mailing list archives
Re: AWS and security
From: Warner Tabor <pneusolematic () me com>
Date: Wed, 11 Jul 2012 12:23:30 -0400
You are absolutely correct, PCI is s security standard. What I failed to mention in my previous post is that we
don't keep sensitive CC data on server in the cloud, which is why I haven't give the subject much thought and can't
really speak on it. The reason I mentioned HIPPA and the like is that they are for more strict and cover more points of
data than just billing info. We are talking about just a few data point for PCI, where I would assume there is far more
to consider when it comes to HIPPA, etc.
On Jul 10, 2012, at 8:35 PM, Sean Simpson wrote:
Again, thanks for the insights!
On Jul 10, 2012, at 5:32 PM, Warner Tabor wrote:
No problem. Glad to be of some help. Seem my responses in-line below;
On Jul 10, 2012, at 8:04 PM, Sean Simpson wrote:
Hi Skip, thanks for your insights. Some specifics:
On Jul 10, 2012, at 6:41 AM, Warner Tabor wrote:
We've been using AWS for 3 years now to host our web and app servers without incident. If you make proper use of
EC2 Security Groups you can lock things down pretty tightly. I think that as long as you do your due diligence as
far a security is concerned and make sure you are using known good AMI's (ones that are provided by Amazon, for
example,) I don't think that you'll be at any higher risk for attack than hosting in a co lo.
My main concern is that the "due diligence" is different, and will require a learning curve. For instance, we
don't normally worry about inter-host communications when they only exist on our trusted network. Better to know
that kind of stuff in advance...
This is true and there is a bit of a learning curve, but their web UI makes things pretty simple, and most tasks can
be completed this way. There are certain things that you'll have to refer to the API tools for, but these are few
and far between (attaching ephemeral storage, etc.) One thing that I can suggest to help with the learning curve and
your investigation, is that you launch some Amazon Linux micro instances. These instance are free and will allow you
to play with inter-instance communications, security groups, etc. If you don't want to go the Amazon Linux route,
micro instances for other Linux distros and windows are so cheap per hour that they might as well be free (I think
you'll pay $18 to keep one running 24/7 for a month). A quick aside; for all intents and purposes the Security
groups act as routers/firewalls allowing only specific instances or IPs, subnets, etc access to instances within
You have the ability to launch, test, provision and scale your app in a very fluid and dynamic way.
This is the big draw, particularly since we can re-architect (adding a memcached layer, for instance) with
"practice" servers before changing a live system.
Absolutely. I haven't played with memcachd, but I do know that AWS even offers a service called ElastiCache for
in-memory caching that I believe utilizes memcachd
Services like ELB with Sticky Sessions allow you to load balance your app very easily without worrying about a
whole lot of configuration, extra SSL certs, etc. AWS has certainly allowed us to move far more quickly than we
would have if we were hosting on site or in a co lo.
Have you found that you become "tied" to their services? I'm a bit worried that management will change it's mind
again, and then we will be sent scrambling to handle services in yet another way. With a colo solution, we take
our service solutions with us wherever we go.
Aside from using ELB, there is nothing that I can't replicate elsewhere. And we could certainly implement similar
round-robin load balancing witout too much trouble using another solution if we had to. The rest of our architecture
is all very portable using pretty standard stuff. There are certainly services that they offer that are tempting
that would "tie" is to their service, but we haven't gone that route yet. Note that you do have the ability to
export you images as well as import external images. This would allow you to move your machines to another
virtualization environment, cloud computing service or to baremetal perhaps, but I haven't tried it. If you Google
AWS VMI Import / Export you should turn up some results.
Senior Server/Web Developer
sean () stitcher com
Senior Server/Web Developer
sean () stitcher com
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
Re: AWS and security ShiYih Lye (Jul 11)