Linux Bastion Hosts on the AWS Cloud

Quick Start Reference Deployment

QS

March 2021
Santiago Cardenas, AWS Serverless Partners
Tony Vattathil and Ian Hill, AWS Quick Start team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This Quick Start deployment guide provides instructions for deploying Linux bastion hosts in an Amazon Virtual Private Cloud (Amazon VPC) environment on the Amazon Web Services (AWS) Cloud. The Quick Start also provides AWS CloudFormation templates that automate the deployment.

The guide is for IT infrastructure architects, DevOps engineers, and administrators who want to deploy Linux bastion hosts to manage their AWS Cloud deployments remotely.

Quick Starts are automated reference deployments for AWS Cloud infrastructure components and key enterprise workloads on the AWS Cloud. Each Quick Start launches, configures, and runs AWS compute, network, storage, and other services, using AWS best practices for security and availability.

Linux Bastion Hosts on AWS

This Quick Start provides Linux bastion host functionality for AWS Cloud infrastructures. It deploys a virtual private cloud (VPC) using the Amazon VPC Quick Start reference deployment. Then, it sets up private and public subnets and deploys Linux bastion instances into the VPC. You can also choose to deploy Linux bastion hosts into your existing AWS infrastructure.

The bastion hosts provide secure access to Linux instances located in the private and public subnets. The Quick Start architecture deploys Linux bastion host instances into every public subnet to provide readily available administrative access to the environment. The Quick Start sets up a Multi-AZ environment consisting of two Availability Zones. If highly available bastion access is not necessary, you can stop the instance in the second Availability Zone and start it up when needed.

You can use this Quick Start as a building block for your own Linux-based deployments. You can add other infrastructure components and software layers to complete your Linux environment in the AWS Cloud. To build an AWS Cloud infrastructure for accessing Microsoft Windows-based instances, see the Quick Start for Remote Desktop (RD) Gateway.

AWS costs

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

No licenses are required to deploy this Quick Start. All AWS service resources consumed during the launch of the Quick Start incur AWS service usage costs.

Architecture

Deploying this Quick Start for a new virtual private cloud (VPC) with default parameters builds the following Linux bastion hosts environment in the AWS Cloud.

Architecture
Figure 1. Quick Start architecture for Linux bastion hosts on AWS

As shown in Figure 1, the Quick Start sets up the following:

  • A highly available architecture that spans two Availability Zones.*

  • A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*

  • An internet gateway to allow access to the internet. This gateway is used by the bastion hosts to send and receive traffic.*

  • Managed NAT gateways to allow outbound internet access for resources in the private subnets.*

  • A Linux bastion host in each public subnet with an Elastic IP address. These allow inbound SSH (Secure Shell) access to EC2 instances in public and private subnets.

  • A security group for fine-grained inbound access control.

  • An Amazon EC2 Auto Scaling group with a configurable number of instances.

  • A set of Elastic IP addresses that match the number of bastion host instances. If the Auto Scaling group relaunches any instances, these addresses are reassociated with the new instances.

  • An Amazon CloudWatch Logs log group to hold the Linux bastion host shell history logs.

*The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start also assumes familiarity with the following AWS services and components:

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might request quota increases to avoid exceeding the default limits for any resources that are shared across multiple deployments. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource This deployment uses

VPCs

1

Elastic IP addresses

1

Security groups

1

AWS Identity and Access Management (IAM) roles

1

Auto Scaling groups

1

<type> instances

1

Supported Regions

This Quick Start supports the following Regions:

Code Name

us-east-2

US East (Ohio)

us-east-1

US East (N. Virginia)

us-west-1

US West (N. California)

us-west-2

US West (Oregon)

af-south-1

Africa (Cape Town)

ap-east-1

Asia Pacific (Hong Kong)

ap-south-1

Asia Pacific (Mumbai)

ap-northeast-3

Asia Pacific (Osaka-Local)

ap-northeast-2

Asia Pacific (Seoul)

ap-southeast-1

Asia Pacific (Singapore)

ap-southeast-2

Asia Pacific (Sydney)

ap-northeast-1

Asia Pacific (Tokyo)

ca-central-1

Canada (Central)

eu-central-1

Europe (Frankfurt)

eu-west-1

Europe (Ireland)

eu-west-2

Europe (London)

eu-south-1

Europe (Milan)

eu-west-3

Europe (Paris)

eu-north-1

Europe (Stockholm)

me-south-1

Middle East (Bahrain)

sa-east-1

South America (São Paulo)

Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions.

EC2 key pairs

Make sure that at least one Amazon EC2 key pair exists in your AWS account in the Region where you plan to deploy the Quick Start. Make note of the key pair name. You need it during deployment. To create a key pair, see Amazon EC2 key pairs and Linux instances.

