Amazon Web Services Cloud Service-Specific Security


Not only is security built into every layer of the AWS infrastructure, but it is also built into each of the services available on that infrastructure. AWS Cloud services are architected to work efficiently and securely with all AWS networks and platforms.

AWS provides a variety of cloud-based computing services that include a wide selection of compute instances that can scale up and down automatically to meet the requirements of the application or enterprise.

Amazon Elastic Compute Cloud (Amazon EC2) Security

Amazon EC2 is a key component of Amazon’s Infrastructure as a Service (IaaS) offering: it provides resizable computing capacity using server instances in AWS data centers. Amazon EC2 is designed to make web-scale computing easier, with minimal friction, by letting us obtain and configure capacity on demand.

Multiple levels of security – Security within Amazon EC2 is provided on multiple levels: the operating system of the host platform, the virtual instance operating system (the guest operating system), a firewall, and signed API calls.

Hypervisor – Amazon EC2 at present uses a highly customized version of the Xen hypervisor, which takes advantage of paravirtualization (in the case of Linux guests). Because paravirtualized guests rely on the hypervisor to provide support for operations that normally require privileged access, the guest operating system has no elevated access to the CPU. The CPU provides four separate privilege modes, referred to as rings (0–3): Ring 0 is the most privileged and Ring 3 the least. The host operating system executes in Ring 0.

The following figure demonstrates instance isolation within Amazon EC2.

Firewall – The firewall can be configured in groups, which permits different classes of instances to have different rules. Take the case of a traditional three-tiered web application:

  • The group for the web servers would have port 80 (HTTP) and/or port 443 (HTTPS) open to the Internet.
  • The group for the application servers would have port 8000 (application-specific) accessible only to the web server group.
  • The group for the database servers would have port 3306 (MySQL) open only to the application server group.
  • All three groups would permit administrative access on port 22 (SSH), but only from the customer’s corporate network.

Highly secure applications can be deployed using this approach, which is depicted in the figure below.

Here, the ports we open, and for what duration and purpose, decide the level of security the firewall affords. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages applying additional per-instance filters with host-based firewalls such as iptables or the Windows Firewall, and with VPNs; these can help restrict both inbound and outbound traffic.
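The three-tier layout above, written out as the security-group rules it implies, together with a small audit that flags any group admitting the whole Internet on a port other than 80 or 443. This is an added example, not code from the original page or from AWS: it emits a CloudFormation template as JSON, assumes the VPC id arrives as a template parameter, and uses 203.0.113.0/24 (a documentation range) as a placeholder for the customer's corporate network.

```python
"""Three-tier security groups as a CloudFormation template, plus an audit.

Added example; not code from the original page or from AWS. Assumes the VPC id is
passed in as a template parameter and uses 203.0.113.0/24 (a documentation range)
as a placeholder for the customer's corporate network.
"""
import json

CORPORATE_CIDR = "203.0.113.0/24"  # placeholder: substitute the real corporate range
ANYWHERE_V4 = "0.0.0.0/0"
ANYWHERE_V6 = "::/0"


def tcp_from_cidr(port, cidr):
    """Ingress rule admitting TCP on one port from an IP range."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "CidrIp": cidr}


def tcp_from_group(port, logical_id):
    """Ingress rule admitting TCP on one port only from members of another group.
    Referencing the group rather than instance addresses keeps the rule correct
    as instances in the source tier are replaced or scaled."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "SourceSecurityGroupId": {"Ref": logical_id}}


def security_group(description, ingress):
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": description,
                           "VpcId": {"Ref": "VpcId"},
                           "SecurityGroupIngress": ingress}}


def three_tier_template(corporate_cidr=CORPORATE_CIDR):
    """Web tier open to the Internet on 80/443, app tier reachable only from web,
    database tier reachable only from app, SSH on all tiers only from corporate."""
    ssh = tcp_from_cidr(22, corporate_cidr)
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}},
        "Resources": {
            "WebSg": security_group("web tier", [tcp_from_cidr(80, ANYWHERE_V4),
                                                 tcp_from_cidr(443, ANYWHERE_V4), ssh]),
            "AppSg": security_group("application tier", [tcp_from_group(8000, "WebSg"), ssh]),
            "DbSg": security_group("database tier", [tcp_from_group(3306, "AppSg"), ssh]),
        },
    }


def audit_world_open(template, allowed_ports=(80, 443)):
    """Return (group, port) pairs that admit traffic from anywhere on a port
    outside allowed_ports; 'all' marks a rule with IpProtocol -1 (every port)."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            if rule.get("CidrIp") != ANYWHERE_V4 and rule.get("CidrIpv6") != ANYWHERE_V6:
                continue  # scoped to a CIDR or to another group: not world-open
            if rule["IpProtocol"] == "-1":
                findings.append((name, "all"))
                continue
            for port in range(rule["FromPort"], rule["ToPort"] + 1):
                if port not in allowed_ports:
                    findings.append((name, port))
    return findings


if __name__ == "__main__":
    tpl = three_tier_template()
    print(json.dumps(tpl, indent=2))
    print("findings:", audit_world_open(tpl))
    # Misconfigured variant: SSH opened to the whole Internet instead of the corporate range.
    print("misconfigured findings:", audit_world_open(three_tier_template(corporate_cidr=ANYWHERE_V4)))
```

The application and database groups never name an address at all: `SourceSecurityGroupId` ties the rule to membership of the upstream tier, which is what lets the design survive autoscaling. The audit is deliberately narrow (world-open ports only); the same loop is the natural place to add further organisation-specific checks.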

Networking

AWS also offers a wide range of networking services that let us create a logically isolated network that we define, establish a private network connection to the AWS Cloud, use a highly available and scalable Domain Name System (DNS) service, and deliver content to our end users with low latency and high data transfer speeds through a content delivery service.

Elastic Load Balancing Security

Elastic Load Balancing is used to manage traffic to Amazon EC2 instances; it distributes traffic to instances across all Availability Zones within a region. Elastic Load Balancing offers the benefits of an on-premises load balancer, together with several other security benefits –

  • It takes over the encryption and decryption work from the Amazon EC2 instances and manages it centrally on the load balancer.
  • It offers clients a single point of contact, which can also serve as the first line of defense against attacks on the customer’s network.
  • When used in an Amazon VPC, it supports the creation and management of security groups associated with Elastic Load Balancing, providing additional networking and security options.
  • It supports end-to-end traffic encryption using TLS (previously SSL) on networks that use HTTPS connections. When TLS is used, the TLS server certificate used to terminate client connections can be managed centrally on the load balancer instead of on every individual instance.

Note that HTTPS/TLS uses a long-term secret key to generate a short-term session key that the server and the browser use to encrypt their messages. Elastic Load Balancing configures the load balancer with a predefined cipher set that is used for TLS negotiation when a connection is established between a client and the load balancer. The predefined cipher set provides compatibility with a broad range of clients and uses strong cryptographic algorithms.
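The centralised TLS termination described above, as an added example that is not code from the original page or from AWS: it emits the two listeners of an Application Load Balancer as CloudFormation JSON (port 80 redirecting to HTTPS, port 443 terminating TLS with an explicitly chosen predefined cipher set), beside the weak variant (plaintext forwarded to the instances, no explicit policy), and an audit that tells the two apart. The load balancer, target group and ACM certificate ARNs are assumed to arrive as template parameters, and ELBSecurityPolicy-TLS13-1-2-2021-06 is assumed to be the predefined policy wanted here.

```python
"""HTTPS termination on an Application Load Balancer as CloudFormation, plus an audit.

Added example; not code from the original page or from AWS. Assumes the load
balancer, target group and ACM certificate ARNs arrive as template parameters,
and uses ELBSecurityPolicy-TLS13-1-2-2021-06 as the predefined cipher set.
"""
import json

LISTENER = "AWS::ElasticLoadBalancingV2::Listener"
# Predefined policies this audit accepts (assumption: choose for your own client
# base; the name is one of AWS's published policy names).
APPROVED_SSL_POLICIES = {"ELBSecurityPolicy-TLS13-1-2-2021-06"}


def listener(port, protocol, actions, **extra):
    props = {"LoadBalancerArn": {"Ref": "LoadBalancerArn"}, "Port": port,
             "Protocol": protocol, "DefaultActions": actions}
    props.update(extra)
    return {"Type": LISTENER, "Properties": props}


def http_redirect_listener():
    """Port 80 only redirects to HTTPS, so no application traffic stays in clear text."""
    return listener(80, "HTTP", [{"Type": "redirect",
                                  "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                                                     "StatusCode": "HTTP_301"}}])


def http_forward_listener():
    """The weak variant: plaintext HTTP forwarded straight to the instances."""
    return listener(80, "HTTP", [{"Type": "forward", "TargetGroupArn": {"Ref": "TargetGroupArn"}}])


def https_listener(ssl_policy):
    """Certificate and cipher set live on the load balancer, not on every instance."""
    extra = {"Certificates": [{"CertificateArn": {"Ref": "CertificateArn"}}]}
    if ssl_policy is not None:
        extra["SslPolicy"] = ssl_policy
    return listener(443, "HTTPS",
                    [{"Type": "forward", "TargetGroupArn": {"Ref": "TargetGroupArn"}}], **extra)


def listener_template(ssl_policy="ELBSecurityPolicy-TLS13-1-2-2021-06", redirect_http=True):
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {p: {"Type": "String"} for p in
                       ("LoadBalancerArn", "TargetGroupArn", "CertificateArn")},
        "Resources": {
            "HttpListener": http_redirect_listener() if redirect_http else http_forward_listener(),
            "HttpsListener": https_listener(ssl_policy),
        },
    }


def audit_listeners(template):
    """Flag HTTP listeners that do anything but redirect, and HTTPS listeners whose
    cipher set is not explicitly approved. A listener with no SslPolicy receives
    AWS's default policy; the audit treats that as unapproved so the choice is explicit."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != LISTENER:
            continue
        props = res["Properties"]
        actions = {a["Type"] for a in props.get("DefaultActions", [])}
        if props["Protocol"] == "HTTP" and actions != {"redirect"}:
            findings.append((name, "plaintext listener forwards traffic instead of redirecting to HTTPS"))
        elif props["Protocol"] == "HTTPS" and props.get("SslPolicy") not in APPROVED_SSL_POLICIES:
            findings.append((name, "SslPolicy %r is not in the approved set" % props.get("SslPolicy")))
    return findings


if __name__ == "__main__":
    good = listener_template()
    print(json.dumps(good, indent=2))
    print("findings:", audit_listeners(good))
    weak = listener_template(ssl_policy=None, redirect_http=False)
    print("weak findings:", audit_listeners(weak))
```

Only the HTTPS listener carries the certificate reference, which is the point the section makes: rotating the certificate or tightening the cipher set is a change to one resource rather than to every instance behind it.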
