Bringing Governance to AWS at NASA's Jet Propulsion Laboratory
•Download as PPTX, PDF•
6 likes•13,963 views
Amazon Web Services provides JPL with a vast array of capabilities to store, process, and analyze mission data. JPLers were early to adopt AWS services to build complex solutions, but quickly grew to over 50 AWS accounts, 80 IAM users, and hundreds of resources. To deal with this complexity, a team of engineers inside JPL's Office of the CIO developed a cloud governance model. The true challenge was implementing it on existing deployments. Learn about their model and how they overcame the challenges.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Bringing Governance to AWS at NASA's Jet Propulsion Laboratory
Similar to Bringing Governance to AWS at NASA's Jet Propulsion Laboratory (20)
More from Amazon Web Services
More from Amazon Web Services (20)
Recently uploaded
Recently uploaded (20)
Bringing Governance to AWS at NASA's Jet Propulsion Laboratory
- 1. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 speaker@company.com Bringing Governance to an Existing Cloud at NASA’s Jet Propulsion Laboratory Jonathan Chiang Matthew Derenski
- 2. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Introductions • Jonathan Chiang – IT Chief Engineer • Matthew Derenski – Cyber Security Engineer
- 3. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Agenda • Provide a brief background of JPL • Detail why JPL uses Amazon Web Services • Understand JPL uses cases for AWS • Describe JPL’s early engagement with AWS • Review JPL’s implementation of its governance plan • Utilizing governance to achieve organizational efficiency • Measuring the value
- 4. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Who Is JPL? • We are a federally funded research and development center (FFRDC) managed by Caltech • We have 21 spacecraft and 9 instruments conducting active missions • We manage NASA’s Deep Space Network (DSN) • We “dare mighty things”
- 5. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Why Does JPL Use AWS? • Quick and easy to provision/deprovision • Reduce CapEx and large initial investments • Pay as you go, only for what you use • Automation and reusability
- 6. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 How JPL Uses AWSHPC/data processing
- 7. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 How JPL Uses AWS Mars Exploration Program Mars.jpl.nasa.gov Eyes on the Solar System Eyes.jpl.nasa.gov Night Sky Network Nightsky.jpl.nasa.gov Public outreach
- 8. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 How JPL Uses AWSStorage, backup, and disaster recovery Mars exploration rovers Station fires
- 9. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 How JPL Uses AWSCollaboration Rapid development Enterprise applications
- 10. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Early AWS Engagement • Issued 60+ root level AWS accounts to various project teams • Added all accounts to consolidated billing • Associated a single project/task number for charge back and bill back
- 11. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 The Problem
- 12. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Key Principles of JPL’s Governance Model 1. Understand your users and their use cases – Identify the services they will be utilizing – Do any of the services conflict with institutional offerings? Do they interface with existing services? 2. Apply policy and accountability – Ensure roles and responsibilities are understood – Define and deploy a clear account management model – Identify training needs and opportunities – Create a hosting or provisioning account
- 13. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Key Principles of JPL’s Governance Model 3. Provide auditing and traceability – Create “describe” API roles in each account – Enforce tagging policy for shared accounts – Create a security response and forensics plan 4. Leverage an iterative implementation – The cloud is agile enough to conform to a changing governance model – Don’t wait to implement all aspects of governance before using the cloud
- 14. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Account Management Resources IAM accounts AWS root – MFA, managed by IT Sec Consolidated Billing Consolidated Billing (No users or resources) MSL account IAM user 01 auditing IAM user 02 MSL developer AMI 1 AMI 2 MER account IAM user 02 MER developer AMI 1 AMI 2 Hosting account IAM user 01 auditing IAM user hosting provisioning AMI 1 AMI 2 +50 more
- 15. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 C&A Package 15
- 16. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Organizational Efficiency (DevOps) • Automated configuration management • Monitoring, notification, escalation • Networking and security operations • Verification and validation Dev Ops
- 17. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 AWS at JPL • All standard work loads are run in GovCloud – Using GovCloud and VPC allows traffic to be inspected and protected by JPLs existing security systems – Public AWS is reserved for unique deployments 17
- 18. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 IAM Account Creations • Account for forensics – Power User • Account for asset tracking – Read only API access • Account for account owners – Power User access – Cannot make changes to networking or IAM – Responsible for and maintains full access to all AWS resources and resource creation 18
- 19. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Common Mistakes • Incorrect meta data • Instances left running • Default user accounts • Unpatched systems • Using the wrong cloud
- 20. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Measure the Value • Calculate the cost of implementing governance along with the cost of cloud resources • Consider the benefits of organizational efficiencies gained by cloud and governance • Compare agility and speed to market vs. adoption of governance
- 21. AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014 Thank You Jonathan Chiang Matthew Derenski
Editor's Notes
- JPL is a Federally Funded Research and Development Center managed by the California Institute of Technology. Our primary funding comes from NASA. There are currently 21 spacecraft and 9 instruments conducting active missions. Our Voyager spacecraft recently reached interstellar space and is in its 36th year of active mission. We manage NASA’s DSN, the international network of antennas that supports interplanetary spacecraft missions and radio and radar astronomy observations for the exploration of the solar system and the universe. JPL celebrated its 50th anniversary of planetary exploration. The world’s first planetary mission, Mariner 2, was launched in August of 1962. It was the first spacecraft to successfully fly by another planet – venus.
