Cloudar has achieved the AWS Global Security & Compliance Acceleration (GSCA) certification, underscoring our commitment to providing secure, compliant cloud solutions. For AWS users, this milestone brings several benefits, helping them streamline operations, meet compliance requirements, and ensure the highest levels of security.

About the AWS Global Security & Compliance Acceleration Program

AWS designed the GSCA program to support partners in strengthening the security and compliance of cloud environments. Through the GSCA program, we have gained access to advanced training, resources, and AWS experts, enabling us to fine-tune our security capabilities and stay ahead of ever-evolving threats.

This program emphasizes automation, governance, and continuous monitoring, empowering us to proactively address security challenges and scale securely in the cloud.

Enhanced security posture

With this certification, Cloudar can provide customers with ready-to-go security solutions, customized to fit their unique requirements. From secure infrastructure setup to automated incident response, we can ensure your workloads are protected from day one.

By adhering to AWS’s best practices, we can ensure that your infrastructure is secure by design. We leverage tools like AWS Security Hub, Amazon GuardDuty and AWS Config to provide customers with continuous threat detection, rapid incident response, and real-time insights into security events. This means your business can identify and mitigate risks before they escalate.

Regulatory compliance

Compliance is no longer an afterthought. Cloudar uses AWS-native tools to continuously monitor for regulatory compliance and offers pre-built templates to help meet industry standards, reducing the time and effort required to maintain compliance.

Whether your business operates in a heavily regulated industry like healthcare, finance, or government, the GSCA certification ensures that we can help you meet key regulatory requirements such as GDPR, HIPAA, SOC 2, and more.

Faster time-to-market:

By automating security and compliance processes such as patch management, configuration drift detection, and log monitoring, we can significantly reduce the time it takes to implement secure, compliant workloads on AWS.

Cloudar ensures that our customers can maintain a high security posture without the overhead of manual intervention. This leads to lower operational costs and more efficient resource allocation, so you can focus on innovation and growth, while we handle the complexities of cloud security.

Cloudar helps you leverage the power of AWS Security

Cloudar’s approach goes beyond simply implementing AWS’s built-in tools. We work closely with your teams to tailor solutions that fit your specific business needs, ensuring that you get the most out of the AWS cloud while keeping your data secure and compliant.

We design cloud architectures that follow AWS’s security best practices, but are customized to fit the scale, complexity, and compliance needs of your business.

Whether you’re migrating to the cloud or optimizing existing workloads, Cloudar ensures a smooth integration of AWS security services with your current operations.

But our support doesn’t stop after deployment: Cloudar continuously monitors your cloud environment, ensuring you stay compliant and secure as your business grows.

The Cloudar Difference

At Cloudar, we understand that security and compliance aren’t just checkboxes – they’re critical to building trust with your customers and staying ahead in a competitive market.

By achieving the Global Security & Compliance Acceleration on AWS, Cloudar once again proves that we are not just a partner, but a trusted ally in your cloud journey.

We provide peace of mind that your AWS workloads are not only running efficiently but are also secured against threats and aligned with the latest regulatory standards.

If you’d like to learn more about how Cloudar can enhance your cloud security and compliance, or if you’re ready to take your AWS workloads to the next level, don’t hesitate to get in touch with our team today!

The post Achievement Unlocked: Global Security & Compliance Acceleration on AWS appeared first on Cloudar.

We’re thrilled to announce that Cloudar will be attending AWS re:Invent 2024 in Las Vegas! As the biggest annual gathering for cloud enthusiasts, experts, and innovators, AWS re:Invent offers countless opportunities to learn, connect, and discover what’s new in the world of cloud technology. But with so much happening—from keynotes to hands-on labs, networking sessions to deep-dive discussions—it can sometimes feel overwhelming to navigate everything this event has to offer.

That’s why we initially developed our re:Invent Chatbot, a friendly assistant designed to make your re:Invent experience smoother and more enjoyable! While we’re excited to share the concept, due to AWS guidelines, the chatbot will not be available for use at this year’s event. However, the development of this tool still serves as a great example of how cloud-driven AI can transform the event experience.

Meet the re:Invent Chatbot – A Vision for Personalized Event Assistance

Even though the chatbot is offline for now, it’s an exciting demonstration of how technology can make large-scale events like AWS re:Invent easier to navigate. Whether you’re searching for the perfect session, need quick answers to FAQs, or just want help organizing your schedule, the chatbot was designed with the user in mind.

Here’s what the re:Invent Chatbot would have been able to do:

• Session Navigation: With hundreds of sessions happening at once, it’s easy to lose track. Our chatbot could help you quickly find sessions that match your interests or needs—just ask for recommendations, and you’d be pointed in the right direction.
• Answer FAQs: From event logistics to session details, the chatbot was equipped with a wealth of knowledge to answer questions on the fly.

Taking it Further: Imagine a Chatbot for Music Festivals

Let’s take the concept one step further. Imagine attending a large music festival with dozens of stages and hundreds of performers over a few days. It can be daunting to decide who to see and when. That’s where a Music Festival Chatbot could come in handy.

For example, you could tell the chatbot your favorite genres—let’s say you’re into electronic music, indie rock, and a bit of jazz on the side. The chatbot could take that input and instantly suggest a personalized lineup for you, complete with the times and locations of each performance. It could also help you with last-minute schedule changes or even recommend food trucks or merch stands nearby during set breaks.

Here’s what this Music Festival Chatbot could do:

• Personalized Lineup Recommendations: Based on your music preferences, the chatbot could suggest artists, DJs, or bands you might enjoy, even introducing you to new acts within your favorite genres.
• Time Schedule: Once your lineup is set, the chatbot could create a custom schedule for you which you could use throughout the event.

