DAB 202 IT Service Management (Week 2) PDF

Summary

These lecture notes cover IT service management, focusing on Amazon Web Services (AWS) Global Infrastructure, security, and related topics. The notes include various diagrams and information about different AWS services.

Full Transcript

DAB 202 IT Service Management, Week 2

AWS Global Infrastructure

AWS Global Infrastructure
▪ AWS is deployed across the globe
▪ The infrastructure is built around
  – AWS Regions
  – Multiple Availability Zones within a Region
  – Data centers in the Availability Zones
▪ Global infrastructure improves latency (the delay between an action and a response)
▪ Each Region is completely isolated from the other Regions
▪ Place instances and store data within multiple AWS Regions as well as across multiple Availability Zones within each AWS Region
▪ Availability Zones are physically separated within a typical metropolitan region and are located in lower-risk flood plains
▪ https://aws.amazon.com/about-aws/global-infrastructure/

AWS Global Infrastructure
▪ Availability Zones (AZs) are independent of each other in network and power sources
▪ A Region is made up of two or more Availability Zones
▪ Many Availability Zones belong to a Region
▪ You should choose the Region closest to your end users
▪ Prices and SLAs are not identical across all Regions

Regions & Availability Zones (diagram). Source: https://cloudacademy.com/blog/aws-global-infrastructure/

AWS Global Infrastructure
▪ Compliance requirements may dictate which Region you use.
▪ High availability may be achieved by placing duplicate copies of resources in multiple Availability Zones or Regions
▪ Resiliency: the ability to provide uninterrupted performance during natural disasters
  – Disaster Recovery (DR)
▪ Redundancy: having multiple copies of data in different data centers

AWS Regions and Availability Zones
▪ https://aws.amazon.com/about-aws/global-infrastructure/
▪ https://aws.amazon.com/about-aws/global-infrastructure/regions_az/
▪ https://www.youtube.com/watch?v=RPis5mbM8c8

Content Delivery Network (CDN)
▪ Data is dispersed geographically and stored near consumers for faster access.
AWS CloudFront
▪ CloudFront is a global Content Delivery Network (CDN)
▪ Sees where the user is based and routes their traffic to the closest cached location to give the quickest loading time
▪ Content is delivered based on the location of the user, the origin of the website/application, and the location of the content delivery server
▪ Integrates with many AWS services to provide optimal performance and security

AWS CloudFront
▪ Uses edge locations all around the world to cache resources for quicker retrieval by users close to the edge locations
▪ Makes loading websites/apps faster for end users by using edge locations to cache files and resources
▪ https://aws.amazon.com/cloudfront/

Security

AWS Well-Architected Framework: Security
Well-Architected Framework Security Pillar Design Principles
  – Implement a strong identity foundation
  – Enable traceability
  – Apply security at all layers
  – Automate security best practices
  – Protect data in transit and at rest
  – Keep people away from data
  – Prepare for security events
https://docs.aws.amazon.com/pdfs/wellarchitected/latest/security-pillar/wellarchitected-security-pillar.pdf#welcome

The Shared Responsibility Model & Security
▪ Cloud Service Providers (CSPs) are responsible for security OF the cloud:
  – Data center
  – Data isolated between businesses
  – Network security within the data center
▪ Cloud consumers are responsible for security IN the cloud:
  – Direct user access to data (permissions)
  – Backup and restoration of data

AWS Security & Compliance
▪ The AWS Cloud enables a shared responsibility model. While AWS manages security of the cloud, you are responsible for security in the cloud.
▪ You retain control of the security you choose to implement to protect your own content, platform, applications, systems, and networks, no differently than you would in an on-site data center.
▪ AWS provides security-specific tools and features across network security, configuration management, access control, and data encryption.
▪ AWS environments are continuously audited, with certifications from accreditation bodies.
▪ https://aws.amazon.com/security/

AWS Shared Responsibility Model (diagram). Source: https://aws.amazon.com/compliance/shared-responsibility-model/

Cloud Service Models

AWS responsibility: Security of the cloud
AWS responsibilities:
▪ Physical security of data centers
  – Controlled, need-based access
▪ Hardware and software infrastructure
  – Storage decommissioning, host operating system (OS) access logging, and auditing
▪ Network infrastructure
  – Intrusion detection
▪ Virtualization infrastructure
  – Instance isolation
(Diagram: AWS services, i.e. Compute, Storage, Database, and Networking, built on the AWS Global Infrastructure of Regions, Availability Zones, and Edge locations.)
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Customer responsibility: Security in the cloud
Customer responsibilities:
▪ Amazon Elastic Compute Cloud (Amazon EC2) instance operating system
  – Including patching, maintenance
▪ Applications
  – Passwords, role-based access, etc.
▪ Security group configuration
▪ OS or host-based firewalls
  – Including intrusion detection or prevention systems
▪ Network configurations
▪ Account management
  – Login and permission settings for each user
(Diagram, customer-configurable layers: Customer data; Applications, IAM; Operating system, network, and firewall configuration; Client-side data encryption and data integrity authentication; Server-side encryption (file system or data); Network traffic protection (encryption, integrity, identity).)
Service characteristics and security responsibility (1 of 2)
Infrastructure as a service (IaaS)
▪ Customer has more flexibility over configuring networking and storage settings
▪ Customer is responsible for managing more aspects of the security
▪ Customer configures the access controls
Example services managed by the customer: Amazon EC2, Amazon Elastic Block Store (Amazon EBS), Amazon Virtual Private Cloud (Amazon VPC)

Platform as a service (PaaS)
▪ Customer does not need to manage the underlying infrastructure
▪ AWS handles the operating system, database patching, firewall configuration, and disaster recovery
▪ Customer can focus on managing code or data
Example services managed by AWS: AWS Lambda, Amazon Relational Database Service (Amazon RDS), AWS Elastic Beanstalk

Service characteristics and security responsibility (2 of 2)
Software as a service (SaaS)
▪ Software is centrally hosted
▪ Licensed on a subscription model or pay-as-you-go basis
▪ Services are typically accessed via web browser, mobile app, or application programming interface (API)
▪ Customers do not need to manage the infrastructure that supports the service
SaaS examples: AWS Trusted Advisor, AWS Shield, Amazon Chime
Access Management
Authentication
▪ Uses credentials to establish the identity of the requestor
▪ Grants or denies access to resources based on identity
▪ Utilizes usernames, passwords, and multi-factor authentication (MFA) among other methods
Authorization
▪ Takes place only after authentication
▪ Determines the level of access that an identity has to a resource
▪ Common methods include attribute-based access control (ABAC) and role-based access control (RBAC)
Principle of least privilege
▪ Grant only the permissions that are required to perform a task
▪ Start with a minimum set of permissions
▪ Grant additional permissions as necessary
▪ Revoke unnecessary permissions

AWS CloudWatch Monitoring
Amazon CloudWatch:
▪ Monitors the state and utilization of most of the resources that you are managing under AWS
▪ CloudWatch Agent to collect system-level metrics:
  – Amazon EC2 instances
  – On-premises servers
(Diagram: Amazon CloudWatch raises an Alarm (time-based) or triggers an Event Rule (event-based).)

AWS Identity and Access Management (IAM)
▪ Helps you to securely share and control access to your AWS resources for individuals and groups
▪ Integrates with most AWS services
▪ Supports federated identity management
▪ Supports granular permissions
▪ Supports MFA
▪ Provides identity information for information assurance and compliance audits

Data Security
Data at rest: any data that persists in nonvolatile storage for any duration
Protections:
▪ Implement secure key management.
▪ Enforce encryption at rest.
▪ Enforce access control.
▪ Audit the use of encryption keys.
▪ Use mechanisms to keep people away from data.
▪ Automate data-at-rest protection.
▪ Audit data access logs.
Data in transit: any data that is sent from one system to another
Protections:
▪ Implement secure key and certificate management.
▪ Enforce encryption in transit.
▪ Authenticate network communications.
▪ Automate detection of unintended data access.
▪ Secure data between VPC or on-premises locations.

AWS Key Management Service (AWS KMS)
▪ Provides the ability to create and manage cryptographic keys
▪ Uses hardware security modules (HSMs) to protect your keys
▪ Is integrated with other AWS services
▪ Provides the ability to set usage policies to determine which users can use which keys

Logging and monitoring
Logging
▪ Logging is the collection and recording of activity and event data.
▪ The information logged varies based on the service.
▪ Common log elements include date and time of event, origin of event, and identity of resources that were accessed.
Monitoring
▪ Monitoring is the continuous verification of the security and performance of your resources, applications, and data.
▪ AWS provides several services that give you the visibility to spot issues before they impact operations.

CloudWatch Dashboard
Amazon CloudWatch dashboards:
▪ Surface data about your running AWS ecosystem.
▪ Can be leveraged by existing monitoring tools.
Credit: AWS Academy

AWS CloudTrail
▪ Is the primary AWS solution for logging
▪ Assists you to enable governance and compliance as well as operational and risk auditing of your AWS account
▪ Records actions taken by a user, role, or AWS service as events
▪ Can be used to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure

AWS CloudTrail
▪ Logs, continuously monitors, and retains account activity related to actions across your AWS infrastructure
▪ Records API calls for most AWS services
  – AWS Management Console and AWS CLI activity are also recorded
▪ Is supported for a growing number of AWS services
▪ Automatically pushes logs to Amazon S3 after it is configured
▪ Will not track events within an Amazon EC2 instance
  – Example: manual shutdown of an instance

CloudTrail
AWS CloudTrail can help you answer questions that require detailed analysis.
Credit: AWS Academy

Amazon CloudWatch
▪ Is a monitoring and observability service
▪ Provides a unified view of the operational health of your AWS resources, applications, and services
▪ Collects metrics in the AWS Cloud and on premises
▪ Can be used to monitor and troubleshoot infrastructure
▪ Provides the ability to customize logs and events

CloudWatch Monitoring
Credit: AWS Academy
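As an added illustration of the Access Management and IAM slides above (example code written for these notes, not from the lecture or from AWS), the block below evaluates a constructed "allow everything" policy and a least-privilege policy for a backup job against the same requests, using a deliberately simplified model of IAM's evaluation order: an explicit Deny wins, then any matching Allow grants, otherwise access is implicitly denied. The bucket name, the policies and the requests are assumptions made for the example.

```python
import fnmatch

# Simplified IAM-style evaluation (an assumption of this example, not the full AWS
# algorithm): explicit Deny > matching Allow > implicit deny. "*" wildcards in
# Action and Resource behave as they do in real policy documents.
def _matches(pattern_or_list, value):
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Return True only if some Allow matches and no Deny matches the request."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False          # explicit deny always wins
            decision = "allow"
    return decision == "allow"

# Constructed policies. The first is the "admin shortcut" that violates least
# privilege; the second grants only what a backup job needs (bucket name made up).
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-backups/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-backups"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}

# Requests to compare: the first is needed by the job, the rest are not.
CHECKS = [
    ("s3:PutObject", "arn:aws:s3:::example-backups/db.dump"),
    ("s3:DeleteObject", "arn:aws:s3:::example-backups/db.dump"),
    ("iam:CreateUser", "*"),
    ("ec2:TerminateInstances", "*"),
]

def compare(policies, checks):
    """Return {policy_name: {"action on resource": allowed}} for side-by-side review."""
    return {name: {f"{a} on {r}": is_allowed(p, a, r) for a, r in checks}
            for name, p in policies.items()}

if __name__ == "__main__":
    for name, results in compare({"broad": BROAD_POLICY, "least": LEAST_PRIVILEGE_POLICY}, CHECKS).items():
        for request, allowed in results.items():
            print(f"{name:<6} {'ALLOW' if allowed else 'DENY ':<6} {request}")
```

The broad policy allows all four requests, including the unrelated IAM and EC2 privileges; the least-privilege policy allows only the write the backup job actually performs.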
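To make the logging and CloudTrail slides above concrete, here is an added example (written for these notes, not from the lecture or from AWS) that reads CloudTrail-format records, pulls out the common log elements the slides list (date and time, origin, identity, action) and applies a few defender checks. The records are constructed for the example; the field names follow CloudTrail's event format, and the three checks are this example's own choices, not an AWS feature.

```python
import json
from datetime import datetime

# Constructed CloudTrail-style records for this example (not real account data).
# Field names follow the CloudTrail event format; all values are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T08:15:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-01T08:20:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-01T09:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7"},
]})

def summarize(record):
    """Extract the common log elements: when, from where, who, and what."""
    ident = record.get("userIdentity", {})
    return {
        "time": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "origin": record.get("sourceIPAddress", "unknown"),
        "identity": ident.get("userName") or ident.get("type", "unknown"),
        "identity_type": ident.get("type", "unknown"),
        # "ec2.amazonaws.com" + "StopInstances" becomes "ec2:StopInstances"
        "action": record["eventSource"].split(".")[0] + ":" + record["eventName"],
        "region": record.get("awsRegion", ""),
    }

def findings(trail_json):
    """Run defender checks over every record; return (reason, summary) pairs."""
    flagged = []
    for rec in json.loads(trail_json)["Records"]:
        s = summarize(rec)
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if rec["eventName"] == "ConsoleLogin" and mfa != "Yes":
            flagged.append(("console login without MFA", s))
        if s["identity_type"] == "Root":
            flagged.append(("root account used for an API call", s))
        if rec["eventName"] in ("StopInstances", "TerminateInstances"):
            flagged.append(("instance state changed through the EC2 API", s))
    return flagged

if __name__ == "__main__":
    for reason, s in findings(SAMPLE_TRAIL):
        print(f"{s['time']:%Y-%m-%d %H:%M}  {s['identity']:<6} {s['origin']:<14} "
              f"{s['action']:<20} {reason}")
```

The StopInstances record is visible only because it went through the EC2 API; a shutdown issued inside the instance's operating system leaves no CloudTrail record, which is why host-level logging remains the customer's responsibility.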
