AWS Storage Options – S3 & Glacier

May 23, 2016 ~ Last updated on : June 8, 2018 ~ jayendrapatil ~ 30 Comments

Amazon S3

highly-scalable, reliable, and low-latency data storage infrastructure at very low costs.

provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from within Amazon EC2 or from anywhere on the web.
allows you to write, read, and delete objects containing from 1 byte to 5 terabytes of data each.

number of objects you can store in an Amazon S3 bucket is virtually unlimited.
highly secure, supporting encryption at rest, and providing multiple mechanisms to provide fine-grained control of access to Amazon S3 resources.
highly scalable, allowing concurrent read or write access to Amazon S3 data by many separate clients or application threads.

provides data lifecycle management capabilities, allowing users to define rules to automatically archive Amazon S3 data to Amazon Glacier, or to delete data at end of life.

Ideal Use Cases

Storage & Distribution of static web content and media
- frequently used to host static websites and provides a highly-available and highly-scalable solution for websites with only static content, including HTML files, images, videos, and client-side scripts such as JavaScript
- works well for fast growing websites hosting data intensive, user-generated content, such as video and photo sharing sites as no storage provisioning is required
- content can either be directly served from Amazon S3 since each object in Amazon S3 has a unique HTTP URL address
- can also act as an Origin store for the Content Delivery Network (CDN) such as Amazon CloudFront
- it works particularly well for hosting web content with extremely spiky bandwidth demands because of S3’s elasticity
Data Store for Large Objects
- can be paired with RDS or NoSQL database and used to store large objects for e.g. file or objects, while the associated metadata for e.g. name, tags, comments etc. can be stored in RDS or NoSQL database where it can be indexed and queried providing faster access to relevant data

Data store for computation and large-scale analytics
- commonly used as a data store for computation and large-scale analytics, such as analyzing financial transactions, clickstream analytics, and media transcoding.
- data can be accessed from multiple computing nodes concurrently without being constrained by a single connection because of its horizontal scalability

Backup and Archival of critical data
- used as a highly durable, scalable, and secure solution for backup and archival of critical data, and to provide disaster recovery solutions for business continuity.
- stores objects redundantly on multiple devices across multiple facilities, it provides the highly-durable storage infrastructure needed for these scenarios.
- it’s versioning capability is available to protect critical data from inadvertent deletion

Anti-Patterns

Amazon S3 has following Anti-Patterns where it is not an optimal solution

Dynamic website hosting
- While Amazon S3 is ideal for hosting static websites, dynamic websites requiring server side interaction, scripting or database interaction cannot be hosted and should rather be hosted on Amazon EC2
Backup and archival storage
- Data requiring long term archival storage with infrequent read access can be stored more cost effectively in Amazon Glacier

Structured Data Query
- Amazon S3 doesn’t offer query capabilities, so to read an object the object name and key must be known. Instead pair up S3 with RDS or Dynamo DB to store, index and query metadata about Amazon S3 objects
- NOTE – S3 now provides query capabilities and also Athena can be used

Rapidly Changing Data
- Data that needs to updated frequently might be better served by a storage solution with lower read/write latencies, such as Amazon EBS volumes, RDS or Dynamo DB.
File System
- Amazon S3 uses a flat namespace and isn’t meant to serve as a standalone, POSIX-compliant file system. However, by using delimiters (commonly either the ‘/’ or ‘’ character) you are able construct your keys to emulate the hierarchical folder structure of file system within a given bucket.

Performance

Access to Amazon S3 from within Amazon EC2 in the same region is fast.
Amazon S3 is designed so that server-side latencies are insignificant relative to Internet latencies.

Amazon S3 is also built to scale storage, requests, and users to support a virtually unlimited number of web-scale applications.
If Amazon S3 is accessed using multiple threads, multiple applications, or multiple clients concurrently, total Amazon S3 aggregate throughput will typically scale to rates that far exceed what any single server can generate or consume.

Durability & Availability

Amazon S3 storage provides provides the highest level of data durability and availability, by automatically and synchronously storing your data across both multiple devices and multiple facilities within the selected geographical region

Error correction is built-in, and there are no single points of failure. Amazon S3 is designed to sustain the concurrent loss of data in two facilities, making it very well-suited to serve as the primary data storage for mission-critical data.
Amazon S3 is designed for 99.999999999% (11 nines) durability per object and 99.99% availability over a one-year period.
Amazon S3 data can be protected from unintended deletions or overwrites using Versioning.

Versioning can be enabled with MFA (Multi Factor Authentication) Delete on the bucket, which would require two forms of authentication to delete an object
For Non Critical and Reproducible data for e.g. thumbnails, transcoded media etc., S3 Reduced Redundancy Storage (RRS) can be used, which provides a lower level of durability at a lower storage cost
RRS is designed to provide 99.99% durability per object over a given year. While RRS is less durable than standard Amazon S3, it is still designed to provide 400 times more durability than a typical disk drive

Cost Model

With Amazon S3, you pay only for what you use and there is no minimum fee.
Amazon S3 has three pricing components: storage (per GB per month), data transfer in or out (per GB per month), and requests (per n thousand requests per month).

Scalability & Elasticity

Amazon S3 has been designed to offer a very high level of scalability and elasticity automatically

Amazon S3 supports a virtually unlimited number of files in any bucket
Amazon S3 bucket can store a virtually unlimited number of bytes
Amazon S3 allows you to store any number of objects (files) in a single bucket, and Amazon S3 will automatically manage scaling and distributing redundant copies of your information to other servers in other locations in the same region, all using Amazon’s high-performance infrastructure.

Interfaces

Amazon S3 provides standards-based REST and ~~SOAP web services~~ APIs for both management and data operations.
NOTE – SOAP support over HTTP is deprecated, but it is still available over HTTPS. New Amazon S3 features will not be supported for SOAP. We recommend that you use either the REST API or the AWS SDKs.
Amazon S3 provides easier to use higher level toolkit or SDK in different languages (Java, .NET, PHP, and Ruby) that wraps the underlying APIs

Amazon S3 Command Line Interface (CLI) provides a set of high-level, Linux-like Amazon S3 file commands for common operations, such as ls, cp, mv, sync, etc. They also provide the ability to perform recursive uploads and downloads using a single folder-level Amazon S3 command, and supports parallel transfers.
AWS Management Console provides the ability to easily create and manage Amazon S3 buckets, upload and download objects, and browse the contents of your Amazon S3 buckets using a simple web-based user interface
All interfaces provide the ability to store Amazon S3 objects (files) in uniquely-named buckets (top-level folders), with each object identified by an unique Object key within that bucket.

Glacier

extremely low-cost storage service that provides highly secure, durable, and flexible storage for data backup and archival
can reliably store their data for as little as $0.01 per gigabyte per month.
to offload the administrative burdens of operating and scaling storage to AWS such as capacity planning, hardware provisioning, data replication, hardware failure detection and repair, or time consuming hardware migrations

Data is stored in Amazon Glacier as Archives where an archive can represent a single file or multiple files combined into a single archive
Archives are stored in Vaults for which the access can be controlled through IAM
Retrieving archives from Vaults require initiation of a job and can take anywhere around 3-5 hours

Amazon Glacier integrates seamlessly with Amazon S3 by using S3 data lifecycle management policies to move data from S3 to Glacier
AWS Import/Export can also be used to accelerate moving large amounts of data into Amazon Glacier using portable storage devices for transport

Ideal Usage Patterns

Amazon Glacier is ideally suited for long term archival solution for infrequently accessed data with archiving offsite enterprise information, media assets, research and scientific data, digital preservation and magnetic tape replacement

Anti-Patterns

Amazon Glacier has following Anti-Patterns where it is not an optimal solution

Rapidly changing data
- Data that must be updated very frequently might be better served by a storage solution with lower read/write latencies such as Amazon EBS or a Database

Real time access
- Data stored in Glacier can not be accessed at real time and requires an initiation of a job for object retrieval with retrieval times ranging from 3-5 hours. If immediate access is needed, Amazon S3 is a better choice.