- Quick and easy to provision/de-provision Reduces risk in testing different solutions Procurement and deployment times are reduced Shorter development cycles Reduce CapEx and large initial investments No initial investment needed No termination fees No commitments Clearly published pricing Pay as you go, only for what you use Turn resources on/off Automation and reusability RESTful API interfaces
- One of the primary uses cases for AWS at JPL is in data processing. We use AWS to process Synthetic Aperture Radar data to create Interferograms. We are currently using AWS for radiation simulation for the upcoming Europa Clipper mission. The elasticity and scalability of resources is a primary driver for utilizing AWS. The CARVE aircraft flies seasonally to measure greenhouse gases in the Alaskan Arctic. Since data is only generated a few times annually, the elasticity of compute resources provided by AWS aligns well with the processing needs of this project.
- Public outreach and Education is the primary goal of our missions at JPL. We understand that your tax dollars fund our science and research and sharing the knowledge gained from our explorations is crucial to the ongoing success of JPL. One of the biggest success stories was migrating the entire Mars Exploration Program web portal to AWS only months prior to the Mars Science Laboratory’s Entry, Descent, and Landing event. If this is your sophomore year at RE:Invent, you will remember the keynote a couple of JPL’ers gave on this experience. In short, we were able share live video and raw images from the rover to the world using CloudFront, EC2, RDS, and other AWS technologies. The Mars program sites are still hosted on AWS today. Compared to the MER outreach efforts, migrating Mars to AWS for EDL realized an order of magnitude in savings. Because of this, JPL is actively moving other public outreach sites to AWS.
- The Mars Exploration Rovers illustrate a great use case for utilizing AWS for storage and backup. The MER missions were intended to only last 90 days, opportunity has now been in active mission for 10 years. Spirit, which became unresponsive since March of 2010, lasted 7 years. Unfortunately for the mission, the hardware originally procured for the mission did not outlive the rovers. In order to maximize the very small infrastructure budget available, MER utilizes AWS to store its uplink plans and to backup daily data from the Mars rover. MER also leverages AWS’ Simple Work Flow to automate the auditing and checksums of the each backup.
- JPL began investigating AWS more than 5 years ago. Because of our various use cases and distinct needs, we quickly issued more than 60 root level AWS root level accounts. We added all most of these accounts to our consolidated billing account. At that time, consolidated billing account was the root level account for MSL activities. For each root level account issued, we requested a JPL account number for chargeback from our proprietary system.
- All users had full administrative console and API access to the interface Account owners had access to create additional IAM users and groups that could not be tied back to a JPL user JPL Cyber Security had no ability to audit the resources running Security incidents (AWS abuse reports) were sent directly to the account owner
- Understand your users and their use cases Know what services they will be utilizing (Cloudfront, SWF, SNS, SQS, Route53, etc.) Do any of the services conflict with institutional offerings? Do they interface with existing services? SES – blocked at JPL perimeter Route53 and NASA DNS policy Apply policy and accountability Make clear the roles and responsibilities of the account owner, cyber security, development, etc. What are the expectations for security incidents, billing, patching, support, etc. Define and deploy a clear account management model MFA the root account – best practice (we gave our root accounts to Cyber Security) Create IAM users and groups to clearly define the roles Create IAM policies to ensure compliance Identify training needs and opportunities Modified our annual Cyber Security and Export Control training classes to address cloud based resources Create a Hosting or Provsioning account Not all users need a root level account, some may only need an instance Allow your IT professionals to manage this account and the resources Consider developing or purchasing an abstraction layer
- Provide auditing and traceability Create “describe” API roles in each account Allows us to audit all resources, users, and tags Enforce tagging policy for shared accounts Utilize the Cost Allocation Report and detailed billing to allocate cost Create a security response and forensics plan Invest in Developer – Business – Enterprise level support Test the plan monthly Request RAM dumps, snapshots, etc. Conduct full forensics evaluation Leverage an iterative implementation The cloud is agile enough to conform to a changing governance model Don’t wait for to implement all aspects of governance before using the cloud Have a clear and concise roadmap Implement your “low hanging fruit”
- Explain our C&A process Third party ITAR cert OGC/OIG buy in Integration with existing C&A process followed existing vulnerability management automation
- DevOps means different things to different people. It should be a partnership between software engineers (developers), operations (network, security, support), and quality assurance. Get early buy-in from your operations and QA organizations. The developers tend to be farther ahead and will drive the effort if untethered. Leverage the
- AWS Cloud training on JPLTube
- Calculate the cost of implementing governance along with the cost of cloud resources A considerable amount of Non Reimbursible Engineering was required to fully implement our governance plan Integration – ITSDB, monitoring, backup, networking, security Tools – Billing Visualization Tool, Inventory and Audit Consider the benefits of organizational efficiencies gained by cloud and governance Engage operations and QA teams early Compare agility and speed to market vs. adoption of governance