Amazon’s Elastic Compute Cloud (Amazon EC2) is a leading infrastructure cloud service offering clients scalable compute capacity in the cloud. It is touted as one of the more powerful offerings by Amazon Web Services (AWS), which also includes Amazon Elastic MapReduce, for data processing; Amazon CloudFront, for content distribution; and Amazon Simple Storage Service (S3), providing a data storage infrastructure.
Overview & Quick Facts
To use the Amazon EC2, customers first create an Amazon Machine Image (AMI) that contains their operating system (OS), software, data, settings, applications, libraries, etc. This AMI is encrypted and uploaded to the Amazon S3 service, which allows for reliable and secure access to the data. The AMI is then registered with Amazon EC2, which associates a unique identifier to it. Finally, the AMI ID and the Amazon EC2 service are used to run, monitor or terminate instances. Clients are charged for the running time and resources used during the instances.
Amazon EC2 offers a 99.95% uptime/availability guarantee, which translates into 4.3 hours of non-scheduled downtime per year. Unlike some comparable services (for instance, Rackspace), EC2 does not have a defined time-to-resolve guarantee, nor does AWS offer credits for any missed deadlines. Furthermore, AWS places the responsibility for notifying it of an SLA (service level agreement) violation on the client, which means that it is up to consumers to prove that a service outage took place and to request credit. A number of observers have suggested that the company develop an automated credit function for outages.
Amazon EC2 allows clients to access computing resources while paying only for the capacity they use. There are a number of different instance types, geared towards users with different computing needs. "Instances" are running systems based on an AMI; instances based on the same AMI execute identically. When an instance is terminated or fails, any data held on the instance itself is lost.
There are six available families of instances, which are discussed below:
- Standard – These instances are recommended for most general applications. There are three instances in the Standard family: small (1.7 GB memory, 160 GB storage), large (7.5 GB memory, 850 GB storage) and extra-large (15 GB memory, 1690 GB storage) instances.
- Micro – Micro instances are designed for lower throughput applications and web sites that periodically consume significant compute cycles. This instance offers 613 MB memory and EBS storage only.
- High-Memory – This family of instances is recommended for high throughput applications, such as database and memory caching. There are three instances in the High-Memory family: extra-large (17.1 GB memory, 420 GB storage), double extra-large (34.2 GB memory, 850 GB storage) and quadruple extra-large (68.4 GB memory, 1690 GB storage).
- High-CPU – Instances in this family offer more CPU resources than memory. They are designed for compute-intensive purposes. There are two instances in this family: a medium instance (1.7 GB memory, 350 GB storage) and an extra-large instance (7 GB memory, 1690 GB storage).
- Cluster Compute – This family provides high CPU resources and superior network performance, to meet the needs of High Performance Computing (HPC) applications and network-intensive applications. There is only one instance offered in this family: the Cluster Compute quadruple extra-large instance (23 GB memory, 1690 GB storage).
- Cluster GPU – Instances in this family offer general-purpose graphics processing units (GPUs), marked by high CPU resources and optimized network performance. There is only one instance offered in this family: the Cluster GPU quadruple extra-large instance (22 GB memory, 1690 GB storage).
AWS not only claims to adhere to security best practices, but it also requires its clients to follow best practices and use its numerous security features. The AWS infrastructure has attained ISO 27001 certification and has passed a number of SAS 70 Type II audits.
EC2 applies security at several levels to ensure that data cannot be intercepted by unauthorized systems or users:
- The operating system (OS) of the host system – Administrators are required to use multi-factor authentication to access administration hosts. All access is logged and audited.
- The virtual instance OS/guest OS – EC2 clients are given full access and administrative control over accounts, services and applications. AWS does not retain any access rights, nor can it log into the guest OS.
- The firewall – This is a mandatory inbound firewall that blocks inbound traffic unless customers explicitly open ports to allow it.
- Signed API calls – The customer's Amazon Secret Access Key is required to sign calls that launch or terminate instances, change firewall parameters, or perform other functions.
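To show what "signed API calls" means in practice, the following is an added example, not code from the article or from AWS: it signs and verifies an EC2-style query request in the Signature Version 2 layout (HMAC-SHA256 over the verb, host, path and sorted query parameters) with a constructed, non-functional key pair, and demonstrates that a captured request cannot be altered without the secret key. The endpoint host, the instance id, the timestamp and the Version value are placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed credentials for this example only; real keys come from the AWS console.
ACCESS_KEY_ID = "AKIAEXAMPLEKEYID0000"
SECRET_ACCESS_KEY = "exampleSecretAccessKey/NotARealKey000000"
ENDPOINT = ("GET", "ec2.amazonaws.com", "/")


def canonical_query(params):
    """Sort parameters by byte order and RFC 3986-encode each name and value."""
    enc = lambda s: urllib.parse.quote(str(s), safe="-_.~")
    return "&".join(enc(k) + "=" + enc(v) for k, v in sorted(params.items()))


def string_to_sign(method, host, path, params):
    """Signature V2 layout: verb, lowercase host, path and canonical query, newline-joined."""
    return "\n".join([method, host.lower(), path, canonical_query(params)])


def hmac_b64(secret, message):
    digest = hmac.new(secret.encode(), message.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_request(secret, method, host, path, params):
    """Client side: add SignatureMethod/Version, then sign every field with the secret key."""
    signed = dict(params, SignatureMethod="HmacSHA256", SignatureVersion="2")
    signed["Signature"] = hmac_b64(secret, string_to_sign(method, host, path, signed))
    return signed


def verify_request(secret, method, host, path, params):
    """Server side: recompute over all fields except Signature and compare in constant time.
    A real service also checks Timestamp freshness so a captured request cannot be replayed."""
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    expected = hmac_b64(secret, string_to_sign(method, host, path, unsigned))
    return hmac.compare_digest(params.get("Signature", ""), expected)


# Constructed TerminateInstances request; instance id, timestamp and version are placeholders.
REQUEST = {"Action": "TerminateInstances", "InstanceId.1": "i-00000000",
           "AWSAccessKeyId": ACCESS_KEY_ID, "Timestamp": "2011-01-01T00:00:00Z",
           "Version": "2011-01-01"}
SIGNED = sign_request(SECRET_ACCESS_KEY, *ENDPOINT, REQUEST)


def tampered_is_rejected():
    """Changing any signed field (here the instance id) invalidates the signature."""
    forged = dict(SIGNED, **{"InstanceId.1": "i-11111111"})
    return not verify_request(SECRET_ACCESS_KEY, *ENDPOINT, forged)
```

The string that gets signed covers the method, host, path and every parameter, so the server can detect any modification, and only the holder of the secret key can produce a valid Signature for a new request.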
This article explores the Amazon Elastic Compute Cloud (EC2), Amazon's offering for scalable compute resources in the cloud. The article briefly describes the service and its functionality. EC2 offers instances of different sizes, which are running systems based on Amazon Machine Images (AMIs). Instances are grouped into six families: Standard, Micro, High-Memory, High-CPU, Cluster Compute and Cluster GPU. Finally, the article describes the security features and best practices of Amazon Web Services.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Cloud Service Models (Domain 1)
- Cloud Security Reference Model (Domain 1)