Performance

Amazon Glacier is a low-cost storage service designed to store data that is infrequently accessed and long lived.

Amazon Glacier jobs typically complete in 3 to 5 hours

Durability and Availability

Amazon Glacier redundantly stores data in multiple facilities and on multiple devices within each facility

Amazon Glacier is designed to provide average annual durability of 99.999999999% (11 nines) for an archive
Amazon Glacier synchronously stores your data across multiple facilities before returning SUCCESS on uploading archives.
Amazon Glacier also performs regular, systematic data integrity checks and is built to be automatically self-healing.

Cost Model

Amazon Glacier has three pricing components: storage (per GB per month), data transfer out (per GB per month), and requests (per thousand UPLOAD and RETRIEVAL requests per month).
Amazon Glacier is designed with the expectation that retrievals are infrequent and unusual, and data will be stored for extended periods of time and allows you to retrieve up to 5% of your average monthly storage (pro-rated daily) for free each month. Any additional amount of data retrieved is charged per GB
Amazon Glacier also charges a pro-rated charge (per GB) for items deleted prior to 90 days

Scalability & Elasticity

A single archive is limited to 40 TBs, but there is no limit to the total amount of data you can store in the service.
Amazon Glacier scales to meet your growing and often unpredictable storage requirements whether you’re storing petabytes or gigabytes, Amazon Glacier automatically scales your storage up or down as needed.

Interfaces

Amazon Glacier provides a native, standards-based REST web services interface, as well as Java and .NET SDKs.

AWS Management Console or the Amazon Glacier APIs can be used to create vaults to organize the archives in Amazon Glacier.
Amazon Glacier APIs can be used to upload and retrieve archives, monitor the status of your jobs and also configure your vault to send you a notification via Amazon Simple Notification Service (Amazon SNS) when your jobs complete.
Amazon Glacier can be used as a storage class in Amazon S3 by using object lifecycle management to provide automatic, policy-driven archiving from Amazon S3 to Amazon Glacier.

Amazon S3 api provides a RESTORE operation and the retrieval process takes the same 3-5 hours
On retrieval, a copy of the retrieved object is placed in Amazon S3 RRS storage for a specified retention period; the original archived object remains stored in Amazon Glacier and you are charged for both the storage.
When using Amazon Glacier as a storage class in Amazon S3, use the Amazon S3 APIs, and when using “native” Amazon Glacier, you use the Amazon Glacier APIs

Objects archived to Amazon Glacier via Amazon S3 can only be listed and retrieved via the Amazon S3 APIs or the AWS Management Console—they are not visible as archives in an Amazon Glacier vault.

AWS Certification Exam Practice Questions

You want to pass queue messages that are 1GB each. How should you achieve this?
1. Use Kinesis as a buffer stream for message bodies. Store the checkpoint id for the placement in the Kinesis Stream in SQS.
2. Use the Amazon SQS Extended Client Library for Java and Amazon S3 as a storage mechanism for message bodies. (Amazon SQS messages with Amazon S3 can be useful for storing and retrieving messages with a message size of up to 2 GB. To manage Amazon SQS messages with Amazon S3, use the Amazon SQS Extended Client Library for Java. Refer link)
3. Use SQS’s support for message partitioning and multi-part uploads on Amazon S3.
4. Use AWS EFS as a shared pool storage medium. Store filesystem pointers to the files on disk in the SQS message bodies.

Company ABCD has recently launched an online commerce site for bicycles on AWS. They have a “Product” DynamoDB table that stores details for each bicycle, such as, manufacturer, color, price, quantity and size to display in the online store. Due to customer demand, they want to include an image for each bicycle along with the existing details. Which approach below provides the least impact to provisioned throughput on the “Product” table?
1. Serialize the image and store it in multiple DynamoDB tables
2. Create an “Images” DynamoDB table to store the Image with a foreign key constraint to the “Product” table
3. Add an image data type to the “Product” table to store the images in binary format
4. Store the images in Amazon S3 and add an S3 URL pointer to the “Product” table item for each image

References

AWS Storage Options

AWS Encrypting Data at Rest – Whitepaper – Certification

April 10, 2016 ~ Last updated on : February 9, 2017 ~ jayendrapatil ~ 11 Comments

Encrypting Data at Rest

AWS delivers a secure, scalable cloud computing platform with high availability, offering the flexibility for you to build a wide range of applications

AWS allows several options for encrypting data at rest, for additional layer of security, ranging from completely automated AWS encryption solution to manual client-side options
Encryption requires 3 things
- Data to encrypt
- Encryption keys
- Cryptographic algorithm method to encrypt the data

AWS provides different models for Securing data at rest on the following parameters
- Encryption method
  - Encryption algorithm selection involves evaluating security, performance, and compliance requirements specific to your application
- Key Management Infrastructure (KMI)
  - KMI enables managing & protecting the encryption keys from unauthorized access
  - KMI provides
    - Storage layer that protects plain text keys
    - Management layer that authorize key usage
Hardware Security Module (HSM)
- Common way to protect keys in a KMI is using HSM
- An HSM is a dedicated storage and data processing device that performs cryptographic operations using keys on the device.
- An HSM typically provides tamper evidence, or resistance, to protect keys from unauthorized use.
- A software-based authorization layer controls who can administer the HSM and which users or applications can use which keys in the HSM
AWS CloudHSM
- AWS CloudHSM appliance has both physical and logical tamper detection and response mechanisms that trigger zeroization of the appliance.
- Zeroization erases the HSM’s volatile memory where any keys in the process of being decrypted were stored and destroys the key that encrypts stored objects, effectively causing all keys on the HSM to be inaccessible and unrecoverable.
- AWS CloudHSM can be used to generate and store key material and can perform encryption and decryption operations,
- AWS CloudHSM, however, does not perform any key lifecycle management functions (e.g., access control policy, key rotation) and needs a compatible KMI.
- KMI can be deployed either on-premises or within Amazon EC2 and can communicate to the AWS CloudHSM instance securely over SSL to help protect data and encryption keys.
- AWS CloudHSM service uses SafeNet Luna appliances, any key management server that supports the SafeNet Luna platform can also be used with AWS CloudHSM
AWS Key Management Service (KMS)
- AWS KMS is a managed encryption service that allows you to provision and use keys to encrypt data in AWS services and your applications.
- Masters key, after creation, are designed to never be exported from the service.
- AWS KMS gives you centralized control over who can access your master keys to encrypt and decrypt data, and it gives you the ability to audit this access.
- Data can be sent into the KMS to be encrypted or decrypted under a specific master key under you account.
- AWS KMS is natively integrated with other AWS services (for e.g. Amazon EBS, Amazon S3, and Amazon Redshift) and AWS SDKs to simplify encryption of your data within those services or custom applications
- AWS KMS provides global availability, low latency, and a high level of durability for your keys.

