Tuesday, August 13, 2013

AMAZON - Create SSL Certificate for a Load Balancer

This section describes the process of generating a server certificate and preparing it for use with AWS products through IAM. To create a certificate, you perform a series of tasks as described by the following topics. Note: If you want to create a user signing certificate that you can use to sign SOAP requests in EC2, see Creating and Uploading a User Signing Certificate.
Topics
  • Install and Configure OpenSSL
  • Create a Private Key
  • Create a Certificate Signing Request
  • Submit the CSR to a Certificate Authority

Install and Configure OpenSSL
Creating and uploading a certificate requires a tool that supports the SSL and TLS protocols. OpenSSL is an open-source tool that provides the basic cryptographic functions necessary to create an RSA token and sign it with your private key. If you don't already have OpenSSL installed, follow the instructions in this section.
To install OpenSSL on Windows
  1. Go to OpenSSL: Binary Distributions (http://www.openssl.org/related/binaries.html).
  2. Click OpenSSL for Windows. A new page displays with links to the Windows downloads.
  3. If it is not already installed on your system, select the Microsoft Visual C++ 2008 Redistributables link appropriate for your environment and click Download. Follow the instructions provided by the Microsoft Visual C++ 2008 Redistributable Setup Wizard.
  4. After you have installed the Microsoft Visual C++ 2008 Redistributables, select the appropriate version of the OpenSSL binaries for your environment and save the file locally. The OpenSSL Setup Wizard launches.
  5. Follow the instructions described in the OpenSSL Setup Wizard. Save the OpenSSL binaries to a folder in your working directory.
Before you use OpenSSL commands, you must configure the operating system so that it has information about the location of the OpenSSL install point.
To configure OpenSSL on Windows
  1. Open a Command Prompt window.
  2. Set the OpenSSL_HOME variable to the location of the OpenSSL installation:
      set OpenSSL_HOME=path_to_your_OpenSSL_installation
  3. Set the path to the OpenSSL installation:
      set Path=%OpenSSL_HOME%\bin;%Path%
Note: Any changes you make to Windows environment variables in a Command Prompt window are valid only for the current command-line session. You can make persistent changes to the environment variables by setting them as system properties. The exact procedures depend on what version of Windows you're using. (For example, in Windows 7, open Control Panel > System and Security > System. Then choose Advanced system settings > Advanced tab > Environment Variables.) For more information, see the Windows documentation.

Create a Private Key
You need a unique private key to create your Certificate Signing Request (CSR).
At the command line, use the openssl genrsa command and the following syntax:
openssl genrsa 2048 > private-key.pem
For private-key.pem, specify your own file name. In the example, 2048 represents 2048-bit encryption. AWS also supports 1024-bit and 4096-bit encryption. We recommend you create an RSA key that is 2048 bits.

Create a Certificate Signing Request
The next step is to create a Certificate Signing Request (CSR). This is a file that you can send to a certificate authority (CA) to apply for a server certificate.
• Use the openssl req command with the following syntax to create a CSR:
openssl req -new -key private-key.pem -out csr.pem
The output will look similar to the following example:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.

The following table can help you create your certificate request.
| Name | Description | Example |
|---|---|---|
| Country Name | The two-letter ISO abbreviation for your country. | US = United States |
| State or Province | The name of the state or province where your organization is located. This name cannot be abbreviated. | Washington |
| Locality Name | The name of the city where your organization is located. | Seattle |
| Organization Name | The full legal name of your organization. Do not abbreviate your organization name. | Example Corp. |
| Organizational Unit | Optional, for additional organization information. | Marketing |
| Common Name | The fully qualified domain name for your CNAME. You will receive a certificate name check warning if this is not an exact match. | www.yourdomain.com |
| Email address | The server administrator's email address | someone@yourdomain.com |

Note: The Common Name field is often misunderstood and is completed incorrectly. The common name is typically your host plus domain name. It will look like "www.company.com" or "company.com". You need to create a CSR using your correct common name.

Submit the CSR to a Certificate Authority
Your CSR contains information identifying you. To apply for a server certificate, send your CSR to a certificate authority (CA). The CA might require other credentials or proofs of identity.
If the request for a certificate is successful, the CA returns an identity certificate (and possibly a chain certificate) that is digitally signed.
AWS does not recommend a specific CA. For a partial listing of available CAs, see Third-Party Certificate Authorities.

Steps to update SSL Certificate on Amazon Elastic Load Balancer

  1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. On the Amazon EC2 Getting Started page, in the EC2 Dashboard pane, under NETWORK & SECURITY, click Load Balancers.
  3. On the Load Balancers page, select your load balancer.
  4. The bottom pane displays the details of your load balancer.
  5. Click the Listeners tab.
  6. Click Change in the SSL Certificate column of the certificate you want to update.
  7. On the Configure SSL Certificate page, select Choose from your existing SSL Certificates to use a previously uploaded SSL certificate, and select the certificate from the drop-down box.
  8. Or, select Upload a new SSL Certificate if you have an SSL certificate and want to upload it.
    Before you upload, ensure that your certificate meets the following criteria:
    • Certificates must follow the X.509 PEM format.
    • The current date must be between the certificate’s start and end date.
    • Public and private certificate files must contain only a single certificate.
    • The private key must match the public key that is in the digital server certificate.
    • The private key must be an RSA private key in PEM format, where the PEM header is BEGIN RSA PRIVATE KEY and the footer is END RSA PRIVATE KEY.
    • The private key cannot be encrypted with a password.
    • A certificate chain starts with the immediate signing certificate and is then followed by any intermediaries in order. Intermediaries that are not involved in the trust path must not be included. The trusted root certificate can be optionally included as the last certificate.
    If your certificate does not meet the criteria listed in this step, you might get an error when you upload it. Create a new SSL certificate and upload the certificate using AWS Identity and Access Management (IAM). For instructions on creating and uploading the SSL certificate, go to Creating and Uploading Server Certificates in Using AWS Identity and Access Management.

    Step through the following instructions to continue uploading your SSL certificate.
    • Enter the name of the certificate to upload.
    • Copy and paste the contents of the private key file (PEM-encoded) in the Private Key box.
    • Copy and paste the contents of the public key certificate file (PEM-encoded) in the Public Key Certificate box.
    • [Optional] Copy and paste the contents of the public key certificate chain file (PEM-encoded) in the Certificate Chain box.
    Note: The certificate chain must be ordered such that the root certificate is the last certificate in the chain. If you use a certificate chain in a different order, you will receive an error.
  9. Click Save.
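
The upload criteria listed in step 8 can be checked locally before anything is pasted into the console. The following pre-flight check is an added example, not part of the original post or of any AWS tooling: the function names are hypothetical, it uses a small hand-written DER reader from the Python standard library only, and the sample pair is a constructed toy structure with no real cryptography. It covers the single-certificate, RSA header, unencrypted key, validity window and key-match criteria; it does not verify signatures or chain order.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):  # -> [(label, is_encrypted, der_bytes)] per PEM block
    out = []
    for label, body in PEM_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        encrypted = any(ln.startswith("Proc-Type:") for ln in lines)  # RFC 1421 header
        data = "".join(ln for ln in lines if ":" not in ln)
        out.append((label, encrypted, base64.b64decode(data)))
    return out

def tlv(buf, pos=0):  # decode one DER element -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):  # every (tag, value) directly inside a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def der_time(tag, val):
    text = val.decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year; 00-49 means 20xx
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_facts(der):  # -> (rsa_modulus, not_before, not_after)
    tbs = children(children(tlv(der)[1])[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip optional version field
    (t1, v1), (t2, v2) = children(tbs[3][1])  # validity
    bit_string = children(tbs[5][1])[1][1]  # subjectPublicKeyInfo key bits
    modulus = children(tlv(bit_string[1:])[1])[0][1]  # skip unused-bits octet
    return int.from_bytes(modulus, "big"), der_time(t1, v1), der_time(t2, v2)

def preflight(cert_pem, key_pem, now):
    """Return the upload criteria that this certificate/key pair violates."""
    problems = []
    certs = [b for b in pem_blocks(cert_pem) if b[0] == "CERTIFICATE"]
    keys = pem_blocks(key_pem)
    if len(certs) != 1:
        problems.append(f"certificate file holds {len(certs)} certificates, expected 1")
    if len(keys) != 1 or keys[0][0] != "RSA PRIVATE KEY":
        problems.append("private key is not a single BEGIN RSA PRIVATE KEY block")
    elif keys[0][1]:
        problems.append("private key is password-encrypted")
    if problems:
        return problems
    modulus, start, end = cert_facts(certs[0][2])
    if not start <= now <= end:
        problems.append("current date is outside the certificate validity period")
    key_fields = children(tlv(keys[0][2])[1])  # PKCS#1: version, n, e, d, ...
    if int.from_bytes(key_fields[1][1], "big") != modulus:
        problems.append("private key does not match the certificate public key")
    return problems

def constructed_pair(n=3233):  # constructed toy skeletons, no real cryptography
    def enc(tag, *parts):  # short-form DER encoder, enough for this sample
        body = b"".join(parts)
        return bytes([tag, len(body)]) + body
    num = lambda i: enc(0x02, i.to_bytes(2, "big"))
    empty = enc(0x30)
    spki = enc(0x30, empty, enc(0x03, b"\x00", enc(0x30, num(n), num(17))))
    valid = enc(0x30, enc(0x17, b"130101000000Z"), enc(0x17, b"140101000000Z"))
    tbs = enc(0x30, num(1), empty, empty, valid, empty, spki)
    pem = lambda label, der: (f"-----BEGIN {label}-----\n"
                              f"{base64.encodebytes(der).decode()}-----END {label}-----\n")
    cert = enc(0x30, tbs, empty, enc(0x03, b"\x00"))
    key = enc(0x30, num(0), num(n), num(17), num(2753))
    return pem("CERTIFICATE", cert), pem("RSA PRIVATE KEY", key)

if __name__ == "__main__":
    print(preflight(*constructed_pair(), datetime(2013, 8, 13, tzinfo=timezone.utc)))
```

To check real files, pass the text of the certificate file and the private key file to preflight() together with datetime.now(timezone.utc); an empty list means none of the checked criteria failed.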

Sample Certificates
The following certificates show the valid format that IAM accepts for server certificates and their associated private key and certificate chain.
The server certificate associates your public key with your identity. When you submit your Certificate Signing Request (CSR) to a certificate authority (CA), a server certificate is returned to you by the CA. The following is a sample server certificate:
-----BEGIN CERTIFICATE-----
Base64-encoded server certificate
-----END CERTIFICATE-----

The private key allows you to decrypt messages that are encrypted with your public key. The following figure is a sample private key: Sample private key

The certificate chain includes all intermediary certificates that lead to the root certificate, as shown in the following example. Intermediaries that are not involved in the trust path must not be included.
Sample certificate chain
-----BEGIN CERTIFICATE-----
CA public key certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Optional: Root certificate
-----END CERTIFICATE-----

Friday, August 2, 2013

Configure VPC with scenario 1 "VPC with a Public Subnet Only"

Set up the VPC, subnet, and Internet gateway:
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. Click VPC Dashboard in the navigation pane.
  3. Locate the Your Virtual Private Cloud area of the dashboard and click Get started creating a VPC if you have no VPC resources, or click Start VPC Wizard.
  4. Select the first option, VPC with a Single Public Subnet Only, and then click Continue.
  5. The confirmation page shows the CIDR ranges and settings that you've chosen. Make any changes that you need, and then click Create VPC to create your VPC, subnet, Internet gateway, and route table.

Create WebServerSG and Adding Rules to the Security Group
The WebServerSG security group is the security group that you'll specify when you launch your web servers into your public subnet. The following table describes the recommended rules for this security group, which allow the web servers to receive Internet traffic, as well as SSH and RDP traffic from your network. The web servers can also initiate traffic to the Internet and read and write requests to the database servers in the private subnet.
Inbound
| Source | Protocol | Port Range | Comments |
|---|---|---|---|
| 0.0.0.0/0 | TCP | 80 | Allow inbound HTTP access to the web servers from anywhere |
| 0.0.0.0/0 | TCP | 443 | Allow inbound HTTPS access to the web servers from anywhere |
| 18.71.152.166/32 | TCP | 3389 | Allow inbound RDP access to Windows instances from your network (over the Internet gateway) |

Outbound
| Destination | Protocol | Port Range | Comments |
|---|---|---|---|
| 0.0.0.0/0 | TCP | 80 | Allow web servers to initiate outbound HTTP access to the Internet (for example, for software updates) |
| 0.0.0.0/0 | TCP | 443 | Allow web servers to initiate outbound HTTPS access to the Internet (for example, for software updates) |
| The ID of your DBServerSG security group | TCP | 1433 | Allow outbound Microsoft SQL Server access to the database servers assigned to DBServerSG |

Create the WebServerSG security group and add rules:
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. Click Security Groups in the navigation pane.
  3. Click the Create Security Group button.
  4. Specify WebServerSG as the name of the security group, and provide a description. Select the ID of your VPC from the VPC menu, and then click Yes, Create.
  5. Select the WebServerSG security group that you just created. The details pane includes a tab for information about the security group, plus tabs for working with its inbound rules and outbound rules.
  6. On the Inbound tab, do the following:
    • Select HTTP from the Create a new rule list, make sure that Source is 0.0.0.0/0, and then click Add Rule.
    • Select HTTPS from the Create a new rule list, make sure that Source is 0.0.0.0/0, and then click Add Rule.
    • Select RDP from the Create a new rule list, make sure that Source is “Office IP Address”, and then click Add Rule.
    • Click Apply Rule Changes to apply these inbound rules.
  7. On the Outbound tab, do the following:
    • Locate the default rule that enables all outbound traffic, and then click Delete.
    • Select HTTP from the Create a new rule list, make sure that Destination is 0.0.0.0/0, and then click Add Rule.
    • Select HTTPS from the Create a new rule list, make sure that Destination is 0.0.0.0/0, and then click Add Rule.
    • Select My SQL from the Create a new rule list, make sure that Destination is “ID of DBServerSG”, and then click Add Rule.
    • Click Apply Rule Changes to apply these outbound rules.


Create DBServerSG and Adding Rules to the Security Group
The DBServerSG security group is the security group that you'll specify when you launch your database servers into your private subnet. The following table describes the recommended rules for this security group, which allow read or write database requests from the web servers. The database servers can also initiate traffic bound for the Internet (your route table sends that traffic to the NAT instance, which then forwards it to the Internet over the Internet gateway).
DBServerSG: Rules

Inbound
| Source | Protocol | Port Range | Comments |
|---|---|---|---|
| The ID of your WebServerSG security group | TCP | 1433 | Allow web servers assigned to WebServerSG Microsoft SQL Server access to database servers assigned to DBServerSG |
| 18.71.152.166/32 | TCP | 3389 | Allow inbound RDP access to Windows instances from your network (over the Internet gateway) |

Outbound
| Destination | Protocol | Port Range | Comments |
|---|---|---|---|
| 0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to the Internet (for example, for software updates) |
| 0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to the Internet (for example, for software updates) |


To add the recommended rules to the DBServerSG security group
  1. Select the DBServerSG security group that you created. The details pane displays the details for the security group, plus tabs for working with its inbound and outbound rules.
  2. Add rules for inbound traffic using the Inbound tab as follows:
    1. Select MYSQL from the Create a new rule list. In the Source box, specify the ID of your WebServerSG security group, and then click Add Rule.
    2. Select RDP from the Create a new rule list. In the Source box, specify IP Address of office security group, and then click Add Rule.
    3. Click Apply Rule Changes.
  3. Add rules for outbound traffic using the Outbound tab as follows:
    1. Select HTTP from the Create a new rule list. Make sure that Destination is 0.0.0.0/0, and then click Add Rule.
    2. Select HTTPS from the Create a new rule list. Make sure that Destination is 0.0.0.0/0, and then click Add Rule.
    3. Click Apply Rule Changes.
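
The two rule sets only work as a pair: the outbound rule from WebServerSG to DBServerSG needs an inbound rule in DBServerSG on the same port, and administrative ports should never be reachable from 0.0.0.0/0. The following audit is an added example, not part of the original post: the function names and the rule representation are hypothetical, and the data is transcribed from the two tables above. The test variant uses TCP 3306, which is what the console's MySQL preset creates, to show what a port mismatch between the two groups looks like.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 1433: "Microsoft SQL Server", 3306: "MySQL", 3389: "RDP"}

def is_anywhere(peer):
    """True when peer is a CIDR that covers every address (0.0.0.0/0)."""
    try:
        return ipaddress.ip_network(peer).prefixlen == 0
    except ValueError:  # peer is a security group name, not a CIDR
        return False

def allows(rules, peer, port):
    """True if any (peer, port) rule covers traffic with this peer on this port."""
    return any(p in (port, "ALL") and (who == peer or is_anywhere(who))
               for who, p in rules)

def audit(groups):
    """groups maps name -> {"inbound": [(peer, port)], "outbound": [(peer, port)]}."""
    findings = []
    for name, rules in groups.items():
        for peer, port in rules["inbound"]:
            if is_anywhere(peer) and (port == "ALL" or port in ADMIN_PORTS):
                label = ADMIN_PORTS.get(port, "all traffic")
                findings.append(f"{name}: inbound {label} ({port}) open to 0.0.0.0/0")
            if peer in groups and not allows(groups[peer]["outbound"], name, port):
                findings.append(
                    f"{name}: inbound {port} from {peer} has no matching outbound rule in {peer}")
        for peer, port in rules["outbound"]:
            if is_anywhere(peer) and port == "ALL":
                findings.append(f"{name}: default allow-all outbound rule still present")
            if peer in groups and not allows(groups[peer]["inbound"], name, port):
                findings.append(
                    f"{name}: outbound {port} to {peer} has no matching inbound rule in {peer}")
    return findings

def page_rules():
    """The WebServerSG and DBServerSG rules as listed in the tables above."""
    office = "18.71.152.166/32"
    web = [("0.0.0.0/0", 80), ("0.0.0.0/0", 443)]
    return {
        "WebServerSG": {"inbound": web + [(office, 3389)],
                        "outbound": web + [("DBServerSG", 1433)]},
        "DBServerSG": {"inbound": [("WebServerSG", 1433), (office, 3389)],
                       "outbound": list(web)},
    }

if __name__ == "__main__":
    print(audit(page_rules()))  # the rules from the tables produce no findings
    mismatch = page_rules()
    # Constructed variant: one side created with the MySQL preset (TCP 3306).
    mismatch["DBServerSG"]["inbound"][0] = ("WebServerSG", 3306)
    for line in audit(mismatch):
        print(line)
```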

To launch First Web instance
  1. Start the Classic wizard:
    1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
    2. Click the Launch Instance button from the dashboard.
    3. On the Create a New Instance page, select Classic Wizard, and then click Continue.
  2. On the CHOOSE AN AMI page, the Quick Start tab displays a list of basic configurations called Amazon Machine Images (AMI). Choose the AMI that you want to use and click its Select button.
  3. On the INSTANCE DETAILS page, under Launch Instances, select the subnet to launch the instance into. Keep the other default settings on this page and click Continue.
  4. To use the default settings on the next INSTANCE DETAILS pages, just click Continue on each page.
  5. Select EBS Volume
  6. On the CREATE A KEY PAIR page, you can choose from any existing key pairs that you've created, or follow the wizard directions to create a new key pair.
  7. On the Configure Firewall page, select the security group you want to use for the instance (WebServerSG), and then click Continue.
  8. Review your settings. When you're satisfied with your selections, click Launch.
    Before you can access an instance in your public subnet, you must assign it an Elastic IP address.
To allocate Elastic IP address and assign it to an instance
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. Click Elastic IPs in the navigation pane.
  3. Click the Allocate New Address button.
  4. In the Allocate New Address dialog box, in the EIP used in list, select VPC, and then click Yes, Allocate.
  5. Select the Elastic IP address from the list, and then click the Associate Address button.
  6. In the Associate Address dialog box, select the network interface or instance. Select the address to associate the Elastic IP address with from the corresponding Private IP Address list, and then click Yes, Associate.
To create password for this instance
  1. Go to the instance in the EC2 console and right-click it.
  2. Click “Get Windows Password”, select your private key pair file, and generate the password by clicking “Decrypt Password”.
We have to launch a separate instance for the database with the security group "DBServerSG" (specified above) in the same public subnet.
Now you can connect to the database server from the web server by using the private IP of the database instance.