You are on page 1of 116

Module 1: Knowledge Check

Knowledge Check

What is the Cloud?


Knowledge Check

How does AWS cloud computing differ


from traditional IT infrastructure?
Knowledge Check

There are 3 main methods of


interacting with AWS. Can you list
them? Which method is most
commonly used by individuals new to
AWS?
Knowledge Check

What is an AWS Region?


Knowledge Check

What are regions made of?


Knowledge Check

Where can you get the latest


information on the number of regions
and Availability Zones within AWS?
Knowledge Check

Where does AWS responsibility for


security end and yours begin?
Knowledge Check

Why would you use a security group?


Can you give an example of how
multiple security groups would work
together?
Knowledge Check

How do you extend your on-premise


network into AWS?
Knowledge Check

What type of storage system is S3?


Knowledge Check

How do different EC2 instance types


differ?
Knowledge Check

There are three ways you can pay for


EC2 instances. Can you name them?
Knowledge Check

How many providers of Amazon


Machine Image (AMIs) are there? Can
you name them?
Knowledge Check

Why would you choose EBS over


instance storage?
Knowledge Check

Why would you want to scale out your


application, instead of scaling up?
Knowledge Check

Why should you avoid using your AWS


Master Account?
Knowledge Check

What is the difference between a


CloudFormation template and a
CloudFormation stack?
Knowledge Check

What advantages does a


CloudFormation template have over a
traditional network diagram?
Knowledge Check

Where you can you go to find a variety


of CloudFormation templates that you
can try out?
Knowledge Check

How can you keep track of your


applications metrics in AWS? What
types of metrics are available to you?
Module 2: Architecting in the Cloud
Topics

• Five benefits of the cloud


• Seven best practices for building systems with
AWS
Topics

• Five benefits of the cloud


• Seven best practices for building systems with
AWS
What makes the cloud attractive?

• Abstract Resources
– Focus on your needs, not hardware specs. As needs change, so
should your resources
• On-Demand Provisioning
– Ask for what you need, exactly when you need it; get rid of it
when you do not
• Scalability in Minutes
– Scale out or in, up or down, depending on usage or needs
What makes the cloud attractive? (continue)

• Pay Per Consumption


– No long-term commitments. Pay only for what you use
• Efficiency of Experts
– Utilize the skills, knowledge and resources of experts
Topics

• Five benefits of the cloud


• Seven best practices for building systems
with AWS
Seven best practices for building system with AWS

• Design for failure and nothing fails


• Loose coupling sets you free
• Implement elasticity
• Build security in every layer
• Don’t fear constraints
• Think parallel
• Leverage different storage options
Seven best practices for building system with AWS

“Everything fails, all the time”


Werner Vogels, CTO, Amazon.com
Seven best practices: Design for failure

• Avoid single points of failure


• Assume everything fails and design backwards
– Goal: Applications should continue to function even if the
underlying physical hardware fails or is removed/replaced.
Seven best practices: Design for failure (continue)
Seven best practices: Loose coupling

• Design architectures with independent


components
– The more loosely they are coupled, the bigger they scale
• Design every component as a black box
• Load balance clusters
• Use a queue to pass messages between
components
Loose coupling: Load balance the cluster
Loose couping: Use a queue to pass messages
Seven best practices: Implement elasticity

• Elasticity is a fundamental property of the cloud


• Do not assume the health, availability, or fixed
location of components
• Use designs that are resilient to reboot and
re-launch
• Bootstrap your instances
– When an instance launches, it should ask: “Who am I and What is
my role?”
• Favor dynamic configuration
Seven best practices: Implement elasticity

• Elasticity is a fundamental property of the cloud


• Do not assume the health, availability, or fixed
location of components
• Use designs that are resilient to reboot and
re-launch
• Bootstrap your instances
– When an instance launches, it should ask: “Who am I and What is
my role?”
• Favor dynamic configuration
Seven best practices: Build security in every layer

• Security is a shared responsibility. You decide


how to:
– Encrypt data in transit and at rest
– Enforce principle of least privilege
– Create distinct, restricted Security Groups for each application
role
• Restrict external access via these security groups
– Use multi-factor authentication
Seven best practices: Do not fear constraints

• Need more RAM?


– Consider distributing load across machines or a shared cache
• Need better IOPS for databases?
– Instead, consider multiple read replicas, sharding, or DB
clustering
• Hardware failed or configuration got corrupted?
– “Rip and replace” – Simply toss bad instances and instantiate
replacement
Seven best practices: Think parallel

• Experiment with parallel architectures


Seven best practices: Think parallel (continue)
Seven best practices: Leverage many storage options

• One size does not fit all


– Object storage
– Content delivery network/edge caching
– Block storage
– Relational database
– NoSQL
Module review

• What are the benefits cloud services offer?


