Archive

Posts Tagged ‘security’

Using and Managing AWS – Part 6: SSH Key Pairs

May 26th, 2009 No comments

Generate Your Keys

Now that you have chosen your instance, but before you actually start it, you need to generate your key pairs. The key pairs are SSH key pairs. A later post will explain SSH in greater detail, but the keys come in a pair because there are both public and private components.

SSH is a Secure SHell. This is a command prompt like a DOS box or a telnet connection. However, unlike DOS and Telnet, it is very secure. The private key is the local machine’s secret password. The public key is shared with any host that the local machine will connect to.

A quick overview of PuTTY and SSH for AWS Newbies

May 17th, 2009 9 comments

Linux Access with SSH & PuTTY

This post will attempt to explain what SSH and PuTTY are so that, as a user, you understand the terminology of AWS and can be productive in the environment. This post will not attempt to make you an expert in SSH. For best practices in implementing SSH, I strongly recommend a book dedicated to hardening *nix (Linux, Unix, Solaris, etc.).

SSH

In the early days of networking, not that long ago really, very simple tools were used to work with remote computers: telnet as a console, ftp for file copying, rsh for remote command execution, and others.

Using and Managing AWS – Part 3: AWS Security

May 17th, 2009 1 comment

AWS Security

Data Center Security

Amazon is a well-known entity and works to provide an extremely secure environment for your applications and your data. Amazon is pursuing Sarbanes-Oxley certification (by an external auditing agency) and SAS-70 Type II certification.

Amazon does not broadcast the locations of their data centers, and physical security is a top concern for them. They have military grade external protections. Physical access to Amazon data centers is controlled by two-factor authentication, and only those Amazon employees with an actual need are ever given access.

Hardware access is provided only to those administrators who directly require it and they must use their own SSH keys to access bastion hosts (kind of like cloud overseers).

Amazon Web Services EC2 – Part 6: Elastic Block Storage

April 8th, 2009 No comments

Elastic Compute Cloud (EC2)

Elastic Block Storage (EBS)

For most of its life in beta, EC2 offered only two kinds of storage: AMI-based transient storage and S3. The transient storage was mounted as a filesystem and S3 was used for backup. To save data during downtime for instances, data had to first be saved off to S3 and the instance brought down. When the instance was brought back up, data was restored from S3. It was a painful process.

Enter EBS, the Elastic Block Store.

Amazon Web Services S3 – Part 3: Costs and SLA

April 6th, 2009 No comments

Simple Storage Service (S3)

Cost

Storage is cheaper in the US than in Europe. If you are based in Europe, you may want to decide which is more important when getting or adding data: price or latency.

| Storage | US per GB | Europe per GB |
|---|---|---|
| First 50TB/Month | $0.150 | $0.180 |
| Next 50TB/Month | $0.140 | $0.170 |
| Next 400TB/Month | $0.130 | $0.160 |
| Over 500TB/Month | $0.120 | $0.150 |

Table 3: S3 Storage Costs

| Data Transfer | US per GB | Europe per GB |
|---|---|---|
| Transfer Into S3 | $0.100 | $0.100 |
| First 10TB Out of S3 | $0.170 | $0.170 |
| Next 40TB Out of S3 | $0.130 | $0.130 |
| Next 100TB Out of S3 | $0.110 | $0.110 |
| Out over 150TB | $0.100 | $0.100 |

Table 4: S3 Data Transfer Costs

| Requests | US per 10000 Requests | Europe per 10000 Requests |
|---|---|---|
| Put, Copy, List, Post | $0.01 | $0.012 |
| Delete (always free) | $0.00 | $0.00 |
| Get and all other requests | $0.01 | $0.012 |

Table 5: S3 Request Costs

These prices are accurate as of the time of writing.

Amazon Web Services S3 – Part 2: Security

March 15th, 2009 No comments

Simple Storage Service (S3)

Security

Write and delete access to buckets and objects is controlled via Access Control Lists (ACLs). You can assign read permissions on any object to specific users. You can also make an object public to grant access to anyone.

Transfer into and out of S3 can utilize SSH, which will encrypt data. This prevents any “over the wire” interception of your data. Data at rest is not encrypted, and Amazon recommends that users encrypt any sensitive data with their encryption tool of choice.

Amazon Web Services EC2 – Part 3: Security and Security Groups

March 4th, 2009 13 comments

Cloud Computing Info

Elastic Compute Cloud (EC2)

Security and Security Groups

Security is one of the most important, if not the most important, aspects of any important application. If you are thinking about running any kind of mission-critical application in the cloud, security should be a large part of your research.

AWS has been independently certified as Sarbanes-Oxley compliant and has passed a SAS70 audit. Amazon’s physical data center security follows established norms and is routinely audited.

On the software side, Amazon maintains a separation between host operating systems (those that Amazon is responsible for) and guest operating systems (the AMIs).
