Posts

Showing posts from May, 2017

Chapter 12: Security on AWS (Part 5)

An "identity pool" (painting by Waterhouse)? See below. Amazon ElastiCache The next puzzling comment was: Amazon ElastiCache for Redis provides backup and restore functionality. I thought ElastiCache was a cache service? Why would you need to back it up? Surely this messes up the cache refresh mechanisms? I.e. if you save a cache and back it up, later on it will be out of sync with the underlying data store??? Redis actually looks like it can function not just as a cache, but as an in-memory database. Redis persistence explained here. It can also work with durability! So I guess that backup and restore only work if you are using Redis as the database with no backing data store...? More AWS docs. So now I'm confused again. Redis is just another AWS database option? How does it compare with open source NoSQL like Cassandra? DynamoDB etc? A blog comparing Redis with Cassandra: Following is a point by point comparison of Cassandra and Redis. The

Redshift four-tier key-based encryption architecture explained simply

The simplest explanation of the Redshift four-tier key-based encryption architecture? Redshift uses a four-tier key-based architecture for encryption. Why 4??? Is this really enough? If four tiers is good surely five is better :-? It's tricky to find other references to four-tier encryption. Is this only an AWS thing? There is a paper on a four-tier architecture. Oh, and I can't believe that one of the certification exam questions is how many tiers the Redshift encryption architecture uses (1, 2, 3, 4)! Talk about pub trivia quiz night. Maybe they should ask: Why does it matter how many tiers Redshift uses for encryption? I think this is just an example of multiple encryption; it may be better to explain it in this context. Is this the same as an N-tier algorithm using multiple private keys to encrypt the data? And another question. If a four-tier key-based architecture for encryption is good enough for Redshift why isn't it used for other Amazon datab

Chapter 12: Security on AWS (Part 4)

Dedicated Instances and Dedicated Hosts Dedicated instances are possible. But why? If AWS is so sure that the VM isolation is so good, what does this add? Why do they offer dedicated instances? Maybe marketing and auditing? And how are dedicated instances any different/better than, say, other cloud vendors' bare metal instances? Price? Performance? Security? And then there's Dedicated Hosts as well (which the book doesn't mention in this chapter, oddly). Are there any security differences? Nope. I guess there are architectural, licensing (for O/S?) and price differences: from the docs: There are no performance, security, or physical differences between Dedicated Instances and instances on Dedicated Hosts. However, Dedicated Hosts give you additional visibility and control over how instances are placed on a physical server. When you use Dedicated Hosts, you have control over instance placement on the host using the Host Affinity and Instance Auto-placement setti

Chapter 12: Security and AWS (Part 3 AWS Gateway services - 9 and counting)

Gateways come in all shapes and sizes! The Porta Nigra (Roman city gate) in France, it's even more impressive inside. AWS Gateways? Virtual Private Gateway (not 1st order service) This is one of many "gateways" in AWS (you could make a computer game up around finding your way into AWS via the correct gateway?). This one is for a private connection between a VPC and another network. I thought this was just called a VPN :-) It appears to be a hardware device. Internet Gateway (not 1st order service) Another gateway. To allow internet connection to AWS services. How many other AWS gateways are there? The only 2 gateways that are 1st order AWS services listed in the services/regions page are: Amazon API Gateway (1st order service), Amazon Storage Gateway (1st order service), AWS Direct Connect (1st order service). For hybrid storage solutions (on-premises and cloud storage). This seems to also use AWS

Chapter 12: Security on AWS (Part 2)

Encrypted puzzle at rest. This is a long chapter, there's still more to go. Again I'll start with things I'm not familiar with or that look odd or interesting. I get the feeling however that this chapter is really just designed to overawe the reader with the extent and variety of security that AWS has provided. At some level I don't think the detail matters. There's security for data in transit and (mostly) at rest, security for networks, security for IP addresses, security for APIs, security for accounts, users, roles, federation, etc. Security for everything! Again I'm not 100% sure who needs to know all this stuff? I guess security managers and administrators? And there's still the unanswered question of (1) how do you set a security goal and metrics, and (2) how do different combinations of security features get you closer to or further away from (or reaching) the goal and metrics? Back to EC2: One way to get your AMIs updated and patched without do