Your Future with Cloud Computing - Dr. Werner Vogels - AWS Summit 2012 Australia

Your Future with Cloud Computing Dr. Werner Vogels CTO, Amazon.com

AWS Global Infrastructure GovCloud US West US West US East South America EU Asia Pacific Asia(US ITAR Region)(Northern California) (Oregon) (Northern Virginia) (Sao Paulo) (Ireland) (Singapore) Pacific (Tokyo) AWS Regions AWS Edge Locations

Powering the Most Popular Internet Businesses

Trusted by Enterprises

And Government Agencies

Partner EcosystemSystem Integrators Independent Software Vendors

What Enterprises are Running on AWS Business Applications Web Applications Big Data & High Performance Computing Disaster Recovery & Archive

What Analysts are Saying about AWSInfrastructure-as-a-Service Leader in 2011 Gartner IaaS Leader in 2011 Forrester Market Share Leader Magic Quadrant Hadoop Wave

The Scale of AWS: Amazon S3 Growth Peak Requests: 650,000+ per secondTotal Number of Objects Stored in Amazon S3

The Scale of AWS: Amazon S3 Growth Peak Requests: 650,000+ 762 Billion per second Total Number of Objects Stored in Amazon S3 262 Billion 102 Billion 14 Billion 40 Billion2.9 BillionQ4 2006 Q4 2007 Q4 2008 Q4 2009 Q4 2010 Q4 2011

The Scale of AWS: Amazon S3 Growth 905 Billion Peak Requests: 650,000+ 762 Billion per second Total Number of Objects Stored in Amazon S3 262 Billion 102 Billion 14 Billion 40 Billion2.9 BillionQ4 2006 Q4 2007 Q4 2008 Q4 2009 Q4 2010 Q4 2011 Q1 2012

Our Price Reduction Philosophy Scale & Innovation… … Drive Costs Down Invest in CapitalAttract MoreCustomers Invest in Technology 19 Price Reductions Reduce Improve Prices Efficiency

AWS Platform Overview Deployment & Administration App ServicesCompute Storage Database Networking AWS Global Infrastructure

AWS Global InfrastructureSecure, redundant Cloud infrastructurefor global companies and global apps Regions Deployment & Administration Availability Zones App Services Compute Storage Database Networking Edge Locations AWS Global Infrastructure

AWS Networking ServicesExtend your enterprise infrastructure tothe AWS Cloud Amazon Virtual Private Cloud VPN to Extend Your Network Topology to AWS Deployment & Administration AWS Direct Connect Private, Dedicated Connection to AWS App Services Compute Storage Database Amazon Route 53 Networking Scalable Domain Name Service AWS Global Infrastructure

Compute ServicesScalable Linux and Windowscompute services Amazon EC2 Virtual Servers in the AWS Cloud Deployment & Administration Auto Scaling App Services Rule-driven scaling service for EC2 Compute Storage Database Amazon Elastic Load Balancing Networking Virtual load balancers for EC2 AWS Global Infrastructure

Storage ServicesScalable and Durable High Performance Cloud Storage Amazon S3 Redundant, High-Scale Object Store Deployment & Administration App Services Amazon Elastic Block Store Persistent block storage for EC2 Compute Storage Database Networking AWS Storage Gateway AWS Global Infrastructure Seamless backup of enterprise data to S3

Database ServicesScalable and Durable HighPerformance Cloud Storage Amazon DynamoDB High Performance NoSQL Database Service Amazon RDS Deployment & Administration Managed Oracle & MySQL Database Service App Services Compute Storage Database Amazon ElastiCache Managed Memecached Service Networking AWS Global Infrastructure

AWS App ServicesHighly abstracted services that Amazon CloudFrontreplace software for commonly Global Content Delivery Serviceneeded application functionality Amazon CloudSearch Managed Search Service that Automatically Scales Amazon SWF Deployment & Administration Simple Workflow Service App Services Amazon SNS Simple Notification Service Compute Storage Database Amazon SQS Networking Simple Queuing Service AWS Global Infrastructure Amazon SES Simple Transactional Email Service

