盤點2020 | AWS雲上安全最佳實踐

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2020已接近尾聲，在當下快速發展的互聯網潮流中，雲計算釋放無限能力，助力企業數字化轉型，爲企業業務創新帶來新的契機，但是企業上雲之後，傳統安全邊界變得更加模糊，核心業務在雲端，使得數據可視化和安全風險洞察力都大打折扣，這給企業業務轉型的可持續發展埋下了隱患。如何才能安全無憂地暢享雲計算帶來的紅利，爲應用構建更安全可靠的防護屏障呢？本文就AWS雲上安全話題進行探討，從安全模型到最佳實踐，從安全架構規劃到系統內部加固，對企業上雲的安全部署提供系統化的全景建議，讓您更直觀地瞭解雲上安全問題，從而防患未然，構築雲上安全堡壘。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"一 雲安全概述","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"1.1 雲計算中的機遇與挑戰","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當雲計算重構IT產業的同時，也賦予了企業嶄新的增長機遇。通過充分利用雲計算的能力，企業可以釋放更多精力專注於自己的業務。雲計算極大地降低了企業的數字化轉型成本，釋放更多效能進行業務創新，雲計算爲企業業務創新帶來無限可能。但是當人們在享受使用雲計算帶來的便利的同時，雲上安全問題也不容忽視，CC*","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"、DDoS[DDoS]","attrs":{}},{"type":"text","marks":[{"type":"italic","attrs":{}}],"text":"、","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"、病毒、蠕蟲...，用戶的業務應用就像在黑暗森林中的行者，四周潛伏着看不見的野獸惡魔，稍有不慎便被惡意","attrs":{}},{"type":"text","text":"*趁虛而入，給企業帶來極大的損失。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"1.2 三問雲上安全性","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雲計算帶來了機遇與挑戰，那麼對於挑戰，我們該如何看待？","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"雲平臺安全","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當企業接入雲端，如何判斷雲平臺的安全能力？合規性是一個重要考量因素，此外建議企業還可以瞭解雲平臺是否有關於身份與訪問、網絡安全、數據保護、應用安全、可視性與智能相關的安全策略，全面客觀地評判雲平臺安全實力。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"隔離防護","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雲平臺爲多租戶模式，租戶方應該採取哪些措施或服務來達到安全的目的？該藉助哪些服務來達到等級保護的要求？","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"安全流程規範","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"儘管企業已經對雲端安全做了詳盡周密的部署，但是仍不免遭遇安全*","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"。一旦發生安全風險，雲平臺是否有一系列規範的安全響應流程來幫助企業抵禦","attrs":{}},{"type":"text","text":"*，降低安全風險？","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"帶着上面的問題，下文將從安全分類、安全模型、雲上安全最佳實踐等方面，對雲上安全進行詳細分析。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"二 雲上安全分類","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於雲計算安全帶來的挑戰，雲上安全問題大體可分爲以下四類：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"物理和基礎架構安全","attrs":{}},{"type":"text","text":"：包括雲計算環境下數據中心內服務器、交換機等軟硬件設備自身安全、數據中心架構設計層面的安全；","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"應用安全","attrs":{}},{"type":"text","text":"：在雲計算環境下的業務相關應用系統的安全管理，包括應用的設計、開發、發佈、配置和使用等方面的安全；","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"訪問控制管理","attrs":{}},{"type":"text","text":"：雲計算環境中對資源和數據的訪問權限管理，包括用戶管理、訪問權限管理、身份認證等方面；","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"數據安全","attrs":{}},{"type":"text","text":"：指客戶在雲計算環境中的業務數據自身的安全，包括收集與識別、分類與分級、訪問權限與加密等方面。","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"將雲上安全問題清晰歸類後，企業就可以針對自身安全問題有的放矢地進行優化完善。在此將詳細闡述AWS在雲端的前沿技術與產品解決方案，看AWS如何爲企業轉型賦能，幫助企業從容上雲，爲應用構建安全城堡。