsoft Azure + 4. Google Compute Engine + 5. Scaleway + 6. OpenStack (DreamCompute optimised) + 7. Install to existing Ubuntu 16.04 server (Advanced) + +Enter the number of your desired provider +: 2 +``` + +Next you will be asked for the AWS Access Key (Access Key ID) and AWS Secret Key (Secret Access Key) that you received in +the CSV file when you setup the account (don't worry if you don't see your text entered in the console; the key input is +hidden here by Algo). + +``` +Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) +Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md). +[pasted values will not be displayed] +[AKIA...]: + +Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) +[pasted values will not be displayed] +[ABCD...]: +``` + +You will be prompted for the server name to enter. Feel free to leave this as the default ("algo") if you are not certain +how this will affect your setup. Here we chose to call it "algovpn". + +``` +Name the vpn server: +[algo]: algovpn +``` + +After entering the server name, the script ask which region you wish to setup your new Algo instance in. Enter the number +next to name of the region. + +``` + What region should the server be located in? + 1. us-east-1 US East (N. Virginia) + 2. us-east-2 US East (Ohio) + 3. us-west-1 US West (N. California) + 4. us-west-2 US West (Oregon) + 5. ca-central-1 Canada (Central) + 6. eu-central-1 EU (Frankfurt) + 7. eu-west-1 EU (Ireland) + 8. eu-west-2 EU (London) + 9. eu-west-3 EU (Paris) + 10. ap-northeast-1 Asia Pacific (Tokyo) + 11. ap-northeast-2 Asia Pacific (Seoul) + 12. ap-northeast-3 Asia Pacific (Osaka-Local) + 13. ap-southeast-1 Asia Pacific (Singapore) + 14. ap-southeast-2 Asia Pacific (Sydney) + 15. ap-south-1 Asia Pacific (Mumbai) + 16. sa-east-1 South America (São Paulo) + +Enter the number of your desired region: +[1]: 10 +``` + +You will then be asked the remainder of the standard Algo setup questions.