
Friday, March 20, 2020

AWS Security Best Practice for Static WEB



When you are choosing AWS services, you should know which security best practices are available and which will suit you. Today I'm going to talk about how to choose security best practices for a static website.

What is a static website? Why should we use it?

A static website serves HTML, images, video, JavaScript (JS), and other files for your site. Static websites are most suitable for simple marketing or personal sites. The best parts of a static website are low cost, very high reliability, minimal administration, and the ability to handle enterprise-level traffic without additional work.

This is the scenario for the static website that I'm going to discuss:








Best Practices

  • Once you create a bucket you won't be able to change its name again, so think carefully and give your bucket a proper name.

  • Create a separate S3 bucket for log management.*

  • Provide only the necessary permissions on the S3 bucket content for public access.**

  • Do not include any sensitive data (account number, etc.) in the bucket name; the bucket name will appear in the URL that points to objects in the bucket.

  • When selecting a Region, choose one that minimizes latency and cost and meets regulatory requirements.

  • When creating a bucket, add user accounts (only the web developers) and give the developers read and write permissions using IAM such as

  • Use Amazon S3 Block Public Access.

  • Enable Object Lock for the bucket; when this is enabled, objects in the bucket will be protected.

  • Use a CloudFront web distribution for more secure access (HTTPS). ***

  • Use AWS Certificate Manager (ACM). ****

  • Create the CloudFront distribution. *****

  • Create an A record using Route 53 (R53).



* By using CloudFront and a separate S3 bucket we can maintain access logs for the website. This way, it's easy to manage and monitor how users access the site. Unusual and suspicious accesses can be mitigated by this method.

** Since the content will be accessed by the public, it's necessary to provide public access to the content. Since the site is a static website, only read-only permission can be provided, and only for the relevant web content.

*** Why CloudFront? Amazon S3 uses an SSL wildcard certificate that cannot be used with custom domains. That is why we cannot access the static website hosted on S3 over HTTPS. By placing CloudFront in front of the S3 static website, we can access it over HTTPS.

**** When you are using ACM, select a Public type certificate. The important thing is that the certificate must be created in the US East 1 (us-east-1) Region to be used by CloudFront.




***** When creating the CloudFront distribution, use these settings.

In the Default Cache Behavior Settings select:

Viewer Protocol Policy: Redirect HTTP to HTTPS

Allowed HTTP Methods: GET, HEAD, OPTIONS
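The CloudFront, ACM and logging points above can be checked against a distribution's configuration before it goes live. The following Python check is an added example, not part of the original post: it audits the DistributionConfig JSON that CloudFront returns. The function names and both sample configurations are constructed for illustration and contain only the fields the audit inspects.

```python
import re

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def bucket_of(domain):
    # "name.s3.amazonaws.com" / "name.s3-website-<region>..." -> "name"
    return re.split(r"\.s3[.-]", domain)[0]

def audit_distribution(cfg):
    """Return findings for one DistributionConfig; empty list = all checks pass."""
    findings = []
    behavior = cfg.get("DefaultCacheBehavior", {})
    policy = behavior.get("ViewerProtocolPolicy")
    if policy != "redirect-to-https":            # Redirect HTTP to HTTPS
        findings.append(f"ViewerProtocolPolicy is {policy}")
    methods = set(behavior.get("AllowedMethods", {}).get("Items", []))
    extra = sorted(methods - SAFE_METHODS)       # a static site needs no writes
    if extra:
        findings.append("write methods allowed: " + ",".join(extra))
    arn = cfg.get("ViewerCertificate", {}).get("ACMCertificateArn", "").split(":")
    if len(arn) < 6 or arn[2] != "acm":
        findings.append("no ACM certificate attached")
    elif arn[3] != "us-east-1":                  # CloudFront reads ACM certs from us-east-1
        findings.append(f"ACM certificate is in {arn[3]}")
    logging = cfg.get("Logging", {})
    origins = {bucket_of(o["DomainName"]) for o in cfg.get("Origins", {}).get("Items", [])}
    if not logging.get("Enabled"):
        findings.append("access logging is disabled")
    elif bucket_of(logging.get("Bucket", "")) in origins:
        findings.append("logs share the content bucket")
    return findings

# Constructed sample configs (trimmed to the audited fields; not from a real account).
GOOD = {
    "Origins": {"Items": [{"DomainName": "www.example.com.s3-website-us-west-2.amazonaws.com"}]},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https",
                             "AllowedMethods": {"Items": ["GET", "HEAD", "OPTIONS"]}},
    "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"},
    "Logging": {"Enabled": True, "Bucket": "example-site-logs.s3.amazonaws.com"},
}
BAD = {
    "Origins": {"Items": [{"DomainName": "www.example.com.s3.amazonaws.com"}]},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all",
        "AllowedMethods": {"Items": ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]}},
    "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:us-west-2:111122223333:certificate/EXAMPLE"},
    "Logging": {"Enabled": True, "Bucket": "www.example.com.s3.amazonaws.com"},
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_distribution(cfg) or "ok")
```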





The logical view of the static website

















References -:  https://docs.aws.amazon.com/AmazonS3/latest/dev/website-hosting-custom-domain-walkthrough.html

 

References -: https://aws.amazon.com/getting-started/projects/host-static-website/


Identity Access Management (IAM)

In this post, I'm going to talk about Identity Access Management (IAM)

 

What is IAM?

 

Essentially, IAM allows you to control users and their access level to the AWS Console. It is important to understand IAM and how it works in order to administer a company's AWS account.

 

What does the IAM give you?

  • Centralized control of AWS accounts

  • Shared access to AWS accounts

  • Multifactor authentication

  • Temporary access for users/devices/services

     

     

Let's see what the IAM console is.

This is the console interface when you log in.




Now go to the Services tab in the top left corner and select IAM from the list, or use the search bar to search for the service.






When you select IAM you will get this window with four options.

Click Create individual IAM users and then Manage Users to get this window. The users are already created.





These are the main options for users: Permissions, Groups, Tags, Security credentials, and Access Advisor.







These are the main options for groups: Users, Permissions, and Access Advisor.



Now we are going to add users to the groups. I'm going to add user-1 to S3-Support, user-2 to EC2-Support, and user-3 to EC2-Admin. The method is the same for every user.

Select the user, go to the Groups tab, click Add user to group, and select the group that you want to add the user to.

When you have added all the users to their groups you can see which groups they are in.





After creating the accounts we can use the highlighted link to log in to the accounts. Copy that link and open it in a new tab.


Note -:

If you like, you can change the link by clicking the CUSTOMIZE button and adding an account alias.

 

 

When you open the link it will look like this. Log in using the user name and password.


USER-1





 

Different users have different permissions. This is user-1.

user-1 does not have permission to view or add users to groups, and does not have permission to view instances.


USER-2









This is user-2. He has permission to view the instances, but he does not have permission to stop them. When user-2 tries to stop the instances, it gives an error.


USER-3

 





 

This is user-3. He has permission to stop the instances.

Summary -:

From this we can understand that IAM controls users' permissions, and different users may have different access permissions.
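What user-2 and user-3 saw follows from how IAM evaluates the policies attached to their groups: everything is denied unless a statement allows it, and an explicit Deny always wins. The Python below is an added example, not from the original post; the group policies are assumptions (the post does not show them), and the evaluator checks only Effect and Action, ignoring Resource and Condition.

```python
import re

def _match(pattern, action):
    # IAM wildcards: "*" is any run of characters, "?" is one; action names ignore case.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def is_allowed(policies, action):
    """Simplified IAM decision: default deny, explicit Deny beats any Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            actions = [actions] if isinstance(actions, str) else actions
            if any(_match(a, action) for a in actions):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def policy(effect, *actions):
    # Builds a one-statement policy document applying to every resource.
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": list(actions), "Resource": "*"}]}

# Assumed group policies: the post names the groups but does not show their policies.
GROUP_POLICIES = {
    "S3-Support": [policy("Allow", "s3:Get*", "s3:List*")],
    "EC2-Support": [policy("Allow", "ec2:Describe*")],
    "EC2-Admin": [policy("Allow", "ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances")],
}
USER_GROUPS = {"user-1": ["S3-Support"], "user-2": ["EC2-Support"], "user-3": ["EC2-Admin"]}

def can(user, action, extra_policies=()):
    policies = [p for g in USER_GROUPS[user] for p in GROUP_POLICIES[g]]
    return is_allowed(policies + list(extra_policies), action)

if __name__ == "__main__":
    for user in USER_GROUPS:
        for action in ("ec2:DescribeInstances", "ec2:StopInstances", "iam:AddUserToGroup"):
            print(user, action, "allowed" if can(user, action) else "denied")
    # An explicit Deny overrides the Allow that user-3 gets from EC2-Admin.
    print(can("user-3", "ec2:StopInstances", [policy("Deny", "ec2:Stop*")]))
```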





Friday, March 13, 2020

Let's learn about Amazon Web Services (AWS)




What is AWS???

AWS is one of the most popular cloud service providers in the world; it offers compute power, database storage, content delivery, and many more functions.

Are there any other cloud service providers?

YES

Who are they?


Who has the highest market share in cloud services?

What do we need to consider when we select a cloud?


  • Cost
  • Security
  • Reliability
  • Availability 
  • Scalability

How to get the actual cost for your requirements?

AWS provides an online calculator that we can use to calculate the cost based on our requirements.

USE THE SIMPLE MONTHLY CALCULATOR FROM HERE

Example of cost calculation 


Step 1

According to the given document, we have to select an EC2 server.

NOTE-:

On the left side, all the services are listed, and on the right side, the requirements are listed.

When you go to the calculator it will be laid out as I mentioned: the left has the services and the right has the requirements. We just have to fill in the calculator form according to the above scenario.

Now we will start the calculation.

First, for EC2, go to the calculator, select the region US West (Oregon) (the Region tab is at the top of the form), and select Amazon EC2 from the right side.


EC2 (Elastic Compute Cloud)

These are virtual machines that you can control at the operating system (OS) level.

For the description you can put anything you prefer. Select two Linux t3.2xlarge instances running 20 hours per day, billed with no upfront costs for 1 year.


S3 (Simple Storage Service)

This is for storage of files, images, documents, folders, etc.

NOTE -: This cannot be used to install an OS, software, or games.

 

Now we will check the second requirement. It is about Amazon S3, which has many requirements; three Application Load Balancers and an average of 50 connections/second per Application Load Balancer are a few of them. See the above image.

NOTE-: In this server, according to the requirements we need to select the Cross Region Replication


Elastic Load Balancing

It distributes incoming application traffic across multiple targets. It accepts incoming traffic and routes requests to registered targets; apart from that, it monitors the health of the registered targets.


Here is the requirement for Elastic Load Balancing


Amazon Route 53

It supports the Domain Name System (DNS); it's a very cost-effective way to route end users to Internet applications.


Amazon Relational Database Service (Amazon RDS)

These services allow you to run databases such as MySQL, MariaDB, PostgreSQL, Oracle or SQL Server and those are fully secure with installing antivirus.



AWS Support

AWS Support has various levels; the support you get depends on the level, and the important thing is that the higher the support level, the higher the cost.

In the above image, you can see the services that I have selected according to the scenario.


Final step



The above images show the full cost for the scenario.

According to the calculator, the total cost per month is $28,994.69.

 
