Amazon Elastic Compute Cloud (EC2)
Defined
web service providing secure & scalable compute capacity in the cloud
primary computing resource
eliminates the need to invest in hardware upfront
scale up or down
to handle changes in requirements or spikes in demand
reduces the need to forecast traffic
Features
different compute instances
Instance = a running copy of an AMI, ie: a virtual server in the cloud
for different use cases
small = economical ; large = high performance
pre-configured templates
Amazon Machine Images (AMIs)
package the bits needed for your server (O/S & added s/w)
various configs of CPU
for memory, storage & networking capacity for instances
called instance types
secure login info
for instances
using key pairs
AWS stores public key & you store private key
storage volumes for temporary data
data deleted when the instance is stopped, hibernated or terminated (or the underlying host fails)
called instance store volumes
persistent storage volumes
using Amazon Elastic Block Store (EBS)
called Amazon EBS volumes
multiple physical locations
for your resources (ie: instances & EBS vols)
called Regions and Availability Zones (A.Z)
firewall
you specify the protocols, ports & source IP ranges
that can reach your instances, via security groups
static ipv4 addresses
for dynamic cloud computing
called Elastic IP addresses
metadata
create & assign to your Amazon EC2 resources
called Tags
virtual networks
user created
logically isolated from the rest of the AWS cloud
called Virtual Private Cloud (VPC)
Related Services
instances and volumes can be provisioned directly from EC2
can provision EC2 resources using other services in AWS
Amazon EC2 Auto Scaling
= provisioning
AWS Elastic Beanstalk
= provisioning
AWS CloudFormation
= provisioning
AWS OpsWorks
= provisioning
Elastic Load Balancing
= automatically distribute incoming application traffic across multiple instances
Amazon CloudWatch
= monitor basic stats for instances & Amazon EBS vols
Amazon CloudWatch Events
= automate actions, eg: invoke a Lambda function when an EC2 instance starts
AWS CloudTrail
= record the calls made to the EC2 API for your account, including calls made via the AWS Management Console, command line tools & other services
Amazon Relational Database Service (RDS)
= managed relational database in the cloud
= handles database management tasks for you (ie: patching s/w, backing up, storing backups)
VM Import/Export
= import virtual machine images from your local environment into AWS & convert them to ready-to-use AMIs / instances
Accessing Amazon EC2
Amazon EC2 console = web based interface
access EC2 console via AWS Management Console
access via the Command Line Interface (CLI)
provides commands
for a broad set of AWS products
supported on Windows, Mac & Linux
start at the AWS Command Line Interface User Guide
commands at ec2 in the AWS CLI Command Reference
Windows PowerShell
provides commands for those who script in PowerShell
start at the AWS Tools for PowerShell User Guide
commands at the AWS Tools for PowerShell Cmdlet Reference
EC2 provides a Query API
requests are HTTP or HTTPS requests
using the HTTP verbs GET or POST
with a query parameter named 'Action'
every request must be signed (AWS Signature Version 4) with your access key; unsigned requests are rejected
more actions in the Amazon EC2 API Reference
AWS Libraries, sample code, tutorials = building apps using language specific APIs
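Added example of how a Query API request is authenticated (this is illustrative code written for these notes, not AWS's own tooling or SDK). An EC2 Query API call carries an AWS Signature Version 4 signature; the code below derives the per-day signing key and builds the Authorization header for Action=DescribeInstances using only the Python standard library. The access key and secret are the placeholder values AWS uses in its documentation (not real credentials); the API version, timestamp and endpoint host are assumptions chosen for illustration.

```python
"""Sign an EC2 Query API GET request with AWS Signature Version 4 (stdlib only)."""
import hashlib
import hmac
from urllib.parse import quote

# Placeholder credentials from the AWS documentation, not real keys (assumption).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# A GET has no body, so the payload hash is SHA-256 of the empty string.
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(params: dict) -> str:
    """RFC 3986-encode each name and value and sort by name, as SigV4 requires."""
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the date/region/service-scoped key: an HMAC chain rooted at 'AWS4' + secret.

    The long-term secret never signs a request directly; only this derived key does.
    """
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_get_request(params, host, region, amz_date, service="ec2",
                     access_key=ACCESS_KEY, secret_key=SECRET_KEY):
    """Return (canonical_request, string_to_sign, authorization_header) for a GET to '/'.

    amz_date is the ISO-8601 basic timestamp, eg: '20150830T123600Z'; it is both a
    signed header and the first component of the credential scope.
    """
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    headers = {"host": host, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        "GET", "/", canonical_query(params),
        canonical_headers, signed_headers, EMPTY_PAYLOAD_SHA256,
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        _sha256_hex(canonical_request.encode("utf-8")),
    ])
    key = signing_key(secret_key, date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return canonical_request, string_to_sign, authorization


def describe_instances_request(region="us-east-1", amz_date="20150830T123600Z"):
    """Build the signed GET for Action=DescribeInstances (API version 2016-11-15 assumed)."""
    params = {"Action": "DescribeInstances", "Version": "2016-11-15"}
    host = f"ec2.{region}.amazonaws.com"  # regional endpoint (assumption)
    canonical_request, string_to_sign, authorization = sign_get_request(
        params, host, region, amz_date)
    url = f"https://{host}/?{canonical_query(params)}"
    request_headers = {"Host": host, "X-Amz-Date": amz_date, "Authorization": authorization}
    return url, request_headers, canonical_request, string_to_sign


if __name__ == "__main__":
    url, hdrs, cr, sts = describe_instances_request()
    print(url)
    for k, v in hdrs.items():
        print(f"{k}: {v}")
```

Two properties worth noticing: the signature covers the timestamp and the region/service scope, so a captured request cannot be replayed against another service or after the server-side time window, and the derived key can be handed to a lower-trust component without exposing the long-term secret.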
Pricing Amazon EC2
On-Demand Instances
pay for the instances you use, billed by the second
no long-term commitments or upfront fees
Reserved Instances
low one-time upfront fee for an instance
reserved for a 1 or 3 year term
pay a significantly lower hourly rate
Spot Instances
request unused EC2 capacity
can lower cost significantly (but AWS can interrupt the instance when it needs the capacity back)
Amazon EC2 pricing = complete list of charges & specific prices for ec2
Cloud Economics Center = calc cost of sample provisioned environment
PCI DSS Compliance
Amazon EC2 supports the processing, storage & transmission of credit card data by a merchant or service provider
and is validated as compliant with the Payment Card Industry (PCI) Data Security Standard (DSS)
Instances and AMI's
Amazon Machine Image (AMI) = template with a software configuration: OS, application server and applications
launch an instance from an AMI (ie: a copy of the AMI running as a virtual server in the cloud)
can launch multiple instances from one AMI
instances run until stopped or until they fail; launch a new instance if one fails
Instances
virtual server in the cloud
its configuration at launch = copy of the AMI specified
instance type = determines the hardware of the host computer used for the instance
each instance type = different compute & memory capabilities
select an instance type based on the memory & compute power needed by the app or s/w you plan to run on the instance
for h/w specs see Amazon EC2 instance types
can use sudo to run commands that require root privileges
AWS account has a limit on the number of instances running
see limits & how to request an increase at 'How many instances can I run in Amazon EC2' (General FAQ)
Instance Storage
root device holds the image used to boot the instance
an instance can have local storage volumes = instance store volumes
after a volume is added & mapped to the instance it is available to mount & use
can configure instance store volumes at launch with a block device mapping (see Block Device Mapping)
data is lost if the instance fails or is terminated, so these volumes are best for temporary data
use a replication strategy across multiple instances for safety
OR store persistent data in Amazon S3 or Amazon EBS volumes (see Storage)
Security Best Practice
Use AWS Identity and Access Management (IAM) to control access to resources & instances
create IAM users & groups under your AWS account; assign security credentials to each; control each one's access to AWS resources & services
see Controlling access to Amazon EC2 resources
restrict access by only allowing trusted hosts or networks to reach ports on your instance
can create separate security groups for instances with different security requirements
can create a bastion security group that allows external logins; keep the remaining instances in a group that only allows logins from the bastion, not from outside
disable password-based logins for instances launched from your AMI; passwords can be found or cracked
see Disable password-based remote logins for root
for safely sharing AMIs see Shared AMIs
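Added example (written for these notes, not AWS code) covering the security-group firewall described under Features and the "trusted hosts only" / bastion advice above: an audit that walks security groups in the shape returned by the EC2 DescribeSecurityGroups API and flags any rule that exposes an administrative port (SSH, RDP, WinRM) or every port to 0.0.0.0/0 or ::/0. Rules whose source is another security group (the bastion pattern) are not flagged. The group IDs, CIDRs and group names are constructed sample data, and the list of "admin ports" is an assumption you would tune for your environment.

```python
"""Audit EC2 security group ingress rules for world-reachable admin ports."""
import ipaddress

# Ports where an "anywhere" source is almost never acceptable (assumption; extend as needed).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}

# Constructed sample in the shape of the EC2 DescribeSecurityGroups output.
# Group IDs, names and CIDRs are made up for this example.
SAMPLE_GROUPS = [
    {   # bastion: SSH only from a corporate range
        "GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {   # app tier: SSH only from the bastion group, HTTPS from anywhere
        "GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
    {   # legacy: RDP open to the world, and every TCP port open over IPv6
        "GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
        ],
    },
]


def is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, ie: any prefix of length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(perm: dict):
    """Return the (from, to) port range of a permission; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups):
    """Return one finding per (rule, world source) that exposes an admin port or all ports.

    Finding = (group_id, group_name, source_cidr, port_label).
    A rule sourced from another security group (UserIdGroupPairs) has no CIDR
    source, so the bastion pattern never produces a finding, whatever the port.
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [s for s in sources if is_world(s)]
            if not world:
                continue
            lo, hi = rule_ports(perm)
            if perm.get("IpProtocol") == "-1" or (lo, hi) == (0, 65535):
                label = "ALL PORTS"
            else:
                hits = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
                if not hits:
                    continue  # eg: 443 open to the world is expected for a web tier
                label = ",".join(hits)
            for src in world:
                findings.append((group["GroupId"], group["GroupName"], src, label))
    return findings


if __name__ == "__main__":
    for gid, name, src, label in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid} ({name}): {label} reachable from {src}")
```

Run against real data by feeding it the "SecurityGroups" list from `aws ec2 describe-security-groups`; the check deliberately ignores non-world CIDRs such as 10.0.0.0/8, so review those separately against your own trusted-network list.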
Stopped instance
= shutdown > stopped state
all EBS volumes remain attached; can start the instance later
not charged for instance usage while stopped (EBS volume storage is still charged)
if you change the instance type, you are charged at the new type's rate when it starts
can attach or detach EBS volumes while stopped
can create an AMI ; change kernel, RAM disk, instance type
Terminated instance
= shutdown > terminated state
root device volume deleted by default ; instance deleted
other attached EBS volumes preserved by default, as determined by each volume's 'DeleteOnTermination' attribute
can protect against accidental termination: set 'disableApiTermination' = true
AMIs
many published by AWS
contain software configs for public use
can create custom AMIs
categorised as 'backed by Amazon EBS'
= root device is an EBS volume created from an EBS snapshot
categorised as 'backed by instance store'
= root device is an instance store volume
created from a template stored in S3
Regions and Availability Zones
EC2 is hosted in many locations
locations are made up of Regions & Availability Zones (AZs)
EC2 allows you to place resources & instances in multiple locations
resources are not replicated across Regions unless you do so
Regions = completely independent
AZs = isolated from each other
AZs in one Region are connected via low-latency links
every resource is tied to a Region or to an AZ (see Resource locations)
Region
greatest fault tolerance & stability by isolating each Region
you only see resources tied to the Region you specified
when launching an instance, select an AMI in the same Region
if the AMI is in another Region, copy it to the Region specified (see Copying an AMI)
charge for data transfer between Regions (see Amazon EC2 pricing - Data Transfer)
Availability Zones
can select an AZ or have one chosen for you
distribute instances across AZs so that when one AZ fails, requests can be handled by instances in another AZ
can use an Elastic IP address to mask the failure of an instance by remapping the address to an instance in another AZ (see Elastic IP addresses)
AZ name = Region code followed by a letter identifier (eg: us-east-1a)
AZ names are mapped to physical AZs independently for each AWS account, so us-east-1a in one account may not be the same location as us-east-1a in another
to coordinate AZs across accounts, use the AZ ID = unique & consistent identifier for an AZ (eg: use1-az1 is an AZ ID in the us-east-1 Region and refers to the same location in every AWS account)
viewing AZ IDs lets you determine the location of resources in one account relative to resources in another
eg: a subnet shared with another account in the AZ with AZ ID use1-az2 is available to that account in its AZ whose AZ ID is also use1-az2
the AZ ID for each VPC & subnet is displayed in the Amazon VPC console (see Working with VPC sharing in the Amazon VPC User Guide)
your account determines the Regions available to you
an AWS account provides multiple Regions in which to launch your instances
see the table listing the Regions provided by an AWS account
some Regions must be enabled before use (see Managing AWS Regions in the AWS General Reference)
to list the Regions & AZs available to your account, use the Amazon EC2 console or CLI (see Describing your Regions & Availability Zones)
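Added example (written for these notes, not AWS code) of the AZ name / AZ ID point above: because each account gets its own random mapping of names to physical zones, the only safe way to say "put it in the same zone" across accounts is to join on ZoneId. The code takes `describe-availability-zones`-shaped data for two accounts (constructed sample data; the name-to-ID assignments are made up) and translates zone names, checks whether two names refer to the same physical AZ, and resolves where an owner's shared subnets land in a participant account.

```python
"""Resolve Availability Zone names across accounts via AZ IDs."""

# Constructed samples in the shape of the 'AvailabilityZones' list returned by
# `aws ec2 describe-availability-zones`, one per account. The ZoneName -> ZoneId
# assignments are invented for this example.
ACCOUNT_A_ZONES = [
    {"ZoneName": "us-east-1a", "ZoneId": "use1-az4", "State": "available"},
    {"ZoneName": "us-east-1b", "ZoneId": "use1-az6", "State": "available"},
    {"ZoneName": "us-east-1c", "ZoneId": "use1-az1", "State": "available"},
]
ACCOUNT_B_ZONES = [
    {"ZoneName": "us-east-1a", "ZoneId": "use1-az6", "State": "available"},
    {"ZoneName": "us-east-1b", "ZoneId": "use1-az1", "State": "available"},
    {"ZoneName": "us-east-1c", "ZoneId": "use1-az4", "State": "available"},
]


def name_to_id(zones):
    """Map this account's zone names to the account-independent zone IDs."""
    return {z["ZoneName"]: z["ZoneId"] for z in zones if z["State"] == "available"}


def id_to_name(zones):
    """Inverse mapping for one account: zone ID -> the name that account sees."""
    return {z["ZoneId"]: z["ZoneName"] for z in zones if z["State"] == "available"}


def translate_zone(zone_name, from_zones, to_zones):
    """Name of the same physical AZ in the target account (KeyError if not offered there)."""
    return id_to_name(to_zones)[name_to_id(from_zones)[zone_name]]


def same_physical_az(name_a, zones_a, name_b, zones_b):
    """True when the two account-local names resolve to one physical AZ."""
    return name_to_id(zones_a)[name_a] == name_to_id(zones_b)[name_b]


def subnet_placement_for_shared_vpc(owner_subnets, owner_zones, participant_zones):
    """For VPC sharing: which participant-side AZ name each owner subnet lives in.

    owner_subnets: list of {"SubnetId", "AvailabilityZone"} as the owner account sees them.
    """
    return {
        s["SubnetId"]: translate_zone(s["AvailabilityZone"], owner_zones, participant_zones)
        for s in owner_subnets
    }


if __name__ == "__main__":
    for name in name_to_id(ACCOUNT_A_ZONES):
        print(f"account A {name} == account B {translate_zone(name, ACCOUNT_A_ZONES, ACCOUNT_B_ZONES)}")
```

With the sample data, "us-east-1a" in account A is physically "us-east-1c" in account B, which is exactly the trap a cross-account placement or failover plan written in terms of zone names walks into.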