SlideShare a Scribd company logo

AWS Account Best Practices

To find out more about training on AWS, visit: www.globalknowledge.co.uk/aws AWS Pop-up Loft | London, April 28, 2016

1 of 39
Download to read offline
AWS Account Best Practices
Steven Bryen
Manager, Solutions Architecture, AWS
@steven_bryen
sbryen@amazon.com
• Account Management & Billing
• Network Infrastructure & Connectivity
• Security & Compliance
• Optimizing for Cost
• Managing & Auditing Access
AGENDA
ACCOUNT MANAGEMENT &
BILLING
AWS ACCOUNTS
Accounts act as the main billing entity for AWS Resources
Also a security boundary for environments, applications and organisational units.
BILLING
Different billing options are available including invoicing
Consolidated billing: Let one account pick up the bill for multiple ‘sub accounts’
Set up billing alerts, AWS Budgets and automated bill reporting for better insight.
Utilise tagging for better cost allocation.
AWS Budgets & Cost Management Tools

Recommended

AWS re:Invent 2016: NEW SERVICE: Centrally Manage Multiple AWS Accounts with ...
AWS re:Invent 2016: NEW SERVICE: Centrally Manage Multiple AWS Accounts with ...AWS re:Invent 2016: NEW SERVICE: Centrally Manage Multiple AWS Accounts with ...
AWS re:Invent 2016: NEW SERVICE: Centrally Manage Multiple AWS Accounts with ...Amazon Web Services
 
AWS Core Services Overview, Immersion Day Huntsville 2019
AWS Core Services Overview, Immersion Day Huntsville 2019AWS Core Services Overview, Immersion Day Huntsville 2019
AWS Core Services Overview, Immersion Day Huntsville 2019Amazon Web Services
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSAmazon Web Services
 
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatchAmazon Web Services
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control TowerCloudHesive
 

More Related Content

What's hot

AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAmazon Web Services
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Amazon Web Services
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
 
Intro to AWS: EC2 & Compute Services
Intro to AWS: EC2 & Compute ServicesIntro to AWS: EC2 & Compute Services
Intro to AWS: EC2 & Compute ServicesAmazon Web Services
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerAmazon Web Services
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAmazon Web Services
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Amazon Web Services
 
Introduction to Amazon Elastic File System (EFS)
Introduction to Amazon Elastic File System (EFS)Introduction to Amazon Elastic File System (EFS)
Introduction to Amazon Elastic File System (EFS)Amazon Web Services
 
Monitor All Your Things: Amazon CloudWatch in Action with BBC (DEV302) - AWS ...
Monitor All Your Things: Amazon CloudWatch in Action with BBC (DEV302) - AWS ...Monitor All Your Things: Amazon CloudWatch in Action with BBC (DEV302) - AWS ...
Monitor All Your Things: Amazon CloudWatch in Action with BBC (DEV302) - AWS ...Amazon Web Services
 
AWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAmazon Web Services
 
Introduction to AWS Cost Management
Introduction to AWS Cost ManagementIntroduction to AWS Cost Management
Introduction to AWS Cost ManagementAmazon Web Services
 
Introduction to AWS Organizations
Introduction to AWS OrganizationsIntroduction to AWS Organizations
Introduction to AWS OrganizationsAmazon Web Services
 

What's hot (20)

AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
 
AWS Cloud Watch
AWS Cloud WatchAWS Cloud Watch
AWS Cloud Watch
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
 
Intro to AWS: EC2 & Compute Services
Intro to AWS: EC2 & Compute ServicesIntro to AWS: EC2 & Compute Services
Intro to AWS: EC2 & Compute Services
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control Tower
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets Manager
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
 
AWS Storage Options
AWS Storage OptionsAWS Storage Options
AWS Storage Options
 
Introduction to Amazon Elastic File System (EFS)
Introduction to Amazon Elastic File System (EFS)Introduction to Amazon Elastic File System (EFS)
Introduction to Amazon Elastic File System (EFS)
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Monitor All Your Things: Amazon CloudWatch in Action with BBC (DEV302) - AWS ...
Monitor All Your Things: Amazon CloudWatch in Action with BBC (DEV302) - AWS ...Monitor All Your Things: Amazon CloudWatch in Action with BBC (DEV302) - AWS ...
Monitor All Your Things: Amazon CloudWatch in Action with BBC (DEV302) - AWS ...
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
 
AWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best Practices
 
Introduction to AWS Cost Management
Introduction to AWS Cost ManagementIntroduction to AWS Cost Management
Introduction to AWS Cost Management
 
AWS CloudWatch
AWS CloudWatchAWS CloudWatch
AWS CloudWatch
 
What is AWS?
What is AWS?What is AWS?
What is AWS?
 