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"三 安全模型","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"AWS責任共擔模型強調安全性和合規性是AWS和客戶的共同責任，AWS提供基礎設施並保證其安全，用戶則負責維護自己運行其上的應用安全。在這裏不少企業用戶會存在認知誤區，認爲只要雲平臺基礎設施安全就足夠了，但事實上企業需要對雲端應用有更深入的安全掌控。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"從企業角度而言，用戶需要確保應用的安全性，及利用雲計算基礎設施的安全配置，進行雲上安全加固，例如及時更新操作系統的安全補丁、雲產品的安全策略配置。AWS的安全模型將安全下放到客戶側，更具有靈活性和可控性，有助於用戶在AWS和內部環境中掌控安全，獲得最大限度的保護。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在AWS的責任共擔模型中，人們可以更直觀地看到AWS和企業客戶的責任劃分，其中AWS負責全球基礎設施的安全及合規，客戶完全擁有和控制自己的數據，並可以根據自己的業務選擇合適的雲產品，配置更高安全策略從而提升業務安全。通過這個模型，在AWS的強大雲平臺上，企業擁有更靈活的安全產品搭配，對應用有更強的安全掌控能力，雙方共同構築了雲上安全堡壘。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/35/3530ff76c9b50374a6ff071a135ed25d.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"3.1 雲安全責任","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在瞭解了雲上安全模型後，我將對AWS安全責任和客戶安全責任做更詳細的闡述，並通過案例講解，幫助大家更深入地瞭解責任共擔模型。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"3.1.1 基礎設施安全","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在基礎設施安全方面，AWS負責保護提供的所有服務的全球基礎設施的安全。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"在高可用方面","attrs":{}},{"type":"text","text":"：AWS在全球多區域內都部署基礎資源，在同一個區域內的不同可用區也部署了基礎資源。這樣分佈式的資源部署，配合故障切換，能夠最大程度降低單可用區或單區域故障所帶來的危害性，爲基礎設施的高可用性提供了良好的保障。","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"在訪問控制方面","attrs":{}},{"type":"text","text":"：AWS全球數據中心專業的安保人員利用視頻監控、***檢測系統和其他電子方式嚴格控制各數據中心入口的物理訪問，確保數據中心人員訪問的合規性。","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"在物理安全方面","attrs":{}},{"type":"text","text":"：AWS全球數據中心均配備自動化火災探測和撲救設備，以及全年無中斷冗餘設計的電源系統，這些防護設備及高可用設計方案，能夠大大提升數據中心健壯性。","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"在事件響應方面","attrs":{}},{"type":"text","text":"：在遇到突發影響業務的事件時，AWS事件管理團隊會使用行業標準診斷程序來推進事件的解決。專業的管理團隊還會提供全天候響應服務，高效快速處理突發事件，確保基礎設施安全無虞。","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"3.1.2 基本服務安全","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"安全性不僅嵌入到 AWS 基礎設施的每一層，還嵌入到基礎設施之上的每個服務中。AWS的每個服務都提供了廣泛的安全功能，可以幫助用戶保護敏感數據和應用程序。例如，Amazon RDS for Oracle 是一種託管式數據庫服務，在該服務中，AWS 管理容器的所有層，甚至包括Oracle 數據庫平臺。針對雲上服務，AWS提供數據備份服務和恢復工具，用戶負責配置和使用與業務連續性和災難恢復 (BC/DR) 策略有關的工具。用戶通過使用AWS提供的靜態數據加密服務，或者AWS提供的對用戶有效負載的 HTTPS 封裝服務，以保障傳入和傳出該服務的數據安全。對於基本服務AWS也提供了多種有效措施來確保服務的安全性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"3.2 客戶安全責任","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"安全是相對的，且是多維度的，底層基礎設施交由AWS負責，那麼在雲上的資源配置和業務安全則需要由客戶自己來掌控。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"3.2.1 基礎服務","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"基礎服務的安全問題，涉及計算、存儲、網絡等層面，需要與具體的場景結合纔能有針對性地保障其不同側重點的安全性。例如，當業務遷移上雲時，如何保障雲上計算資源全生命週期的安全性，如何規劃雲上網絡才能確保數據傳輸安全，依靠哪些措施保障數據存儲安全。針對計算、網絡、存儲三大基礎服務，AWS提供了不同的解決方案。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"計算資源之EC2","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"\t* 服務器開通","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"服務器在開通階段，需要進行一系列安全配置，以提升系統安全等級。企業可以自主選擇多種操作，例如選擇穩定的操作系統版本、開通服務器安全防護功能、開通監控日誌服務、安全組最小化精確授權、配置快照備份策略、設置IAM訪問權限、配置服務器告警策略等。