• List the seven AWS best practices
Module 3: Security and Compliance
Before we start….
• Identify the correct statements:
Security and patching Penetration testing is a Data on block storage
of the operating system violation of the AWS devices (ephemeral
and the application is Terms of Service. storage and EBS) is
the responsibility of the encrypted by default.
customer.
Port scanning is AWS is PCI DSS Level 1 Each AWS Region has
performed by AWS to certified, but customers at least one Disaster
check for vulnerabilities are responsible for Recovery Availability
in your application. managing PCI compliance Zone.
and certification for their
own applications.
Topics

• The shared responsibility security model


• AWS role in security
• Your role in security
• Securing networks with Security Groups
Topics

• The shared responsibility security model


• AWS role in security
• Your role in security
• Securing networks with Security Groups
The shared responsibility security model
The shared responsibility security model
Topics

• The shared responsibility security model


• AWS role in security
• Your role in security
• Securing networks with Security Groups
AWS role in Shared Responsibility Security Model

• AWS • Customer
– Facilities
– Operating system
– Physical Security
– Application
• Physical infrastructure
– Security groups
• Network infrastructure
– OS Firewalls
– Virtualization infrastructure
– Network configuration
– Third-Party Attestations,
Reports, and Certifications – Account Management
for the above – Certifying your applications
AWS US Regions
AWS Global Regions
Physical Security

• Controlled, need-based access


– All access is logged and reviewed
– Multi-factor authentication
• Separation of Duties
– Employees with physical access do not have logical access
• 24 x 7 security guards
Network Security

• Distributed Denial of Service (DDoS)


– Standard mitigation techniques in effect
• Man in the Middle (MITM)
– All API endpoints protected by SSL
• IP Spoofing
– Prohibited at host OS level
• Unauthorized Port Scanning
– Violation of TOS
– Detected, stopped, and blocked
• Packet Sniffing
– Promiscuous mode ineffective
– Protection at hypervisor level
Storage Device Decommissioning

• Uses techniques from:


– DoD 5220.22-M (“National Industrial Security Program Operating
Manual”)
– NIST 800-88 (“Guidelines for Media Sanitization”)
• Ultimately, all devices are:
– Degaussed
– Physically destroyed
Virtual Memory and Local Disk Space

• Proprietary disk management prevents one


instance from reading disk contents of another
• Disk is wiped upon creation
• Disks can be encrypted by customer
AWS Third-Party Attestations, Report, and
Certifications
• AWS Environment
– Service Organization Controls(SOC) Reports
• SOC 1 Type II (SSAE 16/ISAE 3402/formerly SAS70)
• SOC 2 Type II
• SOC 3
– Payment Cart Industry Data Security Standard (PCI DSS) Level 1
Certification
– ISO 27001 Certification
– FedRAMPSM
– DIACAP and FISMA
– ITAR
– FIPS 140-2
AWS Third-Party Attestations, Report, and
Certifications(continue)
• Customers have deployed various compliant
applications:
– Sarbanes-Oxley (SOX)
– HIPAA (healthcare)
– FedRAMPSM (US Public Sector)
– FISMA (US Public Sector)
– ITAR (US Public Sector)
– DIACAP MAC III Sensitive IATO
Topics

• The shared responsibility security model


• AWS role in security
• Your role in security
• Securing networks with Security Groups
Your role in Shared Responsibility Security Model

• AWS
– Facilities
• Customer
– Physical Security – Operating system
• Physical infrastructure – Application
• Network infrastructure – Security groups
– Virtualization – OS Firewalls
infrastructure
– Network configuration
– Third-Party Attestations,
Reports, and – Account Management
Certifications for the – Certifying your
above applications
Account Management

• Master (root) account has root/admin-level access


• Multiple accounts may be created to isolate
resources
• Account may be isolated by:
– Environment (dev, test, prod)
– Major System
– Line of business/function
– Customer
– Risk level
AWS account management by enviroment
Identity and Access Management
Operating system security

• Guest (instance) operating system


– Customer controlled (customer owns root/admin)
– AWS admins cannot log in ← Why not?
• EC2 Key Pairs
– You (and only you) have the private half of the key
– You (and only you) can:
• SSH to the instance (Linux)
• Decrypt the Administrator password (Windows)
Operating system security

• You still need to patch


– Most traditional tools will work
– Emerging options
• Chef(www.opscode.com/chef)
• Puppet(www.pupetlabs.com)
• Fabric/Cuisine(www.fabfile.org)
• Capistrano(https://github.com/capistrano/capistrano/wiki)
• Amazon OpsWorks(https://aws.amazon.com/opsworks)
Your Data

• Protect privacy and enforce your policies with data


encryption
• Encrypt data in transit
– (SSL/TLS)
• Encrypt data at rest
– Consider encrypted file systems for sensitive data
– Encrypt objects before storing them
– Encrypt records before writing in database
• EBS and Ephemeral volumes can be encrypted
• Variety of options
– EncFS, Loop-AES, dm-Crypt, TrueCrypt, etc….
Encryption: File Systems