Just like our re:Invent Chatbot concept, this Music Festival Chatbot shows the potential of AI to personalize experiences, turning chaotic, multi-day events into seamless, curated adventures.

Why Build a Chatbot?

At Cloudar, we believe that technology should make life simpler, not more complicated. The re:Invent Chatbot embodies that philosophy. By leveraging cloud-based AI, we aimed to enhance attendees’ experiences, reducing the stress of juggling schedules or missing key moments.

Though the tool won’t be live this year, we hope it sparks inspiration for the many possibilities that cloud technologies can offer in the future. And, of course, we’ll be keeping this idea in our toolkit for future events.

Let’s Connect in Las Vegas!

We can’t wait to see you at AWS re:Invent 2024! If you’re attending, don’t hesitate to reach out—we’d love to grab a cold beer together and chat about all things cloud. Whether you want to talk about AWS, share your re:Invent experience, or discuss how tools like the re:Invent Chatbot could evolve, we’re always eager to connect.

The post Cloudar at AWS re:Invent 2024 – Your Guide to an Unforgettable Experience appeared first on Cloudar.

1 day published by ENTSOE

12 days predicted by EPPM

The Need for Advanced Forecasting

In our era of energy efficiency and cost management, accurate electricity price predictions are a game-changer. For businesses, this means optimizing operations and reducing costs. For consumers, it translates to better planning and substantial savings. EPPM employs state-of-the-art machine learning algorithms and AWS services to deliver highly accurate electricity price predictions.

How EPPM Works

EPPM utilizes a comprehensive approach, integrating various data sources and sophisticated analytical techniques to generate precise forecasts. Here’s a step-by-step breakdown of the process:

• Data Collection: Every day at 3 a.m., our system kicks off data collection using AWS Step Functions. We gather information from multiple sources, including weather data, historical energy prices, and other relevant factors, all stored in Amazon S3.

• Data Preprocessing: The raw data undergoes meticulous cleaning and processing using AWS Step Functions and AWS Lambda, ensuring consistency and reliability—the foundation for accurate predictions.

• Model Training: Every Monday, new models are trained using Amazon SageMaker with the latest datasets. Hyperparameters are optimized, and the most effective model is saved in Amazon S3 for future predictions.

• Prediction Generation: Leveraging the best-performing model, predictions are generated daily using Amazon ECS at 11 a.m. These forecasts offer a detailed view of hourly electricity prices for the upcoming weeks, saved into another S3 bucket.

• Data Delivery: The predicted data is delivered via a REST API running inside AWS ECS on a Fargate container. This API is consumed by a frontend application, also running as a Fargate container, ensuring scalability, reliability, and seamless integration. Users can select date ranges and view comprehensive graphs comparing predicted and actual prices through an intuitive interface.

Real-World Applications

The applications of EPPM are extensive. Businesses can optimize their energy consumption by scheduling energy-intensive operations during low-cost periods. Utility companies can better balance supply and demand, reducing the risk of outages. Regulatory bodies can use these insights to develop policies that promote sustainable energy practices.

Conclusion

Predicting electricity prices weeks in advance is set to revolutionize energy management. EPPM not only provides this capability but does so with exceptional precision and dependability, thanks to AWS native services. As EPPM evolves, it promises to make a significant impact on the energy sector, driving efficiency and sustainability.

Imagine a future where energy usage is perfectly optimized, leading to substantial savings and a greener planet. With EPPM, that future is within reach.

The post EPPM: Forecasting Energy Prices with Precision appeared first on Cloudar.

At Cloudar, our break room isn’t just for coffee breaks – it’s the battleground for the legendary ‘Pinball Grand Champion Cup.’  – a prestigious, though temporary, ownership. Every few months, we swap out the pinball machine, igniting a fresh round of competition. This means that every three to six months, we must ‘relearn’ a new game, which, while fun, can be a distraction from our actual (#AWSome) work. Some of us embrace the challenge as a delightful learning experience, while others simply want to know how to do multi-balls & gain extra bonusses.

Enter Claude Chatbot (aka Pinbot)

But, learning each new game can be a bit of a time sink, right? That’s where our latest creation, the Claude Chatbot on AWS, comes into play. It is a chatbot with RAG (Retrieval-Augmented Generation) capabilities. This means Claude can be loaded up with a wealth of knowledge from various sources like PDFs, YouTube videos, spreadsheets, even webpages.

Instead of loading Claude with legal texts or company manuals, I thought, “Why not make him a pinball wizard?” So, I programmed Claude to become the ultimate guide for our Teenage Mutant Ninja Turtle pinball machine. I fed it YouTube videos of expert players, detailed rule sheets, and tips on mastering the game. In just a few minutes, TMNT Pinbot was ready to roll.

Playing Like a Pro

Imagine standing in front of the pinball machine, unsure of your next move. You simply ask TMNT Pinbot, “How do I play as Michelangelo?” and within seconds, it gives you the exact shots you need to make. No more endless YouTube searches – instant answers and higher scores. This saves time, and increases revenue (or in this case; your score on a pinball game). Plus, the Pinbot can reference its sources, so you can see exactly where the tips are coming from.

Beyond Pinball: Claude’s Endless Possibilities

Sure, the Pinbot is a fun & quick gimmick, but Claude Chatbot’s potential goes far beyond gaming. Picture a world where your company’s entire knowledge base is just a question away. Need to check a guideline? Ask Claude. Trying to find a procedure buried in a mountain of documents? Claude’s got it. This isn’t just about saving time – it’s about enhancing productivity and ensuring consistency across the board; no more risky “creative” interpretations of your procedures/documentation.