For testing or proof-of-concept purposes, we recommend creating a new key pair instead of using one that’s already being used by a production instance.

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Prepare your AWS account

Choose a Region

  • Before deploying the stack, in the AWS Management Console, choose an AWS Region from the top toolbar.

    region
    Figure 2. Selecting an AWS Region
    Consider choosing a Region closest to your data center or corporate network to reduce network latency between systems running on AWS and the systems and users on your corporate network.

Create a key pair

To create a key pair in your preferred Region, do the following:

  1. In your AWS Management Console, choose an AWS Region.

  2. On the Services menu, choose EC2.

  3. Under Network and Security, choose Key Pairs.

  4. Choose Create Key Pair.

  5. Enter a name and choose Create.

    keypair
    Figure 3. Creating a key pair

    Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. To be able to log in to your instances, you must create a key pair. On Linux, the key pair is used to authenticate SSH login.

Deployment options

This Quick Start provides two deployment options:

  • Deploy Linux bastion hosts into a new VPC. This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys Linux bastion hosts into this new VPC.

  • Deploy Linux bastion hosts into an existing VPC. This option provisions Linux bastion hosts in your existing AWS infrastructure.

The Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Linux bastion host settings, as discussed later in this guide.

Deployment steps

Sign in to your AWS account

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For details, see Planning the deployment earlier in this guide.

  2. Make sure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Launch the Quick Start

If you are using the CentOS operating system, subscribe to the CentOS AMI in AWS Marketplace.
When deploying this Quick Start into an existing VPC, ensure that your VPC has two private subnets in different Availability Zones for the workload instances and that the subnets are not shared. This Quick Start does not support shared subnets. These subnets require NAT gateways in their route tables to allow the instances to download packages and software without exposing them to the internet. Also ensure that the domain name option is configured as explained in DHCP options sets. You provide your VPC settings when you launch the Quick Start.

Each deployment takes about 5 minutes to complete.

  1. Sign in to your AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see Deployment options earlier in this guide.

Deploy Linux bastion hosts into a new VPC on AWS

View template

Deploy Linux bastion hosts into an existing VPC on AWS

View template

  1. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This Region is where the network infrastructure for Linux bastion hosts is built. The template is launched in the us-west-2 Region by default. For other choices, see Supported Regions earlier in this guide.

  1. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  2. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. For details on each parameter, see the Parameter reference section of this guide. When you finish reviewing and customizing the parameters, choose Next.

  1. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re finished, choose Next.

  2. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  3. Choose Create stack to deploy the stack.

  4. Monitor the status of the stack. When the status is CREATE_COMPLETE, the Linux bastion hosts deployment is ready.

  5. Use the values displayed in the Outputs tab for the stack, as shown in Figure 4, to view the created resources.

cfn_outputs
Figure 4. Linux bastion hosts outputs after successful deployment

Post-deployment steps

Log in to the bastion host. Use one of the following user names, depending on your choice of Linux distribution:

  • Amazon Linux: ec2-user

  • CentOS: centos

  • Ubuntu: ubuntu

The Linux distribution is specified in the Bastion AMI operating system parameter when you deploy the templates. For more information, see Parameter reference.

Enabling and customizing the Linux bastion host banner

This Quick Start provides the default banner illustrated in Figure 5 for the Linux bastion hosts. The banner is disabled by default. To enable it, set the Bastion banner parameter to true during deployment.

To customize the banner, create an ASCII text file with your own banner content. Then upload it to an S3 bucket or other publicly accessible location, and verify that it is accessible from the host.

Bastion logging

The bastion hosts deployed by this Quick Start provide a command logger in the /var/log/audit/audit.log file. This log file contains the date, SSH client connection IP address, user name, working directory, and the commands issued.

For added security, the contents of the /var/log/audit/audit.log file is also stored in a CloudWatch Logs log group in the AWS Cloud, and remains available in case the bastion hosts fail.

The log includes a history of the commands that are run when you log in. Figure 6 shows an example.

Regloggingion
Figure 6. Bastion logging

To notify your users that all their commands will be monitored and logged, we recommend that you enable the bastion host banner. For more information, see Enabling and Customizing the Linux bastion host banner. The default banner text includes the alert shown in Figure 5, which you can customize.

The bastion.log file is an immutable file that cannot be easily deleted or tampered with. However, in case this happens, there is a shadow file with a copy of bastion.log located in /var/log/audit/audit.log. And, the Quick Start also stores the contents of bastion.log remotely using the CloudWatch Logs service. Log files can be found under CloudWatch Logs using the instance ID as the log stream name.

Best practices for using Linux bastion hosts on AWS

The architecture built by this Quick Start supports AWS best practices for high availability and security.

  • Linux bastion hosts are deployed in two Availability Zones to support immediate access across the VPC. You can configure the number of bastion host instances at launch.