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"\t* 服務器配置","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通過一些列系統內優化加固操作，提高系統安全性，例如在系統內部使用系統默認防火牆對業務進行安全防護，調整文件打開數和進程數，優化系統內核參數，刪除系統內無效用戶，禁用超級管理員登錄，使用普通用戶切換到超級管理員操作，對業務系統日誌進行切割分級等。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"\t* 運維","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於後期服務器運維，需要企業客戶定期更新軟件系統，及時修復新暴露的軟件漏洞，定期巡檢服務器各項監控指標，企業還可以針對業務使用情況優化系統配置，並對EC2服務器進行安全測試，使用安全產品進行EC2安全加固。","attrs":{}}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"網絡安全之VPC","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於Amazon Virtual Private Cloud安全，用戶需要根據自身業務特點，結合業務網絡連通性和後期可擴展性進行綜合考慮。[和後面4.1.2 VPC規劃的分層設計內容重複]對Web應用/APP應用/DB應用進行分層設計，通過制定嚴格的網絡安全策略實現業務管控，保證安全；用戶還可以配置帶寬監控，這樣一旦網絡發現異常流量就會告警，確保企業網絡安全可用。","attrs":{}}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"存儲安全之Amazon S3","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在對象存儲安全方面，Amazon S3基於請求時間（日期條件）限制訪問，無論該請求是使用 SSL（布爾值條件）還是使用申請方的 IP 地址（IP 地址條件）發送的，都可基於申請方的客戶端應用程序（字符串條件）限制訪問。通過 SSL 加密型終端節點，安全地將數據上傳/下載到 Amazon S3，保證數據傳輸到Amazon S3的安全性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"3.2.2 託管服務","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於AWS託管服務，例如Amazon RDS具有豐富功能，可以提高關鍵生產數據庫的可靠性，包括數據庫安全組、權限、SSL 連接、自動備份、數據庫快照和多可用區部署。企業還可以選擇將數據庫實例部署在 Amazon VPC 中以享受額外的網絡隔離。","attrs":{}}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"從訪問控制層面來看，企業首次在 Amazon RDS 內創建數據庫實例時，將會創建一個主用戶賬戶，它僅在 Amazon RDS 環境中用來控制對用戶數據庫實例的訪問。同時創建數據庫子網組，這些組是用戶可能需要爲 VPC 中的 RDS 數據庫實例指定的子網集合，每個數據庫子網組應至少包含給定區域中每個可用區的一個子網，從網絡層面保證服務安全性；","attrs":{}}]}],"attrs":{}},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"終端訪問加密方面，可以使用 SSL 對應用程序和數據庫實例之間的連接進行加密，避免數據被竊取和篡改；","attrs":{}}]}],"attrs":{}},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於自動備份和數據庫快照，用戶可根據業務合理配置託管服務器的備份恢復策略，當數據遭受破壞時能輕鬆地實現數據恢復；","attrs":{}}]}],"attrs":{}},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於告警，AWS提供RDS服務，可以幫助企業全面掌握雲端應用狀況，如實例是否已關閉、備份啓動、發生故障轉移、安全組發生更改、存儲空間不足等，企業可以在第一時間發現潛在安全問題，並執行相應修復操作，提升託管服務安全性。","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"四 安全架構最佳實踐","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"4.1 訪問入口","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"4.1.1 邊界架構安全","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"AWS WAF","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"AWS WAF是一種Web應用程序防火牆，顧名思義防火牆能夠根據一些設定好的ACL規則或內置安全策略，對網絡上的安全風險進行攔截，包括SQL注入、跨站腳本、特點惡意IP訪問等安全威脅。利用AWS WAF能夠爲業務提供安全的訪問入口。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"AWS CloudFront","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Amazon CloudFront 能加快將靜態和動態 Web 內容（如 .html、.css、.js 和圖像文件）分發到用戶的速度，當出現海量網絡攻 擊情況時，可利用全球的節點輕鬆扛住海量攻 擊。不僅如此，如下圖所示，Amazon CloudFront 還可將HTTP請求重定向到HTTPS，爲應用提供強有力的安全防護入口。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ec/ec0c084066b1567faf89c3e4e11a320c.