Real-World Applications

Imagine a repair bot for mechanics. Instead of combing through bulletins for error code 678, a mechanic could just ask the bot and get immediate, accurate suggestions. Or think about a compliance bot that ensures all your creative marketing ideas meet company policies. No more guessing if your booth design follows the AWS logo rules – just ask the bot, and it’ll tell you.

The Future is Conversational

The Pinbot is just a fun demo, but it shows how powerful conversational interfaces can be. As we continue to refine our Claude Chatbot’s capabilities, we’re excited to see how this technology will revolutionize workplaces; From saving time to ensuring compliance. The future of work is conversational, and Cloudar is leading the charge.

Stay tuned for more use cases!

The post Meet our Pinbot Powered by Claude appeared first on Cloudar.

At Cloudar, we are always on the lookout for innovative ways to enhance our operations and provide top-notch services to our clients.

That’s why we’re excited to introduce our Claude Chatbot, an AI-powered chatbot running entirely on AWS infrastructure.

This powerful tool utilizes Aurora VectorDB, AWS Bedrock, and Claude Opus/Sonnet/Haiku to offer a customizable, efficient, and secure solution for all your chatbot needs.

Customizing Your Chatbot

One of the standout features of Claude Chatbot is its customizability. You can tailor the chatbot to meet your specific needs by uploading your own knowledge base. This makes the chatbot not only a general assistant but also an expert in your chosen domain.

• Upload Documentation: Prepare the documentation or information you want the chatbot to know. This could be anything from company policies to technical manuals.
• Train the Chatbot: Upload this documentation to the chatbot. The AI will process this information and integrate it into its knowledge base, making it a permanent part of its understanding.
• Create Custom Bots: You can create multiple bots for different purposes. For instance, at Cloudar, we have a bot specifically for internal use that contains detailed information about our company.
• Expose as API: Any custom chatbot with custom knowledge can be exposed as an API, allowing other applications to interact with it seamlessly.

Claude can support a wide range of knowledge sources, including but not limited to URLs, PDFs, Office files, text files, and even YouTube videos (links)!

Generative AI: The Core of Claude Chatbot

Claude Chatbot leverages the power of Generative AI to provide advanced capabilities that go beyond simple query responses. By using generative models, Claude can:

• Generate Detailed Responses: Craft detailed, contextually relevant responses based on the input it receives.
• Understand Nuanced Queries: Handle complex and nuanced questions with ease, providing accurate and helpful answers.
• Adapt and Learn: Continuously improve its performance based on interactions and newly uploaded knowledge.

Benefits of Using Claude Chatbot

By leveraging Claude Chatbot, you gain several advantages:

• Enhanced AI Capabilities: The Claude models (Opus, Sonnet, and Haiku) provide state-of-the-art natural language understanding and generation.
• Generative AI Power: With Generative AI at its core, Claude Chatbot can create meaningful and contextually appropriate responses, enhancing user experience.
• Data Ownership: All your data is stored within your AWS account, ensuring you retain complete control over your information.
• Easy Customization: Tailor the chatbot to your needs by uploading specific documentation, making it a valuable tool for both internal and external use.
• API Integration: Expose your custom chatbot as an API, enabling seamless interaction with other applications.
• Scalability: Running on AWS infrastructure means the chatbot can scale effortlessly with your needs, whether you’re a small startup or a large enterprise.
• Seamless Billing: All usage and charges are billed through your AWS bill. No new contracts required.

Setting Up Claude Chatbot

Deploying the Claude Chatbot is a breeze, thanks to its seamless integration with AWS. Here’s how we do it:

1. Provisioning Your AWS Account: We take care of setting up your AWS account, ensuring all necessary services are ready to go.
2. One-Click Deployment: With just one click, we deploy the full infrastructure to your AWS account, thanks to the AWS Cloud Development Kit (CDK). This includes, but is not limited to:

• Aurora VectorDB for optimized data handling
• AWS Bedrock to support AI applications
• API Gateway (APIGW) for managing API requests
• Lambda Functions for serverless compute
• S3 Buckets for scalable storage
• DynamoDB for fast and flexible NoSQL database services
• And more necessary AWS services to ensure a robust and scalable deployment

3. Aftercare and Support: Our commitment doesn’t end at deployment. We provide comprehensive aftercare and support to ensure your Claude Chatbot runs smoothly and efficiently.

Case Study: Cloudar’s Custom Chatbot

At Cloudar, we have multiple custom bots at our disposal:

• Internal Knowledge Bot: This bot is equipped with detailed information about Cloudar, assisting us in everything related to our company.
• AWS Services Bot: This bot contains comprehensive knowledge about some of the major AWS services, helping our team stay informed and up-to-date.

These custom bots have significantly improved our efficiency and reduced the time spent searching for information.

Conclusion

Claude Chatbot represents a significant step forward in AI-driven customer service and internal assistance. Its integration with AWS infrastructure makes it a robust, scalable, and secure solution. By leveraging Claude’s Generative AI capabilities and customizing the chatbot with your own knowledge base, you can transform the way you interact with your clients and team members.

Ready to get started? Let us handle the setup and deployment, and experience the future of AI-powered assistance with Claude Chatbot on your AWS account today.

The post Start Leveraging the Power of Generative AI with Our Claude Chatbot on AWS appeared first on Cloudar.

At Cloudar, we pride ourselves on being the only local Premier AWS partner in Belgium. While global system integrators (GSIs) offer their services on a massive scale, we believe that being a smaller, local player comes with unique advantages. In this post, we’ll explore the benefits of partnering with a local AWS expert like us compared to working with a large GSI.