  • An Auto Scaling group ensures that the number of bastion host instances always matches the desired capacity you specify during launch.

  • Bastion hosts are deployed in the public (DMZ) subnets of the VPC.

  • Elastic IP addresses are associated with bastion instances to allow these IP addresses from on-premises firewalls. When an instance is shut down, the Auto Scaling group launches a new instance, and the existing Elastic IP addresses are associated with it. This ensures that the same trusted Elastic IP addresses are used at all times.

  • Inbound access to bastion hosts is locked down to known CIDR scopes. This is achieved by associating the bastion instances with a security group. The Quick Start creates a BastionSecurityGroup resource for this purpose.

  • Ports are limited to allow only the necessary access to the bastion hosts. For Linux bastion hosts, TCP port 22 for SSH connections is typically the only port allowed.

We recommend that you follow these best practices when using the architecture built by the Quick Start:

  • When you add new instances to the VPC that require management access from the bastion host, associate a security group inbound rule with each instance. The rule should reference the bastion security group as the source. It is also important to limit access to the required ports for administration.

  • During deployment, the public key from the Amazon EC2 key pair is associated with the user ec2-user in the Linux instance. For additional users, create users with the required permissions and associate them with their individual authorized public keys for SSH connectivity.

  • For the bastion host instances, select the number and type of instances according to the number of users and operations to be performed. The Quick Start creates one bastion host instance and uses the t2.micro instance type by default, but you can change these settings during deployment.

You can also change the number and type of bastion host instances after deployment by updating the AWS CloudFormation stack and changing the parameters. Reconfiguring the bastion host instances updates the related Elastic IP addresses and changes the bootstrapping logic in the launch configuration and Auto Scaling group. However, before you update the stack, you must shut down the instances you want to replace while keeping the Elastic IP addresses. When you update the stack, the Auto Scaling group launches the new instances with the updated instance type. Bootstrapping will assign the Elastic IP addresses from the existing pool of IP addresses that were provisioned during the initial deployment.
  • Set your desired expiration time directly in the CloudWatch Logs log group for the logs collected from each bastion instance. This ensures that bastion log history is retained only for the amount of time you need.

  • Keep CloudWatch log files for each bastion host instance separate so that you can filter and isolate log messages from individual bastion hosts. Every instance that is launched by the bastion Auto Scaling group will create its own log stream based on the instance ID.

Security

This Quick Start provisions one Linux bastion host in each Availability Zone with a single security group as a virtual firewall. This security group is required for remote access from the Internet. The security group is configured as follows:

Inbound

Source Protocol Ports

Remote access CIDR

TCP

22

Remote access CIDR

ICMP

N/A

Outbound

Destination Protocol Ports

0.0.0.0/0

All

All

For more information, see Internetwork traffic privacy in Amazon VPC.

Other useful information

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, relaunch the template with Rollback on failure set to Disabled. This setting is under Advanced in the AWS CloudFormation console on the Configure stack options page. With this setting, the stack’s state is retained, and you can troubleshoot the issue.

When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Ensure that you delete stack after troubleshooting.

For more information, see Troubleshooting AWS CloudFormation.

Q. I encountered a size-limitation error when I deployed the AWS CloudFormation templates.

A. Launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template-size limitations. For more information, see AWS CloudFormation quotas.

Q. I changed the instance type parameter after deployment and updated the stack, but the instance types did not change or the Elastic IP addresses were not reassociated after the stack update.

A. Terminate your bastion host instances. They will be replaced by Auto Scaling. A bootstrap action is performed on the new instances to configure security settings and CloudWatch logs and associate Elastic IP addresses.

Parameter reference

Unless you are customizing the Quick Start templates for your own deployment projects, we recommend that you keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

Launch into a new VPC

Table 1. Network configuration
Parameter label (name) Default value Description

Availability Zones (AvailabilityZones)

Requires input

List of Availability Zones to use for the subnets in the VPC.

VPC CIDR (VPCCIDR)

10.0.0.0/16

CIDR Block for the VPC.

Private subnet 1 CIDR (PrivateSubnet1CIDR)

10.0.0.0/19

CIDR block for private subnet 1, located in Availability Zone 1.

Private subnet 2 CIDR (PrivateSubnet2CIDR)

10.0.32.0/19

CIDR block for private subnet 2, located in Availability Zone 2.

Public subnet 1 CIDR (PublicSubnet1CIDR)

10.0.128.0/20

CIDR Block for the public DMZ subnet 1, located in Availability Zone 1.

Public subnet 2 CIDR (PublicSubnet2CIDR)

10.0.144.0/20

CIDR Block for the public DMZ subnet 2, located in Availability Zone 2.

