In part one of “How Does AWS Work” series, we looked at the beginnings of cloud computing, with AWS – the pioneer of it all – leading the public cloud space. In part two, we’re going to give an overview of AWS global infrastructure – the vast network of resources that is the muscle behind the entire cloud – and demonstrate why it’s crucial to understand it properly, both for the sake of cost and security.
We’ll also cover the AWS Shared Responsibility Model and explain the role that Amazon has in protecting the cloud, as well as your responsibilities so that you can protect your environment running in it.
AWS Global Infrastructure
AWS provides great agility and near-unlimited scalability for those who need resources in the cloud. But behind that ethereal representation there is an enormous collection of real, physical hardware, and understanding how it is organized behind the scenes is instrumental when designing, securing and paying for anything that runs on the AWS cloud.
The AWS Global Infrastructure is divided into multiple regions. Each region is a separate geographical area whose power, networking and connectivity are physically and logically isolated from every other region, so a fault in one region is not supposed to propagate to another. At the time of writing there are around 20 regions around the world, covering almost every inhabited continent except Africa (with the Cape Town region announced but not yet launched).
Each region consists of two or more Availability Zones (some regions, like N. Virginia, have as many as six), which let customers achieve high availability and fault tolerance. Spreading your resources between multiple Availability Zones is always preferable to placing them in one.
Each Availability Zone contains one or more data centers with independent power, cooling and networking. The zones are located far enough apart that a failure in one of them (a natural disaster, a power outage, or a deliberate attack) is unlikely to take down the others, yet close enough that the latency between them supports synchronous replication. This is why a full regional outage is a very rare occurrence, and why a workload deployed in a single zone does not inherit that resilience.
The AWS data centers themselves are built using high-end hardware with redundant power and dedicated connectivity, and are protected by multiple layers of physical security, from camera systems and guards to various intrusion detection and prevention mechanisms. Customers never have physical access to them.
AWS Regions And Data Protection
We live in a world where data is critically important, and naturally there are many laws and compliance frameworks that regulate where and how data may be stored in order to protect it. AWS holds certifications and attestations for a wide range of these programs, and the current list of reports is published in AWS Artifact.
To meet these regulations, among other things, AWS does not move or replicate your content from the region you selected to another one unless you explicitly configure a service to do so.
For instance, all the services that replicate data to increase durability and availability do so within your region by default. When you upload an object to an S3 bucket (object-level storage), S3 Standard stores it redundantly across at least three Availability Zones, but always in the same region. Copying data to another region only happens when you set it up yourself, for example with S3 Cross-Region Replication or by copying snapshots to a second region.
When it comes to data protection laws, AWS gives you all the tools required to geofence data if needed, whether because of compliance requirements or simply as a business decision. It is, however, vital to understand how AWS and its services work in order to implement geofencing properly and not move data out of the region by mistake: an engineer with broad IAM permissions can create a bucket or launch an instance in any enabled region, and opt-in replication or snapshot copies can quietly land data elsewhere. This is especially true if your environment is not limited to a single region. The usual enforcement mechanism is a deny condition on the aws:RequestedRegion context key, applied as a Service Control Policy across the organization or in IAM policies.
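As an added example (not code from the original article or from Jatheon), the Python below builds the kind of Service Control Policy AWS documents for region geofencing, then runs a deliberately simplified evaluation of that one Deny statement against a few constructed requests. The allowed regions, the list of exempted global services and the sample requests are assumptions for illustration. The exemption matters in practice: global services such as IAM and STS report us-east-1 as their request region, so a blanket region deny without a NotAction exemption locks the organization out of identity management.

```python
"""Region geofencing with an AWS Organizations Service Control Policy (SCP).

Added example, not from the original article. The policy follows the pattern
AWS documents for denying requests outside chosen regions: one Deny on every
action whose request targets a region outside the allow-list, with the global
services exempted via NotAction because their endpoints resolve to us-east-1.
The evaluator models only that single statement, not the full IAM engine, and
the requests below are constructed test inputs.
"""
import fnmatch
import json

# Assumption: the only regions in which this organization may hold data.
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]

# Global services whose API calls carry a region (normally us-east-1) that
# will never be in a non-US allow-list. Without this exemption the Deny
# blocks IAM, STS, billing and support for every account under the policy.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*",
    "support:*", "budgets:*", "waf:*", "shield:*", "globalaccelerator:*",
    "health:*", "pricing:*", "account:*",
]


def build_region_scp(allowed_regions, exempt_actions=GLOBAL_SERVICE_ACTIONS):
    """Return the SCP document as a dict; json.dumps() it to attach via Organizations."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": list(exempt_actions),
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
            },
        }],
    }


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_denied_by_region_scp(policy, action, requested_region):
    """Simplified evaluation of the Deny statement built above.

    True means the SCP denies the request. False only means this SCP does not
    block it; an IAM identity policy must still grant the action explicitly.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # NotAction: the statement applies to every action NOT in the list.
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if requested_region not in allowed:
            return True
    return False


if __name__ == "__main__":
    scp = build_region_scp(ALLOWED_REGIONS)
    print(json.dumps(scp, indent=2))
    # Constructed requests: (API action, region the call is sent to).
    for action, region in [
        ("s3:CreateBucket", "eu-west-1"),
        ("s3:CreateBucket", "us-west-2"),        # would put data outside Europe
        ("iam:CreateUser", "us-east-1"),         # global service, exempt
        ("ec2:RunInstances", "ap-southeast-1"),  # compute outside the fence
    ]:
        verdict = "DENY" if is_denied_by_region_scp(scp, action, region) else "pass"
        print(f"{verdict:5} {action:20} {region}")
```

Two caveats when you deploy something like this for real: SCPs never apply to the management account of the organization, so data created there is not fenced, and AWS's documented version of this policy also carries an ArnNotLike condition on aws:PrincipalARN so that a named break-glass role can bypass the deny. Test any SCP in a sandbox OU first, since a mistake in the exemption list can deny the calls you need to fix it.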
Shared Responsibility Model
When it comes to compliance and security, AWS operates under the Shared Responsibility Model, which defines what AWS is responsible for and what its customers are responsible for when protecting cloud resources.
The role of AWS is to maintain the security of the cloud itself: the physical infrastructure (facilities, hardware and networking) and the virtualization layer on top of which the cloud runs. AWS is also responsible for the uptime and functionality of the managed services it provides. For example, if you run a Relational Database Service (RDS) instance, the underlying operating system and database engine are patched by Amazon within a maintenance window that you schedule; you cannot log in to the host to patch it yourself.
On the other hand, customers are responsible for configuring and managing everything in the cloud that they control. A common starting point is network access control: Security Groups (SG), which are stateful and attached to an instance or network interface, and in some cases Network Access Control Lists (NACL), which are stateless and apply to a whole subnet. Because a NACL is stateless, it needs an explicit rule for the return traffic on ephemeral ports as well, something a Security Group handles automatically.
Other things that fall under the customer's responsibility are encryption (both in transit and at rest), identity and access management (IAM users, roles and the permissions attached to them), and the data you store. Naturally, guest operating system management (patches, updates, hardening) on EC2 instances is also done by the customer, as they are the ones who create and control the instances.
Make sure you understand these roles properly, especially your own responsibilities, before you start working with AWS. Most cloud security incidents come from misconfiguration on the customer side of this line, not from failures of the underlying infrastructure.
There are many components to consider when looking at AWS Global Infrastructure, but general familiarity is crucial, both when looking to design a cloud environment and working with an existing one.
Security should always be the primary concern, and the lack of it can cost your company a lot of time and money, so make sure you understand the pieces you’re working with.
The AWS Shared Responsibility Model is an equally important consideration: you need to know exactly what you have to secure yourself, while leaving the underlying infrastructure to Amazon to take care of.
In the third and final part of this series, we’ll explore AWS Services and provide a high-level overview of the ones you’re likely to get involved with whatever your role in the cloud may be.
Jatheon Cloud is a fourth-generation, cloud-based email archiving platform that runs on AWS. To learn more about Jatheon’s cloud archive, contact us or schedule your personal demo.