1. Personalized Attention and Customized Solutions

Unlike larger firms where clients might feel like just another number, we provide personalized attention to each of our clients. Our team takes the time to understand your specific needs, crafting customized AWS solutions that align perfectly with your business objectives. This tailored approach ensures that your company receives the exact support it needs to thrive.

2. Agility and Flexibility

In today’s fast-paced business world, agility is key. Our smaller size allows us to make quick decisions and adapt to your needs rapidly. This flexibility extends to our service offerings, ensuring scalability that supports your business’s growth every step of the way.

3. Local Market Understanding

Our in-depth knowledge of the Belgian market sets us apart. We’re not just AWS experts; we’re experts in how AWS services can best be utilized in Belgium, considering local regulations and market trends. This local insight is invaluable for ensuring compliance and tailoring solutions that work best in our specific market environment.

4. Direct Communication and Stronger Relationships

Working with us means you’ll have direct access to our team of experts. At Cloudar we don’t work with offshoring or nearshoring. This ease of communication fosters stronger, more meaningful relationships. We’re not just a service provider; we’re a partner invested in understanding and contributing to the long-term success of your business.

5. Competitive Pricing and Cost-Effectiveness

We offer competitive pricing that challenges larger GSIs, ensuring that you receive top-notch AWS services without an exorbitant price tag. This cost-effectiveness is part of our commitment to providing value, ensuring that your investment in AWS services yields the maximum return.

6. Community Engagement and Support

As a local business, we’re deeply involved in the Belgian community. We believe in supporting local initiatives and contributing to the local economy. By choosing us, you’re not just getting an AWS partner; you’re contributing to the broader community and fostering local business ecosystem growth.

Choosing a local AWS partner like Cloudar offers a range of benefits that large global system integrators can’t match. From personalized service to local market expertise, our team is dedicated to providing the best possible AWS solutions tailored to your specific needs. If you’re looking for an AWS partner that values your business and is committed to your success, look no further. Contact us today to discuss how we can help your business thrive with AWS.

The post Shop Local appeared first on Cloudar.

At Cloudar, we’ve always believed that security should be at the heart of every cloud strategy. Our commitment to delivering top-notch cloud security solutions has led us to achieve numerous milestones, and today, we’re excited to announce our latest achievement: Cloudar has earned the prestigious AWS Security Competency!

Building on our ISO/IEC 27001 certification since 2018 and our existing AWS competencies, this accomplishment marks a significant milestone in our journey to provide the highest level of security and service to our customers. In this blog post, we’ll dive into what the AWS Security Competency means for us and, more importantly, what benefits it brings to our valued customers.

What is AWS Security Competency?

The AWS Security Competency is not just a fancy title; it’s a recognition of excellence in designing, implementing, and managing security solutions on the Amazon Web Services platform. AWS awards this competency to organizations that demonstrate exceptional proficiency in securing AWS workloads and infrastructure.

Why it matters

Expertise You Can Trust

Achieving the AWS Security Competency is a rigorous process that involves a deep evaluation of an organization’s expertise in various security domains such as identity and access management, data protection, compliance, and more.
This achievement is a seal of approval from Amazon Web Services itself.
It means that Cloudar’s team of experts possesses a comprehensive understanding of AWS security best practices, threat detection, and incident response. It signifies that we have demonstrated proficiency and skill in protecting your cloud infrastructure and data, giving you peace of mind that your assets are in capable hands.

Cutting-Edge Solutions

Our team at Cloudar stays at the forefront of security technology. Achieving the AWS Security Competency ensures that we are equipped with the latest knowledge and tools to keep your AWS environments secure from evolving threats.
Our partnership with Trend Micro played a crucial role in this accomplishment. Trend Micro is a global leader in cloud security, and our collaboration has allowed us to leverage their cutting-edge technology and expertise to enhance our security solutions. Together, we’ve created a formidable team dedicated to safeguarding our customers’ cloud environments.

Dedication to Continuous Improvement

Security is not a static field; it’s an ever-evolving landscape. To maintain this competency, Cloudar continues to invest in training and staying up-to-date with the latest security trends and technologies. We are committed to providing our customers with the most advanced security solutions available.

Proven Track Record

Our attainment of this competency underscores our extensive experience in designing, implementing, and managing secure AWS solutions.
We understand that one-size-fits-all security solutions rarely work. Cloudar’s expertise allows us to tailor security measures to your unique needs, ensuring that your AWS environment is both secure and efficient. We’ve successfully tackled complex security challenges for customers across various industries, consistently delivering exceptional results.

Benefits for our customers

Compliance Assurance

As an ISO/IEC 27001 certified company, Cloudar understands the importance of compliance.
With Cloudar’s AWS Security Competency, you can trust us to help you meet and exceed regulatory compliance requirements. Our deep understanding of AWS services ensures that your cloud infrastructure aligns with industry-specific standards, making audits and certifications a breeze.

Enhanced Security Posture

With our AWS Security Competency and other AWS competencies, you gain access to top-tier security practices and expertise.
We go above and beyond to ensure your AWS environments are fortified against potential threats and vulnerabilities, significantly reducing the risk of data breaches and disruptions.

Cost Savings

Investing in security is an investment in your business’s longevity. By preventing costly breaches and downtime, Cloudar’s expertise can save you substantial financial resources in the long run.

Increased Efficiency

Our tailored security solutions are designed to integrate seamlessly with your existing AWS environment. This ensures that security measures do not impede your operations, allowing for increased efficiency and productivity.

Peace of Mind

In the event of a security incident, Cloudar’s well-practiced incident response teams are ready to spring into action. Our proactive security measures help mitigate threats before they become major issues, minimizing downtime and data loss.
With Cloudar as your trusted AWS Security Competency partner, you can focus on growing your business, knowing that your cloud infrastructure is fortified against threats. Sleep better at night, knowing that experts are on guard.