Allowed bastion external access CIDR (RemoteAccessCIDR)

Requires input

Allowed CIDR block for external SSH access to the bastions

VPC tenancy (VPCTenancy)

default

The allowed tenancy of instances launched into the VPC.

Table 2. Amazon EC2 configuration
Parameter label (name) Default value Description

Key pair name (KeyPairName)

Requires input

Name of an existing public/private key pair, which allows you to securely connect to your instance after it launches.

Bastion AMI operating system (BastionAMIOS)

Amazon-Linux2-HVM

The Linux distribution for the AMI to be used for the bastion instances.

Bastion instance type (BastionInstanceType)

t2.micro

Amazon EC2 instance type for the bastion instances.

Table 3. Linux bastion configuration
Parameter label (name) Default value Description

Number of bastion hosts (NumBastionHosts)

1

The number of bastion hosts to create. The maximum number is four.

Bastion host name (BastionHostName)

LinuxBastion

The value used for the name tag of the bastion host.

Bastion tenancy (BastionTenancy)

default

Bastion VPC tenancy (dedicated or default).

Bastion banner (EnableBanner)

false

Choose true to display a banner when connecting via SSH to the bastion.

Banner text (BastionBanner)

Blank string

Banner text to display upon login.

TCP forwarding (EnableTCPForwarding)

false

To enable TCP forwarding, choose true.

X11 forwarding (EnableX11Forwarding)

false

To enable X11 forwarding, choose true.

Table 4. AWS Quick Start configuration
Parameter label (name) Default value Description

Quick Start S3 bucket name (QSS3BucketName)

aws-quickstart

Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html.

Quick Start S3 key prefix (QSS3KeyPrefix)

quickstart-linux-bastion/

S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html.

Quick Start S3 bucket Region (QSS3BucketRegion)

us-east-1

AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See https://aws-quickstart.github.io/option1.html.

Launch into an existing VPC

Table 5. Network configuration
Parameter label (name) Default value Description

VPC ID (VPCID)

Requires input

ID of the VPC (e.g., vpc-0343606e).

Public subnet 1 ID (PublicSubnet1ID)

Requires input

ID of the public subnet 1 that you want to provision the first bastion into (e.g., subnet-a0246dcd).

Public subnet 2 ID (PublicSubnet2ID)

Requires input

ID of the public subnet 2 that you want to provision the second bastion into (e.g., subnet-e3246d8e).

Allowed bastion external access CIDR (RemoteAccessCIDR)

Requires input

Allowed CIDR block for external SSH access to the bastions.

Table 6. Amazon EC2 configuration
Parameter label (name) Default value Description

Key pair name (KeyPairName)

Requires input

Name of an existing public/private key pair. If you do not have one in this AWS Region, please create it before continuing.

Bastion AMI operating system (BastionAMIOS)

Amazon-Linux2-HVM

The Linux distribution for the AMI to be used for the bastion instances.

Bastion instance type (BastionInstanceType)

t2.micro

Amazon EC2 instance type for the bastion instances.

Root volume size (RootVolumeSize)

10

The size in GB for the root EBS volume.

Table 7. Linux bastion configuration
Parameter label (name) Default value Description

Number of bastion hosts (NumBastionHosts)

1

The number of bastion hosts to create. The maximum number is four.

Bastion host Name (BastionHostName)

LinuxBastion

The value used for the name tag of the bastion host.

Bastion tenancy (BastionTenancy)

default

Bastion VPC tenancy (dedicated or default).

Bastion banner (EnableBanner)

false

Choose true to display a banner when connecting via SSH to the bastion.

Banner text (BastionBanner)

Blank string

Banner text to display upon login.

TCP forwarding (EnableTCPForwarding)

false

To enable TCP forwarding, choose true.

X11 forwarding (EnableX11Forwarding)

false

To enable X11 forwarding, choose true.

Table 8. Alternative configurations
Parameter label (name) Default value Description

Alternative initialization script (AlternativeInitializationScript)

Blank string

An alternative initialization script to run during setup.

Operating system override (OSImageOverride)

Blank string

The Region-specific image to use for the instance.

Alternative IAM role (AlternativeIAMRole)

Blank string

An existing IAM role name to attach to the bastion. If left blank, a new role will be created.

Environment variables (EnvironmentVariables)

Blank string

A comma-separated list of environment variables for use in bootstrapping. Variables must be in the format key=value. Value cannot contain commas.

Table 9. AWS Quick Start configuration
Parameter label (name) Default value Description

Quick Start S3 bucket name (QSS3BucketName)

aws-quickstart

Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but do not start or end with a hyphen (-). See https://aws-quickstart.github.io/option1.html.

Quick Start S3 key prefix (QSS3KeyPrefix)

quickstart-linux-bastion/

S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). End with a forward slash. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html.

Quick Start S3 bucket region (QSS3BucketRegion)

us-east-1

The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.


Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.