Encryption and software updates
Launching your EC2 instance is just the first step to becoming an AWS professional: securing your cloud resources is something you just can't ignore. In this course the experienced Linux System Administrator David Clinton will share some common best practices to enhance your infrastructure security.
You'll learn how to manage access to your instances with IAM and Multi Factor Authentication, how to encrypt your storage, how to keep your Linux instance updated with security patches, how to monitor your system and your network to ensure that nobody unauthorized is using your resources, and finally, the basic principles of penetration testing and how to use nmap to ensure that your security group is properly configured.
Who should take this course
This course is aimed even at beginners with little or no experience with cloud security. Some basic knowledge of Linux system administration, TCP/IP, and security topics is recommended.
Hi, and welcome to CloudAcademy.com's video series on security in the cloud, and specifically security relating to Amazon's AWS services. Today we're going to talk about data encryption.

Your data is very important to you, and the odds are that it will be quite valuable to other people too. You don't want them getting access to it. One tool you can use in defending your instance is data encryption. That is, rather than leaving your files, whether system files or data files, in their native format, readable by anybody who has access to your machine, you can convert them to an encrypted format that is virtually unreadable unless somebody has a great deal of time and expertise and is able to recover your encryption key. That makes it much, much less likely that someone who gains access to your system can actually do anything with whatever he finds there.

Data is perhaps at its most vulnerable when it is moving from place to place: from your home or office computer to the cloud, from the cloud back to your office computer, from a client to your system, or from your system to a client, hopping from node to node across the internet.
It's very likely that someone who's trying to gain access to your data might get some or all of those packets. Therefore it's most important to make sure that your transfers are encrypted. We'll talk more about the techniques you can use to make sure that happens a bit later. Right now we're going to talk about your data when it's at rest, when it's sitting on your instance just minding its own business.
There, too, there are vulnerabilities, and there, too, there are steps we can take to make things a little bit safer. Amazon has a service called S3 which provides buckets. "Bucket" is the metaphor Amazon uses for a virtual partition in which your files and data can be stored.
Let's click on it. We have a menu of, in this case, two different data buckets saved on our AWS account. We can select either one, click on "Properties," then "Details," and one of the options we're offered is server-side encryption. We can choose no encryption, meaning the data stored in this bucket is kept in its native format with no conversion, or, as we will choose here, encryption with AES-256, the 256-bit AES algorithm. Click "Save," and the data in that bucket is now stored encrypted. It's that simple.

Now we'll talk about moving data from machine to machine using encrypted formats. Avoid unencrypted plain-text tools like telnet for connecting two machines together, or ftp, or "cp" for copying files from one machine to another. Instead, use their secure cousins. Instead of ftp, use sftp; the "s" stands for secure. Instead of cp, use scp.
Again, the "s" stands for secure: secure copy. Instead of telnet, use SSH.

It might be useful to show scp in action. We'll create a fictional instance. There's a user whose name is, conveniently, username. He lives at, let's say, the IP address 22.214.171.124. That's a fictional IP address, I hope. What we are telling the machine to do is to copy a file from the machine 22.214.171.124, in the account owned by username. After the address we type ":" and "/", then "home/username", then the name of the file, filename, and then a space and a dot, giving "scp username@22.214.171.124:/home/username/filename .". That tells the scp program to copy the file called filename that belongs to username and is found in /home/username, and the dot tells it to copy it to our current directory on our current machine. When we run this, it will prompt us for a password. Of course, it's not going to do that right now, because username and 22.214.171.124 don't actually exist, but it would prompt us for username's password and then copy the file filename back to our machine.

What, however, would we do if we want to copy a file from our machine to a remote machine? Since the file is on our machine, we first type the name of the file, assuming it's in the directory we happen to be in right now, then the username and address of the remote machine, and the location on that machine where you'd like the file saved. This time we don't type the dot at the end of the line, because we want the file to go to that remote location, not to our current location. Press "Enter," fill in the password when prompted, and you will have securely transferred the file called filename from your machine to the remote machine.
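The console clicks described above for S3 server-side encryption can also be done from a shell, which is useful when you have many buckets or want to verify the setting in a script. The following is an added example, not code from the course or from CloudAcademy; it assumes the AWS CLI is installed and has credentials configured, and BUCKET is a placeholder you supply. It sets AES-256 (SSE-S3) as the bucket's default encryption and then reads the setting back. This protects objects once they are stored in S3; the transfer to and from the bucket is the separate in-transit concern discussed above.

```shell
#!/bin/sh
# Added example (not from the course): enable default server-side encryption (SSE-S3, AES-256)
# on an S3 bucket with the AWS CLI, then verify it. Assumes the AWS CLI is installed and
# credentials are configured. BUCKET is a placeholder; nothing is called unless it is set.
set -eu

# Encryption rule: S3 encrypts every new object with AES-256 unless the uploader asks otherwise
sse_config_json() {
  printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
}

# Apply the rule as the bucket's default encryption configuration
enable_bucket_encryption() {
  aws s3api put-bucket-encryption --bucket "$1" \
    --server-side-encryption-configuration "$(sse_config_json)"
}

# Succeeds (exit 0) only if the bucket reports AES256 as its default algorithm,
# so it doubles as a check you can run in an audit script
verify_bucket_encryption() {
  aws s3api get-bucket-encryption --bucket "$1" --query \
    'ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm' \
    --output text | grep -qx AES256
}

# Only contact AWS when a bucket name was given and the CLI is present
if [ "${BUCKET:-}" ] && command -v aws >/dev/null 2>&1; then
  enable_bucket_encryption "$BUCKET"
  verify_bucket_encryption "$BUCKET" && echo "default encryption on $BUCKET: AES256"
fi
```

Run it as BUCKET=your-bucket-name sh enable-sse.sh; without BUCKET set it defines the functions and exits without touching anything.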
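The two scp forms described above, pull and push, as an added example that is not part of the course. The account name username and the address 22.214.171.124 are the course's fictional ones; the push destination /home/username/ is an assumption, since the text leaves the remote directory open. By default the script only prints the commands it would run, because the host does not exist; set DRY_RUN=0 to run the push for real.

```shell
#!/bin/sh
# Added example (not from the course): the scp pull and push commands as shell functions.
# username and 22.214.171.124 are the course's fictional account and address;
# the push target directory /home/username/ is an assumption.
set -eu

REMOTE_USER=username
REMOTE_HOST=22.214.171.124

# Pull: user@host:/path/to/file on the remote side, "." = the current directory here
scp_pull_cmd() {
  printf 'scp %s@%s:/home/%s/%s .' "$REMOTE_USER" "$REMOTE_HOST" "$REMOTE_USER" "$1"
}

# Push: the local file first, then user@host:directory on the remote side; no trailing dot
scp_push_cmd() {
  printf 'scp %s %s@%s:/home/%s/' "$1" "$REMOTE_USER" "$REMOTE_HOST" "$REMOTE_USER"
}

# Push a file, but first confirm it exists locally; otherwise scp would prompt for the
# password and only then fail, which is confusing in a script
push_file() {
  [ -f "$1" ] || { echo "no such local file: $1" >&2; return 1; }
  scp "$1" "$REMOTE_USER@$REMOTE_HOST:/home/$REMOTE_USER/"
}

# Dry run (the default): show the commands without contacting the fictional host
if [ "${DRY_RUN:-1}" = 1 ]; then
  echo "pull: $(scp_pull_cmd filename)"
  echo "push: $(scp_push_cmd filename)"
else
  push_file filename
fi
```

Both commands prompt for username's password on the remote machine; the only difference between the two forms is which side of the command line carries the user@host: prefix.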
David taught high school for twenty years, worked as a Linux system administrator for five years, and has been writing since he could hold a crayon between his fingers. His childhood bedroom wall has since been repainted.
Having worked directly with all kinds of technology, David derives great pleasure from completing projects that draw on as many tools from his toolkit as possible.
Besides being a Linux system administrator with a strong focus on virtualization and security tools, David writes technical documentation and user guides, and creates technology training videos.
His favorite technology tool is the one that should be just about ready for release tomorrow. Or Thursday.