Conclusion

Achieving the AWS Security Competency is not just an accolade for Cloudar; it’s a testament to our unwavering dedication to providing the highest level of security for our customers’ AWS environments.

We are committed to keeping your data safe, your operations efficient, and your business thriving. Your cloud’s security is our priority, and together, we’ll reach new horizons.

To learn more about how Cloudar can secure your AWS environment and help your business grow securely, contact us today and experience the difference of working with an AWS Security Competency holder!

The post Elevating cloud security to new heights: Cloudar earns AWS Security Competency! appeared first on Cloudar.

As the Internet evolved from a small interconnect between universities where every resource had a public IP address, and resources were managed based on mutual respect and consensus to the Internet as we know it today with multiple threads, risks, and shortage of IP addresses, the direct and public accessibility of all resources could no longer be sustained.

As stated in the security pillar of the Well Architected Framework, the main security principle in AWS Cloud is to create several network layers and defense in depth.

The framework states more specifically: “Do not place resources in public subnets of your VPC unless they absolutely must receive inbound network traffic from public sources” SEC05-BP01 Create network layers.

So as a best practice, cloud engineers strive to deploy their resources in private subnets whenever possible. Because of the confidential nature of these subnets, engineers had to invent ways to manage their resources in these private subnets.

2. How to Use Jump / Bastion Hosts to Manage Your Private Subnets

A solution to manage the infrastructure in your private subnets is to deploy a bastion host. Before 2018, this was the recommended way, and it was well-documented:

For Linux Workloads:
https://aws.amazon.com/solutions/implementations/linux-bastion/

For Windows Workloads:
https://aws.amazon.com/solutions/implementations/rd-gateway/

Although these solutions do solve the problem stated above (how to manage your Linux and/or Windows workloads in their private subnets), these solutions have several drawbacks:

• These solutions still need a public IP address to be associated with the virtual machines and open ports to enable remote access.
• The Linux solution is vulnerable to SSH multiplexing access.
• As with all software that is publicly accessible, they need to be strictly maintained and patched:
  • https://www.bleepingcomputer.com/news/security/remote-desktop-zero-day-bug-allows-attackers-to-hijack-sessions/
  • https://www.microsoft.com/en-us/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/
• It’s hard to capture the remote access’s metadata and/or full session logs.
• Password management and access control are needed for the management users.

Because IT is all about answering questions, we are looking for an answer to this question: ‘How can I manage my resources in private subnets in a secure, encrypted, and auditable fashion?’ Luckily, AWS came up with two solutions that answer this question.

3. AWS Systems Manager’s New Session Manager

AWS listened to the drawbacks inherent to using bastion/jump hosts and introduced the Session Manager service as a component of AWS Systems Manager. The Session Manager supports both inside AWS and on-premises:

• Windows
• Linux
• MacOS

This blog post will focus on using it with Elastic Compute Cloud (EC2) Linux instances running in AWS.

3.1 Why AWS Session Manager

Session Manager solves the problem mentioned above: to access instances within private subnets that don’t allow ingress connections from the Internet. This is made possible by the Systems Manager (SSM) agent running on the EC2 instances, which pushes traffic to the Session Manager service managed by AWS outside your EC2 environment. The configuration shown in the diagram below provides an example of how it can be configured:

As you can see in the diagram above, the client machine is outside of AWS. It accesses the internal machines over the Internet using valid user credentials for the AWS environment. To access the internal machines, the client can use several methods:

Via the AWS console, you have two-fold access:

• The AWS Systems Manager console includes access to all the Session Manager capabilities for both administrators and end users.

• The Amazon EC2 console allows end users to connect to the EC2 instances for which they have been granted session permissions.

• Via the AWS Command Line Interface (CLI): this requires the installation of the Session Manager Plugin. It is possible to restrict how users launch sessions, so you could choose only to allow them to invoke a connection via the AWS CLI if your users don’t have access to the console or the other way around.

• The Session Manager SDK consists of libraries and sample code that allows application developers to build front-end applications, such as custom shells or self-service portals for internal users that natively use Session Manager to connect to managed nodes. This allows you to integrate Session Manager into your own tooling or automation workflows.

3.2 Configuration

3.2.1 Network Considerations

As shown in the diagram above, the SSM agent actually uses HTTPS to communicate with the SSM endpoint. As such, port 22 for SSH or port 3389 for RDP are no longer required and should not be allowed as ingress traffic. To make this even more secure, we can use VPC endpoints: they use AWS PrivateLink, so traffic between the target EC2 instances and the Session Manager service does not traverse the Internet. To enable this, create these VPC endpoints in your target VPCs, replacing the region accordingly, for example, eu-west-1

Interface endpoints:

• com.amazonaws.[region].ssm

• com.amazonaws.[region].ssmmessages

• com.amazonaws.[region].ec2messages

• com.amazonaws.[region].ec2 [For Windows workloads]

Optional but recommended:

• com.amazonaws.[region].kms = To encrypt logs in CloudWatch

• com.amazonaws.[region].logs = To send logs to CloudWatch

Gateway endpoint:

• com.amazonaws.region.s3

Systems Manager uses this endpoint to update SSM Agent and to perform patching operations. Systems Manager also uses this endpoint for tasks like uploading output logs that you choose to store in S3 buckets, retrieving scripts or other files you store in buckets, and so on.

