Security is one of the biggest concerns in Cloud Computing. Every company whose application runs on the web or on mobile phones worries about the security of its infrastructure.
1) The leadership team at a large Online Store is worried that an employee might delete its critical data by mistake.
2) The CEO of a Social Media company is concerned about the security of its website images stored in the Cloud.
3) The DevOps team of a top Online Gaming Company wants to provide a secure and easy way for its users to log in to its site, without worrying about leakage of those login credentials.
4) The Site Reliability team at an Online Media company is concerned about the reliability of its servers whenever a news story goes viral on its website.
5) The leadership team at a large IT firm is concerned that its employees might have more privileges than required.
These are a few of the many security questions that give all of us sleepless nights.
It takes more than one document to answer all of the security questions about the Cloud.
For now, let's look at the five scenarios above and try to resolve these concerns, one concern at a time!
1) The leadership team at a large Online Store is worried that an employee might delete its critical data by mistake.
Losing crucial data to human error is avoidable. We need to automate infrastructure governance. In AWS, we have Identity and Access Management (IAM).
• It is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources.
• It lets the root user securely control access to AWS resources.
• You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
• To learn more about IAM, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
2) The CEO of a Social Media company is concerned about the security of its website images stored in the Cloud.
In AWS, S3 (Simple Storage Service) and EBS (Elastic Block Store) provide storage for the front-end and back-end files of the application. Files stored in S3 and EBS can be encrypted. Let's see how!
S3 (Simple Storage Service):
• S3 is an object-based storage system which stores objects in buckets.
• It provides unlimited object storage, where each object can be 0 B to 5 TB in size.
Security and Encryption in S3:
• By default, all newly created buckets are PRIVATE.
• Access Control can be set by:
- Bucket Policy – bucket-level access control.
- Access Control Lists – object-level access control.
• S3 buckets can be configured to create access logs.
• Access logging records all requests made to the bucket.
• These logs can be sent to another bucket or even to a bucket on another account.
Encryption in Transit:
• Traffic to and from S3 uses the HTTPS protocol.
• Any traffic flowing over HTTPS is encrypted by SSL/TLS.
Encryption at Rest:
Encryption for data at rest can be done using 3 different kinds of server-side keys, or on the client side.
• S3 Managed Keys – SSE-S3
• AWS KMS Managed Keys – SSE-KMS
• Server-Side Encryption with customer provided keys – SSE-C
• Client-Side Encryption – files are encrypted at the client's end before being sent to S3
For more information about S3 and its security, see: https://aws.amazon.com/s3/security/#:~:text=Amazon%20S3%20offers%20flexible%20security,Private%20Cloud%20(Amazon%20VPC).
EBS (Elastic Block Store):
• It provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud.
• Each EBS volume is automatically replicated within its Availability Zone (AZ) to protect you from component failure, offering high availability and durability.
• Snapshots can be taken of each EBS volume. They are stored in S3.
• Snapshots are point-in-time copies of volumes. Think of a snapshot as a photograph of a disk.
• Snapshots are incremental – only the blocks that have changed since the last snapshot are moved to S3.
• AMIs can also be created from snapshots.
Encryption of EBS Volumes:
Encryption of EBS volumes can be done in two ways.
• EBS volumes can be encrypted at creation.
• They can also be encrypted after creation by following the steps below.
- Create a snapshot of the unencrypted root device.
- Create a copy of the snapshot and select the encrypt option.
- Create an AMI from the encrypted snapshot.
- Use the AMI to launch new encrypted instances.
For more information about EBS encryption, see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
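The four steps above automated with boto3-style EC2 client calls, as an added example that is not from the original post or from AWS: the volume ID, AMI name and device name /dev/xvda are placeholders, and `ec2` is any object exposing the boto3 EC2 client methods used here.

```python
def encrypt_root_volume(ec2, volume_id, region, image_name, kms_key_id=None):
    """Snapshot an unencrypted volume, copy it encrypted, register an AMI from the copy.
    `ec2` is a boto3 EC2 client (or any object with the same methods)."""
    # Step 1: snapshot the unencrypted root device and wait until it is complete.
    snap = ec2.create_snapshot(VolumeId=volume_id, Description=f"pre-encryption copy of {volume_id}")
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])
    # Step 2: copy the snapshot with the encrypt option (account default EBS key unless a KMS key is given).
    copy_args = {"SourceSnapshotId": snap["SnapshotId"], "SourceRegion": region, "Encrypted": True}
    if kms_key_id:
        copy_args["KmsKeyId"] = kms_key_id
    enc = ec2.copy_snapshot(**copy_args)
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc["SnapshotId"]])
    # Check the copy really is encrypted before building anything on top of it.
    desc = ec2.describe_snapshots(SnapshotIds=[enc["SnapshotId"]])["Snapshots"][0]
    if not desc.get("Encrypted"):
        raise RuntimeError(f"snapshot {enc['SnapshotId']} is not encrypted")
    # Step 3: register an AMI whose root device is the encrypted snapshot;
    # every instance launched from it (step 4) gets an encrypted root volume.
    ami = ec2.register_image(
        Name=image_name, Architecture="x86_64", VirtualizationType="hvm", RootDeviceName="/dev/xvda",
        BlockDeviceMappings=[{"DeviceName": "/dev/xvda",
                              "Ebs": {"SnapshotId": enc["SnapshotId"], "DeleteOnTermination": True}}],
    )
    return {"snapshot": snap["SnapshotId"], "encrypted_snapshot": enc["SnapshotId"], "ami": ami["ImageId"]}

if __name__ == "__main__":
    import boto3  # only needed when run against a real account
    client = boto3.client("ec2", region_name="us-east-1")
    # vol-0123456789abcdef0 is a placeholder; substitute the unencrypted root volume to convert.
    print(encrypt_root_volume(client, "vol-0123456789abcdef0", "us-east-1", "web-encrypted-root"))
```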
3) The DevOps team of a top Online Gaming Company wants to provide a secure and easy way for its users to log in to its site, without worrying about leakage of those login credentials.
Every customer wants their login credentials kept confidential. At the same time, they expect the login process to be simple and smooth.
AWS provides Web Identity Federation to meet this demand:
• It allows users to authenticate with a web identity provider (Google, Facebook, Amazon).
• The user authenticates first with the web ID provider and receives an authentication token, which is exchanged for temporary AWS credentials that allow them to assume an IAM role.
• Cognito is an identity broker that handles the interaction between your applications and the web ID provider.
- It provides sign-up, sign-in and guest user access.
- It syncs user data for a seamless experience across your devices.
• Cognito is the AWS-recommended approach for web ID federation, particularly for mobile apps.
For more information about Cognito, see: https://docs.aws.amazon.com/cognito/
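An added illustration (not AWS's or Cognito's own code) of what the broker checks before it exchanges the provider's token for temporary role credentials: the trust policy, the client ID and the token are constructed, and signature verification against the provider's published keys, which a real broker must do first, is left out.

```python
import base64, json, time

GOOGLE_CLIENT_ID = "123456789012-example.apps.googleusercontent.com"  # placeholder, not a real app

# Constructed trust policy of the role that federated users assume: only tokens that Google
# issued for this application (aud) may be exchanged for the role's temporary credentials.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "accounts.google.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"accounts.google.com:aud": GOOGLE_CLIENT_ID}},
}]}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_token(claims):
    """Build a JWT for offline use. The signature segment is left empty: a real provider
    signs the token, and the broker must verify that signature before reading any claim."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def id_token_claims(token):
    """Decode the claims segment of a JWT (signature verification is out of scope here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)     # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def may_assume_role(claims, policy, now=None):
    """Apply the trust policy to the token's claims: issuer, audience conditions and expiry."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:           # an expired token buys nothing
        return False
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        issuer = stmt["Principal"]["Federated"]
        if claims.get("iss") not in (issuer, "https://" + issuer):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        # a condition key "<provider>:<claim>" is compared against that claim in the token
        if all(claims.get(key.split(":", 1)[1]) == value for key, value in wanted.items()):
            return True
    return False
```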
4) The Site Reliability team at an Online Media company is concerned about the reliability of its servers whenever a news story goes viral on its website.
Automated, round-the-clock monitoring is one of the main advantages of cloud infrastructure. AWS provides CloudWatch and CloudTrail for monitoring the infrastructure.
CloudWatch:
• It is a monitoring service that monitors your AWS resources as well as applications running on AWS.
• CloudWatch can monitor:
1) Compute services such as:
a. EC2 Instances
b. Auto Scaling Groups
c. Elastic Load Balancers
d. Route 53 Health Checks
2) Storage & Content Delivery:
a. EBS Volumes
b. Storage Gateway
c. CloudFront
CloudWatch monitoring in EC2:
• CloudWatch monitors the following EC2 metrics:
- CPU
- Network
- Disk
- Status Check
• RAM utilization is a custom metric.
• CloudWatch collects EC2 metrics every 5 minutes by default.
• You can get a 1-minute interval by turning on detailed monitoring.
• You can create CloudWatch alarms that trigger notifications.
• You can retrieve data from terminated EC2 or ELB instances after their termination.
• CloudWatch logs are stored indefinitely by default.
• CloudWatch is not restricted to AWS resources; it can be used on premises as well.
• The user just needs to install the SSM agent and the CloudWatch agent on the server.
To learn more about CloudWatch, see: https://docs.aws.amazon.com/cloudwatch/index.html
CloudTrail:
• It increases visibility into your user and resource activity by recording AWS Management Console actions and API calls.
• You can identify which users and accounts called AWS, the source IP address from which the call was made, and when the call occurred.
For more about CloudTrail, see: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
CloudWatch is all about performance; CloudTrail is all about auditing.
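Detection logic over CloudTrail records, added here as an example that is not part of the original post: the records are constructed (CloudTrail's field names, made-up values) and the `10.` corporate address prefix is an assumption.

```python
import json

# Constructed CloudTrail records, using the field names the service emits; the values are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:02:11Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-03-01T10:05:40Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-01T10:06:02Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111111111111"},
     "sourceIPAddress": "10.0.0.12"},
    {"eventTime": "2024-03-01T10:07:55Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111111111111"},
     "sourceIPAddress": "10.0.0.12", "errorCode": "AccessDenied"},
]})

# Each check answers one audit question: was it destructive, was it root, was it refused?
CHECKS = (
    ("destructive-action", lambda r: r["eventName"].startswith(("Delete", "Terminate", "Deregister"))),
    ("root-activity", lambda r: r["userIdentity"]["type"] == "Root"),
    ("access-denied", lambda r: r.get("errorCode") == "AccessDenied"),
)

def load_records(trail_json):
    """CloudTrail delivers log files as JSON documents with a top-level 'Records' array."""
    return json.loads(trail_json)["Records"]

def actor(rec):
    """Who made the call: account ID plus IAM user name (or the identity type for root)."""
    ident = rec["userIdentity"]
    return f'{ident["accountId"]}:{ident.get("userName", ident["type"])}'

def triage(records, corporate_prefixes=("10.",)):
    """Return the records worth a look, each with who, what, from where and why it was flagged."""
    findings = []
    for rec in records:
        reasons = [label for label, check in CHECKS if check(rec)]
        if not rec["sourceIPAddress"].startswith(corporate_prefixes):
            reasons.append("external-ip")
        if reasons:
            findings.append({"time": rec["eventTime"], "actor": actor(rec), "event": rec["eventName"],
                             "ip": rec["sourceIPAddress"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_TRAIL)):
        print(f["time"], f["actor"], f["event"], f["ip"], ",".join(f["reasons"]))
```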
5) The leadership team at a large IT firm is concerned that its employees might have more privileges than required.
It is very important, especially in large companies, that employees always have the least privilege needed for AWS resources. The leadership team can use AWS Organizations for this in its AWS cloud infrastructure.
AWS Organizations:
• It centrally manages policies across multiple AWS accounts.
• It controls access to AWS services within these accounts using Service Control Policies (SCPs).
• It also automates AWS account creation and management.
• It consolidates billing across multiple AWS Accounts.
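An added example (not from the original post) serving scenario 1 and scenario 5 together: a simplified IAM/SCP evaluator showing that an explicit Deny beats any Allow, and that an SCP limits even an administrator inside a member account. The policies and bucket names are constructed; Condition elements, resource policies and permission boundaries are left out.

```python
import fnmatch

def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*' and '?') for Action and Resource strings."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:                       # action names are case-insensitive, ARNs are not
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Decide one policy document for a request: 'Deny', 'Allow' or 'ImplicitDeny'.
    Simplified: no Condition elements, resource policies or permission boundaries."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, fold_case=True) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"           # an explicit deny beats any allow
            decision = "Allow"
    return decision

def is_permitted(scp, identity_policy, action, resource):
    """A request in a member account succeeds only if the SCP and the identity policy both allow it."""
    return (evaluate(scp, action, resource) == "Allow"
            and evaluate(identity_policy, action, resource) == "Allow")

# Scenario 1: an employee may use S3 freely, but deleting from the critical bucket is explicitly denied.
EMPLOYEE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
     "Resource": ["arn:aws:s3:::orders-critical", "arn:aws:s3:::orders-critical/*"]},
]}
# Scenario 5: an SCP on the member account; even an administrator in that account cannot delete buckets.
GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    for who, pol in (("employee", EMPLOYEE_POLICY), ("admin", ADMIN_POLICY)):
        for act, res in (("s3:GetObject", "arn:aws:s3:::orders-critical/inv.csv"),
                         ("s3:DeleteObject", "arn:aws:s3:::orders-critical/inv.csv"),
                         ("s3:DeleteBucket", "arn:aws:s3:::orders-critical")):
            print(who, act, "->", is_permitted(GUARDRAIL_SCP, pol, act, res))
```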
Tagging and Resource Groups:
• Tagging every AWS resource is very important.
• Resource Groups are a way of grouping resources by their tags.
• You can use resource groups with AWS Systems Manager to automate tasks.
AWS Cost Explorer & Cost Allocation Tags:
• Cost Explorer is a tool that enables you to view and analyze your costs and usage.
• Use tags to tag your resources.
• Configure tags for cost centers (e.g., by department, employee ID, etc.)
• Activate cost allocation tags to track your cost by tags.
For more information about AWS Organizations, see: https://docs.aws.amazon.com/organizations/
This was an overview of security and a few of the many AWS services for security and infrastructure governance in AWS.