Ecosystem App Services3rd party highly abstracted services that Securityreplace software for commonly needed Servicesapplication functionality… and already run on AWS Log Analysis Services Deployment & Administration Developer Services App Services BI Services Compute Storage Database Networking Test Services AWS Global Infrastructure

Deployment & Administration3rd party managed services thatreplace software for commonly AWS Ecosystemneeded application functionality … AWS Management Consoleand already run on AWS Web-based management interface Amazon Elastic MapReduce Big Data Analytics Service a Deployment & Administration AWS IAM Identity & Access Management App Services Amazon CloudWatch Automated monitoring & alerts Compute Storage Database AWS CloudFormation Networking Automated AWS resource provisioning AWS Elastic Beanstalk AWS Global Infrastructure Java & PHP App deployment & management

AWS Pace of Innovation… 82 Including: 61 AWS Oregon Region Elastic Beanstalk (Beta) Amazon SES (Beta) Including: AWS CloudFormation Amazon SNS Amazon RDS for Oracle Amazon CloudFront AWS Direct Connect Amazon Route 53 48 S3 Bucket Policies AWS GovCloud (US) Amazon ElastiCache Including: RDS Multi-AZ Support VPC Virtual Networking Amazon RDS RDS Reserved Databases VPC Dedicated Instances Amazon VPC AWS Import/Export SMS Text Notification Amazon EMR AWS IAM Beta 24 EC2 Auto Scaling AWS Singapore Region CloudFront Live Streaming AWS Tokyo Region EC2 Reserved Instances Cluster Instances for EC2 Including: SAP RDS on EC2 EC2 Elastic Load Balance Micro Instances for EC2 Amazon SimpleDB 9 Amazon Cloudfront AWS Import/Export Amazon Linux AMI SAP BO on EC2 Win Srv 2008 R2 on EC2 AWS Mngmt Console Oracle Apps on EC2 Including: Amazon EBS Win Srv 2003 VM Import Win Srv 2008 on EC2 SUSE Linux on EC2 Amazon FPS EC2 Availability Zones Amazon S3 SSE IBM Apps on EC2 VM Import for EC2 Red Hat Enterprise on EC2 EC2 Elastic IP Addresses 2007 2008 2009 2010 2011

…Continuing in 2012 15 Amazon DynamoDB in Europe Storage Gateway in South America CloudFront Live Streaming 9 Route 53 Latency Based Routing PHP and Git for Elastic Beanstalk Live Smooth Streaming for Amazon CloudFront Lowers Content Expiration CloudFront 7 RDS Increases Backup Retention Reserved Cache Nodes for Amazon ElastiCache 6 IAM Password Management AWS CloudSearch Amazon DynamoDB IAM User Access to Account Billing AWS Marketplace AWS Storage Gateway Amazon Simple Workflow Service Amazon RDS Free Trial program DynamoDB Announces BatchWriteItem Amazon RDS on Amazon VPC Amazon DynamoDB in Japan Amazon EC2 Medium Instances Feature AWS IAM Identity Federation ElastiCache in Oregon and Sao Paulo 64-bit AMI on Small & Medium AWS Elastic Beanstalk in Japan Windows Free Usage Tier Amazon S3 Lower Prices EC2 Linux Login from Console DynamoDB in Three Regions New Premium Support Features AWS CloudFormation for VPC Beanstalk Resource Permissions AWS CloudFormation in VPCNew AWS Direct Connect Locations New Osaka and Milan Edge Locations EC2, RDS, ElastiCache Lower Prices EC2 CC2 Instance in Amazon VPC January February March April

AWS Direct Connect Private secure connection to AWS AWS Cloud Bypass the public Internet AWS Direct Connect High bandwidth and predictable Internet latencyCorporate Data Center

AWS Storage Gateway Easily backup on-premises data to AWS Snapshots in S3 Amazon S3 Store snapshots in Amazon S3 for backup and disaster recovery Simple software appliance - no changes required to your on-premises architectureAWS Storage Gateway Your Data Center

