Cloud, The Hard Way

HELLO!I am Will BengtsonI love the cloudYou can find me at @__muscles

2

0.PREFACEThe Hard Way is Easier

3@__muscles

◈ Cover the basics◈ Build on them◈ Run free

THE HARD WAY IS EASIER

4@__muscles

1.INTRODUCTIONGetting started in the cloud

5@__muscles

◈ Challenges◈ Understand Datacenter vs. AWS

GETTING STARTED IN THE CLOUD

6@__muscles

◈ Dynamic environment◈ Huge scale◈ Diverse applications

CHALLENGES

7@__muscles

Datacenter◈ Firewall◈ RBAC◈ Cluster◈ Syslog◈ VLAN◈ Datacenter

DATACENTER VS AWS

AWS◈ Security Group◈ IAM◈ Auto Scaling Group◈ CloudWatch◈ VPC◈ Region / AZ

8@__muscles

MAPS

9@__muscles

MAPS

10@__muscles

2.EXERCISE 0Let’s get to the root of things

11@__muscles

◈ First AWS account◈ Highest level of access◈ Sensitive

ROOT ACCOUNT

12@__muscles

◈ Break glass superuser◈ S3 Bucket ACL

USE CASES OF ROOT

13@__muscles

THROW AWAY THE KEY14@__muscles

3.EXERCISE 1Auditing - CloudTrail

15@__muscles

CLOUDTRAIL◈ Logs AWS API activity

◆ Like a credit card statement

◈ AWS API transactions◆ Who / When / What (Call) / Which (Resource)

16@__muscles

17

EXAMPLE: HOW TO CLOUDTRAIL

@__muscles

4.EXERCISE 2Identity and Access Management (IAM)

18@__muscles

◈ Users◈ Groups◈ Roles◈ Policies

IDENTITY AND ACCESS MANAGEMENT (IAM)

19@__muscles

◈ Can log into the console◈ Credentials are static◈ Avoid if you can

IAM USERS

20@__muscles

◈ Used to provide similar permissions to users◈ Think of them like AD groups

IAM GROUPS

21@__muscles

◈ Preferred method for operating in AWS◈ Similar to users, but credentials are

temporary◈ Used throughout all services within AWS◈ Single Sign-On (SSO)

IAM ROLES

22@__muscles

◈ Permissions that can be applied to anything◈ Managed Policies◈ Inline policies

POLICIES

23@__muscles

Works EVERYWHERE!24@__muscles

{

"Version": "2012-10-17",

"Statement": [

{

"Action": [

"s3:GetObject"

],

"Effect": "Allow",

"Resource": "arn:aws:s3:::sans-sj"

}

]}

25@__muscles

5.EXERCISE 3Simple Storage Service (S3)

26@__muscles

◈ It is like a folder on the internet◈ Can be used to store your data on AWS◈ Cheap

S3

27@__muscles

◈ Buckets◆ Globally unique◆ Can make files (objects) public

◈ Objects◆ Contain data and metadata◆ Can be public even though bucket is not!

S3

28@__muscles

6.EXERCISE 4Base AMI

29@__muscles

◈ Immutability◆ No SSH◆ Config change == new build

◈ Every application has the same base layer◆ Logging◆ Security◆ Secrets Management

BASE AMI

30@__muscles

7.EXERCISE 5Lambda

31@__muscles

◈ Someone else’s container◈ Highly scalable◈ Pay for what you use◈ Multiple languages

◆ Bring your own runtime

Lambda A.K.A Serverless

32@__muscles

◈ Deploy in VPC◈ Configurable memory and runtime

◆ More memory ~= more power◈ Easy to get started◈ Be careful with versions

Lambda A.K.A Serverless

33@__muscles

8.TOOLSSome awesome open source

34@__muscles

35

STREAMALERT

@__muscles

36

REPOKID

@__muscles

CLOUD INQUISITOR

37@__muscles

CLOUD CUSTODIAN

38@__muscles

39

THANKS!Any questions?@__muscles