July 7, 2011 • 08:16 1
The latest edition of the Symposia Journal is out, a magazine with community driven high quality articles around Cloud Computing (partly in German). We contributed to the latest edition with an article about the top threats of cloud computing in the IaaS space and how to tackle them. Have fun reading!
Filed under: Cloud Computing, Discussions, Symposia Journal
June 23, 2011 • 11:37 0
Sorry to the non-french readers, but I’m often asked for french papers about cloud computing and security. We are proud to be contributors to a french white paper on cloud computing, so here is the link:
http://www.tendances-cloud.com/
Bonne lecture
Filed under: Cloud Computing, Elastic Security, IaaS, News, SaaS, Secure Cloud, Amazon EC2, Cloud Computing, Elastic Detector, Elastic Security, Monitoring, SaaS, SecludIT, Security, Tutorial
June 16, 2011 • 09:02 0
Amazon EC2 administrators have to deal with daily problems such as:
We would like to provide you some insights in our solution to address those problems and to facilitate the life of cloud-administrators by detecting security related issues and events: Elastic Detector. What makes this product unique is that it is fully automated and agentless. You can see how Elastic Detector works on this short video:
Filed under: AWS, Cloud Computing, Elastic Security, IaaS, Internals, Secure Cloud, Solutions, Amazon EC2, AWS, Cloud Computing, Elastic Detector, Elastic Security, Monitoring, SaaS, SecludIT, Security, Tutorial
April 19, 2011 • 21:48 0
Earlier in April, while adding support for Security Groups within Amazon VPC, Amazon also introduced some major changes such as:
But I found very interesting the fact that we can now change (add/remove) the Security Groups for a running instance. As a customer of AWS, I really love to be able to modify my Security Groups without stopping any instance. I could now start an instance without a deep analysis of what my VPC network will be, and I can adapt it at any time with a minimal impact on the availability of the services my customers are consuming. In my point of view this is a major achievement, because I can adapt my security perimeter on the fly.
I still have some open questions:
In terms of security, I ‘m wondering if the opened/established connection are dropped if I modify my Security Group rule or if I remove it?
Moreover, AWS added NACL (Network Access Control List), which allow now to create DENY firewalling rule. But this seems requiring an internet gateway (VPC specific). This sounds like Amazon was not able to add ACCEPT/DENY options to the Security Group rules even if they added Inbound/Outbound options.
Here is AWS blog-post for more information: A New Approach to Amazon EC2 Networking
Unfortunately, I’m not a VPC user, but a EC2 user and it’s a bit frustrating that these brand new features are not available in outside VPC. I’m wondering, if there are any reason why not adding these features to Amazon EC2.
Concerning the Outbound filtering, I can’t see any reason why not adding it for EC2. I would love to hear more about this.
Last, but not least thing that can be discussed is the “one fell swoop” feature. I think this is a step back to true elasticity. Previously, I just had to create a rule and then the rule is automatically and dynamically applied, now I have to build the rule and then apply it just like with a traditional firewall.