If you restrict egress networking on the EC2 machines via security groups, you should use the prefix list of the S3 gateway endpoint to send traffic to this gateway endpoint only. Here is an example of security group configuration for a tightly controlled EC2 instance:

As the interface endpoints replace the DNS addresses of the SSM services, the network traffic with the configuration listed above only flows over AWS PrivateLink. You can even further limit access to the S3 buckets that SSM uses by using the structure listed in the AWS documentation: S3 bucket list

3.2.2 EC2 Prerequisites and IAM Configuration

EC2 Prerequisites

The EC2 instance should run the Systems Manager (SSM) agent to support the Systems Manager. The Amazon Linux AMIs support the agent by default, and it can be installed manually on other Linux systems by installing the Systems Manager. The agent allows a lot more than just connecting with Session Manager. More information about its capabilities is available here. Even if you want to use it on a system that is not currently supported, you can always download the open-source code and modify it yourself. However, AWS will not support a modified version of the agent.

IAM Configuration

Each EC2 Instance must have permission to make API calls to the Session Manager Service. All necessary permissions are available in the Amazon-managed IAM policy: AmazonSSMManagedInstanceCore, and this policy should be attached to an Instance profile.

The policy listed above gives you a good baseline, but if you want to lock this down further, you can look up the information here.

Using this method to access the instances does not require any management of SSH keys. Access is only based on IAM policies since everything is managed through the Session Manager.

When configuring Session Manager access for your end-users, you can limit which instances they can access, whether it’s through the command line or the console, and if they are allowed to tunnel SSH or just use the regular Session Manager shell access.
More information about how to configure the IAM policies is available here.

Some AWS policy templates show how to restrict access to specific EC2 instances, but that will probably not be scalable if you really want to implement this for your organization.

Instead, you can refer to the templates available here to see how to configure the policies to allow access based on tags. As shown here, you will also want to ensure you add permissions for users to terminate only the sessions they started. Otherwise, a user may be able to terminate another user’s session.

3.3. Logging

3.3.1. What the AWS CloudTrail Does

Without configuring anything, AWS CloudTrail will collect basic information about sessions. When someone launches a remote access session with Session Manager, SSM will log an event named “StartSession.” This event will include a number of interesting things, such as:

• The username that launched the session
• Whether the user was authenticated with multi-factor authentication (MFA)
• The originating IP address
• The unique ID of the target EC2 instance
• The session ID

The events in CloudTrail are helpful for getting a sense of who’s logging into your instances and when it’s happening. However, it does not provide any information about what they are doing once they’ve established a session.

3.3.2. Session logs

As mentioned in the overview of AWS Session Manager, SSM uses HTTPS to establish sessions, but it is also possible to use it as a tunnel for other protocols, such as SSH or RDP. Be aware that AWS cannot provide full session logs for those connections if you use the tunneling option. The diagram below shows an example configuration for logging full session data either to CloudWatch or S3 when tunneling is not used:

The logs in CloudWatch look like this:

Next to the CloudWatch logs, logging into S3 is also possible.

Please make sure that you attach a policy to your instance profile that allows writing to the S3 bucket you configured to store your session data. The result is that you will see log files written to the specified bucket with the name of the session (the username and a unique string). The logs contain the commands typed, along with their output, which is the same as what is shown in CloudWatch.

3.4. Conclusion

The question: “How can I manage my resources in private subnets in a secure, encrypted, and auditable fashion?” is answered by using the Systems Manager Sessions Manager.

4. Instance Connect and Instance Connect Endpoint

As there are often multiple ways to reach the same goal, AWS delivers a different option to answer the same question: “How can I manage my resources in private subnets in a secure, encrypted, and auditable fashion.” This can also be solved by using Instance Connect with its newest addition: Instance Connect Endpoint

4.1. What Is Instance Connect?

The Instance Connect feature was introduced in 2019 and offers a solution to control SSH access to your instances using AWS Identity and Access Management (IAM) policies and audit connection requests with AWS CloudTrail events. In addition, you can leverage your existing SSH keys or further enhance your security posture by generating one-time use SSH keys each time an authorized user connects.

Instance Connect works with any SSH client, but you can also easily connect to your instances from the EC2 Console.

The question: “How can I manage my resources in private subnets in a secure, encrypted, and auditable fashion?” is not solved by this approach because:

• The machine still needs a public IP address.
• The connection logs cannot be stored in S3 or CloudWatch.

A few months ago, AWS introduced a new Instance Connect Endpoint feature that solves the first drawback listed above.

4.2. Instance Connect Endpoint

With the Endpoint for Instance Connect (EIC) Service, you no longer need a public IP address on your resource or any agent to connect to your resources. The Instance Connect Endpoint Service works in three ways:

• AWS Management Console
• AWS Command Line Interface (AWS CLI)
• SSH Clients like PuTTY or OpenSSH

4.2.1. Instance Connect Endpoint Features

The EIC Endpoint Service is an identity-aware TCP proxy. As described above, it has two modes:

• AWS CLI | SSH CLients
• AWS Console

The AWS CLI client is used to create a secure WebSocket tunnel from your workstation to the endpoint, where authorization happens with your AWS Identity and Access Management (IAM) credentials. When the tunnel is established, point your preferred SSH client at your loopback address (127.0.0.1 or localhost) and connect as usual.

Second, the Console gives you secure and seamless access to resources inside your VPC. Authentication and authorization are evaluated via IAM before traffic reaches the VPC. The diagram below illustrates a user connecting to an AWS EIC.

As shown above, the EIC Endpoints Service provides a high degree of flexibility.

• It doesn’t require your VPC to have direct Internet connectivity
• No agent is needed on the resource(s) you wish to connect to
• It preserves existing workflows by allowing your preferred client software to connect
• IAM and Security Groups can be used to control access

4.2.2. Instance Connect Endpoint Security and Logging

IAM

The beauty of this solution lies in the fact that access can be limited to what the user needs: EIC Endpoints Service follows the important security requirements in terms of the separation of privileges for the control plane and the data plane. An administrator with full EC2 IAM privileges can create and control EIC Endpoints (the control plane). However, the same administrator cannot use those endpoints without also having EC2 Instance Connect IAM privileges (the data plane). The DevOps Engineers who may need to use EIC Endpoint to tunnel into VPC resources do not require control-plane privileges to do so.

