Cloud Linux Environments
Deploy and manage Linux in AWS, Azure, and GCP.
Running Linux in the cloud is mostly the same as running Linux anywhere β plus a few cloud-specific primitives: IAM, security groups/firewalls, instance metadata, and managed monitoring/logging.
AWS EC2
The typical workflow is: pick an image, choose instance type, attach networking/security groups, then bootstrap via SSH or cloud-init.
# Launch instance
$ aws ec2 run-instances --image-id ami-xxx --instance-type t2.micro
# Connect via SSH
$ ssh -i key.pem ec2-user@ip-address
# List instances
$ aws ec2 describe-instances
$ aws ec2 run-instances --image-id ami-xxx --instance-type t2.micro
# Connect via SSH
$ ssh -i key.pem ec2-user@ip-address
# List instances
$ aws ec2 describe-instances
First 10 minutes on a new cloud VM
# Update and patch
$ sudo apt update && sudo apt upgrade # Ubuntu/Debian
$ sudo dnf update # RHEL/Fedora
# Verify exposure
$ ss -tulpn | head
$ sudo ufw status verbose 2>/dev/null || true
# Confirm identity and host info
$ uname -a
$ cat /etc/os-release
$ sudo apt update && sudo apt upgrade # Ubuntu/Debian
$ sudo dnf update # RHEL/Fedora
# Verify exposure
$ ss -tulpn | head
$ sudo ufw status verbose 2>/dev/null || true
# Confirm identity and host info
$ uname -a
$ cat /etc/os-release
Cloud Best Practices
Cloud incidents are usually caused by misconfigurations (open security groups, leaked keys, missing backups) rather than Linux itself. Treat cloud primitives as part of your security posture.
- β Use IAM roles instead of access keys
- β Enable VPC flow logs for network monitoring
- β Restrict SSH to trusted IPs/VPN (avoid 0.0.0.0/0 on port 22)
- β Implement auto-scaling for variable workloads
- β Use managed services when possible
- β Automate bootstrap with cloud-init / IaC (donβt click in consoles)
- β Enable backups/snapshots and test restores
- β Enable CloudWatch/Stackdriver monitoring
Security group baseline (mental model)
- β’Inbound: allow only what you must (SSH from trusted IPs; 80/443 for web)
- β’Outbound: restrict if your org requires it; otherwise monitor and log
- β’Least privilege: if an app only needs 443, donβt open extra ports
Cloud-init (bootstrap without manual steps)
Cloud-init runs on first boot and can install packages, write config files, and start services automatically.
#cloud-config
package_update: true
packages:
- nginx
runcmd:
- systemctl enable --now nginx
package_update: true
packages:
- nginx
runcmd:
- systemctl enable --now nginx
β Practice (30 minutes)
- Spin up a test VM, patch it, and confirm only expected ports are listening.
- Define a security group policy for a βweb + SSHβ server and explain each rule.
- Use cloud-init (or user-data) to install nginx automatically on boot.
Popular Cloud Linux Distributions
- Amazon Linux 2 - Optimized for AWS
- Ubuntu Server - Wide support, great community
- RHEL - Enterprise support and stability
- Debian - Stable and secure