Encryption Models in AWS

Encryption models in AWS depends on the on how you/AWS provides the encryption method and the KMI

You control the encryption method and the entire KMI
You control the encryption method, AWS provides the storage component of the KMI, and you provide the management layer of the KMI.

AWS controls the encryption method and the entire KMI.

Model A: You control the encryption method and the entire KMI

You use your own KMI to generate, store, and manage access to keys as well as control all encryption methods in your applications
Proper storage, management, and use of keys to ensure the confidentiality, integrity, and availability of your data is your responsibility

AWS has no access to your keys and cannot perform encryption or decryption on your behalf.
Amazon S3
- Encryption of the data is done before the object is sent to AWS S3
- Encryption of the data can be done using any encryption method and the encrypted data can be uploaded using the PUT request in the Amazon S3 API
- Key used to encrypt the data needs to be stored securely in your KMI
- To decrypt this data, the encrypted object can be downloaded from Amazon S3 using the GET request in the Amazon S3 API and then decrypted using the key in your KMI
- AWS provide Client-side encryption handling, where you can provide your key to the AWS S3 encryption client which will encrypt and decrypt the data on your behalf. However, AWS never has access to the keys or the unencrypted data
Amazon EBS
- Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use with Amazon EC2 instances. Amazon EBS volumes are network-attached, and persist independently from the life of an instance.
- Because Amazon EBS volumes are presented to an instance as a block device, you can leverage most standard encryption tools for file system-level or block-level encryption
- Block level encryption
  - Block level encryption tools usually operate below the file system layer using kernel space device drivers to perform encryption and decryption of data.
  - These tools are useful when you want all data written to a volume to be encrypted regardless of what directory the data is stored in
- File System level encryption
  - File system level encryption usually works by stacking an encrypted file system on top of an existing file system.
  - This method is typically used to encrypt a specific directory
- These solutions require you to provide keys, either manually or from your KMI.
- Both block-level and file system-level encryption tools can only be used to encrypt data volumes that are not Amazon EBS boot volumes, as they don’t allow you to automatically make a trusted key available to the boot volume at startup
- There are third party solutions available, which can help encrypt both the boot and data volumes as well as supplying and protecting keys
AWS Storage Gateway
- AWS Storage Gateway is a service connecting an on-premises software appliance with Amazon S3. Data on disk volumes attached to the AWS Storage Gateway will be automatically uploaded to Amazon S3 based on policy
- Encryption of the source data on the disk volumes can be either done before writing to the disk or using block level encryption on the iSCSI endpoint that AWS Storage Gateway exposes to encrypt all data on the disk volume.
Amazon RDS
- Amazon RDS doesn’t expose the attached disk it uses for data storage, transparent disk encryption using techniques for EBS section cannot be applied.
- However, individual fields data can be encrypted before the data is written to RDS and decrypted after reading it.

Model B: You control the encryption method, AWS provides the KMI storage component, and you provide the KMI management layer

Model B is similar to Model A where the encryption method is managed by you

Model B differs in the approach to Model A where the keys are maintained in AWS CloudHSM rather than than the on-premise key storage system
Only you have access to the cryptographic partitions within the dedicated HSM to use the keys

Model C: AWS controls the encryption method and the entire KMI

AWS provides and manages the server-side encryption of your data, transparently managing the encryption method and the keys.

AWS KMS and other services that encrypt your data directly use a method called envelope encryption to provide a balance between performance and security.
Envelope Encryption method
- A master key is defined either by you or AWS
- A data key (data encryption key) is generated by the AWS service at the time when data encryption is requested
- Data key is used to encrypt your data.
- Data key is then encrypted with a key-encrypting key (master key) unique to the service storing your data.
- Encrypted data key and the encrypted data are then stored by the AWS storage service on your behalf.
Master key (key-encrypting keys) used to encrypt data keys are stored and managed separately from the data and the data keys
For decryption of the data, the process is reversed. Encrypted data key is decrypted using the key-encrypting key; the data key is then used to decrypt your data

Authorized use of encryption keys is done automatically and is securely managed by AWS.
Because unauthorized access to those keys could lead to the disclosure of your data, AWS has built systems and processes with strong access controls that minimize the chance of unauthorized access and had these systems verified by third-party audits to achieve security certifications including SOC 1, 2, and 3, PCI-DSS, and FedRAMP.
Amazon S3
- SSE-S3
  - AWS encrypts each object using a unique data key
  - Data key is encrypted with a periodically rotated master key managed by S3
  - Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard (AES) keys for both object and master keys
- SSE-KMS
  - Master keys are defined and managed in KMS for your account
  - Object Encryption
    - When an object is uploaded, a request is sent to KMS to create an object key.
    - KMS generates a unique object key and encrypts it using the master key; KMS then returns this encrypted object key along with the plaintext object key to Amazon S3.
    - Amazon S3 web server encrypts your object using the plaintext object key and stores the now encrypted object (with the encrypted object key) and deletes the plaintext object key from memory.
  - Object Decryption
    - To retrieve the encrypted object, Amazon S3 sends the encrypted object key to AWS KMS.
    - AWS KMS decrypts the object key using the correct master key and returns the decrypted (plaintext) object key to S3.
    - Amazon S3 decrypts the encrypted object, with the plaintext object key, and returns it to you.
- SSE-C
  - Amazon S3 is provided an encryption key, while uploading the object
  - Encryption key is used by Amazon S3 to encrypt your data using AES-256
  - After object encryption, Amazon S3 deletes the encryption key
  - For downloading, you need to provide the same encryption key, which AWS matches, decrypts and returns the object
Amazon EBS
- When Amazon EBS volume is created, you can choose the master key in KMS to be used for encrypting the volume
- Volume encryption
  - Amazon EC2 server sends an authenticated request to AWS KMS to create a volume key.
  - AWS KMS generates this volume key, encrypts it using the master key, and returns the plaintext volume key and the encrypted volume key to the Amazon EC2 server.
  - Plaintext volume key is stored in memory to encrypt and decrypt all data going to and from your attached EBS volume.
- Volume decryption
  - When the encrypted volume (or any encrypted snapshots derived
    from that volume) needs to be re-attached to an instance, a call is made to AWS KMS to decrypt the encrypted volume key.
  - AWS KMS decrypts this encrypted volume key with the correct master key and returns the decrypted volume key to Amazon EC2.
Amazon Glacier
- Glacier provide encryption of the data, by default
- Before it’s written to disk, data is always automatically encrypted using 256-bit AES keys unique to the Amazon Glacier service that are stored in separate systems under AWS control
AWS Storage Gateway
- AWS Storage Gateway transfers your data to AWS over SSL
- AWS Storage Gateway stores data encrypted at rest in Amazon S3 or Amazon Glacier using their respective server side encryption schemes.
Amazon RDS – Oracle
- Oracle Advanced Security option for Oracle on Amazon RDS can be used to leverage the native Transparent Data Encryption (TDE) and Native Network Encryption (NNE) features
- Oracle encryption module creates data and key-encrypting keys to encrypt the database
- Key-encrypting keys specific to your Oracle instance on Amazon RDS are themselves encrypted by a periodically rotated 256-bit AES master key.
- Master key is unique to the Amazon RDS service and is stored in separate systems under AWS control

Amazon RDS -SQL server
- Transparent Data Encryption (TDE) can be provisioned for Microsoft SQL Server on Amazon RDS.
- SQL Server encryption module creates data and keyencrypting keys to encrypt the database.
- Key-encrypting keys specific to your SQL Server instance on Amazon RDS are themselves encrypted by a periodically rotated, regional 256-bit AES master key
- Master key is unique to the Amazon RDS service and is stored in separate systems under AWS control

