Real-world architecture evolution and solutions
- 1. Copyright © CKmates. All rights reserved
Real-world architecture evolution and solutions
Camel Camel
Provide all you need
- 2. Agenda
• Hello, about me
• Architecture Design
• Maintenance
• Serverless CI/CD Work on AWS
- 3. About me
• Focused on AWS since 2012
• Handled hundreds of customers
• AWS Professional certified
- 5. Meeting discussion
• Team awareness and skill level
• Requirements, improvements or goals under consideration
• Architectural consensus (by stage)
• Responsibilities of each role, and work a role cannot take on
• Team integration and division of authority
- 6. Architecture Design Metric[1]
• Region where the main customer base is located - Area
• Service type - AP/Live Stream
• Budget/cost and reliability - Cost
• Security and network performance - ACL
• In-house maintenance capability - Ability
• Future extensibility - Scalability
(Diagram labels: Service, Security, Monitor)
- 7. The metrics give the answers
• Region choice – Region
• AWS service choice – EC2/RDS/CDN/R53/AS
• AWS service definition – EC2/AZ
• Public/Private subnet/CDN/VPN/DC/WAF/Shield – VPC
• IAM/CloudTrail/CloudWatch/Trusted Advisor – Support team
• Serverless/AS/ELB/SQS/DynamoDB – Loose Coupling
- 24. Actual architecture diagram after discussion, stage 1 (diagram: one region with two Availability Zones, each holding a public subnet and a private subnet; a security group around Amazon EC2)
- 25. The same stage 1 diagram, annotated: Performance
- 26. Architecture diagram as data grows, stage 2 (diagram: the stage 1 layout plus Amazon RDS)
- 27. The same stage 2 diagram, annotated: Loose Coupling
- 28. Architecture diagram as event attendance grows, stage 3 (diagram: the stage 2 layout plus a second Amazon EC2 instance, Elastic Load Balancing and an S3 bucket)
- 29. The same stage 3 diagram, annotated: Reliability
- 30. Architecture diagram after event metrics, stage 4 (diagram: two Amazon EC2 instances, Amazon RDS with a multi-AZ standby, an S3 bucket, a CloudFront distribution and Auto Scaling)
- 31. The same stage 4 diagram, annotated: Failover
- 33. Operations essentials
1. Identity and access management
2. Detective controls
3. Infrastructure protection
4. Data protection
5. Incident response
- 34. Operations essentials
1. Identity and access management - IAM
2. Detective controls - CloudWatch
3. Infrastructure protection - VPC/WAF/Trusted Advisor
4. Data protection - Private/DC/bastion host/AD - CloudTrail
5. Incident response - VPC Flow Logs/CLI/CloudWatch - SNS/Slack
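As an added illustration of item 5 (example code, not from the slides): a parser for the default VPC Flow Logs record format and a detection rule that flags a source whose rejected flows touch several distinct destination ports, the kind of signal one would forward from CloudWatch to SNS/Slack. The sample records, the account id and the ENI id are constructed placeholders.

```python
# Constructed sample in the default VPC Flow Logs format (not from the slides):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Account/ENI ids are placeholders.
SAMPLE_FLOW_LOG = """\
2 111111111111 eni-0placeholder 203.0.113.5 10.0.1.10 51000 22 6 1 60 1700000000 1700000060 REJECT OK
2 111111111111 eni-0placeholder 203.0.113.5 10.0.1.10 51001 3389 6 1 60 1700000001 1700000061 REJECT OK
2 111111111111 eni-0placeholder 203.0.113.5 10.0.1.10 51002 445 6 1 60 1700000002 1700000062 REJECT OK
2 111111111111 eni-0placeholder 203.0.113.5 10.0.1.10 51003 8080 6 1 60 1700000003 1700000063 REJECT OK
2 111111111111 eni-0placeholder 198.51.100.7 10.0.1.10 40000 443 6 12 3400 1700000004 1700000064 ACCEPT OK
2 111111111111 eni-0placeholder 198.51.100.7 10.0.1.10 40001 443 6 12 3400 1700000005 1700000065 ACCEPT OK
2 111111111111 eni-0placeholder 192.0.2.9 10.0.1.10 40002 80 6 1 60 1700000006 1700000066 REJECT OK
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status"]


def parse_flow_log(text):
    """Split default-format flow log lines into dicts keyed by field name."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line; skip rather than mis-assign fields
        records.append(dict(zip(FIELDS, parts)))
    return records


def rejected_port_scans(records, min_distinct_ports=3):
    """Return {srcaddr: sorted dst ports} for sources whose REJECTed flows
    reached at least min_distinct_ports distinct destination ports."""
    ports_by_src = {}
    for rec in records:
        if rec["action"] != "REJECT":
            continue
        ports_by_src.setdefault(rec["srcaddr"], set()).add(int(rec["dstport"]))
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_distinct_ports}


if __name__ == "__main__":
    # In production this result would be published to an SNS topic.
    print(rejected_port_scans(parse_flow_log(SAMPLE_FLOW_LOG)))
```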
- 35. • Identity and access management - IAM[6]
Lock away your AWS account root user access keys
Create individual IAM users
Use AWS-defined policies to assign permissions whenever possible
Use groups to assign permissions to IAM users
Grant least privilege
Use access levels to review IAM permissions
Configure a strong password policy for your users
Enable MFA for privileged users
Use roles for applications that run on Amazon EC2 instances
Delegate access by using roles instead of sharing credentials
Rotate credentials regularly
Remove unneeded credentials
Use policy conditions for extra security
- 46. • Advisory analysis tool - Trusted Advisor
Analysis in four quadrants: cost optimization / resource utilization / information security / architectural reliability
Cost Optimization / Performance / Security / Fault Tolerance
- 48. In-house maintenance capability - Business Support
7 x 24hr Business Support
• Prewarm
• Technical consulting
• System failures
• Attack and stress testing
• Usage recommendations
• RI
- 49. • Localized service - Support
Every professional services engineer holds AWS Associate and Professional architect certifications, and we commit to an SLA response time: your question is answered within the specified time with a professional response.
Consultant
- 51. Security
Console: MFA/CloudTrail/IAM (minimum)
Architecture: DC/VPC/SG (minimum)
Normal service, abnormal behavior: CDN/WAF/traffic scrubbing/BW
- 52. Security - targeted measures
Abnormal:
- CDN/R53: high reliability and fast scaling
- Defense: WAF/traffic scrubbing
Normal:
- PTVA: prevention in advance
- ArcSight log event analysis
- 55. Security - PTVA
Scanning reveals the weaknesses and hidden risks of a website or host so they can be fixed before a malicious party exploits them. Once the full scan completes, the results are delivered as a report.
- 56. Information security assessment service items
Penetration testing
• Based on the vulnerability-scan results, simulate attacks against the host's weaknesses to confirm whether each weakness is real and what its scope of impact is
• Recommended at least once a year for important systems
Advanced vulnerability scanning
• An extension of basic vulnerability scanning: manual verification is added on top of the scan results to reduce false positives
• Recommended quarterly, upgrading the basic scan to an advanced scan
Basic vulnerability scanning
• Automated tools check for common weaknesses such as unpatched software, weak password authentication and misconfigurations
• Recommended monthly; the results can be used for trend analysis, detecting new devices on the network, and discovering new weaknesses
- 57. What is vulnerability scanning?
• Vulnerability scanning is a series of steps that detect the weaknesses of an organization's information systems, evaluate whether they are real, and determine their impact
• Vulnerability scanning services are divided into:
- Basic vulnerability scanning
‣ Automated scanning tools check for common weaknesses
‣ Recommended monthly
- Advanced vulnerability scanning
‣ Manual review and verification of the relevant weaknesses to lower the false-positive rate
‣ Recommended quarterly
- 58. What is penetration testing?
• Penetration testing:
- Uses simulated attacks to test the security of information systems and networks
- Proactively analyzes potential weaknesses that could lead to system vulnerabilities
- Verifies weaknesses by actually exercising them
• Penetration testing can:
- Simulate most attackers' techniques to find system vulnerabilities
- Try to find most of the weaknesses that could be used to break in
• Penetration testing cannot:
- Find every potential or unknown weakness within the test period
• In the real world we assume an attacker has unlimited time to try to break the system
• Recommended once a year
- 59. Industry security testing standards adopted
• OSSTMM
- Test steps follow the public OSSTMM (Open Source Security Testing Methodology Manual) framework
• SANS Top 20 Internet Vulnerabilities
- References the top 20 critical security weaknesses listed by SANS, covering Windows, Unix, and other cross-platform software and network devices
• OWASP
- OWASP (Open Web Application Security Project) is an open-community non-profit organization that has long worked to improve the security of web applications and web services; this testing also references the Top 10 web weaknesses that OWASP publishes periodically
- 60. Information security assessment best practices
(Timeline chart, months n to n+12: basic vulnerability scan recommended every month; advanced vulnerability scan recommended every quarter; penetration test recommended every year)
- 64. Serverless applications
Functions are split out into application components that are easy to build, maintain, decouple and scale.
Amazon API Gateway + AWS Lambda
? + AWS Lambda + ?
- 69. Why do this?
Find Distinct People in a Video with Amazon Rekognition[11]
- 72. Difficulty
• Version MA & security
• Decentralized versions
• Deployed a lot…
• Rollback?
• Different environments (Test, Dev, Prod)
• Server trouble
- 76. Introduction: CodeCommit (Version)
• Fully Managed
• Secure store
• High Availability
• Faster Development Lifecycle
• Use Your Existing Tools
- 77. Introduction: CodeCommit (IAM by user key or credentials)
- 81. Introduction: CodePipeline (Environment)
• Rapid Delivery
• Improved Quality
• Configurable Workflow
• Get Started Fast
• Easy to Integrate
- 85. Introduction: CodeBuild (Verify integration)
• Build and Test Your Code
• Configurable Settings
• CI and Delivery Workflows
• Security and Permissions
• Monitoring
- 89. Introduction: CodeDeploy (Deploy)
• Automated Deployments
• Minimize Downtime
• Centralized Control
• Easy To Adopt
- 95. Architecture Design Metric[1]
https://d0.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf
Region where the main customer base is located (Region Choose)[2]
http://www.cloudping.info/
Service type (AWS Service)[3]
https://aws.amazon.com/tw/architecture/
Budget/cost - Cost[4]
http://calculator.s3.amazonaws.com/index.html
Security/network performance comparison table - ELB[5]
https://aws.amazon.com/tw/elasticloadbalancing/details/
- 96. Identity and access management - IAM[6]
http://docs.aws.amazon.com/zh_cn/IAM/latest/UserGuide/best-practices.html
Identity management - IAM[7]
https://www.sumologic.com/blog/amazon-web-services/security-analytics-in-aws/
Seriously, CloudWatch is useful, why not use it[8]
https://cloudpack.media/20642
Anomaly information management - VPC F&CWL[9]
https://www.sumologic.com/blog/amazon-web-services/security-analytics-in-aws/
Personal skills and management, YouTube - AWS[10]
https://www.youtube.com/watch?v=1x20FxpiTVE&t=314s
Find Distinct People in a Video with Amazon Rekognition[11]
https://aws.amazon.com/tw/blogs/ai/find-distinct-people-in-a-video-with-amazon-rekog