• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 438
  • Last Modified:

AWS EC2 security addons encryption security


     I am trying to save myself some research related to cloud security for AWS.  I am looking for either AWS or solutions beyond AWS.  Solutions like CipherCloud are in scope.  Here are some topics, but open to other suggestions.

1. Hard Drive like encryption - Is there anything that can encrypt the OS for cloud instances of OS's?  I suspect not, but I am asking anyway.
2. CloudTrail - I know AWS can store logs, but what kind of analytics can come out of that?
3. How does one transfer out of the cloud if it is a requirement?
4. Any other interesting cloud services or addons?  I know HSM
4 Solutions
Phil PhillipsDirector of DevOps & Quality AssuranceCommented:
1.  You can encrypt on the storage layer (Elastic Block Store) level.  To the instances, the volume will look like any other, but the data will be encrypted in-transit between the instance and EBS.  Amazon has pretty good documentation on this: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

2.  CloudTrail can pretty much store all of API calls made to AWS.  This includes anything you do through the AWS console.  For example, when you add/remove/modify instances, a record is stored by CloudTrail.  The main use is for auditing changes to your environment.

3. It depends what you mean by transfer.  If it's raw data, then it's not really any different than a physical machine.  You can use your preferred method of moving data around (archive, rsync, etc).

4. AWS Config is another good service for security auditing.  It allows you to keep track of inventory + configuration history.  Amazon also offers a Key Management System that you can use to create and control encryption keys.
btanExec ConsultantCommented:
1. Specific to OS encryption I believe it is still the disk or volume encryption and layered with file encryption. Hence, AWS volume encryption fits this since all are VM instance and they can be encrypted at volume. The scheme differs in various Model types. Varied implementation in term of key management
e.g. you own everything (include key and platform etc),
e.g. you own the key only
e.g. you own nothing.

Catch pg 18 for the quick summary for AWS solution to encrypt this, it helps in a glance which Model is suitable and available in AWS suite. http://d0.awsstatic.com/whitepapers/AWS_Securing_Data_at_Rest_with_Encryption.pdf

Here is another example, e.g. Encrypting Ephemeral Storage and EBS Volumes on Amazon EC2

2. Indeed Cloudtrail is logging all the API calls made on your account, it fits more of compliance rather than Analytics. the latter required information, like past, and current to enhance awareness of the next experience of predicted actions. Huge logs or data supposed to carry those bit and pieces for the analytic s/w to chunk out intelligence based on their data, meta data and semantics. in my view, Cloudtrail is just another source of contributor to log... the analytic s/w can be such as https://www.cloudlytics.com/

3. CloudTrail delivers log files to your S3 bucket approximately every 5 minutes. CloudTrail does not deliver log files if no API calls are made on your account. The log file should be available from the CLI (with rights granted)

You can also monitor Log files with Amazon CloudWatch Logs. E.g. CloudTrail integration with CloudWatch Logs delivers API activity captured by CloudTrail to a CloudWatch Logs log stream in the CloudWatch Logs log group you specify. You can use CloudWatch Logs to archive log data and should be accessible as well in its CLI e.g.

The overall CLI blog can be handy - http://blogs.aws.amazon.com/cli/

For info, you can configure the EC2Config service to send a variety of data and log files to CloudWatch including: custom text logs, Event (Application, Custom, Security, System) logs, Event Tracing (ETW) logs, and Performance Counter (PCW) data.  http://aws.amazon.com/cloudwatch/faqs/

Eventually I believe it is the AWS Import/Export - that may be the one moving large amounts of data into and out of the AWS cloud using portable storage devices for transport. http://aws.amazon.com/importexport/

I did not delve further in this aspects likewise for the specific CLI and files though..but someone shared experience

4. Amazon AWS Identity and Access Management (IAM) worth checking out though can be slightly out of the "encryption" discussion here, where I come from is the privileged account mgmt so that abuse and tamper can be monitored and centrally monitor at the apps and system level with granularity.

probably other is see how architecture fits the compliance at global security standard, not that straightforward considering the amount of controls in NIST SP800-53 as an example...

Minor bit may include Amazon RDS for Microsoft SQL Server now supports the use of Transparent Data Encryption (TDE). AWS CloudHSM and on-premises SafeNet Luna SA HSMs are supported in Amazon Redshift
Here is what we found while implementing the Sumologic CloudTrail application for our customers:
* A bug in the production deployment system that caused 30,00 daily extra calls to the AWS API.
* An unauthorized usage of EC2 resources - a night shift devops was spinning up to 50 temporary EC2 instances to run some code for his thesis.
* Hijacking of an AWS account, manifested by logins from unlikely locations. A PC was found with keylogger software.

So yeah, CloudTrail can be very important for your business.

To transfer out of a cloud, you have to give up many addons and most everything that is interesting, or at least make it a non-critical part of the architecture.

For example, let's assume that you use RDS, the AWS database as a service.
You can always spin up database servers elsewhere, anywhere, and migrate your databases over to the new location.
However, if your business SLA depends on the high availability and DR capabilities built into the RDS service, then you will have to replicate these capabilities elsewhere, and that is painful to even think about.

The beautiful thing about AWS is not the fact that they spin up servers, storage and bandwidth on demand. Any VPS vendor does that, and Amazon did not invent this wheel.
The beautiful thing is the entire datacenter ecosystem and solutions catalog, like backup, vpc, permissions, HA. This is the real value Amazon brings to the table, the fact that a small firm has enterprise grade datacenter management solutions on demand.

Regarding other interesting cloud services or addons: there is a lot of those, but they are mostly meaningless to a systems person. Things like SQS, SNS, Kinesis, Mobile Analytics, RedShift.
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

btanExec ConsultantCommented:
Some thoughts:-

AWS is really no different from any other Cloud provider, probably they are the leading one of the few pioneer. the suite varies and lately (or have been earlier) they are into security and compliance. Logs exported likely need to via some connector APIs to run through wire to pipe (in near real time) to your SOC/NOC. I seen through projects doing such scope but met long haul in milestones though it eventually still work out practical means that is still secure in fashion. It can be easy feat now since AWS likely has such expertise with Govt folks ...to extend of a SOC (using SIEMS) to get log real time.

However, besides the key mgmt not within user premise is and still a concern to end user - you cannot control what you do not possess or even see within the boundary of trust. AWS can work out dedicated network connection from your premises to AWS via its Direct Connect and safeguarded with boundary construct via VPC, but we still still very much still rely in black and white writing the need for AWS assurance since we (and your stakeholder) is overall responsible for such engagement.

Thus AWS is big time on compliance. You can see it from their listing. http://aws.amazon.com/compliance/ 
This is likely the pull factor (or their plus) compared to others targeting public and govt services. There is the "AWS GovCloud" (http://aws.amazon.com/govcloud-us/)
There is also thoughts (or concern) from other to still helm data within country but need to balance the the purpose of high availability (meaning having local AWS POPs) and not being too restricted.
awakeningsAuthor Commented:
Folks, I became busy for a couple of days, but I've quickly gotten up to speed with many of the solutions.  I've checked into some of the solutions you recommend and they are all very helpful.  Thanks everyone for the fantastic input!  It is all greatly appreciated!

awakeningsAuthor Commented:
Thank you for fantastic feedback!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now