Security optimize

Installing the Amazon EC2 API tools and ensuring basic security

Nick Hardiman explains the process of creating an auto-scaling group in order to ensure his web service has adequate capacity. But before downloading the needed tools from Amazon, security must be looked to.

I ran stress tests on my web service on AWS and pushed it to its limit. I now know my service can't handle enough concurrent connections. I must add more servers to handle peak load, but I don't want to pay for a big cluster of servers if they are sitting there idle.

I will define an auto-scaling group to provide more capacity if needed. An auto scaling group is one reason the word Elastic is in the name Elastic Compute Cloud (EC2). I must install the Amazon EC2 API tools and use them to create my auto-scaling. This post is focused on the client computer, rather than the server.

I must take a detour into the land of security before I can create my scaling group. Before I install the tools, I have to verify my download file, to make sure it hasn't been tampered with.

I use the PGP application GPGtools to check EC2 tools download, and I use openssl to check my GPGtools download. Here, in excruciating detail, is the procedure to make that happen and explanations of what on earth all the weird snippets of text mean.

Amazon EC2 API tools

Amazon developers have been busy adding services onto the AWS console for the last few years, but not everything is there yet. One of the original features - defining a scaling group - is not possible through the web console. It has to be done through the CLI.

The Amazon EC2 API tools are another way of managing your servers and have been around longer than the web console. The tools get you closer to the AWS system, but not so close you have to mess around with all that programmer stuff like API actions, data types, and SDKs.

Security tools

Our work has to be kept secure. The world of computer security is a place of confusing jargon, where people speak in terms of vectors of system compromise, cryptographic hash functions, digital signing and verification of message integrity. There's no avoiding the security world -- it's a hot topic in cloud computing, and rightly so. No-one wants their hard work stolen or broken.

This is difficult when you download software you don't understand, written by people you have never met, from websites you have never seen before. The trickiest bit about installing the Amazon EC2 API tools is verifying the integrity of the downloaded files. I have to use two security tools, called openssl and GPGTools.

First I use openssl to verify the GPGtools install file. This involves using a something called a checksum. Then I use GPGtools to check the fingerprint of Amazon's public key. Finally I verify the Amazon EC2 API tools install file using a digital signature. These are mathematical things that I explain later.

Keeping software inside a computer secure involves mathematics. Outside the computer, physical security is in place. We all understand physical security - everyone has been stopped by a locked door. Inside the computer is a different matter. A computer is nothing more than an overgrown calculator, so security has to be based on mathematics. Few people understand what the math functions do.

A lot of math has found its way into computer security over the years.

  • In 1978, Rivest, Shamir and Adleman published work on public key cryptography, formed the RSA company and presumably became immensely rich.
  • In 1988, the IETF published the X.509 system. Public key certificates from the X.509 system made e-commerce possible.
  • In 1991 Phil Zimmerman got a friend to post his PGP (Pretty Good Privacy) system on Usenet. PGP was such a good idea it spread around the Internet and got him in trouble with the FBI in 1993, for putting military-grade security technology in the hands of foreigners.

Security verification is not a pleasant process to go through. However, security checks are important. Letting a hacked copy of any software into your organization is not going to help your career. This process does not guarantee safety, but it does remove some risks.

Next time, I will describe some jargon and dig into the security work.

About

Nick Hardiman builds and maintains the infrastructure required to run Internet services. Nick deals with the lower layers of the Internet - the machines, networks, operating systems, and applications. Nick's job stops there, and he hands over to the ...

0 comments