Michael Mullins Page 1
Lausanne Cloud MeetUp
Hosted by Digicomp Academy, Lausanne, Switzerland, 17th November 2016
Page 2
AWS Architecture & Security
Overview of a few important AWS services
Security features in selected AWS services
Discussion
Page 3
About AWS
In 2008 AWS began offering S3 and EC2 to customers
Opex versus Capex financial model
Agile and elastic
Secure & redundant
Multiple availability zones in each geography
38 availability zones in 14 regions
More coming online next year
Page 4
EC2 (Elastic Compute Cloud)
Virtualisation in the Cloud
Fast scale out (in minutes)
On demand (Dev and Test environments)
Reserved (Black Friday)
Spot prices (simulation jobs)
Instance sizes (T2, M4, C4 etc)
EBS (Elastic Block Store)
SSD / magnetic volumes attached to instances
In a single availability zone (AZ) & a single instance
Page 5
Elastic Load Balancing
Distribute load across EC2 instances
Uses hostname not public IP address
Provide fault-tolerance (health checks)
Auto-scaling
Classic Load Balancer (HTTP)
Application Load Balancer (multiple ports)
Security groups
Internal only or internet facing
Page 6
S3 Storage
Object storage ideal for flat files
Up to 1 Terabyte file size
Unlimited storage up to Petabytes
Files stored in S3 buckets
Key : Value
Metadata
Unique URL like http://s3.amazonaws.com/bucket/
Pay for what you use
Durable: 11 x 9's (99.999999999%) durability and 4 x 9's (99.99%) availability
Page 7
Other Storage Types
Glacier
Long term backup
Very low cost
Very infrequently accessed data
Elastic File System
Scalable block storage for EC2 compute
NFS v4 protocol (shared parallel access)
Replicated across availability zones
Page 8
AWS Databases
RDS (Microsoft, MySQL, Postgres, Oracle, MariaDB, Aurora)
DynamoDB (NoSQL – document or key value)
Elasticache (In memory data store & cache)
Redshift (Data Warehouse)
DMS (Database Migration Service)
Page 9
Identity Access Management (IAM)
Manage Users and their access privileges
Centralised access control
Identity federation to Active Directory, Facebook, etc.
Two-factor authentication
Set password policy
Policies (permission documents) applied to:
Users
Groups (with common permissions)
Roles (e.g. can access S3)
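The slide lists where policy documents attach but not how their statements combine. The following added example (not AWS code, and not from the deck) models the core IAM rule a practitioner relies on when reviewing a role such as "can access S3": an explicit Deny always wins, otherwise at least one matching Allow is needed, otherwise the request is implicitly denied. It also includes a small linter for the wildcard grants a reviewer should flag. The bucket name, ARNs and both policies are constructed.

```python
"""Toy model of how IAM policy statements combine (added example, not AWS code).

Real IAM evaluation also involves conditions, resource-based policies, SCPs and
session policies; this keeps the core rule: an explicit Deny always wins, otherwise
at least one matching Allow is needed, otherwise the request is implicitly denied.
"""
import fnmatch

# Hypothetical policy for a role that may read one bucket but never delete from it.
# 'example-bucket' is a constructed name.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}

# The kind of policy a reviewer should flag: every action on every resource.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM uses '*' as a wildcard inside Action and Resource strings."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one (action, resource) request."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"            # explicit Deny overrides any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def lint_wildcards(policy):
    """Indexes of Allow statements granting '*' (or 'service:*') actions or '*' resources."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        broad_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"]))
        broad_resource = "*" in _as_list(stmt["Resource"])
        if broad_action or broad_resource:
            findings.append(i)
    return findings


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        print(act, "->", evaluate(ROLE_POLICY, act, obj))
    print("wildcard findings:", lint_wildcards(OVERLY_BROAD_POLICY))
```

Attaching the first policy to a group gives every member the same read-only grant; attaching it to a role lets an EC2 instance or a federated user assume the same bounded access without long-lived keys. The linter is the check to run before either attachment.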
Page 10
VPC (Virtual Private Cloud)
Completely isolated virtual network environment
Private cloud subnets in single AZ
DMZ to private connections
Routing tables
Stepping stone hosts in DMZ
NAT instances & NAT gateways
Security groups (service port)
Network ACLs (source / destination addresses / services)
Public IP addresses & internet gateway
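The slide names security groups and network ACLs side by side; the difference that trips people up is that a security group is stateful while a network ACL is stateless and evaluated in rule-number order. The following added example (not AWS code, not from the deck) models those documented evaluation rules for a DMZ subnet and shows why a NACL needs its own outbound rule for reply traffic to the client's ephemeral port. The CIDRs, rule numbers and addresses are constructed.

```python
"""Toy model of a VPC security group (stateful) next to a network ACL (stateless).

Added example, not AWS code. It models the documented evaluation rules:
- A security group is an allow list; reply traffic for a connection it allowed is
  passed automatically, so no rule is needed for the client's ephemeral port.
- A network ACL is walked in ascending rule number, the first match decides, and
  the implicit '*' rule denies anything unmatched. It is stateless, so replies to
  an allowed inbound request need their own outbound rule (and vice versa).
"""
from ipaddress import ip_address, ip_network

# Constructed security group inbound rules: (protocol, from_port, to_port, source cidr)
WEB_SG_INBOUND = [
    ("tcp", 443, 443, "0.0.0.0/0"),
    ("tcp", 22, 22, "10.0.0.0/16"),      # admin SSH only from inside the VPC range
]

# Constructed network ACL for a DMZ subnet:
# (rule_number, direction, protocol, from_port, to_port, cidr, action)
DMZ_NACL = [
    (100, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (110, "inbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # replies to outbound calls
    (100, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # replies to inbound requests
    (110, "outbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# The same ACL with a lower-numbered deny for one source range (constructed),
# showing that rule order, not rule count, decides.
STRICT_NACL = [(90, "inbound", "tcp", 443, 443, "198.51.100.0/24", "deny")] + DMZ_NACL


def _in_cidr(ip, cidr):
    return ip_address(ip) in ip_network(cidr)


def sg_allows(rules, proto, dst_port, src_ip):
    """Inbound security group check: any matching rule permits the new connection."""
    return any(p == proto and lo <= dst_port <= hi and _in_cidr(src_ip, cidr)
               for p, lo, hi, cidr in rules)


def nacl_allows(rules, direction, proto, port, remote_ip):
    """Network ACL check: lowest-numbered matching rule decides; nothing matched means deny.

    'port' is the destination port of the packet: the service port for inbound
    traffic, the client's ephemeral port for outbound replies.
    """
    for num, d, p, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if d == direction and p == proto and lo <= port <= hi and _in_cidr(remote_ip, cidr):
            return action == "allow"
    return False                                 # the implicit '*' deny rule


def https_session_permitted(sg, nacl, client_ip, client_port):
    """Can a client complete an HTTPS request/reply exchange with a host in the subnet?"""
    request_ok = (sg_allows(sg, "tcp", 443, client_ip)
                  and nacl_allows(nacl, "inbound", "tcp", 443, client_ip))
    # Security group: the reply is implied by the allowed request. NACL: must match explicitly.
    reply_ok = nacl_allows(nacl, "outbound", "tcp", client_port, client_ip)
    return request_ok and reply_ok


def without_reply_rule(nacl):
    """The ACL with its outbound ephemeral-port rule removed, a common misconfiguration."""
    return [r for r in nacl if not (r[1] == "outbound" and r[3] == 1024)]


if __name__ == "__main__":
    print("full ACL:", https_session_permitted(WEB_SG_INBOUND, DMZ_NACL, "203.0.113.10", 51000))
    print("no reply rule:", https_session_permitted(
        WEB_SG_INBOUND, without_reply_rule(DMZ_NACL), "203.0.113.10", 51000))
```

The practical reading: use security groups for the per-instance service-port allow list the slide describes, and treat the network ACL as the subnet-level backstop for blocking address ranges, remembering that every NACL allow needs its mirror-image rule for the return path.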
Page 12
Route 53
AWS DNS hosting service
NS records for your domain are AWS hostnames
AWS alias not CNAME for Elastic Load Balancer hostnames
DNS routing policies
Simple
Weighted (A/B testing)
Latency (DNS resource records)
Failover (health checks)
Geolocation (where is the user)
Page 13
CloudFront CDN
Content Delivery Network
Geolocation of user & web server
Edge locations (over 50)
Distribution (collection of edge locations)
HTTP or RTSP
GET & PUT
Origin file in S3 bucket, EC2 instance or load balancer
DDoS protection
Page 14
AWS Web Application Firewall (WAF)
Protects against application layer attacks
OWASP top 10 (Open Web Application Security Project)
SQL injection
Cross site scripting (XSS)
Billed on number of rules and web hits
Better reporting of web usage
Increased control, source IP address, country etc
Recommended
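The WAF slide lists the conditions a rule can match (source IP address, country, request content) and notes that billing follows rule count and web hits. The following added example (not AWS WAF code, not from the deck) models that web ACL shape: ordered rules, each a match condition plus an allow/block/count action, where a count-mode rule records what it would have blocked so it can be tuned before enforcement. The IP ranges, country list, signatures and sample requests are all constructed.

```python
"""Toy web ACL: ordered rules, each a match condition plus an allow/block/count action.

Added example, not AWS WAF code. It mirrors the rule model the slide lists
(source IP, country and request-content conditions) and the count action, which
records what a rule *would* have blocked so it can be tuned before enforcement.
All IP ranges, countries, signatures and requests below are constructed sample data.
"""
import re
from ipaddress import ip_address, ip_network

BLOCKED_IP_SET = ["198.51.100.0/24"]       # constructed "known bad" range
ALLOWED_COUNTRIES = {"CH", "DE", "FR"}     # constructed geo allow list

# Deliberately small signatures; managed rule groups cover far more than this.
SQLI_PATTERN = re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'1'\s*=\s*'1|;\s*drop\s+table)")
XSS_PATTERN = re.compile(r"(?i)(<script\b|javascript:|onerror\s*=)")


def _ip_in_set(ip, cidrs):
    return any(ip_address(ip) in ip_network(c) for c in cidrs)


# Rules run by ascending priority. allow/block ends evaluation; count only records a hit.
RULES = [
    {"name": "block-known-bad-ips", "priority": 0, "action": "block",
     "match": lambda r: _ip_in_set(r["src_ip"], BLOCKED_IP_SET)},
    {"name": "geo-restrict", "priority": 1, "action": "block",
     "match": lambda r: r["country"] not in ALLOWED_COUNTRIES},
    {"name": "sqli", "priority": 2, "action": "block",
     "match": lambda r: bool(SQLI_PATTERN.search(r["query"] + " " + r["body"]))},
    {"name": "xss", "priority": 3, "action": "count",       # still in count mode while tuning
     "match": lambda r: bool(XSS_PATTERN.search(r["query"]))},
]


def evaluate(rules, request, default_action="allow"):
    """Return (final action, names of count-mode rules that matched) for one request."""
    counted = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if not rule["match"](request):
            continue
        if rule["action"] == "count":
            counted.append(rule["name"])
            continue
        return rule["action"], counted
    return default_action, counted


def tally(rules, requests):
    """Per-action totals plus how often each count-mode rule fired: the reporting view."""
    actions, counts = {}, {}
    for req in requests:
        action, counted = evaluate(rules, req)
        actions[action] = actions.get(action, 0) + 1
        for name in counted:
            counts[name] = counts.get(name, 0) + 1
    return actions, counts


# Constructed sample traffic.
SAMPLE_REQUESTS = [
    {"src_ip": "203.0.113.5", "country": "CH", "query": "page=2", "body": ""},
    {"src_ip": "198.51.100.9", "country": "CH", "query": "page=2", "body": ""},
    {"src_ip": "203.0.113.6", "country": "US", "query": "page=2", "body": ""},
    {"src_ip": "203.0.113.7", "country": "DE", "query": "id=1' OR '1'='1", "body": ""},
    {"src_ip": "203.0.113.8", "country": "FR", "query": "q=<script>alert(1)</script>", "body": ""},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["src_ip"], evaluate(RULES, req))
    print(tally(RULES, SAMPLE_REQUESTS))
```

Putting the cheap IP-set and country rules first means most unwanted traffic is decided before the more expensive content inspection runs, and the count-mode tally is the report to check before switching a new rule to block.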