Certified Security - Specialty


Does hypervisor sit at the firewall layer?

The video (4:43) shows a diagram depicting the firewall and hypervisor layers as distinct and separate. Yet, it was mentioned in the same video that the hypervisor and firewall reside in the same layer. Can someone please provide additional insight? Thank you.

1 Answer

Hi Sect2249,

I spent most part of my morning trying to find the answer to this question and this is what I’ve found:
The image in question (and this whole lecture's content) actually comes from the 2017 AWS Security whitepaper. It also appears in the book AWS Certified SysOps Administrator Official Study Guide by Stephen Cole et al.
In the article it states:

"Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. Amazon is active in the Xen community, which provides awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance’s virtual interface. All packets must pass through this layer, thus an instance’s neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms.

Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically resets every block of storage used by the customer, so that one customer’s data is never unintentionally exposed to another. In addition, memory allocated to guests is scrubbed (set to zero) by the hypervisor when it is unallocated to a guest. The memory is not returned to the pool of free memory available for new allocations until the memory scrubbing is complete. 

AWS recommends customers further protect their data using appropriate means. One common solution is to run an encrypted file system on top of the virtualized disk device."

From the above quote, the relevant information is "the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, thus an instance's neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts." So I'm going to assume that the hypervisor layer in this diagram is actually supposed to encompass the firewall layer, security group layer and virtual interface layer.


Cheers,


Julian
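The quoted whitepaper passage makes a concrete claim: because every packet bound for an instance passes through the filter in the hypervisor layer, a co-resident instance is evaluated exactly like any Internet host. The following Python model, added here as an illustration and not taken from the course or from AWS, shows that property. It is a deliberately stateless simplification of security-group semantics (real security groups are stateful); the rule set, instance address and sample packets are all constructed, and the `same_physical_host` flag exists only to show that the filter never consults it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule, in the style of a security-group entry (model only)."""
    protocol: str                   # "tcp" or "udp"
    port: int                       # destination port
    source: ipaddress.IPv4Network   # permitted source range


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    protocol: str
    dport: int
    same_physical_host: bool        # sender is a co-resident instance (informational only)


def hypervisor_filter(rules: Iterable[Rule], pkt: Packet) -> bool:
    """Decide whether a packet arriving at the physical NIC may reach the instance's
    virtual interface.

    Default is deny: a packet passes only if some rule matches protocol, port and
    source address. `same_physical_host` is deliberately not consulted, so a
    neighbour on the same host gets no more access than a host on the Internet.
    """
    return any(
        r.protocol == pkt.protocol and r.port == pkt.dport and pkt.src in r.source
        for r in rules
    )


def evaluate(rules: Iterable[Rule], packets: Iterable[Packet]) -> List[Tuple[Packet, str]]:
    """Run every packet through the filter and label it ALLOW or DROP."""
    rules = list(rules)
    return [(p, "ALLOW" if hypervisor_filter(rules, p) else "DROP") for p in packets]


# Constructed rule set: HTTPS from anywhere, SSH only from one admin range.
INSTANCE_IP = ipaddress.IPv4Address("10.0.1.20")
RULES = [
    Rule("tcp", 443, ipaddress.IPv4Network("0.0.0.0/0")),
    Rule("tcp", 22, ipaddress.IPv4Network("203.0.113.0/24")),
]

# Constructed traffic: the same ports tried from an Internet client and from a
# neighbour instance on the same physical host.
SAMPLE_PACKETS = [
    Packet(ipaddress.IPv4Address("198.51.100.7"), INSTANCE_IP, "tcp", 443, same_physical_host=False),
    Packet(ipaddress.IPv4Address("10.0.1.21"), INSTANCE_IP, "tcp", 443, same_physical_host=True),
    Packet(ipaddress.IPv4Address("10.0.1.21"), INSTANCE_IP, "tcp", 22, same_physical_host=True),
    Packet(ipaddress.IPv4Address("198.51.100.7"), INSTANCE_IP, "tcp", 22, same_physical_host=False),
    Packet(ipaddress.IPv4Address("203.0.113.9"), INSTANCE_IP, "tcp", 22, same_physical_host=False),
]


def decisions() -> List[str]:
    """Verdicts for SAMPLE_PACKETS in order."""
    return [verdict for _, verdict in evaluate(RULES, SAMPLE_PACKETS)]


if __name__ == "__main__":
    for pkt, verdict in evaluate(RULES, SAMPLE_PACKETS):
        where = "same host" if pkt.same_physical_host else "remote"
        print(f"{verdict:5} {pkt.protocol}/{pkt.dport} from {pkt.src} ({where})")
```

Running it shows the neighbour's HTTPS packet allowed and its SSH packet dropped for exactly the same reason as the Internet client's: the decision depends only on the rules, never on physical co-location.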