Introduction to AWS Organizations
Introduction to AWS OrganizationsIntroduction to AWS Organizations
Introduction to AWS Organizations
 

Similar to AWS Account Best Practices

Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Amazon Web Services
 
AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016
AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016
AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016Amazon Web Services
 
Pragmatic Approach to Workload Migrations - London Summit Enteprise Track RePlay
Pragmatic Approach to Workload Migrations - London Summit Enteprise Track RePlayPragmatic Approach to Workload Migrations - London Summit Enteprise Track RePlay
Pragmatic Approach to Workload Migrations - London Summit Enteprise Track RePlayAmazon Web Services
 
AWS Enterprise Day | Hybrid IT with AWS: Best of Both Worlds
AWS Enterprise Day | Hybrid IT with AWS: Best of Both WorldsAWS Enterprise Day | Hybrid IT with AWS: Best of Both Worlds
AWS Enterprise Day | Hybrid IT with AWS: Best of Both WorldsAmazon Web Services
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Amazon Web Services
 
building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf
building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdfbuilding-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf
building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdfVadimKadnikov1
 
Running Microsoft Workloads on AWS
Running Microsoft Workloads on AWSRunning Microsoft Workloads on AWS
Running Microsoft Workloads on AWSAmazon Web Services
 
AWS June Webinar Series - Deep dive: Hybrid Architectures
AWS June Webinar Series - Deep dive: Hybrid ArchitecturesAWS June Webinar Series - Deep dive: Hybrid Architectures
AWS June Webinar Series - Deep dive: Hybrid ArchitecturesAmazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneAmazon Web Services
 
AWS Summit Auckland - Fundamentals of Networking in AWS
AWS Summit Auckland - Fundamentals of Networking in AWSAWS Summit Auckland - Fundamentals of Networking in AWS
AWS Summit Auckland - Fundamentals of Networking in AWSAmazon Web Services
 
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...Amazon Web Services
 
Top 5 AWS Services that you will want to integrate with the VMware Cloud on AWS!
Top 5 AWS Services that you will want to integrate with the VMware Cloud on AWS!Top 5 AWS Services that you will want to integrate with the VMware Cloud on AWS!
Top 5 AWS Services that you will want to integrate with the VMware Cloud on AWS!Adrian Hornsby
 
AWS User Group Hungary - re:Invent review
AWS User Group Hungary - re:Invent reviewAWS User Group Hungary - re:Invent review
AWS User Group Hungary - re:Invent reviewAttila Lengyel
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneAmazon Web Services
 
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption
Your First Hour on AWS: Building the Foundation for Large Scale AWS AdoptionYour First Hour on AWS: Building the Foundation for Large Scale AWS Adoption
Your First Hour on AWS: Building the Foundation for Large Scale AWS AdoptionAmazon Web Services
 

Similar to AWS Account Best Practices (20)

Deep Dive: Hybrid Architectures
Deep Dive: Hybrid ArchitecturesDeep Dive: Hybrid Architectures
Deep Dive: Hybrid Architectures
 
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
 
AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016
AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016
AWS GovCloud (US) and the Enterprise | AWS Public Sector Summit 2016
 
Pragmatic Approach to Workload Migrations - London Summit Enteprise Track RePlay
Pragmatic Approach to Workload Migrations - London Summit Enteprise Track RePlayPragmatic Approach to Workload Migrations - London Summit Enteprise Track RePlay
Pragmatic Approach to Workload Migrations - London Summit Enteprise Track RePlay
 
AWS Enterprise Day | Hybrid IT with AWS: Best of Both Worlds
AWS Enterprise Day | Hybrid IT with AWS: Best of Both WorldsAWS Enterprise Day | Hybrid IT with AWS: Best of Both Worlds
AWS Enterprise Day | Hybrid IT with AWS: Best of Both Worlds
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts
 
building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf
building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdfbuilding-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf
building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf
 
