Cloud, The Hard Way · 2020. 1. 17.
TRANSCRIPT
Cloud, The Hard Way
HELLO!
I am Will Bengtson
I love the cloud
You can find me at @__muscles
2
0. PREFACE: The Hard Way is Easier
3@__muscles
THE HARD WAY IS EASIER
◈ Cover the basics
◈ Build on them
◈ Run free
1. INTRODUCTION: Getting started in the cloud
GETTING STARTED IN THE CLOUD
◈ Challenges
◈ Understand Datacenter vs. AWS
CHALLENGES
◈ Dynamic environment
◈ Huge scale
◈ Diverse applications
DATACENTER VS AWS
Datacenter → AWS
◈ Firewall → Security Group
◈ RBAC → IAM
◈ Cluster → Auto Scaling Group
◈ Syslog → CloudWatch
◈ VLAN → VPC
◈ Datacenter → Region / AZ
MAPS
2. EXERCISE 0: Let’s get to the root of things
ROOT ACCOUNT
◈ First AWS account
◈ Highest level of access
◈ Sensitive
USE CASES OF ROOT
◈ Break glass superuser
◈ S3 Bucket ACL
THROW AWAY THE KEY
3. EXERCISE 1: Auditing - CloudTrail
CLOUDTRAIL
◈ Logs AWS API activity
  ◆ Like a credit card statement
◈ AWS API transactions
  ◆ Who / When / What (Call) / Which (Resource)
EXAMPLE: HOW TO CLOUDTRAIL
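The "who / when / what / which" reading of a CloudTrail record, as an added example that is not from the talk: it parses a constructed CloudTrail log file and pulls out every call made with root credentials, which should be empty once the root key has been thrown away as Exercise 0 recommends. Field names follow the CloudTrail record format; the records, account id, IPs and ARNs are constructed sample data.

```python
import json

# Constructed sample CloudTrail log file (not a real capture): an S3 read by an IAM
# role session, then a console login made with the account's root credentials.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2020-01-17T15:04:05Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:app",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-role/app",
                      "accountId": "123456789012"},
     "requestParameters": {"bucketName": "sans-sj", "key": "report.csv"}},
    {"eventVersion": "1.08", "eventTime": "2020-01-17T15:10:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "requestParameters": None},
]})

def summarize(record):
    """Reduce one CloudTrail record to the slide's four questions:
    who made the call, when, what (the API call) and which (the resource)."""
    identity = record.get("userIdentity", {})
    params = record.get("requestParameters") or {}
    # S3 events name the bucket and key; other services have no single resource field.
    which = params.get("bucketName")
    if which and params.get("key"):
        which = f"{which}/{params['key']}"
    return {
        "who": identity.get("arn", identity.get("type", "unknown")),
        "when": record["eventTime"],
        "what": f"{record['eventSource'].split('.')[0]}:{record['eventName']}",
        "which": which or "n/a",
        "root": identity.get("type") == "Root",
    }

def summarize_log(log_text):
    """Parse one CloudTrail log file ({"Records": [...]}) into summaries."""
    return [summarize(r) for r in json.loads(log_text)["Records"]]

def root_activity(log_text):
    """Calls made with root credentials; if the key was thrown away, this is empty."""
    return [s for s in summarize_log(log_text) if s["root"]]

if __name__ == "__main__":
    for s in root_activity(SAMPLE_LOG):
        print(f"ROOT ACTIVITY {s['when']} {s['who']} {s['what']} {s['which']}")
```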
4. EXERCISE 2: Identity and Access Management (IAM)
IDENTITY AND ACCESS MANAGEMENT (IAM)
◈ Users
◈ Groups
◈ Roles
◈ Policies
IAM USERS
◈ Can log into the console
◈ Credentials are static
◈ Avoid if you can
IAM GROUPS
◈ Used to provide similar permissions to users
◈ Think of them like AD groups
IAM ROLES
◈ Preferred method for operating in AWS
◈ Similar to users, but credentials are temporary
◈ Used throughout all services within AWS
◈ Single Sign-On (SSO)
POLICIES
◈ Permissions that can be applied to anything
◈ Managed Policies
◈ Inline policies
Works EVERYWHERE!
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::sans-sj/*"
    }
  ]
}
5. EXERCISE 3: Simple Storage Service (S3)
S3
◈ It is like a folder on the internet
◈ Can be used to store your data on AWS
◈ Cheap
S3
◈ Buckets
  ◆ Globally unique
  ◆ Can make files (objects) public
◈ Objects
  ◆ Contain data and metadata
  ◆ Can be public even though the bucket is not!
6. EXERCISE 4: Base AMI
BASE AMI
◈ Immutability
  ◆ No SSH
  ◆ Config change == new build
◈ Every application has the same base layer
  ◆ Logging
  ◆ Security
  ◆ Secrets Management
7. EXERCISE 5: Lambda
LAMBDA A.K.A SERVERLESS
◈ Someone else’s container
◈ Highly scalable
◈ Pay for what you use
◈ Multiple languages
  ◆ Bring your own runtime
LAMBDA A.K.A SERVERLESS
◈ Deploy in VPC
◈ Configurable memory and runtime
  ◆ More memory ~= more power
◈ Easy to get started
◈ Be careful with versions
8. TOOLS: Some awesome open source
STREAMALERT
REPOKID
CLOUD INQUISITOR
CLOUD CUSTODIAN
THANKS! Any questions? @__muscles