So let's talk about virtualized. Compute specifically, let's reiterate the cloud provider responsibilities and the cloud consumer responsibilities.
Being a cloud provider isn't a carefree life.
The cloud provider must enforce isolation. Compute processes should not see each other in the sense of compute. This means volatile memory needs to be safe from monitoring
when talking about server lists. The consumer is not supposed to be able to access the runtime environment. This means providers need to limit access to the serverless host environments and keep it to select individuals within their organization.
The provider needs to secure virtual ization infrastructure, hyper visors, air software and, like any software, it can have defects and security vulnerabilities. The host OS also needs to be patched from time to time Justus firmware for the physical host machines. Recall. We spoke about Spectra and meltdown vulnerabilities in the last module.
The provider also needs to establish a secure boot chain. The Cloud consumer has no direct control over how the base image hosting the compute gets provisioned onto the hardware.
The provider needs to make sure that the process is not vulnerable to interception and compromise. Along the way.
It would be ashamed to go through all the effort of implementing immutable images just to find out somebody modified the providers provisioning process, so back doors automatically install in all the M's and run times. This would allow that individual to compromise. The entire cloud provider needs to make sure the image is not compromised
and have preventive measures to prevent one tenant from using or compromising another tenants. Custom Image.
The Shared Responsibilities model doesn't afford a carefree life for the cloud user, either.
Take advantage of security controls. You are given to close gaps and security.
This includes establishing least privilege security settings to control who can manage virtual resource is and then who can log into the different compute environments. We talked about restricting interactive Loggins for mutable images, but I'm realistic enough to know you probably don't apply this practice in all circumstances. It does no good to have a hard and VM
with all the latest and greatest security patches
and so forth. But the root account is called admin and has a password of admin. You're leaving yourself unnecessarily vulnerable.
Monitoring and logging is also different in the cloud, but it's very important you have these in place cloud providers, often equipped with good monitoring for the cloud resource is. But what you have available on your VM containers and serve Earless is very different. Operate with the assumption of if immorality
resource is will come and go just great in the sense that Attackers will have a limited time to work on a compromised asset.
However, it also means you won't have time to look through local system logs after a breach. In the case of Serverless, you won't even have access to the runtime environment, so your application itself will need to improve the way it logs activities.
Whether you're adopting immutable images or not, you want to have guard rails to manage the base images you work off. AWS provides a marketplace where people can post images and virtual machines that have pre installed software configurations. Many of these air great. But be aware that you are exposing yourself or supply chain to whatever vulnerabilities that Image Creator
has purposely or inadvertently left in those images.
A few years back, there was a major scandal. Numerous cloud customers were using an image that included a pre installed ssh key.
This in effect, left the back door for the individual that had the KY toe log into all of those machines. Today, there are many automated scanner solutions that you can use to examine your virtual machine images and automatically detect these kind of vulnerabilities. Be sure to use dedicated hosting when needed.
This way, you ensure no other tenant is running their compute on the host alongside your workloads.
This is more expensive, so only do it when circumstances require it.
If you feel unsure about any items, I just glossed over. Please review the prior module, which goes into each area with much more depth.
In this video, we covered cloud provider responsibilities and cloud consumer responsibilities with regards to virtualized compute.