Cloud Computing
Post By kanra

Cloud resources

Server-based infrastructure

A virtual machine with an OS (typically Linux or Windows)

Infrastructure-as-a-Service    Google Compute Engine                 AWS Elastic Compute Cloud (EC2)
Database servers               Google Cloud SQL                      AWS Relational Database Service (RDS)
Containers on servers          Google Container Registry (gcr.io)    AWS Elastic Container Registry (ecr.io)

Serverless applications

You don't see the servers that run your application; you only need to focus on developing your app. No machines or networks are exposed to the developer (they are hidden), so there is no infrastructure engineering to do, and it is more secure in the sense that there is no machine or network of your own to secure.

Serverless platforms           Google App Engine          AWS Elastic Beanstalk
Serverless functions           Google Cloud Functions     AWS Lambda

Services and APIs

Fully-managed services that your application can use.

Storage (via "buckets")        Google Cloud Storage       AWS Simple Storage Service (S3)
Databases (NoSQL)              Google Cloud Datastore     AWS DynamoDB
Data warehouses                Google BigQuery            AWS Athena
Logging                        Google Cloud Stackdriver   AWS CloudTrail


Cloud security

Legacy security in the cloud

Traditional server-based security, such as Unix/Windows accounts and permissions, SSH keys, and firewall rules.

SSH

ssh -i id_rsa <EXTERNAL_IP_ADDRESS>

SQL databases

postgresql://<db_user>:<db_password>@<IPAddress>:5432/<db_name>

Firewall rules

Similar to Linux iptables, but defined at the project level rather than per machine.

Ingress (incoming traffic) vs. egress (outgoing traffic), each matched on address ranges of the sources (ingress) or destinations (egress).
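To make the ingress/egress and address-range idea concrete, here is an added evaluator (not code from the original post) that applies GCP-style project-level firewall semantics to a packet; the rule set, CIDRs and names are constructed for illustration.

```python
"""Project-level firewall evaluation with GCP-style semantics (constructed example).

Ingress rules match on source ranges, egress rules on destination ranges.  The
lowest priority number wins; at equal priority deny beats allow.  Implied rules
at the lowest precedence deny all ingress and allow all egress.
"""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    direction: str          # "INGRESS" or "EGRESS"
    action: str             # "allow" or "deny"
    ranges: list            # CIDRs: sources (ingress) or destinations (egress)
    priority: int = 1000    # 0..65535, lower number = higher precedence
    protocol: str = "all"   # "tcp", "udp", "icmp" or "all"
    ports: set = field(default_factory=set)  # empty = every port

IMPLIED = [
    Rule("implied-deny-ingress", "INGRESS", "deny", ["0.0.0.0/0", "::/0"], 65535),
    Rule("implied-allow-egress", "EGRESS", "allow", ["0.0.0.0/0", "::/0"], 65535),
]

def rule_matches(rule, direction, remote_ip, protocol, port):
    if rule.direction != direction or rule.protocol not in ("all", protocol):
        return False
    if rule.ports and port not in rule.ports:
        return False
    addr = ipaddress.ip_address(remote_ip)
    # An IPv4 address is never "in" an IPv6 network, so mixed lists are safe.
    return any(addr in ipaddress.ip_network(cidr) for cidr in rule.ranges)

def evaluate(rules, direction, remote_ip, protocol="tcp", port=None):
    """Return (action, rule_name) of the rule that decides this packet."""
    matches = [r for r in rules + IMPLIED
               if rule_matches(r, direction, remote_ip, protocol, port)]
    winner = min(matches, key=lambda r: (r.priority, r.action != "deny"))
    return winner.action, winner.name

# Constructed rule set: the deny at priority 900 shadows the allow at 1000, so
# the app subnet cannot reach Postgres until the priorities are swapped.
RULES = [
    Rule("allow-ssh-from-office", "INGRESS", "allow", ["203.0.113.0/24"], 1000, "tcp", {22}),
    Rule("deny-db-from-anywhere", "INGRESS", "deny", ["0.0.0.0/0"], 900, "tcp", {5432}),
    Rule("allow-db-from-app-subnet", "INGRESS", "allow", ["10.0.1.0/24"], 1000, "tcp", {5432}),
]

if __name__ == "__main__":
    print(evaluate(RULES, "INGRESS", "203.0.113.5", "tcp", 22))   # allow-ssh-from-office
    print(evaluate(RULES, "INGRESS", "10.0.1.5", "tcp", 5432))    # deny-db-from-anywhere
```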


Cloud platform security (via IAM)

IAM (Identity and Access Management) is used to control and manage the creation of, and access to, cloud resources.

Identity (Authentication)

Validating users and applications

gcloud auth print-identity-token

Access Management (Authorization)

Policies attached to users or accounts that determine which actions are allowed on which objects.

gcloud auth print-access-token

Types of access management policies

Discretionary Access Control (DAC): the object owner decides

Mandatory Access Control (MAC): the system or an admin decides

Role-Based Access Control (RBAC): the system decides based on the user's role

Apply the principle of least privilege: grant a user only the minimal level of access needed for their tasks.

Identity-based policies

Determine who can perform which action on which resource.

Assigned through pre-defined roles, each carrying a set of permissions.

Identity: user account, service account, group account, app domain

Roles: Owner, Editor, Reader, Billing Administrator, IT team

Resource: VMs, Database instances, Storage bucket


Service accounts: used to authorize machines and applications; a VM runs with the role of its associated service account.

Service account keys: used to authenticate (a JSON file, e.g. projectID-87cca44abcc79.json)

Identity tokens

gcloud auth activate-service-account --key-file=key.json

Metadata server: each VM instance has an internal web server that stores the instance's details.


GCP Commands

gcloud <subcommand>

gsutil <subcommand>


Set Cloud Platform project in a shell session

gcloud config set project <PROJECT_ID>

Activate the service account that the application needs in order to access cloud platform resources

gcloud auth activate-service-account --key-file=start/a2-access.json

Get a service account identity token (an OAuth2 token): temporary credentials associated with the account, used instead of the key.json file

gcloud auth print-identity-token

Get a service account access token (grants access to certain server resources)

gcloud auth print-access-token


Compute Engine examples

List instances

gcloud compute instances list

Create instances

gcloud compute instances create myinstance

Get more information on the running instance:

gcloud compute instances describe <instance>


Cloud Storage examples

List buckets

gsutil ls
gsutil ls gs://<bucket>

Create bucket (gs:// URI)

gsutil mb gs://<bucket>

List the bucket’s contents

gsutil ls gs://[bucket-name]

Download the secret file to the current folder

gsutil cp gs://[bucket-name]/secret.txt .


List the logs on the project:

gcloud logging logs list

Read Stackdriver logs

gcloud logging read projects/thunder-ctf-cs494/logs/transactions


List the cloud functions in the project:

gcloud functions list

Get info about a function

gcloud functions describe a3-func-954431986661

Read the logs related to the cloud function

gcloud functions logs read

Modify a cloud function's code (redeploy it from source)

gcloud functions deploy [function-name] --source=[path/to/code]


AWS Commands

Use the private key to log in to an EC2 (VM) instance:

ssh -i ec2-ssh.pem ec2-user@<PUBLIC_IP4_ADDRESS>     # Linux AMI
ssh -i ec2-ssh.pem ubuntu@<PUBLIC_IP4_ADDRESS>       # Ubuntu

Log into SQL databases:

postgresql://<db_user>:<db_password>@<IPAddress>:5432/<db_name>

To add credentials for an IAM user as a profile:

aws configure --profile <profile-name>

AWS Resource Names (ARN)

arn:partition:service:region:account:resource
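As an added example (not from the original post), the parser below splits an ARN into the six fields shown above, matches ARNs against the wildcard Resource patterns used in IAM policies, and flags which fields a pattern leaves wide open, which ties the ARN format back to the least-privilege point in the IAM section. The sample ARNs and the account id 123456789012 are constructed placeholders.

```python
"""Parse AWS ARNs and match them against IAM policy Resource patterns.

Format: arn:partition:service:region:account:resource.  The resource part may
itself contain ':' or '/', so only the first five colons are separators.  IAM
Resource patterns use '*' (any run) and '?' (one character) wildcards.  The
sample ARNs here are constructed; 123456789012 is a placeholder account id.
"""
import re
from dataclasses import dataclass

FIELDS = ("partition", "service", "region", "account", "resource")

@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str

def parse_arn(text):
    parts = text.split(":", 5)          # keep colons inside the resource part
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    return Arn(*parts[1:])

def resource_matches(pattern, arn_text):
    """True if an IAM Resource pattern covers the given ARN."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn_text) is not None

def open_fields(pattern):
    """ARN fields a Resource pattern leaves fully open: a least-privilege smell."""
    if pattern == "*":
        return list(FIELDS)
    arn = parse_arn(pattern)
    return [name for name in FIELDS if getattr(arn, name) == "*"]

if __name__ == "__main__":
    lam = parse_arn("arn:aws:lambda:us-east-1:123456789012:function:my-func")
    print(lam.service, lam.resource)                     # lambda function:my-func
    print(resource_matches("arn:aws:s3:::my-bucket/*",
                           "arn:aws:s3:::my-bucket/secret.txt"))   # True
    print(open_fields("arn:aws:s3:::*"))                 # ['resource']
```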

List a bucket (the --profile option at the end selects which stored credentials to use)

aws s3 ls s3://<bucket-name> --profile <profile-name>

Copy all files in a bucket

aws s3 sync s3://<bucket-name> <local/path> --profile <profile-name>

Copy a specific file from a bucket (with an anonymous, unsigned request)

aws s3 cp --no-sign-request s3://<bucket-name>/file.txt .

List the Lambda functions

aws lambda list-functions --profile <profile>

Invoke Lambda function

aws lambda invoke --function-name <function> ./out.txt --profile <profile>

Show the IAM policy attached to a function

aws lambda get-policy --function-name <function> --profile <profile>


List all EC2 instances a user can access

aws ec2 describe-instances --profile <profile>


List AWS RDS instances

aws rds describe-db-instances --region us-east-1


AWS Security Token Service (STS): see which identity and role are associated with the profile

aws sts get-caller-identity --profile <profile>

Show snapshots (EC2 VM images) that an account ID can access

aws ec2 describe-snapshots --owner-id <AWS_Account_ID> --profile <profile>
aws ec2 describe-snapshots --profile <profile>

Create a volume (copy of a snapshot)

aws ec2 create-volume --availability-zone us-east-1a --region us-east-1 --snapshot-id <SnapshotId> --profile <AccountProfile>


Get IAM user information

aws iam get-user --profile <profile>

Get role policy information

aws iam get-role --role-name <role> --profile <profile>

List the policies attached to a user

aws iam list-attached-user-policies --user-name <username> --profile <profile>

Get policy information

aws iam get-policy --policy-arn <PolicyArn> --profile <profile>

Get the permissions granted by the policy (its default version)

aws iam get-policy-version --policy-arn <PolicyArn> --version-id <DefaultVersionId> --profile <profile>


Get API Gateway stages

aws apigateway get-stages --rest-api-id "s33ppypa75" --profile <profile>

List Elastic Load Balancers

aws elbv2 describe-load-balancers --profile <profile>


List container images in an Elastic Container Registry repository

aws ecr list-images --repository-name <image-name> --region us-east-1 --profile <profile>

Show image information from the Elastic Container Registry service

aws ecr batch-get-image --profile level1 --repository-name level2 --registry-id 653711331788 --region us-east-1 --image-ids imageTag=latest

AUTHOR : kanra
EMAIL : karawakara@gmail.com
Working on networking, web development, software development and server-side deployment. Having fun doing experiments with new technologies.