• Managing encryption keys


– Study key management capabilities of encryption product(s) you
choose
– Establish a procedure that minimizes possibility of losing keys
– AWS CloudHSM
• Securely generate, store and manage cryptographic keys used for
data encryption
• Dedicated SafeNet Luna SA
Use Multiple Security Layers

• Security Groups (EC2, VPC, RDS, ElastiCache,


Redshift)
• Bastion Host
• Host-based Firewalls*
• IDS*
Topics

• The shared responsibility security model


• AWS role in security
• Your role in security
• Securing networks with Security Groups
Network Security: Security Groups

• Control inbound traffic


– VPC groups can also control outbound
• Apply many Security Group to one instance
• Default group: no access
• Several services use Security Groups
– EC2
– VPC(more advanced features)
– RDS
– ElastiCache
– Redshift
Network Security: Security Groups(continue)

• When defining inbound rules, specify source by:


– CIDR address
• 0.0.0.0/0 for Internet, 10.0.0.0/16 for EC2 private, and so on
– Security Group Name
• Restrict access to other EC2 instances in the specified security
group
CIDR Notation: An Overview

• CIDR notation is useful for expressing a range of IP


address
• Consider this IP(v4) address:

• Each number can have a decimal value between 0


to 255
• Each number is a single byte(8 bits)
CIDR Notation: An Overview

• What if you wanted to express a firewall rule that


allowed traffic from any address in the last octet?

– Specify the first valid number in the range. If we want to allow all
values in the last octet, the first allowable value is 0

– In this case, we want to freeze the first 3 octets: 3 octets == 3 bytes


== 24 bits. Therefore → 216.173.122.0/24
CIDR Notation: A few more examples

• Match an exact address


– 216.173.122.34 216.173.122.34/32
• Match any address
– *.*.*.* 0.0.0.0/0
Security Groups Example: Web Server Instance(1 of
3)
• Design a security group for Apache web servers
in your application’s web tier
Security Groups Example: Web Server Instance (2 of
3)
Security Groups Example: Web Server Instance (3 of
3)
Security Groups Example: Multi-tier Security Group
Activity
Most security best practices still apply in the Cloud

• Secure coding standards


• Perform penetration testing
– http://aws.amazon.com/security/penetration-testing
• Antivirus where appropriate
• Intrusion Detection
– Host-based Intrusion Detection (such as OSSEC)
• Log events
• Role-based access control
– AWS Identity & Access Management
– LDAP and/or Active Directory for Operating System & Applications
Module review

• What are the five main layers of security for


cloud architecture?
• What security model is used with AWS services
• What areas of security is AWS responsible for?
• What areas of security are you, the customer,
responsible for?
Appendix
Activity---Identify Security Mechanisms

• Consider the architecture for a scalable web


application. How do you secure it? Address the
following aspects of security:
– Physical
– Network
– Data(in transit and at rest)
– Operating system
– Security credential management
– Logging
Activity --- Identify Security Mechanisms
Activity --- Identify Security Mechanisms
Module 4: Amazon VPC
Topics

• What is Amazon VPC?


• Subnets, gateways, and routes
• Advanced Features
Topics

• What is Amazon VPC?


• Subnets, gateways, and routes
• Advanced Features
What is Amazon VPC?
Topics

• What is Amazon VPC?


• Subnets, gateways, and routes
• Advanced Features
Subnets, Gateways and routes

• Select an AWS region for your VPC


Subnets, Gateways and routes

• Specify the size of our network with a CIDR


block
Subnets, Gateways and routes

• Create subnets inside the VPC


– Subnets do not span Availability Zones
Subnets, Gateways and routes

• Attach gateway devices to network


Subnets, Gateways and routes

• VPN Gateway(VGW) allows subnet(s) to route


to on-premises network over IPSEC VPN
Subnets, Gateways and routes

• Define custom routing rule(s) for each subnet


Subnets, Gateways and routes

• Private subnet with IPSEC VPN to corporate


datacenter via VGW
Subnets, Gateways and routes

• Public subnet with inbound/outbound Internet


connectivity via IGW
Subnets, Gateways and routes
Subnets, Gateways and routes

• Network Access Control Lists allow or deny


traffic entering or existing the subnet
Topics

• What is Amazon VPC?


• Subnets, gateways, and routes
• Advanced Features
Security Groups
Network Access Control List
Elastic Network Interface (ENI)
Attach multiple ENI to an instance
EC2 instance termination
New EC2 instance
Load Balancing: External Elastic Load Balancing
(ELB)
Load Balancing: Mid-tier ELB
Load Balancing: Intranet-facing ELB
Module review

• True or False? In VPC, you can assign multiple


IP address and attach multiple ENIs and EIPs to
EC2 instances
• True or False? Private subnet can span across
multiple Availability Zone
• Describe how you can integrate ELB into your
VPC
Appendix
Appendix