/fred
Filed under: AWS, Cloud Computing, Amazon, Amazon EC2, AWS, EC2, security groups, SecurityGroups, VPC
March 30, 2011 • 14:57 0
There are two terms that are referred to significantly often in discussions about cloud computing, its drivers, and its impact. The first term is “DevOps“ – a combination of the terms development and operations. It refers to the fact that the tasks of developers and system administrators get increasingly closer in a cloud-based IT world where infrastructure resources become programmable fostering application centric deployment and agile development processes. System administrators are supposed to write sophisticated scripts to automate large parts of operations and think as a developer. (Interesting Links: [here][here] and [here])
The other term is “IT Consumerization” – it refers to the observation that applications, tools, and technologies from the consumer world find their way into the enterprise. This movement has several drivers: employees that are getting more and more mobile are necessarily forced to access their data from different locations and devices (laptops, mobile phones, PCs). As a consequence, enterprise IT infrastructures become ubiquitous and heterogenous: the former one-size-fits approach of IT departments to centralize administration, management, and security of every PC, is no longer feasible today with the number of increasing devices and accelerated technological progress. Thus, employees are given more and more control about what devices and tools they can pick (BYOT – “Bring You Own Technology”). This movement opened the door into the enterprise for SaaS tools like GMail or Salesforce – but also for cloud infrastructure services such as Amazon EC2: quickly need a demo-machine? need some machines for load-testing? need to share some really big files? Amazon EC2 offers the immediate solution to it – without following the lengthy processes of the IT department that may result in rejection of the demand or a purchase with a delivery that takes several weeks. Speed and simplicity play an important role here. (Interesting Links: [here][here] and [here])
While people assume that both are just two sides of the same medal, I find they are somehow conflicting movements. The DevOps movement requires highly skilled IT workers that combine the competences of developers and system administrators and that are able to write sophisticated automation scripts. IT Consumerization means a shift from classical heavy-weight tools (such as HP OpenView, for example) to a broad variety of simpler tools (mostly SaaS tools) that focus on specific use-cases, have a much smaller feature set than classical tools, and are far easier to use. Those tools (let’s cite Pingdom for monitoring as an example, but also the EC2 Management Console) take away a lot of the burden of administrators, extremely simplify their work, and thus even allow less-skilled people to manage a big part of the IT needs of a company.
Is there an error in my reasoning? Where’s the breakup? Feedback welcome!
Filed under: Cloud Computing, Discussions, Devops, IT Consumerization
March 23, 2011 • 16:30 0
Last week I attended the CloudOps Summit in Frankfurt. The motto of this conference was “Run the Cloud” and the central idea to show how cloud computing is already used today, how hands-on solutions and architectures look like, how cloud systems are operated, and what tools are already available.
While web-startups almost immediately understand the advantages of public cloud infrastructures such as Amazon EC2, Rackspace or GoGrid and already use those intensively to avoid up-front investments into hardware, scale their infrastructure dynamically to their needs, and benefit from a pay-per-usage model, established enterprises are much more hesitant in adoption – mostly due to security concerns, fear of vendor lock-in, the costs for migrating their legacy data, or the constraints of remaining compatible with existing software. This leads to the funny situation that the big ones listen carefully to learn from the new and small ones.
The conference started with a couple of short 6-minute “lightning talks” and was followed by parallel tracks about architecture, management, operations, and presentations of startups.
Some highlights from the Lightening talks
Jean-Paul Schmetz explained in his keynote that cloud computing means that everything becomes software in the cloud – storage, memory, CPU – they all have become resources that can be created and destroyed programatically on demand. Hardware are fixed assets that requires planning, budgeting, and thus accurate predictions of the future, something very hard to achieve in a world of constantly-changing requirements and needs.
Chris Boos sees in cloud computing the big opportunity for system administrators to ged rid of the boring part of operations and maintenance and to concentrate on the interesting and challenging tasks of creating new things. Cloud computing and its inherent need for automation actually liberate the rare IT experts and revalue their skills.
Nicolas Plögert from Sharewise showed how his company outsourced almost all non-critical business processes to more than a dozen of web-services – communication, billing, customer relations management to name a few.
Florian von Kurnatkowski told us that even the automative industrie wants to make their internal network (ENX) more flexible by transforming it into a cloud infrastructure.
Startups
In the startup tracks (in which I presented Elastic Detector, our cloud security monitoring service) there were a couple of interesting products around cloud infrastructures:
ScaleUp builds software that helps providers to build their own public clouds. There focus is on account management, provisioning, and managing the “point of purchase”, i.e. the spot where providers and consumers meet.
Scalarium provides a SaaS product that allows to deploy and scale web-application for Amazon EC2.
CloudSafe allows to store and share critical documents in the cloud. All data is encrypted and different access models are supported.
CentralStationCRM is a CRM SaaS product targeting small companies that are over-whelmed by the complexity of products like Salesforce.
SemYou aims to combine the simplicity of an app-store with the flexibility of SaaS applications. There goal is that users can activate any kind of web-application with a single click on their computer that will run transparently in the cloud.
Impossible Software allows to create “dynamic videos” where logos and brands can be integrated in video templates.
