
Amazon Web Services (AWS)

Rationale

AWS is our main IaaS cloud provider.

The main reasons why we chose it over other alternatives are:

  1. It provides a highly granular approach to IaaS, offering over one hundred independent services that range from quantum computing to game servers.
  2. It has a fully granular pay-as-you-go pricing model, which allows us to pay exactly for what we are using.
  3. It complies with many global top security standards.
  4. It has a highly redundant infrastructure that is distributed across the world, making us feel comfortable when it comes to its availability and reliability.
  5. It is a cloud infrastructure leader according to Gartner.
  6. It is the oldest cloud provider.

Alternatives

  1. Google Cloud Platform: It did not exist at the time we migrated to the cloud. Its service catalogue is much smaller, thus reducing its flexibility.
  2. Microsoft Azure: It did not exist at the time we migrated to the cloud. A deeper review is still pending.

Usage

We use the following AWS services:

  1. Identity and Access Management: IAM.
  2. Cost management: Cost Management.
  3. Monitoring and logging: CloudWatch.
  4. Elastic cloud computing: EC2.
  5. Cloud file storage: S3.
  6. Serverless computing: Lambda.
  7. Elastic block store: EBS.
  8. Elastic Load Balancing: ELB.
  9. Key management system: KMS.
  10. Application cluster: EKS.
  11. Virtual private cloud: VPC.
  12. NoSQL database: DynamoDB.
  13. In-memory cache: Redis.
  14. Data warehouse: Redshift.
  15. Batch processing: Batch.
  16. Machine learning: SageMaker.
  17. Elastic Container Service: ECS.
  18. Simple queue service: SQS.

Guidelines

Access web console

You can access the AWS Console by entering the AWS - Production application via Okta.

Get development keys

Developers can use Okta to get development AWS credentials.

Follow these steps to generate a key pair:

  1. Install awscli and aws-okta-processor:

    nix-env -i awscli
    pip install aws-okta-processor
  2. Add the following function in your shell profile (~/.bashrc):

    function okta-login {
      local role="${1:-<default-role>}" # Set as default role the role that you use most
      local role_uppercase="$(echo "${role^^}" | tr - _)" # Used to export the "PRODUCT_ENV_*" vars
      local env="${role_uppercase##*_}" # Services compatibility
      local args=(
        authenticate
        --user "<user-email>"
        --pass "<user-password>"
        --organization "fluidattacks.okta.com"
        --role "arn:aws:iam::205810638802:role/${role}"
        --application "https://fluidattacks.okta.com/home/amazon_aws/0oa9ahz3rfx1SpStS357/272"
        --silent
        --duration 32400
        --environment
      ) # Flags required by aws-okta-processor
      if [ "${env}" == 'PROD' ]
      then
        args+=("--no-aws-cache") # If env is PROD the cache is not used
      fi
      # aws-okta-processor prints export statements; evaluate them, then also
      # expose the credentials under role- and environment-prefixed names
      eval "$(aws-okta-processor "${args[@]}")" \
        && export "${role_uppercase}_AWS_ACCESS_KEY_ID"="${AWS_ACCESS_KEY_ID}" \
        && export "${role_uppercase}_AWS_SECRET_ACCESS_KEY"="${AWS_SECRET_ACCESS_KEY}" \
        && export "${env}_AWS_ACCESS_KEY_ID"="${AWS_ACCESS_KEY_ID}" \
        && export "${env}_AWS_SECRET_ACCESS_KEY"="${AWS_SECRET_ACCESS_KEY}"
    }

    Make sure you replace the parameters:

    - `<user-email>`: Your email.
    - `<user-password>`: Your password.
    - `<default-role>`: Use `integrates-dev` or another role.
  3. Source your profile:

    source ~/.profile
  4. To get the credentials execute:

    okta-login # To use the default role
    okta-login <role> # To use a specific role
  5. Use the --no-aws-cache flag only when you:

    - Run as prod.
    - Have problems with okta-login or the AWS credentials.
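Before using a session obtained this way, it is worth confirming that the credentials in the environment really belong to the role you asked for (for example, that a shell you believe is integrates-dev is not holding a prod session). The following shell functions are an added example and are not part of this guide or of aws-okta-processor. They reproduce the role-name to variable-prefix derivation of the okta-login function above, check that the prefixed credential variables were exported, and compare the caller identity reported by STS against the expected role. They assume the account id from the function above; `aws sts get-caller-identity` is a real awscli command, and the assumed-role ARN format it returns is `arn:aws:sts::<account>:assumed-role/<role>/<session>`. All sample values are constructed.

```shell
# Added example, not part of the original guide.
AWS_ACCOUNT_ID="205810638802"   # same account id used by okta-login

# Upper-case the role name and swap '-' for '_', as okta-login does:
# integrates-dev -> INTEGRATES_DEV
role_to_prefix() {
  printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr '-' '_'
}

# The trailing segment of the prefix is the environment: INTEGRATES_DEV -> DEV
prefix_to_env() {
  printf '%s' "${1##*_}"
}

# The IAM role ARN that okta-login requests from Okta.
role_arn() {
  printf 'arn:aws:iam::%s:role/%s' "$AWS_ACCOUNT_ID" "$1"
}

# Return 0 when a caller ARN (as returned by STS) is an assumed-role session
# of the expected role in the expected account, 1 otherwise. The '/' after the
# role name keeps "integrates-dev" from matching "integrates-dev-other".
caller_matches_role() {
  _caller="$1"; _role="$2"
  case "$_caller" in
    "arn:aws:sts::${AWS_ACCOUNT_ID}:assumed-role/${_role}/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Check that okta-login left both prefixed credential variables for a role.
# Names the missing ones on stderr and returns 1 if any are absent.
creds_exported_for() {
  _prefix="$(role_to_prefix "$1")"
  _missing=0
  for _suffix in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
    eval "_val=\${${_prefix}_${_suffix}:-}"
    if [ -z "$_val" ]; then
      echo "missing: ${_prefix}_${_suffix}" >&2
      _missing=1
    fi
  done
  return "$_missing"
}

# Live check (needs awscli and a session from okta-login): ask STS who we are
# and refuse to continue unless it is the role we meant to assume.
okta_verify() {
  _role="${1:?usage: okta_verify <role>}"
  creds_exported_for "$_role" || return 1
  _caller="$(aws sts get-caller-identity --query Arn --output text)" || return 1
  if caller_matches_role "$_caller" "$_role"; then
    echo "ok: session is $_caller"
  else
    echo "mismatch: expected $(role_arn "$_role"), got $_caller" >&2
    return 1
  fi
}
```

Run `okta_verify integrates-dev` right after `okta-login integrates-dev`; a non-zero exit means either the prefixed variables are missing or STS reports a different role or account than the one requested, which is the case to stop and re-run okta-login (with --no-aws-cache if a stale cached session is suspected) rather than proceed.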