AWS Lambda + Serverless framework - Make website accessible from China - amazon-web-services

I'm trying to understand the various steps and requirements I need to go through in order to make our website available from China, both on the regulation side (Great Firewall) but also on the technical side (technical limitations and changes to perform) for https://unly.org/
Right now, it doesn't seem to be allowed: http://www.chinafirewalltest.com/?siteurl=https%3A%2F%2Funly.org%2F
I don't need nor want to own a .cn website, I just want to make my website available for Chinese users at https://unly.org/. Also, the website is currently hosted on AWS Lambda (using the Serverless framework), and is only deployed in the eu-west-1 region (Ireland).
The website doesn't sell anything online: It's an information website, not e-commerce.
I've looked into this issue for a few hours, but I'm a bit lost regarding the exact steps needed to make it happen.
Here are a few questions I haven't found answers for:
Is deploying the lambda to cn-north-1 (China Beijing) a requirement, or can Chinese users access my eu-west-1 lambda if I get an ICP license?
Regardless of the deploying region, I seem to need an ICP License, as the AWS FAQ says at
https://www.amazonaws.cn/en/about-aws/china/faqs/#new%20step:
Q: Do I need to file for ICP Recordal or ICP License if I want to host public content on AWS China (Beijing) Region or AWS China (Ningxia) Region?
Yes. In accordance with Chinese laws and regulations, if you use either AWS China Region to host a website providing non-commercial internet information services, you must undertake filing procedures for a non-commercial website (“ICP Recordal”) through the relevant government authority. If you use either AWS China Region to host a website providing commercial internet information services, you must obtain a value-added telecommunications license for a commercial website (“ICP License”) from the relevant government authority. You may be required to produce your ICP Recordal or ICP License, as applicable, before you host public content using one of the AWS China Regions.
AWS China (Beijing) Region is operated by Sinnet, who is responsible for content hosted in the Beijing Region, while AWS China (Ningxia) Region is operated by NWCD, who is responsible for content hosted in the Ningxia Region. Both Sinnet and NWCD provide support at no additional charge for customers seeking ICP related services, though customers are responsible for any fees imposed by the applicable government authorities. To learn more about the filing procedures, please visit Sinnet at http://www.sinnet.com.cn/service.aspx?PartNodeId=35 and NWCD at http://nwcdcloud.cn/ICP.aspx.
As for actually getting the license, it's a bit off topic here, but I couldn't understand the first provider's workflow:
http://www.sinnet.com.cn/en/ is a mix of English and Chinese and I got lost in translation (even when using the English version of their website)
http://nwcdcloud.cn/ContactUs.aspx seems to require sending an email to support#amazonaws.com.cn, no idea what happens next
Anyway, the process seems to take around 4-6 weeks. So, it likely takes even more time than that.
Regarding the technical details now, it seems like the China regions (cn-north-1 Beijing and cn-northwest-1 Ningxia) behave in a very particular way on AWS Lambda.
They only support REGIONAL endpoints
They do not support native Serverless environment variables
See
https://github.com/serverless/serverless/pull/4665#issuecomment-365843810
Lambda - EnvironmentVariablesFeature is not supported in cn-north-1 region
Also, there are technical impacts on the website itself:
Google services are banned, or limited (Google Analytics (limited), Google Tag Manager, Google Fonts (banned)) and must be changed, converted to owned CDN, etc.
And I've probably missed other technical limitations, since that's just those I learned about within 2h of digging around.
Are there other steps I overlooked? (regulation or technical)
Do you have any advice or feedback about how to make a website hosted on AWS Lambda available in China?
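One workaround for the "no native environment variables" limitation listed above is to resolve configuration at cold start from SSM Parameter Store instead. The following is an added example, not code from the question or the Serverless framework: the parameter path prefix "/unly/prod/" and the handler are hypothetical, and the SSM client is a constructed stand-in so the code runs offline (with boto3 the real client would be boto3.client("ssm", region_name="cn-north-1") and the call and response shape are the same).

```python
"""Configuration loading for a Lambda deployed to a region where the
deployment tooling cannot set function environment variables.

Added example, not from the original post. The parameter prefix
"/unly/prod/" and the handler are hypothetical; FakeSSM is a constructed
stand-in for the real boto3 SSM client so this runs offline.
"""
import os


class FakeSSM:
    """Constructed stand-in for SSM Parameter Store (offline only).

    get_parameters_by_path mirrors the real boto3 call's arguments and the
    shape of its response ({"Parameters": [{"Name", "Value", "Type"}]}).
    """

    def __init__(self, params):
        self._params = params  # {name: (value, type)}

    def get_parameters_by_path(self, Path, WithDecryption=False, NextToken=None):
        items = []
        for name, (value, typ) in self._params.items():
            if not name.startswith(Path):
                continue
            # SecureString values come back encrypted unless WithDecryption=True.
            shown = value if (typ != "SecureString" or WithDecryption) else "***"
            items.append({"Name": name, "Value": shown, "Type": typ})
        return {"Parameters": items}


def load_config(ssm, path_prefix, required, environ=None):
    """Resolve settings: process environment first, then Parameter Store.

    Returns {setting name: value}. Raises KeyError naming every required
    setting that could not be resolved, so a misconfigured function fails at
    cold start instead of on the first request.
    """
    environ = os.environ if environ is None else environ
    config = {key: environ[key] for key in required if key in environ}
    missing = [k for k in required if k not in config]
    if missing:
        token = None
        while True:  # paginate exactly like the real API (NextToken while more remain)
            kwargs = {"Path": path_prefix, "WithDecryption": True}
            if token:
                kwargs["NextToken"] = token
            resp = ssm.get_parameters_by_path(**kwargs)
            for p in resp.get("Parameters", []):
                key = p["Name"][len(path_prefix):]
                if key in missing:
                    config[key] = p["Value"]
            token = resp.get("NextToken")
            if not token:
                break
    still_missing = [k for k in required if k not in config]
    if still_missing:
        raise KeyError("unresolved settings: " + ", ".join(still_missing))
    return config


# Constructed sample parameters (not real values).
SAMPLE_SSM = FakeSSM({
    "/unly/prod/ANALYTICS_ID": ("ua-example", "String"),
    "/unly/prod/CDN_HOST": ("static.example.cn", "String"),
    "/unly/prod/API_TOKEN": ("s3cr3t", "SecureString"),
})
REQUIRED = ("ANALYTICS_ID", "CDN_HOST", "API_TOKEN")

# Resolve once at import time (the Lambda cold start) so every invocation reuses it.
CONFIG = load_config(SAMPLE_SSM, "/unly/prod/", REQUIRED, environ={})


def handler(event, context):
    """Minimal Lambda proxy handler using the resolved configuration."""
    return {"statusCode": 200, "body": "cdn=" + CONFIG["CDN_HOST"]}
```

The function's execution role needs ssm:GetParametersByPath on the prefix (and kms:Decrypt for SecureString parameters), which keeps secrets out of the deployment package entirely.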

Since your question contains several different aspects, I'll split my answer into two parts:
Make your website available from China
From my experience, it doesn't matter whether you're using a .com or .cn domain. You could use a .cn domain to host a Chinese version of your website, of course. But I don't think it would help with any of the problems you describe.
For a "standard", international website hosted outside China, it depends on the GFW whether it's accessible from inside China or not. In your case, it seems to be blocked.
Google services are banned indeed. There's nothing you can do about it.
In order to officially register your website (to get it "unblocked"), you do need an ICP license, as you've already found out. A good overview of the registration workflow is given by Alibaba Cloud.
I've never gone through the complete exercise, but I doubt it's possible without some help from somebody speaking Chinese.
AWS Lambda
The setup you describe - deploying lambda functions to two different regions, one being somehow non-"standard" (the Chinese one) - might create problems on the technical side as well. I'd suggest starting with a simple (one region) setup first until you get the ICP problem fixed, maybe using some China-aware CDN provider. Or you try with a "standard" AWS region closer to China; for this case, some people recommend the Singapore region.

Related

AWS Pen test - vulnerability scanning

I am trying to find out if it is correct to say that in AWS we can only perform vulnerability scanning on EC2 instances.
From my research, it seems like there can be pen tests on other AWS services, but vulnerability scanning seems to be focused on EC2? (https://aws.amazon.com/security/penetration-testing/). If so, would it be safe to assume that vulnerability scans can only be focused on EC2 instances, but also that periodic pen tests can be done on the AWS services listed in the link above?
Any help is appreciated.
You are correct in seeking out pentesting which goes beyond EC2. However, the type of testing (if any) is highly dependent on which specific services you use.
It's very common that pentests do not cover all services only because they are improperly scoped. Not all AWS services will be relevant to a penetration test, but some may be critical. Here are some worthwhile misconfigurations to consider:
S3 - Buckets have their own access controls and unique API. Without insight to bucket names and AWS expertise, a pentester cannot determine if they are misconfigured. It is fairly common for buckets to allow access to AllUsers which is very dangerous.
RDS - You should make sure that databases are not publicly accessible from the internet (for obvious reasons).
Cognito, SNS, SQS - If you are pentesting an application, you will need to take a close look at the permission and configuration of authentication and messaging services (if they are in use). Misconfigurations here can allow someone to self-enroll in applications they shouldn't.
It would be worthwhile to spend some time evaluating each service and getting an understanding of its attack surface. Here's an AWS pentesting guide for reference.
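To make the three misconfiguration classes in the answer above concrete, here is an added example (not from the answer or from any AWS tool) that checks for them over constructed responses shaped like the corresponding boto3 calls: s3.get_bucket_acl / s3.get_bucket_policy, rds.describe_db_instances and cognito-idp.describe_user_pool. Every bucket name, identifier and pool in it is made up; point the functions at the live call results to audit a real account.

```python
"""Detection logic for public S3 buckets, publicly accessible RDS instances
and Cognito pools that allow self sign-up.

Added example, not from the original answer. All sample inputs below are
constructed dicts shaped like the real boto3 responses.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def s3_public_grants(acl):
    """Return ACL grants to AllUsers or AuthenticatedUsers as (group, permission).

    AuthenticatedUsers means any AWS account in the world, not just yours,
    so it is reported alongside AllUsers.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def s3_policy_public_statements(policy_document):
    """Return the Action list of each unconditional Allow statement with a wildcard Principal.

    policy_document is the JSON string from get_bucket_policy()["Policy"].
    Statements carrying a Condition (e.g. aws:SourceVpce) may be scoped, so
    they are left for manual review instead of being flagged as public.
    """
    doc = json.loads(policy_document)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    public = []
    for st in statements:
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if wildcard:
            actions = st.get("Action", [])
            public.append(actions if isinstance(actions, list) else [actions])
    return public


def rds_public_instances(describe_output):
    """Return identifiers of DB instances launched with PubliclyAccessible=True."""
    return [db["DBInstanceIdentifier"] for db in describe_output.get("DBInstances", [])
            if db.get("PubliclyAccessible")]


def cognito_self_signup_enabled(describe_output):
    """True when anyone can create their own account in the pool.

    AllowAdminCreateUserOnly=False is the setting that permits self-enrolment.
    """
    cfg = describe_output.get("UserPool", {}).get("AdminCreateUserConfig", {})
    return not cfg.get("AllowAdminCreateUserOnly", False)


# Constructed sample responses (not real account data).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}},
    ],
})
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True},
    {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": False},
]}
SAMPLE_POOL = {"UserPool": {"Id": "example-pool",
                            "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False}}}


def audit():
    """Run every check over the samples; returns a dict of findings."""
    return {
        "s3_acl": s3_public_grants(SAMPLE_ACL),
        "s3_policy": s3_policy_public_statements(SAMPLE_POLICY),
        "rds": rds_public_instances(SAMPLE_RDS),
        "cognito_self_signup": cognito_self_signup_enabled(SAMPLE_POOL),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```

A public ACL and a public bucket policy are independent controls, which is why both are checked; S3 Block Public Access at the account level overrides both, so confirm that setting before reporting a bucket as exposed.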

Differences between AWS Global and AWS China

[Not sure this is the correct forum for this question, but I'll give it a shot.]
I'm looking at duplicating an existing solution built on AWS into an AWS China account. From what I've read in AWS' getting started blog post and AWS China's list of services per region, it seems to me that deploying a solution in Beijing or Ningxia using the AWS services we're used to and dependent on would be feasible. But since you cannot create an AWS China account without having a business license (which seems to be a topic in itself, hmm), it seems impossible to actually try things out to get a feel for if there are any differences. I also cannot seem to find any blog posts with testimonies, experiences from developers or architects who've done this, which is surprising.
Basically I want to understand if taking an existing solution built on AWS and setting it up on Chinese infrastructure is straightforward or if I should expect some differences in how things work etc. I know that AWS does not operate these two regions themselves, but through Chinese partner companies. But I'm not sure if the service capabilities, APIs etc are identical (even including the timing of releases of new versions etc).
The only real limitations I can find on the AWS blog are that the free tier is not available, and that EC2 Classic instances are not supported. But let's say I have a solution using very standard AWS services like CloudFront, S3, DynamoDB, Lambda, ECS, Elastic Beanstalk, Cognito, KMS etc. Will it be fairly simple to migrate it to an AWS China account or should I expect a struggle?
Regarding the difference, basically AWS China and AWS Global are two separate clouds and they are not connected to each other, thus they will have separate Marketplace, Endpoints and ARNs, different service capabilities etc. However those differences are not captured in such detail in the official AWS documentation.
For example most security related features and landing zone related features are not available in AWS China. I have tried to customize some AWS Global solutions for China, and met a lot of issues and challenges, so plug and play won't work here. The best way is to have some partners or local presence to overcome those challenges, especially a team with similar capabilities.
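One practical consequence of the "separate Endpoints and ARNs" point above: China regions live in the aws-cn partition, so ARNs read arn:aws-cn:... and service endpoints end in .amazonaws.com.cn. Any template or policy that hard-codes arn:aws: or a Global endpoint fails on deployment. The following is an added example (not from the answer or from AWS) that scans a template for such strings; the sample template is constructed, and the two partition facts are the only things it relies on.

```python
"""Find IAM/CloudFormation strings that break when a template written for
AWS Global is deployed into AWS China (a separate partition).

Added example, not from the original answer. Relies on two facts: China ARNs
use the "aws-cn" partition and China endpoints end in ".amazonaws.com.cn".
The sample template is constructed for illustration.
"""
import re

ARN_RE = re.compile(r"arn:(aws|aws-cn|aws-us-gov):([a-z0-9-]*):([a-z0-9-]*):")
# Hostnames under amazonaws.com that are not followed by the .cn suffix.
GLOBAL_ENDPOINT_RE = re.compile(r"\b[a-z0-9.-]+\.amazonaws\.com\b(?!\.cn)")
CHINA_REGIONS = ("cn-north-1", "cn-northwest-1")


def find_partition_issues(text, target_partition="aws-cn"):
    """Return (line_no, kind, snippet) for every partition-specific string.

    kinds: "arn-partition" -> ARN hard-codes a partition other than the target
           "arn-region"    -> ARN hard-codes a region outside the target partition
           "endpoint"      -> hostname under amazonaws.com (China uses amazonaws.com.cn)
    Templates that use ${AWS::Partition} / ${AWS::Region} are not matched and
    therefore not flagged, which is the portable way to write them.
    """
    issues = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ARN_RE.finditer(line):
            partition, _service, region = m.groups()
            if partition != target_partition:
                issues.append((n, "arn-partition", m.group(0)))
            # An empty region field is fine (IAM, S3); a hard-coded foreign region is not.
            if region and target_partition == "aws-cn" and region not in CHINA_REGIONS:
                issues.append((n, "arn-region", m.group(0)))
        for m in GLOBAL_ENDPOINT_RE.finditer(line):
            issues.append((n, "endpoint", m.group(0)))
    return issues


def to_partition(arn, target_partition="aws-cn"):
    """Rewrite the partition field of a single ARN; every other field is untouched."""
    parts = arn.split(":", 2)
    if len(parts) < 3 or parts[0] != "arn":
        raise ValueError("not an ARN: " + arn)
    return ":".join(["arn", target_partition, parts[2]])


# Constructed sample: a policy fragment and an endpoint as they would appear
# in a template written for a Global region.
SAMPLE_TEMPLATE = """\
Resource:
  - arn:aws:s3:::example-bucket/*
  - arn:aws:dynamodb:us-east-1:123456789012:table/orders
  - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*
Endpoint: https://sts.us-east-1.amazonaws.com
"""

if __name__ == "__main__":
    for line_no, kind, snippet in find_partition_issues(SAMPLE_TEMPLATE):
        print(f"line {line_no}: {kind}: {snippet}")
```

Rewriting the partition with to_partition only fixes the string; whether the service, region and feature behind the ARN exist in AWS China still has to be checked against the China service list, which is the real source of the migration work the answer describes.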

SSH from mainland China to google compute engine VM

Is it possible to ssh to Google Compute Engine virtual machines from mainland China directly (there is no direct access to any Google websites)? If the line is unstable or blocked, can we get a good user experience by deploying a proxy server in Hong Kong or some accessible data center in the US?
Google Cloud Platform does not have any restrictions on traffic coming from China.
Looking at your comment, it seems like you are experiencing some issues while accessing Google Cloud Platform products from within mainland China. It might be caused by networking conditions in China, rather than Google's own services.
If you require any technical assistance with this issue, you could contact one of Google's technology partners.
Our transparency report found here may also be useful.
Note: If you are interested in setting up any workload connected with Google Cloud Platform in the Hong Kong region, you may also use this help center article. As per the article, the Hong Kong cloud region currently offers services like compute, storage, security & networking. These services can be used alongside various other Google Cloud Platform products (or any compatible outside products) according to your purpose/needs.

AWS-ML: How to deploy/setup my own ML algorithms on AWS platform as pay-to-use API?

The title sums it up. Essentially, I'd like to offer my own closed-source proprietary ML algorithms to Amazon AWS customers on a pay-to-use basis API - e.g., sales volumes prediction algorithm service licensed monthly or annually or per call. Most information found talks about how to build and give it away, or use it internally within one's company, but I'm looking to offer it to the public as a commercial offering on AWS.
Thank you in advance for your help - links to articles, help pages, or direct steps on how to do this.
This is actually very easy to do with AWS.
Create an AWS Marketplace account.
Create an AMI bundled with your software with per hour pricing.
This link will get you started:
Sell on AWS Marketplace
Allow me to answer my own question. Although not 100% what I was hoping for, there's certainly support for this in the platform, which is great to see: Software-as-a-Service-Based Products
It looks like you need to set up your own EC2 server and then create an API Gateway call to invoke your service, and you can create API keys to control access/pricing for your end users.
API Key usage: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-setup-api-key-with-restapi.html
You can also look into AWS SageMaker to set up your ML pipeline and provide a managed inference endpoint if you don't want to host your own EC2 server; from there you can leverage API Gateway the same way.
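The answer above leans on API keys to control access and pricing, so here is an added example (not from the answers or from AWS) of the gate behind such an endpoint. API Gateway usage plans already enforce key validity, throttling and quotas when a key is attached to a plan; this hand-rolled Lambda handler is for the case where you want your own metering record for billing. It assumes a Lambda proxy integration (the key arrives in the x-api-key header, which is the header API Gateway uses), a hypothetical in-memory customer table that in production would be DynamoDB, and a constructed stand-in for the proprietary model.

```python
"""Request gate for a pay-per-call inference API behind API Gateway.

Added example, not from the original answers. CUSTOMERS is a constructed
in-memory stand-in for a DynamoDB table; predict() is a stand-in for the
real model. Lambda proxy event/response format is used throughout.
"""
import hashlib
import hmac
import json


def _h(key):
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed customer records. Only a SHA-256 of each key is stored and the
# table is indexed by that hash, so a leaked table does not leak usable keys
# and the lookup does not branch on the caller-supplied secret.
CUSTOMERS = {
    _h("k-example-AAAA"): {"id": "cust-001", "quota": 3, "used": 0, "plan": "monthly"},
    _h("k-example-BBBB"): {"id": "cust-002", "quota": 1000, "used": 0, "plan": "per-call"},
}


def authenticate(headers):
    """Return the customer record for the presented x-api-key, or None.

    Header names are matched case-insensitively (API Gateway preserves the
    client's casing). The hash comparison uses hmac.compare_digest.
    """
    lower = {k.lower(): v for k, v in (headers or {}).items()}
    key = lower.get("x-api-key", "")
    if not key:
        return None
    presented = _h(key)
    for stored_hash, record in CUSTOMERS.items():
        if hmac.compare_digest(stored_hash, presented):
            return record
    return None


def meter(record):
    """Consume one call; False when the quota is exhausted.

    In DynamoDB this is an UpdateItem with a ConditionExpression of
    "used < quota" so concurrent invocations cannot overspend the quota.
    """
    if record["used"] >= record["quota"]:
        return False
    record["used"] += 1
    return True


def predict(payload):
    """Stand-in for the proprietary model: mean of the sales history (constructed)."""
    history = payload.get("sales", [])
    return {"forecast": sum(history) / len(history) if history else 0.0}


def handler(event, context=None):
    """Lambda proxy handler: 401 bad/missing key, 429 quota exhausted, 400 bad body."""
    record = authenticate(event.get("headers"))
    if record is None:
        return {"statusCode": 401, "body": json.dumps({"error": "invalid api key"})}
    if not meter(record):
        return {"statusCode": 429, "body": json.dumps({"error": "quota exhausted"})}
    try:
        payload = json.loads(event.get("body") or "{}")
    except ValueError:
        return {"statusCode": 400, "body": json.dumps({"error": "bad json"})}
    result = predict(payload)
    result["customer"] = record["id"]
    return {"statusCode": 200, "body": json.dumps(result)}
```

Metering before parsing the body means a customer who sends malformed requests is still charged for them, which is the usual per-call contract; move the meter() call after the parse if you would rather not bill for 400s.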

Are all clouds (such as AWS) still too "public" for internal corporate use?

We use AWS as a sort of developer playground --- turning on a server to test app deployment, and execution with a variety of non production data, and then turning it off again.
We also use AWS as a host for our TFS (because somehow our source code "isn't production data"). All in all it's been great, and I would recommend it for corporate work, but that idea doesn't seem to get any traction here. The business is very reluctant to put their data "outside the wire".
What's missing from AWS, and its competitors, to make it a suitable environment for private corporate use?
IMO EC2 is well suited for corporate use - as long as you back up all your critical data off site in case of an outage, which you'd want to do for internal systems anyway. The minimum level of security that Amazon enforces is well above what a lot of traditional hosting providers give you, and also above a lot of internal shops I've worked with. Since you have full access to the operating system, you can add in as many extra levels of security as you like.
Ubuntu offer a cloud solution that you can run within your network if management is worried about information going outside of the corporate firewall.
Details can be found at: http://www.ubuntu.com/products/whatisubuntu/serveredition/cloud
From their website:
Ubuntu Enterprise Cloud brings Amazon EC2-like infrastructure capabilities inside the firewall. The Ubuntu Enterprise Cloud is powered by Eucalyptus, an open source implementation for the emerging standard of EC2. This solution is designed to simplify the process of building and managing an internal cloud for businesses of any size, thereby enabling companies to create their own self-service infrastructure.