Thanks to the organizers for their great work and looking forward to another CloudOps Summit in Frankfurt next year! All presentations are available behind this link.
Filed under: Cloud Computing, Discussions, Solutions, CloudOps Summit
March 9, 2011 • 16:49 0
Amazon announces that a new AWS Region in Tokyo is supported (see AWS blogpost for more information).
CloudyScripts has been updated in order to support this new AWS Region.
This AWS Region is available in all the following CloudyScripts:
The CloudyScripts Community AMI has also been updated in order to support this new AWS Region. This AMI can be found in EU East (Northern Virginia) Region with the current AMI ID ami-f291639b.
/fred
Filed under: AWS, Cloud Computing, Amazon, Amazon EC2, CloudyScripts, Cloudy_Scripts, EC2
March 8, 2011 • 17:05 0
We have launched a private beta program in December 2010 and first of all we would like to thank all our beta testers for their feedback and comments.
For the last 2 months we have been busy improving Elastic Detector by integrating new features that suit your needs such as more powerful graphs and daily reports. Such features are built on top of our auto-check technology, that allows to ensure the security of your infrastructure with near zero configuration.
We are really excited to announce that the first version of Elastic Detector is ready.
Elastic Detector helps you to achieve full visibility of your Amazon EC2 deployment and monitors your security groups. You may give it a free try for 1 month. Configuration takes only 2 minutes,and then you may check Elastic Detector improving the security of your infrastructure in real time.
We will be very happy to count you among the Elastic Detector Community and we are committed at continuously securing your infrastructure on Amazon EC2.
Filed under: AWS, Cloud Computing, Elastic Security, IaaS, SaaS
February 18, 2011 • 19:04 1
The goal of this document is to enlighten security issues on third party tools that come from some features of the Amazon EC2 console. We are going to explain two security threats, a XSS (cross site scripting), and a command injection, using a second party tool as injection’s vector.
First of all, let’s describe the context of our application. Then we will have a closer look at the security issues introduced using the Amazon EC2 console.
Elastic Detector is complementary to the Amazon EC2 console (or other management console). It retrieves security group information by the EC2 API and it helps users to have a global security overview of their infrastructure on Amazon EC2. In addition it performs analysis of potential security threats.
Amazon EC2 API supports broad characters in the Security Group name. If for example, we define the following Name: <script>alert(“Hello World!!”)</script>
A third party product that displays this Security Group Name without sanitizing the data, it will result on a nice Hello World !! alert popup when browsing this Security Group.
Due to the broad character support in Amazon EC2 in Security Group name, we could define the following Name: `cp /etc/passwd /tmp`
So, once this security group is stored in a database without sanitizing, a third party product using shell commands such as eval, exec, mail or printf, could potentially execute the injected command. So a new file name passwd would be added to the /tmp directory in the product as a simple example.
NB: This could also be done using Amazon EC2 Security Instance Tags, in fact every field supports broad characters in Amazon EC2.
These two security issues are examples that illustrate the fact that a third-party tool MUST check and sanitize user’s input (like all software), but also check and sanitize any data coming from other tools or service SaaS.
We would like to thank the Amazon Security Team that fully collaborated and confirmed that broad character support is a feature of Amazon Web Services (especially Don Bailey) and the Certilience Team that helped us as an external auditor of our code.
/fred
Filed under: AWS, Cloud Computing, Elastic Security, Secure Cloud, Amazon, Amazon EC2, Command, Detector, EC2, Elastic, Injection, Issue, Security, XSS
February 10, 2011 • 12:29 11
The goal of this document is to describe the process for copying an Amazon EC2 EBS-Backed AMI from one region to another.
We have published an opensource project (CloudyScripts) to automatically perform this operation, but we get a lot of questions about it. We will continue to improve Cloudyscripts to better answer all specific issues but here goes the manual HowTo. 
linux-box-source:~$ ssh-keygen -b 1024 -C "Temporary SSH Key" -t rsa -f temp_ssh_key
linux-box-source:~$ ls temp_ssh_key*
temp_ssh_key temp_ssh_key.pub
- Private Key file: AWS_EC2_PRIVATE_KEY.pem
- Certificate Key file: AWS_EC2_CERT.pem
NB: These files can be downloaded from the Access Credentials table, X509 Certificates tab.
