How to Setup AWS Multi-Factor Authentication

If you manage AWS servers, enabling multi-factor authentication (MFA) can increase your security quite a bit. 

You can choose a virtual MFA device (i.e. a mobile app on a phone) or a hardware MFA device.

For a virtual MFA device, you can install Google Authenticator on your Android phone.

During the setup, it is critical that you copy the Secret Configuration Key that AWS shows you and save it in a secure place. Once the setup is complete, you won’t see it again.

If you lose your phone, you can install Google Authenticator on a replacement phone and set it up again with the saved key. Otherwise, you are locked out of your account.

Unless you are a great typist, I would recommend you install ZXing’s BarCode Scanner, as suggested by Google Authenticator.

By the way, you can rename the account name in Google Authenticator to something you can easily relate to.

By the way, you can also get a cheap Android phone, install Google Authenticator, set it up using the Secret Configuration Key and store it in a safe. It is like a spare key. If you ever lose your original phone, you can use this backup phone to provide the token.
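As an added example (not from the original post), this is the TOTP calculation that AWS virtual MFA and Google Authenticator perform, which is why a spare phone seeded with the same Secret Configuration Key produces the same six-digit codes; the sample secret is the RFC 6238 test key, not a real AWS key.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """TOTP (RFC 6238) code for a base32 secret at a given Unix time.

    The code depends only on the secret and the current 30-second window,
    so any device seeded with the same Secret Configuration Key agrees.
    """
    # The key may be shown with spaces or in lower case; base32 also needs
    # its '=' padding restored before decoding.
    clean = secret_b32.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    key = base64.b32decode(clean)
    counter = unix_time // step                       # which 30-second window
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Check a code the way a verifier would, allowing +/- `window` steps of
    clock drift (a spare phone that sat in a safe may be slightly off)."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * 30), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test key in base32, not a real AWS secret.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = int(time.time())
    print("code now:", totp(demo_secret, now))
    print("backup phone agrees:", verify(demo_secret, totp(demo_secret, now), now))
```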



Connect to your AWS EC2 Instance with RDP

If you are paranoid about security, you may have set up a security group rule that restricts the source of RDP traffic.

If your workstation gets a different public IP (because you changed location or your previous address was released), you may no longer be able to access your AWS EC2 instance remotely.

To troubleshoot, log in to the AWS console and view your running instance. Under Security groups, choose View rules. You can now see the allowed source IP address for RDP traffic. Once you update the security group rule with your new public IP, you should be able to connect without rebooting the instance. Note that the security group rules may not reflect your new public IP right away.
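The same fix done programmatically, as an added example that is not part of the original post: the pure function works on the IpPermissions structure that boto3's describe_security_groups returns, and the apply step assumes boto3 is installed with credentials configured. Every other IPv4 source on the RDP rule is treated as stale, so adjust the logic if the group also allows colleagues' addresses.

```python
import ipaddress

RDP_PORT = 3389


def rdp_rule_update(ip_permissions, new_public_ip):
    """Return (revoke, authorize): the stale IPv4 RDP rules to remove and the
    single /32 rule to add, or (revoke, None) if the new IP is already allowed."""
    new_cidr = f"{ipaddress.IPv4Address(new_public_ip)}/32"  # also validates the address
    revoke, already_allowed = [], False
    for perm in ip_permissions:
        if perm.get("IpProtocol") != "tcp":
            continue
        # Only rules whose port range covers 3389 are RDP rules.
        if not (perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 0)):
            continue
        for rng in perm.get("IpRanges", []):
            if rng["CidrIp"] == new_cidr:
                already_allowed = True
            else:
                revoke.append({"IpProtocol": "tcp", "FromPort": perm["FromPort"],
                               "ToPort": perm["ToPort"],
                               "IpRanges": [{"CidrIp": rng["CidrIp"]}]})
    authorize = None if already_allowed else {
        "IpProtocol": "tcp", "FromPort": RDP_PORT, "ToPort": RDP_PORT,
        "IpRanges": [{"CidrIp": new_cidr, "Description": "RDP from workstation"}],
    }
    return revoke, authorize


def apply_update(group_id, new_public_ip, ec2=None):
    """Apply the computed change with boto3 (imported lazily so the pure
    function above can be used without AWS access)."""
    if ec2 is None:
        import boto3  # assumption: boto3 installed and AWS credentials configured
        ec2 = boto3.client("ec2")
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    revoke, authorize = rdp_rule_update(group["IpPermissions"], new_public_ip)
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=revoke)
    if authorize:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[authorize])
    return revoke, authorize
```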

SQL Connection Issue in AWS EC2 After Releasing Elastic IP


We recently consolidated websites/servers hosted on AWS EC2. 

On ServerA, we released a couple of elastic IP addresses. Using EC2 -> Networking -> Manage Private IP Addresses, I unassigned those orphaned private IPs.


After a reboot, we found that ServerA could no longer connect to another SQL server.


It turns out that I forgot one thing. We used to have those orphaned private IPs configured as static IPs, instead of DHCP, in the ServerA OS network settings. Thus, I removed those obsolete private IPs from the IPv4 settings of the network adapter.

The lesson is that any extra, obsolete private IPs in the server's network settings can lead to SQL connection issues.

Push Notification

Amazon Web Services offers Amazon Simple Notification Service (SNS), which can send push notifications via

  • Google Cloud Messaging (GCM)
  • Apple Push Notification Service (APNS)
  • Windows Push Notification Service (WNS)
  • Microsoft Push Notification Services for Windows Phone (MPNS)

Here is a post on how to do it at large scale; I find it a good read.

Note that there is a case study of how Parse is using AWS. I wonder if Parse leverages Amazon SNS or the other way around.

While a direct comparison is hard, here is some pricing information.

As of 11/24/2014, Parse is free if you can live with 30 requests/sec.  If you need to push faster, it costs $100 per month for 40 requests/sec.

Amazon SNS is free for the first million requests per month and $0.50 per additional million requests.

Copy Data Files from AWS EC2 to S3

Goal: To copy files from an EC2 instance running Windows to S3.

For example, you may want to copy database backup files from a Windows Server with SQL Server running in an AWS EC2 instance.


1. Write your own method using the AWS SDK for .NET

2. Use an open source Windows command-line utility

3. Use PowerShell to call a free third-party snap-in

For example, CloudBerry has this free snap-in:

Note that CloudBerry Explorer for Amazon S3 is freeware.

My Approach:

On Amazon side:

  1. Using the AWS Management Console, I go to IAM Management.
  2. Create a group with S3 full access permission.
  3. Create a user and add it to that group.
  4. Go to S3. Create a new bucket (e.g. mysqlbackup).
  5. Note that there is no need to add permissions to the bucket. You cannot add an IAM account as a grantee.

On the SQL Server:

  1. Download s3.exe from here and copy it to a folder (e.g. C:\Program Files\WinWin\)
  2. Create a new SQL Server Agent job “CopyDatabaseBackupToS3”
  3. Create a new step.
  4. For Type, choose “Operating system (CmdExec)”
  5. In the command textbox, enter

    "C:\Program Files\WinWin\s3.exe" put mysqlbackup C:\Backup\ /sub:withdelete /yes /sync /nogui

  6. Create a daily maintenance plan with the following steps
    1. Back Up Database Task
    2. Maintenance Cleanup Task (optional: to delete old backup files)
    3. Execute SQL Server Agent Job Task (to run CopyDatabaseBackupToS3)

Explanation of the s3.exe command syntax:

In the above example, s3.exe is located at “C:\Program Files\WinWin\”

put – uploads (i.e. stores) files to S3

mysqlbackup – the name of the S3 bucket to put files into

C:\Backup\ – the source directory where all my SQL backup files are stored

/sub:withdelete – copies the entire directory tree and also deletes keys on S3 that no longer have a corresponding local file

/yes – when used with /sub:withdelete, suppresses the prompt on each delete

/sync – only uploads files that are new or modified since the last upload

/nogui – suppresses the Windows pop-up
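To make the /sync and /sub:withdelete semantics concrete, here is an added Python equivalent of the put command above; it is not part of the original post or of the s3.exe tool. It assumes the key names are the paths relative to the backup folder and that the injected client exposes the list_objects_v2, upload_file and delete_object methods of a boto3 S3 client (pass boto3.client("s3") for real use).

```python
from pathlib import Path


def plan_sync(local_dir, remote_objects):
    """Decide what to upload and what to delete.

    remote_objects maps S3 key -> (size, last_modified_epoch) as listed from
    the bucket.  /sync: upload only files that are new, or whose size changed,
    or that were modified after the copy in S3.  /sub:withdelete: walk the
    whole tree and delete keys that no longer have a local file.
    """
    root = Path(local_dir)
    uploads, keep = [], set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        key = path.relative_to(root).as_posix()   # sub-folders become key prefixes
        keep.add(key)
        st = path.stat()
        remote = remote_objects.get(key)
        if remote is None or remote[0] != st.st_size or remote[1] < int(st.st_mtime):
            uploads.append((str(path), key))
    deletes = sorted(set(remote_objects) - keep)
    return uploads, deletes


def sync_to_bucket(s3, bucket, local_dir):
    """Run the plan against an S3 client; returns (uploaded keys, deleted keys)."""
    remote, kwargs = {}, {"Bucket": bucket}
    while True:                                   # follow list pagination
        page = s3.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            remote[obj["Key"]] = (obj["Size"], int(obj["LastModified"].timestamp()))
        if not page.get("IsTruncated"):
            break
        kwargs["ContinuationToken"] = page["NextContinuationToken"]
    uploads, deletes = plan_sync(local_dir, remote)
    for path, key in uploads:
        s3.upload_file(path, bucket, key)
    for key in deletes:
        s3.delete_object(Bucket=bucket, Key=key)
    return [k for _, k in uploads], deletes
```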

But what about authentication?

You can either run s3.exe auth or save the credentials to the Windows user profile. If you run s3.exe at a command line under the service account, you will be prompted for the Access Key ID and Secret Access Key.


It is recommended that you encrypt your Secret Access Key with a password.