Amazon Simple Workflow Service Run application workflows and business processes on AWS Amazon SWF Manage processes across Cloud, mobile and on-premises environmentsCloud Mobile On Premises Use any programming language for workflow logic

Amazon DynamoDB Non Relational (NoSQL) Database Fast & predictable performance Seamless Scalability Zero administration

Oracle Multi-AZ Replicates database updates across two Availability Zones Automatically fail over to the standby for planned maintenance and unplanned disruptions Increased durability and availabilityAvailability Zone Availability Zone

PHP & Git Deployment for AWS Beanstalk git push Elastic Beanstalk Run and manage existing PHP applications with no changes to application code PHPYour App Apache HTTP Server Provides full control over the Amazon Linux infrastructure and the software Elastic Load Balancer yourApp.elasticbeanstalk.com

SQL Server & .NET Beanstalk Fully managed Express,Web, Standard and Enterprise Editions of SQL Server 2008 R2 .NET SQL Server (Express Edition) covered Text under the free usage tier for a full year Elastic Beanstalk leverages the WindowsSQL Server 2008 R2 AMI and IIS 7.5Server Deploy using AWS Toolkit for Visual Studio

Amazon CloudSearch Fully managed search service Up and running in less than an hour Automatically scales for data and traffic Starting at less than $100 / month

AWS Marketplace Find, buy and run software running on AWS More than 250 listings at launch Sell your software or SaaS app to our hundreds of thousands of customers aws.amazon.com/marketplace

News LimitedCraige Pendleton-BrowneChief Technology Officer

Context •News Ltd runs a single enterprise CMS platform •Supporting 8 major web sites •12 different critical systems •Over 600m page impressions per month •Approximately 2400 new assets created daily34

The Challenge •Complex technology stack – development = 46 servers •All configuration and deployment manual •56 days and 6 teams to build a new environment •Impact – slow project start up – Only run one major project at a time – Lack of innovation The Challenge go from 56 days to 1 day in the cloud35

Current Status •Virtual Private Cloud configured and working •Configuration separated out and all systems packaged •Semi automated build process implemented in EC2 •2 project environments up and running in EC2 •From 56 days to 3 days semi automated36

Current Status •Developers can run up or tear down environments •Two new projects starting this month with poof of concepts in the cloud •Ability to stand up 8 distinct environments quickly •By the end of the month reduce time to 6 hours37

Where to next •An agreed corporate cloud governance model •Seamlessly integrate cloud and physical environments •Automated procedures for managing costs •Move towards a devops model •Move production to the cloud38

The Seven Transformations of Cloud Computing

A common misconception: cloud computing is only about….Saving money Doing things faster

Cloud Transforms what’s possible

Transformation 1:Distributed Architectures Made Easy High Availability

Building Distributed Architectures

Cloud Computing Makes This Easier Distributed Multi-AZ Building Blocks Loosely CoupledInfrastructure Services Process Coordination AWS Regions S3 EC2 SWF Instances DynamoDB SNS Availability Zones Elastic Load SQS RDS Balancer

Architecture Templates for Common Patterns MICROSOFT SHAREPOINTaws.amazon.com/architecture

… open source Simian Armycoming soon

Vodafone Hutchison Australia Easwaren Siva General Manager Technology Strategy & Product

VodafoneCricket LIVEAustralia Behind the Scenes Vodafone Hutchison Australia

Vodafone AustraliaVodafone Australia operated by Vodafone Hutchison Australia (VHA)2009 merger, Vodafone Australia and Hutchison 3G AustraliaOperates Vodafone, 3 Mobile and Crazy John’s brandsVHA mobile services to over 7.0 million customersShareholders operate Mobile Networks across the globe 50