Sample Exam Questions

How can you secure data at rest on an EBS volume?
1. Encrypt the volume using the S3 server-side encryption service
2. Attach the volume to an instance using EC2’s SSL interface.
3. Create an IAM policy that restricts read and write access to the volume.
4. Write the data randomly instead of sequentially.
5. Use an encrypted file system on top of the EBS volume
Your company policies require encryption of sensitive data at rest. You are considering the possible options for protecting data while storing it at rest on an EBS data volume, attached to an EC2 instance. Which of these options would allow you to encrypt your data at rest? (Choose 3 answers)
1. Implement third party volume encryption tools —
2. Do nothing as EBS volumes are encrypted by default
3. Encrypt data inside your applications before storing it on EBS
4. Encrypt data using native data encryption drivers at the file system level
5. Implement SSL/TLS for all services running on the server
A company is storing data on Amazon Simple Storage Service (S3). The company’s security policy mandates that data is encrypted at rest. Which of the following methods can achieve this? Choose 3 answers
1. Use Amazon S3 server-side encryption with AWS Key Management Service managed keys
2. Use Amazon S3 server-side encryption with customer-provided keys
3. Use Amazon S3 server-side encryption with EC2 key pair.
4. Use Amazon S3 bucket policies to restrict access to the data at rest.
5. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key
6. Use SSL to encrypt the data while in transit to Amazon S3.

Which 2 services provide native encryption
1. Amazon EBS
2. Amazon Glacier
3. Amazon Redshift (is optional)
4. Amazon RDS (is optional)
5. Amazon Storage Gateway

With which AWS services CloudHSM can be used (select 2)
1. S3
2. DynamoDb
3. RDS
4. ElastiCache
5. Amazon Redshift

References

AWS Securing Data at Rest with Encryption Whitepaper

AWS Interaction Tools – Certification

March 24, 2016 ~ Last updated on : October 15, 2018 ~ jayendrapatil ~ 8 Comments

AWS Interaction Tools Overview

AWS in API driven and AWS Interaction Tools allow plenty of options to enable interaction with its services and includes.

AWS Management console

AWS Management console is a graphical user interface to access AWS
AWS management console requires credentials in the form of User Name and Password to be able to login and uses Query APIs underlying for its interaction with AWS

AWS Command Line Interface (CLI)

AWS Command Line Interface (CLI) is a unified tool that provides a consistent interface for interacting with all parts of AWS
Provides commands for a broad set of AWS products, and is supported on Windows, Mac, and Linux
CLI required Access key & Secret key credentials and uses Query APIs underlying for its interaction with AWS

CLI construct and send requests to AWS for you, and as part of that process, they sign the requests using an access key that you provide.
CLI also take care of many of the connection details, such as calculating signatures, handling request retries, and error handling.

Software Development Kit (SDKs)

Software Development Kits (SDKs) simplify using AWS services in your applications with an API tailored to your programming language or platform

SDKs currently support a wide range of languages which include Java, PHP, Ruby, Python, .Net, GO, Node.js etc
SDKs construct and send requests to AWS for you, and as part of that process, they sign the requests using an access key that you provide.
SDKs also take care of many of the connection details, such as calculating signatures, handling request retries, and error handling.

Query APIs

Query APIs provides HTTP or HTTPS requests that use the HTTP verb GET or POST and a Query parameter named “Action”
CLI required Access key & Secret key credentials for its interaction
Query APIs is the core of all the access tools and requires you to calculate signatures and attach them to the request

AWS Certification Exam Practice Questions

REST or Query requests are HTTP or HTTPS requests that use an HTTP verb (such as GET or POST) and a parameter named Action or Operation that specifies the API you are calling.
1. FALSE
2. TRUE (Refer link)

Through which of the following interfaces is AWS Identity and Access Management available?
A) AWS Management Console
B) Command line interface (CLI)
C) IAM Query API
D) Existing libraries
1. Only through Command line interface (CLI)
2. A, B and C
3. A and C
4. All of the above
Which of the following programming languages have an officially supported AWS SDK? Choose 2 answers
1. PHP
2. Pascal
3. Java
4. SQL
5. Perl
HTTP Query-based requests are HTTP requests that use the HTTP verb GET or POST and a Query parameter named_____________.
1. Action
2. Value
3. Reset
4. Retrieve

AWS DDoS Resiliency – Best Practices – Whitepaper

March 23, 2016 ~ Last updated on : February 9, 2017 ~ jayendrapatil ~ 8 Comments

AWS DDoS Resiliency Whitepaper

Denial of Service (DoS) is an attack, carried out by a single attacker, which attempts to make a website or application unavailable to the end users.

Distributed Denial of Service (DDoS) is an attack, carried out by multiple attackers either controlled or compromised by a group of collaborators, which generates a flood of requests to the application making in unavailable to the legitimate end users

Mitigation techniques

Minimize the Attack Surface Area

This is all all about reducing the attack surface, the different Internet entry points, that allows access to your application

Strategy to minimize the Attack surface area
- reduce the number of necessary Internet entry points,
- don’t expose back end servers,
- eliminate non-critical Internet entry points,
- separate end user traffic from management traffic,
- obfuscate necessary Internet entry points to the level that untrusted end users cannot access them, and
- decouple Internet entry points to minimize the effects of attacks.
Benefits
- Minimizes the effective attack vectors and targets
- Less to monitor and protect
Strategy can be achieved using AWS Virtual Private Cloud (VPC)
- helps define a logically isolated virtual network within the AWS
- provides ability to create Public & Private Subnets to launch the internet facing and non-public facing instances accordingly
- provides NAT gateway which allows instances in the private subnet to have internet access without the need to launch them in public subnets with Public IPs
- allows creation of Bastion host which can be used to connect to instances in the private subnets
- provides the ability to configure security groups for instances and NACLs for subnets, which act as a firewall, to control and limit outbound and inbound traffic

Be Ready to Scale to Absorb the Attack

DDOS mainly targets to load the systems till the point they cannot handle the load and are rendered unusable.
Scaling out Benefits
- help build a resilient architecture
- makes the attacker work harder
- gives you time to think, analyze and adapt

AWS provided services :-
- Auto Scaling & ELB
  - Horizontal scaling using Auto Scaling with ELB
  - Auto Scaling allows instances to be added and removed as the demand changes
  - ELB helps distribute the traffic across multiple EC2 instances while acting as a Single point of contact.
  - Auto Scaling automatically registers and deregisters EC2 instances with the ELB during scale out and scale in events
- EC2 Instance
  - Vertical scaling can be achieved by using appropriate EC2 instance types for e.g. EBS optimized or ones with 10 gigabyte network connectivity to handle the load
- Enhanced Networking
  - Use Instances with Enhanced Networking capabilities which can provide high packet-per-second performance, low latency networking, and improved scalability
- Amazon CloudFront
  - CloudFront is a CDN, acts as a proxy between end users and the Origin servers, and helps distribute content to the end users without sending traffic to the Origin servers.
  - CloudFront has the inherent ability to help mitigate against both infrastructure and some application layer DDoS attacks by dispersing the traffic across multiple locations.
  - AWS has multiple Internet connections for capacity and redundancy at each location, which allows it to isolate attack traffic while serving content to legitimate end users
  - CloudFront also has filtering capabilities to ensure that only valid TCP connections and HTTP requests are made while dropping invalid requests. This takes the burden of handling invalid traffic (commonly used in UDP & SYN floods, and slow reads) off the origin.
- Route 53
  - DDOS attacks are also targeted towards DNS, cause if the DNS is unavailable your application is effectively unavailable.
  - AWS Route 53 is highly available and scalable DNS service and have capabilities to ensure access to the application even when under DDOS attack
    - Shuffle Sharding – Shuffle sharding is similar to the concept of database sharding, where horizontal partitions of data are spread across separate database servers to spread load and provide redundancy. Similarly, Amazon Route 53 uses shuffle sharding to spread DNS requests over numerous PoPs, thus providing multiple paths and routes for your application.
    - Anycast Routing – Anycast routing increases redundancy by advertising the same IP address from multiple PoPs. In the event that a DDoS attack overwhelms one endpoint, shuffle sharding isolate failures while providing additional routes to your infrastructure.