Running Microsoft Workloads on AWS
Running Microsoft Workloads on AWSRunning Microsoft Workloads on AWS
Running Microsoft Workloads on AWS
 
AWS June Webinar Series - Deep dive: Hybrid Architectures
AWS June Webinar Series - Deep dive: Hybrid ArchitecturesAWS June Webinar Series - Deep dive: Hybrid Architectures
AWS June Webinar Series - Deep dive: Hybrid Architectures
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Security on AWS
Security on AWSSecurity on AWS
Security on AWS
 
Aws certified solutions architect
Aws certified solutions architectAws certified solutions architect
Aws certified solutions architect
 
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
 
AWS Summit Auckland - Fundamentals of Networking in AWS
AWS Summit Auckland - Fundamentals of Networking in AWSAWS Summit Auckland - Fundamentals of Networking in AWS
AWS Summit Auckland - Fundamentals of Networking in AWS
 
Débuter sur le cloud AWS
Débuter sur le cloud AWSDébuter sur le cloud AWS
Débuter sur le cloud AWS
 
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption ...
 
Top 5 AWS Services that you will want to integrate with the VMware Cloud on AWS!
Top 5 AWS Services that you will want to integrate with the VMware Cloud on AWS!Top 5 AWS Services that you will want to integrate with the VMware Cloud on AWS!
Top 5 AWS Services that you will want to integrate with the VMware Cloud on AWS!
 
AWS User Group Hungary - re:Invent review
AWS User Group Hungary - re:Invent reviewAWS User Group Hungary - re:Invent review
AWS User Group Hungary - re:Invent review
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing Zone
 
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption
Your First Hour on AWS: Building the Foundation for Large Scale AWS AdoptionYour First Hour on AWS: Building the Foundation for Large Scale AWS Adoption
Your First Hour on AWS: Building the Foundation for Large Scale AWS Adoption
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIEDanBrown980551
 
Enhancing SaaS Performance: A Hands-on Workshop for Partners
Enhancing SaaS Performance: A Hands-on Workshop for PartnersEnhancing SaaS Performance: A Hands-on Workshop for Partners
Enhancing SaaS Performance: A Hands-on Workshop for PartnersThousandEyes
 
Artificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfArtificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfIsidro Navarro
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stackSummit
 
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)Memory Fabric Forum
 
DNA LIGASE BIOTECHNOLOGY BIOLOGY STUDY OF LIFE
DNA LIGASE BIOTECHNOLOGY BIOLOGY STUDY OF LIFEDNA LIGASE BIOTECHNOLOGY BIOLOGY STUDY OF LIFE
DNA LIGASE BIOTECHNOLOGY BIOLOGY STUDY OF LIFEandreiandasan
 
Microsoft Azure News - Feb 2024
Microsoft Azure News - Feb 2024Microsoft Azure News - Feb 2024
Microsoft Azure News - Feb 2024Daniel Toomey
 
2024 February Patch Tuesday
2024 February Patch Tuesday2024 February Patch Tuesday
2024 February Patch TuesdayIvanti
 
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17Ana-Maria Mihalceanu
 
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdf
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdfLLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdf
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdfThomas Poetter
 
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaBuilding Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaISPMAIndia
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Umar Saif
 
AWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS Chicago
 
My self introduction to know others abut me
My self  introduction to know others abut meMy self  introduction to know others abut me
My self introduction to know others abut meManoj Prabakar B
 
Power of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfPower of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfkatalinjordans1
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVARobert McDermott
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Adrian Sanabria
 
H3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxH3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxMemory Fabric Forum
 
Q1 Memory Fabric Forum: SMART CXL Product Lineup
Q1 Memory Fabric Forum: SMART CXL Product LineupQ1 Memory Fabric Forum: SMART CXL Product Lineup
Q1 Memory Fabric Forum: SMART CXL Product LineupMemory Fabric Forum
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxMaarten Balliauw
 

Recently uploaded (20)

LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIE
 
Enhancing SaaS Performance: A Hands-on Workshop for Partners
Enhancing SaaS Performance: A Hands-on Workshop for PartnersEnhancing SaaS Performance: A Hands-on Workshop for Partners
Enhancing SaaS Performance: A Hands-on Workshop for Partners
 
Artificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfArtificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdf
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stack
 
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
 
DNA LIGASE BIOTECHNOLOGY BIOLOGY STUDY OF LIFE
DNA LIGASE BIOTECHNOLOGY BIOLOGY STUDY OF LIFEDNA LIGASE BIOTECHNOLOGY BIOLOGY STUDY OF LIFE
DNA LIGASE BIOTECHNOLOGY BIOLOGY STUDY OF LIFE
 
Microsoft Azure News - Feb 2024
Microsoft Azure News - Feb 2024Microsoft Azure News - Feb 2024
Microsoft Azure News - Feb 2024
 
2024 February Patch Tuesday
2024 February Patch Tuesday2024 February Patch Tuesday
2024 February Patch Tuesday
 
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
 
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdf
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdfLLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdf
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI.pdf
 
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish GuptaBuilding Products That Think- Bhaskaran Srinivasan & Ashish Gupta
Building Products That Think- Bhaskaran Srinivasan & Ashish Gupta
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
 
AWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user groupAWS reInvent 2023 recaps from Chicago AWS user group
AWS reInvent 2023 recaps from Chicago AWS user group
 
My self introduction to know others abut me
My self  introduction to know others abut meMy self  introduction to know others abut me
My self introduction to know others abut me
 
Power of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdfPower of 2024 - WITforce Odyssey.pptx.pdf
Power of 2024 - WITforce Odyssey.pptx.pdf
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
 
H3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptxH3 Platform CXL Solution_Memory Fabric Forum.pptx
H3 Platform CXL Solution_Memory Fabric Forum.pptx
 
Q1 Memory Fabric Forum: SMART CXL Product Lineup
Q1 Memory Fabric Forum: SMART CXL Product LineupQ1 Memory Fabric Forum: SMART CXL Product Lineup
Q1 Memory Fabric Forum: SMART CXL Product Lineup
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptx
 