Big Brother Key Learning: ‘Big Brother’ 05 No Smartphones - No Apps Environments Early days of 3G – 3 Mobile 100% 3G 3 Mobile pioneered ‘Live’ Mobile TV with ‘Live’ interactive TV can drive immense traffic towards your Portals and Content 0 200 400 600 800 16:44:23 16:45:23 16:46:23 16:47:23 16:48:23 16:49:23 16:50:23 16:51:23 16:52:23 16:53:23 16:54:23 16:55:23 16:56:23 16:57:23 16:58:23 16:59:23 17:00:23 17:01:23 17:02:23 17:03:23 17:04:23 17:05:23 17:06:23 17:07:23 17:08:23 17:09:23 17:10:23 17:11:23 17:12:23 17:13:23 17:14:23 17:15:23 17:16:23 17:17:23 17:18:23 17:19:23 17:20:23 17:21:23 17:22:23 17:23:23 17:24:23 17:25:23 17:26:23 17:27:23 17:28:23 17:29:23 17:30:23 17:31:23 17:32:23 17:33:23 17:34:23 17:35:23 17:36:23 17:37:23 17:38:23 17:39:23 17:40:23 17:41:23 17:42:23 17:43:23 17:44:23 17:45:23 17:46:23 17:47:23 17:48:23 17:49:23 17:50:23 17:51:23 17:52:23 17:53:23 17:54:23 17:55:23 17:56:23 17:57:23 17:58:23 17:59:23 18:00:23 18:01:23 18:02:23 18:03:23 18:04:23 18:05:23 18:06:23 18:07:23 18:08:23 18:09:23 18:10:23 18:11:23 18:12:23 18:13:23 18:14:23 18:15:23 18:16:23 18:17:23 18:18:23 18:19:23 18:20:23 18:21:23 18:22:23 18:23:23 18:24:23 18:25:23 18:26:23 18:27:23 18:28:23 18:29:23 18:30:23 18:31:23 18:32:23 18:33:23 18:34:23 18:35:23 18:36:23 18:37:23 18:38:23 18:39:23 18:40:23 18:41:23 18:42:23 18:43:23 18:44:23 18:45:23 18:46:23 18:47:23 18:48:23 18:49:23 18:50:23 18:51:23 18:52:23 18:53:23 18:54:23 18:55:23 18:56:23 18:57:23 18:58:23 18:59:23 19:00:23 19:01:23 19:02:23 19:03:23 19:04:23 19:05:23 19:06:23 19:07:23 19:08:23 19:09:23 19:10:23 19:11:23 19:12:23 19:13:23 19:14:23 19:15:23 19:16:23 19:17:23 19:18:23 19:19:23 19:20:23 19:21:23 19:22:23 19:23:23 19:24:23 19:25:23 19:26:23 19:27:23 19:28:23 19:29:23 19:30:23 19:31:23 19:32:23 19:33:23 19:34:23 19:35:23 19:36:23 19:37:23 19:38:23 19:39:23 19:40:23 19:41:23 19:42:23 19:43:23 19:44:23 19:45:23 19:46:23 19:47:23 19:48:23 19:49:23 19:50:23 19:51:23 19:52:23 19:53:23 19:54:23 19:55:23 19:56:23 19:57:23 19:58:23 19:59:23 20:00:23 20:01:23 20:02:23 20:03:23 20:04:23 20:05:23 20:06:23 20:07:23 20:08:23 20:09:23 20:10:23 20:11:23 20:12:23 20:13:23 20:14:23 20:15:23 20:16:23 20:17:23 20:18:23 20:19:23 20:20:23 20:21:23 20:22:23 20:23:23 20:24:23 20:25:23 20:26:23 20:27:23 20:28:23 20:29:23 20:30:23 20:31:23 20:32:23 20:33:23 20:34:23 20:35:23 20:36:23 20:37:23 20:38:23 20:39:23 20:40:23 20:41:23 20:42:23 20:43:23 20:44:23 20:45:23 20:46:23 20:47:23 20:48:23 20:49:23 20:50:23 20:51:23 20:52:23 20:53:23 20:54:23 20:55:23 20:56:23 20:57:23 20:58:23 20:59:23 21:00:23 21:01:23 21:02:23 21:03:23 21:04:23 Total Concurrent Conenctions (Sun 26th June - 16:45 -> 23:00) 21:05:23 21:06:23 21:07:23 21:08:23 21:09:23 21:10:23 21:11:23 21:12:23 21:13:23 21:14:23 21:15:23 21:16:23 21:17:23 21:18:23 21:19:23 21:20:23 21:21:23 21:22:23 21:23:23 21:24:23 21:25:23 21:26:23 21:27:23 21:28:23 21:29:23 21:30:23 21:31:23 21:32:23 21:33:23 21:34:23 21:35:23 21:36:23 21:37:23 21:38:23 21:39:23 21:40:23 21:41:23 21:42:23 21:43:23 21:44:23 21:45:23 21:46:23 21:47:23 21:48:23 21:49:23 21:50:23 21:51:23 21:52:23 21:53:23 21:54:23 21:55:23 21:56:23 21:57:23 21:58:23 21:59:23 22:00:23 22:01:23 22:02:23 22:03:23 22:04:23 22:05:23 22:06:23 22:07:23 22:08:23 22:09:23 22:10:23 22:11:23 22:12:23 22:13:23 22:14:23 22:15:23 22:16:23 22:17:23 22:18:23 22:19:23 22:20:23 22:21:23 22:22:23 22:23:23 22:24:23 22:25:23 22:26:23 22:27:23 22:28:23 22:29:23 22:30:23 22:31:23 22:32:23 22:33:23 22:34:23 22:35:23 22:36:2351 22:37:23 22:38:23 22:39:23 22:40:23 22:41:23 22:42:23 22:43:23 22:44:23 22:45:23 22:46:23 22:47:23 22:48:23 22:49:23 22:50:23 22:51:23 22:52:23 22:53:23 22:54:23 22:55:23 22:56:23 22:57:23 22:58:23 22:59:23 23:00:23

