AWS Storage Gateway Security
The AWS Storage Gateway service connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises IT environment and the AWS storage infrastructure.
Data transfer – Data is transferred asynchronously from the on-premises storage hardware to AWS over SSL.
Data storage – Data is stored encrypted in Amazon S3 using AES-256, a symmetric-key encryption standard with 256-bit keys. To minimize the amount of data sent over the Internet, AWS Storage Gateway uploads only data that has changed.
Database – AWS offers a number of database solutions for developers and businesses, from managed relational and NoSQL database services to in-memory caching as a service and a petabyte-scale data warehouse service.
Amazon DynamoDB Security
Amazon DynamoDB is a managed NoSQL database service that provides fast and predictable performance with seamless scalability. DynamoDB lets you offload the administrative burdens of operating and scaling distributed databases to AWS, so you do not have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling.
Amazon Relational Database Service (Amazon RDS) Security
Amazon RDS lets you create a relational database instance (DB instance) quickly and flexibly scale the associated compute resources and storage capacity to meet application demand. Amazon RDS manages the DB instance on your behalf by performing backups, handling failover, and maintaining the database software. At the time of this writing, Amazon RDS is available for the MySQL, Oracle, Microsoft SQL Server, MariaDB, Amazon Aurora, and PostgreSQL database engines.
DB security groups default to a deny-all mode, and you must explicitly authorize network ingress. This can be done in two ways:
- Authorizing a network IP range
- Authorizing an existing Amazon EC2 security group
DB security groups only allow access to the database server port (all other ports are blocked) and can be updated without restarting the Amazon RDS DB instance. Note that DB security groups are the mechanism for DB instances outside a VPC; DB instances launched into a VPC are protected by VPC security groups, which follow the same deny-by-default model and should likewise be limited to the database port and to known source ranges or security groups.
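The two authorization forms above (a CIDR range or an EC2 security group) are easy to get wrong in the one way that matters: opening the database port to 0.0.0.0/0, or opening a port other than the database port. The following is an added example, not code from the page or from AWS; it audits a constructed list of ingress rules against that baseline. The rule field names (`port`, `cidr`, `ec2_security_group`) and the security group id are this example's own, not an AWS API shape. To apply a rule for real you would use `aws rds authorize-db-security-group-ingress` with `--cidrip` or `--ec2-security-group-name`, which the example does not call because it is meant to run offline.

```python
import ipaddress

MYSQL_PORT = 3306

# Constructed ingress rules for a hypothetical DB security group, in the two
# forms the text describes: a network IP range, or an existing EC2 security group.
EXAMPLE_RULES = [
    {"port": 3306, "cidr": "10.0.0.0/16"},                      # VPC range: fine
    {"port": 3306, "ec2_security_group": "sg-0123456789abcdef0"},  # app tier SG: fine
    {"port": 3306, "cidr": "0.0.0.0/0"},                        # whole Internet: flag
    {"port": 22, "cidr": "10.0.1.0/24"},                        # not the DB port: flag
]


def audit_rules(rules, db_port):
    """Return (rule, reason) findings for rules that violate the baseline
    'only the database port, only from a bounded source'."""
    findings = []
    for rule in rules:
        port = rule.get("port")
        if port != db_port:
            findings.append((rule, f"opens port {port} instead of DB port {db_port}"))
            continue
        if "cidr" in rule:
            try:
                net = ipaddress.ip_network(rule["cidr"], strict=False)
            except ValueError:
                findings.append((rule, "source is not a valid CIDR"))
                continue
            # 0.0.0.0/0 and ::/0 both have a zero-length prefix.
            if net.prefixlen == 0:
                findings.append((rule, "source CIDR is the whole Internet"))
        elif "ec2_security_group" in rule:
            if not rule["ec2_security_group"].startswith("sg-"):
                findings.append((rule, "malformed EC2 security group id"))
        else:
            findings.append((rule, "rule has neither a CIDR nor an EC2 security group source"))
    return findings


def compliant_rules(rules, db_port):
    """The subset of rules that produced no finding, i.e. what should remain
    authorized after the audit."""
    flagged = {id(rule) for rule, _ in audit_rules(rules, db_port)}
    return [rule for rule in rules if id(rule) not in flagged]


if __name__ == "__main__":
    for rule, reason in audit_rules(EXAMPLE_RULES, MYSQL_PORT):
        print(f"FLAG {rule}: {reason}")
    print("keep:", compliant_rules(EXAMPLE_RULES, MYSQL_PORT))
```

Because DB security group changes take effect without restarting the instance, the rules an audit like this flags can be revoked immediately rather than waiting for a maintenance window.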
Running DB instances in a Multi-AZ deployment can further reduce the impact of a maintenance event, because Amazon RDS conducts maintenance in the following steps:
- Perform maintenance on standby.
- Promote standby to primary.
- Perform maintenance on old primary, which becomes the new standby.
When the Amazon RDS DB instance deletion API (DeleteDBInstance) is called, the DB instance is marked for deletion.
Application Services – AWS offers a variety of managed services to use with your applications, including services that provide application streaming, queuing, push notification, email delivery, search, and transcoding.
Amazon Simple Queue Service (Amazon SQS) Security
Amazon Simple Queue Service (Amazon SQS) is a highly reliable, scalable message queuing service that enables asynchronous message-based communication between distributed components of an application. The components can be computers, Amazon EC2 instances, or a combination of both. With Amazon SQS, you can send any number of messages to a queue at any time from any component.
- Data access – Access to Amazon SQS is granted based on an AWS account or a user created with IAM. Once authenticated, the AWS account has full access to all user operations; an IAM user has only the operations and queues that an IAM policy or a queue policy grants it.
- Encryption – Amazon SQS is accessible via SSL-encrypted endpoints, which are reachable both from the Internet and from within Amazon EC2. Data stored within Amazon SQS can be encrypted at rest using server-side encryption.
Amazon Simple Notification Service (Amazon SNS) Security
Amazon SNS is a web service that makes it easy to set up, operate, and send notifications from the cloud. It provides developers with a highly scalable, flexible, and cost-effective capability to publish messages from an application and immediately deliver them to subscribers or other applications.
- Data access – Amazon SNS provides access control mechanisms so that topics and messages are secured against unauthorized access. Topic owners can set policies on a topic that restrict who can publish to or subscribe to it.
Analytics Services – To help you process and analyze any volume of data, AWS provides cloud-based analytics services, whether you need managed Hadoop clusters, real-time streaming data, petabyte-scale data warehousing, or orchestration.
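The SQS "data access" bullet and the SNS topic-policy bullet describe the same mechanism, a resource policy on the queue or topic, so one added example (not code from the page, from AWS, or from any project it names) covers both. It builds an SNS topic policy that lets only a named principal publish, and an SQS queue policy that lets the SNS service deliver to the queue only on behalf of one specific topic (the `aws:SourceArn` condition is what stops any other topic in any account from writing into the queue). It then checks a policy for the classic mistake, an Allow statement with a wildcard principal and no Condition, which makes the resource public. The account id, ARNs and Sids are constructed for the example.

```python
import json

# Constructed identifiers for this example; not from the text.
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:order-events"
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:order-worker"
PUBLISHER_ROLE_ARN = "arn:aws:iam::111122223333:role/order-service"


def sns_topic_policy(topic_arn, publisher_arns):
    """Topic policy: only the named IAM principals may publish to the topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowNamedPublishers",
            "Effect": "Allow",
            "Principal": {"AWS": list(publisher_arns)},
            "Action": "sns:Publish",
            "Resource": topic_arn,
        }],
    }


def sqs_queue_policy_for_topic(queue_arn, topic_arn):
    """Queue policy: the SNS service may SendMessage, but only when the
    delivery originates from the one topic named in aws:SourceArn."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSnsDeliveryFromOneTopic",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }


def _is_wildcard_principal(principal):
    """True for the two spellings of 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy):
    """Sids of Allow statements that any caller on the Internet can satisfy:
    wildcard principal with no Condition narrowing it down."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy["Statement"]
        if stmt.get("Effect") == "Allow"
        and _is_wildcard_principal(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]


def render(policy):
    """Serialize a policy the way the SQS/SNS Policy attribute expects it."""
    return json.dumps(policy, indent=2)


# Constructed 'weak' policy of the kind that accidentally makes a queue world-writable.
WORLD_WRITABLE_QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanSend",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:SendMessage",
        "Resource": QUEUE_ARN,
    }],
}

if __name__ == "__main__":
    print(render(sns_topic_policy(TOPIC_ARN, [PUBLISHER_ROLE_ARN])))
    print(render(sqs_queue_policy_for_topic(QUEUE_ARN, TOPIC_ARN)))
    print("public statements in weak policy:", public_statements(WORLD_WRITABLE_QUEUE_POLICY))
```

The rendered documents are what you would pass as the `Policy` attribute through `set_topic_attributes` (SNS) and `set_queue_attributes` (SQS) in boto3; the example does not make those calls so that it runs offline.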
Amazon EMR Security
Amazon EMR is a managed web service that you can use to run Hadoop clusters that process vast amounts of data by distributing the work and data among several servers. It uses an enhanced version of the Apache Hadoop framework running on the web-scale infrastructure of Amazon EC2 and Amazon S3.
Amazon Kinesis Security
Amazon Kinesis is a managed service designed to handle real-time streaming of big data. It can accept virtually any amount of data, from any number of sources, scaling up and down as needed. You can use Amazon Kinesis in situations that call for large-scale, real-time data ingestion and processing, such as server logs, social media, market data feeds, and web clickstream data. Applications read and write data records to Amazon Kinesis in streams. You control logical access to Amazon Kinesis resources and management functions by creating users under your AWS account using IAM and controlling which Amazon Kinesis operations those users have permission to perform.
Deployment and Management Services
AWS provides a variety of tools to help with the deployment and management of applications. This includes services that allow you to create individual user accounts with credentials for access to AWS Cloud services.
AWS Identity and Access Management (IAM) Security
IAM lets you create multiple users and manage the permissions for each of these users within your AWS account. A user is an identity (within an AWS account) with unique security credentials that can be used to access AWS Cloud services. IAM thus eliminates the need to share passwords or keys and makes it easy to enable or disable a user's access as appropriate. IAM is integrated with AWS CloudFormation. More information on AWS CloudFormation can be found in Chapter 8, "Application Deployment and Management".
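The Kinesis passage above says access is controlled by deciding which Kinesis operations an IAM user may perform, and the IAM passage says each user carries its own credentials and permissions. The following added example (mine, not code from the page or from AWS) makes that concrete with a least-privilege producer policy that allows only the two write operations on one stream, an over-broad `kinesis:*` policy beside it, and a deliberately simplified IAM evaluator that shows which operations each one permits. The evaluator implements the core rules (default deny, explicit Deny wins, `*`/`?` wildcards, case-insensitive action names); it ignores Condition, NotAction and NotResource, which is an assumption stated here and in the code. The stream ARN and account id are constructed.

```python
import fnmatch

# Constructed identifiers for this example; not from the text.
STREAM_ARN = "arn:aws:kinesis:us-east-1:111122223333:stream/clickstream"

# Least-privilege producer: only the write operations, only on one stream.
PRODUCER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kinesis:PutRecord", "kinesis:PutRecords"],
        "Resource": STREAM_ARN,
    }],
}

# Over-broad policy that 'just works' but also lets the user read and delete streams.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kinesis:*", "Resource": "*"}],
}

KINESIS_OPERATIONS = [
    "kinesis:PutRecord", "kinesis:PutRecords", "kinesis:GetRecords",
    "kinesis:GetShardIterator", "kinesis:DeleteStream",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    # IAM treats '*' and '?' as wildcards; action names are case-insensitive,
    # resource ARNs are not.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policies, action, resource):
    """Simplified IAM evaluation (assumption: no Condition, NotAction or
    NotResource): default deny; any matching explicit Deny wins; otherwise
    allowed if some statement matches both action and resource."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
            resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def privilege_report(policies, actions, resource):
    """Map each operation to whether the given policies allow it on the resource."""
    return {action: is_allowed(policies, action, resource) for action in actions}


if __name__ == "__main__":
    for name, policy in (("producer", PRODUCER_POLICY), ("admin", ADMIN_POLICY)):
        print(name, privilege_report([policy], KINESIS_OPERATIONS, STREAM_ARN))
```

A policy like `PRODUCER_POLICY` would be attached to the producer's IAM user or role; the report makes visible that the `kinesis:*` version also grants `DeleteStream`, which is the kind of excess a per-user permission model exists to avoid.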
Mobile Services – AWS mobile services make it easier to build, ship, run, monitor, optimize, and scale cloud-powered applications for mobile devices. These services also help you authenticate users to your mobile application, synchronize data, and collect and analyze application usage.
Amazon Cognito Security – Amazon Cognito provides identity and sync services for mobile and web-based applications. It simplifies the task of authenticating users and storing, managing, and syncing their data across multiple devices, platforms, and applications. It provides temporary, limited-privilege credentials for both authenticated and unauthenticated users without requiring you to manage any back-end infrastructure.
Applications – AWS applications are managed services that enable you to provide your users with secure, centralized storage and work areas in the cloud.
Amazon WorkSpaces Security
Amazon WorkSpaces is a managed desktop service that allows you to provision cloud-based desktops for your users quickly. Simply choose the Windows 7 or Windows 10 bundle that best meets your users' needs and the number of WorkSpaces you would like to launch. Once the WorkSpaces are ready, users receive an email informing them where they can download the relevant client and log in to their WorkSpace. They can then access their cloud-based desktops from a variety of endpoint devices, including PCs, laptops, and mobile devices.