Amazon EC2 Cheat Sheet

Overview

Amazon EC2 is one of the most widely used and essential services in the AWS ecosystem. As the foundation of Infrastructure as a Service (IaaS) on AWS, EC2 allows you to launch scalable, secure, and resizable compute capacity in the cloud.

With EC2, you can:

  • Rent virtual machines called EC2 Instances
  • Store data on EBS volumes
  • Distribute traffic using Elastic Load Balancer (ELB)
  • Auto-scale your application with Auto Scaling Groups (ASG)

Amazon EC2 Features

Instance Variety & Flexibility

Broadest and deepest selection of instance types in the cloud

Categories include:

  • General Purpose: Balanced CPU, memory, networking
  • Compute Optimized: Ideal for compute-intensive workloads
  • Memory Optimized: Best for in-memory databases, analytics
  • Storage Optimized: For high random IOPS, large sequential reads/writes
  • Accelerated Computing: GPUs or FPGAs for ML, HPC, graphics

Processor Options

Instances powered by a variety of processors:

  • Intel: High frequency, broad software support
  • AMD: Lower cost, high performance
  • AWS Graviton (Arm-based): Best price-performance ratio
  • NVIDIA GPUs: Accelerated machine learning and graphics

Storage & Networking Performance

  • Local instance storage: NVMe SSD options for ultra-fast temporary data
  • Enhanced networking:
    • Powered by Elastic Network Adapter (ENA)
    • Up to 100 Gbps bandwidth
    • Suitable for low latency, high throughput workloads

Bare Metal Instances

Access underlying hardware without a hypervisor

Optimization & Recommendations

Use AWS Compute Optimizer to:

  • Analyze historical usage patterns
  • Recommend right-size instances
  • Improve cost-efficiency and performance

Instance States

Amazon EC2 instances can be in different states depending on how you manage them. Understanding these states is important to avoid data loss and control costs.

  • Stop: The instance shuts down, but its EBS volumes are preserved. Data on instance store volumes is lost, and an auto-assigned public IPv4 address changes on the next start unless the instance uses an Elastic IP. Use Stop when you plan to restart later.
  • Terminate: The instance is permanently deleted. The root EBS volume is also deleted unless Delete on Termination was disabled for it. Use Terminate when you're done with the instance.
  • Hibernate: Preserves the in-memory state (RAM) of your EC2 instance so that it can resume exactly where it left off. Hibernate is not supported on all instance types and requires an encrypted EBS root volume large enough to hold the RAM contents. Ensure compatibility before using.

Root Device Volumes

An EC2 instance must boot from a root device volume, which is usually an EBS volume (or in some cases, an Instance Store). By default:

  • The root volume is deleted when the instance is terminated.
  • You can disable "Delete on Termination" to retain the volume and its data.

This configuration is important if you want to preserve your instance data even after termination.

You can replace the root volume of a running EC2 instance using the following:

  • Initial launch state
  • Snapshot
  • AMI

Amazon EBS (Elastic Block Store)

Amazon EBS provides persistent, network-attached block storage for EC2 instances.

Key characteristics:

  • Persistence: Data remains intact when an instance is stopped; on termination it survives only if Delete on Termination is disabled for that volume.
  • AZ-bound: An EBS volume is tied to a specific Availability Zone (AZ). You cannot attach it to an instance in a different AZ; to move it, snapshot it and create a new volume in the target AZ.
  • Single-Attach: A standard EBS volume can be attached to only one EC2 instance at a time (io1/io2 Multi-Attach is the exception).
  • Detachable: You can detach an EBS volume from one instance and attach it to another for data recovery or failover.
  • Provisioned: You must specify size and performance (IOPS/throughput) up front. You are billed for provisioned resources, not for what you actually use.

Amazon EC2 – AMI

An AMI (Amazon Machine Image) is a template that contains the software configuration required to launch an EC2 instance.

An AMI includes:

  • Operating system (OS)
  • Pre-installed software
  • Monitoring agents
  • Application configurations

You can create custom AMIs from configured EC2 instances and use them to launch identical instances in the future. This saves setup time and ensures consistency.

Types of AMIs

  • Public AMIs: Provided by AWS or community (e.g., Amazon Linux 2).
  • Custom AMIs: Created and managed by you.
  • Marketplace AMIs: Created and sold by third-party vendors via the AWS Marketplace.

AMI Lifecycle

  1. Launch and configure an EC2 instance
  2. Stop the instance (recommended for data integrity)
  3. Create an AMI from the instance
  4. Use that AMI to launch new instances with identical configuration

Amazon EC2 Image Builder

  • Automates the creation, testing, and distribution of AMIs and container images with no manual steps.
  • Reduces operational effort and removes the need for custom scripts or manual snapshots.
  • Includes built-in security settings from AWS to keep images consistent and up-to-date.
  • Free service. You only pay for the AWS resources (like EC2, S3, EBS) used in the process.

Amazon EC2 Pricing

| Pricing Model | Description | Best Use Case | Billing | Notes |
| --- | --- | --- | --- | --- |
| On-Demand | Pay per second/hour with no commitment | Testing, development, unpredictable workloads | Per second/hour | Highest flexibility, no upfront cost |
| Reserved Instances | 1- or 3-year commitment for up to 72% savings | Steady-state, long-term workloads | Full, partial, or no upfront | Standard (more savings, limited changes) vs. Convertible |
| Spot Instances | Spare capacity at up to 90% discount; you set an optional maximum price rather than bidding | Fault-tolerant jobs, big data, CI/CD | Varies (market-based) | Can be interrupted at any time with a two-minute notice |
| Spot Block | Fixed-duration Spot (1–6 hours) | Stable short jobs needing more reliability than Spot | Reduced fixed rate | Less likely to be interrupted; no longer offered to new customers |
| Spot Fleet | Group of Spot (and optionally On-Demand) instances managed together | Scalable, cost-optimized workloads | Custom strategies | Allocation: Lowest Price, Diversified, Capacity Optimized, etc. |
| Dedicated Hosts | Full physical server access | Compliance, BYOL licensing | On-demand or reserved | Control over instance placement |
| Dedicated Instances | Instances run on hardware dedicated to you | Isolation without needing host-level control | On-demand | No hardware-level visibility |
| Capacity Reservations | Reserve capacity in a specific AZ | Short-term critical workloads in specific AZs | On-demand price | Charged even if not used; no discount on its own |

Amazon Elastic Compute Cloud Security

Key pairs are used for SSH access (Linux) or to decrypt the Administrator password for RDP (Windows). AWS stores only the public key; the private key is downloaded once at creation and cannot be recovered from AWS afterwards. Without it you cannot log in with that key pair, so store it securely (restrictive file permissions, never committed to a repository), and remember that a leaked private key lets anyone SSH into every instance launched with that key pair. AWS Systems Manager Session Manager is the usual fallback when a key is lost.

Security Groups: A virtual firewall that controls inbound and outbound traffic to your EC2 instances

  • You can attach multiple security groups to an instance.
  • A security group can be attached to multiple instances.
  • They are regional and VPC-specific not shared across regions/VPCs.

IAM roles: can be attached to EC2 instances, allowing applications running on the instance to interact with other AWS services (such as S3, DynamoDB, or SQS) without embedding access keys in your code

EC2 Instance Metadata Service v2 (IMDSv2): callers must first obtain a session token with an HTTP PUT (carrying a TTL header) and present it on every metadata request. The typical SSRF primitive is a plain GET with no custom headers, so IMDSv2 stops it from reading the IAM role's temporary credentials from the metadata endpoint. Make it mandatory per instance (http-tokens = required) and keep the PUT response hop limit at 1 so containers on the host cannot reach the service through the instance.

Amazon EC2 Networking

Subnets and IP Addresses

Every instance needs IP addressing; EC2 supports IPv4 and IPv6.

  • IPv4 is still the most common on the Internet: a 32-bit address written as four decimal numbers separated by dots (for example 10.0.1.25).
  • IPv6 is less common: a 128-bit address written as eight groups of hexadecimal digits separated by colons (for example 2001:db8::1).

Public IP:

  • Accessible over the internet
  • Must be globally unique
  • Can be geolocated

Private IP:

  • Only accessible within the private network (the VPC)
  • Must be unique within the private network only
  • Different companies can use the same private IP ranges
  • Instances with only a private IP reach the Internet through a NAT gateway (or NAT instance) plus the VPC's Internet Gateway
  • Only the RFC 1918 ranges are private: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16

Elastic IP:

  • A public IPv4 address that stays allocated to your account until you release it
  • Can be moved between instances (for example, to fail over without changing DNS)
  • Limited to 5 per Region by default (a quota you can request to raise)

Instances are placed in subnets (public or private) based on their access needs.

Firewalls and Traffic Control

Security Groups (instance-level, stateful):

  • Only allow rules (no deny rules).
  • Return traffic is automatically allowed.

Network ACLs (NACLs) (subnet-level, stateless):

  • Support both allow and deny rules.
  • Rules are evaluated in number order.
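To make the two firewall semantics above concrete, here is an added Python model (not AWS code; the Packet and Rule classes, the sample addresses and the rule numbers are invented for the example). It evaluates one HTTPS request and its reply against a stateful security group and a stateless NACL, and shows why NACL rule numbering matters.

```python
"""Model of EC2 security group vs. network ACL semantics.

Added illustration, not AWS code: Packet, Rule and the two classes are
assumptions that reproduce the rules this page lists (stateful allow-only
security groups; stateless, numbered NACLs with an implicit final deny).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp", "icmp" or "all"
    cidr: str               # peer address range
    port_lo: int
    port_hi: int
    action: str = "allow"   # NACLs may also say "deny"; security groups never do
    number: int = 0         # NACL rule number; lowest number is checked first


def rule_matches(rule: Rule, proto: str, peer: str, port: int) -> bool:
    """True when protocol, peer address and destination port all fit the rule."""
    if rule.proto not in ("all", proto):
        return False
    if ipaddress.ip_address(peer) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.port_lo <= port <= rule.port_hi


class SecurityGroup:
    """Instance-level and stateful: allow rules only, and once a flow is
    admitted in one direction its return traffic is admitted automatically."""

    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups cannot contain deny rules")
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()  # (proto, instance_ip, instance_port, peer_ip, peer_port)

    def inbound_allowed(self, p: Packet) -> bool:
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self._flows:                      # reply to a flow we started
            return True
        if any(rule_matches(r, p.proto, p.src, p.dport) for r in self.inbound):
            self._flows.add(key)                    # remember it for the return path
            return True
        return False

    def outbound_allowed(self, p: Packet) -> bool:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self._flows:
            return True
        if any(rule_matches(r, p.proto, p.dst, p.dport) for r in self.outbound):
            self._flows.add(key)
            return True
        return False


class NetworkACL:
    """Subnet-level and stateless: allow or deny, first matching rule number
    wins, and anything unmatched hits the implicit final '*' deny rule."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, proto, peer, port):
        for r in rules:
            if rule_matches(r, proto, peer, port):
                return r.action == "allow"
        return False

    def inbound_allowed(self, p: Packet) -> bool:
        return self._evaluate(self.inbound, p.proto, p.src, p.dport)

    def outbound_allowed(self, p: Packet) -> bool:
        return self._evaluate(self.outbound, p.proto, p.dst, p.dport)


def demo():
    """HTTPS request from a client to an instance, and the instance's reply."""
    request = Packet("198.51.100.7", 50123, "10.0.1.25", 443)
    reply = Packet("10.0.1.25", 443, "198.51.100.7", 50123)

    sg = SecurityGroup(inbound=[Rule("tcp", "0.0.0.0/0", 443, 443)], outbound=[])
    sg_in = sg.inbound_allowed(request)
    sg_out = sg.outbound_allowed(reply)             # state admits it despite no egress rule

    allow_443 = Rule("tcp", "0.0.0.0/0", 443, 443, number=100)
    nacl_out_missing = NetworkACL([allow_443], [allow_443]).outbound_allowed(reply)  # port 50123: denied
    ephemeral = Rule("tcp", "0.0.0.0/0", 1024, 65535, number=110)
    nacl_out_fixed = NetworkACL([allow_443], [allow_443, ephemeral]).outbound_allowed(reply)

    # Rule order: a deny numbered below the allow blocks the range, one numbered above does not.
    bad_peer = Packet("203.0.113.5", 40000, "10.0.1.25", 443)
    block_early = Rule("tcp", "203.0.113.0/24", 0, 65535, action="deny", number=90)
    block_late = Rule("tcp", "203.0.113.0/24", 0, 65535, action="deny", number=110)
    deny_first = NetworkACL([block_early, allow_443], []).inbound_allowed(bad_peer)
    deny_late = NetworkACL([block_late, allow_443], []).inbound_allowed(bad_peer)

    return {"sg_in": sg_in, "sg_out": sg_out, "nacl_out_missing": nacl_out_missing,
            "nacl_out_fixed": nacl_out_fixed, "deny_first": deny_first, "deny_late": deny_late}


if __name__ == "__main__":
    print(demo())
```

The practical lesson the model reproduces: a security group with only an inbound 443 rule still lets the HTTPS reply out, while a NACL needs an explicit outbound rule for the ephemeral port range (1024-65535), and a deny rule only takes effect if its number is lower than the allow rule it is meant to override.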

Enhanced Networking: Use Elastic Network Adapter (ENA) or Intel VF for:

  • Higher bandwidth
  • Lower latency
  • Better packet per second (PPS) performance

Elastic Load Balancing (ELB)

  • Distributes incoming traffic across multiple EC2 instances.
  • Works with Auto Scaling for high availability and scalability.

Placement Groups

Control the physical placement of EC2 instances:

  • Cluster: Low-latency, high throughput (same rack)
  • Spread: High availability (separate racks)
  • Partition: Isolate failure domains (for large workloads)

Amazon EC2 Monitoring

Amazon CloudWatch Alarms

EC2 publishes metrics to Amazon CloudWatch; a CloudWatch alarm watches a single metric over a period and changes state when the metric crosses the threshold you set.

You can monitor:

  • CPU utilization
  • Disk reads/writes
  • Network in/out
  • Status checks (system & instance level)

CloudWatch alarms can notify you or trigger actions like Auto Scaling or instance reboot.

CloudWatch Agent

  • For more detailed metrics (e.g., memory usage, disk space), you can install the CloudWatch Agent on your EC2 instance.
  • Custom metrics can also be pushed to CloudWatch from inside the instance.

EC2 Status Checks

AWS performs automatic health checks at two levels:

  • System status check: Detects problems with the underlying AWS infrastructure.
  • Instance status check: Detects problems with the instance's own software or network configuration (failed boot, exhausted memory, misconfigured network)

Failed checks can be addressed with Auto Recovery (for supported instance types).

CloudTrail Logging

  • AWS CloudTrail logs all API calls made to EC2 (start, stop, terminate, etc.).
  • Helps with auditing, compliance, and troubleshooting issues related to access and configuration changes.

AWS Config

  • Tracks configuration changes to EC2 resources over time.
  • Useful for security auditing and compliance reporting.

Instance Metadata and User Data

Instance Metadata

Provides information about your EC2 instance, accessible from inside the instance.

Access via a special IP endpoint:

http://169.254.169.254/latest/meta-data/

Common metadata info includes:

  • Instance ID, AMI ID
  • Public & Private IP
  • Security groups
  • IAM Role temporary credentials
  • Availability Zone, region, etc.

Instance metadata is read from within the running instance; you do not need the Amazon EC2 console or the AWS CLI to retrieve it.

Instance metadata is available via link-local IP addresses, which are only accessible from within the running instance.

You can use either IPv4 or IPv6 to retrieve metadata

User Data

  • Is used to run custom scripts at first boot (on Amazon Linux and most distributions it is executed by cloud-init).
  • By default, it runs only once (at launch).
  • You can retrieve User Data from within the instance at http://169.254.169.254/latest/user-data. It is not encrypted and anyone who can read instance metadata can read it, so never put secrets such as passwords or long-lived access keys in it.
  • This is useful for debugging, verifying if the script was attached or executed.

To use the IPv6 endpoint (http://[fd00:ec2::254]):

  • The instance must be Nitro-based (most modern instance types).
  • The subnet must support IPv6 addressing.
  • IPv6 must be enabled on the instance.
  • The IPv6 endpoint must be enabled in the instance metadata options (it is off by default).
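The IMDSv2 flow from the security section and the metadata, user data and role-credential lookups described above, as one added Python example. This is not AWS code: IMDSv2Client uses only urllib and talks to the real endpoint when no transport is supplied, while FakeIMDS, the role name and every sample value in demo() are constructed so the example runs offline and can show the SSRF case (a plain GET with no token header being refused).

```python
"""IMDSv2 client plus a constructed stand-in for the metadata service.

Added example, not code from AWS or from this page. IMDSv2Client talks to
the real endpoint when given no transport; FakeIMDS and every sample value
in demo() are made up so the example runs offline.
"""
import json
import urllib.error
import urllib.request

IMDS_V4 = "http://169.254.169.254"
IMDS_V6 = "http://[fd00:ec2::254]"        # only on Nitro instances with IPv6 enabled
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def urllib_transport(method, url, headers, timeout=2):
    """Real HTTP transport: returns (status, body) and does not raise on 4xx/5xx."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class IMDSv2Client:
    def __init__(self, base=IMDS_V4, transport=urllib_transport, token_ttl=21600):
        self.base, self.transport, self.token_ttl = base, transport, token_ttl
        self._token = None

    def token(self):
        """Session token: a PUT with a TTL header, which a typical SSRF cannot send."""
        if self._token is None:
            status, body = self.transport("PUT", f"{self.base}/latest/api/token",
                                          {TTL_HEADER: str(self.token_ttl)})
            if status != 200:
                raise RuntimeError(f"token request failed: HTTP {status}")
            self._token = body
        return self._token

    def fetch(self, path):
        """GET /latest/<path> with the token header; returns (status, body)."""
        return self.transport("GET", f"{self.base}/latest/{path.lstrip('/')}",
                              {TOKEN_HEADER: self.token()})

    def get(self, path):
        status, body = self.fetch(path)
        if status != 200:
            raise RuntimeError(f"GET {path} failed: HTTP {status}")
        return body

    def role_credentials(self):
        """Temporary credentials of the attached IAM role (what an SSRF is after)."""
        role = self.get("meta-data/iam/security-credentials/").strip()
        return json.loads(self.get(f"meta-data/iam/security-credentials/{role}"))

    def spot_interruption(self):
        """Pending Spot action, or None: the path is 404 until AWS schedules one."""
        status, body = self.fetch("meta-data/spot/instance-action")
        return json.loads(body) if status == 200 else None


class FakeIMDS:
    """Constructed model of IMDS with http-tokens=required; not the real service."""

    def __init__(self, values):
        self.values, self.tokens = values, set()

    def __call__(self, method, url, headers):
        path = url.split("/latest/", 1)[1]
        if method == "PUT" and path == "api/token":
            if TTL_HEADER not in headers:
                return 400, "missing TTL header"
            tok = f"token-{len(self.tokens) + 1}"
            self.tokens.add(tok)
            return 200, tok
        if method != "GET":
            return 405, ""
        if headers.get(TOKEN_HEADER) not in self.tokens:
            return 401, "Unauthorized"          # IMDSv1-style GET is refused
        return (200, self.values[path]) if path in self.values else (404, "Not Found")


def demo():
    fake = FakeIMDS({                           # sample values, all constructed
        "meta-data/instance-id": "i-0123456789abcdef0",
        "meta-data/iam/security-credentials/": "example-app-role",
        "meta-data/iam/security-credentials/example-app-role": json.dumps({
            "AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "example-secret",
            "Token": "example-session-token", "Expiration": "2030-01-01T00:00:00Z"}),
        "user-data": "#!/bin/bash\necho bootstrap",
    })
    client = IMDSv2Client(transport=fake)
    # An SSRF payload normally drives a plain GET with no custom headers.
    ssrf_status, _ = fake("GET", f"{IMDS_V4}/latest/meta-data/iam/security-credentials/", {})
    return {
        "instance_id": client.get("meta-data/instance-id"),
        "access_key": client.role_credentials()["AccessKeyId"],
        "user_data": client.get("user-data"),
        "spot_action": client.spot_interruption(),
        "ssrf_status": ssrf_status,
    }


if __name__ == "__main__":
    print(demo())
```

On a real instance, IMDSv2Client() with no arguments performs the same PUT-then-GET exchange against 169.254.169.254. The protection only holds when the instance refuses IMDSv1, which you enforce with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`; with the default http-tokens=optional, the header-less GET the fake refuses would still succeed.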

Placement Groups

Placement groups give you control over how EC2 instances are placed on the underlying hardware.

3 strategies are available:

  • Cluster: instances are packed together on low-latency hardware within a single Availability Zone (best network performance, but a single hardware failure can affect all of them).
  • Spread: each instance is placed on distinct underlying hardware. A spread placement group supports a maximum of seven running instances per AZ, so use it for a small number of critical instances that must not share a failure domain.
  • Partition: similar to spread, but instances are spread across partitions, each backed by a different set of racks within an AZ (up to seven partitions per AZ). This suits large distributed and replicated workloads such as Hadoop, Cassandra or Kafka.

Amazon EC2 Storage

Amazon S3 – Object Storage

Used for storing unstructured data as objects. Highly durable, scalable, accessible via REST APIs.

Amazon EBS – Block Storage

Used as virtual hard drives for EC2. Attached to a single EC2 instance at a time.

Volume types:

  • gp3: General purpose SSD (default)
  • io1/io2: Provisioned IOPS SSD (for high-performance workloads)
  • st1: Throughput-optimized HDD (big data, log processing)
  • sc1: Cold HDD (infrequent access)

Multi-Attach: io1/io2 volumes can be attached to up to 16 Nitro-based instances in the same AZ, but only with a cluster-aware file system; mounting a standard file system such as ext4 or XFS from several instances at once corrupts the data.

EC2 Instance Store – Ephemeral Storage

Physical storage on the EC2 host. Very high performance but ephemeral.

Amazon EFS – Elastic File System

Scalable, elastic file system accessible by multiple EC2 (Linux) across AZs. POSIX compliant

Amazon FSx – Managed File Systems

Fully managed third-party file systems

| Type | Use Case |
| --- | --- |
| FSx for Windows | Windows-native file system with SMB, AD support |
| FSx for Lustre | HPC workloads, fast throughput / low latency |
| FSx for NetApp ONTAP | Enterprise storage, multi-protocol, snapshots |
| FSx for OpenZFS | POSIX-compliant for Linux apps |

AWS Storage Gateway – Hybrid Storage

Connects on-premises environments to AWS

Types:

  • File Gateway: Files stored in S3, cached locally
  • Volume Gateway: iSCSI volumes, backed by S3 snapshots
  • Tape Gateway: Virtual tape library stored in S3/Glacier

AWS Transfer Family – File Transfer

  • FTP/SFTP/FTPS access to S3 or EFS. Fully managed
  • No need for server management

AWS DataSync

Scheduled file synchronization between on-premises/cloud and AWS. Preserves metadata.

AWS Snow Family – Offline Data Transfer

Physical data transfer for petabyte-scale data when network bandwidth is limited.

Devices:

  • Snowcone: Small, portable (8 TB usable), edge compute
  • Snowball: Medium, 80–100 TB, supports EC2 instances
  • Snowmobile: Shipping container (100 PB+), exabyte-scale
