Power of AWS: EC2, AMIs, and Secure Cloud Storage Solutions

AWS Regions and API Endpoints

Amazon Web Services (AWS) is a cloud platform offering a vast array of services that can be accessed and managed via APIs. These services are hosted in multiple regions across the globe, and each AWS service in a region has a unique endpoint. An endpoint is a URL that consists of a service code and region code, following the format:

<service-code>.<region-code>.amazonaws.com

Examples of Service Codes:

• EC2: Elastic Compute Cloud (VMs) - ec2

• S3: Simple Storage Service - s3

• IAM: Identity and Access Management - iam

  
  

The list of all AWS services and their corresponding service codes can be found.

https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html

Example of an API Endpoint

To interact with EC2 instances in the US-East-1 region, the endpoint would be:

ec2.us-east-1.amazonaws.com

AWS operates over 200 services globally, each accessible through region-specific endpoints.

Reference:

https://aws.amazon.com/what-is-aws/

--------------------------------------------------------------------------------------------------------------------------

Amazon Resource Name (ARN)

Amazon Resource Names (ARNs) are unique identifiers used in AWS to refer to resources programmatically. ARNs follow a specific format to ensure resources can be identified across all AWS regions and services. ARNs are commonly found in logs or configuration files when you need to specify a resource precisely.

ARN Format

arn:partition:service:region:account-id:resource
Example:
arn:aws:iam:us-east-1:690735260167:role/flowlogsRole

• Partition: Typically aws (for standard AWS regions)

• Service: The AWS service code (e.g., ec2, s3)

• Region: The AWS region (e.g., us-east-1)

• Account-ID: The AWS account ID associated with the resource

• Resource: Specifies the resource or resource type (can include wildcards)

While ARNs can precisely specify resources, they also allow for wildcards in some instances (e.g., for querying multiple resources). However, wildcard usage in configurations can lead to overly broad permissions, posing security risks.

Reference:

https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

--------------------------------------------------------------------------------------------------------------------------

AWS Cloud Networking Constructs

AWS provides a flexible and secure networking model using Virtual Private Cloud (VPC), which allows users to create isolated networks for hosting services. Within a VPC, several components are used to manage and structure the networking:

1. VPC (Virtual Private Cloud): A logically isolated section of the AWS cloud where you can launch AWS resources (such as EC2 instances) within a defined network.

Components within a VPC:

• Subnet: A segment within a VPC that allows the network to be divided into smaller sub-networks. Each VPC must have at least one subnet.

• Route Table: Similar to a router in a traditional network, a route table defines how traffic is routed between subnets or to external networks like the Internet. A route to the Internet requires either an Internet Gateway or NAT Gateway.

• Internet Gateway: This allows EC2 instances with public IPs to access the Internet. While the instance's network interface retains its private IP, an Internet Gateway enables the routing of traffic between the instance's public IP and external sources.

• NAT Gateway: Used for outgoing Internet traffic from instances with private IP addresses. It performs a similar function to home network NAT gateways, allowing private instances to connect to the Internet.

• Security Group: A virtual firewall that controls inbound and outbound traffic for EC2 instances. Security groups can be specific to an individual EC2 instance or shared across multiple instances within the same VPC.

Reference:

https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

--------------------------------------------------------------------------------------------------------------------------

AWS Computing Constructs

EC2 (Elastic Compute Cloud) is AWS's scalable virtual machine (VM) service that runs on their proprietary hypervisor. EC2 provides a range of instance types to suit different workloads, from general-purpose instances to compute-optimized and memory-optimized configurations. You can explore the variety of available instance types on the AWS EC2 instance types page.

Key Features:

• Instance Types: Different combinations of CPU, memory, storage, and networking to fit various use cases.

• Auto-Scaling: EC2 instances can be dynamically scaled based on traffic or load requirements.

• Pay-As-You-Go Pricing: You only pay for what you use, based on the time and resources consumed.