CloudTrail

Records of data plane connections include the IAM principal making the request, their source IP address, the requested destination IP address, and the destination port. An example of connecting to the instance from the console:

{
“eventVersion”: “1.08”,
“userIdentity”: {
“type”: “FederatedUser”,
“principalId”: “123456789:Example”,
“arn”: “arn:aws:sts::123456789:ExampleUser”,
“accountId”: “123456789”,
“accessKeyId”: “ExampleKey”,
“sessionContext”: {
“sessionIssuer”: {
“type”: “IAMExample”,
“principalId”: “ExampleID”,
“arn”: “arn:aws:iam::123456789:user/exampleuser”,
“accountId”: “123456789”,
“userName”: “exampleuser”
},
“webIdFederationData”: {},
“attributes”: {
“creationDate”: “2023-07-24T12:24:55Z”,
“mfaAuthenticated”: “true”
}
}
},
“eventTime”: “2023-07-24T13:19:22Z”,
“eventSource”: “ec2-instance-connect.amazonaws.com”,
“eventName”: “SendSSHPublicKey”,
“awsRegion”: “eu-west-1”,
“sourceIPAddress”: “123456789”,
“userAgent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0”,
“requestParameters”: {
“instanceId”: “i-123456789”,
“instanceOSUser”: “ec2-user”,
“sSHPublicKey”: “ssh-ed25519Example\n”
},
“responseElements”: {
“requestId”: “b2a9eeae-7189-4b6c-ac8a-a41e56ea1a42”,
“success”: true
},
“requestID”: “b2a9eeae-7189-4b6c-ac8a-a41e56ea1a42”,
“eventID”: “161427f7-8f1e-459a-83f1-2f54aca879ca”,
“readOnly”: false,
“eventType”: “AwsApiCall”,
“managementEvent”: true,
“recipientAccountId”: “123456789”,
“eventCategory”: “Management”,
“tlsDetails”: {
“tlsVersion”: “TLSv1.3”,
“cipherSuite”: “TLS_AES_128_GCM_SHA256”,
“clientProvidedHostHeader”: “ec2-instance-connect.eu-west-1.amazonaws.com”
},
“sessionCredentialFromConsole”: “true”
}

4.3. Connection Examples

4.3.1. Via the Console

This gives you:

As you can see, the console does not login via SSM-user but via EC2-user and with a private IP.

4.3.2 Via the AWS CLI

To connect via the AWS CLI, make sure that you have the latest AWS CLI installed. Then you can use the new ec2-instance-connect ssh command from the AWS CLI. With this new command, AWS generates ephemeral keys for you to connect to your Instance.

Note that this command requires using the OpenSSH client and the latest version of the AWS CLI. You need IAM permissions, as detailed here, to use this command and connect. You can find an example below:

4.3.3 Via SSH Clients

Create your own private key:

ssh-keygen -t rsa -f mynew_key

Use the following AWS CLI command to authorize the user and push the public key to the Instance using the send-ssh-public-key command. To support this, you need the latest version of the AWS CLI.

aws ec2-instance-connect send-ssh-public-key –region eu-west-1 –instance-id i-0123456789example –availability-zone eu-west-1a –instance-os-user ec2-user –ssh-public-key file://mynew_key.pub

This gives back:

{
“RequestId”: “9c4bf3df-799d-4f40-9e2d-cbc3ed3bbe08”,
“Success”: true
}

After authentication, the public key is made available to the Instance through the Instance metadata for 60 seconds. During this time, connect to the Instance using the associated private key:

ssh ec2-user@[INSTANCE] \
-i [SSH-KEY] \
-o ProxyCommand=’aws ec2-instance-connect open-tunnel \
–instance-id %h’

This gives back:

With this method, plain SSH clients can still be used via short-lived keys.

4.3.4 Connecting to the Windows Machines

How to connect to Windows machines is similar:

aws ec2-instance-connect open-tunnel \
–instance-id i-0123456789example \
–remote-port 3389 \
–local-port any-port

In your RDP Client, set it up like this, mark that the –local-port is set to 5555

4.4 To Sum Up Instance Connect

As shown in the blog post above, Instance Connect allows you to connect to your private resources privately and securely without needing long-lived SSH keys and/or bastion hosts.
The drawback compared to AWS Sessions Manager is that you cannot log session logs towards Amazon S3 or Amazon CloudWatch. The benefit is that you don’t need to install custom agents on your machines, which makes this solution the preferred solution for older Instances and appliances running in your AWS environment.

5. Final Conclusion

AWS provides various methods to connect to Instances, including SSH, RDP, AWS Systems Manager Session Manager, EC2 Instance Connect and Endpoint, bastion hosts, and VPN. The choice of method depends on the operating system, security requirements, network configuration, and personal preference. By leveraging these connection methods, you can securely access and manage your AWS Instances based on your specific use cases and requirements.

What questions do you have after reading this blog post? We would love to answer them!

The post Managing Instances in Private Subnets with Session Manager or Instance Connect appeared first on Cloudar.

#1 Develop a comprehensive strategy

Before deploying your applications on AWS, it is essential to establish a well-defined cybersecurity strategy. This strategy should include conducting a risk assessment, performing threat modelling, and devising a mitigation plan. Identify potential risks and vulnerabilities specific to your cloud infrastructure and implement measures to address them. This will ensure compliance with industry standards and regulations while proactively preventing cyberattacks.