2011/12 Vodafone Cricket Live Australia iPhone and iPad App Android and Tablet App Scores and Highlights ‘Live’ Cricket TV Streaming Vodafone Viewers verdict

2011/12 Vodafone Cricket Live Australia – Some Stats Over 700K Apps downloaded Approximately 4 Million visits Over 500K streams 24.7TB iPhone streaming data for December Peak 10K Simultaneous Streams Live scores peaked at 1000 rps (Jan)

2011/12 Vodafone Cricket Live Australia – Some Stats Scores Data Requests iPhone Streaming Traffic

Cricket App - Vodafone Viewers Verdict Challenge - managing ‘peak’ load cost effectively 55

Vodafone Cricket Live Australia - Architecture 56

Vodafone Cricket Live Australia - Architecture 57

Vodafone Cricket Live Australia – Amazon Components 2 Elastic Load Balancers (ELB) 3 EC2 instances in idle conﬁguration (2 large 1 small), auto expandable up to 9 (8 large 1 small) under load All EC2 instances are bootstrapped to load application after instantiation. 1 S3 bucket to store application itself 2 auto-scaling groups to protect from hardware failure and give expandability. Any failed server will be automatically replaced MySQL relational database service (RDS) instance to hold all data Cloudwatch CPU usage alarms linked to auto-scaling groups for auto expand and auto shrink Contracted ProQuest to build and optimise our AWS instances/environment

Key Learnings and Next Step Key Learnings Public Cloud Infrastructure - best cost option for Low Frequency but High Demand services Content Delivery Networks (CDN) and Cloud Computing provides an optimal solution Next Step in Progress Uniﬁed Content Management System on Amazon to manage ‘peak demands’ when new devices are released Online Oracle Webcentre Sites / Fatwire 7.6 Content Management System in Production

Transformation 2:Embracing the security advantages of shared systems

ApplicationsFlexibility to Choose the Right Security Model for Each Application You Infrastructure AWS Security Infrastructure SOC 1/SSAE 16/ISAE 3402, Every Customer Gets the Highest ISO 27001, PCI DSS, HIPAA, ITAR, FISMA Moderate, FIPS 140-2 Level of Security

Kit, go fasterTransformation 3: From Scaling by Architecture …to Scaling By Command Yes Michael

Scaling by Architecture: NoSQL Database Cluster Set up Config & Shard & Rinse &more servers Tune Repartition Repeat

Scaling by Command with Amazon DynamoDB Amazon DynamoDB Data is automatically spread across enough hardware to deliver single digit millisecond latency.

