Revision Cloud Theory - Campus-Castolo/m300 GitHub Wiki
What is "Cloud Computing"?
Cloud computing is a model that enables ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services). These resources can be rapidly provisioned and released with minimal management effort or service provider interaction. This model consists of five essential characteristics, three service models, and four deployment models.
Amazon Web Services (AWS) defines "Cloud Computing" as:
Cloud computing is the on-demand provision of IT resources over the internet with usage-based pricing. Instead of purchasing, owning, and maintaining physical data centers and servers, you can access technology services such as computing power, storage, and databases as needed via a cloud provider like Amazon Web Services (AWS).
Cloud computing offers several advantages over traditional data centers:
- Agility: Acquiring and setting up IT infrastructure, such as servers, can be a lengthy process, often taking weeks or months. Additionally, it is difficult to predict the hardware needed upfront, as it’s often unclear how many end-users will actually use the application. For AWS customers, this process is greatly simplified, allowing servers to be used within minutes and released when no longer needed. Trying out new business ideas is also easier with cloud-based infrastructure, as there is no large upfront investment in hardware.
- Elasticity: The usage of applications can vary significantly, even throughout a day or year. A common example is Black Friday sales, when IT infrastructure must handle a much higher volume of requests. Traditional data centers typically design applications for a fixed load, which can result in unused resources for most of the year or insufficient resources during peak times, like Black Friday. Cloud providers like AWS have a vast pool of IT capacity and allow dynamic scaling based on actual demand, ensuring sufficient provisioning without overutilization.
- Cost Savings: The advantages of agility and elasticity also impact the costs of IT solutions. For example, less hardware is required compared to constant over-provisioning. Additionally, the business risk is lower when using cloud services, as large investments in servers are not needed upfront. Businesses only pay for the cloud services they actually use. When usage is low, costs are lower, but as usage increases, so do costs. However, increased use of applications can also lead to greater business benefits.
- Security: The number of cyber-attacks has steadily increased, and protecting IT applications requires continuous investment in various security mechanisms. A common attack is a Distributed Denial-of-Service (DDoS) attack, where web servers are overwhelmed with a flood of requests. Traditional data centers often require significant investments in security measures, or they may not be able to fend off such attacks. AWS prioritizes security, offering a wide range of security services that are either automatically enabled or can be activated within minutes. The benefit for AWS customers is that they can access the same security services used by institutions like the CIA or large financial organizations without additional upfront investment.
- Global Availability in Minutes: Traditionally, a company's data centers are located in the country where the company operates. If a company later expands into other countries, it may need to open data centers in those regions due to technical reasons, such as high network latency, or regulatory requirements, such as data residency laws. Cloud providers like AWS have standardized infrastructure across regions, making it much easier to deploy IT applications in multiple countries or geographic areas.
The Shared Responsibility Model
In a traditional data center, businesses are fully responsible for all aspects of its operation. This includes building management, physical access control, server setup, and operating IT applications. The scope of responsibility is wide, ranging from physical security to software management. Companies have started questioning whether all of these tasks are industry-specific and provide real value when carried out internally. Many companies now focus on agility, the ability to respond quickly to market changes, rather than differentiating themselves by their data center infrastructure.
When companies use cloud services, they no longer carry the full responsibility for all aspects of the data center. Instead, certain responsibilities are shifted to the Cloud Service Provider (CSP). This separation of duties is illustrated in the Shared Responsibility Model.
- CSP's responsibilities: The cloud provider is responsible for the lower part of the stack, which includes physical security, hardware, and infrastructure management.
- Customer's responsibilities: The customer (user) is responsible for the upper part, including areas like data encryption, identity management, and the management of customer data.
The Shared Responsibility Model serves as a starting point for discussions about roles and responsibilities, though the exact division can vary depending on the services used. For example:
- Amazon EC2: Users are responsible for managing the operating system of the EC2 instance, which can be likened to managing a virtual machine.
- AWS Lambda: The cloud provider manages the underlying operating system, so users only need to focus on writing functions without worrying about system updates or maintenance.
What is Identity and Access Management (IAM)?
In businesses, managing access to sensitive information is crucial to ensure that only authorized individuals can access it. Identity and Access Management (IAM) has gained significant importance within companies, even outside of the cloud context. Central elements of IAM include Principals (users who access information) and Resources (information sources that need to be protected). Typical users can be company employees or customers consuming company services, while resources may include applications, databases, or network drives. Access to these resources is either allowed or denied, with the granularity of control being as detailed as restricting access to specific tables or columns in a database.
In the context of cloud services, Cloud Service Providers (CSPs) offer IAM services to control access to cloud services. In AWS, this service is called AWS Identity and Access Management (IAM).
Authentication vs. Authorization
Two important terms in IAM are Authentication and Authorization, which are often confused:
- Authentication: This process verifies the identity of a person or application. In IT, common methods include usernames, passwords, or SMS codes for two-factor authentication. Outside the IT context, authentication might involve proving your identity with personal details, for example when calling customer service or placing an order with a government office.
- Authorization: This determines what a user or principal can and cannot do, typically following successful authentication. For example, in a hotel, only authenticated guests receive a room card that opens their own room and the amenities, while cleaning staff have a card that allows them access to all rooms during working hours.
AWS Identity and Access Management (IAM)
Within an AWS account, the AWS Identity and Access Management (IAM) service is used to manage users, groups, and roles, and it controls access to AWS services and resources. Security is a top priority for AWS, so permissions must be explicitly granted by the user, and by default, they are not available.
Key IAM Concepts:
- Principal: A principal represents an identity, such as an individual user (employee) or an application granted permissions via a role. Users can be organized into groups (e.g., database administrators), where all members inherit the group's permissions. Applications typically receive permissions via roles, which provide temporary access to resources.
- Authentication: Before sending a request to AWS, a principal must authenticate. The AWS account (root) user logs in with an email address and password. IAM users sign in with the AWS account ID or alias plus a username and password; API/CLI users authenticate with an access key ID and secret access key.
- Request: When a principal attempts an action (e.g., starting a virtual machine) via the AWS Console, API, or CLI, they send a request specifying the action and the resource. IAM checks the request against policies to determine whether it is authorized.
- Authorization: To perform an action, a request must be authorized. AWS evaluates the request based on permissions defined in policies (typically JSON documents), which specify allowed or denied actions on resources. If policies conflict (one allows the action and another explicitly denies it), the request is denied. By default, all requests are denied unless explicitly allowed by a policy.
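The evaluation rules just listed (implicit deny, explicit allow, explicit deny wins over any allow) can be made concrete with a small evaluator over identity policies. This is an added example, not code from the wiki or from AWS; the two policy documents, the account ID and the ARNs are constructed, and the evaluator deliberately ignores conditions, NotAction/NotResource, resource policies, permission boundaries and SCPs.

```python
import fnmatch
import json

# Constructed sample policies (not from the page or any real account): a group
# policy allowing DynamoDB reads on all tables plus EC2 starts, and a second
# policy that explicitly denies every DynamoDB action on production tables.
POLICIES = [json.loads(doc) for doc in ("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
   "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/*"},
  {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*"}]}
""", """
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Deny", "Action": "dynamodb:*",
   "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/prod-*"}]}
""")]


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    # Action names match case-insensitively, resource ARNs case-sensitively;
    # both support the * and ? wildcards used in IAM policies.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request (action on resource)."""
    decision = "Deny"  # implicit deny: nothing is permitted until a policy allows it
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action, True)
                    and _matches(stmt["Resource"], resource, False)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides every allow
            decision = "Allow"
    return decision


if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-east-1:111122223333:table/"
    for act, res in (("dynamodb:GetItem", table + "dev-users"),
                     ("dynamodb:GetItem", table + "prod-users"),
                     ("dynamodb:DeleteItem", table + "dev-users"),
                     ("s3:GetObject", "arn:aws:s3:::some-bucket/report.csv")):
        print(f"{act:22} {res.rsplit('/', 1)[-1]:12} -> {evaluate(POLICIES, act, res)}")
```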
AWS Root User vs IAM User
- Root User: This is the user who created the AWS account and has full permissions within the account. It is highly recommended to secure this user with multi-factor authentication (MFA). For day-to-day tasks, it is advisable to use an IAM user with a limited set of permissions rather than using the root user.
Introduction to Encryption
Encryption, also known as ciphering, transforms plaintext (normal text or data) into ciphertext using a key. This ciphertext can be decrypted back to plaintext with the appropriate key. Encryption ensures that data remains confidential, such as ensuring that messages on messaging platforms are protected so that they cannot be read by unauthorized parties. The strength of the protection depends on the encryption key chosen.
Types of Encryption
There are two primary types of encryption:
- Symmetric Encryption: The same key is used for both encryption and decryption. Modern encryption often uses block ciphers, which first break the text into equal-sized blocks before encrypting them.
- Asymmetric Encryption: This method uses a public key to encrypt the text and a private key to decrypt it. The public key can be used by anyone, but once the message is encrypted, only the intended recipient, who holds the private key, can decrypt it. This type of encryption is commonly used in email communications.
Data Encryption Responsibilities
When data is stored in the cloud, encryption can be applied as an additional security measure. This can be done in two scenarios: in transit and at rest.
In Transit
When data is in motion (being transferred), it must be protected. For example, the Application Layer of the OSI model can use encryption protocols such as TLS (Transport Layer Security) or SSL (Secure Sockets Layer). These protocols create a secure connection between the server and the client. Both symmetric and asymmetric encryption are used in these protocols: asymmetric encryption establishes the connection and exchanges the session key, while symmetric encryption encrypts the data being transferred.
At Rest
Once data is stored, it can also be encrypted for security. The method of encryption depends on how the user manages the encryption process.
- Client-side Encryption (CSE): The user encrypts their data locally before uploading it to the cloud. This gives the user full control over, and full responsibility for, the encryption process and the keys.
- Server-side Encryption with Customer-provided keys (SSE-C): The user supplies the encryption key to the cloud service along with the data, and the server performs the encryption. The user doesn’t need to perform the encryption themselves, but they still manage and safeguard the key.
- Server-side Encryption by AWS: To reduce the administrative burden on users, AWS offers the Key Management Service (KMS), which can generate, store, and rotate encryption keys. The server performs the encryption and decryption processes. If the encryption standard AES-256 (Advanced Encryption Standard) is needed, AWS also offers SSE-S3, a service designed to handle this specific encryption.
The choice of encryption method depends on the level of key management effort the user is willing to undertake and the necessary encryption technique.
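The three server-side options differ mainly in what the caller must hand over with each upload. The following added example (not code from the wiki or from AWS) builds the S3 `put_object` keyword arguments for each mode using boto3's real parameter names; the customer key, bucket name and KMS key ARN are constructed placeholders, and client-side encryption is left out because it needs a cipher library outside the Python standard library.

```python
import base64
import hashlib

# Constructed values (not from the page): a fixed 256-bit key standing in for a
# real SSE-C key, and a placeholder KMS key ARN.  Real keys must be random and secret.
CUSTOMER_KEY = bytes(range(32))
KMS_KEY_ID = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"


def sse_c_params(key):
    """SSE-C: the customer sends the key with the request; S3 encrypts with it but
    does not store it.  The API needs the algorithm, the base64 key and the base64
    MD5 of the raw key, which S3 uses as an integrity check on the transmitted key."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    return {
        "SSECustomerAlgorithm": "AES256",
        "SSECustomerKey": base64.b64encode(key).decode(),
        # boto3 fills this in automatically when omitted; shown here because the
        # underlying REST API requires it.
        "SSECustomerKeyMD5": base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def sse_kms_params(key_id):
    """SSE-KMS: KMS generates, stores and rotates the key; the caller only names
    which KMS key protects the object and never handles key material."""
    return {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": key_id}


def sse_s3_params():
    """SSE-S3: AES-256 with keys managed entirely by S3; nothing to supply."""
    return {"ServerSideEncryption": "AES256"}


def put_object_request(bucket, key, body, mode):
    """Build the keyword arguments for boto3's s3.put_object for one mode."""
    extra = {
        "SSE-C": lambda: sse_c_params(CUSTOMER_KEY),
        "SSE-KMS": lambda: sse_kms_params(KMS_KEY_ID),
        "SSE-S3": sse_s3_params,
    }[mode]()
    return {"Bucket": bucket, "Key": key, "Body": body, **extra}


if __name__ == "__main__":
    for mode in ("SSE-C", "SSE-KMS", "SSE-S3"):
        req = put_object_request("example-bucket", "notes.txt", b"hello", mode)
        print(mode, {k: v for k, v in req.items() if k != "Body"})
```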
Access Methods to AWS Platform and Services
There are several ways to access the AWS platform and its services. Below are the key methods:
To perform exercises, access to the AWS platform via a regular AWS account or AWS Academy account is required.
1. AWS Management Console
The AWS Management Console is a graphical user interface (GUI) for AWS, accessible via a browser. It provides access to all AWS services across AWS regions, allowing for configuration and monitoring. All interactions with the AWS Management Console directly engage with the service APIs.
- Access: With a regular AWS account, the AWS Management Console can be accessed via the link: [AWS Management Console](https://console.aws.amazon.com/console/home).
- AWS Academy Account: If accessing via an AWS Academy account, it must be done through the AWS Academy platform. It's important to note that only the “us-east-1” and “us-east-2” AWS regions are available for exercises within AWS Academy.
2. AWS CLI (Command Line Interface)
The AWS Command Line Interface (CLI) is an open-source tool that enables direct access to AWS APIs via a shell. With minimal configuration, the AWS CLI allows the execution of commands that interact with the same AWS service APIs used in the AWS Management Console.
- Supported Operating Systems:
  - Linux
  - Windows
  - macOS
  - Docker
- Installation: The AWS CLI documentation provides installation instructions for each operating system.
Note: The AWS CLI is not required for performing exercises in the training modules. Amazon Cloud9 Web IDE is used in these modules, and the AWS CLI is already installed there.
3. AWS SDK (Software Development Kit)
The AWS SDK is designed for developers to integrate AWS services into their applications. It is available for many modern programming languages, including:
- C++
- Go
- Java
- JavaScript
- .NET
- Node.js
- PHP
- Python
- Ruby
Each programming language has its own documentation for installation and usage. Some examples include:
- Python:
  - AWS SDK for Python Installation
  - AWS SDK for Python API Reference
- JavaScript:
  - AWS SDK for JavaScript Installation
  - AWS SDK for JavaScript API Reference
Note: An AWS SDK is not required for completing exercises in the training modules.