As AWS estates grow over time with expansions and adjustments, it gradually becomes harder to understand, audit for security, visualise, document and analyse your environment.

Duo Security (now owned by Cisco) have developed and released an excellent open-source graphical tool called CloudMapper, which allows you to achieve all the above within your AWS environment and, with a recent feature, can also act as a continuous monitoring and auditing solution. Furthermore, providing you comply with their licence, it is free.

This guide shows you how to set up Duo CloudMapper with the demo data, then link it into your AWS environment.

Often, resizing an instance type is a simple case of shutting the EC2 instance down, changing the type, then starting it up again. When changing to an M5 or C5 type, however, the EC2 instance may not boot. This is normally because it does not have the enhanced networking module or the NVMe module installed, or because block devices are mounted using their device names. Fortunately there is an AWS script that runs the pre-requisite tests so that these issues are identified and rectified before you attempt to resize the instance.

This guide shows you how to run the pre-requisite script to give you the best chance of a successful instance resizing.

AWS have recently launched Amazon EC2 Resource Optimisation Recommendations, with certain similarities to third-party tools such as CloudCheckr. It can identify idle and underutilised EC2 instances across your accounts and regions and, using a combination of CloudWatch metrics, resource usage and existing reservations, can propose recommendations for reducing costs. Many individuals and companies building new instances, or lifting and shifting on-premise servers, often have excessive resources allocated, which in the cloud world costs you money.

This guide looks at enabling EC2 Resource Optimisation to analyse your spend, with the goal of ultimately reducing your AWS costs.

GuardDuty is a security monitoring service that analyses and processes VPC Flow Logs, CloudTrail events and DNS logs. It uses threat intelligence feeds and machine learning to identify unexpected and potentially unauthorised or malicious activity within your environment, such as escalation of privileges or communication with malicious IPs, URLs or domains. It can detect compromised EC2 instances serving malware or mining bitcoin, and it monitors access behaviour for signs of compromise such as unauthorised infrastructure deployments or unusual API calls.

This article shows you how to enable GuardDuty, then run a DNS query against a known-bad DNS server to trigger an alert.

Amazon RDS for MySQL offers many benefits over building and maintaining your own MySQL environments, giving you time to focus on application development by taking on time-consuming database administration tasks including backups, software patching, monitoring, scaling and replication.

This guide shows you how to move your Joomla MySQL database from an Ubuntu server to an AWS RDS MySQL database. Although the guide focuses on Joomla, it could be applied to other MySQL to RDS migrations.

AWS Session Manager is a component of AWS Systems Manager that allows you to manage your instances through a browser-based shell or the AWS CLI. It uses a lightweight agent installed on your servers to execute server management tasks accessible through the console. This can eliminate the requirement for bastion hosts, minimise inbound ports and public IPs, and remove the need to maintain SSH keys. The tool can also be extremely useful if you have lost communication with your EC2 instance via your normal method.

This guide shows you how to configure it to connect via SSH to a Linux EC2 instance and via PowerShell to a Windows EC2 instance using Session Manager within Systems Manager.

SSL offloading, or SSL termination, is the removal of SSL-based encryption from the incoming traffic a web server receives, relieving the server of the burden of encrypting and decrypting SSL traffic and allowing it to focus its resources on serving web content. This also greatly reduces your SSL administration, not only during the initial build and ongoing certificate renewals but also by simplifying auto scaling configurations and by moving the handling of certain types of security attacks away from the web servers. There are also cost savings to be had with certificate renewals and with reduced server specifications, since the servers no longer carry the decryption/encryption overhead.

By utilising Amazon Certificate Manager with your ALB, the certificate is stored securely, regularly rotated and updated automatically by AWS with no action on your part, and best of all it is free providing you use the AWS load balancer service. This article shows you how to do SSL offloading on an AWS Application Load Balancer (ALB).

In modern IT environments, high availability and resiliency should be ingrained into everything that is built or developed. One area that is often overlooked is your client VPN endpoint and the problems remote staff face if there is an issue with it. If you have a hybrid on-premise/AWS cloud environment with the greater percentage of your services sitting in AWS, it makes sense to move your company's VPN endpoint to a managed AWS offering: it can offer greater security, resiliency and scalability, and remove the requirement for additional licences on your VPN endpoint device.

AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. It uses OpenVPN and TLS to provide a secure connection into your AWS environment.

This guide shows you how to configure an AWS Client VPN with AWS Managed Microsoft Active Directory. AWS Directory Service creates two domain controllers in separate subnets for resiliency and adds the DNS service; these run on Windows Server 2012 R2.

Athena

With the continuous increase in systems being built or migrated into the cloud, getting a grasp on the vast array of audit logs covering the operations, governance and security of those systems can be a huge undertaking in resources and time. Key controls such as security groups are often configured on the fly, tested to make sure the change works, then forgotten about, with these permissions rarely reviewed, let alone documented.

By default, CloudTrail records 90 days' worth of API calls along with account activities such as logins and changes. To go past 90 days, a trail has to be configured which pushes these logs to S3. The issue is that this takes the logs away from the searchable options within CloudTrail for when you need to find out such things as which administrator opened up a port to the world, or when this was done. This is where Athena can be used: it links into these S3 logs and, using structured queries, can analyse huge quantities of logs.

Athena is a fast, cost-effective, interactive query service that makes it easy to analyse massive amounts of data in S3 with no data warehouses or clusters to manage.

AWS Lifecycle Manager

Snapshots of Elastic Block Store (EBS) volumes can now be easily configured and automated to provide regular backups using the Data Lifecycle Manager.

Using tags on EBS volumes, you can define backup and retention schedules for snapshots by creating lifecycle policies. This guide shows you how to create the tags on the volumes, then create a simple 7-day backup and retention policy using the Data Lifecycle Manager.