Transformation 4:A Supercomputer in the Hands of Every Developer

Supercomputers used to be Privileges of the EliteExpensiveRationed timeOnly for the “highest value” jobs

Supercomputers by the Hour… for Everyone.AWS built the 42 nd fastest supercomputer in the world1,064 Amazon EC2 CC2 instances with17,024 cores240 teraflops cluster (240 trillion calculations per second)Less than $1,000 per hour

Develops leading computational

Instead of $20M in datacenter spend… 51,132 Cores… 3 Hours… $4,828/ hour …

Transformation 5:Experiment Often & Fail Quickly

Traditional Infrastructure Drives up the Cost of Failure … Innovation Suffers $1 2How many big ticket 7 M $technology ideas can your $9 Mbudget tolerate?

Experiment Often & Fail Quickly with AWS  $1 00  $2 K  $5 00  Cost of failure falls dramaticallyPeople are free to try out new ideas  $7 5 $3 3  $3 K More risk taking, more innovation  $2 34  $5 00  $6 92  $1 K  $9 6  $1 2

REA Group Richard Durnall Head of Delivery

• Picture of view from my desk 77

A bit about us• Picture of view from my desk 77

helped by

Distributed Agile helped by

helped by

Continuous Delivery helped by

helped by

Hack Days helped by

helped by

Home Ideas helped by

Transformation 6:Big Data without Big Servers

Attacking Big Data Problems Shouldn’t Be This Complicated Storing Massive Data Investing In Expensive Volumes Into A Huge Data Server Clusters To Process Warehouse The Data

The Cloud Makes This a Lot Simpler Hadoop Clusters Amazon S3Amazon DynamoDB Amazon EMR Load Data in Organize & Visualize the Cloud Analyze Data Results 1 2 3

BrandscreenSeth YatesFounder & CTO

It’s broken

Structurally, acommoditymarket

Low latency. High throughput. Huge volume.

1 petabyte10% per month

1.Experimen t 2.Learn 3.PlanAll images sourced fromiStockPhoto.com

Transformation 7:Mobile Ecosystem for a Mobile-First World

Building Mobile

Rich media experienceLocation context awareReal-time presence drivenSocial graph basedUser generated contentRecommendationsIntegration w/ social networksVirtual goods economyAdvertisement / premium supportMulti-device access

Cloud Mobile Ecosystem

PBS Video for iPad PBSKids Video for iPad Launched Nov ‘10 Launched April ‘11

Fun With Numbers - February 2012Total Video Mobile VideoUnique visitors: 30M/mo 115k unique visitors per dayVisits: 57M/mo 310k daily app opensPage views: 367M / mo 27% of hours watched, 40% of streamsVideo streams: 145M/moHours watched: 2.3M/mo

The AWS MissionEnable businesses and developers to use web services to build scalable, sophisticated applications.

Security and Privacyin the CloudStephen SchmidtVice President &Chief Information Security Officer

AWS Security Model Overview Certifications & Accreditations Shared Responsibility Model Sarbanes-Oxley (SOX) compliance Customer/SI Partner/ISV controls guest ISO 27001 Certification OS-level security, including patching and PCI DSS Level I Certification maintenance HIPAA compliant architecture Application level security, including password and role based access SAS 70(SOC 1) Type II Audit Host-based firewalls, including Intrusion FISMA Low & Moderate ATOs Detection/Prevention Systems DIACAP MAC III-Sensitive Separation of Access  Pursuing DIACAP MAC II–SensitivePhysical Security VM Security Network Security Multi-level, multi-factor controlled access Multi-factor access to Amazon Account Instance firewalls can be configured in environment Instance Isolation security groups; Controlled, need-based access for AWS • Customer-controlled firewall at the The traffic may be restricted by protocol, employees (least privilege) hypervisor level by service port, as well as by source IPManagement Plane Administrative Access • Neighboring instances prevented access address (individual IP or Classless Inter- Multi-factor, controlled, need-based Domain Routing (CIDR) block). • Virtualized disk management layer access to administrative host ensure only account owners can access Virtual Private Cloud (VPC) provides All access logged, monitored, reviewed storage disks (EBS) IPSec VPN access from existing enterprise AWS Administrators DO NOT have logical data center to a set of logically isolated Support for SSL end point encryption for access inside a customer’s VMs, including AWS resources API calls applications and data

