
Public Cloud Security

1 Introduction

Tips

Cloud tenant security is out of scope for this discussion.

Cloud-native application vulnerabilities are touched on only briefly.

Microservices are not covered.

Cloud security misconfigurations and incorrect "case" demonstrations are a major cause of the frequent security problems seen in the cloud.

[image: 20201231145314.png]

1.1 Why move to the cloud

The traditional security perimeter is blurred.

"All in cloud"

More and more companies are moving to the cloud.

1.2 Related resources

https://aws.amazon.com/n/training/

https://edu.aliyun.com

https://cloud.tencent.com/edu/training

https://cloud.google.com/certification/

https://www.microsoft.com/zh-cn/learning/azure-training.aspx

1.3 Common cloud products

[image: 20201231150602.png]

2 Common concepts

2.1 Metadata

Metadata is not an unfamiliar concept in cloud computing. The Metadata service injects additional information into a virtual machine so that the VM carries customized configuration from the moment it is created. In OpenStack, the Metadata service provides the VM with its hostname, SSH public key, customized data passed in by the user, and other information. This data falls into two categories: metadata and user data. Metadata covers data about the VM itself, such as hostname, SSH key and network configuration; user data covers customized scripts, commands and so on. Whichever category the data belongs to, OpenStack delivers it to the VM in the same way.

Tips

Comparable to a Dockerfile.

2.2 Availability Zone and Region

Let's first look at the concept of a Region. AWS cloud services run data centers in different places around the world, such as North America, South America, Europe and Asia. Correspondingly, based on geographical location, the collection of infrastructure services in a given area is called a region. Through AWS regions, AWS cloud services can be geographically closer to users, and users can choose different regions in which to store their data to meet regulatory compliance requirements.

Take Alibaba Cloud as an example:

[image: 20201231151739.png]

[image: 20201231151801.png]

2.3 IAM - Identity and Access Management

IAM helps you securely control user access to AWS resources. IAM lets you control who can use your AWS resources (authentication), which resources they can use and how they can use them (authorization).

IAM-AWS

RAM-Ali Cloud

CAM-Tencent Cloud

IAM-Huawei Cloud

2.3.1 Users

If you have purchased multiple ECS instances and there are multiple users in your organization (such as employees, systems or applications) that need to use them, you can create separate users and a policy that allows only specific users to use these instances. This avoids the risk of the same AccessKey being shared with, and leaked by, multiple people.

2.3.2 User groups

You can create multiple user groups and grant them different permission policies, which lets you manage permissions in batches. For example:

To strengthen network security controls, you can attach to a user group a permission policy specifying that requests to the relevant ECS resources are denied when the user's IP address does not come from the enterprise network.

You can create two user groups to manage people with different job responsibilities; if a developer's job changes and they become a system administrator, you simply move them from the Developers group to the SysAdmins group.

SysAdmins: this user group needs permission to create and manage resources. You can grant the SysAdmins group a permission policy that allows its members to perform all ECS operations, covering instances, images, snapshots and security groups.

Developers: this user group needs permission to use instances. You can grant the Developers group a permission policy that allows its members to call DescribeInstances, StartInstance, StopInstance, RunInstance and DeleteInstance.
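The two group policies above, plus the source-IP restriction, can be expressed as RAM-style policy documents and evaluated. The following is an added example written for this page; it is not code from the original post or from Alibaba Cloud. It assumes the RAM policy document shape (Version "1", a Statement list with Effect, Action, Resource and an optional Condition) and the condition key acs:SourceIp with the IpAddress / NotIpAddress operators; the enterprise range 10.0.0.0/8 and the request contexts are constructed sample values.

```python
"""Toy evaluator for RAM-style permission policies.

Added example; not code from the original post or from Alibaba Cloud.
Assumed: the RAM policy document shape (Version "1", Statement list with
Effect/Action/Resource and optional Condition) and the condition key
"acs:SourceIp" with the "IpAddress" / "NotIpAddress" operators. The
policies, the enterprise range 10.0.0.0/8 and the request contexts are
constructed sample values.
"""
import fnmatch
import ipaddress

# Developers group: only the five instance actions named in the post.
DEVELOPERS_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:DescribeInstances", "ecs:StartInstance",
                   "ecs:StopInstance", "ecs:RunInstance", "ecs:DeleteInstance"],
        "Resource": "*",
    }],
}

# SysAdmins group: every ECS operation.
SYSADMINS_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}],
}

# Network control: deny ECS requests whose source IP is outside the
# (constructed) enterprise network.
CORP_NETWORK_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": "ecs:*",
        "Resource": "*",
        "Condition": {"NotIpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def _condition_holds(condition, context):
    """Every operator/key pair must hold; unknown keys or operators never hold."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            if key != "acs:SourceIp" or operator not in ("IpAddress", "NotIpAddress"):
                return False
            hit = _ip_in_ranges(context["source_ip"], _as_list(values))
            if hit != (operator == "IpAddress"):
                return False
    return True


def evaluate(policies, action, context):
    """Return "Allow" or "Deny" for one API action.

    Rules: an explicit Deny in any matching statement wins, an Allow is
    needed for access, and with no matching statement the default is Deny.
    """
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Effective policy sets for a member of each group.
DEVELOPER = [DEVELOPERS_POLICY, CORP_NETWORK_POLICY]
SYSADMIN = [SYSADMINS_POLICY, CORP_NETWORK_POLICY]

if __name__ == "__main__":
    for who, policies, ip, action in [
        ("developer", DEVELOPER, "10.20.30.40", "ecs:StartInstance"),
        ("developer", DEVELOPER, "10.20.30.40", "ecs:CreateSnapshot"),
        ("developer", DEVELOPER, "203.0.113.5", "ecs:StartInstance"),
        ("sysadmin", SYSADMIN, "10.20.30.40", "ecs:CreateSnapshot"),
    ]:
        print(who, ip, action, "->", evaluate(policies, action, {"source_ip": ip}))
```

The deny-overrides-allow rule is the property to rely on: attaching the network policy to both groups means even a SysAdmin calling from outside the enterprise range is refused, regardless of how broad the group's Allow statement is.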

2.3.3 Roles

An instance RAM role lets you associate a role with an ECS instance; code running inside the instance then calls the APIs of other cloud products using STS (Security Token Service) temporary credentials, which are rotated periodically. This keeps the cloud account's long-lived AccessKey off the instance, while fine-grained permission management is achieved through RAM access control.
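Sections 2.1 and 2.3.3 together describe how an instance obtains short-lived role credentials from the metadata service and why they must be refreshed. The following is an added example for this page, not code from the original post or from any cloud SDK. It assumes ECS exposes role credentials at http://100.100.100.200/latest/meta-data/ram/security-credentials/<role-name> as JSON with AccessKeyId, AccessKeySecret, SecurityToken, Expiration (UTC, ISO 8601 with trailing Z) and Code; the fetch function is injectable so that the example runs offline against a constructed response.

```python
"""Instance RAM role credentials: fetch from the metadata service and
refresh before expiry.

Added example; not code from the original post or from any cloud SDK.
Assumed: the metadata path and the JSON fields named above. The fetcher
is injectable, and SAMPLE_RESPONSE is a constructed document in that
shape so the code runs offline.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

METADATA_BASE = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"
REFRESH_MARGIN = timedelta(minutes=5)   # refresh this long before Expiration


def utc(*args):
    """Shorthand for an aware UTC datetime, e.g. utc(2021, 1, 1, 5, 56)."""
    return datetime(*args, tzinfo=timezone.utc)


def http_fetch(url, timeout=2):
    """Real fetcher: the link-local metadata address is only reachable from inside the instance."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


def parse_expiration(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class InstanceRoleCredentials:
    """Caches one STS credential set and re-reads it shortly before it expires."""

    def __init__(self, role_name, fetch=http_fetch, now=lambda: datetime.now(timezone.utc)):
        self.role_name = role_name
        self._fetch = fetch
        self._now = now
        self._creds = None
        self._expires = None
        self.refresh_count = 0

    def _load(self):
        doc = json.loads(self._fetch(METADATA_BASE + self.role_name))
        if doc.get("Code") != "Success":
            raise RuntimeError(f"metadata service returned Code={doc.get('Code')!r}")
        for field in ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration"):
            if field not in doc:
                raise RuntimeError(f"credential document missing {field}")
        self._creds = doc
        self._expires = parse_expiration(doc["Expiration"])
        self.refresh_count += 1

    def needs_refresh(self):
        return self._expires is None or self._now() + REFRESH_MARGIN >= self._expires

    def get(self):
        """Return (AccessKeyId, AccessKeySecret, SecurityToken), refreshing when stale."""
        if self.needs_refresh():
            self._load()
        c = self._creds
        return c["AccessKeyId"], c["AccessKeySecret"], c["SecurityToken"]


# Constructed response in the shape the metadata service returns.
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "STS.EXAMPLEKEYID",
    "AccessKeySecret": "EXAMPLESECRET",
    "SecurityToken": "EXAMPLETOKEN",
    "Expiration": "2021-01-01T06:00:00Z",
    "LastUpdated": "2021-01-01T00:00:00Z",
    "Code": "Success",
})

if __name__ == "__main__":
    clock = [utc(2021, 1, 1, 0, 0)]
    creds = InstanceRoleCredentials("WebRole", fetch=lambda url: SAMPLE_RESPONSE, now=lambda: clock[0])
    print(creds.get()[0], "refreshes:", creds.refresh_count)
    clock[0] = utc(2021, 1, 1, 5, 56)       # inside the refresh margin
    creds.get()
    print("after 05:56 refreshes:", creds.refresh_count)
```

The security-relevant points are in the two checks: the document must carry a SecurityToken (a long-lived AccessKey has none, so anything without one is not an STS credential and should not be trusted here), and the cache is invalidated before Expiration rather than at it, so a request in flight never carries a token that has just lapsed.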

2.4 VPC - Virtual Private Cloud

A Virtual Private Cloud (VPC) lets users build a logically isolated partition in the cloud and create and run network resources in a virtual network they define. Users have full control over their virtual network environment, including choosing IP address ranges, creating subnets and configuring route tables.

2.5 ARN - Aliyun Resource Name

The format of a resource ARN is:

arn:acs:${Service}:${Region}:${Account}:${ResourceType}/${ResourceId}

The meanings of each field are as follows:

Service: Cloud product code.

Region: Region ID.

Account: Alibaba Cloud Account ID.

ResourceType: Resource type.

ResourceId: Resource ID.

arn:acs:ecs:cn-hangzhou:123456789*****:instance/i-
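A parser for the ARN format above, with wildcard matching of the kind a policy's Resource field uses, as an added example that is not part of the original post or of Alibaba Cloud's tooling. It assumes that a Resource pattern may contain "*" in any field, as RAM policies allow; every ARN in it is a constructed sample value, and the account IDs are placeholders.

```python
"""Parse and match Alibaba Cloud resource ARNs of the form
arn:acs:${Service}:${Region}:${Account}:${ResourceType}/${ResourceId}.

Added example; not code from the original post or from Alibaba Cloud.
Assumed: a policy Resource pattern may use "*" in any field. All ARNs
below are constructed sample values.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Arn:
    service: str
    region: str
    account: str
    resource_type: str
    resource_id: str

    @property
    def resource(self):
        """The last field as written: "type/id", or just "type" when there is no id."""
        return f"{self.resource_type}/{self.resource_id}" if self.resource_id else self.resource_type

    def __str__(self):
        return f"arn:acs:{self.service}:{self.region}:{self.account}:{self.resource}"


def parse_arn(text):
    """Split an acs ARN into its five fields; reject anything that is not one."""
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[:2] != ["arn", "acs"]:
        raise ValueError(f"not an acs ARN: {text!r}")
    service, region, account, resource = parts[2:]
    if not service or not resource:
        raise ValueError(f"service and resource must not be empty: {text!r}")
    resource_type, _, resource_id = resource.partition("/")
    return Arn(service, region, account, resource_type, resource_id)


def arn_matches(pattern, arn):
    """True when a policy Resource pattern (which may contain '*') covers arn."""
    if pattern == "*":
        return True
    p = parse_arn(pattern)
    pairs = [(p.service, arn.service), (p.region, arn.region),
             (p.account, arn.account), (p.resource, arn.resource)]
    return all(fnmatch.fnmatchcase(actual, wanted) for wanted, actual in pairs)


if __name__ == "__main__":
    instance = parse_arn("arn:acs:ecs:cn-hangzhou:1234567890123456:instance/i-bp1example")
    print(instance)
    for pattern in ("*",
                    "arn:acs:ecs:cn-hangzhou:1234567890123456:instance/*",
                    "arn:acs:ecs:cn-beijing:1234567890123456:instance/*"):
        print(f"{pattern!s:60} -> {arn_matches(pattern, instance)}")
```

When writing policies, the region and account fields are where least privilege is won or lost: a Resource of "*" or "arn:acs:ecs:*:*:*" covers every instance the account can see, whereas scoping it to one region and the owning account limits the blast radius of a leaked credential to the resources that were meant to be reachable.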
