AWS Account Best Practices
Steven Bryen
Manager, Solutions Architecture, AWS
@steven_bryen
sbryen@amazon.com
AGENDA
• Account Management & Billing
• Network Infrastructure & Connectivity
• Security & Compliance
• Optimizing for Cost
• Managing & Auditing Access
ACCOUNT MANAGEMENT & BILLING
AWS ACCOUNTS
Accounts act as the main billing entity for AWS Resources
Also a security boundary for environments, applications and organisational units.
BILLING
Different billing options are available including invoicing
Consolidated billing: Let one account pick up the bill for multiple ‘sub accounts’
Set up billing alerts, AWS Budgets and automated bill reporting for better insight.
Utilise tagging for better cost allocation.
AWS Budgets & Cost Management Tools
Fully Centralized Model
• Centrally managed business and IT
• Centralised Governance
[Diagram: a single Master Account (aws.invoices@mycompany.com)]
Autonomous Model
• Autonomous Business and IT functions (Geographic, Departmental, Project)
• Independent Business and IT Governance
[Diagram: a Division A Master Account (division.a.invoices@mycompany.com) and a Division B Master Account (division.b.invoices@mycompany.com), each billed separately]
Single Master Hierarchical Model
• Central Governance
• Devolved IT Function
[Diagram: one Master Account (aws.invoices@mycompany.com) holding consolidated billing information for Division A (division.a@mycompany.com) and Division B (division.b@mycompany.com)]
Multi-Master Hierarchical Model
• Multiple Autonomous Governance Bodies
• Multiple IT Functions
[Diagram: two independent hierarchies, each with its own Master Account (aws.invoices@mycompany.com) holding consolidated billing information for its Division A (division.a@mycompany.com) and Division B (division.b@mycompany.com) accounts]
Resource Tagging
[Diagram: the hierarchical model above, with resources in Division A and Division B carrying Tags Proj=x, Proj=y and Proj=z so the Master Account's consolidated billing information can be allocated per project]
Billing Alerts & Programmatic Access
[Diagram: the same tagged hierarchy, with the Master Account's consolidated billing information made available programmatically as a CSV in S3]
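The two slides above describe tagging resources with a project tag and reading the consolidated bill programmatically from the CSV in S3. The following is an added example, not code from the deck, showing what that programmatic access looks like once the CSV is downloaded: it sums cost per value of a cost allocation tag, surfaces spend that carries no tag at all, and compares totals against per-project budgets. The CSV rows, the column names and the budget figures are constructed for the example (cost allocation tag columns in AWS billing reports are prefixed `user:`, so the deck's Proj tag appears as `user:Proj`).

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample rows in the shape of a billing report with cost allocation
# tags enabled. None of these values are real billing data.
SAMPLE_BILLING_CSV = """LinkedAccountId,ProductName,ResourceId,UsageQuantity,UnblendedCost,user:Proj
111111111111,Amazon Elastic Compute Cloud,i-0aaa,720,52.80,x
111111111111,Amazon Simple Storage Service,bucket-a,1,3.10,x
222222222222,Amazon Elastic Compute Cloud,i-0bbb,720,105.60,y
222222222222,Amazon Relational Database Service,db-1,720,210.00,z
222222222222,Amazon Elastic Compute Cloud,i-0ccc,360,26.40,
"""


def cost_by_tag(csv_text, tag_column="user:Proj"):
    """Sum UnblendedCost per value of the given cost allocation tag column.

    Rows with an empty tag value are reported under "(untagged)" so that
    untagged spend stays visible instead of silently disappearing.
    Decimal is used so that money is not rounded by float arithmetic.
    """
    totals = defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row.get(tag_column) or "").strip() or "(untagged)"
        totals[key] += Decimal(row["UnblendedCost"])
    return dict(totals)


def untagged_resources(csv_text, tag_column="user:Proj"):
    """Return (linked account, resource id) pairs that carry no value for the tag.

    These are the resources a tagging policy (or a Config rule) should catch.
    """
    return [
        (row["LinkedAccountId"], row["ResourceId"])
        for row in csv.DictReader(io.StringIO(csv_text))
        if not (row.get(tag_column) or "").strip()
    ]


def over_budget(totals, budget_by_tag):
    """Return the tag values whose total exceeds the (hypothetical) budget for that tag."""
    return {tag: spend for tag, spend in totals.items()
            if tag in budget_by_tag and spend > budget_by_tag[tag]}


if __name__ == "__main__":
    totals = cost_by_tag(SAMPLE_BILLING_CSV)
    for tag, spend in sorted(totals.items()):
        print(f"{tag:12s} {spend:>10}")
    print("untagged resources:", untagged_resources(SAMPLE_BILLING_CSV))
    print("over budget:", over_budget(totals, {"x": Decimal("50"), "y": Decimal("150")}))
```

The same aggregation works for any tag key by changing `tag_column`; the point of keeping the "(untagged)" bucket is that it is the number a cost owner cannot attribute, which is also the number that grows when teams stop tagging.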
What can I share between Accounts?
EC2 AMIs (EC2 Virtual Machine Template): pre-configured, templated Amazon Machine Images can be used to package together the following elements: Operating System, Application Code, Configuration.
S3 Buckets (S3 Bucket Policies): Amazon Simple Storage Service is organized into buckets. You can control access to S3 buckets using bucket policies. Bucket policies can also integrate with IAM to give access to all users in different accounts, or a subset of users.
EBS Snapshots (Block File system Snapshot): as with a traditional SAN storage infrastructure, EBS volumes can be snapshotted and the data shared. EBS Volumes and Snapshots support a wide range of file systems, e.g. NTFS, EXT2/3/4.
Sign up for AWS Accounts
• Sign up with a real, monitored email address
• Create accounts with the same domain
• Populate the alternate contacts for billing, operations and security
• AWS accounts and Amazon retail accounts are linked
• Leverage consolidated billing to simplify payments and make use of volume discounts
• Move to invoicing payment
• Enable support
• Enable Billing Alerts
VPCs
VPC is a private, isolated section of the AWS cloud where YOU define the networking within it. A VPC spans all AZ's in a region.
VPC Peering allows you to peer multiple VPCs across AWS accounts in a single region.
[Diagram: VPC components: Subnet, Route Table, Elastic Network Interface, Amazon VPC Router, Internet Gateway, Virtual Private Gateway, VPN Connection, Customer Gateway]
Connectivity Options
Direct Connect is a physical connection to Amazon Public Cloud and/or Amazon VPC providing dedicated bandwidth between your site and AWS
Configure redundant, secure VPN connections between your VPC and your site
Alternatively you can connect directly to your VPC using a secured internet channel (SSH, RDP etc).
Basic VPC
[Diagram: VPC 10.1.0.0/16 with Subnet 10.1.1.0/24 in Availability Zone A and Subnet 10.1.2.0/24 in Availability Zone B]
Private & Public Subnets
[Diagram: VPC 10.1.0.0/16 with Public Subnets 10.1.1.0/24 and 10.1.2.0/24 and Private Subnets 10.1.3.0/24 and 10.1.4.0/24, one public and one private subnet in each of Availability Zone A and Availability Zone B]
Segregate Environments into VPCs
[Diagram: three VPCs, each with public and private subnets across two Availability Zones: Test/Dev (10.0.0.0/16), Staging (10.1.0.0/16) and Production (10.2.0.0/16)]
Shared Services Model
[Diagram: three VPCs carved out of 10.0.0.0/16 and joined by VPC Peering: Shared Services (10.0.0.0/18), Application A (10.0.64.0/20) and Application B (10.0.80.0/20), each with public and private subnets across two Availability Zones]
Putting it all together
[Diagram: a Master Account (aws.invoices@mycompany.com) holding consolidated billing information for a Production Account and a Dev/Test Account; each account contains its own copy of the shared services layout (Shared Services 10.0.0.0/18 peered with Application A 10.0.64.0/20 and Application B 10.0.80.0/20, public and private subnets across two Availability Zones)]
Consider using CloudFormation to manage VPCs
(fragment of the Resources section of a CloudFormation template)
    "Public2Subnet" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "Zones", { "Ref" : "AWS::Region" }, "2" ] },
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Public2", "CIDR" ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Name", "Value" : "Public2Subnet" }
        ]
      }
    },
    "Private1Subnet" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Private1", "CIDR" ] },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "Zones", { "Ref" : "AWS::Region" }, "1" ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Name", "Value" : "Private1Subnet" }
        ]
      }
    },
Template your Environments
• Version Control your datacenter with CloudFormation!
• One click deployments
• Reproduce anywhere in the globe in minutes
• Segregation of Duties between infrastructure and application owners.
Plan your VPC IP space before creating it
Consider future AWS region expansion
Consider how data will need to flow between VPCs
Consider future connectivity to corporate networks
VPC can be /16 down to /28
CIDR cannot be modified once created
Overlapping IP spaces = future headache
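Because the CIDR of a VPC cannot be changed after creation, the checks in this slide are worth running before a template is ever applied. The following is an added example, not from the deck, written in plain Python with the standard `ipaddress` module: it validates that each planned VPC block is a proper network address within the /16 to /28 range, detects overlaps between VPCs that would later need peering, checks that a VPC's subnets fit inside it without overlapping each other, and flags clashes with corporate ranges that a VPN or Direct Connect will one day have to route to. The VPC names, the corporate range and the helper names are assumptions; the CIDRs are the ones used in the deck's diagrams.

```python
import ipaddress
from itertools import combinations

# The environments from the "Segregate Environments into VPCs" slide (names assumed).
PLANNED_VPCS = {
    "test-dev": "10.0.0.0/16",
    "staging": "10.1.0.0/16",
    "production": "10.2.0.0/16",
}


def validate_vpc_cidr(cidr):
    """Return an error string, or None when the block is an acceptable VPC CIDR.

    strict=True rejects blocks with host bits set (e.g. 10.1.1.0/16), which is
    exactly the kind of mistake that cannot be corrected once the VPC exists.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return f"{cidr}: {exc}"
    if net.version != 4:
        return f"{cidr}: only IPv4 primary CIDRs are checked here"
    if not 16 <= net.prefixlen <= 28:
        return f"{cidr}: prefix /{net.prefixlen} is outside the /16 to /28 range"
    return None


def find_overlaps(vpcs):
    """Return sorted (name, name) pairs whose CIDRs overlap; such VPCs cannot be peered."""
    nets = {name: ipaddress.ip_network(c, strict=False) for name, c in vpcs.items()}
    return sorted(
        (a, b)
        for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
        if na.overlaps(nb)
    )


def subnets_fit(vpc_cidr, subnet_cidrs):
    """True when every subnet lies inside the VPC and no two subnets overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subs = [ipaddress.ip_network(s) for s in subnet_cidrs]
    inside = all(s.subnet_of(vpc) for s in subs)
    disjoint = not any(a.overlaps(b) for a, b in combinations(subs, 2))
    return inside and disjoint


def plan_is_sound(vpcs, corporate_ranges=()):
    """Overall verdict plus the detail: invalid CIDRs, VPC overlaps, corporate clashes."""
    errors = [e for e in map(validate_vpc_cidr, vpcs.values()) if e]
    overlaps = find_overlaps(vpcs)
    corp = [ipaddress.ip_network(c) for c in corporate_ranges]
    clashes = [
        (name, str(c))
        for name, cidr in vpcs.items()
        for c in corp
        if ipaddress.ip_network(cidr, strict=False).overlaps(c)
    ]
    return (not errors and not overlaps and not clashes), errors, overlaps, clashes


if __name__ == "__main__":
    ok, errors, overlaps, clashes = plan_is_sound(PLANNED_VPCS, ["192.168.0.0/16"])
    print("plan sound:", ok, errors, overlaps, clashes)
    # The shared services layout from the deck fits inside 10.0.0.0/16 without overlaps.
    print(subnets_fit("10.0.0.0/16", ["10.0.0.0/18", "10.0.64.0/20", "10.0.80.0/20"]))
```

Run it against the real plan (and the corporate ranges a future VPN or Direct Connect must reach) before the first `CreateVpc` call; adding a future region's VPCs to the dictionary is the cheapest way to find out now that two teams both wanted 10.0.0.0/16.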
SECURITY & COMPLIANCE
Shared Responsibility Model
Amazon:
• AWS Global Infrastructure: Availability Zones, Regions, Edge Locations
• Foundation Services: Compute, Storage, Database, Networking
You:
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption/Integrity/Identity)
Security Tools & Techniques
Security Groups: granular network filtering. “This instance can only receive HTTP traffic on port 80”
• Applied to instance ENI (up to 5 per)
• Stateful
• Allow Only (whitelist)
• Rules evaluated as a whole
• SGs can reference other SGs in same VPC
S3 Bucket Policies: control access to S3 buckets. “Allow read access to all but put access from a restricted list of IP addresses”
• Bucket Policies can also integrate with IAM to give access to all users in different accounts, or a subset of users
ACLs: enforcing baseline security policy. “No TFTP, NetBIOS or SMTP shall egress this subnet”
• Applied to subnets (1 per)
• Stateless
• Allow & Deny (blacklist)
• Rules processed in order
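The difference between "rules evaluated as a whole, stateful, allow only" (security groups) and "rules processed in order, stateless, allow and deny" (network ACLs) is the source of most filtering mistakes, so the following added example, not from the deck, models both evaluation orders in plain Python and runs the slide's "no TFTP, NetBIOS or SMTP shall egress this subnet" baseline through them. It shows two things a practitioner should expect: a NACL where the allow-all rule is numbered before the deny rules never applies the denies, and a stateless NACL drops reply traffic on ephemeral ports unless that range is explicitly allowed, whereas a security group admits replies to flows it already permitted. The rule numbers, port ranges, sample addresses and the class names are constructed for the example.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    port: int    # destination port of the packet
    addr: str    # remote address (source for inbound, destination for outbound)


@dataclass(frozen=True)
class Rule:
    number: int  # NACL rule number; lower numbers are evaluated first (ignored for SGs)
    action: str  # "allow" or "deny" (security groups only ever carry "allow")
    proto: str   # "tcp", "udp" or "all"
    ports: tuple  # (low, high), inclusive
    cidr: str

    def matches(self, pkt):
        proto_ok = self.proto == "all" or self.proto == pkt.proto
        port_ok = self.ports[0] <= pkt.port <= self.ports[1]
        cidr_ok = ipaddress.ip_address(pkt.addr) in ipaddress.ip_network(self.cidr)
        return proto_ok and port_ok and cidr_ok


def nacl_decision(rules, pkt):
    """Stateless, ordered evaluation: the lowest-numbered matching rule decides,
    and the implicit final '*' rule denies anything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action
    return "deny"


def sg_decision(rules, pkt, tracked_flows=frozenset()):
    """Stateful, allow-only evaluation: all rules are considered together, so any
    matching rule permits the packet, and replies to tracked flows are permitted
    without a rule. There is no deny rule to express a blacklist."""
    if pkt in tracked_flows:
        return "allow"
    return "allow" if any(r.matches(pkt) for r in rules) else "deny"


# Constructed egress NACL implementing the slide's baseline: deny TFTP (udp/69),
# NetBIOS (137-139) and SMTP (tcp/25), then allow everything else.
EGRESS_BASELINE = [
    Rule(100, "deny", "udp", (69, 69), "0.0.0.0/0"),
    Rule(110, "deny", "tcp", (137, 139), "0.0.0.0/0"),
    Rule(120, "deny", "udp", (137, 139), "0.0.0.0/0"),
    Rule(130, "deny", "tcp", (25, 25), "0.0.0.0/0"),
    Rule(200, "allow", "all", (0, 65535), "0.0.0.0/0"),
]

# The same intent with the allow-all rule numbered first: the denies are never reached.
EGRESS_MISORDERED = [Rule(50, "allow", "all", (0, 65535), "0.0.0.0/0")] + EGRESS_BASELINE[:-1]

# Inbound NACL for a web subnet. Without the ephemeral-port rule, replies to
# connections the instances open (package updates, API calls) are dropped.
INGRESS_WEB_ONLY = [Rule(100, "allow", "tcp", (80, 80), "0.0.0.0/0")]
INGRESS_WEB_AND_REPLIES = INGRESS_WEB_ONLY + [Rule(110, "allow", "tcp", (1024, 65535), "0.0.0.0/0")]

# Security group for the same web instances: one inbound allow for HTTP.
WEB_SG = [Rule(0, "allow", "tcp", (80, 80), "0.0.0.0/0")]


if __name__ == "__main__":
    smtp_out = Packet("tcp", 25, "198.51.100.10")
    print("baseline blocks SMTP egress:", nacl_decision(EGRESS_BASELINE, smtp_out))
    print("misordered lets SMTP through:", nacl_decision(EGRESS_MISORDERED, smtp_out))
    reply = Packet("tcp", 51234, "203.0.113.5")
    print("stateless NACL on a reply:", nacl_decision(INGRESS_WEB_ONLY, reply))
    print("stateful SG on a tracked reply:", sg_decision(WEB_SG, reply, {reply}))
```

The model deliberately leaves out things the real services have (ICMP types, IPv6, SG references to other SGs) to keep the ordering and statefulness visible; the first rule of the slide's best-practice list, "use ACLs sparingly", follows directly from how easy the misordered variant is to write.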
Security Tools & Techniques cont.
AWS Config: notification on changes to resources. “Tell me when changes are made to my AWS resources”
• Integration with 3rd Party Tools
• Notification via SNS
• Config Rules allows you to take action based on rules, e.g. if instances are not tagged with an ’owner’, notify me
AWS Inspector: automated security assessment. “Can I assess my Application in AWS for known vulnerabilities or best practices”
• Pre-built assessments for known compliance programmes.
• Agent based, API driven and delivered as a service.
• Enforce Security Standards for your AWS Applications
AWS CloudTrail: auditing of AWS Account usage. “Who did what in my account at a specific time”
• Capture logs of all AWS API invocations.
• Logs are sent to S3 or CloudWatch Logs
• Integration with 3rd Party Tools
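CloudTrail only answers "who did what at a specific time" if someone reads the records, so the following added example, not from the deck, shows the minimal reader: it loads records in the shape CloudTrail writes (a JSON object with a `Records` list), answers the who/what/when question for a time window, and flags the events a defender wants notified about, such as a console login without MFA or a call that changes IAM permissions or stops the trail. The records themselves, the user names, the addresses and the list of sensitive event names are constructed for the example; the field names (`eventTime`, `eventName`, `eventSource`, `userIdentity`, `sourceIPAddress`, `additionalEventData.MFAUsed`) are the ones CloudTrail uses.

```python
import json
from datetime import datetime

# Constructed records in CloudTrail's file layout. Account ids, names and
# addresses are made up; the field names follow the CloudTrail record format.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-04-20T09:01:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-04-20T09:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2016-04-20T10:15:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "susan"},
     "requestParameters": {"userName": "brad",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2016-04-20T11:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "susan"}},
    {"eventTime": "2016-04-20T11:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.1.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/reporting/i-0aaa"}},
]})

# Constructed, deliberately short list of API calls worth an alert on their own.
SENSITIVE_EVENTS = {"StopLogging", "DeleteTrail", "AttachUserPolicy",
                    "PutUserPolicy", "CreateAccessKey"}


def load_records(log_text):
    return json.loads(log_text)["Records"]


def _ts(value):
    # CloudTrail timestamps are UTC with a trailing Z; fromisoformat needs an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def actor(rec):
    """Best available name for the caller: IAM user, else the role/STS ARN, else the type."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def who_did_what(records, start, end):
    """Answer the slide's question for a time window: (time, actor, action, source IP)."""
    s, e = _ts(start), _ts(end)
    return [
        (rec["eventTime"], actor(rec), rec["eventName"], rec["sourceIPAddress"])
        for rec in records
        if s <= _ts(rec["eventTime"]) <= e
    ]


def findings(records):
    """Return (finding, actor, time) triples for events a defender should be told about."""
    found = []
    for rec in records:
        name = rec["eventName"]
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if name == "ConsoleLogin" and mfa != "Yes":
            found.append(("console-login-without-mfa", actor(rec), rec["eventTime"]))
        if name in SENSITIVE_EVENTS:
            found.append(("sensitive-api-call:" + name, actor(rec), rec["eventTime"]))
    return found


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for row in who_did_what(recs, "2016-04-20T09:00:00Z", "2016-04-20T10:00:00Z"):
        print(*row)
    for f in findings(recs):
        print("FINDING", *f)
```

In production the same two functions sit behind the SNS notification the slide mentions, or behind a third-party tool fed from the S3 bucket; the important property is that `StopLogging` and `DeleteTrail` are on the list, since the trail being switched off is the one event that stops every other question being answerable.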
Security Best Practices
Use ACLs sparingly, keep it simple
Utilise Security Groups for fine grained control
Utilise security groups to manage access to instances that have similar functions and security requirements
Read: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
CIS Foundations Benchmark
OPTIMISING FOR COST
Many pricing options available
Reserved: make a low, one-time payment and receive a significant discount on the hourly charge. For committed utilization.
Free Tier: get started on AWS with free usage & no commitment. For POCs and getting started.
On-Demand: pay for compute capacity by the hour with no long-term commitments. For spiky workloads, or to define needs.
Spot: bid for unused capacity, charged at a Spot Price which fluctuates based on supply and demand. For time-insensitive or transient workloads.
Dedicated: launch instances within Amazon VPC that run on hardware dedicated to a single customer. For highly sensitive or compliance related workloads.
Run the right instances at the right time
Stop or terminate instances when they’re not required
Utilise CloudFormation to tear down and recreate whole environments on demand
Use CloudWatch to monitor instance load and scale vertically and/or horizontally to maximise instance utilisation
Utilise Reserved Instances to lower TCO
MANAGING & AUDITING ACCESS
Identity & Access Management
[Diagram: an Account with IAM Groups (Administrators, Developers), IAM Roles (Applications) and IAM Policies attached to them; the identities shown are Bob, Jim, Brad, Mark, Susan, Tomcat, Reporting and Console]
Policy Driven
• Declarative definition of rights for groups
• Policies control access to AWS APIs
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:*",
        "ec2:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
Audit User Actions
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.
With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via:
• AWS Management Console
• AWS SDKs
• Command line tools
• Higher-level AWS services (such as CloudFormation).
Control access through fine grained policies
Use multi factor authentication for console access
Use groups to define access levels and assign IAM policies to groups
Even the superuser group should have some explicit denies
Utilise IAM roles to ensure no API credentials are placed onto EC2 instances
Utilise tagging to define fine grained control to resources
Consider IAM federation into AD to simplify user management
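The policy document on the earlier slide and the advice that "even the superuser group should have some explicit denies" both rest on one evaluation rule: an explicit Deny in any attached policy beats any Allow, and with no matching Allow the default is deny. The following added example, not from the deck, implements that rule in plain Python over policy documents in IAM's JSON shape, using the deck's developer policy as-is plus a constructed superuser policy that allows `*` but denies the calls that would blind the account (stopping or deleting the CloudTrail trail) or remove users. It is a simplification of the real evaluator (no `NotAction`, no `Condition` keys, no resource-based or SCP policies), and the action wildcard matching is done with `fnmatch`, which is an assumption about the matching semantics.

```python
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are matched as written; '*' is the wildcard.
    return fnmatchcase(resource, pattern)


def evaluate(policies, action, resource):
    """Return 'allow' or 'deny' for one request against all attached policies.

    Order of precedence, as in IAM: any matching explicit Deny wins outright;
    otherwise some matching Allow is required; otherwise the implicit deny applies.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            hit = (any(_action_matches(a, action) for a in actions)
                   and any(_resource_matches(r, resource) for r in resources))
            if not hit:
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "deny"


# The developer policy from the slide, unchanged.
DEVELOPER_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
               "autoscaling:*", "cloudwatch:*", "s3:*"],
    "Resource": "*",
}]}

# Constructed superuser group policy: full access, minus a few explicit denies
# that protect the audit trail and the user base even from administrators.
SUPERUSER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "iam:DeleteUser"],
     "Resource": "*"},
]}


if __name__ == "__main__":
    for who, pols in (("developer", [DEVELOPER_POLICY]), ("superuser", [SUPERUSER_POLICY])):
        for act in ("ec2:RunInstances", "iam:CreateUser", "cloudtrail:StopLogging"):
            print(f"{who:10s} {act:24s} {evaluate(pols, act, '*')}")
```

Because the explicit Deny is evaluated before any Allow is counted, attaching a second, more generous policy to the same group cannot reopen the denied calls; that is what makes the "some explicit denies" advice robust against later policy sprawl.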
Thank You
@steven_bryen
sbryen@amazon.com
awsloft.london
closing.party && startup.showcase
28 April :: 18:00 >> 22:00

More Related Content

What's hot

Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Amazon Web Services
 

What's hot (20)

AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control Tower
 
Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
 
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksDeep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
 
Landing Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsLanding Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS Migrations
 
AWS networking fundamentals
AWS networking fundamentalsAWS networking fundamentals
AWS networking fundamentals
 
What is AWS?
What is AWS?What is AWS?
What is AWS?
 
Amazon GuardDuty Lab
Amazon GuardDuty LabAmazon GuardDuty Lab
Amazon GuardDuty Lab
 
Managing and governing multi-account AWS environments using AWS Organizations...
Managing and governing multi-account AWS environments using AWS Organizations...Managing and governing multi-account AWS environments using AWS Organizations...
Managing and governing multi-account AWS environments using AWS Organizations...
 
Introduction to AWS Cloud Computing | AWS Public Sector Summit 2016
Introduction to AWS Cloud Computing | AWS Public Sector Summit 2016Introduction to AWS Cloud Computing | AWS Public Sector Summit 2016
Introduction to AWS Cloud Computing | AWS Public Sector Summit 2016
 
Introduction to Amazon EC2
Introduction to Amazon EC2Introduction to Amazon EC2
Introduction to Amazon EC2
 
Aberdeen Oil & Gas Event - Introduction to the AWS Cloud
Aberdeen Oil & Gas Event - Introduction to the AWS CloudAberdeen Oil & Gas Event - Introduction to the AWS Cloud
Aberdeen Oil & Gas Event - Introduction to the AWS Cloud
 
Amazon EventBridge
Amazon EventBridgeAmazon EventBridge
Amazon EventBridge
 
Introduction to Amazon Web Services by i2k2 Networks
Introduction to Amazon Web Services by i2k2 NetworksIntroduction to Amazon Web Services by i2k2 Networks
Introduction to Amazon Web Services by i2k2 Networks
 
What is AWS Cloud Watch
What is AWS Cloud WatchWhat is AWS Cloud Watch
What is AWS Cloud Watch
 
AWS 101
AWS 101AWS 101
AWS 101
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
 
Setting Up a Landing Zone
Setting Up a Landing ZoneSetting Up a Landing Zone
Setting Up a Landing Zone
 

Similar to AWS Account Best Practices

Similar to AWS Account Best Practices (20)

Deep Dive: Hybrid Architectures
Deep Dive: Hybrid ArchitecturesDeep Dive: Hybrid Architectures
Deep Dive: Hybrid Architectures
 
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
 
AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016
AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016
AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016
 
Pragmatic Approach to Workload Migrations - London Summit Enteprise Track RePlay
Pragmatic Approach to Workload Migrations - London Summit Enteprise Track RePlayPragmatic Approach to Workload Migrations - London Summit Enteprise Track RePlay
Pragmatic Approach to Workload Migrations - London Summit Enteprise Track RePlay
 
AWS Enterprise Day | Hybrid IT with AWS: Best of Both Worlds
AWS Enterprise Day | Hybrid IT with AWS: Best of Both WorldsAWS Enterprise Day | Hybrid IT with AWS: Best of Both Worlds
AWS Enterprise Day | Hybrid IT with AWS: Best of Both Worlds
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts
 
building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf
building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdfbuilding-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf
building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf
 
Running Microsoft Workloads on AWS
Running Microsoft Workloads on AWSRunning Microsoft Workloads on AWS
Running Microsoft Workloads on AWS
 
AWS June Webinar Series - Deep dive: Hybrid Architectures
AWS June Webinar Series - Deep dive: Hybrid ArchitecturesAWS June Webinar Series - Deep dive: Hybrid Architectures
AWS June Webinar Series - Deep dive: Hybrid Architectures
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Security on AWS
Security on AWSSecurity on AWS
Security on AWS
 
Aws certified solutions architect
Aws certified solutions architectAws certified solutions architect
Aws certified solutions architect
 
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
 
AWS Summit Auckland - Fundamentals of Networking in AWS
AWS Summit Auckland - Fundamentals of Networking in AWSAWS Summit Auckland - Fundamentals of Networking in AWS
AWS Summit Auckland - Fundamentals of Networking in AWS
 
Débuter sur le cloud AWS
Débuter sur le cloud AWSDébuter sur le cloud AWS
Débuter sur le cloud AWS
 
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...
 
Top 5 AWS Services that you will want to integrate with the VMware Cloud on AWS!
Top 5 AWS Services that you will want to integrate with the VMware Cloud on AWS!Top 5 AWS Services that you will want to integrate with the VMware Cloud on AWS!
Top 5 AWS Services that you will want to integrate with the VMware Cloud on AWS!
 
AWS User Group Hungary - re:Invent review
AWS User Group Hungary - re:Invent reviewAWS User Group Hungary - re:Invent review
AWS User Group Hungary - re:Invent review
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing Zone
 
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption
Your First Hour on AWS: Building the Foundation for Large Scale AWS AdoptionYour First Hour on AWS: Building the Foundation for Large Scale AWS Adoption
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption
 

More from Amazon Web Services

Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Recently uploaded (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter

AWS Account Best Practices

  • 1. AWS Account Best Practices Steven Bryen Manager, Solutions Architecture, AWS @steven_bryen sbryen@amazon.com
  • 2. AGENDA • Account Management & Billing • Network Infrastructure & Connectivity • Security & Compliance • Optimizing for Cost • Managing & Auditing Access
  • 4. AWS ACCOUNTS: Accounts act as the main billing entity for AWS resources. Also a security boundary for environments, applications and organisational units.
  • 5. BILLING: Different billing options are available, including invoicing. Consolidated billing: let one account pick up the bill for multiple ‘sub accounts’. Set up billing alerts, AWS Budgets and automated bill reporting for better insight. Utilise tagging for better cost allocation.
  • 6. AWS Budgets & Cost Management Tools
  • 7. Fully Centralized Model (diagram: a single Master Account, aws.invoices@mycompany.com) • Centrally managed business and IT • Centralised Governance
  • 8. Autonomous Model (diagram: a separate master account per division, division.a.invoices@mycompany.com for Division A and division.b.invoices@mycompany.com for Division B) • Autonomous Business and IT functions (Geographic, Departmental, Project) • Independent Business and IT Governance
  • 9. Single Master Hierarchical Model (diagram: Division A, division.a@mycompany.com, and Division B, division.b@mycompany.com, send consolidated billing information to one Master Account, aws.invoices@mycompany.com) • Central Governance • Devolved IT Function
  • 10. Multi-Master Hierarchical Model (diagram: two independent hierarchies, each with its own Master Account, aws.invoices@mycompany.com, receiving consolidated billing information from its own Division A and Division B accounts) • Multiple Autonomous Governance Bodies • Multiple IT Functions
  • 11. Resource Tagging (diagram: the hierarchical model with resources in each division account tagged Proj=x, Proj=y or Proj=z, so the consolidated bill at the Master Account can be allocated by project)
  • 12. Billing Alerts & Programmatic Access (diagram: the tagged hierarchy; consolidated billing data is delivered as CSV to an S3 bucket for programmatic processing)
  • 13. What can I share between Accounts? • EC2 AMIs (EC2 Virtual Machine Template): pre-configured, templated Amazon Machine Images can be used to package together the operating system, application code and configuration. • S3 Buckets (S3 Bucket Policies): Amazon Simple Storage Service is organized into buckets. You can control access to S3 buckets using bucket policies; bucket policies can also integrate with IAM to give access to all users in different accounts, or a subset of users. • EBS Snapshots (Block File System Snapshot): as with a traditional SAN storage infrastructure, EBS volumes can be snapshotted and the data shared. EBS volumes and snapshots support a wide range of file systems, e.g. NTFS, EXT2/3/4.
  • 14. Sign up for AWS Accounts • Sign up with a real, monitored email address • Create accounts with the same domain • Populate the alternate contacts for billing, operations and security • AWS accounts and Amazon retail accounts are linked • Leverage consolidated billing to simplify payments and make use of volume discounts • Move to invoicing payment • Enable support • Enable Billing Alerts
  • 15. VPCs: a VPC is a private, isolated section of the AWS cloud where YOU define the networking within it. A VPC spans all AZs in a region. VPC Peering allows you to peer multiple VPCs across AWS accounts in a single region. (Icons shown: Route Table, Elastic Network Interface, Amazon VPC Router, Internet Gateway, Customer Gateway, Virtual Private Gateway, VPN Connection, Subnet.)
  • 16. Connectivity Options: Direct Connect is a physical connection to Amazon Public Cloud and/or Amazon VPC providing dedicated bandwidth between your site and AWS. Configure redundant, secure VPN connections between your VPC and your site. Alternatively you can connect directly to your VPC using a secured internet channel (SSH, RDP etc).
  • 17. Basic VPC (diagram: VPC 10.1.0.0/16 with Subnet 10.1.1.0/24 in Availability Zone A and Subnet 10.1.2.0/24 in Availability Zone B)
  • 18. Private & Public Subnets (diagram: VPC 10.1.0.0/16; Availability Zone A holds Public Subnet 10.1.1.0/24 and Private Subnet 10.1.3.0/24, Availability Zone B holds Public Subnet 10.1.2.0/24 and Private Subnet 10.1.4.0/24)
  • 19. Segregate Environments into VPCs (diagram: three VPCs, Test/Dev 10.0.0.0/16, Staging 10.1.0.0/16 and Production 10.2.0.0/16, each with the same two-AZ public/private subnet layout)
  • 20. Shared Services Model (diagram: within 10.0.0.0/16, a Shared Services VPC 10.0.0.0/18 is VPC-peered with Application A 10.0.64.0/20 and Application B 10.0.80.0/20, each VPC using the two-AZ public/private subnet layout)
  • 21. Putting it all together (diagram: a Master Account, aws.invoices@mycompany.com, receives consolidated billing information from a Production Account and a Dev/Test Account; each account contains the shared services layout, Shared Services 10.0.0.0/18 VPC-peered with Application A 10.0.64.0/20 and Application B 10.0.80.0/20, built from two-AZ public/private subnets)
  • 22. Consider using CloudFormation to manage VPCs. Template your Environments • Version control your datacenter with CloudFormation! • One click deployments • Reproduce anywhere in the globe in minutes • Segregation of duties between infrastructure and application owners. Template excerpt (two subnet resources; the VPC resource and the Zones and SubnetConfig mappings they reference are defined elsewhere in the template):
    "Public2Subnet" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "Zones", { "Ref" : "AWS::Region" }, "2" ] },
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Public2", "CIDR" ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Name", "Value" : "Public2Subnet" }
        ]
      }
    },
    "Private1Subnet" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Private1", "CIDR" ] },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "Zones", { "Ref" : "AWS::Region" }, "1" ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Name", "Value" : "Private1Subnet" }
        ]
      }
    }
  • 23. Plan your VPC IP space before creating it • Consider future AWS region expansion • Consider how data will need to flow between VPCs • Consider future connectivity to corporate networks • VPC can be /16 down to /28 • CIDR cannot be modified once created • Overlapping IP spaces = future headache
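The planning rules on slide 23 can be checked before the first VPC is created. This is an added example, not part of the deck: it uses the standard library ipaddress module to enforce the /16 to /28 size limit and to find overlapping ranges across a constructed plan that mixes the deck's environment VPCs with an assumed second region and an assumed corporate network.

```python
"""Pre-flight checks for a VPC addressing plan (added example, not from the deck).

Encodes the slide's rules: a VPC CIDR must be between /16 and /28, it cannot be
changed after creation, and networks that may ever be peered or routed together
must not overlap. All addresses below are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Tuple

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28  # limits stated on the slide


def check_vpc_size(cidr: str) -> bool:
    """True if the block is a legal VPC size (/16 down to /28)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX


def find_overlaps(plan: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named networks whose address ranges overlap.

    `plan` maps a label (VPC, future region, corporate site) to its CIDR.
    """
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def validate_plan(plan: Dict[str, str]) -> List[str]:
    """Collect human-readable findings; an empty list means the plan is clean."""
    findings = []
    for name, cidr in plan.items():
        if name.startswith("vpc-") and not check_vpc_size(cidr):
            findings.append(f"{name}: {cidr} is outside the /16-/28 VPC range")
    for a, b in find_overlaps(plan):
        findings.append(f"{a} ({plan[a]}) overlaps {b} ({plan[b]})")
    return findings


# Constructed plan: the deck's three environment VPCs plus an assumed second
# region and an assumed corporate network the VPCs will later connect to.
SAMPLE_PLAN = {
    "vpc-test-dev-eu-west-1": "10.0.0.0/16",
    "vpc-staging-eu-west-1": "10.1.0.0/16",
    "vpc-production-eu-west-1": "10.2.0.0/16",
    "vpc-production-us-east-1": "10.2.128.0/17",  # carved out of production
    "corp-datacentre": "10.0.0.0/12",              # covers every VPC above
    "vpc-too-small": "10.3.0.0/30",                # smaller than /28
}

if __name__ == "__main__":
    for line in validate_plan(SAMPLE_PLAN):
        print(line)
```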
  • 25. Shared Responsibility Model (diagram) • Managed by Amazon: Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Availability Zones, Regions, Edge Locations) • Managed by You: Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption & Data Integrity Authentication; Server-side Encryption (File System and/or Data); Network Traffic Protection (Encryption/Integrity/Identity)
  • 26. Security Tools & Techniques • Security Groups: granular network filtering, e.g. “This instance can only receive HTTP traffic on port 80”. Applied to the instance ENI (up to 5 per ENI). Stateful. Allow only (whitelist). Rules evaluated as a whole. SGs can reference other SGs in the same VPC. • S3 Bucket Policies: control access to S3 buckets, e.g. “Allow read access to all but put access from a restricted list of IP addresses”. Bucket policies can also integrate with IAM to give access to all users in different accounts, or a subset of users. • ACLs: enforcing baseline security policy, e.g. “No TFTP, NetBIOS or SMTP shall egress this subnet”. Applied to subnets (1 per subnet). Stateless. Allow & Deny (blacklist). Rules processed in order.
  • 27. Security Tools & Techniques cont. • AWS Config: notification on changes to resources, “Tell me when changes are made to my AWS resources”. Integration with 3rd party tools. Notification via SNS. Config Rules allows you to take action based on rules, e.g. if instances are not tagged with an ‘owner’, notify me. • AWS Inspector: automated security assessment, “Can I assess my application in AWS for known vulnerabilities or best practices?” Pre-built assessments for known compliance programmes. Agent based, API driven and delivered as a service. Enforce security standards for your AWS applications. • AWS CloudTrail: auditing of AWS account usage, “Who did what in my account at a specific time?” Capture logs of all AWS API invocations. Logs are sent to S3 or CloudWatch Logs. Integration with 3rd party tools.
  • 28. Security Best Practices • Use ACLs sparingly, keep it simple • Utilise Security Groups for fine grained control • Utilise security groups to manage access to instances that have similar functions and security requirements • Read: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
  • 31. Many pricing options available • Reserved: make a low, one-time payment and receive a significant discount on the hourly charge. For committed utilization. • Free Tier: get started on AWS with free usage & no commitment. For POCs and getting started. • On-Demand: pay for compute capacity by the hour with no long-term commitments. For spiky workloads, or to define needs. • Spot: bid for unused capacity, charged at a Spot Price which fluctuates based on supply and demand. For time-insensitive or transient workloads. • Dedicated: launch instances within Amazon VPC that run on hardware dedicated to a single customer. For highly sensitive or compliance related workloads.
  • 32. Run the right instances at the right time • Stop or terminate instances when they’re not required • Utilise CloudFormation to tear down and recreate whole environments on demand • Use CloudWatch to monitor instance load and scale vertically and/or horizontally to maximise instance utilisation • Utilise Reserved Instances to lower TCO
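The security group and network ACL contrasts on slide 26 (stateful versus stateless, allow-only versus allow and deny, evaluated as a whole versus processed in rule-number order) are easy to get wrong in practice. This added example, not from the deck, models both evaluation orders over constructed rule sets and shows the classic stateless mistake: an ACL that admits HTTP inbound but forgets the ephemeral return ports outbound.

```python
"""Security group versus network ACL evaluation (added example, not from the deck).

Security groups are stateful, allow-only and evaluated as a whole; network ACLs
are stateless, carry allow and deny rules, and are processed in rule-number order
with the first match winning. Rules and traffic below are constructed samples.
"""
from dataclasses import dataclass
from typing import List

EPHEMERAL = (1024, 65535)  # return ports a stateless ACL must allow explicitly


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "-1" (all protocols)
    port_from: int
    port_to: int
    action: str = "allow"   # network ACLs may also use "deny"
    number: int = 0         # ACL rule number; unused for security groups

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in (proto, "-1") and self.port_from <= port <= self.port_to


def sg_allows(rules: List[Rule], proto: str, port: int) -> bool:
    """Security group: whitelist only; any matching rule permits the traffic.
    Return traffic needs no rule because the group tracks connection state."""
    return any(r.matches(proto, port) for r in rules)


def nacl_decision(rules: List[Rule], proto: str, port: int) -> str:
    """Network ACL: the lowest-numbered matching rule decides; the implicit
    final '*' rule denies anything no explicit rule matched."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(proto, port):
            return r.action
    return "deny"


def web_request_completes(inbound: List[Rule], outbound: List[Rule], client_port: int) -> bool:
    """Stateless check: the request (in, tcp/80) AND the reply (out, the client's
    ephemeral port) must each be allowed for a web request to succeed."""
    return (nacl_decision(inbound, "tcp", 80) == "allow"
            and nacl_decision(outbound, "tcp", client_port) == "allow")


# Constructed rule sets. The ACL admits HTTP in and explicitly denies TFTP
# (udp/69) in, as on the slide; the broken outbound set lacks the return range.
SG_WEB = [Rule("tcp", 80, 80)]
NACL_IN = [Rule("udp", 69, 69, "deny", 100), Rule("tcp", 80, 80, "allow", 110)]
NACL_OUT_BROKEN = [Rule("tcp", 80, 80, "allow", 100)]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule("tcp", *EPHEMERAL, "allow", 110)]
```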
  • 34. Identity & Access Management (diagram: users Bob, Jim, Brad, Mark and Susan organised into IAM Groups such as Account Administrators and Developers; Applications such as Tomcat, Reporting and Console obtain access through IAM Roles)
  • 35. IAM Policies: Policy Driven • Declarative definition of rights for groups • Policies control access to AWS APIs. Example policy:
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "elasticbeanstalk:*",
            "ec2:*",
            "elasticloadbalancing:*",
            "autoscaling:*",
            "cloudwatch:*",
            "s3:*"
          ],
          "Resource": "*"
        }
      ]
    }
  • 36. Audit User Actions AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via: • AWS Management Console • AWS SDKs • Command line tools • Higher-level AWS services (such as CloudFormation).
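Slide 36 describes what CloudTrail records; the value comes from reviewing those records. This added example, not from the deck, parses a constructed log file in the shape CloudTrail delivers (a JSON document with a top-level "Records" array, only the fields the checks read populated) and raises two findings that map to the best practices on the next slide: console logins made without MFA, and API calls signed with root credentials instead of an IAM identity.

```python
"""Reviewing a CloudTrail log file for risky account activity (added example,
not from the deck). SAMPLE_LOG is constructed; the account id and addresses
are documentation placeholders, not real identifiers.
"""
import json
from typing import Dict, List

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-03-01T09:12:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-03-01T09:15:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "susan"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2016-03-01T10:01:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2016-03-01T10:05:33Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "susan"}},
]})


def load_records(log_text: str) -> List[Dict]:
    """Parse one delivered log file; CloudTrail wraps the events in Records."""
    return json.loads(log_text)["Records"]


def console_logins_without_mfa(records: List[Dict]) -> List[str]:
    """Successful console logins whose additionalEventData.MFAUsed is not 'Yes'."""
    return [f"{r['eventTime']} {r['userIdentity'].get('userName', '?')} from {r['sourceIPAddress']}"
            for r in records
            if r["eventName"] == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def root_api_calls(records: List[Dict]) -> List[str]:
    """Any API call made with the root account rather than an IAM user or role."""
    return [f"{r['eventTime']} {r['eventSource']} {r['eventName']}"
            for r in records if r["userIdentity"].get("type") == "Root"]


def review(log_text: str) -> Dict[str, List[str]]:
    """Run every check over one log file and return the findings by category."""
    recs = load_records(log_text)
    return {"console_login_without_mfa": console_logins_without_mfa(recs),
            "root_api_call": root_api_calls(recs)}
```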
  • 37. • Control access through fine grained policies • Use multi factor authentication for console access • Use groups to define access levels and assign IAM policies to groups • Even the superuser group should have some explicit denies • Utilise IAM roles to ensure no API credentials are placed onto EC2 instances • Utilise tagging to define fine grained control over resources • Consider IAM federation into AD to simplify user management
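The advice that even the superuser group should carry explicit denies rests on how IAM evaluates policies: the default is deny, any matching Allow grants, and a matching explicit Deny overrides every Allow. This added example, not from the deck, implements that evaluation order for action matching (resource matching is left out because every statement here uses Resource "*"), using the slide-35 policy as the developer policy and a constructed superuser policy that denies switching off or deleting CloudTrail trails.

```python
"""How IAM evaluates a group's policies (added example, not from the deck).

Default deny; any matching Allow grants; a matching explicit Deny always wins.
Action names use IAM's "service:Action" form with "*" and "?" wildcards.
SUPERUSER_POLICY is constructed; DEVELOPER_POLICY is the deck's slide-35 policy.
"""
import fnmatch
from typing import Dict, List

# Constructed superuser policy: full access, except that audit logging cannot
# be switched off or deleted by anyone in the group.
SUPERUSER_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["*"], "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ]
}

DEVELOPER_POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                    "autoscaling:*", "cloudwatch:*", "s3:*"],
         "Resource": "*"}
    ]
}


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies: List[Dict], action: str) -> str:
    """Return 'Allow' or 'Deny' for one action across all attached policies."""
    decision = "Deny"                      # implicit default
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):   # "Action" may be a string or a list
                actions = [actions]
            if any(action_matches(p, action) for p in actions):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # explicit deny ends evaluation
                decision = "Allow"
    return decision
```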