Shared Responsibility Model AWS Customer•Facilities •Operating System•Physical Security •Application•Physical •Security Groups Infrastructure •Network ACLs•Network •Network Infrastructure Conﬁguration •Account Management

AWS Security Resources http://aws.amazon.com/security/ Security Whitepaper Risk and Compliance Whitepaper Latest Versions May 2011, January 2012respectively Regularly Updated Feedback is welcome

AWS CertificationsSarbanes-Oxley (SOX)ISO 27001 CertificationPayment Card Industry Data Security Standard (PCI DSS) Level 1 CompliantSAS70(SOC 1) Type II AuditFISMA A&As• Multiple NIST Low Approvals to Operate (ATO)• NIST Moderate, GSA issued ATO• FedRAMPDIACAP MAC III Sensitive ATOCustomers have deployed various compliant applications such as HIPAA(healthcare)

SOC 1 Type IIAmazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 reportevery six months and maintains a favorable unbiased and unqualified opinion from itsindependent auditors. AWS identifies those controls relating to the operational performanceand security to safeguard customer data. The SOC 1 report audit attests that AWS’ controlobjectives are appropriately designed and that the individual controls defined to safeguardcustomer data are operating effectively. Our commitment to the SOC 1 report is on-going and weplan to continue our process of periodic audits.The audit for this report is conducted in accordance with the Statement on Standards forAttestation Engagements No. 16 (SSAE 16) and the International Standards for AssuranceEngagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can meeta broad range of auditing requirements for U.S. and international auditing bodies. This audit isthe replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report.

SOC 1Control Objective 1: Security OrganizationControl Objective 2: Amazon Employee LifecycleControl Objective 3: Logical SecurityControl Objective 4: Secure Data HandlingControl Objective 5: Physical SecurityControl Objective 6: Environmental SafeguardsControl Objective 7: Change ManagementControl Objective 8: Data Integrity, Availability and RedundancyControl Objective 9: Incident Handling

ISO 27001 AWS has achieved ISO 27001 certification of ourInformation Security Management System (ISMS) coveringAWS infrastructure, data centers in all regions worldwide,and services including Amazon Elastic Compute Cloud(Amazon EC2), Amazon Simple Storage Service (AmazonS3) and Amazon Virtual Private Cloud (Amazon VPC). Wehave established a formal program to maintain thecertification.

Physical Security Amazon has been building large-scale data centers formany years Important attributes: •Non-descript facilities •Robust perimeter controls •Strictly controlled physical access •2 or more levels of two-factor auth Controlled, need-based access for AWS employees (least privilege) All access is logged and reviewed

GovCloud US West US West US East South America EU Asia Asia (US ITAR (Northern (Oregon) (Northern (Sao Paulo) (Ireland) Pacific Pacific Region) California) Virginia) (Singapore) (Tokyo) AWS Regions AWS Edge Locations

AWS Regions and Availability Zones Customer Decides Where Applications and Data Reside

AWS Identity and Access ManagementEnables a customer to create multiple Usersand manage the permissions for each ofthese Users.Secure by default; new Users have no accessto AWS until permissions are explicitlygranted. UsAWS IAM enables customers to minimize theuse of their AWS Account credentials.Instead all interactions with AWS Servicesand resources should be with AWS IAM Usersecurity credentials.erCustomers can enable MFA devices for theirAWS Account as well as for the Users theyhave created under their AWS Account withAWS IAM.

