Amazon Web Services provides JPL with a vast array of capabilities to store, process, and analyze mission data. JPLers were early to adopt AWS services to build complex solutions, but quickly grew to over 50 AWS accounts, 80 IAM users, and hundreds of resources. To deal with this complexity, a team of engineers inside JPL's Office of the CIO developed a cloud governance model. The true challenge was implementing it on existing deployments. Learn about their model and how they overcame the challenges.
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Bringing Governance to AWS at NASA's Jet Propulsion Laboratory
1. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
speaker@company.com
Bringing Governance to an Existing Cloud
at NASA’s Jet Propulsion Laboratory
Jonathan Chiang
Matthew Derenski
2. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Introductions
• Jonathan Chiang – IT Chief Engineer
• Matthew Derenski – Cyber Security
Engineer
3. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Agenda
• Provide a brief background of JPL
• Detail why JPL uses Amazon Web Services
• Understand JPL uses cases for AWS
• Describe JPL’s early engagement with AWS
• Review JPL’s implementation of its governance plan
• Utilizing governance to achieve organizational efficiency
• Measuring the value
4. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Who Is JPL?
• We are a federally funded
research and development center
(FFRDC) managed by Caltech
• We have 21 spacecraft and 9
instruments conducting active
missions
• We manage NASA’s Deep Space
Network (DSN)
• We “dare mighty things”
5. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Why Does JPL Use AWS?
• Quick and easy to provision/deprovision
• Reduce CapEx and large initial
investments
• Pay as you go, only for what you use
• Automation and reusability
6. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
How JPL Uses AWSHPC/data processing
7. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
How JPL Uses AWS
Mars Exploration Program
Mars.jpl.nasa.gov
Eyes on the Solar System
Eyes.jpl.nasa.gov
Night Sky Network
Nightsky.jpl.nasa.gov
Public outreach
8. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
How JPL Uses AWSStorage, backup, and disaster recovery
Mars exploration rovers Station fires
9. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
How JPL Uses AWSCollaboration
Rapid development
Enterprise applications
10. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Early AWS Engagement
• Issued 60+ root level AWS accounts to
various project teams
• Added all accounts to consolidated billing
• Associated a single project/task number
for charge back and bill back
11. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
The Problem
12. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Key Principles of JPL’s
Governance Model
1. Understand your users and their use cases
– Identify the services they will be utilizing
– Do any of the services conflict with institutional
offerings? Do they interface with existing services?
2. Apply policy and accountability
– Ensure roles and responsibilities are understood
– Define and deploy a clear account management model
– Identify training needs and opportunities
– Create a hosting or provisioning account
13. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Key Principles of JPL’s
Governance Model
3. Provide auditing and traceability
– Create “describe” API roles in each account
– Enforce tagging policy for shared accounts
– Create a security response and forensics plan
4. Leverage an iterative implementation
– The cloud is agile enough to conform to a changing
governance model
– Don’t wait to implement all aspects of governance before
using the cloud
14. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Account Management
Resources
IAM accounts
AWS root – MFA, managed by IT
Sec
Consolidated Billing
Consolidated
Billing
(No users or
resources)
MSL account
IAM user 01
auditing
IAM user 02
MSL developer
AMI 1 AMI 2
MER account
IAM user 02
MER developer
AMI 1 AMI 2
Hosting
account
IAM user 01
auditing
IAM user
hosting
provisioning
AMI 1 AMI 2
+50 more
15. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
C&A Package
15
16. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Organizational Efficiency
(DevOps)
• Automated configuration
management
• Monitoring, notification,
escalation
• Networking and security
operations
• Verification and validation
Dev
Ops
17. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
AWS at JPL
• All standard work loads are run in GovCloud
– Using GovCloud and VPC allows traffic to be
inspected and protected by JPLs existing security
systems
– Public AWS is reserved for unique deployments
17
18. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
IAM Account Creations
• Account for forensics
– Power User
• Account for asset tracking
– Read only API access
• Account for account owners
– Power User access
– Cannot make changes to networking or IAM
– Responsible for and maintains full access to all AWS resources
and resource creation
18
19. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Common Mistakes
• Incorrect meta data
• Instances left running
• Default user accounts
• Unpatched systems
• Using the wrong cloud
20. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Measure the Value
• Calculate the cost of implementing governance
along with the cost of cloud resources
• Consider the benefits of organizational efficiencies
gained by cloud and governance
• Compare agility and speed to market vs. adoption
of governance
21. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Thank You
Jonathan Chiang
Matthew Derenski
Editor's Notes
JPL is a Federally Funded Research and Development Center managed by the California Institute of Technology. Our primary funding comes from NASA.
There are currently 21 spacecraft and 9 instruments conducting active missions. Our Voyager spacecraft recently reached interstellar space and is in its 36th year of active mission.
We manage NASA’s DSN, the international network of antennas that supports interplanetary spacecraft missions and radio and radar astronomy observations for the exploration of the solar system and the universe.
JPL celebrated its 50th anniversary of planetary exploration. The world’s first planetary mission, Mariner 2, was launched in August of 1962. It was the first spacecraft to successfully fly by another planet – venus.
