S3 - Security & Encryption

  December 09, 2018 Editor   No comments


  • By default, all newly created buckets are private.
  • You can setup access control to you buckets by using:
    • Bucket policies.
    • Access Control Lists.
  • S3 buckets can be configured to create access logs which log all the requests made to the S3 bucket. This can be done to another bucket.
  • In Transit Encryption:
    • SSL/TLS
  • At Rest Encryption:
  • Server Side Encryption:
    • SSE-S3: S3 Managed Keys
    • SSE-KMS: AWS Key Management Service, managed keys.
    • SSE-C: With Customer provided keys.
  • Client Side Encryption.

AWS - Elastic Container Service (ECS)

  December 09, 2018 Editor   No comments


  • ECS allows you to manage Docker containers on a cluster of EC2 instances.
  • Containers are lightweight OS virtualizations that allow you to run applications and its dependencies in resource isolated processes.
  • Containers are created from read-only templates called images.
  • Images are stored in public or private registries like Docker Hub or AWS Elastic Container Registry (ECR).
  • A task definition is required to run Docker containers in AWS ECS
  • Task definitions are JSON files that describe one or more containers that are part of your application.
  • Task definitions contain configurations such as Image to use, CPU, RAM, launch type, logging, IAM roles etc.
  • ECS Service allows you to run and maintain a specified number of task instances in an ECS cluster.
  • Services work like Autoscaling groups in EC2.
  • ECS Cluster is a logical grouping of containers.
  • Clusters can contain multiple different container types.
  • Clusters are region specific.
  • Container instances can only be part of one cluster.
  • User access to clusters can be managed using IAM policies.
  • ECS can be scheduled in 2 ways:
    • Service Scheduler
    • Customer Scheduler
  • EC2 instances can connect to ECS cluster using linux-only ECS agent.
  • Security groups are applied at instance level, not at  the task or container level.


AWS - Workspaces

  December 09, 2018 Editor   No comments


  • Workspaces provides remote desktops to the users.
  • Users can access their Workspaces desktop by using Amazon Workspaces client and credentials given by the administrator or Active Directory credentials.
  • Uses Windows 7 experience provided by Windows Server 2008 R2.
  • Users can personalize their workspaces. But this can be locked down by Administrator.
  • By default users have Local Administrator access, so they can install softwares and applications required by themselves.
  • Workspaces are persistent
  • D drive is backed up every 12 hrs.
  • AWS account is not needed to login to a workspace.


AWS - Security Token Service (STS)

  December 09, 2018 Editor   No comments


  • Grants users temporary limited access to AWS resources.
  • Supports users from following 3 sources:
    • Federation with Active Directory
      • Uses Security Assertion Markup Language (SAML)
      • Grants access based on users Active Directory credentials. User does not need to be IAM user.
      • Single Sign On allows user to login to AWS console with using an IAM account.
    • Federation in Mobile App
      • Use Facebook/Google/Amazon or other OpenID providers.
    • Cross account access
      • Lets user from one account access resources from another account.
  • Federation:
    • Combining or joining a list of users in one domain ( eg IAM) with list of users in another domain (eg. Facebook, Google etc)
  • Identity Broker:
    • A custom service that allows you to take identity from point A and join it to point B.
  • Identity Store:
    • Services like Facebook, Google, Active Directory etc
  • Identity:
    • A user of the service.
  • Example scenario:
    • Accessing S3 object from companies intranet site.
  • Application flow of intranet site:
    • Users enter credentials on the website.
    • Website sends credentials to Identity Broker.
    • Identity Broker validates credentials through an Identity Service (eg Active directory)
    • Identity Broker calls GetFederationToken function of STS using IAM credentials of Identity Broker. The call must include IAM policy,  duration (1hr to 36 hrs) and policy permissions that should be granted.
    • After validation, STS generates response with 4 values:
      • Access key
      • Secret access key
      • Token
      • Duration
    • Identity Broker sends token to website.
    • Website sends request to S3 with token.
    • S3 verifies token with IAM service.
    • On successful verification, S3 sends object to website.
  • Identity Broker always verifies user credentials first with Identity Store and then sends request to STS.


AWS - Direct Connect

  December 09, 2018 Editor   No comments


  • Makes it easy to create a dedicated private connection from on premise datacenter to AWS.
  • Benefits:
    • Reduced cost when using large volumes of traffic.
    • Increased bandwidth.
    • Increased reliability.
  • Bandwidth:
    • 10 Gbps
    • 1 Gbps
    • < 1Gbps: Can be purchased through AWS partners.
Subscribe to: Posts (Atom)