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Amazon Route53","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Amazon Route 53 作爲DNS服務器，實施的故障轉移算法不僅用於將流量路由到正常運行的終端節點，在遇到大型DDoS***時還可以起到很好的分流作用，強大的基礎設施爲用戶提供雲上安全可靠的網絡防護。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"安全接入點","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在全球網絡的衆多接入點，AWS已經配置了專業的接口通信網絡設備，可以對網絡接入點進行管理和安全檢測，從而保障了業務數據在接入點的網絡安全性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"傳輸保護","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"普通用戶可使用安全套接字層 (SSL)通過 HTTP 或 HTTPS 連接到 AWS 接入點，但對於安全需求更高的用戶，，AWS 提供Amazon Virtual Private Cloud (VPC)服務，它相當於在AWS 雲內部爲高安全需求用戶打造一張私有子網，通過 IPsec Virtual Private Network (***) 設備在 Amazon VPC 與用戶的數據中心之間建立加密隧道，從而保證業務數據在網絡傳輸中的安全可靠。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"容錯設計：","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"AWS 保障了在多個地理區域內以及在每個地理區域的多個可用區中實例和存儲數據的靈活性，通過將應用程序分佈在多個可用區從而保持彈性，高可用的容錯設計最大程度避免了災難的發生，爲用戶應用安全提供保障。 ","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"4.1.2 VPC規劃","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於Amazon Virtual Private Cloud安全，用戶需要根據自身業務特點，針對業務網絡連通性和後期可擴展性等方面進行前瞻性規劃考慮。","attrs":{}}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"高可用設計","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"AWS可以幫助企業將業務部署在不同的VPC中，VPC之間實現網絡互通，企業可以利用路由安全組和網絡ACL來控制安全，不同VPC部署在不同地域，確保業務網絡冗餘性。","attrs":{}}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"分層設計","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"考慮到業務安全性，企業可以在每個 Amazon VPC 內創建一個或多個子網，在 Amazon VPC 中啓動的每個實例均連接至一個子網。傳統的第 2 層安全性***（包括 MAC 欺騙和 ARP 欺騙）被阻斷。","attrs":{}}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"可擴展性","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"業務網絡隨着業務應用的持續發展，需要提前考慮未來可擴展性，做好網段規劃。根據IDC網絡拓撲設計雲上網段，避免在後續打隧道時發生網絡衝突，考慮到業務發展模式，建議企業儘可能採用大的網段劃分，爲未來業務預留網段，確保網絡規劃具有良好的可擴展性。","attrs":{}}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"維護性","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"企業業務上線後對VPC需要進行帶寬策略配置，監控告警配置等操作。這樣可以在第一時間發現異常流量，並進行處理。日常運維中，企業還需要根據業務動態調整VPC策略，定期巡檢以提升VPC安全。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"4.1.3 子網規劃","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"VPC的安全一部分是由子網的安全措施來保證的，爲了實施額外的網絡控制，可以通過指定子網的IP地址範圍來隔離不同的應用實例，子網規劃也需要考慮子網中雲資源的數量限制，子網的正確規劃能大大減少來自網絡內的***，及時發現網絡安全問題，防患於未然。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"4.1.4 安全組","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在應用的訪問中，AWS提供了一整套完整防火牆方案，此方案就是在各個雲資源邊界都有安全組，且強制性入站配置默認爲是拒絕所有請求，客戶需要明確允許入站流量業務所需端口，最小化精細授權訪問，從而提升網絡安全性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"4.2 系統架構","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在系統架構安全方面，企業可通過靈活使用負載均衡、業務無狀態設計、分層架構部署等手段構建安全架構。此外企業還可以將業務數據存儲在分佈式存儲中，信息數據存儲在雲產品MQ/DB中，這樣可以最大程度防患於未然，將攻 擊輕鬆化解。