AMI (Amazon Machine Images)

AMIs are pre-configured VM templates designed for easy deployment. These images come with the necessary operating systems and utilities to run in AWS. AMIs vary from minimal base OS images (such as Linux or Windows) to complex images pre-installed with software for specific tasks.

• SIFT AMI: One notable AMI available is the SANS Community SIFT VM, a preconfigured forensic image, which can be found via its GitHub repository.

  
  

• AWS Marketplace: Thousands of AMIs are available through the AWS Marketplace, including those with licensed commercial software.

--------------------------------------------------------------------------------------------------------------------------

AWS Storage Constructs

AWS provides a variety of storage options, including S3 (Simple Storage Service) and EBS (Elastic Block Storage), each serving different purposes based on accessibility, scalability, and performance needs.

S3 (Simple Storage Service)

S3 is an object storage service known for its scalability, flexibility, and durability. S3 allows users to store any type of data (files, media, backups) and access it from anywhere on the internet.

• Highly Scalable: You can store an unlimited amount of data.

• Object-Based Storage: Ideal for files and media rather than application disk storage.

• Access Controls: S3 features complex permission settings, including bucket policies, access control lists (ACLs), and encryption.

S3 Security: Despite its flexibility, S3 has been involved in multiple data breaches due to misconfigurations. While AWS has improved the UI to minimize user errors, poor configurations have historically exposed large amounts of data. For example:

• High-profile breaches occurred due to public access settings or misinterpretations of policies, like the "Any authenticated AWS user" option, which inadvertently opened data access to any AWS account.

EBS (Elastic Block Storage)

EBS is a block storage service primarily used as a hard drive for EC2 instances. EBS volumes are tied to specific EC2 instances and are ideal for applications requiring consistent, low-latency disk storage.

• Volume Types: Different types of EBS volumes support various workloads, such as SSD for high transactional applications and HDD for throughput-focused tasks.

• Snapshots: EBS volumes can be easily backed up using snapshots, which can be stored long-term or used for disaster recovery.

  
  

References.

https://aws.amazon.com/ebs/

--------------------------------------------------------------------------------------------------------------------------

S3 in the News for the Wrong Reasons

Several S3 data breaches have occurred over the years, often due to misconfigurations rather than inherent security flaws. Two common issues include:

1. Overly Broad Permissions: Administrators have mistakenly allowed public access or configured the built-in group "Any authenticated AWS user," granting access to anyone with an AWS account rather than just their organization.

2. Hard-coded Security Keys: Developers have accidentally exposed AWS access keys in code repositories, like GitHub, leading to unauthorized access. For instance, in one notable incident, AWS keys were committed to a public GitHub repository, and within 5 minutes, attackers had exploited the keys to spin up EC2 instances for cryptocurrency mining.

To help prevent these issues, AWS has implemented features that detect leaked credentials and restrict public access to S3 buckets by default.

Examples of S3 breaches include:

• U.S. Voter Records: In a 2017 breach, 198 million U.S. voter records were exposed due to a misconfigured S3 bucket .

• Defense Contractor: Sensitive intelligence data was exposed when an S3 bucket belonging to a defense contractor was left publicly accessible .

  
  

https://www.zdnet.com/article/security-lapse-exposes-198-million-united-states-voter-records/

https://arstechnica.com/information-technology/2017/05/defense-contractor-stored-intelligence-data-in-amazoncloud-unprotected/

https://www.theregister.com/2020/07/21/twilio_javascript_sdk_code_injection/

https://github.com/nagwww/s3-leaks

--------------------------------------------------------------------------------------------------------------------------

Conclusion

AWS provides powerful and scalable cloud computing and storage solutions through services like EC2, AMIs, S3, and EBS. These services offer flexibility for a wide range of workloads, whether you need virtual machines, pre-configured templates, or reliable storage options. However, with great flexibility comes responsibility—especially when it comes to security. Misconfigurations in S3 buckets and improper access management can lead to serious data breaches, as seen in numerous high-profile incidents. By following best practices for access control, encryption, and key management, users can leverage AWS’s full potential while maintaining robust security and compliance.

Akash Patel