
Cloud Computing 101

Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user.

Service Models

Cloud Characteristics

Shared Responsibility Model: the concept that AWS and the customer share responsibility for the security and compliance of Amazon Web Services. AWS takes on the burden of the operational controls associated with the physical infrastructure, so the customer can focus on securing and building at the software (logical) layer.

Cloud Actors

Deployment Models

- Identity Access Control
- Service Access Control
- Resource Access Control

Federation

Orchestration

Virtual Private Cloud (VPC): Core networking component in the AWS Cloud. It provides an isolated container for AWS services that resembles a traditional network. Fully realized in software, with subnets, routes and firewalls implementing router and switch functions to transport huge amounts of packets across AWS zones and in/out of the VPC. VPC also supports extended network services: Elastic IP Addresses, Elastic Network Interface, AWS Endpoint, Elastic Load Balancer, DNS Services (Route53), Internet Gateways.

VPC Best Practices:

- Choose the highest CIDR block
- Use unique IP addresses to support AWS services
- Leave the default VPC alone, including the main route table
- Design for region expansion
- Tier your subnets
- Design subnets according to the application stack (i.e. application tier, business tier, database tier)
- Spread across multiple availability zones for fault tolerance
- Keep subnets balanced with appropriate routing tables
- Keep most resources in the private subnet (insulation)
- Use an elastic load balancer in front of all outward-exposed services
- Use different VPCs for different use cases (no one catch-all VPC)
- Use Security Groups over NACLs
- IAM your VPC (least privilege)
- Leverage VPC peering
- Use Elastic IP instead of public IP
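Several of the practices above can be checked mechanically before a VPC is built. The following is an added example (my code, not from JDK Solutions or AWS) that lints a constructed VPC plan against four of them: every subnet inside the VPC CIDR, no overlapping subnets, only the tier that fronts the load balancer facing an internet gateway, and every tier spread over at least two availability zones. The Subnet and VPCPlan types, the tier names "web", "app" and "db", the RouteToIGW flag, and the GoodPlan/WeakPlan data are all assumptions made for the example; the rule that only the "web" tier may be public is my reading of "keep most resources in the private subnet" plus "use an elastic load balancer in front of all outward-exposed services".

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Subnet is one row of a constructed VPC plan. RouteToIGW records whether the
// subnet's route table sends 0.0.0.0/0 to an internet gateway (a public subnet).
type Subnet struct {
	Name, Tier, AZ, CIDR string // Tier is "web", "app" or "db" (assumed names)
	RouteToIGW           bool
}

type VPCPlan struct {
	CIDR    string
	Subnets []Subnet
}

// Lint checks a plan against four practices from the list above: subnets
// inside the VPC CIDR, no overlapping subnets, only the "web" tier (where the
// load balancer lives, an assumption) facing the internet, and every tier
// spread over at least two availability zones. One finding per violation;
// an empty result means the plan passed.
func Lint(p VPCPlan) []string {
	var findings []string
	vpc, err := netip.ParsePrefix(p.CIDR)
	if err != nil {
		return []string{"invalid VPC CIDR " + p.CIDR}
	}
	var names []string
	var pfxs []netip.Prefix
	azsByTier := map[string]map[string]bool{}
	for _, s := range p.Subnets {
		pfx, err := netip.ParsePrefix(s.CIDR)
		if err != nil {
			findings = append(findings, fmt.Sprintf("%s: invalid CIDR %q", s.Name, s.CIDR))
			continue
		}
		// A subnet must be at least as specific as the VPC and start inside it.
		if pfx.Bits() < vpc.Bits() || !vpc.Contains(pfx.Addr()) {
			findings = append(findings, fmt.Sprintf("%s: %s lies outside VPC %s", s.Name, s.CIDR, p.CIDR))
		}
		for i, o := range pfxs {
			if o.Overlaps(pfx) {
				findings = append(findings, fmt.Sprintf("%s: %s overlaps %s (%s)", s.Name, s.CIDR, names[i], o))
			}
		}
		names, pfxs = append(names, s.Name), append(pfxs, pfx)
		if s.RouteToIGW && s.Tier != "web" {
			findings = append(findings, fmt.Sprintf("%s: %s tier routes to an internet gateway; keep it private", s.Name, s.Tier))
		}
		if azsByTier[s.Tier] == nil {
			azsByTier[s.Tier] = map[string]bool{}
		}
		azsByTier[s.Tier][s.AZ] = true
	}
	tiers := make([]string, 0, len(azsByTier))
	for t := range azsByTier {
		tiers = append(tiers, t)
	}
	sort.Strings(tiers) // deterministic order of findings
	for _, t := range tiers {
		if len(azsByTier[t]) < 2 {
			findings = append(findings, fmt.Sprintf("%s tier sits in a single availability zone; spread it across at least two", t))
		}
	}
	return findings
}

// GoodPlan follows the practices; WeakPlan breaks three of them (public db
// subnet, db in one AZ, app-c overlapping app-a). Both are constructed data.
func GoodPlan() VPCPlan {
	return VPCPlan{CIDR: "10.0.0.0/16", Subnets: []Subnet{
		{"web-a", "web", "us-east-1a", "10.0.0.0/24", true},
		{"web-b", "web", "us-east-1b", "10.0.1.0/24", true},
		{"app-a", "app", "us-east-1a", "10.0.10.0/24", false},
		{"app-b", "app", "us-east-1b", "10.0.11.0/24", false},
		{"db-a", "db", "us-east-1a", "10.0.20.0/24", false},
		{"db-b", "db", "us-east-1b", "10.0.21.0/24", false},
	}}
}

func WeakPlan() VPCPlan {
	return VPCPlan{CIDR: "10.0.0.0/16", Subnets: []Subnet{
		{"web-a", "web", "us-east-1a", "10.0.0.0/24", true},
		{"web-b", "web", "us-east-1b", "10.0.1.0/24", true},
		{"app-a", "app", "us-east-1a", "10.0.10.0/24", false},
		{"app-b", "app", "us-east-1b", "10.0.11.0/24", false},
		{"app-c", "app", "us-east-1a", "10.0.10.128/25", false},
		{"db-a", "db", "us-east-1a", "10.0.20.0/24", true},
	}}
}

func main() {
	for name, plan := range map[string]VPCPlan{"good": GoodPlan(), "weak": WeakPlan()} {
		fmt.Printf("%s plan: %v\n", name, Lint(plan))
	}
}
```

The check runs on the plan, not on a live account, so it is cheap to put in front of the infrastructure-as-code pipeline that creates the VPC; the same rules could be fed from a parsed template instead of the hand-written literals used here.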

Amazon Machine Image

Simple Storage Service

Elastic Block Storage

Elastic Compute Cloud

Elastic IP: Public IPv4 static address associated with any one instance or network interface. When you need an IP address to persist you need to use Elastic IP addresses, as public addresses are recycled when the instance is shut down. An Elastic IP is portable and can be moved to another running instance.

Elastic Load Balancing: Provides a high-availability insulation layer for AWS resources by allowing a private subnet to be exposed through secure channels.

Identity and Access Management

- Groups
- Users
- Roles
- Policies

Secure Server Best Practices

- Least Access
- Least Privilege
- Configuration Management
- Change Management
- Audit Logs
- Network Access
- API Access
- Data Encryption

AWS Secure Communication Model (data in flight)

- Console
- CLI
- API

Data at Rest: the state of data while it persists in a storage medium.

Encryption fundamentals

Symmetric Encryption: Same key for encryption and decryption. Not viable where sender and receiver never meet (no way to get the key there).

Asymmetric Encryption: Different keys for encryption and decryption (public/private). Public encrypts, private decrypts.

Encryption: Conversion of plaintext into ciphertext where remnants of language (semantic patterns) are removed.

Decryption: Conversion from ciphertext back to plaintext.

Two-part process:

- Encryption Key: Unique value of variable length (longer is better)
- Algorithm (Cipher): Function that takes as input a plaintext string and a key and returns ciphertext

AWS does not use asymmetric encryption (performance).

AWS Encryption Envelope:

1. The AWS service generates a data key when the user requests data to be encrypted
2. This key is used, together with the encryption algorithm, to encrypt the data
3. Once the data is encrypted, the key is encrypted as well
4. Both key and data are stored in the AWS storage service

The process requires an independent master key (managed separately from the data and the data key) to encrypt the data key. The process is reversed for decryption.
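The envelope flow above, worked through as an added example (my code, not from JDK Solutions or AWS). AES-256-GCM from Go's standard library stands in for the AWS encryption algorithm, a random 32-byte slice stands in for the KMS master key, and the Envelope struct stands in for what the storage service keeps; the names seal, unseal, EnvelopeEncrypt and EnvelopeDecrypt are mine. It also illustrates the symmetric-key point from the encryption fundamentals: the same key seals and unseals, and because GCM authenticates, a wrong master key or a tampered blob fails with an error instead of decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the storage service keeps: the data ciphertext and the
// data key encrypted ("wrapped") under the master key. The plaintext data
// key is never stored.
type Envelope struct {
	WrappedKey []byte // data key sealed under the master key (nonce prepended)
	Ciphertext []byte // data sealed under the data key (nonce prepended)
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and prepends the random nonce so the
// result is a single self-describing byte string.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; GCM authentication makes a wrong key or a tampered
// blob return an error rather than garbage.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EnvelopeEncrypt follows the four steps above: (1) generate a fresh data
// key, (2) encrypt the data with it, (3) encrypt the data key under the
// master key, (4) return both for storage.
func EnvelopeEncrypt(masterKey, plaintext []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dataKey, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(masterKey, dataKey)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt reverses the process: unwrap the data key with the master
// key, then decrypt the data with the recovered data key.
func EnvelopeDecrypt(masterKey []byte, env Envelope) ([]byte, error) {
	dataKey, err := unseal(masterKey, env.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dataKey, env.Ciphertext)
}

func main() {
	// Constructed demo master key; in AWS it stays inside KMS and never leaves it.
	masterKey := make([]byte, 32)
	if _, err := rand.Read(masterKey); err != nil {
		panic(err)
	}
	env, err := EnvelopeEncrypt(masterKey, []byte("customer record 42"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: wrapped key %d bytes, ciphertext %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	pt, err := EnvelopeDecrypt(masterKey, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", pt)
}
```

The point of the separation is visible in EnvelopeDecrypt: nothing stored beside the data can decrypt it, because the only key on disk is itself sealed under a master key that lives elsewhere. Rotating the master key means re-wrapping the small data keys, not re-encrypting every object.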

AWS KMS (Key Management Service)

- Asymmetric Key Service
- Fully Managed
- Centralized key management
- Fully integrated with the AWS service suite
- Secure and compliant: SOC1, SOC2, SOC3, ISO-9001, PCI-DSS Level 1
