AWS Overview

This is an overview of the most common Amazon Web Services components and some information about the AWS security model.

Infrastructure and Services

  1. Regions and availability zones
  2. Foundation services
  3. Platform services

1. Infrastructure

Regions

  • Regions are split into Availability zones
  • Availability zones can have multiple data centers

Edge locations

  • Instead of being served from the data centers, data can be cached at edge locations
  • Used as CDN

2. Foundation services

  • Compute (EC2, Lambda, Auto-scaling)
  • Networking (Load-balancing, Route53, VPC)
  • Storage (S3, Block storage, Glacier, EFS)

3. Platform services

  • Databases (DynamoDB, Relational DBs, Redshift)
  • Analytics (Kinesis, EMR, Data pipeline)
  • Deployment (Elastic beanstalk, CodeDeploy)
  • Mobile (Cognito, SNS)

AWS Elastic Compute Cloud (EC2)

  • Infrastructure as a Service (IaaS)
  • Spins up virtual machines in the cloud
  • Custom VMs
  • Fully managed infrastructure
  • Fast provisioning
  • Elastic scaling
  • Pre-built images or bring your own
  • Configurable network
  • Use security groups to open/close ports

Amazon Machine Images (AMI)

  • Different images available
  • Configures OS and Root Volume
  • Public images available in AMI repo
  • AMI defines an EBS-backed root volume (most common, flexible) or an instance store-backed one (faster and more restricted)
  • AMI marketplace includes pre-built images with popular configurations

Storage options

  1. Root volume configuration
  2. Instance store backed vs EBS backed
  3. Lifecycle of an instance

Root volume configuration

Defines where the OS is stored

Instance store backed

  • Fast I/O drive directly attached to the instance
  • Ephemeral storage
  • Cannot be stopped

EBS backed

  • Slower I/O
  • Persistent storage
  • Can be stopped

Lifecycle

Advanced features

  1. Machine types with different optimisations (cpu/memory/storage/gpu etc.)
  2. Instance metadata (information about the system) and user data (scripts that run at startup). NOT SECURE: anything placed there is readable from inside the instance, so never put secrets in it!
  3. Pricing models
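Because user data is readable from inside the instance, a defensive habit is to scan bootstrap scripts for embedded credentials before they are ever attached to an instance. The following is an added example, not code from the original notes: a small scanner run over a constructed user-data script (the script, the bucket name and the password are made up; the access key ID is the placeholder AWS uses in its own documentation).

```python
import re

# Constructed sample user-data script (hypothetical; not taken from any real
# instance). It shows the anti-pattern: credentials baked into the bootstrap
# script, which any process on the instance can read back from the metadata
# service.
SAMPLE_USER_DATA = """#!/bin/bash
export DB_PASSWORD=hunter2
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
aws s3 cp s3://example-bucket/config.tgz /opt/app/
"""

# The "AKIA" + 16 uppercase alphanumerics shape is the documented form of an
# AWS access key ID; the assignment pattern is a generic heuristic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\w*(password|passwd|secret)\w*\s*=\s*\S+"),
}


def find_embedded_secrets(user_data):
    """Return a list of (line number, finding type) for each suspicious line.

    A clean bootstrap script that only installs packages and fetches its
    configuration under an instance role yields an empty list.
    """
    findings = []
    for lineno, line in enumerate(user_data.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, kind in find_embedded_secrets(SAMPLE_USER_DATA):
        print(f"line {lineno}: {kind}")
```

The fix for a hit is not to obfuscate the value but to remove it: give the instance an IAM role and fetch secrets at runtime from a secrets store, so the user-data script contains nothing worth reading.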

AWS Simple Storage Service (S3)

  • Online storage accessible over HTTPS
  • Built for unstructured binary data (files)
  • Highly scalable, durable, limitless

Features

  • Access via SOAP/REST/Web/shell
  • Unlimited number of objects (each up to 5TB)
  • Secure with client-side or AWS provided server-side encryption
  • Bucket and object level access logs for auditing and compliance

Concepts

  1. Architecture
  2. Buckets and Object
  3. Security options

1. Architecture

2. Buckets and Object

Buckets

  • Top level containers for data (Objects)
  • Exist in a global namespace
  • Created in a region
  • Cannot be nested
  • Usage/Charges can be aggregated by Bucket

Objects

  • Discrete data files between 0 and 5 TB
  • Can be versioned
  • Bucket + Object + Version can map to a unique URL

3. Security options

  • Access control at Bucket and Object
  • ACLs
  • Identity and Access management policies
  • Bucket and Object policies can be defined with Access Policy Language (json)
  • Encrypt at rest with AES-256 (server-side) and/or bring your own key and encrypt client-side before sending
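A bucket policy written in the Access Policy Language is just a JSON document, so the two checks a reviewer makes most often (is anything granted to everyone, and is plaintext HTTP refused) can be automated. The following is an added example and not code from the original notes: a constructed policy for a hypothetical bucket, with the weak statement (public read) beside the hardening statement (deny non-TLS requests via the real `aws:SecureTransport` condition key), and helpers that flag and strip the weak one.

```python
import json

# Constructed bucket policy in the Access Policy Language (bucket name is
# hypothetical). The first statement is the weak setting: it lets anyone,
# authenticated or not, read every object. The second statement is a common
# hardening: refuse any request that does not arrive over TLS.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-bucket",
                   "arn:aws:s3:::example-bucket/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def is_public_allow(stmt):
    """An Allow for Principal "*" (or {"AWS": "*"}) with no Condition is world-open."""
    principal = stmt.get("Principal")
    anonymous = principal == "*" or (
        isinstance(principal, dict) and principal.get("AWS") == "*")
    return stmt.get("Effect") == "Allow" and anonymous and not stmt.get("Condition")


def public_allow_sids(policy):
    """Sids of statements that grant access to everyone without restriction."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if is_public_allow(s)]


def enforces_tls(policy):
    """True if a Deny statement rejects requests where aws:SecureTransport is false."""
    for s in policy.get("Statement", []):
        cond = s.get("Condition", {}).get("Bool", {})
        if s.get("Effect") == "Deny" and \
                str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def without_public_allows(policy):
    """Copy of the policy with the world-open Allow statements removed."""
    kept = [s for s in policy.get("Statement", []) if not is_public_allow(s)]
    return {**policy, "Statement": kept}


if __name__ == "__main__":
    print("public statements:", public_allow_sids(BUCKET_POLICY))
    print("TLS enforced:", enforces_tls(BUCKET_POLICY))
    print(json.dumps(without_public_allows(BUCKET_POLICY), indent=2))
```

The check is deliberately conservative: an Allow to `*` that carries a Condition (for example an `aws:SourceVpc` restriction) is not reported as public, because whether it is open depends on the condition, which a human should read.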

Advanced features

  1. Object Versioning
  2. Object Storage Classes
  3. Lifecycle Management

1. Object Versioning

  • Versioning set at bucket level
  • Existing objects have “null” version
  • New objects are assigned new version id
  • All versions are retained… even after delete

2. Object Storage Classes

  • Set at object level
  • Standard, Infrequently Accessed, Glacier, Reduced Redundancy
  • Different pricing, durability, and availability

3. Lifecycle Management

  • Can delete old versions of files after some specified time
  • Can automatically move objects between storage classes
  • Configured with XML
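To make the XML shape concrete, here is an added example (not from the original notes) that parses a constructed lifecycle configuration with one rule moving objects under a hypothetical `logs/` prefix to STANDARD_IA after 30 days and to GLACIER after 90, and expiring old (non-current) versions after 180 days. The rule id, prefix and day counts are made up; the element names are the ones S3 uses.

```python
import xml.etree.ElementTree as ET

# Constructed lifecycle configuration (hypothetical prefix and rule id).
LIFECYCLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<LifecycleConfiguration>
  <Rule>
    <ID>archive-logs</ID>
    <Filter><Prefix>logs/</Prefix></Filter>
    <Status>Enabled</Status>
    <Transition>
      <Days>30</Days>
      <StorageClass>STANDARD_IA</StorageClass>
    </Transition>
    <Transition>
      <Days>90</Days>
      <StorageClass>GLACIER</StorageClass>
    </Transition>
    <NoncurrentVersionExpiration>
      <NoncurrentDays>180</NoncurrentDays>
    </NoncurrentVersionExpiration>
  </Rule>
</LifecycleConfiguration>
"""


def parse_lifecycle(xml_text):
    """Turn the XML into a list of plain dicts, one per <Rule>."""
    rules = []
    for rule in ET.fromstring(xml_text).findall("Rule"):
        # Sort transitions by day so later code can walk them in order.
        transitions = sorted(
            (int(t.findtext("Days")), t.findtext("StorageClass"))
            for t in rule.findall("Transition"))
        noncurrent = rule.find("NoncurrentVersionExpiration/NoncurrentDays")
        rules.append({
            "id": rule.findtext("ID"),
            "prefix": rule.findtext("Filter/Prefix") or "",
            "enabled": rule.findtext("Status") == "Enabled",
            "transitions": transitions,
            "noncurrent_expiry_days": int(noncurrent.text) if noncurrent is not None else None,
        })
    return rules


def storage_class_on_day(rule, age_days):
    """Storage class a current object under this rule is in after age_days."""
    storage_class = "STANDARD"
    for days, target in rule["transitions"]:
        if age_days >= days:
            storage_class = target
    return storage_class


if __name__ == "__main__":
    for rule in parse_lifecycle(LIFECYCLE_XML):
        print(rule["id"], rule["prefix"], rule["transitions"],
              "noncurrent versions expire after", rule["noncurrent_expiry_days"], "days")
```

The noncurrent-version expiry is the piece that matters for a versioned bucket: without it every overwritten or deleted object is kept forever, which is good for recovery but also means sensitive data that was "deleted" is still retrievable.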

Elastic Block Store (EBS)

  • Virtual hard drives in the cloud
  • Create volumes during EC2 creation or independently
  • SSD or Magnetic available
  • 1GB to 16TB available
  • Take snapshot into S3 at anytime
  • Use for root volumes, databases, application data
  • Pay for provisioned capacity rather than usage

S3 comparison

Virtual Private Cloud (VPC)

  • Private, isolated, virtual network
  • Create logically isolated subnets
  • Select IP address ranges and assign them to resources
  • Remotely connect to an on-premises network with VPN
  • Supports both public and private networks
  • Available per Availability Zone

Security inside a VPC

  • Use network ACLs and IAM security groups to control access
  • Security groups control inbound and outbound traffic at instance level
  • Network ACLs control inbound and outbound traffic at subnet level
  • Use a NAT gateway instance to allow access from the private network to the WAN
  • Set up route tables, firewalls, gateways
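Since security groups are the per-instance port filter mentioned under EC2 as well, the check worth automating is "which inbound rules expose an administrative port to the whole internet". The following is an added example, not code from the original notes: it runs over a constructed list in the shape the EC2 DescribeSecurityGroups API returns (group ids and names are hypothetical) and reports rules that open SSH, RDP or database ports, or all traffic, to 0.0.0.0/0 or ::/0.

```python
# Constructed sample in the shape returned by EC2 DescribeSecurityGroups
# (group ids and names are hypothetical). "web" exposes SSH to the world;
# "db" limits PostgreSQL to a subnet but also has an all-traffic rule.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0example1",
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0example2",
        "GroupName": "db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]

# Ports that should normally be reachable only from administrative networks.
ADMIN_PORTS = {22, 3389, 3306, 5432}
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


def _sources(rule):
    """All IPv4 and IPv6 CIDR sources of one inbound rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _covers_admin_port(rule):
    if rule.get("IpProtocol") == "-1":      # "-1" means all protocols, every port
        return True
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return False                        # ICMP uses FromPort/ToPort as type/code
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def world_reachable_admin_rules(groups):
    """Return (GroupId, description) for inbound rules exposing an admin port to any address."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            if not _covers_admin_port(rule):
                continue
            if not any(src in ANY_ADDRESS for src in _sources(rule)):
                continue
            if rule.get("IpProtocol") == "-1":
                desc = "all traffic"
            else:
                desc = f"{rule['IpProtocol']} {rule['FromPort']}-{rule['ToPort']}"
            findings.append((group["GroupId"], desc))
    return findings


if __name__ == "__main__":
    for group_id, desc in world_reachable_admin_rules(SECURITY_GROUPS):
        print(f"{group_id}: {desc} open to the world")
```

Security groups are stateful (a reply to permitted inbound traffic is allowed out automatically) while network ACLs are stateless, so an audit like this one only covers the instance-level layer; the subnet-level ACLs need their own pass.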

AWS Shared Responsibility Model

Defines who is responsible for what. Security in the cloud is up to the user. Security of the cloud is handled by Amazon.

  1. Shared responsibility
  2. Physical security
  3. Hardware, software, network

EC2 Example

  • Amazon controls physical security
  • The user controls patching, firewall, security groups of the instance

S3 Example

  • Amazon controls patching and firewalls
  • The user controls access to files, encryption, transport, etc.

2. Physical security

  • Non-descript, undisclosed locations
  • 24/7 security staff
  • Two factor auth for entry
  • Continual monitoring, logging and auditing

3. Hardware, software and network security

  • Automated change control process
  • Physical access requires authorization with frequent renewal
  • Bastion servers act as gateways for privileged users
  • Network boundary devices monitor and audit access
  • Unusual or abnormal activity monitoring of application usage, intrusion etc.

Regulatory compliance

  • HIPAA
  • PCI
  • ISO 27001
  • Many many more…