From the course: CompTIA Security+ (SY0-701) Cert Prep

Cloud compute resources

- [Presenter] Before we dive into the specifics of cloud security, it's important to explore the basic building blocks of cloud computing. These are the infrastructure services that make up the cloud platforms offered by Amazon, Microsoft, Google, and other cloud vendors. Let's begin our discussion with computing resources available in the cloud. As we move through this course, we'll explore several different approaches for leveraging computing infrastructure in the cloud, but the primary way that we do this is through the creation and management of virtual servers. These servers run in cloud data centers, taking advantage of all of the benefits of the cloud, including dynamic resource allocation between instances, and server instances are incredibly easy to create. In fact, let's do just that.

Here I am logged into the AWS Management Console. I'm going to create a Linux server in AWS, then connect to it, use it for a little bit, and destroy it. We'll see how quickly that process goes. The first thing I need to do is choose the AWS service that I'm interested in. I can pull down this dropdown menu and see that there are a lot of services available. I'm going to pick the first one here under Compute: EC2. That's an acronym that stands for Elastic Compute Cloud, and it's Amazon's virtual server service. On this first EC2 screen, I can see that I have no instances running, so I'd like to go ahead and launch an instance. I'm going to click the Launch Instance button, and then Amazon asks me what machine image I would like to use. This is the base operating system and other characteristics of the machine. There can be software pre-installed on it and so on. If I scroll through this list, I see there are choices for Amazon Linux, Red Hat Linux, Ubuntu, Microsoft Windows, and a variety of other operating systems and variations on those operating systems. I'm going to stick with the Amazon Linux operating system.

Just select that, and then I'm asked to choose what type of instance I'd like. Now, there are a lot of instance types. You can scroll through this list and see all of these choices that are available to you. Instance types are just different configurations of processor, memory, and networking that are available to you as the base computing resource that you'll be using. I'm going to scroll all the way up to the top and choose a very small instance type. I'll take this default setting of t2.micro, which is a one-CPU machine with one gigabyte of memory. It's very cheap and easy to use. Then I'm going to configure some details of that instance. I'm just going to accept all these default options. I'll take an eight-gigabyte hard drive as the default. Let's name this instance, so we create a key called Name and give it the value "Mike's test instance".

Then I need to configure a security group, and the default here is creating a security group that has SSH open to it. So a security group is like the firewall rules for your instance, and this rule is just saying that the instance I create is going to be open for anyone to connect to it using the SSH protocol on port 22. Now, normally I would lock this down a little more, but we're just doing a quick demonstration here, so we'll leave this alone. We'll click Review and Launch, where I'm presented with a screen that summarizes the instance I'm asking for, and then I click the Launch button. Now the next thing it asks me to do is to choose the key pair that will be used to connect to this instance. I don't have any key pair set up right now, so I'm going to go ahead and create a new one. I can do that by changing this to "create a new key pair" and then giving it a name. We'll call this "mic test", and then I have to download the key pair. That saves it to my computer so that I can use this key to access the machine after it launches. It's very important to protect that file because it literally is the key to logging into your instance. Then I'll click the Launch Instance button.

The instance is now launching. I can go back to my list of EC2 instances and it still says zero running instances. That's because the instance is pending. Right now, Amazon's going through all the steps of creating my machine from that image and spinning it up in their data center. I can click the refresh button and see how that's going. It's still pending, and now my instance is running and available for me to connect to it.

Now I need to know a little bit more information before I can connect to this instance. One thing I can do is just hit the Connect button here, and then it gives me instructions on how to connect to this instance. I'm actually just going to take this example command line here and copy it, close this, and then go over to a terminal window. Now, if you recall, that key file that I downloaded was just saved in my Downloads directory, so I'm just going to change directory to go to my Downloads directory so that the command that I cut and paste will work, since it references that key file. This is just saying it wants to open a shell connection using my key file to that instance named ec2-18-223 and so on, using the default ec2-user account. So I'll run this command and I get a warning message because this is the first time I'm connecting to this instance, and it just wants to make sure that I understand that this is an unrecognized key, so I'll accept that error. Then I get another error message telling me that my private key file is unprotected, so I just need to make a modification to the permissions for that key file. I'm going to use the chmod command, and I'm going to set it so that only I have access to it, and then I'm just going to rerun my SSH command to try to connect to the server again. This time the connection goes through and now I have a prompt.

Everything that I'm doing from this point forward is on the server that I've just created in Amazon Linux. So, for example, I can see here that the server has some updates available. There's one package needed for security, and there are three update packages available, and it gives me the command to go ahead and apply those updates. It's sudo yum update, which uses the yum package manager just to update the available packages. I can go through this process, and all of these things that are running right now are running in Amazon's cloud. I'm not using my own computer's resources. I'm accessing a virtualized server running in Amazon's Ohio data center in this case.

Now, I don't have any use for this instance, so I'm not going to continue to keep it running. I'm going to go back to the console and I'm going to kill this instance. I'm going to go to the instance state, and then Stop would just turn the instance off, but it would leave it there, available for me to turn back on at a later date. I don't have any use for this at all, so I'm just going to terminate the instance so that it no longer exists. That will destroy it, and I won't need to pay for either the server or the storage it uses anymore.

Now, we just walked through this process of creating a server in the cloud, and it was really easy. It took us just a few minutes to get it up and running, log into it, and then destroy it again. During that time, we spent probably less than 1 cent to run that server in the cloud for just a couple of minutes there. As you work with servers in the cloud, you'll need to understand how traditional security concepts apply. From an availability perspective, you may wish to create cloud instances in different zones or regions offered by your service provider. The use of different zones provides added high availability by insulating you against a failure in a single zone. The fact that the cloud makes creating servers so simple increases the importance of maintaining instance awareness to avoid VM sprawl, an issue that I discussed earlier in this course. If you aren't conscious of the server instances running in your environment, you may wind up operating insecure, outdated servers and incurring unnecessary costs.
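The walkthrough above leaves three loose ends that a security engineer would normally close before moving on: the default security group accepts SSH from anyone on port 22, the downloaded key file has to be locked down before ssh will use it, and easily created instances are easily forgotten. The script below is an added example, not part of the course or of AWS's tooling. It checks all three points against sample data constructed inline in the shape of boto3's describe_security_groups and describe_instances responses, so it runs offline; the sg- and i- identifiers, the group names and the 203.0.113.10 admin address are placeholders.

```python
import os
import stat
import tempfile

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}   # "anyone" in IPv4 and IPv6

# Constructed sample: the first group mirrors the demo's default (SSH open to
# 0.0.0.0/0); the second is the locked-down version the presenter alludes to.
SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-demo-open", "GroupName": "launch-wizard-1",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-demo-locked", "GroupName": "admin-ssh",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
    ]
}

# Constructed sample: one tagged instance, one untagged running instance that
# nobody would notice, and one already terminated (no longer running or billed).
SAMPLE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-demo-1", "State": {"Name": "running"},
         "Tags": [{"Key": "Name", "Value": "Mike's test instance"}]},
        {"InstanceId": "i-demo-2", "State": {"Name": "running"}, "Tags": []},
        {"InstanceId": "i-demo-3", "State": {"Name": "terminated"}, "Tags": []},
    ]}]
}


def world_open_ssh(groups: dict) -> list:
    """GroupIds whose ingress rules admit TCP/22 from any address.

    Also catches the "all traffic" protocol (-1) and port ranges that merely
    span 22, which a naive FromPort == 22 comparison would miss.
    """
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            proto = perm["IpProtocol"]
            covers_ssh = proto == "-1" or (
                proto == "tcp"
                and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535))
            if not covers_ssh:
                continue
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if cidrs & WORLD_CIDRS:
                findings.append(sg["GroupId"])
                break  # one finding per group is enough
    return findings


def untracked_instances(instances: dict, required_tags=("Name",)) -> list:
    """InstanceIds of live instances missing any required tag (VM sprawl check).

    Terminated instances are skipped: they no longer run or cost anything.
    """
    missing = []
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] == "terminated":
                continue
            tags = {t["Key"] for t in inst.get("Tags", [])}
            if not set(required_tags) <= tags:
                missing.append(inst["InstanceId"])
    return missing


def key_file_is_private(path: str) -> bool:
    """True when the key is accessible by its owner only, which is what
    chmod 400 yields and what ssh insists on before it will use the key."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo_key_modes() -> tuple:
    """Write a throwaway file (constructed, not a real key) and report the
    verdict at a typical download mode of 644 and again after chmod 400."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed placeholder, not a real private key\n")
    try:
        os.chmod(f.name, 0o644)
        before = key_file_is_private(f.name)
        os.chmod(f.name, 0o400)
        after = key_file_is_private(f.name)
    finally:
        os.remove(f.name)
    return before, after


if __name__ == "__main__":
    print("world-open SSH groups :", world_open_ssh(SAMPLE_SECURITY_GROUPS))
    print("untracked instances   :", untracked_instances(SAMPLE_INSTANCES))
    print("key private (644, 400):", demo_key_modes())
```

Against the sample data the first check flags only sg-demo-open, the second flags i-demo-2 (the forgotten, untagged server) and ignores the terminated one, and the key check fails at 644 and passes at 400, which is exactly the permission change the presenter had to make before ssh would accept the key. To run the same checks against a real account you would feed in the dicts returned by boto3's describe_security_groups and describe_instances calls instead of the constructed samples.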