AWS Account Best Practices

  • 1. AWS Account Best Practices Steven Bryen Manager, Solutions Architecture, AWS @steven_bryen sbryen@amazon.com
  • 2. • Account Management & Billing • Network Infrastructure & Connectivity • Security & Compliance • Optimizing for Cost • Managing & Auditing Access AGENDA
  • 4. AWS ACCOUNTS Accounts act as the main billing entity for AWS Resources Also a security boundary for environments, applications and organisational units.
  • 5. BILLING Different billing options are available including invoicing Consolidated billing: Let one account pick up the bill for multiple ‘sub accounts’ Set up billing alerts, AWS Budgets and automated bill reporting for better insight. Utilise tagging for better cost allocation.
  • 6. AWS Budgets & Cost Management Tools
  • 7. Fully Centralized Model aws.invoices@mycompany.com Master Account • Centrally managed business and IT • Centralised Governance
  • 8. Autonomous Model division.a.invoices@mycompany.com Division A Master Account • Autonomous Business and IT functions (Geographic, Departmental, Project) • Independent Business and IT Governance division.b.invoices@mycompany.com Division B Master Account
  • 9. Single Master Hierarchical Model division.a@mycompany.com Division A • Central Governance • Devolved IT Function division.b@mycompany.com Division B aws.invoices@mycompany.com Master Account Consolidated billing information
  • 10. Multi-Master Hierarchical Model • Multiple Autonomous Governance Bodies • Multiple IT Functions division.a@mycompany.com Division A division.b@mycompany.com Division B aws.invoices@mycompany.com Master Account Consolidated billing information division.a@mycompany.com Division A division.b@mycompany.com Division B aws.invoices@mycompany.com Master Account Consolidated billing information
  • 11. Resource Tagging division.a@mycompany.com Division A division.b@mycompany.com Division B aws.invoices@mycompany.com Master Account Consolidated billing information Tags Proj=x Tags Proj=y Tags Proj=z Tags Proj=x Tags Proj=y Tags Proj=z
  • 12. Billing Alerts & Programmatic Access division.a@mycompany.com Division A division.b@mycompany.com Division B aws.invoices@mycompany.com Master Account Consolidated billing information Tags Proj=x Tags Proj=y Tags Proj=z Tags Proj=x Tags Proj=y Tags Proj=z S3 CSV
  • 13. What can I share between Accounts? EC2 Virtual Machine Template Pre-configured, templated Amazon Machine Images, can be used to package together the following elements Operating System Application Code Configuration EC2 AMIs S3 Bucket Policies Amazon Simple Storage Service is organized into buckets. You can control access to S3 buckets using bucket polices Bucket Policies can also integrate with IAM to give access to all users in different accounts, or a subset of users S3 Buckets Block File system Snapshot As with a traditional SAN storage infrastructure, EBS volumes can be snapshotted and the data shared. EBS Volumes and Snapshots support a wide range of file systems e.g. NTFS EXT2/3/4 EBS Snapshots
  • 14. Sign up for AWS Accounts • Sign up with a real, monitored email address • Create accounts with the same domain • Populate the alternate contacts for billing, operations and security • AWS accounts and Amazon retail accounts are linked • Leverage consolidated billing to simplify payments and make use of volume discounts • Move to invoicing payment • Enable support • Enable Billing Alerts
  • 15. VPCs VPC is a private, isolated section of the AWS cloud where YOU define the networ king within it. A VPC spans all AZ’s in a region. VPC Peering allows you to peer multiple VPCs across AWS accounts in a single region. Route Table Elastic Network Interface Amazon VPC Router Internet Gateway Customer Gateway Virtual Private Gateway VPN Connection Subnet
  • 16. Connectivity Options Direct Connect is a physical connection to Amazon Public Cloud and/or Amazon VPC providing dedicated bandwidth between your site and AWS Configure redundant, secure VPN connections between your VPC and your site Alternatively you can connect directly to your VPC using a secured internet chan nel (SSH, RDP etc).
  • 17. Basic VPC 10.1.0.0/16 Availability Zone A Availability Zone B Subnet (10.1.1.0/24) Subnet (10.1.2.0/24)
  • 18. Private & Public Subnets 10.1.0.0/16 Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24)
  • 19. Segregate Environments into VPCs Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Staging (10.1.0.0/16) Test/Dev (10.0.0.0/16) Production (10.2.0.0/16)
  • 20. Shared Services Model Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Application B (10.0.80.0/20 Application A (10.0.64.0/20) Shared Services (10.0.0.0/18) VPC Peer VPC Peer (10.0.0.0/16)
  • 21. Putting it all together Production Account aws.invoices@mycompany.com Master Account Consolidated billing information Dev/Test Account Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Application B (10.0.80.0/20 Application A (10.0.64.0/20) Shared Services (10.0.0.0/18) VPC Peer VPC Peer Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Application B (10.0.80.0/20 Application A (10.0.64.0/20) Shared Services (10.0.0.0/18) VPC Peer VPC Peer Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Availability Zone A Availability Zone B Public Subnet (10.1.1.0/24) Public Subnet (10.1.2.0/24) Private Subnet (10.1.4.0/24)Private Subnet (10.1.3.0/24) Application B (10.0.80.0/20 Application A (10.0.64.0/20) Shared Services (10.0.0.0/18) VPC Peer VPC Peer