Safeguard Exposed & Hard to Scale Expensive Resources

If entry points cannot be limited, additional measures to restrict access and protect those entry points without interrupting legitimate end user traffic

AWS provided services :-
- CloudFront
  - CloudFront can restrict access to content using Geo Restriction and Origin Access Identity
  - With Geo Restriction, access can be restricted to a set of whitelisted countries or prevent access from a set of black listed countries
  - Origin Access Identity is the CloudFront special user which allows access to the resources only through CloudFront while denying direct access to the origin content for e.g. if S3 is the Origin for CloudFront, S3 can be configured to allow access only from OAI and hence deny direct access
- Route 53
  - Route 53 provides two features Alias Record sets & Private DNS to make it easier to scale infrastructure and respond to DDoS attacks
- WAF
  - WAFs act as filters that apply a set of rules to web traffic. Generally, these rules cover exploits like cross-site scripting (XSS) and SQL injection (SQLi) but can also help build resiliency against DDoS by mitigating HTTP GET or POST floods
  - WAF provides a lot of features like
    - OWASP Top 10
    - HTTP rate limiting (where only a certain number of requests are allowed per user in a timeframe),
    - Whitelist or blacklist (customizable rules)
    - inspect and identify requests with abnormal patterns,
    - CAPTCHA etc
  - To prevent WAF from being a Single point of failure, a WAF sandwich pattern can be implemented where an autoscaled WAF sits between the Internet and Internal Load Balancer

DDOS Resiliency - WAF Sandwich Architecture

Learn Normal Behavior

Understand the normal usual levels and Patterns of traffic for your application and use that as a benchmark for identifying abnormal level of traffic or resource spikes patterns

Benefits
- allows one to spot abnormalities
- configure Alarms with accurate thresholds
- assists with generating forensic data
AWS provided services for tracking
- AWS CloudWatch monitoring
  - CloudWatch can be used to monitor your infrastructure and applications running in AWS. Amazon CloudWatch can collect metrics, log files, and set alarms for when these metrics have passed predetermined thresholds
- VPC Flow Logs
  - Flow logs helps capture traffic to the Instances in an VPC and can be used to understand the pattern

Create a Plan for Attacks

Have a plan in place before an attack, which ensures that:
- Architecture has been validated and techniques selected work for the infrastructure
- Costs for increased resiliency have been evaluated and the goals of your defense are understood
- Contact points have been identified

AWS Certification Exam Practice Questions

You are designing a social media site and are considering how to mitigate distributed denial-of-service (DDoS) attacks. Which of the below are viable mitigation techniques? (Choose 3 answers)
1. Add multiple elastic network interfaces (ENIs) to each EC2 instance to increase the network bandwidth.
2. Use dedicated instances to ensure that each instance has the maximum performance possible.
3. Use an Amazon CloudFront distribution for both static and dynamic content.
4. Use an Elastic Load Balancer with auto scaling groups at the web app and Amazon Relational Database Service (RDS) tiers
5. Add alert Amazon CloudWatch to look for high Network in and CPU utilization.
6. Create processes and capabilities to quickly add and remove rules to the instance OS firewall.
You’ve been hired to enhance the overall security posture for a very large e-commerce site. They have a well architected multi-tier application running in a VPC that uses ELBs in front of both the web and the app tier with static assets served directly from S3. They are using a combination of RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further processing with EMR. They are concerned because they found questionable log entries and suspect someone is attempting to gain unauthorized access. Which approach provides a cost effective scalable mitigation to this kind of attack?
1. Recommend that they lease space at a DirectConnect partner location and establish a 1G DirectConnect connection to their VPC they would then establish Internet connectivity into their space, filter the traffic in hardware Web Application Firewall (WAF). And then pass the traffic through the DirectConnect connection into their application running in their VPC. (Not cost effective)
2. Add previously identified hostile source IPs as an explicit INBOUND DENY NACL to the web tier subnet. (does not protect against new source)
3. Add a WAF tier by creating a new ELB and an AutoScaling group of EC2 Instances running a host-based WAF. They would redirect Route 53 to resolve to the new WAF tier ELB. The WAF tier would their pass the traffic to the current web tier The web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group
4. Remove all but TLS 1.2 from the web tier ELB and enable Advanced Protocol Filtering This will enable the ELB itself to perform WAF functionality. (No advanced protocol filtering in ELB)

References

DDOS Whitepaper

AWS ELB Monitoring

March 18, 2016 ~ Last updated on : September 13, 2021 ~ jayendrapatil ~ 9 Comments

AWS ELB Monitoring

Elastic Load Balancing publishes data points to CloudWatch about the load balancers and back-end instances

Elastic Load Balancing reports metrics to CloudWatch only when requests are flowing through the load balancer.
- If there are requests flowing through the load balancer, Elastic Load Balancing measures and sends its metrics in 60-second intervals.
- If there are no requests flowing through the load balancer or no data for a metric, the metric is not reported.

CloudWatch Metrics

HealthyHostCount, UnHealthyHostCount
- Number of healthy and unhealthy instances registered with the load balancer.
- Most useful statistics are average, min, and max
RequestCount
- Number of requests completed or connections made during the specified interval (1 or 5 minutes).
- Most useful statistic is sum
Latency
- Time elapsed, in seconds, after the request leaves the load balancer until the headers of the response are received.
- Most useful statistic is average
SurgeQueueLength
- Total number of requests that are pending routing.
- Load balancer queues a request if it is unable to establish a connection with a healthy instance in order to route the request.
- Maximum size of the queue is 1,024. Additional requests are rejected when the queue is full.
- Most useful statistic is max, because it represents the peak of queued requests.

SpilloverCount
- The total number of requests that were rejected because the surge queue is full. Should ideally be 0
- Most useful statistic is sum.

HTTPCode_ELB_4XX, HTTPCode_ELB_5XX
- Client and Server error code generated by the load balancer
- Most useful statistic is sum.

HTTPCode_Backend_2XX, HTTPCode_Backend_3XX, HTTPCode_Backend_4XX, HTTPCode_Backend_5XX
- Number of HTTP response codes generated by registered instances
- Most useful statistic is sum.

Elastic Load Balancer Access Logs

Elastic Load Balancing provides access logs that capture detailed information about all requests sent to your load balancer.
Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses.
Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket

Access logging is disabled by default and can be enabled without any additional charge. You are only charged for S3 storage

CloudTrail Logs

AWS CloudTrail can be used to capture all calls to the Elastic Load Balancing API made by or on behalf of your AWS account and either made using Elastic Load Balancing API directly or indirectly through the AWS Management Console or AWS CLI
CloudTrail stores the information as log files in an Amazon S3 bucket that you specify.

