Friday, March 11, 2016

AWS Support Tiers

AWS provides Four tiers of Support

Free - Basic, Forum-based & health check support
Developer - Email support & best practice guidance
Business - Phone/Email/Chat support,  1 hour response time
Enterprise - 15 min response time, dedicated Technical Account Manager

Support plan Comparison

Exam Scenario Questions
  1. What are the four levels of AWS Premium Support?
    • Basic, Developer, Business, Enterprise
    • Basic, Startup, Business, Enterprise
    • Free, Bronze, Silver, Gold
    • All support is free
  2. What is the maximum response time for a Business level Premium Support case?
    • 120 seconds
    • 1 hour
    • 10 minutes
    • 12 hours



Thursday, March 10, 2016

AWS VPC Peering

Overview
  • A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses.
  • Instances in either VPC can communicate with each other as if they are within the same network
  • VPC peering connection can be established between your own VPCs, or with a VPC in another AWS account within a single region.
  • AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware. There is no single point of failure for communication or a bandwidth bottleneck.

VPC Peering Rules & Limitations

1. VPC peering connection cannot be created between VPCs that have matching or overlapping CIDR blocks.

2. VPC peering connection cannot be created between VPCs in different regions.
3. VPC peering connection are limited on the number active and pending VPC peering connections that you can have per VPC.


4. VPC peering does not support transitive peering relationships 
In a VPC peering connection, your VPC does not have access to any other VPCs that the peer VPC may be peered with even if established entirely within your own AWS account.

5. VPC peering does not support Edge to Edge Routing Through a Gateway or Private Connection
In a VPC peering connection, your VPC does not have access to any other connection that the peer VPC may have and vice versa.
Connections that the peer VPC can include
  • A VPN connection or an AWS Direct Connect connection to a corporate network
  • An Internet connection through an Internet gateway
  • An Internet connection in a private subnet through a NAT device
  • A ClassicLink connection to an EC2-Classic instance
  • A VPC endpoint to an AWS service; for example, an endpoint to Amazon S3.

6. Only one VPC peering connection can be established between the same two VPCs at the same time
7. Maximum Transmission Unit (MTU) across a VPC peering connection is 1500 bytes.
8. A placement group can span peered VPCs; however, you do not get full-bisection bandwidth between instances in peered VPCs.
9. Unicast reverse path forwarding in VPC peering connections is not supported.
10. Instance's public DNS hostname does not resolve to its private IP address across peered VPCs.


Exam Scenario Questions

1.    A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from Dev to Prod to speed up time to market. Which of the following options helps the company accomplish this?
  • Create a new peering connection Between Prod and Dev along with appropriate routes.
  • Create a new entry to Prod in the Dev route table using the peering connection as the target.
  • Attach a second gateway to Dev. Add a new entry in the Prod route table identifying the gateway as the target.
  • The VPCs have non-overlapping CIDR blocks in the same account. The route tables contain local routes for all VPCs.

AWS Security Whitepaper Overview

Shared Security Responsibility Model

In the Shared Security Responsibility Model, AWS is responsible for securing the underlying infrastructure that supports the cloud, and you’re responsible for anything you put on the cloud or connect to the cloud.


AWS Security Responsibilities
  • Amazon Web Services is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services.  
  • AWS provide several reports from third-party auditors who have verified their compliance with a variety of computer security standards and regulations
    AWS is responsible for the security configuration of its products that are considered managed services for e.g. RDS, DynamoDB
  • For Managed Services, AWS will handle basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery.
Customer Security Responsibilities
  • AWS Infrastructure as a Service (IaaS) products for e.g. EC2, VPC, S3 are completely under your control and require you to perform all of the necessary security configuration and management tasks.
  • Management of the guest OS (including updates and security patches), any application software or utilities you install on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance
  • For most of these managed services, all you have to do is configure logical access controls for the resources and protect your account credentials. A few of them may require additional tasks, such as setting up database user accounts, but overall the security configuration work is performed by the service.
 

AWS Global Infrastructure Security 

 

AWS Compliance Program
The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:
  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
  • SOC 2
  • SOC 3
  • FISMA, DIACAP, and FedRAMP
  • DOD CSM Levels 1-5
  • PCI DSS Level 1
  • ISO 9001 / ISO 27001
  • ITAR
  • FIPS 140-2
  • MTCS Level 3
And meet several industry-specific standards, including:
  • Criminal Justice Information Services (CJIS)
  • Cloud Security Alliance (CSA)
  • Family Educational Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Motion Picture Association of America (MPAA) 

 

Physical and Environmental Security 


Storage Decommissioning
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices. 


Network Security 


Amazon Corporate Segregation
AWS Production network is segregated from the Amazon Corporate network and requires a separate set of credentials for logical access. The Amazon Corporate network relies on user IDs, passwords, and Kerberos, while the AWS Production network requires SSH public-key authentication through a bastion host.
Networking Monitoring & Protection
AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for unusual activity.

