AWS Shared Responsibility

 

Security and compliance are a shared responsibility between AWS and the customer.

AWS is responsible for securing the underlying infrastructure that runs all of the services offered in the AWS Cloud.

The customer is responsible for anything they put in the cloud or connect to the cloud.

AWS is responsible for Security of the Cloud :

  • Protecting the global infrastructure: the hardware, software, networking and facilities that run AWS services.
  • Protecting the physical AWS services and resources from external attack.
  • Patching and securing the underlying platform of managed services such as Amazon DynamoDB, RDS, Redshift and EMR, so the customer only configures the service itself.
  • Operating, managing and controlling the components from the host operating system and virtualization layer down to the physical security of the facilities.

The customer is responsible for Security in the Cloud :

  • Authentication, authorization, integrity and encryption of client-side data.
  • Server-side encryption of data, either at the file-system level or directly in the data store.
  • Configuration of the network and of network controls such as firewalls, NACLs (network access control lists) and security groups.
  • Deploying, configuring and maintaining security baselines for the AWS services they use (for example, patching the guest operating system on EC2 instances and managing IAM users and permissions).

[Image: AWS Shared Responsibility Model diagram (shared_resp.jpg)]

Visit: Shared Responsibility Model – AWS

Cloud Terminology

# High availability

High availability refers to a system or component that operates continuously without failure for a longer period than normal. Availability is usually expressed as a percentage of uptime in a given year (for example, 99.99%). High availability is a relative target; it does not mean “100% operational” or “never failing.”

 

# Fault tolerant

Fault tolerance is the capability of a component or computer system to respond to an unexpected hardware or software failure by delivering uninterrupted service and continuing to operate correctly even when some of its components fail.

# Scalability

Scalability is the capability of a system, network, or process to handle an increasing amount of work (load), or its potential to be enlarged to accommodate that growth in load.

# Elasticity

Elasticity is the ability to adapt to workload changes by provisioning and de-provisioning resources automatically, so that at each point in time the available resources match the current demand as closely as possible.

AWS CLI Installation

The easiest way to install the AWS CLI is with pip, the package manager for Python, which installs, upgrades and removes Python packages and their dependencies. Note that pip installs AWS CLI version 1; AWS now recommends version 2, which ships as a standalone installer rather than a pip package, although the configuration steps below are the same for both.

Install Python pip

CentOS :
sudo yum update -y
sudo yum install -y python-pip
Ubuntu :
sudo apt-get update -y
sudo apt-get install -y python-pip

Install AWS CLI using pip

pip install awscli --upgrade --user

The --upgrade option tells pip to upgrade any requirements that are already installed.
The --user option tells pip to install the program into a subdirectory of your home directory, so that libraries used by the operating system are not modified.

Add the executable path (~/.local/bin) to your PATH variable by appending the following line to ~/.bash_profile:
export PATH=$PATH:~/.local/bin
Then load the profile into your current session:
source ~/.bash_profile
Verify that the AWS CLI installed correctly by running aws --version.
aws --version
aws-cli/1.16.19 Python/2.7.5 Linux/3.10.0-862.11.6.el7.x86_64  botocore/1.12.9

Configure AWS CLI

To access AWS services from the CLI you need to provide an access key and secret key along with a default region. This is done with the aws configure subcommand. Use keys that belong to an IAM user with only the permissions it needs (or temporary credentials obtained through a role); never use the account's root user keys on a workstation.

$ aws configure
AWS Access Key ID [None]: XXXXXXXXXXXXXXXXXXXX
AWS Secret Access Key [None]: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Default region name [None]: us-east-1
Default output format [None]: json

Here us-east-1 is the default region and the default output format is JSON; text and table output formats are also available.

The aws configure command creates two files under the .aws directory in your home directory: config holds the region and output format, and credentials holds the keys. The secret key is stored in plaintext, so keep the credentials file readable only by your user (mode 600) and never commit it to version control.

ls ~/.aws/
config credentials
cat config 
[default]
output = json
region = us-east-1
cat credentials 
[default]
aws_access_key_id = XXXXXXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Verify the AWS CLI configuration

List the regions available to the account:
aws ec2 describe-regions
{
    "Regions": [
        {
            "Endpoint": "ec2.ap-south-1.amazonaws.com", 
            "RegionName": "ap-south-1"
        }, 
        {
            "Endpoint": "ec2.eu-west-3.amazonaws.com", 
            "RegionName": "eu-west-3"
        }, 
        {
            "Endpoint": "ec2.eu-west-2.amazonaws.com",
            "RegionName": "eu-west-2"
        }, 
        .....
        .....
        {   "Endpoint": "ec2.us-west-2.amazonaws.com", 
            "RegionName": "us-west-2" 
        } 
    ] 
}
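The two files created by aws configure are the whole of the CLI's local trust: anyone who can read credentials can act as that IAM principal, so the files deserve a check of their own. (For the keys themselves, aws sts get-caller-identity shows which account and principal they belong to, which is a more informative first check than describe-regions.) The script below is an example added here, not part of the original page: it inspects a credentials-style file offline, checks its permission bits, lists the profile names, flags profiles that hold a long-lived key (an access key with no session token, the kind that should be rotated or replaced by a role) and prints a redacted view that is safe to paste into a ticket. The file contents and key values are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the page): inspect an ~/.aws/credentials-style file
# without ever printing a secret. Demonstrated on a constructed temp file.
set -eu

# file_mode FILE -> octal permission bits ("600"); GNU stat first, BSD stat as fallback
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_aws_credentials FILE -> returns 0 only when nobody but the owner can read it
check_aws_credentials() {
    mode=$(file_mode "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "WARNING: $1 has mode $mode; fix with: chmod 600 $1" >&2; return 1 ;;
    esac
}

# aws_profiles FILE -> profile (section) names, one per line
aws_profiles() {
    sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# long_term_key_profiles FILE -> profiles holding an access key with no session
# token, i.e. long-lived IAM user keys rather than temporary credentials
long_term_key_profiles() {
    awk '
        function flush() { if (sec != "" && haskey && !hastoken) print sec; haskey = 0; hastoken = 0 }
        /^\[.*\]$/ { flush(); sec = substr($0, 2, length($0) - 2); next }
        /^[ \t]*aws_access_key_id[ \t]*=/ { haskey = 1 }
        /^[ \t]*aws_session_token[ \t]*=/ { hastoken = 1 }
        END { flush() }
    ' "$1"
}

# redact_credentials FILE -> the file with secrets masked; the key id keeps its
# first four characters (AKIA/ASIA prefix) so the key type is still recognisable
redact_credentials() {
    sed -E \
        -e 's/^(aws_secret_access_key[[:space:]]*=[[:space:]]*).*/\1****/' \
        -e 's/^(aws_session_token[[:space:]]*=[[:space:]]*).*/\1****/' \
        -e 's/^(aws_access_key_id[[:space:]]*=[[:space:]]*)(....).*/\1\2****/' \
        "$1"
}

# --- demonstration on a constructed file (fake keys, not real credentials) ---
demo=$(mktemp)
cat > "$demo" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLE0000000000
aws_secret_access_key = SECRET0000000000000000000000000000000000

[session]
aws_access_key_id = ASIAEXAMPLE0000000000
aws_secret_access_key = SECRET0000000000000000000000000000000000
aws_session_token = TOKEN0000
EOF
chmod 644 "$demo"                                   # deliberately too open
check_aws_credentials "$demo" || chmod 600 "$demo"  # warns, then tightens
echo "profiles:          $(aws_profiles "$demo" | tr '\n' ' ')"
echo "long-term key in:  $(long_term_key_profiles "$demo" | tr '\n' ' ')"
redact_credentials "$demo"
rm -f "$demo"
```

Run it against the real file with check_aws_credentials ~/.aws/credentials; a profile reported by long_term_key_profiles is a standing credential that should be rotated on a schedule or replaced by a role or SSO session, because leaking it grants access until someone notices.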

How to access an EC2 instance without a .pem file.

Here are the steps to log in to an EC2 instance with a password instead of the .pem key. Keep in mind that password authentication exposes SSH to credential guessing from the whole internet, so keep key-based login where you can and restrict inbound port 22 in the instance's security group to known addresses.

Login into Ec2 instance with .pem file.

$ ssh -i "aws-key.pem" ec2-user@ec2-35-154-198-16.ap-south-1.compute.amazonaws.com

Create a new user with a strong password for accessing the EC2 instance. passwd has to run as root (via sudo) to set another user's password; as root it accepts a weak password after a BAD PASSWORD warning, as in the transcript below, so treat that warning as a reason to pick a longer passphrase.

$ sudo useradd USER_NAME
$ sudo passwd USER_NAME
Changing password for user USER_NAME.
New password: 
BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic
Retype new password: 
passwd: all authentication tokens updated successfully.
$

Add the user to the sudoers file: run visudo and append the line below.

$ sudo visudo

USER_NAME ALL=(ALL) ALL

Enable password authentication by editing /etc/ssh/sshd_config file.

Initial Configuration:

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

Change to below configuration:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
#PasswordAuthentication no

That is, comment out the PasswordAuthentication no line and uncomment the PasswordAuthentication yes line.

Restart sshd service.

# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
#

Now log out of the instance and log in with your password.

$ ssh USER_NAME@ec2-35-154-198-16.ap-south-1.compute.amazonaws.com

It will prompt for the password. Enter it and press Enter.
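The sshd_config change above is a hand edit of one stanza. The script below is an example added here, not code from the original page: it makes the same change idempotently on a copy of the file (one active line for the keyword, every commented or duplicate line removed) and also shows a narrower alternative the page does not describe, which leaves the global setting at no and enables password authentication only for the new user through a Match User block. Because every directive after a Match line applies only to that match, the helper inserts global directives above the first Match block. The file contents are a constructed copy of the stanza quoted above, USER_NAME stands for the account created earlier, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): idempotent edits to a COPY of sshd_config.
# Point it at /etc/ssh/sshd_config only with sudo and after trying it on a copy.
set -eu

# set_sshd_option FILE KEY VALUE
# Drops every existing global line for KEY, active or commented out, and writes
# "KEY VALUE" exactly once, above the first "Match" block so it stays global.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        !inmatch && $0 ~ ("^[# \t]*" key "[ \t]") { next }
        !inmatch && /^[ \t]*Match[ \t]/ { print key " " value; inmatch = 1 }
        { print }
        END { if (!inmatch) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place so the file keeps its mode and owner
    rm -f "$tmp"
}

# allow_password_for FILE USER
# Narrower alternative to the global switch: keep "PasswordAuthentication no"
# for everyone and enable it for a single account. Idempotent.
allow_password_for() {
    file=$1; user=$2
    grep -q "^Match User $user\$" "$file" && return 0
    printf '\nMatch User %s\n    PasswordAuthentication yes\n' "$user" >> "$file"
}

# global_value FILE KEY -> the active global value of KEY (empty if unset);
# stops at the first Match block, the same boundary sshd uses for global scope
global_value() {
    awk -v key="$2" '/^[ \t]*Match[ \t]/ { exit } $1 == key { v = $2 } END { print v }' "$1"
}

# --- demonstration on a constructed copy of the stanza quoted on the page ---
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

# 1. What the page does: turn password logins on for every account.
set_sshd_option "$cfg" PasswordAuthentication yes
echo "global PasswordAuthentication = $(global_value "$cfg" PasswordAuthentication)"

# 2. Tighter variant: password login for one user, keys for everyone else,
#    root login disabled. The PermitRootLogin line lands above the Match block.
set_sshd_option "$cfg" PasswordAuthentication no
allow_password_for "$cfg" USER_NAME
set_sshd_option "$cfg" PermitRootLogin no
cat "$cfg"
rm -f "$cfg"
```

Before restarting sshd, validate the result with sudo sshd -t: a configuration error makes the daemon fail to start and new logins impossible, although existing sessions survive. On newer images the file may begin with an Include of /etc/ssh/sshd_config.d/*.conf, and since sshd keeps the first value it reads for each keyword, a drop-in file there takes precedence over an edit to the main file.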