ec2
npx machina-cli add skill itsmostafa/aws-agent-skills/ec2 --openclawFiles (1)
SKILL.md
9.2 KB
AWS EC2
Amazon Elastic Compute Cloud (EC2) provides resizable compute capacity in the cloud. Launch virtual servers, configure networking and security, and manage storage.
Table of Contents
Core Concepts
Instance Types
| Category | Example | Use Case |
|---|---|---|
| General Purpose | t3, m6i | Web servers, dev environments |
| Compute Optimized | c6i | Batch processing, gaming |
| Memory Optimized | r6i | Databases, caching |
| Storage Optimized | i3, d3 | Data warehousing |
| Accelerated | p4d, g5 | ML, graphics |
Purchasing Options
| Option | Description |
|---|---|
| On-Demand | Pay by the hour/second |
| Reserved | 1-3 year commitment, up to 72% discount |
| Spot | Unused capacity, up to 90% discount |
| Savings Plans | Flexible commitment-based discount |
AMI (Amazon Machine Image)
Template containing OS, software, and configuration for launching instances.
Security Groups
Virtual firewalls controlling inbound and outbound traffic.
Common Patterns
Launch an Instance
AWS CLI:
# Create key pair
aws ec2 create-key-pair \
--key-name my-key \
--query 'KeyMaterial' \
--output text > my-key.pem
chmod 400 my-key.pem
# Create security group
aws ec2 create-security-group \
--group-name web-server-sg \
--description "Web server security group" \
--vpc-id vpc-12345678
# Allow SSH and HTTP
aws ec2 authorize-security-group-ingress \
--group-id sg-12345678 \
--protocol tcp \
--port 22 \
--cidr 10.0.0.0/8
aws ec2 authorize-security-group-ingress \
--group-id sg-12345678 \
--protocol tcp \
--port 80 \
--cidr 0.0.0.0/0
# Launch instance
aws ec2 run-instances \
--image-id ami-0123456789abcdef0 \
--instance-type t3.micro \
--key-name my-key \
--security-group-ids sg-12345678 \
--subnet-id subnet-12345678 \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=web-server}]'
boto3:
import boto3
ec2 = boto3.resource('ec2')
instances = ec2.create_instances(
ImageId='ami-0123456789abcdef0',
InstanceType='t3.micro',
KeyName='my-key',
SecurityGroupIds=['sg-12345678'],
SubnetId='subnet-12345678',
MinCount=1,
MaxCount=1,
TagSpecifications=[{
'ResourceType': 'instance',
'Tags': [{'Key': 'Name', 'Value': 'web-server'}]
}]
)
instance = instances[0]
instance.wait_until_running()
instance.reload()
print(f"Instance ID: {instance.id}")
print(f"Public IP: {instance.public_ip_address}")
User Data Script
aws ec2 run-instances \
--image-id ami-0123456789abcdef0 \
--instance-type t3.micro \
--key-name my-key \
--security-group-ids sg-12345678 \
--subnet-id subnet-12345678 \
--user-data '#!/bin/bash
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Hello from $(hostname)</h1>" > /var/www/html/index.html
'
Attach IAM Role
# Create instance profile
aws iam create-instance-profile \
--instance-profile-name web-server-profile
aws iam add-role-to-instance-profile \
--instance-profile-name web-server-profile \
--role-name web-server-role
# Launch with profile
aws ec2 run-instances \
--image-id ami-0123456789abcdef0 \
--instance-type t3.micro \
--iam-instance-profile Name=web-server-profile \
...
Create AMI from Instance
aws ec2 create-image \
--instance-id i-1234567890abcdef0 \
--name "my-custom-ami-$(date +%Y%m%d)" \
--description "Custom AMI with web server" \
--no-reboot
Spot Instance Request
aws ec2 request-spot-instances \
--instance-count 1 \
--type "one-time" \
--launch-specification '{
"ImageId": "ami-0123456789abcdef0",
"InstanceType": "c5.large",
"KeyName": "my-key",
"SecurityGroupIds": ["sg-12345678"],
"SubnetId": "subnet-12345678"
}' \
--spot-price "0.05"
EBS Volume Management
# Create volume
aws ec2 create-volume \
--availability-zone us-east-1a \
--size 100 \
--volume-type gp3 \
--iops 3000 \
--throughput 125 \
--encrypted
# Attach to instance
aws ec2 attach-volume \
--volume-id vol-12345678 \
--instance-id i-1234567890abcdef0 \
--device /dev/sdf
# Create snapshot
aws ec2 create-snapshot \
--volume-id vol-12345678 \
--description "Daily backup"
CLI Reference
Instance Management
| Command | Description |
|---|---|
aws ec2 run-instances | Launch instances |
aws ec2 describe-instances | List instances |
aws ec2 start-instances | Start stopped instances |
aws ec2 stop-instances | Stop running instances |
aws ec2 reboot-instances | Reboot instances |
aws ec2 terminate-instances | Terminate instances |
aws ec2 modify-instance-attribute | Modify instance settings |
Security Groups
| Command | Description |
|---|---|
aws ec2 create-security-group | Create security group |
aws ec2 describe-security-groups | List security groups |
aws ec2 authorize-security-group-ingress | Add inbound rule |
aws ec2 revoke-security-group-ingress | Remove inbound rule |
aws ec2 authorize-security-group-egress | Add outbound rule |
AMIs
| Command | Description |
|---|---|
aws ec2 describe-images | List AMIs |
aws ec2 create-image | Create AMI from instance |
aws ec2 copy-image | Copy AMI to another region |
aws ec2 deregister-image | Delete AMI |
EBS Volumes
| Command | Description |
|---|---|
aws ec2 create-volume | Create EBS volume |
aws ec2 attach-volume | Attach to instance |
aws ec2 detach-volume | Detach from instance |
aws ec2 create-snapshot | Create snapshot |
aws ec2 modify-volume | Resize/modify volume |
Best Practices
Security
