AWS Recap – S3, Security Groups, EIPs

Also read GCP Cloud Storage Basics and S3 for database backups

S3 access over VPN?

No. S3 cannot be isolated s3 at a network level. Access control is done using Bucket Policies, IAM policies or ACLs (Access control lists).

S3  access

• For external access to S3  – Need a programmatic user (in IAM) – so we can get an access key and secret
• S3 is over ports 80 and 443.
• S3 – Cloudberry Desktop Explorere and Cloudberry LabDrive (Map an on prem drive to S3)
• Change Storage Class – aws s3 cp s3://BUCKET/KEY s3://BUCKET/KEY –storage-class STANDARD_IA
• Rename? I think only way is to create a new bucket with correct name and then copy all your objects from old bucket to new bucket. You can do it using Aws CLI.

SGs versus NACLS

Security Groups are:

1. AT INSTANCE LEVEL
2. Stateful  — easier to manage, by just setting rules for one direction.
3. VPC Scoped — work in any AZ or Subnet
4. Allow rules only — everything is implicitly denied
5. Rules processed together as a group
6. Rules processed at the ENI layer

NACLS are:

1. AT SUBNET LEVEL
2. Stateless — Inbound and Outbound rules must always be configured.
3. Subnet Scoped –Must be explictly associated to one or more subnets
4. Allow and Deny rules both
5. Rules processed in order — when a rule is matched, no rules further down the list are evaluated
6. Rules processed at the subnet boundary

ADFS Based Server Claims – Federated Logins to AWS REsources

https://aws.amazon.com/blogs/security/how-to-establish-federated-access-to-your-aws-resources-by-using-active-directory-user-attributes/

EC2 Recap – Monitoring, Moving EC2 Instances

1. Moving between AZ? – Create an AMI. Launch from AMI from AMI menu and choose new AZ.

2. While AWS security groups are normally associated with instances on start up, you can also add or remove them from running instances through the AWS Console. Again, go to ‘EC2 > Instances’, select the instance you want to modify, and click Actions > Networking > Change Security Groups’.

3. Detailed vs Basic Monitoring – Basic – Data is available automatically in 5-minute periods at no charge.

Detailed – Data is available in 1-minute periods for an additional cost. To get this level of data, you must specifically enable it for the instance. For the instances where you’ve enabled detailed monitoring, you can also get aggregated data across groups of similar instances.

4. RIs  – Ec2 menu

1. In the left navigation pane, choose “Reserved Instances”.
2. Choose “Purchase Reserved Instances”

For information about pricing, see the Amazon CloudWatch product page.

Elastic IPs (is a Public IP)

• Up to 5 EIPs per account
• An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.

An Elastic IP address doesn’t incur charges as long as the following conditions are true:

• The Elastic IP address is associated with an EC2 instance.
• The instance associated with the Elastic IP address is running.
• The instance has only one Elastic IP address attached to it.

The Enable auto-assign public IPv4 address check box, if selected, requests a public IPv4 address for all instances launched into the selected subnet.

Summary

This was meant to be a quick recap of some of the details around AWS services – particularly S3 and EC2. EIPs and ADFS based federation is also briefly included

Need an experienced Cloud Networking or a Cloud Data Protection Expert?  Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.