Strange Clouds by michaelroper (cc) (from Flickr)
I have been doing some testing with both Azure and Amazon Web Services (AWS) these last few weeks and have observed a significant difference in the security setups for both of these cloud services, at least when it comes to Linux compute instances and cloud storage.
First, let me state at the outset, all of my security setups for both AWS and Amazon was done through using the AWS console or the Azure (classic) portal. I believe anything that can be done with the portal/console for both AWS and Azure can also be done in the CLI or the REST interface. I only used the portal/console for these services, so can't speak to the ease of using AWS's or Azure's CLI or REST services.
For AWS
EC2 instance security is pretty easy to setup and use, at least for Linux users:
- When you set up an (Linux) EC2 instance you are asked to set up a Public Key Infrastructure file (.pem) to be used for SSH/SFTP/SCP connections. You just need to copy this file to your desktop/laptop/? client system. When you invoke SSH/SFTP/SCP, you use the "-i" (identity file) option and specify the path to the (.PEM) certificate file. The server is already authorized for this identity. If you lose it, AWS services will create another one for you as an option when connecting to the machine.
- When you configure the AWS instance, one (optional) step is to configure its security settings. And one option for this is to allow connections only from 'my IP address', how nice. You don't even have to know your IP address, AWS just figures it out for itself and configures it.
That's about it. Unclear to me how well this secures your EC2 instance but it seems pretty secure to me. As I understand it, a cyber criminal would need to know and spoof your IP address to connect to or control remotely the EC2 instance. And if they wanted to use SSH/SFTP/SCP they would either have to access to the identity file. I don't believe I ever set up a password for the EC2 instance.
As for EBS storage, there's no specific security associated with EBS volumes. Its security is associated with the EC2 instance it's attached to. It's either assigned/attached to an EC2 instance and secured there, or it's unassigned/unattache. For unattached volumes, you may be able to snapshot it (to an S3 bucket within your administration control) or delete it (if it's unattached, but for either of these you have to be an admin for the EC2 domain.
As for S3 bucket security, I didn't see any S3 security setup that mimicked the EC2 instance steps outlined above. But in order to use AWS automated billing report services for S3, you have to allow the service to have write access to your S3 buckets. You do this by supplying an XML-like security policy, and applying this to all S3 buckets you wish to report on (or maybe it's store reports in). AWS provides a link to the security policy page which just so happens to have the XML-like file you will need to do this. All I did was copy this text and insert it into a window that was opened when I said I wanted to apply a security policy to the bucket.
I did find that S3 bucket security, made me allow public access (I think, can't really remember exactly) to the S3 bucket to be able to list and download objects from the bucket from the Internet. I didn't like this, but it was pretty easy to turn on. I left this on. But this PM I tried to find it again (to disable it) but couldn't seem to locate where it was.
From my perspective all the AWS security setup for EC2 instances, storage, and S3 was straightforward to use and setup, it seemed pretty secure and allowed me to get running with only minimal delay.
For Azure
First, I didn't find the more modern, new Azure portal that useful but then I am a Mac user, and it's probably more suitable for Windows Server admins. The classic portal was as close to the AWS console as I could find and once I discovered it, I never went back.
Setting up a Linux compute instance under Azure was pretty easy, but I would say the choices are a bit overwhelming and trying to find which Linux distro to use was a bit of a challenge. I settled on SUSE Enterprise, but may have made a mistake (EXT4 support was limited to RO - sigh). But configuring SUSE Enterprise Linux without any security was even easier than AWS.
However, Azure compute instance security was not nearly as straightforward as in AWS. In fact, I could find nothing similar to securing your compute instance to "My IP" address like I did in AWS. So, from my perspective my Azure instances are not as secure.
I wanted to be able to SSH/SFTP/SCP into my Linux compute instances on Azure just like I did on AWS. But, there was no easy setup of the identity file (.PEM) like AWS supported. So I spent some time, researching how to create a Cert file with the Mac (didn't seem able to create a .PEM file). Then more time researching how to create a Cert file on my Linux machine. This works but you have to install OpenSSL, and then issue the proper "create" certificate file command, with the proper parameters. The cert file creation process asks you a lot of questions, one for a pass phrase, and then for a network (I think) phrase. Of course, it asks for name, company, and other identification information, and at the end of all this you have created a set of cert files on your linux machine.
But there's a counterpart to the .pem file that needs to be on the server to authorize access. This counterpart needs to be placed in a special (.ssh/authorized) directory and I believe needs to be signed by the client needing to be authorized. But I didn't know if the .cert, .csr, .key or .pem file needed to be placed there and I had no idea how to" sign it". After spending about a day and a half on all this, I decided to abandon the use of an identity file and just use a password. I believe this provides less security than an identity file.
As for BLOB storage, it was pretty easy to configure a PageBlob for use by my compute instances. It's security seemed to be tied to the compute instance it was attached to.
As for my PageBlob containers, there's a button on the classic portal to manage access keys to these. But it said once generated, you will need to update all VMs that access these storage containers with the new keys. Not knowing how to do that. I abandoned all security for my container storage on Azure.
So, all in all, I found Azure a much more manual security setup for Linux systems than AWS and in the end, decided to not even have the same level of security for my Linux SSH/SFTP/SCP services that I did on AWS. As for container security, I'm not sure if there's any controls on the containers at this point. But I will do some more research to find out more.
In all fairness, this was trying to setup a Linux machine on Azure, which appears more tailored for Windows Server environments. Had I been in an Active Directory group, I am sure much of this would have been much easier. And had I been configuring Windows compute instances instead of Linux, all of this would have also been much easier, I believe.
~~~~
All in all, I had fun using AWS and Azure services these last few weeks, and I will be doing more over the next couple of months. So I will let you know what else I find as significant differences between AWS and Azure. So stay tuned.
Comments?
No comments:
Post a Comment