Logs collected by CloudTrail can be used to monitor the activity of your load balancers and determine what API call was made, what source IP address was used, who made the call, when it was made, and so on

AWS Certification Exam Practice Questions

An admin is planning to monitor the ELB. Which of the below mentioned services does not help the admin capture the monitoring information about the ELB activity
1. ELB Access logs
2. ELB health check
3. CloudWatch metrics
4. ELB API calls with CloudTrail

A customer needs to capture all client connection information from their load balancer every five minutes. The company wants to use this data for analyzing traffic patterns and troubleshooting their applications. Which of the following options meets the customer requirements?
1. Enable AWS CloudTrail for the load balancer.
2. Enable access logs on the load balancer.
3. Install the Amazon CloudWatch Logs agent on the load balancer.
4. Enable Amazon CloudWatch metrics on the load balancer
Your supervisor has requested a way to analyze traffic patterns for your application. You need to capture all connection information from your load balancer every 10 minutes. Pick a solution from below. Choose the correct answer:
1. Enable access logs on the load balancer
2. Create a custom metric CloudWatch filter on your load balancer
3. Use a CloudWatch Logs Agent
4. Use AWS CloudTrail with your load balancer

References

Elastic Load Balance developer guide

AWS Bastion Host

March 14, 2016 ~ Last updated on : September 28, 2022 ~ jayendrapatil ~ 16 Comments

Bastion Host Overview

Bastion means a structure for Fortification to protect things behind it

In AWS, a Bastion host (also referred to as a Jump server) can be used to securely access instances in the private subnets.
Bastion host launched in the Public subnets would act as a primary access point from the Internet and acts as a proxy to other instances.

Bastion Host

Key points

Bastion host is deployed in the Public subnet and acts as a proxy or a gateway between you and your instances
Bastion host is a security measure that helps to reduce attack on your infrastructure and you have to concentrate to hardening a single layer

Bastion host allows you to login to instances in the Private subnet securely without having to store the private keys on the Bastion host (using ssh-agent forwarding or RDP gateways)
Bastion host security can be further tightened to allow SSH/RDP access from specific trusted IPs or corporate IP ranges
Bastion host for your AWS infrastructure shouldn’t be used for any other purpose, as that could open unnecessary security holes

Security for all the Instances in the private subnet should be hardened to accept SSH/RDP connections only from the Bastion host
Deploy a Bastion host within each Availability Zone for HA, cause if the Bastion instance or the AZ hosting the Bastion server goes down the ability to connect to your private instances is lost completely

AWS Certification Exam Practice Questions

A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets. They have only authorized the bastion-security-group with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will meet this requirement?
1. Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the VPC.
2. Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere.
3. Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP access to the bastion from only the corporate public IP addresses.
4. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.
You are designing a system that has a Bastion host. This component needs to be highly available without human intervention. Which of the following approaches would you select?
1. Run the bastion on two instances one in each AZ
2. Run the bastion on an active Instance in one AZ and have an AMI ready to boot up in the event of failure
3. Configure the bastion instance in an Auto Scaling group Specify the Auto Scaling group to include multiple AZs but have a min-size of 1 and max-size of 1
4. Configure an ELB in front of the bastion instance

You’ve been brought in as solutions architect to assist an enterprise customer with their migration of an ecommerce platform to Amazon Virtual Private Cloud (VPC) The previous architect has already deployed a 3- tier VPC. The configuration is as follows: VPC vpc-2f8t>C447
IGW ig-2d8bc445
NACL acl-2080c448
Subnets and Route Tables:
Web server’s subnet-258bc44d
Application server’s subnet-248DC44c
Database server’s subnet-9189c6f9
Route Tables:
rtb-2i8bc449
rtb-238bc44b
Associations:
Subnet-258bc44d: rtb-2i8bc449
Subnet-248DC44c: rtb-238bc44b
Subnet-9189c6f9: rtb-238bc44b
You are now ready to begin deploying EC2 instances into the VPC. Web servers must have direct access to the internet Application and database servers cannot have direct access to the internet. Which configuration below will allow you the ability to remotely administer your application and database servers, as well as allow these servers to retrieve updates from the Internet?
1. Create a bastion and NAT Instance in subnet-258bc44d and add a route from rtb-238bc44b to subnet-258bc44d. (Route should point to the NAT)
2. Add a route from rtb-238bc44b to igw-2d8bc445 and add a bastion and NAT instance within Subnet-248DC44c. (Adding IGW to routertb-238bc44b would expose the Application and Database server to internet. Bastion and NAT should be in public subnet)
3. Create a Bastion and NAT Instance in subnet-258bc44d. Add a route from rtb-238bc44b to igw-2d8bc445. And a new NACL that allows access between subnet-258bc44d and subnet-248bc44c. (Route should point to NAT and not Internet Gateway else it would be internet accessible.)
4. Create a Bastion and NAT instance in subnet-258bc44d and add a route from rtb-238bc44b to the NAT instance. (Bastion and NAT should be in the public subnet. As Web Server has direct access to Internet, the subnet subnet-258bc44d should be public and Route rtb-2i8bc449 pointing to IGW. Route rtb-238bc44b for private subnets should point to NAT for outgoing internet access)
You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances running in your VPC. Only clients connecting from the corporate external public IP address 72.34.51.100 should have SSH access to the host. Which option will meet the customer requirement?
1. Security Group Inbound Rule: Protocol – TCP. Port Range – 22, Source 72.34.51.100/32
2. Security Group Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32
3. Network ACL Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32
4. Network ACL Inbound Rule: Protocol – TCP, Port Range-22, Source 72.34.51.100/0

AWS Consolidated Billing

March 13, 2016 ~ Last updated on : June 23, 2022 ~ jayendrapatil ~ 9 Comments

AWS Consolidated Billing

Consolidated billing enables consolidating payments from multiple AWS accounts (Linked or Member Accounts) within the organization to a single account by designating it to be the Management or Payer Account.

Every organization in AWS Organizations has a management account that pays the charges of all the member accounts.
Consolidate billing
- is strictly an accounting and billing feature.
- allows receiving a combined view of charges incurred by all the associated accounts as well as each of the accounts.
- is not a method for controlling accounts, or provisioning resources for accounts.

Management/Payer account is billed for all charges of the member accounts.
Each linked account is still an independent account in every other way.
AWS Organization Consolidated Billing feature does not allow the Payer account to access data belonging to the linked account owners. All Features mode need to be enabled.

However, access to the Payer account users can be granted through Cross-Account Access roles
AWS limits work on the account level only and AWS support is per account only

Consolidated Billing Process

AWS Organizations provides consolidated billing so that the combined costs of all the member accounts in your organization can be tracked.

Create an Organization
Create member accounts or invite existing accounts to join the organization.
Each month AWS charges your management account for all the member accounts in a consolidated bill.

Consolidated Billing Scenarios

have multiple accounts and want to get a single bill and track each account’s charges for e.g. multiple projects, each with its own AWS account or separate environments (Dev, Prod) within the same project
have multiple cost centers to track.
have acquired a project or company with its own existing AWS account and you want a consolidated bill with your other AWS accounts.