Quick and easy to provision/de-provision
Reduces risk in testing different solutions
Procurement and deployment times are reduced
Shorter development cycles
Reduce CapEx and large initial investments
No initial investment needed
No termination fees
No commitments
Clearly published pricing
Pay as you go, only for what you use
Turn resources on/off
Automation and reusability
RESTful API interfaces
One of the primary uses cases for AWS at JPL is in data processing. We use AWS to process Synthetic Aperture Radar data to create Interferograms. We are currently using AWS for radiation simulation for the upcoming Europa Clipper mission. The elasticity and scalability of resources is a primary driver for utilizing AWS. The CARVE aircraft flies seasonally to measure greenhouse gases in the Alaskan Arctic. Since data is only generated a few times annually, the elasticity of compute resources provided by AWS aligns well with the processing needs of this project.
Public outreach and Education is the primary goal of our missions at JPL. We understand that your tax dollars fund our science and research and sharing the knowledge gained from our explorations is crucial to the ongoing success of JPL.
One of the biggest success stories was migrating the entire Mars Exploration Program web portal to AWS only months prior to the Mars Science Laboratory’s Entry, Descent, and Landing event. If this is your sophomore year at RE:Invent, you will remember the keynote a couple of JPL’ers gave on this experience. In short, we were able share live video and raw images from the rover to the world using CloudFront, EC2, RDS, and other AWS technologies. The Mars program sites are still hosted on AWS today. Compared to the MER outreach efforts, migrating Mars to AWS for EDL realized an order of magnitude in savings. Because of this, JPL is actively moving other public outreach sites to AWS.
The Mars Exploration Rovers illustrate a great use case for utilizing AWS for storage and backup. The MER missions were intended to only last 90 days, opportunity has now been in active mission for 10 years. Spirit, which became unresponsive since March of 2010, lasted 7 years. Unfortunately for the mission, the hardware originally procured for the mission did not outlive the rovers. In order to maximize the very small infrastructure budget available, MER utilizes AWS to store its uplink plans and to backup daily data from the Mars rover. MER also leverages AWS’ Simple Work Flow to automate the auditing and checksums of the each backup.
JPL began investigating AWS more than 5 years ago. Because of our various use cases and distinct needs, we quickly issued more than 60 root level AWS root level accounts.
We added all most of these accounts to our consolidated billing account. At that time, consolidated billing account was the root level account for MSL activities.
For each root level account issued, we requested a JPL account number for chargeback from our proprietary system.
All users had full administrative console and API access to the interface
Account owners had access to create additional IAM users and groups that could not be tied back to a JPL user
JPL Cyber Security had no ability to audit the resources running
Security incidents (AWS abuse reports) were sent directly to the account owner
Understand your users and their use cases
Know what services they will be utilizing (Cloudfront, SWF, SNS, SQS, Route53, etc.)
Do any of the services conflict with institutional offerings? Do they interface with existing services?
SES – blocked at JPL perimeter
Route53 and NASA DNS policy
Apply policy and accountability
Make clear the roles and responsibilities of the account owner, cyber security, development, etc.
What are the expectations for security incidents, billing, patching, support, etc.
Define and deploy a clear account management model
MFA the root account – best practice (we gave our root accounts to Cyber Security)
Create IAM users and groups to clearly define the roles
Create IAM policies to ensure compliance
Identify training needs and opportunities
Modified our annual Cyber Security and Export Control training classes to address cloud based resources
Create a Hosting or Provsioning account
Not all users need a root level account, some may only need an instance
Allow your IT professionals to manage this account and the resources
Consider developing or purchasing an abstraction layer
Provide auditing and traceability
Create “describe” API roles in each account
Allows us to audit all resources, users, and tags
Enforce tagging policy for shared accounts
Utilize the Cost Allocation Report and detailed billing to allocate cost
Create a security response and forensics plan
Invest in Developer – Business – Enterprise level support
Test the plan monthly
Request RAM dumps, snapshots, etc.
Conduct full forensics evaluation
Leverage an iterative implementation
The cloud is agile enough to conform to a changing governance model
Don’t wait for to implement all aspects of governance before using the cloud
Have a clear and concise roadmap
Implement your “low hanging fruit”
Explain our C&A process
Third party ITAR cert
OGC/OIG buy in
Integration with existing C&A process followed existing vulnerability management automation
DevOps means different things to different people.
It should be a partnership between software engineers (developers), operations (network, security, support), and quality assurance. Get early buy-in from your operations and QA organizations. The developers tend to be farther ahead and will drive the effort if untethered.
Leverage the
AWS Cloud training on JPLTube
Calculate the cost of implementing governance along with the cost of cloud resources
A considerable amount of Non Reimbursible Engineering was required to fully implement our governance plan
Integration – ITSDB, monitoring, backup, networking, security
Tools – Billing Visualization Tool, Inventory and Audit
Consider the benefits of organizational efficiencies gained by cloud and governance
Engage operations and QA teams early
Compare agility and speed to market vs. adoption of governance