AWS network provides protection against traditional network security issues :-
  1. DDOS - AWS uses proprietary DDoS mitigation techniques. Additionally, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
  2. Man in the Middle attacks - AWS APIs are available via SSL-protected endpoints which provide server authentication
  3. IP spoofing - AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
  4. Port Scanning - Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. When unauthorized port scanning is detected by AWS, it is stopped and blocked. Penetration/Vulnerability testing can be performed only on your own instances, with mandatory advance approval, and must not violate the AWS Acceptable Use Policy.
  5. Packet Sniffing by other tenants - It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While you can place your interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic.

 

Secure Design Principles

AWS’s development process follows :-
  • Secure software development best practices, which include formal design reviews by the AWS Security Team, threat modeling, and completion of a risk assessment
  • Static code analysis tools are run as a part of the standard build process
  • Recurring penetration testing performed by carefully selected industry experts

 

AWS Account Security Features

AWS account security features includes credentials for access control, HTTPS endpoints for encrypted data transmission, the creation of separate IAM user accounts, user activity logging for security monitoring, and Trusted Advisor security checks

AWS Credentials
Individual User Accounts
Do not use the Root account, instead create an IAM User for each User and provide them with a unique set of Credentials and grant least privilege as required to perform their job function

Secure HTTPS Access Points
Use HTTPS for data transmissions, which which uses public-key cryptography to prevent eavesdropping, tampering, and forgery, which is provided by all AWS services 
 
Security Logs
Use Amazon CloudTrail which provides logs of all requests for AWS resources within your account and captures information about every API call to every AWS resource you use, including sign-in events

Trusted Advisor Security Checks
Use Trusted Advisor service which helps inspect AWS environment and provide recommendations when opportunities may exist to optimize cost, improve system performance, or close security gaps

Exam Scenario Questions

  1. In the shared security model, AWS is responsible for which of the following security best practices (check all that apply) :
    • Penetration testing
    • Operating system account security management
    • Threat modeling
    • User group access management
    • Static code analysis 
  2. You are running a web-application on AWS consisting of the following components an Elastic Load Balancer (ELB) an Auto-Scaling Group of EC2 instances running Linux/PHP/Apache, and Relational DataBase Service (RDS) MySQL. Which security measures fall into AWS’s responsibility?
    • Protect the EC2 instances against unsolicited access by enforcing the principle of least-privilege access
    • Protect against IP spoofing or packet sniffing
    • Assure all communication between EC2 instances and ELB is encrypted
    • Install latest security patches on ELB. RDS and EC2 instances
  3. In AWS, which security aspects are the customer’s responsibility? Choose 4 answers
    • Controlling physical access to compute resources
    • Patch management on the EC2 instances operating system
    • Encryption of EBS (Elastic Block Storage) volumes
    • Life-cycle management of IAM credentials
    • Decommissioning storage devices
    • Security Group and ACL (Access Control List) settings 
  4. Per the AWS Acceptable Use Policy, penetration testing of EC2 instances: 
    • May be performed by AWS, and will be performed by AWS upon customer request.
    • May be performed by AWS, and is periodically performed by AWS.
    • Are expressly prohibited under all circumstances.
    • May be performed by the customer on their own instances with prior authorization from AWS.
    • May be performed by the customer on their own instances, only if performed from EC2 instances

References


 

Wednesday, March 9, 2016

AWS - IAM Best Practices

Root - Lock away your AWS account (root) access keys
Do not use AWS Root account which has full access to all the AWS resources and services including the Billing information. If you do not use the access keys, delete the Access keys. Permissions associated with your AWS Root account cannot be restricted.

User - Create individual IAM users
Don't use your AWS root account credentials to access AWS, and don't give your credentials to anyone else. Instead, create individual users for anyone who needs access to your AWS account.
By creating Individual users you can give each unique credentials and grant different permissions
To start with create a User with Administrator role, which has access to all resources as the Root user except the Billing information

Groups - Use groups to assign permissions to IAM users
Instead of defining permissions for individual IAM users, create groups and define the relevant permissions for each group, and then associate IAM users to those groups.
ll the users in an IAM group inherit the permissions assigned to the group
It is much easier to add new users, remove users and modify the permissions of a group of users.

Permission - Grant least privilege
Creation of a New user does not grant any permission to access any AWS resources or services. Users should be grant LEAST PRIVILEGE to perform a task.

Passwords - Configure a strong password policy for your users
Enable a strong password policy to define passwords requirements forcing users to create passwords with requirements like at least one capital letter, one number, how frequently it should be rotated.

MFA - Enable MFA for privileged users
Enable MultiFactor Authentication (MFA) for privileged IAM users, who are allowed access to sensitive resources or APIs.

