Certified Security - Specialty

Sign Up Free or Log In to participate!

Differences between Container and Abstracted services

What’s the main differences between these two services? In both of then, AWS is responsible for managing the OS, the infrastructure, etc, etc. But, how can I know if the service is one or other?

3 Answers

This is a pretty good blog on that: https://aws.amazon.com/blogs/architecture/compute-abstractions-on-aws-a-visual-story/

I think of abstracted services as AWS managed tools for a given service – i.e. Dynamo DB, S3.  Where basically the customer is mainly responsible for their just their data and how to protect the data (encryption settings).    

Container services are less abstract.  RDS is an example, the DB runs essentially runs on an EC2 that AWS manages EVERYTHING about that instance.  AWS manages the underlying infrastructure. But as a user of the service, you have more flexibility (and responsibility) in how you use it things like VPC, network settings, SG/NACLs, backup options etc.  So while the RDS is virtual, its really inst abstract, its just a database contained on a specialized instance.

I also found this confusing. "Container services" is mentioned on pp.5,6,9 of https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf The phrase is unfortunate because in 2019 most of us understand container service to mean something completely different.

I interpret "container services" to be something between IaaS and a fully managed PaaS. Services in which you are aware of the EC2 instances under the covers, have some ability to configure them, and may even be able to ssh into them (in the case of EB).

Hi All, 

I agree that the terminology that they used is pretty misleading here. 

What they call "Infrastructure" services are EC2, ELB, VPC etc and you have the freedom to set these up as you wish and configure them to be as secure or insecure as you wish/dare. You’ll also need to ensure the services you build are redundant and scalable. – These kind of services are also known as Infrastructure As A Service (IAAS) and a lot of the responsibility is on you.

At the other end of the scale, they have "Abstracted services" like DynamoDB, S3, SES, SQS, these are all services which you can subscribe to, and where you can only access them using the endpoint, or AWS API. You cannot log into the underlying Operating System on which these services are running… and you only have a small set of configuration options that AWS allows you access to. AWS manage all of the durability, recovery, scalability of these services on your behalf as well as the security profile of the service itself (although if you go in and make your own s3 buckets public that it is your own lookout!) – These kind of services are often called Software As A Service (SAAS).

Then they have what they call "Container services" which is something in between "Infrastructure" and "Abstracted", and in my mind this relates to services which are ultimately installed on EC2 instances, but you don’t need to bother about maintaining the operating system yourself. 

The two examples they give are RDS – for which you cannot administer the operating system at all, they always do that for you…. however you do need to be aware that the underlying OS is running on an EC2 instance, because you’ll need to select the correct instance size for your workload when you launch the database. After that, AWS will take care of things… from time to time there will be a security update or new database version released, but you will get to choose when you want these updates to be installed and AWS will handle the rest. If you decide to use replication or go multi-AZ, AWS will handle the setup and configuration of that, you don’t need to worry about the underlying configuration.

With Elastic Map Reduce however, you do get the option to either have AWS administer the underlying Operating System for you , or you can do it yourself. – A lot of users simply want the element of control with EMR, because a lot of the settings that you would want to tweak in an EMR cluster are within the Operating System and to really tailor the platform you your application needs, you’re going to need admin access…. And these kind of services are often called Platform As A Service (PAAS)

I hope that helps, but don’t get too hung up on the weird terminology, you will not see that terminology in the exam…it might help to consider the following: 

Imagine you have installed a MySQL database on an EC2 instance. What sort of tasks would you need to do in order to ensure that your database is secure and not vulnerable to attack? And what is AWS going to take responsibility for? 

Now ask the same questions of a MySQL database you have launched using RDS? What is AWS going to do to ensure that platform is secure and what are you going to do? 

Now ask the same question of a DynamoDB table – what do you need to do? and what will AWS do? 


Adiel Ribeiro

Many thank’s all and Faye! My points about my question: abstracted, AWS abstracts the platform and the management layer, you work with AWS to manage the service, like user creation, it’s made in IAM. Container, AWS offers and management layer for the administration of the service, like user creation, that is not made at IAM, it’s made on the service. Just remembering, I hadn’t this kind of question in my exam.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?