For architecting a multi-tenant SaaS serverless application on AWS, this is how we plan to manage "users" and multi-tenancy. A relevant blog post is here: https://medium.com/#tarekbecker/serverless-enterprise-grade-multi-tenancy-using-aws-76ff5f4d0a23
In order to ensure business continuity, we would also like to ensure
Regional failover
Data residency for personally identifiable information
Disaster recovery
What changes should be made in the following architecture in order to integrate these aspects into the serverless application?
I am about to launch a webapp based on subscription. FYI, the web application manages health care data, and my customers are concerned about the security of data in the cloud.
Is there any certificate, or any official information, I can give to my customers on behalf of AWS proving that the data in any storage used by my application will be encrypted?
THANK YOU
From What is AWS Artifact?:
AWS Artifact provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and Service Organization Control (SOC) reports. You can submit the security and compliance documents (also known as audit artifacts) to your auditors or regulators to demonstrate the security and compliance of the AWS infrastructure and services that you use. You can also use these documents as guidelines to evaluate your own cloud architecture and assess the effectiveness of your company's internal controls. AWS Artifact provides documents about AWS only. AWS customers are responsible for developing or obtaining documents that demonstrate the security and compliance of their companies.
It explains what AWS does. However, you would also need to prove that you are using the cloud correctly, such as verifying users' identities and not making buckets public.
No, there is no such document; you need to apply for and obtain this certificate.
AWS is compliant for their part, security of the cloud, and you are responsible for security in the cloud. AWS Artifact is a repository.
AWS Config is the tool you will use to monitor the configuration of your stack; it can also repair configurations.
AWS CloudWatch will monitor the performance, bring you alerts and invoke Lambda.
AWS CloudTrail will monitor the API calls.
AWS Macie will check your buckets for personally identifiable information.
Then you are the one who enables encryption and chooses the key management and rotation: AWS KMS.
Just to mention a few services to be aware of. Best regards.
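The answers above say that the customer, not AWS, is the one who must turn encryption on and prove it is enforced. One concrete way to do that for S3 is a bucket policy that denies any upload which is not encrypted with a specific KMS key. The following is an added example (not from the original thread or from AWS documentation): it builds such a policy and runs a few constructed PutObject request contexts through a simplified evaluator so you can see which uploads would be rejected and why. The bucket name, account id and key id are placeholders; the evaluator only implements the two condition operators the policy uses and is not the real IAM engine.

```python
"""Require SSE-KMS for every upload to a bucket, then check sample PutObject
requests against the policy. Added example; bucket and key names are made up."""
import json

SSE_HEADER = "s3:x-amz-server-side-encryption"
KMS_KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def sse_kms_bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Bucket policy with three Deny statements: no encryption header at all,
    an algorithm other than aws:kms, or a KMS key other than the one we own.
    Deny wins over any Allow, so an over-broad IAM user policy cannot bypass it."""
    objects = f"arn:aws:s3:::{bucket}/*"

    def deny(sid, condition):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects, "Condition": condition}

    return {
        "Version": "2012-10-17",
        "Statement": [
            deny("DenyUnencryptedUploads", {"Null": {SSE_HEADER: "true"}}),
            deny("DenyWrongAlgorithm", {"StringNotEquals": {SSE_HEADER: "aws:kms"}}),
            deny("DenyWrongKey", {"StringNotEquals": {KMS_KEY_HEADER: kms_key_arn}}),
        ],
    }


def policy_json(bucket: str, kms_key_arn: str) -> str:
    """JSON form, ready for `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(sse_kms_bucket_policy(bucket, kms_key_arn), indent=2)


def first_matching_deny(policy: dict, action: str, request_context: dict):
    """Simplified evaluator: return the Sid of the first Deny statement whose
    condition matches the request, or None if nothing denies it.
    Only Null and StringNotEquals are implemented. A key that is absent from
    the request makes StringNotEquals *not* match here, which is exactly why a
    separate Null statement is needed to catch uploads with no header at all."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        matched = True
        for operator, pairs in stmt["Condition"].items():
            for key, expected in pairs.items():
                actual = request_context.get(key)
                if operator == "Null":
                    matched &= (actual is None) == (expected == "true")
                elif operator == "StringNotEquals":
                    matched &= actual is not None and actual != expected
                else:
                    raise ValueError(f"operator not supported in this toy: {operator}")
        if matched:
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    # Constructed placeholder values; 111122223333 is the AWS docs example account.
    key = "arn:aws:kms:eu-west-1:111122223333:key/example-key-id"
    policy = sse_kms_bucket_policy("patient-records-example", key)
    print(policy_json("patient-records-example", key))
    samples = {
        "no header": {},
        "SSE-S3 (AES256)": {SSE_HEADER: "AES256"},
        "SSE-KMS, our key": {SSE_HEADER: "aws:kms", KMS_KEY_HEADER: key},
    }
    for label, ctx in samples.items():
        print(f"{label:18} -> {first_matching_deny(policy, 's3:PutObject', ctx) or 'allowed'}")
```

Pair the policy with the bucket's default encryption setting and S3 Block Public Access; the policy is what you can show an auditor, since it rejects non-compliant writes rather than merely defaulting to encryption.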
Which AWS services are GDPR ready? Can I build and run GDPR compliant applications on AWS?
All AWS Services can be used in compliance with GDPR
Many requirements under the GDPR focus on ensuring effective control and protection of personal data. AWS services give you the capability to implement your own security measures in the ways you need in order to enable your compliance with the GDPR, including specific measures such as:
Encryption of personal data
Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing
This is an advanced set of security and compliance services that are designed specifically to handle the requirements of the GDPR. There are numerous AWS services that have particular significance for customers focusing on GDPR compliance, and AWS has 500+ features and services focused on security and compliance.
For more information, have a look at the AWS GDPR Center.
The AWS Shared Responsibility Model and GDPR
AWS has a shared responsibility model with the customer and this doesn't change under GDPR. AWS is responsible for securing the underlying infrastructure that supports the cloud and the services provided; while customers, acting either as data controllers or data processors, are responsible for any personal data they put in the cloud.
You can find more information about the shared responsibility under GDPR in the AWS Security Blog.
Starting with AWS seems to be a pain in the neck. I've already spent countless hours trying to squeeze out some information about what does what in their ocean of products and brand names. But there are no simple answers. First I have to read through countless pages congratulating me on choosing AWS and confirming how easily I'll be able to begin. Then I have to watch a dozen videos in which some deputy chief architect manager of whatever department explains how excited they are to see me. Yeah, thanks, but will you finally tell what does this crap do?! I don't have all the world's time.
Is there somewhere a clear and concise list of AWS services and products without all the inspirational corporate bullshit, something like this one (entirely fictional):
Daffodil: User management service which can be embedded in your codebase.
Trainwreck: Geospatial database API.
Footsmell: Industrial automation API to control robots and drones.
Wristwatch: Thesaurus and grammar checker.
If there were a similar one for Google's services, all the better.
This is a slightly old list from March 2017:
Compute
Amazon EC2: Virtual Servers in the Cloud
Amazon EC2 Container Service: Run and Manage Docker Containers
Amazon EC2 Container Registry: Store and Retrieve Docker Containers
Auto Scaling: Automatic Elasticity
AWS Elastic Beanstalk: Run and Manage Web Apps
Amazon LightSail: Launch and Manage Virtual Private Servers
AWS Lambda: Run your code in response to events
AWS Batch: Run Batch Jobs at any Scale
Storage
Amazon S3 (Simple Storage Service): Scalable Storage in the Cloud
Amazon Glacier: Low-Cost Archive Storage in the Cloud
Amazon EBS (Elastic Block Store): Block Storage for EC2
Amazon EFS (Elastic File System): Managed File Storage for EC2
AWS Storage Gateway: Hybrid Storage Integration
Database
Amazon RDS (Relational Database Service): Managed Relational Database Service
Amazon Aurora: High Performance Managed Relational Database
Amazon DynamoDB: Managed NoSQL Database
Amazon Redshift: Fast, Simple, Cost-Effective Data Warehousing
Amazon ElastiCache: In-Memory Caching System
Migration
Snowball: Petabyte-scale Data Transport
AWS Application Discovery Service: Discover On-Premises Apps
AWS Database Migration Service: Migrate Databases with Minimal Downtime
AWS Server Migration Service: Migrate On-Premises Servers to AWS
Networking & Content Delivery
Amazon Virtual Private Cloud (VPC): Isolate Cloud Resources
AWS Direct Connect: Dedicated Network Connection to AWS
Amazon Route 53: Scalable Domain Name Service
Elastic Load Balancing: High Scale Load Balancing
Amazon CloudFront: Global Content Delivery Network
Developer Tools
AWS CodeCommit: Store Code in Private Git Repositories
AWS CodeBuild: Build and Test Code
AWS CodeDeploy: Automate Code Deployment
AWS CodePipeline: Release Software using Continuous Delivery
AWS X-Ray: Analyze and Debug Your Applications
AWS Command-Line Interface: Unified Tool to Manage AWS Services
Management Tools
AWS CloudFormation: Create and Manage Resources with Templates
AWS Service Catalog: Create and Use Standardized Products
Amazon CloudWatch: Monitor Resources and Applications
AWS CloudTrail: Track User Activity and API Usage
AWS Config: Track Resource Inventory and Changes
AWS OpsWorks: Automate Operations with Chef
Amazon EC2 Systems Manager: Configure EC2 Instances and On-Premises Servers
AWS Trusted Advisor: Optimize Performance and Security
AWS Personal Health Dashboard: Personalized View of AWS service health
Security, Identity & Compliance
AWS Identity & Access Management (IAM): Manage User Access and Encryption Keys
AWS Organizations: Policy-Based Management for Multiple AWS Accounts
AWS Directory Service: Host and Manage Active Directory
AWS Cloud Directory: Create flexible cloud-native directories
AWS Key Management Service (KMS): Creation and Control of Encryption Keys
AWS CloudHSM: Hardware-based Key Storage
AWS Certificate Manager: Provision and Deploy SSL/TLS Certificates
Amazon Inspector: Analyze Application Security
AWS Shield: Managed DDoS Protection
AWS Web Application Firewall (WAF): Filter Malicious Web Traffic
Analytics
Amazon Athena: Query Data in S3 using SQL
Amazon EMR: Hosted Hadoop Framework
Amazon CloudSearch: Managed Search Service
Amazon Elasticsearch Service: Run and Scale Elasticsearch Clusters
Amazon Kinesis: Work with Real-Time Streaming Data
Amazon QuickSight: Fast Business Analytics Service
AWS Data Pipeline: Orchestration Service for periodic Data-Driven Workflows
AWS Glue: Prepare and Load Data
Artificial Intelligence
Amazon Machine Learning: Machine Learning for Developers
Amazon Polly: Turn Text into Lifelike Speech
Amazon Rekognition: Search and Analyze Images
Amazon Lex: Build Voice and Text Chatbots
Mobile Services
Amazon Cognito: User Identity and App Data Synchronization
AWS Device Farm: Test Mobile Apps on Real Devices in the Cloud
AWS Mobile Hub & Mobile SDK: Build, Test and Monitor Mobile Apps
Application Services
Amazon API Gateway: Build, Deploy and Manage APIs
AWS Step Functions: Coordinate Distributed Applications
Amazon Elastic Transcoder: Easy-to-Use Scalable Media Transcoding
Messaging
Amazon Simple Queue Service (SQS): Message Queue Service
Amazon Simple Notification Service (SNS): Push Notification Service
Amazon Simple Email Service (SES): Email Sending and Receiving Service
Amazon Pinpoint: Push Notifications for Mobile Apps
Business Productivity
Amazon Chime: Frustration-free meetings, video calls and chats
Amazon WorkDocs: Enterprise Storage and Sharing Service
Amazon WorkMail: Managed Business Email and Calendaring
Desktop & App Streaming
Amazon WorkSpaces: Desktop Computing Service
Amazon AppStream 2.0: Stream desktop applications to a browser
Internet of Things
AWS IoT Platform: Connect Devices to the Cloud
AWS Greengrass: Local Compute, Messaging, Sync for Devices
AWS IoT Button: Cloud Programmable Dash Button
Game Dev
Amazon GameLift: Dedicated Game Server Hosting
Amazon Lumberyard: Free Cross-Platform 3D game engine
There's even more these days!
It's a fair point, and with so many Amazon Web Service (AWS) services, not an easy one to sum up in a few words.
I'd say start here for a summary of the main services: https://d1.awsstatic.com/whitepapers/aws-overview.pdf
Then I think the Tech Essentials training video from acloud.guru (with 7 day free trial) is a good video to get you going: https://acloud.guru/learn/aws-technical-essentials
Google Cloud Platform is a bit more accessible IMO, their main product page gives a brief description of the products:
https://cloud.google.com/products/
Some context to the services: https://cloud.google.com/docs/overview/cloud-platform-services
And again acloud.guru have an introductory video for GCP: https://acloud.guru/learn/gcp-101
And I might as well complete the trifecta…
Microsoft Azure is a very worthy contender.
High level services: https://azure.microsoft.com/en-gb/services/
Intro Video: https://acloud.guru/learn/intro-to-azure
If you want one liners like you mentioned in your questions then click here
On that page click on the category of the service and it will list out services in that category and one line description.
E.g. click 'Compute' to see the list of provided compute services, click 'Storage' to list the provided storage services, and so on.
If you want somewhat detailed explanation, click here
Here also the services are grouped in categories; you click on one of the categories and you get to see the services (along with a brief explanation of each service) within that category.
The documentation page of each product gives an explanation in a simple way. Moreover, the FAQ explains things from scratch.
For our product we are currently storing customer credentials hashed in the DB (3-tier architecture). We want the authentication to be done at the 1st tier itself. Which AWS solution can be used for this? Maybe AWS HSM, but what changes need to be done at the app layer to do this?
This is a website
using CloudFront to route across edge locations
using database replication
also we have active-active multi-region.
Any suggestions would be useful.
Thanks
I agree that some further details on your architecture would help. Is this a web application, mobile app, other fat client? How are you achieving the active-active multi-region architecture at the DB? I would like to suggest AWS Cognito but the multi-region needs become a bit more complex in that scenario.
Today how do you determine which region your users are routed to? If using AWS Cognito you'd likely need to create a user pool per region but this means your users would need to be routed to the correct user pool based on their region.
I have had great luck with AWS Cognito identities from web, mobile, and fat client apps and have even used many of the Lambda integrations with Cognito for commercial grade applications. Some good examples:
http://docs.aws.amazon.com/cognito/latest/developerguide/using-amazon-cognito-user-identity-pools-javascript-examples.html
http://docs.aws.amazon.com/cognito/latest/developerguide/walkthrough-using-the-ios-sdk.html
http://docs.aws.amazon.com/cognito/latest/developerguide/setting-up-android-sdk.html
We are developing a custom application, API architecture, related services and processes, based on a LAMP stack and all relevant AWS services: Elastic Beanstalk, EC2, S3, ELB, RDS, API Gateway, Lambda, SNS etc. We would propose to manage the app and all related infrastructure for a flat monthly rate to our client base. We would handle all payment details with Amazon directly for all clients. We are essentially building out a multi-tenant application on AWS. We want to be able to service the AWS infrastructure for potentially 1000s of accounts/clients.
Here is the question: What are the pros/cons of:
Option A) hosting all services in a single AWS account using carefully structured IAM roles, users, and permissions, and co-mingling customer data while ensuring logical and secure separation of customer data within the account?
- VS -
Option B) creating a unique AWS account for each client, and managing each account via a local profile. In this approach, all data is fully segregated, but we have to manage common activities (user management, code deployment, operations) across 100s of discrete accounts. There is a data security advantage, but is it feasible to manage that many accounts? Any tools or processes for doing it this way? Each company technician would need a login across every account.
The isolation of option B improves security for each client, as any potential security breach would be limited to a single account. But would code deployments be a nightmare? But what about configuration management?
Is there an account federation service that would help manage option B? Or am I nuts for even considering option B?
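Option A stands or falls on the "carefully structured IAM roles" doing real tenant isolation, not just on application code remembering to filter by customer. The following is an added example, not from the question or the referenced blog post, of how that isolation looks in a single account with a shared DynamoDB table: each request runs under a role whose session carries the tenant id as a principal tag, and the role policy uses the `dynamodb:LeadingKeys` condition key so the table can only be read or written at partition keys equal to that tenant's id. The table ARN, tag name and tenant ids are placeholders, and the evaluator is a simplified stand-in for the IAM engine that implements only the one operator the policy uses.

```python
"""Tenant-scoped DynamoDB access for a shared-table, single-account design.
Added example with constructed names; the evaluator is not the IAM engine."""

TENANT_TAG = "${aws:PrincipalTag/tenant_id}"   # assumed session-tag name
ITEM_ACTIONS = ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
                "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"]


def tenant_scoped_policy(table_arn: str) -> dict:
    """Allow item-level operations only when every partition key in the request
    equals the caller's tenant id. Scan is deliberately absent: it has no
    leading keys to constrain, so it could read every tenant's rows."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OwnTenantRowsOnly",
            "Effect": "Allow",
            "Action": ITEM_ACTIONS,
            "Resource": table_arn,
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [TENANT_TAG]}
            },
        }],
    }


def is_request_allowed(policy: dict, tenant_id: str, action: str,
                       requested_keys: list) -> bool:
    """Simplified evaluator for ForAllValues:StringEquals on dynamodb:LeadingKeys.
    IAM's ForAllValues is vacuously true for an empty key set, so a request that
    touches no partition key is treated here as not matching, to stay on the
    safe side of that known quirk."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        cond = stmt["Condition"]["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"]
        # Substitute the policy variable with the caller's session tag value.
        allowed = {v.replace("${aws:PrincipalTag/tenant_id}", tenant_id) for v in cond}
        if requested_keys and all(k in allowed for k in requested_keys):
            return True
    return False


if __name__ == "__main__":
    policy = tenant_scoped_policy(
        "arn:aws:dynamodb:eu-west-1:111122223333:table/saas-data-example")
    cases = [
        ("t-alice", "dynamodb:Query", ["t-alice"]),          # own rows: allowed
        ("t-alice", "dynamodb:Query", ["t-bob"]),            # another tenant: denied
        ("t-alice", "dynamodb:BatchGetItem", ["t-alice", "t-bob"]),  # mixed: denied
        ("t-alice", "dynamodb:Scan", []),                    # no key scope: denied
    ]
    for tenant, action, keys in cases:
        print(tenant, action, keys, "->", is_request_allowed(policy, tenant, action, keys))
```

The application tier still has to mint the per-request session with the right tag (for example by assuming the role with a session tag, or via a Cognito identity pool mapping), and that minting path is the one piece of code that must be reviewed as carefully as the policy itself.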
Lots to think about, but IMO, in this instance, security trumps all other concerns and that would make me choose option B with the little I know about your setup.
Just think what would happen to your business if the 'master' account was compromised - by a hacker (internal or external) - your clients would be running for the door.
Having lots of accounts to manage is an obstacle, but if you treat your infrastructure as code, your code deployments and everything else can be automated - with 1000s of accounts you will have no choice but to put those systems in place.
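The practical shape of "automate everything across 1000s of accounts" is a single cross-account role of the same name provisioned in every member account, and a runner that assumes it in each account, performs one operation, and records success or failure per account so that one misconfigured account cannot abort the sweep. The following is an added example, not code from the answer author: the runner takes a session factory so it can be exercised offline with a constructed stand-in, and the default factory (role name, session name and account ids are placeholders) uses boto3's STS `assume_role` when real credentials are available.

```python
"""Fan one operation out across many AWS accounts via a common cross-account role.
Added example; account ids, role name and bucket names are constructed."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass
class AccountResult:
    account_id: str
    ok: bool
    detail: str


def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def boto3_session_factory(arn: str, session_name: str):
    """Default factory: assume the role with STS and return a per-account session.
    boto3 is imported lazily so the rest of the module runs without it."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=arn, RoleSessionName=session_name)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])


def run_across_accounts(account_ids: Iterable[str], role_name: str,
                        action: Callable, session_factory=boto3_session_factory,
                        max_workers: int = 8) -> List[AccountResult]:
    """Assume role_name in every account and apply `action(session)`.
    Failures are captured per account; results keep the input order."""
    def one(account_id: str) -> AccountResult:
        try:
            session = session_factory(role_arn(account_id, role_name), "fleet-sweep")
            return AccountResult(account_id, True, str(action(session)))
        except Exception as exc:  # one bad account must not stop the sweep
            return AccountResult(account_id, False, f"{type(exc).__name__}: {exc}")

    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        return list(pool.map(one, list(account_ids)))


def list_bucket_names(session) -> list:
    """Sample action using the real boto3 call shape for S3 list_buckets."""
    return sorted(b["Name"] for b in session.client("s3").list_buckets()["Buckets"])


# --- constructed stand-ins so the sweep can be run offline -------------------
class _FakeS3:
    def __init__(self, names): self._names = names
    def list_buckets(self): return {"Buckets": [{"Name": n} for n in self._names]}


class _FakeSession:
    def __init__(self, names): self._names = names
    def client(self, service):
        assert service == "s3"
        return _FakeS3(self._names)


FAKE_ACCOUNTS = {"111111111111": ["logs", "invoices"], "333333333333": []}


def fake_session_factory(arn: str, session_name: str):
    """Stand-in for STS: the account missing from FAKE_ACCOUNTS refuses the
    role, the usual symptom of a member account bootstrapped without it."""
    account_id = arn.split(":")[4]
    if account_id not in FAKE_ACCOUNTS:
        raise PermissionError("AccessDenied: not authorized to perform sts:AssumeRole")
    return _FakeSession(FAKE_ACCOUNTS[account_id])


def demo() -> List[AccountResult]:
    return run_across_accounts(["111111111111", "222222222222", "333333333333"],
                               "OrgAuditRole", list_bucket_names, fake_session_factory)


if __name__ == "__main__":
    for r in demo():
        print(f"{r.account_id} {'OK ' if r.ok else 'ERR'} {r.detail}")
```

The same runner serves both the deployment case and the audit case from the thread: swap `list_bucket_names` for a function that applies a CloudFormation stack or checks that CloudTrail is on, and the per-account result list becomes the evidence that every client account received the change.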