Role - Use roles for applications that run on Amazon EC2 instances
Use roles for applications running on Amazon EC2 instances instead of creating user and hardcoding the credentials within that application. Hardcoding of Credentials can compromise the access and are also hard to rotate. Also, they may pose a problem in the creation of new EC2 instances through AutoScaling. With Roles, credentials are temporary are automatically rotated.

Sharing - Delegate by using roles instead of by sharing credentials
Allow users from same AWS account, another AWS account, or externally authenticated users (either through any corporate authentication service or through Google, Facebook etc) use IAM roles to specify the permissions which can then be assumed by them
 
Rotation - Rotate credentials regularly
Change your own passwords and access keys regularly and enforce it through a strong password policy. So even if a password or access key is compromised without your knowledge, you limit how long the credentials can be used to access your resources
Access keys allows creation of 2 active keys at the same time for an user. These can be used to rotate the keys.

Track - Remove unnecessary credentials
Use the Credentials report that lists all IAM users in your account and the status of their various credentials, including passwords, access keys, and MFA devices and how recently their credentials have been used. Remove IAM user credentials that are not needed.

Conditions - Use policy conditions for extra security
Define conditions under which your IAM policies allow access to a resource. Conditions would help provide finer access control to the AWS services and resources
Auditing - Monitor activity in your AWS account
You can use logging features provided through CloudTrail, S3, CloudFront in AWS to determine the actions users have taken in your account and the resources that were used. Log files show the time and date of actions, the source IP for an action, which actions failed due to inadequate permissions, and more.

Exam Scenario Questions
  1. Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
    • Create individual IAM users for everyone in your organization (May not be needed as can use Roles as well)
    • Configure MFA on the root account and for privileged IAM users
    • Assign IAM users and groups configured with policies granting least privilege access
    • Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate (Must be assigned only if using console or through command line)

References

Tuesday, March 8, 2016

AWS S3 Data Durability

Exam Scenario Question :-
A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content for web-based property. The customer is storing objects using the Standard Storage class. Where are the customers’ objects replicated?
  1. Single facility in eu-west-1 and a single facility in eu-central-1
  2. Single facility in eu-west-1 and a single facility in us-east-1
  3. Multiple facilities in eu-west-1
  4. A single facility in eu-west-1

Answer :-
The question targets the S3 Data Durability which mentions the objects are stored redundantly across multiple facilities in the same Amazon S3 region.
Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage. Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 region. To help better ensure data durability, Amazon S3 PUT and PUT Object copy operations synchronously store your data across multiple facilities before returning SUCCESS. Once the objects are stored, Amazon S3 maintains their durability by quickly detecting and repairing any lost redundancy.

AWS EBS vs Instance Store

EC2 instances can be launched using either Elastic Block Store (EBS) or Instance Store volume as root volumes and additional volumes.

Instance Store (Ephemeral storage)
An Instance store backed instance is an EC2 instance uses Instance store as root device and accesses storage from disks that are physically attached to the host computer. Instance store provides temporary block-level storage for instances. The data on an instance store volume persists only during the life of the associated instance; if you stop or terminate an instance, any data on instance store volumes is lost.

Key points for Instance store backed Instance
  1. Boot time is very fast usually less then a min, as the storage resides on the same machine
  2. Can be selected as Root Volume and attached as additional volumes
  3. Instance store backed Instances can be of maximum 10GiB volume size
  4. Instance store volume can be attached as additional volumes only when is the Instance is launched and cannot be attached once the Instance is up and running
  5. Instance store backed Instances cannot be stopped as one of the main reason being when stopped and started AWS does not guarantee the Instance would be launched in the same host.
  6. Data on Instance store volume is LOST in following scenarios :-
    • Failure of an underlying drive
    • Stopping an EBS-backed instance where instance store are additional volumes
    • Termination of the Instance
  7. Data on Instance store volume is NOT LOST when the instance is rebooted
  8. AMI creation requires usage on AMI tools and needs to be executed from within the server
  9. Instance store backed Instances cannot be upgraded

Amazon Elastic Block Store (EBS)
An "EBS-backed" instance is an EC2 instance which uses an EBS volume as it’s root device.
An EBS volume behaves like a raw, unformatted, external block device that you can attach to a single instance and are not physically attached to the Instance host computer (more like a network attached storage). The volume persists independently from the running life of an instance. After an EBS volume is attached to an instance, you can use it like any other physical hard drive. You can also detach an EBS volume from one instance and attach it to another instance. EBS volumes can also be created as encrypted volumes using the Amazon EBS encryption feature.