- AMI ID: AMI-XXXXXXXX
- EBS Volume size: VOL_SIZE
- Architecture: AMI_ARCH
- Kernel ID (AKI): AKI_XXXXXXXX
- Root Device: ROOT_DEVICE (usually
/dev/sda1)
- This is described at the end of the document.
NB: In this document, we will use to a Linux system (for command line) and Amazon Console (for Console Administration), but feel free to use your preferred tools.
NB: The LABEL part is useful for some Linux distributions (such as RedHat, Fedora, Suse, OpenSuse) as they use labeled file system in their fstab file and in the root option of their GRUB configuration file.
- Launch an instance of the AMI (a micro instance-type should be enough)
- Create a snapshot of the EBS volume
- Create a volume from this newly created snapshot
- Stop the instance
- Launch an instance in the same availability zone of the EBS volume
- Attached the newly created EBS volume to the running instance in that region and check the name of the device (/dev/sdx)
root access:
- Get the device label:
[root@amazon-linux ~]# e2label /dev/sdx
- Create a mount point:
[root@amazon-linux ~]# mkdir /mnt/ebs_volume- Mount the device on that mount point:
[root@amazon-linux ~]# mount /dev/sdx /mnt/ebs_volume/
- Create an archive of the device:
[root@amazon-linux ~]# tar -zcpvf /mnt/system-YYYY-MM-DD.tar.gz /mnt/ebs_volume/
- Detached the newly created EBS volume to the running instance in that region
NB: If needed you can get root access as follows:
[ec2-user@amazon-linux ~]$ sudo su -
[root@amazon-linux ~]#
NB: Avoid bzip2 compression if you use a small CPU instance.
NB: Please note the file system type (ext2, ext3, …), as it will be reused in the target region while creating a new file system
NB: Please note the permissions while creating file system from archive (-p option)
- Using you favorite SSH tool to copy the file.
This could be done as follows on a Linux system:
linux-box-source:~$ scp -i ssh_key_4_amazon-linux_source.pem temp_ssh_key ec2-user@amazon-linux_source.compute.amazonaws.com:~/
- Using you favorite SSH tool, connect to the running instance in the target region and get root access
- Edit file
.ssh/authorized_keysand add you public temporary SSH key contained in filetemp_ssh_key.pub- Reload SSH daemon
[root@amazon-linux ~]# /etc/init.d/sshd reload
Reloading sshd: [ OK ]
[root@amazon-linux ~]# scp -i /home/ec2-user/temp_ssh_key /mnt/system-2011-01-20.tar.gz ec2-user@amazon-linux_target.compute.amazonaws.com:~/
- Create an EBS volume in the target region in the same availability zone as your running instance and of the same size of the EBS volume of your EBS-Backed AMI in the source region
- Attach that volume to the running instance in the target zone
root access:
- Create a file-system on the device (same file system as the one used by your EBS-Backed AMI):
[root@amazon-linux ~]# mke2fs -t ext3 /dev/sdx
- Set device label: LABEL
[root@amazon-linux ~]# e2label /dev/sdx LABEL
- Create a mount point:
[root@amazon-linux ~]# mkdir /mnt/ebs_volume
- Mount the device on that mount point:
[root@amazon-linux ~]# mount /dev/sdx /mnt/ebs_volume/
- Extract the archive to that mount point:
[root@amazon-linux ~]# tar -zxpvf /mnt/system-YYYY-MM-DD.tar.gz -C /
- UnMount the device:
[root@amazon-linux ~]# umount /mnt/ebs_volume/
- Detach the newly created EBS volume to the running instance in that region
NB: If needed you can get root access as follows:
[ec2-user@amazon-linux ~]$ sudo su -
[root@amazon-linux ~]#
NB: Be careful with the permissions while extracting the file system from archive (-p option)
Amazon EC2 API tools:
linux-box-source:~/ec2-api-tools-1.3-62308$ ./bin/ec2-register --private-key AWS_EC2_PRIVATE_KEY.pem --cert AWS_EC2_CERT.pem -v -H --region TARGET_REGION -a AMI_ARCH -s SNAP-XXXXXXXX -d 'CopyAMI Generated' -n 'AMI_DESCRIPTION' --root-device-name /dev/sda1 --kernel AKI-XXXXXXXX
NB: The kernel ID AKI-XXXXXXX is found by the procedure at the end of this post
- Terminate the running instance in the source region
- Cleanup the EBS volume created in the source region
- Cleanup the snapshot created in the source region
- Terminate the running instance in the target region
- Cleanup the EBS volume created in the target region
- Cleanup the snapshot created in the target region
linux-box-source:~/ec2-api-tools-1.3-62308$ ./bin/ec2-describe-images --private-key AWS_EC2_PRIVATE_KEY.pem --cert AWS_EC2_CERT.pem -v -H --region SOURCE_REGION -a -F kernel-id=AKI-XXXXXXXX
linux-box-source:~/ec2-api-tools-1.3-62308$ ./bin/ec2-describe-images --private-key AWS_EC2_PRIVATE_KEY.pem --cert AWS_EC2_CERT.pem -v -H --region SOURCE_REGION -a -F name="*AMI_NAME*"
- I just have to retrieve the KernelID to use in the target region, as follows:
debian-secludit:~/ec2-api-tools-1.3-62308# JAVA_HOME=/usr/lib/jvm/java-6-sun-1.6.0.20 EC2_HOME=/root/ec2-api-tools-1.3-62308 ./bin/ec2-describe-images -K ../amazon-ec2-keys/key-BK54TI5LZQMBWA3GVE4XXFYMCWSUCGVY.pem -C ../amazon-ec2-keys/cert-BK54TI5LZQMBWA3GVE4XXFYMCWSUCGVY.pem -H --region us-east-1 -a -F name="*FreeBSD*"
Type ImageID Name Owner State Accessibility ProductCodes Architecture ImageType KernelId RamdiskId Platform RootDeviceType VirtualizationType Hypervisor
IMAGE ami-c01aeca9 118940168514/FreeBSD/EC2 9.0-CURRENT 2010-12-12 118940168514 available public i386 machine aki-407d9529 ebs paravirtual xen
BLOCKDEVICEMAPPING /dev/sda1 snap-409c852a 1
BLOCKDEVICEMAPPING /dev/sdb snap-ce948da4 9
IMAGE ami-a0fc0dc9 118940168514/FreeBSD/EC2 9.0-CURRENT 2010-12-29 118940168514 available public i386 machine aki-407d9529 ebs paravirtual xen
BLOCKDEVICEMAPPING /dev/sda1 snap-7127841c 1
BLOCKDEVICEMAPPING /dev/sdb snap-291ab944 9
IMAGE ami-f4db2a9d 118940168514/FreeBSD/EC2 9.0-CURRENT 2011-01-01 118940168514 available public i386 machine aki-407d9529 ebs paravirtual xen
BLOCKDEVICEMAPPING /dev/sda1 snap-dbe855b6 1
BLOCKDEVICEMAPPING /dev/sdb snap-2fe35e42 9
IMAGE ami-8cce3fe5 118940168514/FreeBSD/EC2 9.0-CURRENT 2011-01-04 118940168514 available public i386 machine aki-407d9529 ebs paravirtual xen
BLOCKDEVICEMAPPING /dev/sda1 snap-1df57270 1
BLOCKDEVICEMAPPING /dev/sdb snap-e1fe798c 9
- I could register my new AMI using the following KernelID:
aki-407d952
/fred
Filed under: AWS, Cloud Computing, Documentation, Amazon, Amazon EC2, AMI, copy, EBS, EC2, HowTo
Cloudy_Scripts:
Tools for programming Infrastructure Clouds
Elastic Detector
Elastic Security for Amazon EC2
Matthias Jung
Sergio Loureiro
Frederic Donnat
Recent Comments