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"4.3 分級管理","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"4.3.1 訪問分級","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"IAM","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"無論是對雲資源的訪問還是系統的訪問，訪問憑證的安全至關重要。藉助AWS IAM，用戶可以集中對用戶、安全憑證（如密碼、訪問密鑰）進行統一管理，以及對AWS服務和資源的訪問設置控制權限策略。靈活使用IAM授權可以對應用或雲資源訪問實現分級控制，保障雲資源和訪問入口安全性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"MFA","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲進一步提高訪問的高安全性和可靠性，企業可爲賬戶中的所有用戶進行Multi-Factor Authentication (MFA)，啓用MFA後，用戶不僅要提供使用賬戶所需的密碼或訪問密鑰，還必須提供來自經過特殊配置的設備代碼，通過雙向認證確保訪問分級的安全性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"4.3.2 數據分級","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"數據KMS加密","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於數據加密問題，可藉助AWS Key Management Service (AWS KMS) 託管服務輕鬆實現。用戶可以創建和控制客戶主密鑰 (CMK)，這是用於加密數據的加密密鑰，通過使用 AWS KMS，能夠更好地控制對加密數據的訪問權限。目前用戶可以直接在應用程序中使用祕鑰管理和加密功能，也可以通過與 AWS KMS 集成的 AWS 服務使用密鑰管理和加密功能。利用KMS加密服務，能夠快捷簡單保障數據的安全性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"備份恢復","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於不同的雲資源，AWS提供對應的數據備份功能，例如EC2的快照備份如果實例出現故障，或者被***惡意訪問造成數據被篡改，或被非法加密用於勒索，可以利用快照第一時間對數據進行恢復；通過配置雲產品的備份策略，可以在業務數據發生異常時最快速度進行數據恢復。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"傳輸加密","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於訪問請求傳輸進行加密控制，AWS提供的服務對IPSec 和SSL/TLS均提供支持，以保證傳輸中數據的安全。對於客戶業務請求可以強制HTTPS訪問，企業用戶可以使用 SSL 對 API 調用進行加密，以保持業務數據的機密性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"4.4 運維管理","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"系統加固","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於系統加固，在開通EC2服務器後，除了AWS上備份監控策略外，系統內部的安全加固必不可少，用戶需定期進行補丁更新，後期運維進行定期安全巡檢，通過監控日誌告警來第一時間排查系統安全問題，通過系統加固能在系統內杜絕安全隱患。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"監控管理","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於雲上資源的使用情況，企業可以使用 AWS CloudWatch 進行監控，全方位瞭解資源利用率、運營性能和總體需求模式，並且用戶還可以設置 CloudWatch 警報，使其在超出特定閾值時通知用戶或採取其他自動化操作（例如，在 Auto Scaling 啓用時添加或 移除 EC2 實例），並可以通過分析監控信息排除隱藏的安全問題。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"日誌管理","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於雲上資源日誌， AWS CloudTrail 提供面向賬戶內的 AWS 資源所有請求的日誌，這包括監控賬號內AWS資源日誌、安全事件記錄、API調用信息，企業可通過日誌進行安全溯源。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"配置管理","attrs":{}}]}],"attrs":{}}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雲上資源統一管理就需要使用配置管理，AWS Config幫助用戶監督自己的應用程序資源。企業用戶可以隨時瞭解資源使用情況以及資源的配置方式，在資源被創建、修改或刪除時，企業能夠第一時間得到通知，輕鬆實現對雲資源的安全管控。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"五 反思","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"安全是相對的，沒有100%的安全，想要在雲上暢行無阻，需要雲廠商和用戶的共同努力。在基礎設施安全方面，雲廠商憑藉多年的深入研究和風險分析，結合自身在安全領域多年的經驗及技術積累，打造了專門針對雲上安全的產品，形成全方位的雲安全能力，爲用戶提供一站式的雲安全綜合解決方案。用戶則需要從自身業務的安全架構設計，雲資源的安全配置，系統內的安全加固，以及後期的運維管理等方面確保安全性。雲上安全，人人有責，無論採用的是哪種雲部署，用戶都要確保自己的應用在這個雲環境中安全無虞。下一代雲安全，是多方協作的。雲安全的智能化，需要雲廠商和用戶的不斷努力，共築雲上安全業務堡壘，創造無限可能。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}