Consolidated Billing Benefits

One Bill
- A single bill with a combined view of AWS costs incurred by all accounts is generated
Easy Tracking
- Detailed cost reports & charges for each of the individual AWS accounts associated with the “paying account” can be easily tracked
Combined Usage & Volume Discounts
- Charges might actually decrease because AWS combines usage from all the accounts to qualify you for volume pricing discounts

Free Tier
- Customers that use Consolidated Billing to consolidate payment across multiple accounts will only have access to one free usage tier and it is not combined across accounts

Volume Pricing Discounts

For billing purposes, AWS treats all the accounts in the organization on the consolidated bill as if they were one account.

AWS combines the usage from all accounts to determine which volume pricing tiers to apply, giving you a lower overall price whenever possible.

Volume Discounts Example

Consolidate Billing Example

Example AWS Pricing – AWS charges $0.17/GB for the first 10 TB of data transfer out used, and $0.13/GB for the next 40 TB used that translates into $174.08 per TB for the first 10 TB, and $133.12 per TB for the next 40 TB

Usage – Bob uses 8 TB of data transfer out during the month, and Susan uses 4 TB (for a total of 12 TB used).
Actual Individual Bill – AWS would have charged Bob and Susan each $174.08 per TB for their usage, for a total of $2088.96
Volume Discount Bill – Combined 12 TB total that Bob and Susan used, would cost the paying account ($174.08 * 10 TB) + ($133.12 * 2 TB) = $1740.80 + $266.24 = $2007.04

Reserved Instances

All member accounts in an Organization on a consolidated bill can receive the hourly cost-benefit of Reserved Instances that are purchased by any other account.
The management account of an organization can turn off Reserved Instance (RI) discount and Savings Plans discount sharing for any accounts in that organization, including the management account.
RIs and Savings Plans discounts aren’t shared between any accounts that have sharing turned off. To share an RI or Savings Plans discount with an account, both accounts must have sharing turned on.

For e.g., Bob and Susan each have an account on Bob’s consolidated bill. Susan has 5 Reserved Instances of the same type, and Bob has none. During one particular hour, Susan uses 3 instances and Bob uses 6, for a total of 9 instances used on Bob’s consolidated bill. AWS will bill 5 as Reserved Instances, and the remaining 4 as normal instances.

Consolidated Billing Best Practices

~~Paying account should be used solely for accounting and billing purposes~~
Consolidated billing works best with Resource tagging, as tags are included in the detailed billing report, which enables cost to be analyzed and decomposed across multiple dimensions and aggregation levels.

~~Paying account owners should secure their accounts by using MFA (multi-factor authentication) and a strong password~~

AWS Certification Exam Practice Questions

An organization is planning to create 5 different AWS accounts considering various security requirements. The organization wants to use a single payee account by using the consolidated billing option. Which of the below mentioned statements is true with respect to the above information?
- Master (Payee) account will get only the total bill and cannot see the cost incurred by each account
- Master (Payee) account can view only the AWS billing details of the linked accounts
- It is not recommended to use consolidated billing since the payee account will have access to the linked accounts
- Each AWS account needs to create an AWS billing policy to provide permission to the payee account

An organization has setup consolidated billing with 3 different AWS accounts. Which of the below mentioned advantages will organization receive in terms of the AWS pricing?
- The consolidated billing does not bring any cost advantage for the organization
- All AWS accounts will be charged for S3 storage by combining the total storage of each account
- EC2 instances of each account will receive a total of 750*3 micro instance hours free
- The free usage tier for all the 3 accounts will be 3 years and not a single year
An organization has added 3 of his AWS accounts to consolidated billing. One of the AWS accounts has purchased a Reserved Instance (RI) of a small instance size in the us-east-1a zone. All other AWS accounts are running instances of a small size in the same zone. What will happen in this case for the RI pricing?
- Only the account that has purchased the RI will get the advantage of RI pricing
- One instance of a small size and running in the us-east-1a zone of each AWS account will get the benefit of RI pricing
- Any single instance from all the three accounts can get the benefit of AWS RI pricing if they are running in the same zone and are of the same size
- If there are more than one instances of a small size running across multiple accounts in the same zone no one will get the benefit of RI
An organization is planning to use AWS for 5 different departments. The finance department is responsible to pay for all the accounts. However, they want the cost separation for each account to map with the right cost centre. How can the finance department achieve this?
- Create 5 separate accounts and make them a part of one consolidated billing
- Create 5 separate accounts and use the IAM cross account access with the roles for better management
- Create 5 separate IAM users and set a different policy for their access
- Create 5 separate IAM groups and add users as per the department’s employees

An AWS account wants to be part of the consolidated billing of his organization’s payee account. How can the owner of that account achieve this?
- The payee account has to request AWS support to link the other accounts with his account
- The owner of the linked account should add the payee account to his master account list from the billing console
- The payee account will send a request to the linked account to be a part of consolidated billing (Check Process)
- The owner of the linked account requests the payee account to add his account to consolidated billing
You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each accounts bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal.
- Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
- Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
- Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.
- Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts
When using consolidated billing there are two account types. What are they?
- Paying account and Linked account
- Parent account and Child account
- Main account and Sub account.
- Main account and Secondary account.

A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight? Choose 2 answers
- Use AWS Consolidated Billing and disable AWS root account access for the child accounts. (Need to link accounts and disabling root access is just a best practice)
- Enable IAM cross-account access for all corporate IT administrators in each child account. (Provides IT goverance)
- Create separate VPCs for each division within the corporate IT AWS account.
- Use AWS Consolidated Billing to link the divisions’ accounts to a parent corporate account (Will provide cost oversight)
- Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account’s Amazon S3 ‘Log’ bucket (Preferred approach would be to store logs from multiple accounts to a single S3 bucket with CloudTrail for IT Goverance and CloudWatch alerts for Cost Oversight)

An organization has 10 departments. The organization wants to track the AWS usage of each department. Which of the below mentioned options meets the requirement?
1. Setup IAM groups for each department and track their usage
2. Create separate accounts for each department, but use consolidated billing for payment and tracking
3. Create separate accounts for each department and track them separately
4. Setup IAM users for each department and track their usage

References

AWS_Consolidated_Billing

AWS Support Tiers – Certification

March 11, 2016 ~ Last updated on : April 10, 2019 ~ jayendrapatil ~ 1 Comment

AWS Support Tiers Plan

AWS provides Four Support tiers and is per AWS Account (except Enterprise)

- Basic
  - - Customer Service: one-on-one responses to account and billing questions
  - - Support forums
  - - Service health checks
  - Documentation, whitepapers, and best-practice guides

- Developer
  - - All the features from Basic Support Tier
  - - Best-practice guidance
  - - Client-side diagnostic tools
  - Building-block architecture support: guidance on how to use AWS products, features, and services together

- Business
  - - Phone/Email/Chat support, 1 hour response time
  - - All the features from Developer Support Tier
  - - Use-case guidance: what AWS products, features, and services to use to best support your specific needs
  - - IAM for controlling individuals’ access to AWS Support
  - - AWS Trusted Advisor, which inspects customer environments and identifies opportunities to save money, close security gaps, and improve system reliability and performance
  - - An API for interacting with Support Center and Trusted Advisor, allowing for automated support case management and Trusted Advisor operations
  - Third-party software support: help with EC2 instance operating systems as well as the configuration and performance of the most popular third-party software components on AWS

Enterprise
- - 15 min response time, dedicated Technical Account Manager
- - All the features from Business Support Tier
- - Application architecture guidance: consultative partnership supporting specific use cases and applications
- - Infrastructure event management: short-term engagement with AWS Support to partner with your technical and project resources to gain a deep understanding of your use case and provide architectural and scaling guidance for an event
- - AWS Concierge
- - Technical account manager
- - White-glove case routing
- Management business reviews

Support plan Comparison

AWS Certification Exam Practice Questions

What are the four levels of AWS Premium Support?
- Basic, Developer, Business, Enterprise
- Basic, Startup, Business, Enterprise
- Free, Bronze, Silver, Gold
- All support is free
What is the maximum response time for a Business level Premium Support case?
- 120 seconds
- 1 hour
- 10 minutes
- 12 hours

References

AWS Support

AWS Security – Whitepaper – Certification

March 10, 2016 ~ Last updated on : February 12, 2020 ~ jayendrapatil ~ 12 Comments

AWS Security Whitepaper

AWS Security whitepaper is one of the most important whitepaper for the Certification perspective

Shared Security Responsibility Model

In the Shared Security Responsibility Model, AWS is responsible for securing the underlying infrastructure that supports the cloud, and you’re responsible for anything you put on the cloud or connect to the cloud.