  • 22. Consider using CloudFormation to manage VPCs "Public2Subnet" : { "Type" : "AWS::EC2::Subnet", "Properties" : { "VpcId" : { "Ref" : "VPC" }, "AvailabilityZone" : {"Fn::FindInMap":["Zones",{ "Ref" : "AWS::Region" },"2"]}, "CidrBlock":{"Fn::FindInMap":["SubnetConfig","Public2","CIDR"]}, "Tags" : [ {"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} }, {"Key" : "Name", "Value" : "Public2Subnet" } ] } }, "Private1Subnet" : { "Type" : "AWS::EC2::Subnet", "Properties" : { "VpcId" : { "Ref" : "VPC" }, "CidrBlock":{"Fn::FindInMap":["SubnetConfig","Private1","CIDR"]}, "AvailabilityZone" : {"Fn::FindInMap":["Zones",{ "Ref" : "AWS::Region" },"1"]}, "Tags" : [ {"Key" : "Application", "Value" : { "Ref" : "AWS::StackId"} }, {"Key" : "Name", "Value" : "Private1Subnet" } ] } }, Template your Environments • Version Control your datacenter with Cloudformation! • One click deployments • Reproduce anywhere in the globe in minutes • Segregation of Duties between infra structure and application owners.
  • 23. Plan your VPC IP space before creating it Consider future AWS region expansion Consider how date will need to flow between VPCs Consider future connectivity to corporate networks VPC can be /16 down to /28 CIDR cannot be modified once created Overlapping IP spaces = future headache
  • 25. Shared Responsibility Model Amazon Foundation Services Compute Storage Database Networking AWS Global Infrastructure Availability Zones Regions Edge Locations Client-side Data Encryption & Data Integrity Authentication Server-side Encryption (File System and/or Data) Network Traffic Protection (Encryption/Integrity/Identity) Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer Data You
  • 26. Security Tools & Techniques Granular network filtering “This instance can only receive HTTP traffic on port 80” Applied to instance ENI (up to 5 per) Stateful Allow Only (whitelist) Rules evaluated as a whole SGs can reference other SGs in same VPC Security Groups Control access to S3 buckets “Allow read access to all but put access from a restricted list of IP addresses” Bucket Policies can also integrate with IAM to give access to all users in different accounts, or a subset of users S3 Bucket Policies Enforcing baseline security policy “No TFTP, NetBIOS or SMTP shall egress this subnet” Applied to subnets (1 per) Stateless Allow & Deny (blacklist) Rules processed in order ACLs
  • 27. Security Tools & Techniques cont. Notification on changes to resources “Tell me when changes are made to my AWS resources” Integration with 3rd Party Tools Notification via SNS Config Rules allows you to take action based on rules. e.g. If instances are not tagged with an ’owner’ notify me AWS Config Automated Security Assesment “Can I assess my Application in AWS for known vulnerabilities or best practices” Pre built assessments for known compliance programmes. Agent based, API driven and delivered as a service. Enforce Security Standards for your AWS Applications AWS Inspector Auditing of AWS Account Usage “Who did what in my account at a specific time” Capture logs of all AWS API invocations. Logs are sent to S3 or Cloudwatch Logs Integration with 3rd Party Tools AWS CloudTrail
  • 28. Security Best Practices Use ACLs sparingly, keep it simple Utilise Security Groups for fine grained control Utilise security groups to manage access to instances that have similar functions and security requirements Read: http://media.amazonwebservices.com/AWS_Security_Best_Practices. pdf
  • 31. Many pricing options available Reserved Make a low, one-time payment and receive a significant discount on the hourly charge For committed utilization Free Tier Get Started on AWS with free usage & no commitment For POCs and getting started On-Demand Pay for compute capacity by the hour with no long-term commitments For spiky workloads, or to define needs Spot Bid for unused capacity, charged at a Spot Price which fluctuates based on supply and demand For time-insensitive or transient workloads Dedicated Launch instances within Amazon VPC that run on hardware dedicated to a single customer For highly sensitive or compliance related workloads
  • 32. Run the right instances at the right time Stop or terminate instance when they’re not required Utilise CloudFormation to tear down and recreate whole environments on demand Use CloudWatch to monitor instance load and scale vertically and/or horizontally to maximise instance utilisation Utilise Reserved Instances to lower TCO
  • 34. Identity & Access Management Account Administrators Developers Applications Bob Tomcat Jim Brad Mark Susan Reporting Console IAM Groups IAM Roles
  • 35. IAM Policies Policy Driven • Declarative definition of rights for g roups • Policies control access to AWS APIs { "Statement": [ { "Effect": "Allow", "Action": [ "elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*", "autoscaling:*", "cloudwatch:*", "s3:*” ], "Resource": "*" } ] }
  • 36. Audit User Actions AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via: • AWS Management Console • AWS SDKs • Command line tools • Higher-level AWS services (such as CloudFormation).
  • 37. Control access through fine grained policies Use multi factor authentication for console access Use groups to define access levels and assign IAM policies to groups Even the superuser group should have some explicit denies Utilise IAM roles to ensure no API credentials are places onto EC2 instances Utilise tagging to define fine grained control to resources Consider IAM federation into AD to simplify user management