ACM.129 Migrating website files and configuration before transferring domains
This is a continuation of my series on Automating Cybersecurity Metrics.
Before I got sidetracked with AWS SSO issues which resulted in my last post:
I had transferred some domains to a new account using Route 53 commands:
Now initially I thought I would go ahead and transfer over the websites associated with those domains. But then I started thinking about how I would transfer the files and automate the configuration — some of which I've done and some of which I have not.
As I mentioned, these websites are still functional because the NS records for the websites don't have to be in the same account where the domain name is registered.
The sites are using CloudFront and S3 buckets. These sites need to have some Route 53 configuration in the same account as the S3 bucket where the site is hosted, so I would need to set that up in the new account to transfer the files.
Also, the website files from the old account need to be transferred or copied into the new S3 buckets. I should set up the buckets and move over the files before I move the NS records for existing sites to ensure my sites continue to function properly.
I have to consider a few things when transferring files from one S3 bucket to a bucket in a different account:
- The cost of the transfer of the files.
- What's the easiest way to transfer the files?
- Whether or not I need to encrypt the files
- Automating the transfer and the resulting configuration
- Where should I back up the files in my new structure?
Cost of transferring files
It looks like if I transfer the sites to the new account in the same region I shouldn't incur any fees:
Also, the first 100 GB per month transferred to the Internet is free. I don't think I have that much data but will have to double check that.
Data transferred out to the Internet over and above that would incur a fee:
But in this case I'm transferring to another AWS region, so I'd need to determine what region I'm transferring to and the amount over 100 GB. In my case, it's not that much so the fees should be minimal.
Commands to transfer the files between S3 buckets
This page has the commands to copy or sync the files to another account and region:
aws s3 cp s3://DOC-EXAMPLE-BUCKET-SOURCE/ s3://DOC-EXAMPLE-BUCKET-TARGET/ --recursive --source-region SOURCE-REGION-NAME --region DESTINATION-REGION-NAME
aws s3 sync s3://DOC-EXAMPLE-BUCKET-SOURCE/ s3://DOC-EXAMPLE-BUCKET-TARGET/ --source-region SOURCE-REGION-NAME --region DESTINATION-REGION-NAME
In this case, I want to copy the files because I'm going to close the account where the sites currently exist.
Encryption
For the websites, the files will not be encrypted, since they need to be accessible from the Internet. For other files I would want to make sure that I have a KMS encryption key set up in order to back up the files. I can enforce encryption on the bucket using a specific key, and I would need to grant cross-account access to the key to sync the files. For now we'll just deal with the website files which don't need encryption.
Automation
For automation, I would want to automate the following, all of which will be covered in future posts:
- NS records
- SSL certificates
- Creation of S3 bucket
- CloudFront configuration
- File transfer
- S3 replication for backup purposes
Backups
I'd like my backups to go to a separate account with limited permissions. I always tell customers that they should not use day-to-day credentials for backups. I can create a backup account and permissions for a resource in that account to access and replicate the files to the backup account. I would want to limit who has access to create users or change permissions in the backup account.
The following documentation explains how to create cross-account replication for an S3 bucket. I should probably set that up first so that as files are copied over, the backups are automatically generated.
All that's a lot more work than I initially considered. As I think through the automation, it seems like the batch job code that I want to write may actually help me automate and migrate some of this data. I'm going to move back to setting up the NS record for my new batch job authentication flow first. Then I can create reusable templates for all of this and proceed with the transfer.
Once again I'm using the principle of abstraction to move common functionality to a single code base to limit the amount of work I'll have to do in the long run, and hopefully I can implement a more secure and robust architecture in the process.
Follow for updates.
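As an added example (not from the original post or the AWS documentation it links to), this is what a least-privilege bucket policy on the destination bucket in the backup account could look like, so that only the replication role from the source account can write replicated copies and day-to-day credentials in either account get nothing from it. The account ID 111111111111, the role name s3-site-replication-role and the bucket name EXAMPLE-BACKUP-BUCKET are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlySourceAccountReplicationRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/s3-site-replication-role"
      },
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BACKUP-BUCKET/*"
    }
  ]
}
```

The s3:ObjectOwnerOverrideToBucketOwner action lets the backup account take ownership of the replicated objects, which matters when the source account is later closed; no s3:PutObject or s3:* grant is needed for replication, so none is given.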
Teri Radichel
© 2nd Sight Lab 2023