Saturday, 19 May 2018

The Guardian is using encrypted Elastic Compute Cloud root volumes on Amazon Web Services

AWS Security


The Guardian, a British daily newspaper, uses the Amazon Web Services cloud for a variety of services behind its website and content management systems. The team is constantly aiming to improve its security practices, so it decided to adopt a policy of encrypting everything by default to strengthen its security posture. AWS makes this convenient for Amazon Simple Storage Service (S3) buckets, Relational Database Service (RDS) instances, EBS volumes, or DynamoDB tables. A notable exception is encrypting the root volume of an Elastic Compute Cloud (EC2) instance, which is non-trivial.

The Guardian said in their post that encrypting the root volume changes how they create and distribute Amazon Machine Images (AMIs). Their previous approach was to bake all of the AMIs in a single AWS account and then grant all the other accounts permission to use them. However, encrypted AMIs can only be used in the account where they are created, so they now have to create an individual encrypted AMI in each account that needs to use it.

They chose to create a Lambda function called Image Copier in each account, which fires when a new AMI is created by AMIgo. The Guardian describes the Lambda as simple: it makes an encrypted copy of the AMI in the local AWS account and then adds tags to the new AMI to indicate which AMI it was copied from.

This simplified description omits a number of complicating details.

Firstly, to copy an AMI from another AWS account, the copying account must be granted permission both to launch the AMI and to access the EBS snapshot associated with it. The Guardian uses HashiCorp's Packer to bake AMIs, and had to upgrade from its current version to one that supports snapshot permissions.

Secondly, tags associated with an AMI are not visible from other accounts, so they cannot be copied along with the AMI. Tags are needed, however, to keep track of the identity of every image. Hence, the Guardian included the set of tags in the message on the SNS topic that triggers the Lambda. In addition to these, two new tags were added: Encrypted and CopiedFromAMI. These indicate that the AMI has an encrypted root volume and record the ID of the original AMI it was copied from.

Thirdly, the Guardian did not want to make an encrypted copy of every single image that AMIgo bakes in every account containing the Image Copier Lambda. To solve this, every recipe in AMIgo contains a list of target accounts, which is also sent in the message on the topic. When the Image Copier Lambda receives the message, it first checks whether the account it is running in is listed in the message. If so, it creates an encrypted copy; if not, it ignores the message.

Lastly, AWS CloudFormation StackSets are used to deploy the Lambda function to all accounts, which avoids the inconvenience of doing it by hand and allows automatic updates in the future.
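
The flow described above (SNS message, target-account check, encrypted copy, tagging) can be sketched as a Lambda handler. This is an added example, not the Guardian's own Image Copier code; the message field names and the tag value format are assumptions, and only the tag keys Encrypted and CopiedFromAMI come from the post.

```python
import json

# Constructed SNS event; the message field names (sourceAmi, sourceRegion,
# name, tags, targetAccounts) are assumptions, not AMIgo's real schema.
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "sourceAmi": "ami-0123456789abcdef0",
    "sourceRegion": "eu-west-1",
    "name": "example-recipe-42",
    "tags": {"Recipe": "example-recipe", "BuildNumber": "42"},
    "targetAccounts": ["111111111111", "222222222222"],
})}}]}


def build_tags(message):
    """Tags carried in the message plus the two provenance tags from the post."""
    tags = dict(message.get("tags", {}))
    tags["Encrypted"] = "true"                      # value format is assumed
    tags["CopiedFromAMI"] = message["sourceAmi"]
    return [{"Key": k, "Value": v} for k, v in sorted(tags.items())]


def handler(event, context, ec2=None):
    """Copy each announced AMI into this account, encrypted, if we are a target."""
    if ec2 is None:                                 # real Lambda invocation
        import boto3
        ec2 = boto3.client("ec2")
    # The account the Lambda runs in is the fifth field of its ARN.
    local_account = context.invoked_function_arn.split(":")[4]
    copied = []
    for record in event["Records"]:
        message = json.loads(record["Sns"]["Message"])
        if local_account not in message["targetAccounts"]:
            continue                                # not for this account: ignore
        # Encrypted=True without KmsKeyId uses the account's default EBS key.
        response = ec2.copy_image(
            Name=message["name"],
            SourceImageId=message["sourceAmi"],
            SourceRegion=message["sourceRegion"],
            Encrypted=True,
        )
        ec2.create_tags(Resources=[response["ImageId"]], Tags=build_tags(message))
        copied.append(response["ImageId"])
    return copied
```

The `ec2` parameter exists only so the handler can be exercised with a stub client; in Lambda it is left unset and a boto3 client is created.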
