Limits
There are a number of default limits (service quotas) to be aware of when creating VPCs and security groups. Most of them are soft limits that can be raised through Service Quotas, but the defaults are:
VPC security groups per region = 2,500
Rules per security group = 120 (60 inbound and 60 outbound)
Security groups per network interface = 5
VPCs per region = 5; subnets per VPC = 200; route tables per VPC = 200
A VPC spans all of the Availability Zones in its region. If the Mumbai region has three Availability Zones, one VPC can hold subnets in each of them, and resources in those subnets can talk to each other across zones.
A subnet, however, lives in exactly one Availability Zone; one subnet cannot be created in two Availability Zones.
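The VPC-spans-zones, subnet-lives-in-one-zone rule is easiest to see when you carve a VPC CIDR into per-AZ subnets. The following is an added example, not code from the original post: it uses the standard-library ipaddress module to allocate one subnet per Availability Zone and then re-checks the plan (every subnet inside the VPC, no overlaps, one AZ each). The region, AZ names and CIDRs are made-up sample values; the /16 to /28 range and the five addresses AWS reserves in every subnet are AWS's documented rules.

```python
import ipaddress

# AWS reserves the first four addresses (network, VPC router, DNS, future use)
# and the last address (broadcast) of every subnet, so they are not usable.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, azs, new_prefix):
    """Carve the VPC CIDR into one subnet per Availability Zone.

    Returns a list of {"az", "cidr", "usable"} dicts, one per AZ, in order.
    Raises ValueError when the request violates VPC sizing rules.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("VPC CIDR must be between /16 and /28")
    if not 16 <= new_prefix <= 28 or new_prefix < vpc.prefixlen:
        raise ValueError("subnet prefix must be /16-/28 and no larger than the VPC")
    candidates = list(vpc.subnets(new_prefix=new_prefix))
    if len(candidates) < len(azs):
        raise ValueError(
            f"{vpc_cidr} only holds {len(candidates)} /{new_prefix} subnets, "
            f"but {len(azs)} AZs were requested")
    plan = []
    # One subnet maps to exactly one AZ; a VPC may contain subnets in every AZ.
    for az, net in zip(azs, candidates):
        plan.append({
            "az": az,
            "cidr": str(net),
            "usable": net.num_addresses - AWS_RESERVED_PER_SUBNET,
        })
    return plan


def check_plan(vpc_cidr, plan):
    """Re-verify a plan (e.g. one read back from Terraform state or the API).

    Returns (True, "ok") or (False, reason).
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = []
    for s in plan:
        net = ipaddress.ip_network(s["cidr"])
        if not net.subnet_of(vpc):
            return False, f"{s['cidr']} is outside {vpc_cidr}"
        if not s.get("az"):
            return False, f"{s['cidr']} is not assigned to an Availability Zone"
        nets.append(net)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False, f"{a} overlaps {b}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a /16 VPC in a three-AZ region, one /24 per AZ.
    plan = plan_subnets("10.0.0.0/16",
                        ["ap-south-1a", "ap-south-1b", "ap-south-1c"], 24)
    for s in plan:
        print(f"{s['az']}: {s['cidr']} ({s['usable']} usable addresses)")
    print(check_plan("10.0.0.0/16", plan))
```

Note that check_plan rejects a subnet that falls outside the VPC range or overlaps another, which is exactly what the AWS API would reject at CreateSubnet time; catching it in planning avoids a half-built network.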
EBS / EFS
The main difference between EBS and EFS is scope. An EBS volume is block storage (a virtual disk) that lives in a single Availability Zone and is attached to one EC2 instance at a time, while EFS is a regional NFS file system that many instances, spread across the Availability Zones of the region, can mount at the same time. Amazon S3 is neither: it is an object store, good at holding vast numbers of backups or user files. S3 is storage for the internet.
S3 is object-based storage: you cannot install or boot an operating system from it. S3 has a distributed architecture; each object is stored redundantly across at least three Availability Zones in the same region.
Data is stored in buckets. A bucket is a flat container of objects, not a folder: buckets cannot be nested (no bucket inside a bucket), but object keys may contain "/" and the console shows those prefixes as folders.
A single object can be up to 5 TB in size; a bucket itself has no size limit. Bucket ownership is non-transferable.
A bucket is created in one region. By default an account can have 100 buckets (adjustable).
Bucket names are globally unique, must be 3 to 63 characters, and cannot be changed after creation. Because the bucket name is part of the URL used to access the bucket, it must be DNS-compliant.
Each object is stored and retrieved by a unique key.
Lifecycle -- rules can move objects from S3 Standard to S3 IA to Glacier as they age, or expire them.
Website -- a bucket can host a static website.
Versioning -- can be enabled and suspended, but once enabled it cannot be turned off. It protects against accidental deletion and overwrites and can be used for data retention and archiving. Deleting an object in a versioned bucket only adds a delete marker; delete the delete marker and the previous version is restored.
Access control -- bucket policies and access control lists (ACLs) grant access; bucket permissions can be granted to other AWS accounts.
Replication -- a bucket cannot be moved to another region, but cross-region replication can copy its objects into a bucket in a different region.
Upload -- a single PUT can upload an object of up to 5 GB; larger objects must use multipart upload (recommended for anything over 100 MB), where every part except the last is at least 5 MB. Uploading parts in parallel is how you upload large files fast. A single copy operation likewise handles objects up to 5 GB; larger copies use multipart copy.
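Because a bucket name ends up in a hostname, S3 enforces DNS-style naming rules beyond the 3-63 character limit. The following is an added example, not code from the original post: a validator implementing AWS's documented rules for general-purpose bucket names (length, character set, alphanumeric ends, no adjacent periods, not an IPv4 address, no "xn--" prefix, no "-s3alias" suffix), plus a check for a caveat that bites in practice: a name containing dots is legal, but virtual-hosted-style HTTPS access (bucket.s3.amazonaws.com) then fails certificate validation because the wildcard certificate does not cover the extra label. The sample names at the bottom are constructed.

```python
import re

_ALLOWED_CHARS = re.compile(r"^[a-z0-9.-]+$")
_LOOKS_LIKE_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def bucket_name_problems(name):
    """Return the list of naming-rule violations for an S3 bucket name.

    An empty list means S3 will accept the name. Each rule is checked
    independently so a caller sees everything that is wrong at once.
    """
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if not _ALLOWED_CHARS.match(name):
        problems.append("only lowercase letters, digits, '.' and '-' are allowed")
    if not (name[:1].isalnum() and name[-1:].isalnum()):
        problems.append("must begin and end with a letter or digit")
    if ".." in name:
        problems.append("two adjacent periods are not allowed")
    if _LOOKS_LIKE_IPV4.match(name):
        problems.append("must not be formatted like an IPv4 address")
    if name.startswith("xn--"):
        problems.append("must not start with 'xn--'")
    if name.endswith("-s3alias"):
        problems.append("must not end with '-s3alias'")
    return problems


def is_valid_bucket_name(name):
    return not bucket_name_problems(name)


def tls_safe_bucket_name(name):
    """True if the name can be reached over HTTPS in virtual-hosted style.

    "my.bucket" becomes my.bucket.s3.amazonaws.com, which *.s3.amazonaws.com
    does not match, so clients either fail TLS or fall back to path style.
    """
    return is_valid_bucket_name(name) and "." not in name


if __name__ == "__main__":
    # Constructed sample names, not real buckets.
    for candidate in ["my-logs-bucket", "My_Bucket", "192.168.1.1",
                      "ab", "a..b", "-abc", "xn--abc", "my.bucket"]:
        problems = bucket_name_problems(candidate)
        verdict = "ok" if not problems else "; ".join(problems)
        tls = "" if tls_safe_bucket_name(candidate) else " (not HTTPS-safe in virtual-hosted style)"
        print(f"{candidate!r}: {verdict}{tls}")
```

Run this before creating buckets from automation; since names cannot be changed later, a rejected or dotted name is cheaper to catch here than after data has landed in it.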
Storage classes of Amazon S3. All classes support SSL/TLS for data in transit and encryption for data at rest. They differ in storage price, availability and retrieval: S3 Standard has no retrieval charge, while the infrequent-access and archive classes charge per GB retrieved.
Amazon S3 Standard -- for frequently accessed data. Storage cost is the highest, but access is the cheapest (no retrieval fee).
Amazon S3 Glacier Deep Archive -- for data accessed once or twice a year. Cheaper than Glacier. Designed for data retained for long periods (7-10 years or more); a standard retrieval takes around 12 hours.
Amazon S3 Glacier -- a secure, durable, low-cost storage class for data archiving. You choose the retrieval option (expedited, standard or bulk), trading retrieval speed against price.
Amazon S3 Standard-Infrequent Access (S3 IA) -- storage cost is much cheaper than Standard, but each retrieval is charged. Objects are billed at a minimum of 128 KB, and lifecycle rules do not transition objects smaller than 128 KB into IA. Availability 99.9%.
Amazon S3 One Zone-IA -- keeps data in a single Availability Zone instead of copying it across zones, so the data is lost if that zone is destroyed. About 20% cheaper than S3 IA. Availability 99.5%.
Amazon S3 Intelligent-Tiering -- S3 automatically moves each object between a frequent-access tier (priced like Standard) and an infrequent-access tier (priced like IA) based on how often the object is accessed, for a small per-object monitoring fee.
CloudFront – Content Delivery network
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment.
CloudFront is a global service.
Amazon CloudFront is a web service that speeds up the distribution of static and dynamic web content such as HTML, CSS and image files.
CloudFront delivers your content through a worldwide network of data centres called edge locations.
When a user requests content that you are serving with CloudFront, DNS resolution routes the request to the edge location that offers the lowest latency, so the content is delivered with the best possible performance. If the object is already cached at that edge it is returned immediately; otherwise CloudFront fetches it from your origin (an S3 bucket or an HTTP server) and caches it for later requests.
CloudFront can be accessed in the following ways: the AWS Management Console, the AWS SDKs, the CloudFront API and the AWS Command Line Interface.
What is a bastion host, and do I need one?
You may ask yourself, do I need a bastion host in my environment? If you require remote connectivity with your private instances over the public internet, the answer is yes!
Bastion hosts are instances that sit within your public subnet and are typically accessed using SSH or RDP. Once remote connectivity has been established with the bastion host, it then acts as a ‘jump’ server, allowing you to use SSH or RDP to log in to other instances (within private subnets) deeper within your VPC.
When properly configured through the use of security groups and NACL the bastion essentially acts as a bridge to your private instances via the internet.
This diagram shows connectivity flowing from an end user to resources on a private subnet through a bastion host:
Here are the basic steps for creating a bastion host for your AWS infrastructure:
1. Launch an EC2 instance as you normally would for any other instance.
2. Apply OS hardening as required.
3. Set up the appropriate security groups (SG).
4. Implement either SSH agent forwarding or ProxyJump (Linux connectivity) or Remote Desktop Gateway (Windows connectivity).
5. Deploy an AWS bastion host in each of the Availability Zones you’re using.
Security groups are essential for maintaining tight security. First, create an SG that will be used to allow bastion connectivity for your existing private instances. This SG should only accept SSH or RDP inbound requests from your bastion hosts across your Availability Zones (AZs); the cleanest way is to reference the bastion's security group ID as the source rather than its IP address. Apply this group to all of your private instances that require connectivity.
Next, create a security group to be applied to your bastion host. Inbound and outbound traffic must be restricted at the protocol and port level as much as possible. The inbound rule base should accept SSH or RDP connections only from specific IP addresses (usually those of your administrators). You definitely want to avoid allowing wide-open access (0.0.0.0/0 or ::/0). The outbound rules should again be restricted to SSH or RDP access to the private instances in your AWS infrastructure.
SSH connections authenticate with a public/private key pair (and on Windows the initial Administrator password for RDP is retrieved with the instance key pair). This does not pose a problem when you are connecting to your bastion host from your local machine, as you can keep the private key locally. However, once you have connected to your bastion host, logging in to your private instances from the bastion would require having their private keys on the bastion. As you will probably already know (and if not, then take careful note now), storing private keys on remote instances is not good security practice.
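The two rule sets described above, and a check that none of your existing groups already breaks the "no 0.0.0.0/0 on SSH/RDP" rule, as an added example that is not part of the original post. The builders produce rules in the IpPermissions shape that boto3's ec2.authorize_security_group_ingress accepts and that describe_security_groups returns, so the audit function can be pointed at real API output; here it runs over a constructed sample. The group IDs and CIDRs are made-up values.

```python
# Ports the bastion design cares about.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def bastion_ingress(admin_cidrs, ports=(22, 3389)):
    """Inbound rules for the bastion SG: admin ports only, from admin CIDRs only.

    Refuses to build a rule that would open an admin port to the whole internet.
    """
    for cidr in admin_cidrs:
        if cidr in ANYWHERE:
            raise ValueError(f"refusing to open ports {ports} to {cidr}")
    return [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [{"CidrIp": c, "Description": "admin access"} for c in admin_cidrs]}
        for p in ports
    ]


def private_ingress(bastion_sg_id, ports=(22, 3389)):
    """Inbound rules for private instances: admin ports only, only from the bastion SG.

    Referencing the bastion's group ID (UserIdGroupPairs) rather than its IP
    keeps working across AZs and when the bastion is replaced.
    """
    return [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "UserIdGroupPairs": [{"GroupId": bastion_sg_id}]}
        for p in ports
    ]


def _rule_covers_port(rule, port):
    # "-1" means all protocols/ports; describe_security_groups omits the port keys then.
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_world_open_admin_ports(security_groups):
    """Scan describe_security_groups()-style data.

    Returns (group_id, port, cidr) for every inbound rule that exposes
    SSH or RDP to 0.0.0.0/0 or ::/0.
    """
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])
            for port in ADMIN_PORTS:
                if _rule_covers_port(rule, port):
                    findings.extend((sg["GroupId"], port, c) for c in cidrs if c in ANYWHERE)
    return findings


# Constructed sample shaped like the "SecurityGroups" list from describe_security_groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0good", "IpPermissions": bastion_ingress(["203.0.113.10/32"])},
    {"GroupId": "sg-0priv", "IpPermissions": private_ingress("sg-0good")},
    {"GroupId": "sg-0all", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for gid, port, cidr in find_world_open_admin_ports(SAMPLE_GROUPS):
        print(f"{gid}: {ADMIN_PORTS[port]} (tcp/{port}) open to {cidr}")
```

The rules from bastion_ingress and private_ingress can be applied with boto3 (ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=...)) or with the CLI's aws ec2 authorize-security-group-ingress --ip-permissions. Note that the audit treats an all-protocols ("-1") rule as covering SSH and RDP, which is how the sg-0all sample gets flagged. For the key-handling problem in the last paragraph, prefer ProxyJump (ssh -J admin@bastion admin@10.0.2.15) over agent forwarding: the bastion only relays a TCP connection, your private key never leaves your workstation, and nothing on the bastion can borrow your agent.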
AWS 5-Pillars Architecture Framework
Security
Reliability
Performance efficiency
Cost optimization
Operational Excellence
Security
Data protection -- encrypt data in transit on ELB (TLS) and at rest with EBS, S3 and RDS encryption
Privilege management -- IAM, MFA
Infrastructure protection -- VPC, network ACLs and security groups (and, at the physical layer, controls such as CCTV that AWS operates in its data centres)
Detective controls -- AWS CloudTrail, AWS Config, Amazon CloudWatch
How do you encrypt and protect data at rest?
How do you encrypt and protect data in transit?
How do you protect access to and use of the root account credentials?
How do you define roles and responsibilities of system users to control human access to the management console and APIs?
How do you limit automated access (such as from applications, scripts or third-party tools or services) to resources?
How do you manage keys and credentials?
Physical controls (AWS's responsibility): RFID access controls, security staff, lockable cabinets, CCTV
What infrastructure protection exists at the VPC level?
How do you enforce network and host-level boundary protection?
How do you enforce AWS service-level protection?
How do you protect the integrity of the operating systems on EC2 instances?
How are you capturing and analyzing logs?
Reliability
Foundations -- IAM, VPC
Change management -- AWS CloudTrail
Failure management -- AWS CloudFormation