Amazon EC2 — AMI Basics
Article 1 — This is part of a series of articles I am going to publish about Amazon EC2 (Elastic Compute Cloud).
The EC2 service can be broken down into the following components:
Amazon Machine Images (AMIs)
Instance types
Instance purchasing options
Tenancy
User data
Storage options
Security
In this article we will be looking into AMIs, Amazon Machine Images.
AMIs are essentially templates of pre-configured EC2 instances which allow us to quickly launch a new EC2 instance based on the configuration defined within the AMI. This saves us from having to install an operating system (Amazon Linux, macOS, Ubuntu, and MS Windows, among others) or any other common applications that we might need to install on a number of other EC2 instances.
AMIs can be categorized in 4 ways —
AWS-managed AMIs
Custom-managed AMIs
AMIs from AWS Marketplace
Community AMIs ( public AMIs)
As mentioned earlier, AWS provides a large number of AMIs covering different operating systems (known as AWS-managed AMIs). In addition to this, we can also create our own AMIs to speed up the deployment process.
For example, we would start by selecting an AWS AMI, perhaps Amazon Linux. Then, once it is up and running, we may need to install a number of our own custom applications and make other specific configuration changes. Now let’s say we need a second server to perform the same function. In this case we have two options. The first option would be to go through the same process of selecting the Amazon Linux AMI, and again manually installing the applications and making our configuration changes. The second option would be, once we have made those changes on the first instance, to simply create a brand new AMI (a template) of that instance with all our applications installed and configuration changes already made. Then, if we need another instance with the same configuration, all we need to do is select our custom AMI as the base image for the new instance.
AWS-Managed AMI vs Custom-Managed AMI
As we see in the above example, the approach adopted in option 2 has many benefits and especially comes in handy when implementing auto-scaling, where multiple instances of our baseline configuration may need to be spun up quickly to meet increasing levels of demand.
In addition to both AWS-managed and our own custom-managed AMIs, we could also select an AMI from the AWS Marketplace. The AWS Marketplace is essentially an online store that allows us to purchase AMIs from trusted vendors like Cisco Systems, F5, Palo Alto Networks, and others. These vendor AMIs have specific applications and configurations already in place, such as instances that come with built-in security and monitoring tools.
We can also choose from Community AMIs, which are public AMIs that can be created and shared by anyone.
We will continue with further beginner concepts in Article 2.
Amazon EC2 Basics — Instance Types
Article 2: This is a continuation of my Article 1 ( https://medium.com/@mtvwhydzx/amazon-ec2-ami-basics-7195607407d7 ). In this one, I will be covering the instance types we have in Amazon EC2 (Elastic Compute Cloud).
Once we are done with our selection of an AMI (refer to Article 1), we must then select an instance type.
An instance type simply defines the size of the instance based on a number of different parameters, including vCPUs, processor architecture (i386, x86, ARM), memory, storage, storage type (HDD, SSD), and network performance (performance level or rate of data transfer). All of these parameters can be chosen on the basis of the use case.
The instance type families are:
- General Purpose
- Compute Optimised
- Memory Optimised
- Accelerated Computing
- Storage Optimised
- HPC Optimised
General Purpose — These have a balanced mix of CPU, memory and storage. They are ideal for small to medium databases, test and development environments, or web servers.
Compute Optimised — These have a greater focus on compute power and are ideal for applications requiring high-performance processors, such as batch processing or machine learning.
Memory Optimised — These are primarily used for large-scale, enterprise-class in-memory applications, such as real-time processing of unstructured data.
Accelerated Computing — These utilise hardware accelerators or co-processors to perform floating-point calculations faster and more efficiently.
Storage Optimised — These are optimised for enhanced storage. Instances in this family use SSD-backed instance storage for low latency and very high input/output (I/O) performance, including very high IOPS (input/output operations per second). These instances are useful for data file systems and log processing applications.
HPC Optimised — These are designed for high performance computing (HPC) workloads.
AWS : Security Control Policies
Service Control Policies are a feature of AWS Organizations (AWS Organizations is a product for managing multiple AWS accounts in a cost-effective way, with little to no management overhead) which can be used to restrict AWS accounts.
Note: An understanding of AWS Organizations is needed to follow the contents of this article — https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html
An SCP is a policy document (a JSON document) which is attached as a whole to the Root container, to one or more Organizational Units (OUs), or to individual AWS accounts. One thing to note is that whatever entity it is attached to, the entities underneath it are also affected. For example, if an SCP is attached to the Root container within an AWS Organization, then it affects all the OUs inside that Root container. Another example: if an SCP is attached to an Organizational Unit (OU), then it affects all the AWS accounts inside that OU and all other OUs nested under that OU.
It is important to note that the Management Account is never affected by an SCP, even if the Management Account is part of the OU or Root container to which the SCP is applied. The Management Account is the only account in AWS Organizations which cannot be restricted using SCPs.
SCPs can be thought of as account permission boundaries. They limit what an AWS account (including its root user) can do.
SCPs “DON’T GRANT” any permissions. They are just boundaries. They define the limit of what is and what is not allowed within the account. We still need to give “IDENTITIES” within that AWS account permission to AWS resources, but SCPs will limit the permissions that can effectively be assigned to individual identities.
SCPs can be used in two ways: ALLOW LIST and DENY LIST.
DENY LIST — In AWS, when we enable SCPs, the deny list is what we get by default. As soon as SCPs are enabled, AWS applies a default policy called FullAWSAccess. This policy is applied to the organization and all OUs within that organization. It means that in the default implementation, Service Control Policies have no effect, since nothing is restricted. Starting from this default, we then add the services which we want to deny (explicit deny). One of its benefits is low admin overhead: with the ever-changing and growing set of services in the AWS world, we don’t need to keep track of all the services; we just need to take care of what we don’t want identities/accounts to access and add those services to the deny list.
ALLOW LIST — This is implemented in two parts. The first part is to remove the FullAWSAccess policy (which means only the implicit default deny is active). Then we add any services which we want to allow into a new SCP. It is more secure compared to the deny list, since it explicitly lists which services users in those accounts can be allowed to access. One of the cons is that it has much more admin overhead.
Depiction — What is actually allowed after implementation of Identity based policy and SCP
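To make the boundary-versus-grant idea concrete, here is an added example (not from the article or from AWS) with constructed policy documents in both styles and a simplified evaluator: the SCPs set the boundary, the identity-based policy grants inside it, and the management account is exempt. It matches only the Action element, so Resource and Condition handling is a labelled simplification.

```python
from fnmatch import fnmatchcase

# Constructed policy documents (added illustration, not taken from the article or AWS docs).
# FullAWSAccess is the default SCP AWS attaches when SCPs are enabled: the deny-list starting point.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Deny-list style: keep FullAWSAccess and add an SCP with explicit denies for what must never happen.
DENY_LIST_SCPS = [FULL_AWS_ACCESS,
                  {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Deny",
                                  "Action": ["ec2:*", "organizations:LeaveOrganization"],
                                  "Resource": "*"}]}]

# Allow-list style: FullAWSAccess removed, so only the listed services are inside the boundary.
ALLOW_LIST_SCPS = [{"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Action": ["s3:*", "cloudwatch:*"],
                                   "Resource": "*"}]}]

# Constructed identity-based policy for an IAM user inside a member account.
IDENTITY_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow",
                                  "Action": ["s3:GetObject", "ec2:RunInstances"],
                                  "Resource": "*"}]}

def _decision(policies, action):
    """Return 'deny', 'allow' or 'implicit' for one action across a list of policy documents.
    Simplification: only the Action element is matched; Resource and Condition are ignored."""
    result = "implicit"
    for doc in policies:
        for stmt in doc["Statement"]:
            patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if any(fnmatchcase(action, pat) for pat in patterns):
                if stmt["Effect"] == "Deny":
                    return "deny"          # an explicit deny always wins
                result = "allow"
    return result

def is_allowed(action, scps, identity_policy, management_account=False):
    """SCPs set the boundary; the identity policy grants within it.
    The management account is never restricted by SCPs, as the article notes."""
    if not management_account and _decision(scps, action) != "allow":
        return False                       # outside the SCP boundary (explicit or implicit deny)
    return _decision([identity_policy], action) == "allow"
```

Note that under the allow list, s3:PutObject is inside the SCP boundary but still denied, because no identity policy grants it: the SCP never grants on its own.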
Links for SCP —
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#
https://learn.cantrill.io/p/aws-certified-security-specialty