
My company and I intend to start using EC2 for distributing some CPU-intensive pieces of code, involving a few tens of GB of data; however, I have some concerns about the protection of the intellectual property which the code holds (and, to a much lesser degree, the data too).

At least for the code, I figured I could go several ways with this:

  1. Create an AMI with an encrypted filesystem inside, then launch many instances out of it.
  2. Same thing, just with an EBS filesystem (not sure if I can even do this with many instances).
  3. Create the filesystem on S3 and mount it from there via s3fs.

Which way is preferable? (Important note: the code and data are not supposed to change, so I have no problem mounting things read-only.)

Andrew Gaul
itai
  • Amazon's not going to steal your intellectual property. – ceejayoz Aug 14 '12 at 15:58
  • Well, that's like... your opinion, man :). The threat is more like a rogue employee there or a hacker. Anyway, it's not really an option for me. – itai Aug 15 '12 at 07:20
  • @itai: Be sure you know what you are protecting yourself against. Drive encryption helps against somebody mounting your drive somewhere else. Certainly not against non-Amazon hackers. And certainly not against Amazon rogue employees who can access your system while mounted. It would protect against someone physically taking the disk and mounting it in their own computer - except that isn't possible with EC2 as there is no physical disk. So the only protection you'd get is against a rogue employee who can't log in to your instance but can mount the EBS volume - no idea whether that exists. – Cookie Nov 30 '12 at 08:43

4 Answers

I suggest doing some tests with s3fs and other tools you could use to browse the S3 buckets. In my test of s3fs vs. the S3 explorer in the AWS console, the s3fs folders and files were not displayed correctly. s3cmd vs. s3fs: same problem. s3cmd vs. the S3 explorer in the console: no problem.

Since I do synchronisation for backup, I went with s3cmd.

/my 2 cents


If you want to share the filesystem between instances, option 2 is out because you can't do that with EBS. Option 1 is preferable in terms of the performance you get (local filesystem), but option 3 would be more convenient (less setup).

In particular, you could layer something like encfs on top of s3fs. Note that if you're really paranoid about this, you'll have to go with option 1 because you would presumably want everything encrypted, in particular swap.

Lars Kotthoff
  • I was thinking about the setup as well... How bad will the performance be using S3? (If it's through HTTP, obviously it would be a few orders of magnitude slower, but maybe there's another option?) – itai Aug 15 '12 at 07:27
  • If you want no unencrypted data touching the disk, then you won't be able to do any caching, i.e. everything is pulled directly from S3. If the bandwidth you need is higher than the bandwidth to S3 (roughly like a 100 Mbit network interface in my experience), then performance will suffer. – Lars Kotthoff Aug 15 '12 at 08:10
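The layering this answer describes (EncFS on top of a read-only s3fs mount, with no local cache so plaintext never touches disk), as an added example that is not code from the thread. It assumes s3fs and encfs are installed, an s3fs credentials file exists, and the EncFS root in the bucket was created beforehand; the bucket, mount points and passphrase are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): ciphertext lives in S3 via s3fs,
# EncFS decrypts it into a second mount point, and both layers are read-only.
set -eu

# s3fs options: read-only, credentials from a file, private permissions.
# No use_cache=<dir> is passed, so s3fs keeps no copy of objects on local disk
# (every read goes to S3, which is the performance cost noted in the comments).
s3fs_opts() {
    passwd_file="$1"
    printf 'ro,passwd_file=%s,umask=0077' "$passwd_file"
}

# Check /proc/mounts (Linux) for a mount at $1 whose options include "ro".
is_mounted_ro() {
    mnt="$1"
    awk -v m="$mnt" '
        $2 == m { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit found ? 0 : 1 }' /proc/mounts
}

# Mount the ciphertext bucket, then the EncFS plaintext view on top of it.
# Passphrase is read by encfs from stdin (-S), so it never appears in argv.
mount_layers() {
    bucket="$1"; cipher_mnt="$2"; plain_mnt="$3"; passwd_file="$4"
    mkdir -p "$cipher_mnt" "$plain_mnt"
    s3fs "$bucket" "$cipher_mnt" -o "$(s3fs_opts "$passwd_file")"
    # -o ro makes EncFS refuse writes even if the lower layer were writable.
    encfs -S -o ro "$cipher_mnt" "$plain_mnt"
    if ! is_mounted_ro "$plain_mnt"; then
        echo "plaintext mount $plain_mnt is not read-only" >&2
        exit 1
    fi
}

# Usage: script BUCKET CIPHER_DIR PLAIN_DIR PASSWD_FILE < passphrase
if [ "$#" -eq 4 ]; then
    mount_layers "$@"
fi
```

Swap is not covered here: as the answer says, a box that must never spill plaintext to disk also needs encrypted or disabled swap.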

If your application can be tweaked to talk to S3 directly, S3 can manage encryption/decryption transparently; see this -- http://aws.typepad.com/aws/2011/10/new-amazon-s3-server-side-encryption.html and here -- http://aws.amazon.com/s3/faqs/#What_options_do_I_have_for_encrypting_data_stored_on_Amazon_S3

s3fs should also work 'transparently' but I could be wrong.

Chida

Amazon now offers the expensive but efficient EFS.

I haven't tried it yet, I only use a bit of s3fs, but it looks like a good answer for needs like yours.

EFS is better for large files than s3fs.

See this post for a better idea of what it offers:
https://stackoverflow.com/questions/29575877/aws-efs-vs-ebs-vs-s3-differences-when-to-use

Balmipour