- Use IAM roles instead of access keys on instances
- Restrict security groups — principle of least privilege
- Use private subnets for backend instances
- Enable IMDSv2 to prevent SSRF attacks
- Encrypt EBS volumes at rest
# Require IMDSv2
aws ec2 modify-instance-metadata-options \
--instance-id i-1234567890abcdef0 \
--http-tokens required \
--http-endpoint enabled
Performance
- Right-size instances — monitor and adjust
- Use EBS-optimized instances
- Choose appropriate EBS volume type
- Use placement groups for low-latency networking
Cost Optimization
- Use Spot Instances for fault-tolerant workloads
- Stop/terminate unused instances
- Use Reserved Instances for steady-state workloads
- Delete unused EBS volumes and snapshots
Reliability
- Use Auto Scaling Groups for high availability
- Deploy across multiple AZs
- Use Elastic Load Balancer for traffic distribution
- Implement health checks
Troubleshooting
Cannot SSH to Instance
Checklist:
- Security group allows SSH (port 22) from your IP
- Instance has public IP or use bastion/SSM
- Key pair matches instance
- Instance is running
- Network ACL allows traffic
# Check security group
aws ec2 describe-security-groups --group-ids sg-12345678
# Check instance state
aws ec2 describe-instances \
--instance-ids i-1234567890abcdef0 \
--query "Reservations[].Instances[].{State:State.Name,PublicIP:PublicIpAddress}"
Use Session Manager instead:
aws ssm start-session --target i-1234567890abcdef0
Instance Won't Start
Causes:
- Reached instance limits
- Insufficient capacity in AZ
- EBS volume issue
- Invalid AMI
# Check instance state reason
aws ec2 describe-instances \
--instance-ids i-1234567890abcdef0 \
--query "Reservations[].Instances[].StateReason"
Instance Unreachable
Debug:
# Check instance status
aws ec2 describe-instance-status \
--instance-ids i-1234567890abcdef0
# Get console output
aws ec2 get-console-output \
--instance-id i-1234567890abcdef0
# Get screenshot (for Windows/GUI issues)
aws ec2 get-console-screenshot \
--instance-id i-1234567890abcdef0
High CPU/Memory
# Enable detailed monitoring
aws ec2 monitor-instances \
--instance-ids i-1234567890abcdef0
# Check CloudWatch metrics
aws cloudwatch get-metric-statistics \
--namespace AWS/EC2 \
--metric-name CPUUtilization \
--dimensions Name=InstanceId,Value=i-1234567890abcdef0 \
--start-time $(date -d '1 hour ago' -u +%Y-%m-%dT%H:%M:%SZ) \
--end-time $(date -u +%Y-%m-%dT%H:%M:%SZ) \
--period 300 \
--statistics Average
References
Source
git clone https://github.com/itsmostafa/aws-agent-skills/blob/main/skills/ec2/SKILL.mdView on GitHub Overview
Amazon EC2 provides resizable compute capacity to run virtual servers in the cloud. This skill guides you through launching instances, configuring security groups and key pairs, troubleshooting connectivity, and automating lifecycle tasks like creating AMIs and attaching IAM roles for scalable deployments.
How This Skill Works
EC2 organizes resources around instance types (General Purpose like t3/m6i, Compute Optimized like c6i, Memory Optimized like r6i, Storage Optimized like i3, Accelerated like p4d). You launch machines from AMIs, secure them with security groups, and choose purchasing options such as On-Demand, Reserved, Spot, or Savings Plans. Typical flows include creating a key pair, creating and configuring a security group, and launching an instance with a CLI or via boto3, optionally using User Data scripts and IAM instance profiles to automate provisioning and access.
When to Use It
- Launching a new EC2 instance with a specific AMI, instance type, key pair, security group, and subnet
- Configuring inbound and outbound traffic using security groups to enforce access controls
- Managing SSH access by creating and rotating key pairs for authentication
- Troubleshooting connectivity issues to an instance, including security group rules, VPC routing, and DNS
- Automating deployments and repeatable environments with User Data, IAM roles, and frequent AMI creations
Quick Start
- Step 1: Create a key pair and securely store the private key
- Step 2: Create a security group and configure inbound rules for SSH and HTTP as needed
- Step 3: Launch an instance with your chosen AMI and instance type, attach the key pair and security group, specify a subnet, and tag the instance with a Name
Best Practices
- Match instance types to workload categories (General Purpose, Compute Optimized, Memory Optimized, Storage Optimized, Accelerated) for cost and performance
- Tighten network access with security groups and avoid broad open inbound rules
- Use IAM instance profiles for permissions instead of embedding credentials or keys
- Automate provisioning with User Data and create reusable AMIs for consistent environments
- Tag resources and plan cost optimization with On-Demand, Reserved, Spot, or Savings Plans as appropriate
Example Use Cases
- Launch a t3.micro web server with SSH and HTTP access behind a minimal security group
- Create an AMI from a configured instance to enable rapid cloning of environments
- Attach an IAM role to an EC2 instance to grant S3 access without keys
- Use a User Data script to install and start Apache on boot
- Provision a compute-optimized c6i instance for a batch processing workload with restricted access
Frequently Asked Questions
Add this skill to your agents