#2 Become familiar with the AWS Well-Architected Framework

AWS offers abundant resources to help organizations enhance their security posture. The AWS Well-Architected Framework provides guidance for designing and operating secure and cost-effective systems in the cloud. The Framework encompasses five key pillars: operational excellence, security, reliability, performance efficiency, and cost optimization. Understanding and leveraging the Framework is key to safeguarding applications against potential cyberthreats.

#3 Implement robust security controls

Taking proactive measures to impose strong cloud security controls is crucial for organizations to secure their AWS cloud infrastructure effectively. As the responsibility falls on you to protect your cloud workloads, consider implementing security controls to minimize the risk of security breaches, including clearly defining user roles, conducting privilege audits, enforcing a strong password policy, and using multi-factor authentication (MFA). Consistent enforcement and adherence to these security controls throughout your organization are essential.

#4 Ensure easy access to security policies

Accessibility to your AWS security policies is key to promoting a culture of security within your organization. These policies should encompass access control, network security, encryption, and incident response guidelines. Making policies accessible helps everyone in your organization understand the importance of security and act in accordance with your policies.

#5 Safeguard data with encryption

Encrypting your data prevents unauthorized access and ensures its confidentiality, even if intercepted or stolen. Encryption is often mandatory for regulatory compliance. AWS provides various encryption options, including server-side encryption, client-side encryption, and transit encryption. Familiarize yourself with these options and choose the appropriate method to secure your sensitive data within your cloud environment.

#6 Back up data consistently

Regular data backups ensure data integrity and availability. In the event of cyberattacks, hardware failures, or accidental deletions, having up-to-date backups provides peace of mind and enables data recovery. The frequency of backups should be based on the criticality and volatility of your data. Regulatory requirements and business needs will determine how long the data will be retained. AWS offers various backup options, such as Amazon EBS, Amazon S3, and AWS Backup. By leveraging these options, you can store your backups in multiple regions to ensure constant protection.

#7 Stay up to date

AWS regularly releases security patches, bug fixes, and updates to address vulnerabilities and counter new threats. Keeping your AWS systems up to date maintains the security of your environment and protects against potential attacks. Take advantage of AWS’s automatic update features, such as Amazon Inspector and AWS Systems Manager, to automate patching and ensure your systems are always current. Configure notifications to receive alerts about new updates, enabling prompt action to stay ahead of security risks.

Want to optimally prepare your organization for cloud-related security threats? Get in touch with Cloudar, an official Next Generation AWS Managed Service Provider Partner.

The post Get it covered: 7 essential practices for AWS security appeared first on Cloudar.

#1 The broadest & deepest

AWS boasts the broadest and deepest capabilities for Windows of any cloud provider, with nearly twice as many Windows Server Instances compared to its closest competitor. It also offers the widest range of cloud services tailored for Microsoft technologies, seamlessly integrated within a cohesive ecosystem. This includes an array of compute, database, application, and deployment services, along with a comprehensive set of management tools, providing a solution for all your business requirements.

#2 Greater reliability & performance

With 77 Availability Zones (AZ) spread across 24 regions, the AWS Cloud guarantees that your workloads remain operational and accessible precisely when you need them. Customers can reduce their unplanned downtime by a whopping 98% by moving their Windows workloads to AWS. AWS delivers double the performance and achieved a 62% reduction in costs in comparison with the next largest cloud provider for a SQL Server workload on an EC2 R5b.8xlarge instance, according to Principled Technologies.

#3 Superior security

AWS offers a staggering 230 security, compliance, and governance services and features, five times more than its closest cloud provider counterpart. AWS also provides encryption across over a hundred distinct AWS services. By leveraging these comprehensive security offerings, customers can effectively safeguard their environments. The AWS Nitro System in EC2 instances offloads virtualization functions to dedicated hardware and software, effectively reducing the potential attack surface and ensuring minimal exposure to vulnerabilities.

#4 Cost optimization

By leveraging AWS for Windows workloads, customers benefit from accelerated growth, increased operational efficiency, and substantial long-term cost savings. According to IDC, customers can reduce their five-year cost of operations by 56% and achieve a 37% reduction in infrastructure costs. This translates to an impressive 442% return on investment (ROI) over a three-year period. Unique pricing models such as Savings Plans offer savings of up to 72% on Amazon EC2 instances, while Amazon EC2 Spot instances enable cost reductions of up to 90% for fault-tolerant workloads.

#5 Smooth migration

AWS has facilitated the seamless migration of millions of enterprises worldwide, including renowned names like Sysco, Hess, Sony DADC, Ancestry, and Expedia. With the time-tested AWS Migration Acceleration Program (MAP) methodology and the extensive expertise offered by AWS partners, customers are able to evaluate, optimize, and seamlessly shift their Windows and SQL Server workloads to AWS with minimal downtime to applications.

#6 Flexible licensing

AWS provides the broadest range of choices in the cloud for utilizing both new and existing Microsoft software licenses. With the purchase of license-included instances in Amazon Elastic Compute Cloud (Amazon EC2) or Amazon Relational Database Service (Amazon RDS), you receive fully compliant SQL Server licenses directly from AWS. You also have the flexibility to bring your existing licenses to AWS using options such as Amazon EC2 Dedicated Hosts, Amazon EC2 Dedicated Instances, or EC2 instances with default tenancy through Microsoft License Mobility via Software Assurance.

Ready to take the next step? Cloudar has unparalleled expertise in maximizing the potential of your Windows workloads on AWS. Get in touch to let us guide your way to higher performance and efficiency.

The post Unsurpassed: 6 reasons to run Microsoft Workloads on AWS appeared first on Cloudar.