Amazon Web Services (AWS) — brush up on essentials
Overview
Looking for some best practices
I needed to brush up on my Amazon Web Services (AWS) knowledge of best practice for standing up a service using AWS. I thought I'd just curate the best of what I found in case it was useful to someone else.
Before you start!
You'll need an AWS account, so why not sign up? There's a free tier, and much is free in the first year.
TL;DR — Looking for a quick refresh on AWS? Here you are, you're welcome!
Contents
- Overview
- Amazon Web Services (AWS) brush up on essentials
- Governance
  - Effective deployments and compliance
- Storage
  - Amazon S3
  - Creating an S3 bucket
  - Choice of Amazon S3 storage classes
  - S3 Intelligent Tiering
  - S3 Storage Lens
  - Amazon Elastic Block Store (Amazon EBS)
- Security
  - Amazon GuardDuty
  - Amazon GuardDuty Pricing
  - Amazon GuardDuty Enabled
  - AWS Security Hub
  - Best practice multi-account strategy
  - AWS Config
  - Enabling AWS Security Hub
- References
Amazon Web Services (AWS) brush up on essentials
Things you need to know to build a professional service on AWS.
AWS provide an abundance of documentation, examples, source code, workshops, cookbooks and other self-study resources for IT professionals, architects, and software developers who are interested in learning how to design, build, deploy and support their workloads on AWS. AWS core service prerequisites, DevOps and System Administration, Security, Directory Services, and SQL Server and its alternatives are all relevant here when building out.
Governance
Effective deployments and compliance
There are several governance patterns which can be used in AWS deployments. AWS themselves provide some insights in their blogs, talking about three main aspects of governance.
- Governance level: What component is managed centrally by cloud platform engineers?
- Role of application engineers: What is the responsibility split and operating model?
- Use case: When is each model applicable?
Model / aspects | Central pattern library | CI/CD as a service | Centrally managed infrastructure |
---|---|---|---|
Governance level | Centrally defined infrastructure templates | Centrally defined deployment toolchain | Centrally defined provisioning and management of AWS resources |
Role of cloud platform engineers | Manage pattern library and policy checks | Manage deployment toolchain and stage checks | Manage resource provisioning (including CI/CD) |
Role of application teams | Manage deployment toolchain and resource provisioning | Manage resource provisioning | Manage application integration |
Use case | Federated governance with application teams maintaining autonomy over application and infrastructure | Platform projects or development organizations with strong preference for pre-defined deployment standards including toolchain | Applications without development teams (e.g., “commercial-off-the-shelf”) or with separation of duty (e.g., infrastructure operations teams) |
Governance models for managing infrastructure deployments. Source: AWS Architecture Blog.
Storage
Amazon S3
Amazon S3 (S3) provides industry-leading scale, durability and availability of data: trillions of objects on many millions of drives, in regions all over the world. To an end user or a developer this is simply an S3 bucket. In an AWS region, AWS have separate data centres in a single Availability Zone (AZ), each with independent power, security and networking. S3 objects are stored on multiple devices across multiple Availability Zones. This, say Amazon, is how they can reach 11 9's of availability. You can replicate S3 across AWS regions too. To take advantage of S3 it is key to horizontally scale your applications.
Creating an S3 bucket
Here is the setup page for an S3 bucket using the defaults, except for the region, eu-west-2, because it needs to be in London, and Server-side encryption set to Enable to increase data security. After creating the bucket you can upload files and folders to it, and configure additional bucket settings such as storage class.
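The same bucket as infrastructure-as-code, as an added example that is not part of the original post: a CloudFormation template that keeps the defaults except for server-side encryption, and additionally blocks public access (a defensive default the post does not mention). The region is not a template property; deploying the stack in eu-west-2 places the bucket in London. The bucket name is a hypothetical placeholder and must be globally unique.

```yaml
# Added example (not the post's own code). Deploy in eu-west-2 for a London bucket:
#   aws cloudformation deploy --region eu-west-2 --stack-name london-bucket \
#     --template-file bucket.yaml --parameter-overrides BucketName=<unique-name>
AWSTemplateFormatVersion: "2010-09-09"
Description: S3 bucket with server-side encryption enabled (added example)

Parameters:
  BucketName:
    Type: String
    Default: example-london-bucket-placeholder   # hypothetical; must be globally unique

Resources:
  LondonBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
      # "Server-side encryption: Enable" from the console: every object is
      # encrypted at rest with an S3-managed key (SSE-S3, AES-256).
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Not on the console page shown above; added here so that no ACL or
      # bucket policy can expose the contents by accident.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Outputs:
  BucketRegion:
    Description: Region the stack, and therefore the bucket, was created in (expect eu-west-2)
    Value: !Ref AWS::Region
  BucketArn:
    Value: !GetAtt LondonBucket.Arn
```

Checking the `BucketRegion` output after deployment confirms the residency requirement was met; a stack deployed in the wrong region would report it here rather than silently creating the bucket elsewhere.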

Picking a storage class depends on your application.
Choice of Amazon S3 storage classes
Storage class | Resilience | Example use case
---|---|---
S3 Intelligent-Tiering | AWS Region, ≥ 3 AZs | Data lakes, where data with changing access patterns needs millisecond access
S3 Standard | AWS Region, ≥ 3 AZs | A streaming app with frequently accessed data distributed world-wide
S3 Standard-IA | AWS Region, ≥ 3 AZs | A photo-sharing app with infrequently accessed data; 40% cheaper, but a retrieval fee when accessed
S3 Glacier Instant Retrieval | AWS Region, ≥ 3 AZs | Medical records or news item history: the same millisecond access for data accessed once a quarter, lowest storage cost
S3 Glacier Flexible Retrieval | AWS Region, ≥ 3 AZs | Archive data with retrieval options from minutes to hours; free bulk retrievals
S3 Glacier Deep Archive | AWS Region, ≥ 3 AZs | Long-term archive data; retrieval in 12-48 hours; lowest storage cost in the cloud
S3 One Zone-IA | Single AWS AZ | Re-creatable, infrequently accessed data; single-AZ resilience; millisecond access; 20% lower cost than Standard-IA
S3 on Outposts | AWS Outposts | On-premises data; millisecond access, often used for local data processing or data residency needs
S3 Intelligent Tiering
Intelligent-Tiering is chiefly about cost saving. Use it for data with unknown or changing access patterns. It has five access tiers: Frequent, Infrequent, Archive Instant, Archive and Deep Archive. The first three offer automatic millisecond access; the last two have minutes-to-hours access. All data starts in the Frequent Access tier; S3 automatically monitors access and, on 30-day intervals, moves data among the tiers. If data in one of the first three tiers is accessed, it moves back to Frequent Access and the tiering cycle starts again. The two archive access tiers are opt-in and have different performance: after 90 days without access data moves to Archive Access, then after 180 days to Deep Archive Access, which has the lowest storage costs in the cloud. Using S3 Intelligent-Tiering requires no changes to applications and has no operational overhead.
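The tiering described above expressed as configuration, as an added example that is not the post's own: a CloudFormation bucket whose lifecycle rule moves every new object into S3 Intelligent-Tiering (so the application keeps uploading as before), and whose Intelligent-Tiering configuration opts one prefix into the two archive access tiers at the 90 and 180 day thresholds. The bucket name and the `archive/` prefix are hypothetical; the three automatic tiers need no configuration at all.

```yaml
# Added example (not the post's own code). Bucket name is a placeholder.
AWSTemplateFormatVersion: "2010-09-09"
Description: S3 Intelligent-Tiering with opt-in archive access tiers (added example)

Resources:
  DataLakeBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: example-intelligent-tiering-placeholder   # hypothetical; must be globally unique
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Objects written to the default storage class transition into
      # Intelligent-Tiering at day 0, so no application change is needed.
      # (Uploads that already specify INTELLIGENT_TIERING skip this step.)
      LifecycleConfiguration:
        Rules:
          - Id: MoveToIntelligentTiering
            Status: Enabled
            Transitions:
              - StorageClass: INTELLIGENT_TIERING
                TransitionInDays: 0
      # Frequent, Infrequent and Archive Instant Access are automatic.
      # The two archive tiers are opt-in because retrieval takes minutes to
      # hours, so they are enabled only for data under the archive/ prefix.
      IntelligentTieringConfigurations:
        - Id: ArchiveColdData
          Status: Enabled
          Prefix: archive/
          Tierings:
            - AccessTier: ARCHIVE_ACCESS        # after 90 consecutive days without access
              Days: 90
            - AccessTier: DEEP_ARCHIVE_ACCESS   # after 180 consecutive days without access
              Days: 180

Outputs:
  BucketArn:
    Value: !GetAtt DataLakeBucket.Arn
```

Scoping the archive opt-in to a prefix matters operationally: a GET on an object in Archive Access or Deep Archive Access returns an error until a restore has been requested, so only data whose readers can tolerate that should live under the opted-in prefix.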
S3 Storage Lens
Amazon S3 Storage Lens provides an interactive dashboard for visualising your S3 storage. Amazon recommend that all customers turn it on; there is a free tier.
Amazon Elastic Block Store (Amazon EBS)
Amazon EBS "provides scalable persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud ". EBS volumes are resilient to component failure, and highly available with low-latency performance.
Deep Dive on Amazon Elastic Block Store — This is a really well presented talk on what could otherwise be a very very boring topic, but one you need to grasp especially if you are going to be involved in cost/benefit analysis of your Amazon AWS design choices.
Security
Amazon GuardDuty


AWS Security Services Best Practices – Amazon GuardDuty. Among the things GuardDuty detects are:
- escalation of privileges,
- exposed credentials,
- communication with malicious IP addresses or domains,
- presence of malware on your Amazon EC2 instances and container workloads,
- compromised EC2 instances,
- unauthorized infrastructure deployments,
- instance deployment in unused regions,
- unusual API calls, like a password policy change to reduce password strength.
Amazon GuardDuty Pricing
GuardDuty charges — GuardDuty can get expensive: the worked pricing examples get to around $2,000 per month.
Amazon GuardDuty Enabled

As I have no instances running and nothing in storage, there's unsurprisingly nothing for Amazon GuardDuty to report.
AWS Security Hub


But there's more. AWS Security Hub is a security and compliance service that provides security and compliance posture management as a service. You can view and organise security findings from multiple services, including Amazon GuardDuty, Amazon Inspector (vulnerability scanning for EC2), Amazon Macie (which scans S3 buckets for sensitive data) and other Amazon and Amazon partner solutions, aggregated across the AWS platform.
You can use it to automate security checks and to manage security findings, for example so that remediation action can be taken.
Best practice multi-account strategy

Amazon suggest a multi-account strategy with a Security organisational unit (OU) containing accounts set up for very specific security purposes. The tool for this is AWS Organizations, an AWS service designed to meet these security demands which lets you set up and manage multiple accounts. It sounds a lot like Active Directory or Open Directory. It allows the creation and management of organisational units (OUs) for developers, testing, production, networking and operations. For GuardDuty and Security Hub, AWS recommend that a specific Security Tooling account be set up within the Security OU.
Essentially you give the Security Tooling account permissions for Security Hub and GuardDuty over any and all AWS member accounts that you need to control in your organisation. You do this by making it a delegated administrator account. It sounds simple to set up, but it is hard to document and manage so as to ensure compliance and quality management. Once enabled, findings will be available in the central Security Hub deployment in your Security Tooling admin account.
AWS Config
AWS Security Hub uses AWS Config and Config rules as its primary mechanism to evaluate the configuration of AWS resources. You need to enable AWS Config in your organisation in each region you wish to manage using AWS Security Hub. "AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting".
Enabling AWS Security Hub
Before you can enable Security Hub standards and controls, you must first enable resource recording in AWS Config. You must enable resource recording for all of the accounts and in all of the Regions where you plan to enable Security Hub standards and controls. Then select the security standards to apply to your organisation and click 'Enable'.

After you enable Security Hub, it can take up to two hours to see the results from security checks for the newly enabled standards. Until then, the controls have a status of "No data".
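The enablement order above (AWS Config recording first, then Security Hub and its standards), together with a GuardDuty detector whose findings Security Hub aggregates, as a single CloudFormation template for one account and Region. This is an added example, not the post's or AWS's own code. It assumes you deploy it in each Region you want Security Hub to cover, from the account being onboarded (the delegated-administrator setup for a multi-account organisation is a separate step not shown here); it turns on Security Hub's default standards and opts in to PCI DSS v3.2.1 by its standards ARN, and creates its own bucket, with a generated name, for Config to deliver into.

```yaml
# Added example (not the post's own code): Config -> Security Hub -> GuardDuty
# baseline for one account/Region. Deploy per Region.
AWSTemplateFormatVersion: "2010-09-09"
Description: AWS Config, Security Hub and GuardDuty baseline (added example)

Resources:
  # Bucket that receives AWS Config snapshots and configuration history.
  ConfigBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Only the Config service principal may write, and only under its own path.
  ConfigBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ConfigBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSConfigBucketPermissionsCheck
            Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: s3:GetBucketAcl
            Resource: !GetAtt ConfigBucket.Arn
          - Sid: AWSConfigBucketDelivery
            Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: s3:PutObject
            Resource: !Sub "${ConfigBucket.Arn}/AWSLogs/${AWS::AccountId}/Config/*"
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control

  # Service role Config assumes to read resource configuration and deliver it.
  ConfigRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWS_ConfigRole

  # Step 1: resource recording. Record global resources (IAM etc.) in one
  # Region only; set IncludeGlobalResourceTypes to false in the others.
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      RoleARN: !GetAtt ConfigRole.Arn
      RecordingGroup:
        AllSupported: true
        IncludeGlobalResourceTypes: true

  ConfigDeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    DependsOn: ConfigBucketPolicy
    Properties:
      S3BucketName: !Ref ConfigBucket

  # Step 2: Security Hub. DependsOn encodes the rule that Config recording
  # must exist before standards and controls are enabled. Default standards
  # are turned on; PCI DSS 3.2.1 is opted in explicitly by its standards ARN.
  SecurityHub:
    Type: AWS::SecurityHub::Hub
    DependsOn: [ConfigRecorder, ConfigDeliveryChannel]
    Properties:
      EnableDefaultStandards: true

  PciDssStandard:
    Type: AWS::SecurityHub::Standard
    DependsOn: SecurityHub
    Properties:
      StandardsArn: !Sub "arn:aws:securityhub:${AWS::Region}::standards/pci-dss/v/3.2.1"

  # Step 3: GuardDuty in the same account and Region. Its findings are sent
  # to Security Hub automatically once both services are enabled.
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES
```

Two practical checks after the stack is created: the Security Hub controls will show "No data" for up to the two hours mentioned above, which is expected rather than a misconfiguration, and AWS Config bills per recorded configuration item (see the pricing reference below), so `AllSupported: true` in a busy account is a cost decision as much as a coverage one.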


AWS Security Hub contains workflow tools so that your team can manage findings in one place and see the whole picture of the security status of the organisation's AWS platform.
References
See also:
- Amazon Web Services Cloud — Storage — Great summary whitepaper documentation
- Use Amazon GuardDuty and AWS Security Hub to secure multiple accounts — AWS re:Invent 2020: with best practices, and guidance to help structure and manage security across multiple AWS accounts.
- AWS Config FAQs — AWS documentation
- AWS Config Pricing — AWS Config bills separately for resource recording. For details, see this pricing page.
- PCI DSS Quick Reference Guide — Understanding the Payment Card Industry Data Security Standard version 3.2.1
- AWS Foundational Security — AWS Best Practices standard
- Center for Internet Security (CIS) Amazon Web Services Foundations Benchmark — CIS Benchmark for CIS Amazon Web Services Foundations Benchmark v1.2.0
- Accelerate deployments on AWS with effective governance — AWS Architecture Blog