AMAZON WEB SERVICES (AWS) SERVICES OVERVIEW & SECURITY TIPS

MAGDA LILIA CHELLY (ENTREPRENEUR | CISO ADVISOR | CYBERFEMINIST | PEERLYST BRAND AMBASSADOR | TOP 50 CYBER INFLUENCER | @RESPONSIBLE CYBER)

Slide deck shared via Peerlyst, 58 slides, posted on 20-May-2020.

TRANSCRIPT

Page 1

AMAZON WEB SERVICES (AWS) SERVICES OVERVIEW & SECURITY TIPS

ENTREPRENEUR | CISO ADVISOR | CYBERFEMINIST | PEERLYST BRAND AMBASSADOR | TOP 50 CYBER INFLUENCER | @RESPONSIBLE CYBER

MAGDA LILIA CHELLY

Page 2

AGENDA

• AWS SERVICES OVERVIEW
• REGIONS & AVAILABILITY ZONES
• VIRTUAL PRIVATE CLOUD (VPC)
• ELASTIC COMPUTE CLOUD (EC2)
• AWS OBJECT STORAGE: S3, AND GLACIER
• IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
• CONTENT DELIVERY NETWORK (CDN)
• VERSIONING & ENCRYPTION

Page 3

AWS SERVICES OVERVIEW

Amazon Web Services offers on-demand cloud computing services to individuals, companies and governments, on a paid subscription, with an option available for 12 months.

(Figure: the three service layers, APPLICATION, PLATFORM and INFRASTRUCTURE.)

Page 4

AWS SERVICES OVERVIEW

Source: https://en.wikipedia.org/wiki/Cloud_computing#/media/File:Cloud_computing.svg

1. Infrastructure-as-a-service (IaaS): servers, virtual machines, storage, networks, etc. provided by the cloud provider and billed per usage.

2. Platform as a service (PaaS): access to a ready-made environment for developing, testing, delivering and managing software, billed per usage.

3. Software as a service (SaaS): access to applications over the Internet, for example Gmail or Office365, billed per usage.

Page 5

AWS SERVICES OVERVIEW

WHAT DO YOU NEED?

WHAT REGULATION IS YOUR BUSINESS SUBJECT TO?

WHAT IS YOUR RESPONSIBILITY?

WHERE DO YOU NEED THESE SERVICES?

Page 6

FIRST QUESTION - WHAT DO YOU NEED?

Page 7

WHAT DO YOU NEED?

Before starting the course and your implementation, it is very important to understand your choice, and what you and your business need in terms of architecture and approach.

• Infrastructure as a service (IaaS)
• Platform as a service (PaaS)
• Software as a service (SaaS)
• Private cloud
• Public cloud
• Hybrid cloud

Page 8

SECOND QUESTION - WHAT REGULATIONS IS YOUR BUSINESS SUBJECT TO?

Page 9

WHAT REGULATIONS IS YOUR BUSINESS SUBJECT TO?

AWS provides great support in terms of good practices and guidelines for business compliance with local regulations.

For Singapore, financial institutions are highly regulated by the Monetary Authority of Singapore (MAS). A publicly available document, the AWS User Guide to Financial Services Regulations & Guidelines in Singapore, supports the deployment and configuration of AWS services.

You can download the guide from the link:

https://d0.awsstatic.com/whitepapers/compliance/Financial_Services_Regulations_Guidelines_in_Singapore.pdf

Page 10

WHAT REGULATIONS IS YOUR BUSINESS SUBJECT TO?

AWS also features a list of access-controlled documents relevant to compliance and security, AWS Artifact. The list is easily accessible with an admin account, and you can download the corresponding document and follow its instructions.

https://console.aws.amazon.com/artifact

Page 11

THIRD QUESTION - WHAT IS YOUR RESPONSIBILITY?

Page 12

WHAT IS YOUR RESPONSIBILITY?

Source: https://d0.awsstatic.com/whitepapers/compliance/Financial_Services_Regulations_Guidelines_in_Singapore.pdf

Page 13

FOURTH QUESTION - WHERE DO YOU NEED THESE SERVICES?

Page 14

REGIONS & AVAILABILITY ZONES

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html

AWS services are hosted worldwide in several locations. These locations are composed of Regions and Availability Zones.

Region = one geographical area

Availability Zone = a separate location within a geographical area

Example (the region name, ap-south-1, is part of the service endpoint):

https://ec2.ap-south-1.amazonaws.com

Page 15

REGIONS & AVAILABILITY ZONES

https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services

Regions are an important consideration for AWS implementation and deployment. Your choices might vary depending on the region considered, as not all services are available consistently across regions.

Example: Glacier is not available in Singapore.

Page 16

REGIONS & AVAILABILITY ZONES

Use multiple availability zones (AZs) for redundancy!

Various service limits are enforced by Amazon. In some cases you can ask for a soft limit increase.

Page 17

AWS SERVICES OVERVIEW

YOU ARE AWESOMELY GETTING THERE … ☺

LET'S CHECK THE SECURITY TIPS

LET'S REMEMBER THE IMPORTANT BASICS

LET'S RECAP

Page 18

VIRTUAL PRIVATE CLOUD (VPC)

Page 19

AMAZON VIRTUAL PRIVATE CLOUD (VPC)

Amazon Virtual Private Cloud (VPC) – What is it?

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud. You can select your own IP address range, create subnets, and configure route tables and network gateways.

You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

Page 20

AMAZON VIRTUAL PRIVATE CLOUD (VPC)

This is an example of a simple architecture with the different services, including a VPC. Inside the VPC, we have two different subnets, a router, and an Internet Gateway.

Tip: Use a load balancer to balance between AZs.

It is definitely recommended to use a public subnet with an Internet Gateway for Internet access.

Page 21

AMAZON VIRTUAL PRIVATE CLOUD (VPC)

Default VPC and Custom VPC are the only two VPC forms available.

• A Default VPC is created when you create an AWS account.
• A Custom VPC is intended for advanced users.

Page 22

ELASTIC COMPUTE CLOUD (EC2)

Page 23

ELASTIC COMPUTE CLOUD (EC2)

Elastic Compute Cloud (EC2) – What is it?

EC2 is a web service that provides secure, resizable compute capacity in the cloud.

The different EC2 instance types provide various CPU, memory, storage and networking capacities.

An instance type can be changed if the instance has an Elastic Block Store (EBS) volume as its root device.

Example:

Instance Type | vCPU | Memory (GiB) | Storage (GB) | Networking Performance | Physical Processor | Clock Speed (GHz)
t2.nano       | 1    | 0.5          | EBS Only     | Low                    | Intel Xeon family  | up to 3.3
t2.micro      | 1    | 1            | EBS Only     | Low to Moderate        | Intel Xeon family  | up to 3.3

Page 24

ELASTIC COMPUTE CLOUD (EC2)

Amazon Elastic Block Store (Amazon EBS) – What is it?

Amazon Elastic Block Store (Amazon EBS) provides block storage volumes for Amazon EC2 instances. Data stored on an Amazon EBS volume can persist after instance termination, independently of the instance's life.

EBS has four types of storage:

• Provisioned IOPS SSD (io1)
• General Purpose SSD (gp2)
• Throughput Optimized HDD (st1)
• Cold HDD (sc1)

By contrast, you cannot detach an instance store volume and attach it to another instance.

Page 25

ELASTIC COMPUTE CLOUD (EC2)

Elastic Compute Cloud (EC2) – Some Tips

The "Enable termination protection" option protects an EC2 instance from accidental termination.

To enable termination protection for an instance at launch time:

• Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
• On the dashboard, choose Launch Instance and follow the directions in the wizard.
• On the Configure Instance Details page, select the Enable termination protection check box.

To enable termination protection for a running or stopped instance:

• Select the instance, choose Actions, Instance Settings, and then choose Change Termination Protection.
• Select Yes, Enable.

In addition, enable backups, and output data to another AWS service.

Page 26

ELASTIC COMPUTE CLOUD (EC2)

If you need to copy an EC2 instance to another region, you can create an Amazon Machine Image (AMI). The AMI can then be deployed there, as it represents a high-performance execution environment for applications running on EC2 and contains all the information needed to launch an instance.

EC2-Classic is an old configuration that is no longer available, although it is still supported for existing clients.

Page 27

ELASTIC COMPUTE CLOUD (EC2)

The most secure option to connect to instances in a private VPC subnet, which have no Internet connectivity, is a bastion host.

Bastion hosts are instances within your public subnet and are typically accessed using SSH or RDP. Once remote connectivity has been established with the bastion host, it behaves like a bridge, allowing you to use SSH or RDP to log in to other instances (within private subnets) in your network.

You can use the bastion as a bridge, together with security groups and NACLs, to access the other, private instances.

Page 28

ELASTIC COMPUTE CLOUD (EC2)

A placement group is a logical grouping of instances within a single Availability Zone, used to achieve high-performance computing with low-latency networking.

There is a soft limit of 20 instances per region. You can submit the limit increase form and retry the failed requests once approved.

You can use the curl or GET command to access the metadata for your instance, for example:

[ec2-user ~]$ curl http://169.254.169.254/latest/meta-data

or

[ec2-user ~]$ GET http://169.254.169.254/latest/meta-data

Page 29

AWS OBJECT STORAGE: S3, AND GLACIER

Page 30

AWS OBJECT STORAGE: S3, AND GLACIER

AWS provides various storage options – What are they?

Let's focus on the four below:

• Amazon S3 (Simple Storage Service): minimum object storage size is 0 B
• S3 Standard - Infrequent Access (Standard-IA): minimum object storage size is 128 KB
• Amazon S3 Reduced Redundancy Storage: minimum object storage size is 128 KB
• Glacier

Page 31

AWS OBJECT STORAGE: S3, AND GLACIER

AWS provides various storage options – Some Tips

AWS RRS provides the same functionality as AWS S3, but is cheaper. It is ideally suited for non-mission-critical applications, such as files which can be reproduced.

Example: storing image thumbnails is a good use case for AWS RRS.

AWS RRS is cheaper than AWS IA.

Page 32

AWS OBJECT STORAGE: S3, AND GLACIER

Key points to remember regarding an S3 bucket:

• S3 is object-based storage, for example for files, and not for operating systems. It can store files from 0 bytes to 5 TB.
• Bucket names are universal, and therefore need to be unique.
• An HTTP 200 code is the confirmation of a successful data upload.
• When you upload a new object, it is immediately available: read-after-write consistency.
• If you change or delete an object in the bucket, the change might not be visible immediately; it might take a few minutes: eventual consistency for overwrite PUTs and DELETEs.
• No partial or damaged/corrupted objects result from uploading, updating, or deleting.
• Encryption is enabled.

Page 33

AWS OBJECT STORAGE: S3, AND GLACIER

Implementing versioning and lifecycle rules is key to preventing data loss.

Accidental deletion of data from an S3 bucket can be avoided by:

• Enabling versioning
• Enabling MFA access

Page 34

AWS OBJECT STORAGE: S3, AND GLACIER

You can't have any dots in your bucket name if you use the bucket name as the subdomain of your URLs and want to use SSL for your bucket. This causes a certificate mismatch, because the AWS SSL certificate only covers *.s3.amazonaws.com.
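Why the dotted bucket name fails, as an added example written for this page (not AWS code): a TLS client compares the certificate name *.s3.amazonaws.com with the request hostname the way wildcard_matches does, so a bucket hostname carrying an extra label never matches. The bucket names are constructed.

```python
"""A certificate wildcard covers exactly one DNS label, so a bucket name with
a dot produces a virtual-hosted hostname that *.s3.amazonaws.com cannot match.
The helpers pick a URL form that avoids the mismatch."""

CERT_WILDCARD_NAME = "*.s3.amazonaws.com"   # the name the slide says the AWS certificate covers


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate name matches the hostname: labels compare
    case-insensitively, and a leading '*' stands for exactly one non-empty label."""
    cert_labels = cert_name.lower().split(".")
    host_labels = hostname.lower().split(".")
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    head, *rest = cert_labels
    if head == "*":
        return rest == host_labels[1:]
    return cert_labels == host_labels


def virtual_hosted_hostname(bucket: str) -> str:
    """Hostname used when the bucket name is the subdomain of the URL."""
    return f"{bucket}.s3.amazonaws.com"


def https_url(bucket: str, key: str) -> str:
    """Virtual-hosted URL when the wildcard certificate covers the bucket hostname,
    otherwise the path-style form, which stays under the certificate's own name."""
    host = virtual_hosted_hostname(bucket)
    if wildcard_matches(CERT_WILDCARD_NAME, host):
        return f"https://{host}/{key}"
    return f"https://s3.amazonaws.com/{bucket}/{key}"


if __name__ == "__main__":
    for name in ("my-app-logs", "logs.example.com"):   # constructed bucket names
        print(name, "->", https_url(name, "report.csv"))
```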

Versioning is required for replication in S3.

To list delete markers (and other versions of an object), you need to use the versions subresource in a GET Bucket versions request; a simple GET will not retrieve delete marker objects.
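The versioning behaviour of the last two slides (versioning against accidental deletion, delete markers that a simple GET hides but a GET Bucket versions listing shows), as an in-memory model. This is an added example written for this page, not AWS code; MFA Delete is modelled as a flag on the version-specific delete, and the keys and data are constructed.

```python
"""In-memory model of S3 versioning: a PUT adds a version, a DELETE without a
version ID only adds a delete marker (a plain GET then finds nothing, where S3
answers 404), listing versions shows the marker, and deleting the marker by its
version ID brings the object back. Permanent deletes need the MFA flag."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ObjectVersion:
    version_id: str
    body: Optional[bytes]          # None for a delete marker
    is_delete_marker: bool = False


class VersionedBucket:
    def __init__(self, mfa_delete: bool = False):
        self._versions: Dict[str, List[ObjectVersion]] = {}   # key -> oldest first
        self._ids = count(1)
        self.mfa_delete = mfa_delete

    def _next_id(self) -> str:
        return f"v{next(self._ids)}"

    def put(self, key: str, body: bytes) -> str:
        """Every upload becomes a new current version; nothing is overwritten."""
        vid = self._next_id()
        self._versions.setdefault(key, []).append(ObjectVersion(vid, body))
        return vid

    def get(self, key: str, version_id: Optional[str] = None) -> Optional[bytes]:
        """Simple GET returns the current version unless it is a delete marker;
        GET with a version ID reaches the older versions behind the marker."""
        versions = self._versions.get(key, [])
        if version_id is None:
            current = versions[-1] if versions else None
            return None if current is None or current.is_delete_marker else current.body
        for v in versions:
            if v.version_id == version_id and not v.is_delete_marker:
                return v.body
        return None

    def delete(self, key: str, version_id: Optional[str] = None,
               mfa_ok: bool = False) -> Optional[str]:
        """Simple DELETE inserts a delete marker and returns its ID. Deleting a
        specific version (or the marker itself) is permanent, and is refused when
        MFA Delete is enabled and no MFA code accompanied the request."""
        versions = self._versions.setdefault(key, [])
        if version_id is None:
            marker = ObjectVersion(self._next_id(), None, is_delete_marker=True)
            versions.append(marker)
            return marker.version_id
        if self.mfa_delete and not mfa_ok:
            raise PermissionError("MFA Delete is enabled: version-specific delete needs MFA")
        self._versions[key] = [v for v in versions if v.version_id != version_id]
        return None

    def list_versions(self, key: str) -> List[Tuple[str, bool]]:
        """GET Bucket versions: every version including delete markers, oldest first."""
        return [(v.version_id, v.is_delete_marker) for v in self._versions.get(key, [])]


def recover_after_accidental_delete() -> dict:
    """Walk through the slide's scenario on constructed data and return what was observed."""
    bucket = VersionedBucket(mfa_delete=True)
    v1 = bucket.put("reports/q1.csv", b"draft")
    v2 = bucket.put("reports/q1.csv", b"final")
    marker = bucket.delete("reports/q1.csv")              # accidental simple DELETE
    hidden = bucket.get("reports/q1.csv")                 # None: the marker is current
    listing = bucket.list_versions("reports/q1.csv")      # the marker is visible here
    try:
        bucket.delete("reports/q1.csv", marker)           # no MFA: refused
        refused = False
    except PermissionError:
        refused = True
    bucket.delete("reports/q1.csv", marker, mfa_ok=True)  # remove the marker itself
    return {"versions": (v1, v2), "marker": marker, "hidden": hidden,
            "listing": listing, "refused": refused,
            "restored": bucket.get("reports/q1.csv")}
```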

Page 35

AWS OBJECT STORAGE: S3, AND GLACIER

You can retrieve data faster from Glacier with:

Expedited retrievals, which give access to data in 1 – 5 minutes for a flat rate of $0.03 per GB retrieved,

or

Bulk retrievals, which give access to your data in approximately 5 – 12 hours for a flat rate of just $0.0025 per GB retrieved.

Cross-region replication has an additional cost (redundancy).

Page 36

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

Page 37

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

Identity and Access Management (IAM) – What is it?

Access control is one of the most important security controls to put in place, so let's review the important points below offered by AWS services.

You can define your Identity and Access Management rules, and create Security Groups to control and limit access to resources.

The Statement is the main element of an IAM policy and is mandatory. Elements such as Condition, Version and Id are not required.

Page 38

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

You will have:

• Centralised control of your AWS account (I recommend hardware MFA for the root account)
• Granular permissions
• Identity federation, including Active Directory
• Multi-factor authentication
• Password policies
• PCI DSS compliance

Every user gets an IAM account. Never log in to the master account.

Page 39

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

Identity and Access Management (IAM) – Some Tips

I highly encourage you to use a hardware MFA or a virtual MFA device for your access control, for example Google Authenticator.

https://aws.amazon.com/iam/details/mfa

Page 40

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

When you create a new user, a pair of access keys is generated if enabled. Make sure that you do not enable it if it is not necessary.

The access keys (users can have multiple API keys) will not allow a user to connect to the console, but will allow API access.

Page 41

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

AWS best practices advise a password length of 14 characters.

I recommend using at least 12 characters, complexity, password expiration, and no password reuse.

It is possible to create an AMI from a running instance ONLY if the "no reboot" option is checked.

Page 42

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

Security Group | Network ACL
Operates at the instance level (first layer of defense) | Operates at the subnet level (second layer of defense)
Supports allow rules only | Supports allow rules and deny rules
Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules
We evaluate all rules before deciding whether to allow traffic | We process rules in number order when deciding whether to allow traffic
Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it's associated with (backup layer of defense, so you don't have to rely on someone specifying the security group)

Another access control measure is Security Groups. This is in fact one of the main controls.

I highly recommend adding Network Access Control Lists as an additional layer of security.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html
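The evaluation differences in the table, simulated in code: an added example written for this page (not AWS code) in which the security group, the two NACLs, and every address, port and rule are constructed for the demonstration.

```python
"""Toy model of the two layers in the table: a security group (stateful, allow
rules only, every rule consulted) and a network ACL (stateless, numbered
allow/deny rules walked in order, implicit final deny)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = towards the instance, "out" = leaving it
    protocol: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self) -> "Packet":
        """The packet of the same flow travelling the other way."""
        return Packet("out" if self.direction == "in" else "in", self.protocol,
                      self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    protocol: str           # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str               # peer network: source for inbound rules, destination for outbound
    action: str = "allow"   # NACL rules may also be "deny"; security group rules never are
    number: int = 0         # NACL rule number; ignored by security groups

    def matches(self, pkt: Packet) -> bool:
        peer = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
        return (self.protocol in ("all", pkt.protocol)
                and self.port_from <= pkt.dst_port <= self.port_to
                and ip_address(peer) in ip_network(self.cidr))


@dataclass
class SecurityGroup:
    """Stateful: once a flow is allowed, its return traffic passes regardless of rules."""
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)
    flows: Set[Packet] = field(default_factory=set)   # connection-tracking table

    def allows(self, pkt: Packet) -> bool:
        if pkt.reply() in self.flows:
            return True
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(r.matches(pkt) for r in rules):   # every rule is considered; one match suffices
            self.flows.add(pkt)
            return True
        return False


@dataclass
class NetworkAcl:
    """Stateless: lowest rule number first, first match decides, '*' at the end denies."""
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)

    def allows(self, pkt: Packet) -> bool:
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.matches(pkt):
                return rule.action == "allow"
        return False


def ssh_verdicts() -> dict:
    """Push one SSH connection and its reply through each layer; return the verdicts."""
    ssh_in = Packet("in", "tcp", "203.0.113.5", 51000, "10.0.1.10", 22)
    # Security group with an inbound SSH rule and, deliberately, no outbound rule at all.
    sg = SecurityGroup(inbound=[Rule("tcp", 22, 22, "203.0.113.0/24")])
    # NACL whose deny rule 90 precedes the allow rule 100 for the same traffic, and whose
    # outbound rule forgets that replies go back to the client's ephemeral port.
    nacl_strict = NetworkAcl(
        inbound=[Rule("tcp", 22, 22, "203.0.113.0/24", "deny", 90),
                 Rule("tcp", 22, 22, "0.0.0.0/0", "allow", 100)],
        outbound=[Rule("tcp", 22, 22, "0.0.0.0/0", "allow", 100)])
    # NACL that allows SSH in and explicitly allows the ephemeral-port replies out.
    nacl_fixed = NetworkAcl(
        inbound=[Rule("tcp", 22, 22, "0.0.0.0/0", "allow", 100)],
        outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)])
    return {
        "sg_inbound": sg.allows(ssh_in),                          # True: the rule matches
        "sg_reply": sg.allows(ssh_in.reply()),                    # True: stateful, no outbound rule needed
        "nacl_strict_inbound": nacl_strict.allows(ssh_in),        # False: rule 90 denies before 100 allows
        "nacl_strict_reply": nacl_strict.allows(ssh_in.reply()),  # False: no ephemeral-port rule
        "nacl_fixed_inbound": nacl_fixed.allows(ssh_in),          # True
        "nacl_fixed_reply": nacl_fixed.allows(ssh_in.reply()),    # True: stateless, so it must be spelled out
    }
```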

Page 43

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

Outbound ports should be enabled on the NACL when an instance needs to be accessible by everyone, even if port 80 is allowed inbound.

The source/destination check should be disabled when a custom NAT instance is launched, even after configuring security groups and NACLs.

Instances need either a public IP or an Elastic IP to be able to reach the Internet. You can have one Elastic IP address associated with a running instance at no charge. You can also check the associated IP through the instance metadata.

For an instance in a public subnet to connect to the Internet through an Internet Gateway, a route should be created for 0.0.0.0/0 with your Internet Gateway as the target.

Page 44

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

A NAT gateway in the Failed state is automatically deleted after about an hour.

Ensure that you have different route tables for your private and your public subnets. If the table is the same, it will not route traffic to the Internet.

Use the tracert (Windows) or traceroute (Linux) command. ICMP packets are ignored.

Define all rules within a single aws_security_group_rules resource to refresh security group rules faster. (To be confirmed; feedback is welcome.)

Page 45

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

Here you can find a great example of the difference between ACLs and Security Groups.

Security groups: act as a firewall for Amazon EC2 instances.

Network access control lists (ACLs): act as a firewall for subnets.

Changes to Security Group rules are automatically applied after a short period.

Page 46

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

By default, security groups are configured as below:

• Allow no inbound traffic
• Allow all outbound traffic
• Allow instances associated with this security group to communicate with each other

You need to disable SSH access.

You can create an IAM role with two attached policies to delegate permission to access a resource: the permission policy grants the user the desired actions on the resource, and the trust policy indicates which trusted accounts are allowed to grant their users permission to assume the role.
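A structural lint for the two IAM policy points on these slides (the mandatory Statement element on slide 37, and the permission plus trust policy pair of a role here), as an added example written for this page; it is not AWS's own policy validator. The sample documents, the bucket name and the account ID 111122223333 are constructed placeholders.

```python
"""Checks an IAM policy document for the structure the slides describe: Statement
is the one mandatory element (Version, Id and Condition are optional), a permission
policy needs Resource, a trust policy needs Principal, and Allow statements are
flagged when they grant everything or trust every AWS account."""
import json
from typing import List


def _as_list(value) -> list:
    """IAM accepts a single string/dict or a list for Statement, Action, Resource, Principal.AWS."""
    return value if isinstance(value, list) else [value]


def check_policy(doc: dict, kind: str) -> List[str]:
    """Return findings for one policy document; kind is 'permission' or 'trust'."""
    if "Statement" not in doc:                 # the only required top-level element
        return ["missing Statement"]
    findings = []
    for i, stmt in enumerate(_as_list(doc["Statement"])):
        where = f"statement {i}"
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        if not any(k in stmt for k in ("Action", "NotAction")):
            findings.append(f"{where}: Action or NotAction is required")
        if kind == "permission" and not any(k in stmt for k in ("Resource", "NotResource")):
            findings.append(f"{where}: Resource or NotResource is required")
        if kind == "trust" and not any(k in stmt for k in ("Principal", "NotPrincipal")):
            findings.append(f"{where}: Principal or NotPrincipal is required")
        if effect != "Allow":
            continue
        # Least-privilege checks apply to Allow statements only.
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{where}: Allow * on * grants full access to the account")
        principal = stmt.get("Principal")
        if isinstance(principal, str):
            aws_principals = [principal]
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
        else:
            aws_principals = []
        if "*" in aws_principals:
            findings.append(f"{where}: Principal * lets any AWS account assume the role")
    return findings


def check_role(permission_policy: dict, trust_policy: dict) -> List[str]:
    """A role is only as tight as both of its policies, so lint them together."""
    return ([f"permission policy: {f}" for f in check_policy(permission_policy, "permission")]
            + [f"trust policy: {f}" for f in check_policy(trust_policy, "trust")])


# Constructed sample documents with a placeholder bucket name and account ID.
PERMISSION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}]
}""")
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                "Action": "sts:AssumeRole"}
}""")
OPEN_TRUST_POLICY = {"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                                   "Action": "sts:AssumeRole"}}
ADMIN_POLICY = {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}

if __name__ == "__main__":
    print("good role:", check_role(PERMISSION_POLICY, TRUST_POLICY))
    print("open trust:", check_policy(OPEN_TRUST_POLICY, "trust"))
    print("admin:", check_policy(ADMIN_POLICY, "permission"))
```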

Page 47

CONTENT DELIVERY NETWORK (CDN)

Page 48

CONTENT DELIVERY NETWORK (CDN)

Content Delivery Network – What is it?

Another critical service provided by AWS is the CDN, CloudFront. This service is critical when hosting a web application online. It delivers content by replicating commonly requested files (static content) across a globally distributed set of caching servers.

From my experience, I suggest analysing your business requirements, as you might need additional functionalities.

Amazon CloudFront doesn't have these features: purge all, instant purge, SPDY protocol support, real-time statistics, or CDN balancing technology.

Page 49

CONTENT DELIVERY NETWORK (CDN)

Page 50

VERSIONING & ENCRYPTION

Page 51

VERSIONING & ENCRYPTION

Encryption – What is it?

AWS offers various types of encryption:

At rest:

Server Side Encryption
• S3 Managed Keys – SSE-S3
• AWS Key Management Service – SSE-KMS
• Server Side Encryption with Customer Provided Keys – SSE-C

Client Side Encryption

Page 52

VERSIONING & ENCRYPTION

A new version of a file in an S3 bucket is considered an update, subject to eventual consistency. If you specify the version ID on the GET request, the new file is subject to read-after-write consistency.

With SSE-KMS you can have different objects stored with different keys in the same bucket. You then have two layers of security controls: the bucket and the objects.

Boot volume encryption on an EC2 instance has some known issues. Google is your friend :D !

Page 53

AWS DATABASES

Page 54

AWS DATABASE

If You Need | Consider Using | Product Type
A managed relational database in the cloud that you can launch in minutes with just a few clicks. | Amazon RDS | Relational Database
A fully managed MySQL and PostgreSQL-compatible relational database with 5X performance and enterprise level features. | Amazon Aurora | Relational Database
A managed NoSQL database that offers extremely fast performance, seamless scalability and reliability. | Amazon DynamoDB | NoSQL Database
A fast, fully managed, petabyte-scale data warehouse at less than a tenth the cost of traditional solutions. | Amazon Redshift | Data Warehouse
To deploy, operate, and scale an in-memory cache based on memcached or Redis in the cloud. | Amazon ElastiCache | In-Memory Cache
Help migrating your databases to AWS easily and inexpensively with zero downtime. | AWS Database Migration Service | Database Migration
To build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions. | Amazon Cloud Directory | Directory

Source: aws.com

Page 55

COMPLIANCE TESTING

If you would like to test your configuration against your compliance requirements and regulations, you can run the AWS script.

I recommend the local execution. It was very fast and easy.

AWS GitHub script to scan for CIS compliance

Page 57

MAGDA CHELLY, CYBERFEMINIST, CISSP

MAGDA LILIA CHELLY IS THE MANAGING DIRECTOR OF RESPONSIBLE CYBER BY DAY, AND A CYBER FEMINIST HACKER BY NIGHT. SHE SPEAKS FIVE LANGUAGES FLUENTLY, AND HAS A PHD IN TELECOMMUNICATION ENGINEERING WITH A SUBSEQUENT SPECIALIZATION IN CYBER SECURITY (CISSP).

"Your employees are your company's biggest asset yet equally represent your weakest link. Empower YOUR people to protect YOUR business with a trusted, value-adding and effective cyber-security provider"

Magda Chelly, CyberFeminist, CISSP

MAGDA WAS RECENTLY NOMINATED AS GLOBAL LEADER OF THE YEAR AT THE WOMEN IN IT AWARDS 2017, AND TOP 50 CYBER SECURITY INFLUENCER, GLOBALLY.

Page 58

THANK YOU!

PLEASE FEEL FREE TO ASK QUESTIONS OR SHARE YOUR TIPS