AWS Security Shared Responsibility Model

AWS Security Responsibilities

AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services.
AWS provide several reports from third-party auditors who have verified their compliance with a variety of computer security standards and regulations

AWS is responsible for the security configuration of its products that are considered managed services for e.g. RDS, DynamoDB
For Managed Services, AWS will handle basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery.

Customer Security Responsibilities

AWS Infrastructure as a Service (IaaS) products for e.g. EC2, VPC, S3 are completely under your control and require you to perform all of the necessary security configuration and management tasks.

Management of the guest OS (including updates and security patches), any application software or utilities installed on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance
For most of these managed services, all you have to do is configure logical access controls for the resources and protect the account credentials

AWS Global Infrastructure Security

AWS Compliance Program

IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:

SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)

SOC 2
SOC 3
FISMA, DIACAP, and FedRAMP

DOD CSM Levels 1-5
PCI DSS Level 1
ISO 9001 / ISO 27001

ITAR
FIPS 140-2
MTCS Level 3

And meet several industry-specific standards, including:

Criminal Justice Information Services (CJIS)
Cloud Security Alliance (CSA)
Family Educational Rights and Privacy Act (FERPA)

Health Insurance Portability and Accountability Act (HIPAA)
Motion Picture Association of America (MPAA)

Physical and Environmental Security

Storage Decommissioning

When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.

AWS uses the techniques detailed in DoD 5220.22-M (National Industrial Security Program Operating Manual) or NIST 800-88 (Guidelines for Media Sanitization) to destroy data as part of the decommissioning process.
All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.

Network Security

Amazon Corporate Segregation

AWS Production network is segregated from the Amazon Corporate network and requires a separate set of credentials for logical access.

Amazon Corporate network relies on user IDs, passwords, and Kerberos, while the AWS Production network require SSH public-key authentication through a bastion host.

Networking Monitoring & Protection

AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for unusual activity.

AWS network provides protection against traditional network security issues

DDOS – AWS uses proprietary DDoS mitigation techniques. Additionally, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
Man in the Middle attacks – AWS APIs are available via SSL-protected endpoints which provide server authentication

IP spoofing – AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
Port Scanning – Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. When unauthorized port scanning is detected by AWS, it is stopped and blocked. Penetration/Vulnerability testing can be performed only on your own instances, with mandatory prior approval, and must not violate the AWS Acceptable Use Policy.
Packet Sniffing by other tenants – It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While you can place your interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic.

Secure Design Principles

AWS’s development process follows :-

Secure software development best practices, which include formal design reviews by the AWS Security Team, threat modeling, and completion of a risk assessment
Static code analysis tools are run as a part of the standard build process
Recurring penetration testing performed by carefully selected industry experts

AWS Account Security Features

AWS account security features includes credentials for access control, HTTPS endpoints for encrypted data transmission, the creation of separate IAM user accounts, user activity logging for security monitoring, and Trusted Advisor security checks

AWS Credentials

AWS IAM Credentials

Individual User Accounts

Do not use the Root account, instead create an IAM User for each user and provide them with a unique set of Credentials and grant least privilege as required to perform their job function

Secure HTTPS Access Points

Use HTTPS, provided by all AWS services, for data transmissions, which uses public-key cryptography to prevent eavesdropping, tampering, and forgery

Security Logs

Use Amazon CloudTrail which provides logs of all requests for AWS resources within the account and captures information about every API call to every AWS resource you use, including sign-in events

Trusted Advisor Security Checks

Use Trusted Advisor service which helps inspect AWS environment and provide recommendations when opportunities may exist to optimize cost, improve system performance, or close security gaps

AWS Certification Exam Practice Questions

In the shared security model, AWS is responsible for which of the following security best practices (check all that apply) :
1. Penetration testing
2. Operating system account security management (User responsibility)
3. Threat modeling
4. User group access management (User responsibility)
5. Static code analysis (AWS development cycle responsibility)

You are running a web-application on AWS consisting of the following components an Elastic Load Balancer (ELB) an Auto-Scaling Group of EC2 instances running Linux/PHP/Apache, and Relational DataBase Service (RDS) MySQL. Which security measures fall into AWS’s responsibility?
1. Protect the EC2 instances against unsolicited access by enforcing the principle of least-privilege access (User responsibility)
2. Protect against IP spoofing or packet sniffing
3. Assure all communication between EC2 instances and ELB is encrypted (User responsibility)
4. Install latest security patches on ELB. RDS and EC2 instances (User responsibility)
In AWS, which security aspects are the customer’s responsibility? Choose 4 answers
1. Controlling physical access to compute resources (AWS responsibility)
2. Patch management on the EC2 instances operating system
3. Encryption of EBS (Elastic Block Storage) volumes
4. Life-cycle management of IAM credentials
5. Decommissioning storage devices (AWS responsibility)
6. Security Group and ACL (Access Control List) settings

Per the AWS Acceptable Use Policy, penetration testing of EC2 instances:
1. May be performed by AWS, and will be performed by AWS upon customer request.
2. May be performed by AWS, and is periodically performed by AWS.
3. Are expressly prohibited under all circumstances.
4. May be performed by the customer on their own instances with prior authorization from AWS.
5. May be performed by the customer on their own instances, only if performed from EC2 instances

Which is an operational process performed by AWS for data security?
1. AES-256 encryption of data stored on any shared storage device (User responsibility)
2. Decommissioning of storage devices using industry-standard practices
3. Background virus scans of EBS volumes and EBS snapshots (No virus scan is performed by AWS on User instances)
4. Replication of data across multiple AWS Regions (AWS does not replicate data across regions unless done by User)
5. Secure wiping of EBS data when an EBS volume is unmounted (data is not wiped off on EBS volume when unmounted and it can be remounted on other EC2 instance)

References

Amazon_Security_WhitePaper

AWS S3 Data Durability

March 8, 2016 ~ Last updated on : October 4, 2016 ~ jayendrapatil

Sample Exam Question :-

A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content for web-based property. The customer is storing objects using the Standard Storage class. Where are the customers’ objects replicated?

Single facility in eu-west-1 and a single facility in eu-central-1

Single facility in eu-west-1 and a single facility in us-east-1
Multiple facilities in eu-west-1

A single facility in eu-west-1

Answer :-

The question targets the S3 Data Durability which mentions the objects are stored redundantly across multiple facilities in the same Amazon S3 region.