AWS Well-Architected Framework and Whitepapers

(I) Overview of AWS:

  • Cloud Computing: It's the on-demand delivery of IT resources and applications via the Internet with pay-as-you-go pricing. Cloud computing provides a simple way to access servers, storage, databases, and a broad set of application services over the Internet. Cloud computing providers such as AWS own and maintain the network-connected hardware required for these application services, while you provision and use what you need via a web application.
    • Types of Cloud Computing:
      • Infrastructure as a Service (IaaS): Infrastructure as a Service contains the basic building blocks for cloud IT and typically provides access to computers (virtual or on dedicated hardware), data storage space, and networking features. e.g. Amazon EC2, Windows Azure, Google Compute Engine, Rackspace.
      • Platform as a Service (PaaS): Platform as a Service removes the need for organizations to manage the underlying infrastructure (usually hardware and operating systems) and allows you to focus on the deployment and management of your applications. e.g. AWS RDS, Elastic Beanstalk, Windows Azure, Google App Engine
      • Software as a Service (SaaS): Software as a Service provides you with a completed product that is run and managed by the service provider. In most cases, people referring to Software as a Service are referring to end-user applications. e.g. Gmail, Microsoft Office 365, AWS DynamoDB and S3.
    • Cloud Deployment Models:
      • Cloud: A cloud-based application is fully deployed in the cloud and all parts of the application run in the cloud.
      • Hybrid: A hybrid deployment is a way to connect infrastructure and applications between cloud-based resources and existing on-premises resources.
      • On-premises (private cloud): Deploying resources on-premises, using virtualization and resource management tools, is sometimes called “private cloud”.
  • Advantages:
    • Trade capital expense for variable expense.
    • Benefit from massive economies of scale.
    • Stop guessing about capacity.
    • Increase speed and agility.
    • Stop spending money running and maintaining data centers.
    • Go global in minutes.
  • Security and Compliance:
    • State-of-the-art electronic surveillance and multi-factor access control systems.
    • Staffed 24/7 by security guards.
    • Access is authorized on a “least privilege basis”
    • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), SOC 2, SOC3
    • FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 27001, ISO 9001, ITAR, FIPS 140-2
    • HIPAA, Cloud Security Alliance (CSA), Motion Picture Association of America (MPAA)

(II) Overview of Security Process:

  • AWS Shared Security Responsibilities Model:
    • It describes what AWS is responsible for and what the customer is responsible for with respect to security. Amazon is responsible for securing the underlying infrastructure that supports the cloud (i.e., security of the cloud), and you are responsible for anything you put in the cloud or connect to the cloud (i.e., security in the cloud).
      • Infrastructure Services:
        • This includes AWS services like VPC, EC2, EBS and Auto Scaling.
        • Amazon is responsible for security of the cloud.
          • The Global Infrastructure (Regions, AZs, Edge Locations)
          • The Foundation Services (Compute, Storage, Database, Networking)
        • The customer is responsible for security in the cloud.
          • Customer Data
          • Platforms and Applications
          • OS and network configs (patching, security groups, network ACLs)
          • Customer IAM (password, access keys, permissions)
      • Container Services:
        • These include services like RDS, ECS and EMR.
        • AWS is responsible for:
          • The Global Infrastructure (Regions, AZs, Edge Locations)
          • The Foundation Services (Compute, Storage, Database, Networking)
          • Platforms and Applications
          • OS and network configs
        • The customer is responsible for:
          • Customer Data
          • Customer IAM (password, access keys, permissions)
      • Abstracted Services:
        • These include services like S3, DynamoDB and Lambda.
        • AWS is responsible for:
          • The Global Infrastructure (Regions, AZs, Edge Locations)
          • The Foundation Services (Compute, Storage, Database, Networking)
          • Platforms and Applications
          • OS and network configs
          • Network traffic protection
        • The customer is responsible for:
          • Customer IAM
          • Data in transit and client-side data
        • Additional Services:
          • Data encryption
          • Data integrity
  • AWS Security Responsibilities:
    • Amazon is responsible for protecting the Compute, Storage, Database, and Networking services and the Data Center facilities (i.e., Regions, Availability Zones, Edge Locations) that run all of the services in the AWS cloud.
    • AWS is also responsible for security configuration of its managed services such as RDS, DynamoDB, S3, Redshift, EMR, WorkSpaces.
  • Customer Security Responsibilities:
    • The customer is responsible for Customer Data, IAM, Platform, Applications, Operating System, Network & Firewall Configuration, Client- and Server-Side Data Encryption, and Network Traffic Protection.
    • IaaS services, such as VPC and EC2, are completely under your control and require you to perform all of the necessary security configuration and management tasks.
    • For managed services (RDS, S3, DynamoDB), AWS is responsible for patching, antivirus, etc.; however, you are responsible for account management and user access. It is recommended that MFA be implemented, that you connect to these services using SSL/TLS, and that API and user activity be logged using CloudTrail (a minimal sketch follows).
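A minimal boto3 sketch of that last recommendation, turning on API and user activity logging with CloudTrail. The trail name and S3 bucket are hypothetical, and the bucket is assumed to already exist with a policy that allows CloudTrail to write to it:

```python
import boto3

cloudtrail = boto3.client("cloudtrail", region_name="us-east-1")

# Create a trail that records API activity across all regions.
cloudtrail.create_trail(
    Name="account-activity-trail",       # hypothetical trail name
    S3BucketName="my-cloudtrail-logs",   # hypothetical, pre-existing bucket
    IsMultiRegionTrail=True,
)

# Trails do not record anything until logging is explicitly started.
cloudtrail.start_logging(Name="account-activity-trail")
```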
  • Storage Decommissioning:
    • When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.
    • AWS uses the techniques detailed in DoD 5220.22-M (the Department of Defense's "National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization") to destroy data as part of the decommissioning process.
    • All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
  • Network Security:
    • Transmission Protection: You can connect to AWS services using HTTP and HTTPS. AWS also offers Amazon VPC, which provides a private subnet within the AWS cloud, and the ability to use an IPsec VPN connection between your Amazon VPC and your on-premises data center.
    • Amazon Corporate Segregation: Logically, the AWS public cloud network is segregated from the Amazon corporate network by means of a complex set of network security segregation devices.
  • Network Monitoring and Protection:
    • It protects from:
      • DDoS (Distributed Denial of Service)
      • Man in the middle attacks (MITM)
      • Port scanning
      • Packet sniffing by other tenants
      • IP Spoofing: AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
    • Unauthorized port scans by AWS customers on their own or others' EC2 instances are a violation of the AWS Acceptable Use Policy. You must request permission from AWS in advance to conduct vulnerability scans on your own EC2 instances (t2.micro and t2.small instance types are not allowed), as required to meet your specific compliance requirements.
  • AWS Credentials:
    • Passwords: Used to log in to the AWS Management Console with the AWS root account or an IAM user account. AWS passwords must be 6 to 128 characters.
    • Multi-Factor Authentication (MFA): A six-digit, single-use code that is required in addition to your password to log in to your AWS root account or IAM user account.
    • Access Keys: Used to digitally sign programmatic requests to AWS APIs (via the AWS SDKs, CLI, or REST/Query APIs). An access key consists of an Access Key ID and a Secret Access Key (see the sketch after this list).
    • Key Pairs: Used for SSH login to EC2 instances and for CloudFront signed URLs. A key pair is required to connect to an EC2 instance launched from a public AMI. They are 1024-bit SSH-2 RSA keys. You can have AWS generate a key pair automatically when you launch an EC2 instance, or you can upload your own before launching the instance (also shown in the sketch below).
    • X.509 Certificates: Used for digitally signed SOAP requests to AWS APIs (e.g., for S3) and as SSL server certificates for HTTPS. You can have AWS create an X.509 certificate and private key, or you can upload your own certificate using the Security Credentials page.
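A minimal boto3 sketch of the two credential types used programmatically above: access keys (the SDK digitally signs every request with them) and EC2 key pairs. All names and key values are placeholders:

```python
import boto3

# Access keys: normally loaded from the environment or ~/.aws/credentials;
# shown inline here only to make the mechanism visible.
ec2 = boto3.client(
    "ec2",
    region_name="us-east-1",
    aws_access_key_id="AKIAEXAMPLEKEYID",            # placeholder
    aws_secret_access_key="exampleSecretAccessKey",  # placeholder
)

# Key pairs: ask AWS to generate an SSH key pair for EC2 logins.
# The private key material is returned exactly once, so save it now.
response = ec2.create_key_pair(KeyName="my-ssh-key")  # hypothetical name
with open("my-ssh-key.pem", "w") as f:
    f.write(response["KeyMaterial"])
```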
  • AWS Trusted Advisor: It analyzes your AWS environment and provides best-practice recommendations in the following five categories:
    • Security
    • Performance
    • Cost Optimization
    • Fault Tolerance
    • Service Limits
    • Available to all customers: access to seven core checks:
      • Security (security groups, IAM MFA on root account, EBS and RDS public snapshots)
      • Performance (service limits)
    • Available to Business and Enterprise support plans:
      • Access to full set of checks
      • Notifications (weekly updates)
      • Programmatic access (retrieve results from the AWS Support API; see the sketch after this list)
    • Trusted Advisor inspects your AWS environment and makes recommendations when opportunities may exist to save money, improve system performance or close security gaps.
    • It provides alerts on several of the most common security misconfigurations that can occur, including:
      • Not using MFA on your root AWS account.
      • Neglecting to create IAM accounts for your internal users
      • Allowing public access to S3 buckets
      • Leaving certain ports open that make you vulnerable to hacking and unauthorized access
      • Not turning on user activity logging (AWS CloudTrail)
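The programmatic access mentioned above goes through the AWS Support API, which requires a Business or Enterprise support plan and is only served from us-east-1. A minimal boto3 sketch that prints the status of every security check:

```python
import boto3

support = boto3.client("support", region_name="us-east-1")

# List all Trusted Advisor checks and fetch results for the security ones.
checks = support.describe_trusted_advisor_checks(language="en")["checks"]
for check in checks:
    if check["category"] == "security":
        result = support.describe_trusted_advisor_check_result(
            checkId=check["id"], language="en"
        )["result"]
        print(f'{check["name"]}: {result["status"]}')  # ok / warning / error
```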
  • Instance Isolation:
    • Different instances running on the same physical machines are isolated from each other via the Xen hypervisor. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance’s virtual interface.
    • All packets must pass through this layer, thus an instance's neighbors have no more access to that instance than any other host on the Internet, and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms.
    • Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically resets every block of storage used by the customers, so that one customer’s data is never unintentionally exposed to another.
    • In addition, memory allocated to guests is scrubbed (set to zero) by the hypervisor when it is deallocated from a guest. The memory is not returned to the pool of free memory available for new allocations until the scrubbing is complete.
  • Guest Operating System: Virtual instances are completely controlled by the customer. You have full root or administrative access over accounts, services and applications. AWS doesn’t have any access rights to your instances or the guest OS.
    • Encryption of sensitive data is generally a good security practice, and AWS provides the ability to encrypt EBS volumes and their snapshots with AES-256.
    • In order to do this efficiently and with low latency, the EBS encryption feature is only available on EC2's more powerful instance types (e.g., M3, C3, R3, G2). A minimal sketch of creating an encrypted volume follows.
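A minimal boto3 sketch of creating an encrypted volume; the region, Availability Zone, and size are assumptions:

```python
import boto3

ec2 = boto3.client("ec2", region_name="us-east-1")

# Create a 100 GiB volume whose data (and any snapshots taken from it)
# is encrypted at rest; EBS handles the key management transparently.
volume = ec2.create_volume(
    AvailabilityZone="us-east-1a",  # assumed AZ
    Size=100,
    VolumeType="gp2",
    Encrypted=True,
)
print(volume["VolumeId"])
```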
  • Firewall: AWS EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a default deny-all mode, and EC2 customers must explicitly open the ports needed to allow inbound traffic. All ingress traffic is blocked and all egress traffic is allowed by default (see the sketch below).
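A minimal boto3 sketch of explicitly opening an inbound port on that default deny-all firewall; the security group ID is hypothetical:

```python
import boto3

ec2 = boto3.client("ec2", region_name="us-east-1")

# Allow inbound HTTPS from anywhere; everything else stays blocked.
ec2.authorize_security_group_ingress(
    GroupId="sg-0123456789abcdef0",  # hypothetical security group
    IpPermissions=[{
        "IpProtocol": "tcp",
        "FromPort": 443,
        "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
    }],
)
```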
  • Elastic Load Balancing: SSL termination on the load balancer is supported. ELB also allows you to identify the originating IP address of a client connecting to your servers, whether you are using HTTPS (via the X-Forwarded-For header) or TCP (via Proxy Protocol) load balancing.
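A sketch of SSL termination, using the newer Application Load Balancer (elbv2) API for illustration; every ARN below is a placeholder:

```python
import boto3

elbv2 = boto3.client("elbv2", region_name="us-east-1")

# HTTPS listener: the load balancer terminates SSL/TLS using the given
# certificate, then forwards decrypted traffic to the target group.
elbv2.create_listener(
    LoadBalancerArn="arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-lb/abc123",
    Protocol="HTTPS",
    Port=443,
    Certificates=[{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example"}],
    DefaultActions=[{
        "Type": "forward",
        "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-tg/def456",
    }],
)
```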
  • Direct Connect: Bypass Internet service providers in your network path. You can procure rack space within the facility housing the AWS Direct Connect location and deploy your equipment nearby. Once deployed, you can connect this equipment to AWS Direct Connect using a cross-connect.
    • Using industry-standard 802.1Q VLANs, the dedicated connection can be partitioned into multiple virtual interfaces. This allows you to use the same connection to access public resources (e.g., S3 buckets) using public IPs, and private resources (e.g., EC2 instances in a VPC) using private IPs, while maintaining network separation between the public and private environments.
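A hedged boto3 sketch of carving a private 802.1Q virtual interface out of a Direct Connect connection; the connection ID, VLAN tag, BGP ASN, and virtual gateway ID are all assumptions:

```python
import boto3

dx = boto3.client("directconnect", region_name="us-east-1")

# Partition the dedicated connection: this VIF carries private-IP traffic
# to a VPC via its virtual private gateway, tagged with VLAN 101.
dx.create_private_virtual_interface(
    connectionId="dxcon-example",           # hypothetical connection ID
    newPrivateVirtualInterface={
        "virtualInterfaceName": "vpc-private-vif",
        "vlan": 101,                        # 802.1Q VLAN tag
        "asn": 65000,                       # your BGP ASN
        "virtualGatewayId": "vgw-example",  # hypothetical virtual gateway
    },
)
```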

(III) AWS Risk and Compliance:

  • Risk: AWS management has developed a strategic business plan which includes risk identification and the implementation of controls to mitigate or manage risks. AWS management re-evaluates the strategic business plan at least biannually.
    • This process requires management to identify risks within its areas of responsibility and to implement appropriate measures designed to address those risks.
    • AWS Security regularly scans all Internet-facing service endpoint IP addresses for vulnerabilities (these scans don't include customer instances). AWS Security notifies the appropriate parties to remediate any identified vulnerabilities. In addition, external vulnerability threat assessments are performed regularly by independent security firms.
    • Findings and recommendations resulting from these assessments are categorized and delivered to AWS leadership. These scans are done in a manner for the health and viability of the underlying AWS infrastructure and are not meant to replace the customer’s own vulnerability scans required to meet their specific compliance requirements.
    • Customers can request permission to conduct scans of their cloud infrastructure as long as they are limited to the customer’s own instances and don’t violate the AWS Acceptable Use Policy.

(IV) Storage Options in the AWS Cloud:

(V) Architecting for the AWS Cloud: Best Practices:

  • Business Benefits of Cloud:
    • Almost zero upfront infrastructure investment
    • Just-in-time Infrastructure
    • More efficient resource utilization
    • Usage-based costing
    • Reduced time to market
  • Technical Benefits of Cloud:
    • Automation – Scriptable infrastructure
    • Auto-scaling
    • Proactive scaling
    • More Efficient Development lifecycle
    • Improved Testability
    • Disaster Recovery and Business Continuity
    • Overflow the traffic to the cloud
  • Design For Failure:
    • Rule of thumb: Be a pessimist when designing architectures in the cloud, assume things will fail. In other words always design, implement and deploy for automated recovery from failure.
    • In particular, assume that your hardware or software will fail, outages will occur, some disaster will strike, and traffic will increase.
  • Decouple Your Components:
    • The key is to build components that don't have tight dependencies on each other, so that if one component were to die, sleep, or remain busy for some reason, the other components in the system are built so as to continue to work as if no failure is happening.
    • In essence, loose coupling isolates the various layers and components of your application so that each component interacts asynchronously with the others and treats them as a black box (see the sketch below).
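A minimal boto3 sketch of this pattern with SQS as the buffer between two components: the producer keeps working even if the consumer is down, and vice versa. The queue name and message body are hypothetical:

```python
import boto3

sqs = boto3.client("sqs", region_name="us-east-1")
queue_url = sqs.create_queue(QueueName="orders-queue")["QueueUrl"]

# Producer: fire and forget; no dependency on the consumer being alive.
sqs.send_message(QueueUrl=queue_url, MessageBody='{"order_id": 42}')

# Consumer: polls independently, on its own schedule.
response = sqs.receive_message(QueueUrl=queue_url, WaitTimeSeconds=10)
for msg in response.get("Messages", []):
    print(msg["Body"])
    # Deleting the message acknowledges successful processing.
    sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
```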
  • Implement Elasticity:
    • The cloud brings a new concept of elasticity to your applications. Elasticity can be implemented in three ways (see the sketch after this list):
      • Proactive Cyclic Scaling: Periodic scaling that occurs at a fixed interval (daily – during working hours, weekly – weekdays, monthly, quarterly).
      • Proactive Event-based Scaling: Scaling just when you are expecting a big surge of traffic requests due to a scheduled business event (new product launch, marketing campaigns, a Black Friday sale).
      • Auto-scaling based on demand: By using a monitoring service, your system can send triggers to take appropriate actions so that it scales up or down based on metrics (CPU utilization of servers or network I/O, for instance).
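A minimal boto3 sketch of the first and third patterns against a hypothetical Auto Scaling group named web-asg:

```python
import boto3

autoscaling = boto3.client("autoscaling", region_name="us-east-1")

# Proactive cyclic scaling: add capacity every weekday at 08:00 UTC.
autoscaling.put_scheduled_update_group_action(
    AutoScalingGroupName="web-asg",
    ScheduledActionName="scale-up-working-hours",
    Recurrence="0 8 * * 1-5",  # cron: weekdays at 08:00 UTC
    DesiredCapacity=10,
)

# Auto-scaling based on demand: keep average CPU utilization near 50%.
autoscaling.put_scaling_policy(
    AutoScalingGroupName="web-asg",
    PolicyName="cpu-target-tracking",
    PolicyType="TargetTrackingScaling",
    TargetTrackingConfiguration={
        "PredefinedMetricSpecification": {
            "PredefinedMetricType": "ASGAverageCPUUtilization"
        },
        "TargetValue": 50.0,
    },
)
```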

(VI) AWS Well-Architected Framework:

  • The Well-Architected Framework is a set of questions that you can use to evaluate how well your architecture is aligned to AWS best practices. It consists of five pillars: Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization.
  • General Design Principles:
    • Stop guessing your capacity needs.
    • Test systems at production scale.
    • Automate to make architectural experimentation easier.
    • Allow for evolutionary architectures.
    • Data-Driven architectures
    • Improve through game days (such as a simulated Black Friday)
  • (1) Operational Excellence: It includes the operational practices and procedures used to manage production workloads. In addition, it covers how planned changes are executed, as well as responses to unexpected operational events.
    • Design Principles:
      • Perform operations with code
      • Annotate documentation
      • Make frequent, small, reversible changes
      • Refine operations procedures frequently
      • Anticipate failure
      • Learn from operational failures
    • Best Practices:
      • Prepare: AWS Config and Config rules can be used to create standards for workloads and to determine if environments are compliant with those standards before being put into production (a sketch of a managed Config rule follows this pillar's best practices).
        • Operational Priorities
        • Design for Operations
        • Operational Readiness
      • Operate: CloudWatch allows you to monitor the operational health of a workload (an alarm sketch follows below).
        • Understanding Operational Health
        • Responding to Events
      • Evolve: Elasticsearch Service (Amazon ES) allows you to analyze your log data to gain actionable insight quickly and securely.
        • Learning from Experience
        • Share Learnings
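A minimal boto3 sketch tying the Prepare and Operate practices above to concrete APIs: an AWS Config managed rule that flags unencrypted EBS volumes, and a CloudWatch alarm on instance CPU. The alarm name, instance ID, and SNS topic ARN are assumptions:

```python
import boto3

config = boto3.client("config", region_name="us-east-1")
cloudwatch = boto3.client("cloudwatch", region_name="us-east-1")

# Prepare: enforce a standard ("EBS volumes must be encrypted") with an
# AWS-managed Config rule.
config.put_config_rule(
    ConfigRule={
        "ConfigRuleName": "encrypted-volumes",
        "Source": {"Owner": "AWS", "SourceIdentifier": "ENCRYPTED_VOLUMES"},
    }
)

# Operate: alarm when CPU stays above 80% for two 5-minute periods.
cloudwatch.put_metric_alarm(
    AlarmName="web-server-high-cpu",  # hypothetical alarm
    Namespace="AWS/EC2",
    MetricName="CPUUtilization",
    Dimensions=[{"Name": "InstanceId", "Value": "i-0123456789abcdef0"}],
    Statistic="Average",
    Period=300,
    EvaluationPeriods=2,
    Threshold=80.0,
    ComparisonOperator="GreaterThanThreshold",
    AlarmActions=["arn:aws:sns:us-east-1:123456789012:ops-alerts"],
)
```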
  • (2) Security: It includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
    • Design Principles:
      • Implement a strong identity foundation
      • Enable traceability
      • Apply security at all layers
      • Automate security best practices
      • Protect data in transit and at rest
      • Prepare for security events
    • Best Practices:
      • Identity and Access management
      • Detective Controls
      • Infrastructure Protection
      • Data Protection
      • Incident Response
  • (3) Reliability: It covers the ability of a system to recover from service or infrastructure outages/disruptions, as well as the ability to dynamically acquire computing resources to meet demand and mitigate disruptions such as misconfigurations or transient network issues.
    • Design Principles:
      • Test recovery procedures
      • Automatically recover from failure
      • Scale horizontally to increase aggregate system availability
      • Stop guessing capacity
      • Manage change in automation
    • Best Practices:
      • Foundations
      • Change Management
      • Failure Management
  • (4) Performance Efficiency: It focuses on how to use computing resources efficiently to meet your requirements and how to maintain that efficiency as demand changes and technology evolves.
    • Design Principles:
      • Democratize advanced technologies
      • Go global in minutes
      • Use serverless architectures
      • Experiment more often
      • Mechanical sympathy
    • Best Practices:
      • Selection
        • Compute
        • Storage
        • Database
        • Network
      • Review
      • Monitoring
      • Trade-Offs
  • (5) Cost Optimization: The Cost Optimization pillar includes the ability to avoid or eliminate unneeded cost or sub-optimal resources.
    • Design Principles:
      • Adopt a consumption model
      • Measure overall efficiency
      • Stop spending money on data center operations
      • Analyze and attribute expenditure
      • Use managed services to reduce cost of ownership
    • Best Practices:
      • Cost-Effective Resources:
        • Appropriately Provisioned
        • Right Sizing
        • Purchasing Options
        • Geographic Selection
        • Managed Services
      • Matching Supply and Demand:
        • Demand-Based
        • Buffer-Based
        • Time-Based
      • Expenditure Awareness:
        • Stakeholders
        • Visibility and Controls
        • Cost Attribution
        • Tagging
        • Entity Lifecycle Tracking
      • Optimizing Over Time:
        • Measure, Monitor, and Improve
        • Staying Ever Green