Key points for EBS backed Instance
  1. Boot time is slower then Instance store and usually less then 5 min
  2. Can be selected as Root Volume and attached as additional volumes
  3. EBS backed Instances can be of maximum 16TiB volume size depending upon the OS
  4. EBS volume can be attached as additional volumes when the Instance is launched and even when the Instance is up and running
  5. Data on the EBS volume is LOST only if the Root Volume is EBS backed and the Delete On Termination flag is checked (Checked by default)
  6. Data on EBS volume is NOT LOST in following scenarios :-
    • Reboot on the Instance
    • Stopping an EBS-backed instance
    • Termination of the Instance for the additional EBS volumes
  7. EBS volumes are tied to a single AZ  in which they are created
  8. EBS volumes are automatically replicated within that zone to prevent data loss due to failure of any single hardware component
  9. AMI creation is easy using a Single command
  10. EBS backed Instances can be upgraded for instance type, Kernel, RAM disk and user data
Exam Scenario Questions :-
  1. EC2 EBS-backed (EBS root) instance is stopped, what happens to the data on any ephemeral store volumes?
    • Data is automatically saved in an EBS volume.
    • Data is unavailable until the instance is restarted.
    • Data will be deleted and will no longer be accessible. 
    • Data is automatically saved as an EBS snapshot.
  2. When an EC2 instance that is backed by an S3-based AMI is terminated, what happens to the data on the root volume?
    • Data is automatically saved as an EBS snapshot.
    • Data is automatically saved as an EBS volume.
    • Data is unavailable until the instance is restarted. 
    • Data is automatically deleted.
  3.  Which of the following will occur when an EC2 instance in a VPC (Virtual Private Cloud) with an associated Elastic IP is stopped and started? (Choose 2 answers)
    • The Elastic IP will be dissociated from the instance
    • All data on instance-store devices will be lost
    • All data on EBS (Elastic Block Store) devices will be lost
    • The ENI (Elastic Network Interface) is detached
    • The underlying host for the instance is changed 

      Monday, March 7, 2016

      AWS Trusted Advisor Categories


      Exam Question :- 
      The Trusted Advisor service provides insight regarding which four categories of an AWS account?
      • Security, fault tolerance, high availability, and connectivity
      • Security, access control, high availability, and performance
      • Performance, cost optimization, security, and fault tolerance
      • Performance, cost optimization, access control, and connectivity

      Answer :-

      Trusted Advisor provides best practices for only the below categories 
      1. Cost Optimization
      2. Performance
      3. Security
      4. Fault Tolerance
       
       

      Sunday, March 6, 2016

      AWS - Root access enabled services

      Exam Question :- 
      Which services provide root level access in aws?


      Answer :-
      1. Only the below services provide Root level access
        • EC2
        • Elastic Beanstalk
        • Elastic MapReduce - Master Node
        • Opswork
      2. None of the AWS managed services like RDS, S3, Glacier, DynamoDB provide root or admin access to the underlying servers

      Saturday, March 5, 2016

      AWS - Autoscaling Troubleshooting

      Exam Question Scenario :- 
      EC2 instances fail to launch with Autoscaling configuration

      Description :-
      Autoscaling configuration requires the following :-

      Autoscaling launch configuration which allows you to select an 
        • AMI
        • Instance type
        • IAM role (optional)
        • Security group
        • Key pair file
      Autoscaling group configuration allows you to select AZ to be used to launch the EC2 instances with the selected launch configuration




       Troubleshooting key points :-
      1. AMI id does not exist or is still pending and cannot be used to launch instances
      2. Security group provided in the launch configuration does not exist
      3. Key pair associated with the EC2 instance does not exist
      4. Autoscaling group not found or is incorrectly configured
      5. AZ configured with the Autoscaling group is no longer supported cause it might not be available
      6. Invalid EBS block device mappings
      7. Instance type is not supported in the AZ
      8. Capacity limits reached either cause of the restriction on the number of instance type that can be launched in a region or cause AWS is not able to provision the specified instance type in the AZ (for e.g. no more spot instances or On-demand instances availability)
      More details @ AWS Autoscaling Developer Guide

      AWS - EC2 - Troubleshooting Connecting to an Instance

      Exam Question Scenario :- 
      If you try to connect to your instance and get an error message Network error: Connection timed
      out or Error connecting to [instance], reason: -> Connection timed out: connect.


      Troubleshooting key points :-
      1. Verify the Security groups are properly configured to allow ssh access from the ip to the EC2 instance. For Security groups, Inbound traffic from the public ip address should be enabled
      2. Verify the NACLs are properly configured to allow ssh access from the ip to the EC2 instance. For NACLs, Inbound traffic from the public ip address should be enabled as well as the Outbound traffic for the response should be enabled
      3. Verify you are using the private key file that corresponds to the key pair that you selected when you launched the instance
      4. Verify you are connecting with the appropriate user name for your AMI. Mind the user names used to connect to the EC2 instance are different depending upon the AMI (which also determines the OS for the Instance)
      5. Private User key file is not recognized by the Server
      More details in EC2 User Guide