AWS MFA Benefits Helps prevent anyone with unauthorized knowledgeof your e-mail address and password fromimpersonating you Requires a device in your physical possession togain access to secure pages on the AWS Portal or togain access to the AWS Management Console Adds an extra layer of protection to sensitiveinformation, such as your AWS access identifiers Extends protection to your AWS resources such asAmazon EC2 instances and Amazon S3 data

Amazon EC2 SecurityHost operating system• Individual SSH keyed logins via bastion host for AWS admins• All accesses logged and auditedGuest operating system• Customer controlled at root level• AWS admins cannot log in• Customer-generated keypairsFirewall• Mandatory inbound instance firewall, default deny mode• Outbound instance firewall available in VPC• VPC subnet ACLsSigned API calls• Require X.509 certificate or customer’s secret AWS key

Amazon EC2 Instance Isolation Customer 1 Customer 2 … Customer n Hypervisor Virtual Interfaces Customer 1 Security Groups Customer 2 Security Groups … Customer n Security Groups Firewall Physical Interfaces

Virtual Memory & Local Disk Amazon EC2 Instances Encrypted File System Amazon EC2 Instance Encrypted Swap File•Proprietary Amazon disk management prevents one Instance from reading the disk contents of another•Local disk storage can also be encrypted by the customer for an added layer of security

Network Security ConsiderationsDDoS (Distributed Denial of Service):• Standard mitigation techniques in effectMITM (Man in the Middle):• All endpoints protected by SSL• Fresh EC2 host keys generated at bootIP Spoofing:• Prohibited at host OS levelUnauthorized Port Scanning:• Violation of AWS TOS• Detected, stopped, and blocked• Ineffective anyway since inbound ports blocked by defaultPacket Sniffing:• Promiscuous mode is ineffective

Amazon Virtual Private Cloud (VPC)Create a logically isolated environment in Amazon’s highly scalable infrastructureSpecify your private IP address range into one or more public or private subnetsControl inbound and outbound access to and from individual subnets using statelessNetwork Access Control ListsProtect your Instances with stateful filters for inbound and outbound traffic usingSecurity GroupsAttach an Elastic IP address to any instance in your VPC so it can be reacheddirectly from the InternetBridge your VPC and your onsite IT infrastructure with an industry standard encryptedVPN connection and/or AWS Direct ConnectUse a wizard to easily create your VPC in 4 different topologies

Amazon VPC Architecture Customer’s isolated AWS resources Subnets Router VPN GatewaySecure VPN AmazonConnection over theInternet Web Services AWS Direct Connect Cloud – Dedicated Path/ Bandwidth Customer’s Network

Amazon VPC Architecture Customer’s isolated AWS resources SubnetsInternet Router VPN Gateway Secure VPN Amazon Connection over the Internet Web Services AWS Direct Connect Cloud – Dedicated Path/ Bandwidth Customer’s Network

Amazon VPC Architecture Customer’s isolated AWS resources Subnets NATInternet Router VPN Gateway Secure VPN Amazon Connection over the Internet Web Services AWS Direct Connect Cloud – Dedicated Path/ Bandwidth Customer’s Network

Amazon VPC Network Security Controls

Amazon VPC - Dedicated Instances New option to ensure physical hosts are not shared withother customers $10/hr flat fee per Region + small hourly charge Can identify specific Instances as dedicated Optionally configure entire VPC as dedicated

AWS Deployment Models Logical Server Granular Logical Physical Government Only ITAR Sample Workloads and Application Information Network server Physical Network Compliant Isolation Access Policy Isolation Isolation and Facility (US Persons Isolation Only)Commercial Cloud   Public facing apps. Web sites, Dev test etc.Virtual Private     Data Center extension,Cloud (VPC) TIC environment, email, FISMA low and ModerateAWS GovCloud       US Persons Compliant(US) and Government Specific Apps.

Thanks! Remember to visithttps://aws.amazon.com/security

Your Future with Cloud Computing - Dr. Werner Vogels - AWS Summit 2012 Australia

by Amazon Web Services on May 21, 2012

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Your Future with Cloud Computing - Dr. Werner Vogels - AWS Summit 2012 Australia Presentation Transcript