# AUI 2

## Potential Services

* EC2
* IAM
* VPC
* S3
* RDS
* CloudWatch
* SNS
* AWS Backup

## User Authentication

![](https://i.imgur.com/q6a8GEi.png)

|Group/Role|Group/Role Name|Permissions|
|-|-|-|
|Group|SysAdmin|SystemAdministrator|
|Group|DBAdmin|DatabaseAdministrator|
|Group|Monitor|AmazonEC2ReadOnlyAccess, AmazonS3ReadOnlyAccess, AmazonRDSReadOnlyAccess, AmazonRDSEnhancedMonitoringRole, Monitoring role|
|Role|EC2toS3IAMRole|New policy - S3 - List, Read, Write on objects, with the Resource limited to the bucket the instances actually use rather than `*` (all buckets in the account)|

|Requirement|Solution|
|-|-|
|Should be at least 8 characters and have 1 uppercase, 1 lowercase, 1 special character, and a number|IAM Account settings - Set password policy (minimum length 8; require uppercase, lowercase, numbers and non-alphanumeric characters)|
|Change password every 90 days and ensure that the previous three passwords can't be re-used|IAM Account settings - Set password policy - Enable password expiration (90 days) and Prevent password reuse (remember the last 3)|
|All administrators require programmatic access|IAM Users - Add user - select Programmatic access (issues an access key ID and secret access key)|
|Administrator sign-in to the AWS Management Console requires the use of Virtual MFA|IAM Users - User Name - Security credentials - Assigned MFA device - Manage MFA Device - Virtual MFA device|

## Design: Web Tier

|Requirement|Solution|
|-|-|
|Architecture must be flexible and handle any peak in traffic or performance|Auto Scaling Group|
|The overall acceptable incoming network bandwidth is between 300 Mbps and 750 Mbps.|m4.xlarge instance type (High network performance)|
|Application administrators want to be notified by email if there are more than 100 "400 HTTP errors" per minute in the application.|Load Balancer -> CloudWatch alarm on the HTTP 4XX count metric (Sum over a 1-minute period, threshold > 100) -> SNS topic with an email subscription|
|Web Tier instances should be tagged as "Key=Name" and "Value=web-tier"|Auto Scaling Group Tags Key="Name" Value="web-tier" (tag new instances)|

## Design: Application Tier

|Requirement|Solution|
|-|-|
|Architecture must be flexible and handle any peak in traffic or performance.|Auto Scaling Group|
|Server capacity should be between 50% and 60%.|Create a custom metric and install the needed software in UserData for the instances. Then use this custom metric in the Auto Scaling Policy. [link](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingAlarmActions.html)|
|Overall memory and CPU utilization should not go above 80% and 75% respectively or below 30% for either.|Auto Scaling Policy CPUUtilization >=75% -> +1 and <=30% -> -1. Memory utilization is not published by EC2 by default, so the memory thresholds need the CloudWatch agent or the custom metric above.|
|Internet access is required for patching and updates without exposing the servers.|Place the instances in the private subnet and route outbound traffic through a NAT gateway in the public subnet. The security group allows HTTPS only from the web tier and SSH only from the administrator network; SSH from Anywhere (0.0.0.0/0) would expose the servers, which the requirement forbids.|
|Application Tier Instances should be tagged as "Key=Name" and "Value=app-tier".|Auto Scaling Group Tags Key="Name" Value="app-tier"|

## Design: Database Tier

|Requirement|Solution|
|-|-|
|Database needs consistent storage performance at 21000 IOPS|Provisioned IOPS (io1) storage|
|High availability is a requirement|Multi-AZ deployment: synchronous standby in a different Availability Zone|
|No change to the database schema can be made at this time|???|

## Proposed VPC Architecture Diagram

diagram here ???
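The EC2toS3IAMRole row above asks for a new policy with List, Read and Write on objects. The visual policy editor leaves `Resource` as `*` unless it is narrowed, which turns the role into read/write on every bucket in the account. The following added example (not part of this design note; the bucket name `aui2-app-documents` is an assumption) builds the role's policy scoped to one bucket and lints a policy document for the over-broad grants a reviewer looks for: `Resource: "*"`, wildcard actions, and `s3:DeleteObject`, which the requirement does not include.

```python
"""Added example: least-privilege policy for EC2toS3IAMRole plus a small
policy linter. Bucket name is assumed; nothing here is the note's own code."""
import json

BUCKET = "aui2-app-documents"  # assumed bucket name, not given in the note


def ec2_to_s3_policy(bucket: str) -> dict:
    """List/Read/Write on objects, limited to one bucket.

    s3:ListBucket is a bucket-level action, so it targets the bucket ARN;
    the object actions target bucket/* only.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThisBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Sid": "ObjectReadWriteOnlyThisBucket",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return human-readable findings for Allow statements that grant too much."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' grants access to every bucket in the account")
        for act in actions:
            if act == "*" or act.endswith(":*"):
                findings.append(f"{sid}: wildcard action {act}")
            elif act == "s3:DeleteObject":
                findings.append(f"{sid}: s3:DeleteObject is not part of the List/Read/Write requirement")
    return findings


# What the visual editor emits when Resource is left unrestricted and
# "Write" is ticked as a whole (constructed sample, for comparison).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    print(json.dumps(ec2_to_s3_policy(BUCKET), indent=2))
    print("scoped policy findings:", lint_policy(ec2_to_s3_policy(BUCKET)))
    print("over-broad policy findings:", lint_policy(OVERBROAD_POLICY))
```

The JSON printed by `ec2_to_s3_policy` is what goes into the custom policy attached to the role; running `lint_policy` over the console-generated document before attaching it catches the `Resource: "*"` default.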
## Network

|VPC|Region|Purpose|Subnets|AZs|CIDR Range|
|-|-|-|-|-|-|
|1|US West (North California)|Headquarters|hq-public, hq-private|us-west-1|172.31.0.0/16|
|2|EU (London)|Production|eu-public, eu-private|eu-west-2|172.41.0.0/16|
|3|South America (Sao Paulo)|Production|sa-public, sa-private|sa-east-1|172.51.0.0/16|

|Subnet Name|VPC|Subnet Type (public/private)|AZ|Subnet Address|
|-|-|-|-|-|
|hq-public-1|#1|public|us-west-1|172.31.0.0/20|
|hq-private-1|#1|private|us-west-1|172.31.64.0/20|
|eu-public-1|#2|public|eu-west-2|172.41.0.0/20|
|eu-private-1|#2|private|eu-west-2|172.41.64.0/20|
|sa-public-1|#3|public|sa-east-1|172.51.0.0/20|
|sa-private-1|#3|private|sa-east-1|172.51.64.0/20|

Two caveats on the tables above. The AZ columns list region codes (`us-west-1`, `eu-west-2`, `sa-east-1`); a subnet lives in a specific Availability Zone such as `us-west-1a`, and the Multi-AZ standby in the Database Tier needs a private subnet in a second AZ of the same VPC. Also, 172.41.0.0/16 and 172.51.0.0/16 fall outside RFC 1918 space (172.16.0.0/12 ends at 172.31.255.255): AWS accepts them as VPC CIDRs, but they overlap publicly routed addresses, so blocks from 172.16.0.0/12 or 10.0.0.0/8 are the safer choice.

## Proposed Architecture Diagram

![](https://i.imgur.com/qUEcm3g.png)

## Security

|Security Group (SG)|SG Name|Rule|Source|
|-|-|-|-|
|ELB load balancer|elb-sg|???|???|
|Web Tier|web-tier-sg|Can receive requests on port 80 and 443|Anywhere|
|App Tier|app-tier-sg|Can receive requests on port 443 from the web servers; SSH only from the administrator network (not from Anywhere, which would expose the tier)|web-tier-sg + administrator network|
|Database Tier|db-tier-sg|Can receive requests on the database port (3306 for the MySQL-compatible engine listed under Additional AWS Services)|app-tier-sg|

Sources for inner tiers are given as security-group references rather than CIDRs, so the rule follows the instances when Auto Scaling replaces them. Once the elb-sg rules are filled in, the web-tier-sg source should be narrowed from Anywhere to elb-sg, so that only the load balancer can reach the web servers directly.

|Other Security Options|Justification|
|-|-|
|S3 bucket default encryption (server-side encryption)|Keeps users' files unreadable if the underlying storage or a copy of the data leaks; pair it with a bucket policy that denies non-TLS requests and unencrypted uploads|

## Design: Encryption

|Requirement|Solution|
|-|-|
|Encryption option for **data at rest**|RDS -> Enable Encryption (chosen at instance creation; an existing unencrypted instance is migrated by copying a snapshot with encryption enabled and restoring from it); S3 default bucket encryption for the document store|
|Encryption option for **data in transit**|HTTPS traffic through all layers (TLS terminated on the load balancer and used again between web and app tier; SSL/TLS on the RDS connection)|

## Instance details

|Tier|AMI|Tag|Type|Size|Justification|# of instances|
|-|-|-|-|-|-|-|
|Web|Red Hat Enterprise Linux 8 (HVM), SSD Volume Type|Key="Name" Value="web-tier"|m4|xlarge|Needs High Network Performance|6|
|App|Red Hat Enterprise Linux 8 (HVM), SSD Volume Type|Key="Name" Value="app-tier"|t2|xlarge|Meets client requirements|5|
|DB|Red Hat Enterprise Linux 8 (HVM), SSD Volume Type|N/A|m5|2xlarge|Meets client requirements|2|

The DB row's AMI applies only if the database runs on EC2; with RDS, which the Encryption and high-availability rows assume, the engine is managed and no AMI is selected (the instance class would be db.m5.2xlarge, primary plus Multi-AZ standby).

## Recovery Point Objective

**Q**: *How would you achieve a Recovery Point Objective (RPO) of four hours?*

**A**: RPO is the maximum acceptable loss of data measured in time, so the simplest way to meet it is to back up the data at least every 4 hours. Use AWS Backup with a backup plan whose schedule runs every 4 hours (a cron expression such as `cron(0 0/4 * * ? *)`). RDS automated backups additionally provide point-in-time recovery to within about five minutes of the present, which meets the same RPO with a much smaller loss window.

## Document Storage

|Storage/Archive Option|Detail|
|-|-|
|Amazon S3 Standard|For data that is frequently accessed|
|Amazon S3 Standard - Infrequent Access|For data that is less frequently accessed|

## Additional AWS Services

* Elastic Beanstalk
* RDS -> Amazon Aurora with MySQL compatibility
* Route 53

###### tags: `AUI`
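The Security table's rule set is small enough to review by hand, but the same three checks (no admin or database port open to 0.0.0.0/0, each inner tier reachable only from the tier in front of it) are worth encoding once so they run every time the rules change. The following added example is not the note's own code: it holds the tier rules as data, compares the first draft (SSH from Anywhere into the app tier) with the corrected set, and renders each rule as an `aws ec2 authorize-security-group-ingress` command. The security-group IDs, the administrator CIDR (taken as the hq-private-1 subnet) and the MySQL port 3306 are assumptions.

```python
"""Added example: three-tier security-group rules as data, a reviewer for the
exposures a security engineer flags, and a renderer to AWS CLI commands.
Group IDs, admin CIDR and the database port are assumed values."""

ANYWHERE = "0.0.0.0/0"
ADMIN_CIDR = "172.31.64.0/20"  # assumed: hq-private-1 subnet from the Network table

# Assumed IDs for the three groups named in the Security table.
GROUP_IDS = {"web-tier-sg": "sg-0aaa0001", "app-tier-sg": "sg-0bbb0002", "db-tier-sg": "sg-0ccc0003"}

# Each rule: (target security group, protocol, port, source); the source is
# either a CIDR or the name of another security group (an SG reference).
ORIGINAL_RULES = [
    ("web-tier-sg", "tcp", 80, ANYWHERE),
    ("web-tier-sg", "tcp", 443, ANYWHERE),
    ("app-tier-sg", "tcp", 443, "web-tier-sg"),
    ("app-tier-sg", "tcp", 22, ANYWHERE),        # "SSH from anywhere" as first drafted
    ("db-tier-sg", "tcp", 3306, "app-tier-sg"),  # assumed MySQL port (table said "433")
]

CORRECTED_RULES = [
    ("web-tier-sg", "tcp", 80, ANYWHERE),
    ("web-tier-sg", "tcp", 443, ANYWHERE),
    ("app-tier-sg", "tcp", 443, "web-tier-sg"),
    ("app-tier-sg", "tcp", 22, ADMIN_CIDR),      # SSH only from the admin network
    ("db-tier-sg", "tcp", 3306, "app-tier-sg"),
]

# Which group may send application traffic into each inner tier.
ALLOWED_UPSTREAM = {
    "app-tier-sg": {"web-tier-sg"},
    "db-tier-sg": {"app-tier-sg"},
}
ADMIN_PORTS = {22, 3389}
DB_PORTS = {3306, 5432, 1433, 1521}


def _is_cidr(source: str) -> bool:
    return "/" in source


def review_rules(rules) -> list:
    """Return (group, message) findings; an empty list means the set passed."""
    findings = []
    for group, _proto, port, source in rules:
        if source == ANYWHERE and port in ADMIN_PORTS:
            findings.append((group, f"admin port {port} open to {ANYWHERE}"))
        elif source == ANYWHERE and port in DB_PORTS:
            findings.append((group, f"database port {port} open to {ANYWHERE}"))
        elif (group in ALLOWED_UPSTREAM and port not in ADMIN_PORTS
              and source not in ALLOWED_UPSTREAM[group]):
            expected = sorted(ALLOWED_UPSTREAM[group])
            findings.append((group, f"port {port} reachable from {source}; expected {expected}"))
    return findings


def render_cli(rules, group_ids: dict) -> list:
    """One authorize-security-group-ingress command per rule.

    A security-group source becomes --source-group (rule follows the instances
    Auto Scaling launches); a CIDR source becomes --cidr.
    """
    cmds = []
    for group, proto, port, source in rules:
        base = (f"aws ec2 authorize-security-group-ingress --group-id {group_ids[group]} "
                f"--protocol {proto} --port {port}")
        if _is_cidr(source):
            cmds.append(f"{base} --cidr {source}")
        else:
            cmds.append(f"{base} --source-group {group_ids[source]}")
    return cmds


if __name__ == "__main__":
    print("first draft:", review_rules(ORIGINAL_RULES))
    print("corrected:", review_rules(CORRECTED_RULES))
    print("\n".join(render_cli(CORRECTED_RULES, GROUP_IDS)))
```

The rendered commands are what a practitioner would run (or translate into a template) once the group IDs are known; the review step runs before them, so a rule such as port 22 from `0.0.0.0/0` never reaches the account.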
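The Encryption table and the "S3 bucket files encryption" row both rely on S3 refusing the wrong kind of request: a plaintext HTTP call (data in transit) or an upload that does not ask for server-side encryption (data at rest). Both are enforced with a bucket policy built from two explicit `Deny` statements. The following added example (not the note's own code; bucket name and request shapes are assumptions) generates that policy and includes a small evaluator for just the `Bool` and `Null` condition operators it uses, so the statements can be checked offline before they are attached to the real bucket. The evaluator ignores `Resource` matching and the Allow side of IAM evaluation; it only answers whether one of these two Denies fires.

```python
"""Added example: S3 bucket policy enforcing TLS and server-side encryption,
plus a minimal evaluator for its Deny conditions. Bucket name is assumed."""
from typing import Optional

BUCKET = "aui2-app-documents"  # assumed bucket name


def bucket_policy(bucket: str) -> dict:
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # data in transit: any request that did not arrive over TLS is refused
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # data at rest: uploads must carry the server-side-encryption header
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _matches_action(pattern: str, action: str) -> bool:
    """IAM action patterns: exact match or a trailing '*' wildcard."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate the two operators this policy uses.

    Null/true  : the key must be ABSENT from the request context.
    Bool/value : the key must be present and equal (case-insensitive) to value.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                if (expected == "true") != (not present):
                    return False
            elif operator == "Bool":
                if not present or str(context[key]).lower() != expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def denied_by(policy: dict, action: str, context: dict) -> Optional[str]:
    """Return the Sid of the first explicit Deny that matches the request, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(_matches_action(p, action) for p in actions) and _condition_holds(stmt["Condition"], context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = bucket_policy(BUCKET)
    # Constructed request contexts, as S3 would populate the condition keys.
    tls_encrypted = {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}
    plaintext = {"aws:SecureTransport": "false", "s3:x-amz-server-side-encryption": "AES256"}
    tls_no_sse = {"aws:SecureTransport": "true"}
    print(denied_by(policy, "s3:PutObject", tls_encrypted))  # None: allowed through
    print(denied_by(policy, "s3:PutObject", plaintext))      # DenyInsecureTransport
    print(denied_by(policy, "s3:PutObject", tls_no_sse))     # DenyUnencryptedObjectUploads
    print(denied_by(policy, "s3:GetObject", tls_no_sse))     # None: the Null check is PutObject-only
```

One caveat on the second statement: the `Null` condition rejects any `PutObject` that omits the `x-amz-server-side-encryption` header, even when bucket default encryption would have encrypted the object anyway, so every client and tool writing to the bucket must set the header explicitly.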