AWS Account Best Practices
Steven Bryen
Manager, Solutions Architecture, AWS
@steven_bryen
sbryen@amazon.com
To find out more about training on AWS, visit: www.globalknowledge.co.uk/aws
AWS Pop-up Loft | London, April 28, 2016
Slide 1: AWS Account Best Practices
Steven Bryen, Manager, Solutions Architecture, AWS
@steven_bryen
sbryen@amazon.com

Slide 2: Agenda
• Account Management & Billing
• Network Infrastructure & Connectivity
• Security & Compliance
• Optimizing for Cost
• Managing & Auditing Access

Slide 3: ACCOUNT MANAGEMENT & BILLING

Slide 4: AWS Accounts
Accounts act as the main billing entity for AWS resources.
An account is also a security boundary for environments, applications and organisational units.

Slide 5: Billing
• Different billing options are available, including invoicing.
• Consolidated billing: let one account pick up the bill for multiple ‘sub accounts’.
• Set up billing alerts, AWS Budgets and automated bill reporting for better insight.
• Utilise tagging for better cost allocation.

Slide 6: AWS Budgets & Cost Management Tools
Slide 7: Fully Centralized Model
Master Account (aws.invoices@mycompany.com)
• Centrally managed business and IT
• Centralised Governance

Slide 8: Autonomous Model
Division A Master Account (division.a.invoices@mycompany.com)
Division B Master Account (division.b.invoices@mycompany.com)
• Autonomous Business and IT functions (Geographic, Departmental, Project)
• Independent Business and IT Governance

Slide 9: Single Master Hierarchical Model
Master Account (aws.invoices@mycompany.com): consolidated billing information
  Division A (division.a@mycompany.com)
  Division B (division.b@mycompany.com)
• Central Governance
• Devolved IT Function

Slide 10: Multi-Master Hierarchical Model
• Multiple Autonomous Governance Bodies
• Multiple IT Functions
Diagram: two copies of the single-master hierarchy side by side, each with its own Master Account (aws.invoices@mycompany.com, consolidated billing information) above Division A (division.a@mycompany.com) and Division B (division.b@mycompany.com).

Slide 11: Resource Tagging
Diagram: the single-master hierarchy (Master Account aws.invoices@mycompany.com with consolidated billing information; Division A division.a@mycompany.com; Division B division.b@mycompany.com), with the resources in each division tagged Proj=x, Proj=y and Proj=z.

Slide 12: Billing Alerts & Programmatic Access
Diagram: the same tagged hierarchy as slide 11, with the consolidated billing data delivered as a CSV to S3.
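Slides 11 and 12 put the pieces together: resources carry a Proj tag, the consolidated bill lands in S3 as a CSV, and alerts fire from it. The script below is an added example (not from the deck) of the programmatic half of that: it reads a constructed CSV shaped like a cost allocation report (column names LinkedAccountId, ProductName, user:Proj and UnblendedCost are assumed), totals spend per Proj tag, compares the totals against made-up budgets, and separately reports untagged spend, which is the cost that tagging is meant to make allocatable.

```python
"""Aggregate a cost allocation report by the Proj tag and raise budget alerts.

Added example, not from the slide deck. The CSV is constructed to resemble a
billing report delivered to S3, reduced to four columns; the budgets are made up.
"""
import csv
import io
from collections import defaultdict

# Constructed report: two linked accounts, resources tagged Proj=x, y, z, and
# one untagged line item (empty user:Proj column).
SAMPLE_CSV = """LinkedAccountId,ProductName,user:Proj,UnblendedCost
111111111111,Amazon Elastic Compute Cloud,x,120.50
111111111111,Amazon Simple Storage Service,x,9.25
111111111111,Amazon Elastic Compute Cloud,y,300.00
222222222222,Amazon Elastic Compute Cloud,z,75.00
222222222222,Amazon Elastic Compute Cloud,,42.10
"""

# Constructed monthly budgets per project tag.
BUDGETS = {"x": 100.0, "y": 500.0, "z": 100.0}


def cost_by_tag(raw_csv, tag_column="user:Proj"):
    """Sum UnblendedCost per value of the tag column; blank tags go to 'untagged'."""
    totals = defaultdict(float)
    for row in csv.DictReader(io.StringIO(raw_csv)):
        key = row[tag_column] or "untagged"
        totals[key] += float(row["UnblendedCost"])
    return {k: round(v, 2) for k, v in totals.items()}


def budget_alerts(totals, budgets, threshold=0.8):
    """Return (tag, status, spent) tuples: 'exceeded' at or over budget,
    'forecast' at or over the threshold fraction, and 'unallocated' for
    spend that carries no project tag at all."""
    alerts = []
    for proj, budget in budgets.items():
        spent = totals.get(proj, 0.0)
        if spent >= budget:
            alerts.append((proj, "exceeded", spent))
        elif spent >= threshold * budget:
            alerts.append((proj, "forecast", spent))
    if totals.get("untagged", 0.0) > 0:
        alerts.append(("untagged", "unallocated", totals["untagged"]))
    return alerts


if __name__ == "__main__":
    totals = cost_by_tag(SAMPLE_CSV)
    for alert in budget_alerts(totals, BUDGETS):
        print(alert)
```

In practice the CSV would be fetched from the billing bucket and the alert tuples handed to a notification channel; the aggregation and threshold logic are the part worth getting right, since an untagged bucket that keeps growing is the usual sign that the tagging policy is not being enforced.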
Slide 13: What can I share between Accounts?
• EC2 AMIs (EC2 Virtual Machine Template): pre-configured, templated Amazon Machine Images that can be used to package together the operating system, application code and configuration.
• S3 Buckets (S3 Bucket Policies): Amazon Simple Storage Service is organised into buckets. You can control access to S3 buckets using bucket policies. Bucket policies can also integrate with IAM to give access to all users in different accounts, or a subset of users.
• EBS Snapshots (Block File System Snapshot): as with a traditional SAN storage infrastructure, EBS volumes can be snapshotted and the data shared. EBS volumes and snapshots support a wide range of file systems, e.g. NTFS, EXT2/3/4.
Slide 14: Sign up for AWS Accounts
• Sign up with a real, monitored email address
• Create accounts with the same domain
• Populate the alternate contacts for billing, operations and security
• AWS accounts and Amazon retail accounts are linked
• Leverage consolidated billing to simplify payments and make use of volume discounts
• Move to invoicing payment
• Enable support
• Enable Billing Alerts
Slide 15: VPCs
A VPC is a private, isolated section of the AWS cloud where YOU define the networking within it. A VPC spans all AZs in a region.
VPC Peering allows you to peer multiple VPCs across AWS accounts in a single region.
Diagram components: Route Table, Elastic Network Interface, Amazon VPC Router, Internet Gateway, Customer Gateway, Virtual Private Gateway, VPN Connection, Subnet.

Slide 16: Connectivity Options
• Direct Connect is a physical connection to Amazon Public Cloud and/or Amazon VPC providing dedicated bandwidth between your site and AWS.
• Configure redundant, secure VPN connections between your VPC and your site.
• Alternatively, you can connect directly to your VPC using a secured internet channel (SSH, RDP etc.).
Slide 17: Basic VPC
VPC 10.1.0.0/16
  Availability Zone A: Subnet (10.1.1.0/24)
  Availability Zone B: Subnet (10.1.2.0/24)

Slide 18: Private & Public Subnets
VPC 10.1.0.0/16, spanning Availability Zones A and B
  Public Subnets: 10.1.1.0/24, 10.1.2.0/24 (one per AZ)
  Private Subnets: 10.1.3.0/24, 10.1.4.0/24 (one per AZ)

Slide 19: Segregate Environments into VPCs
Diagram: three VPCs, each with the two-AZ public/private subnet layout of slide 18: Test/Dev (10.0.0.0/16), Staging (10.1.0.0/16) and Production (10.2.0.0/16).

Slide 20: Shared Services Model
Diagram: Shared Services (10.0.0.0/18), Application A (10.0.64.0/20) and Application B (10.0.80.0/20), carved from 10.0.0.0/16, each with the two-AZ public/private subnet layout and joined by VPC Peer links.

Slide 21: Putting it all together
Diagram: Master Account (aws.invoices@mycompany.com) with consolidated billing information, above a Production Account and a Dev/Test Account; the shared-services layout from slide 20 (Shared Services 10.0.0.0/18, Application A 10.0.64.0/20, Application B 10.0.80.0/20, two AZs with public and private subnets, VPC Peer links) is repeated under the accounts.
Slide 22: Consider using CloudFormation to manage VPCs
Template fragment (two entries from the Resources section; the mappings Zones and SubnetConfig and the VPC resource are defined elsewhere in the template):

    "Public2Subnet" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "Zones", { "Ref" : "AWS::Region" }, "2" ] },
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Public2", "CIDR" ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Name", "Value" : "Public2Subnet" }
        ]
      }
    },
    "Private1Subnet" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Private1", "CIDR" ] },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "Zones", { "Ref" : "AWS::Region" }, "1" ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Name", "Value" : "Private1Subnet" }
        ]
      }
    },

Template your Environments
• Version control your datacenter with CloudFormation!
• One click deployments
• Reproduce anywhere in the globe in minutes
• Segregation of duties between infrastructure and application owners.
Slide 23: Plan your VPC IP space before creating it
• Consider future AWS region expansion
• Consider how data will need to flow between VPCs
• Consider future connectivity to corporate networks
• A VPC can be /16 down to /28
• The CIDR cannot be modified once created
• Overlapping IP spaces = future headache
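Because the CIDR is fixed at creation, the checks on this slide are worth running before the first VPC exists. The script below is an added example (not from the deck) of that review, using only the standard library: it rejects blocks outside the /16 to /28 range, finds overlaps between the deck's planned VPCs (Test/Dev 10.0.0.0/16, Staging 10.1.0.0/16, Production 10.2.0.0/16) and a constructed corporate range standing in for "future connectivity to corporate networks", and carves the two-AZ public/private subnet layout of slide 18 from a VPC block. The AZ names and the corporate range are assumptions.

```python
"""Review a planned set of VPC CIDR blocks before creating them.

Added example, not from the slide deck. PLANNED_VPCS uses the ranges from the
deck's diagrams; CORPORATE_NETWORKS is a constructed on-premises range.
"""
import ipaddress
from itertools import combinations

PLANNED_VPCS = {
    "Test/Dev": "10.0.0.0/16",
    "Staging": "10.1.0.0/16",
    "Production": "10.2.0.0/16",
}
# Constructed: an on-premises range the VPCs may later need a VPN or Direct
# Connect path to. It collides with Staging on purpose.
CORPORATE_NETWORKS = {"corp-hq": "10.1.128.0/17"}


def check_vpc_size(cidr):
    """A VPC block must be between /16 and /28; return a reason string or None."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen < 16:
        return f"{cidr} is larger than /16"
    if net.prefixlen > 28:
        return f"{cidr} is smaller than /28"
    return None


def find_overlaps(ranges):
    """Return sorted (name_a, name_b) pairs whose CIDRs overlap."""
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in ranges.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def plan_subnets(vpc_cidr, azs, new_prefix=24):
    """Carve one public and one private subnet per AZ from the VPC block.

    The first /24 is left unused, which reproduces the deck's numbering
    (10.1.1.0/24 and 10.1.2.0/24 public, 10.1.3.0/24 and 10.1.4.0/24 private).
    """
    pool = ipaddress.ip_network(vpc_cidr, strict=True).subnets(new_prefix=new_prefix)
    next(pool)
    layout = {}
    for az in azs:
        layout[f"public-{az}"] = str(next(pool))
    for az in azs:
        layout[f"private-{az}"] = str(next(pool))
    return layout


def review_plan(vpcs, corporate):
    """Collect every problem a reviewer would want fixed before creation."""
    problems = []
    for name, cidr in vpcs.items():
        reason = check_vpc_size(cidr)
        if reason:
            problems.append(f"{name}: {reason}")
    for a, b in find_overlaps({**vpcs, **corporate}):
        problems.append(f"overlap: {a} and {b}")
    return problems


if __name__ == "__main__":
    for problem in review_plan(PLANNED_VPCS, CORPORATE_NETWORKS):
        print(problem)
    print(plan_subnets("10.1.0.0/16", ["a", "b"]))
```

Run as-is it reports the Staging/corp-hq collision, which is exactly the "future headache" the slide warns about: VPC peering and VPN routing both require non-overlapping address space, and the only remedy after creation is to rebuild the VPC.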
Slide 24: SECURITY & COMPLIANCE

Slide 25: Shared Responsibility Model
Amazon:
  Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Availability Zones, Regions, Edge Locations
You:
  Customer Data
  Platform, Applications, Identity & Access Management
  Operating System, Network & Firewall Configuration
  Client-side Data Encryption & Data Integrity Authentication
  Server-side Encryption (File System and/or Data)
  Network Traffic Protection (Encryption/Integrity/Identity)
Slide 26: Security Tools & Techniques
Security Groups: granular network filtering. “This instance can only receive HTTP traffic on port 80.”
• Applied to the instance ENI (up to 5 per ENI)
• Stateful
• Allow only (whitelist)
• Rules evaluated as a whole
• SGs can reference other SGs in the same VPC
S3 Bucket Policies: control access to S3 buckets. “Allow read access to all but put access from a restricted list of IP addresses.”
• Bucket policies can also integrate with IAM to give access to all users in different accounts, or a subset of users
ACLs: enforcing baseline security policy. “No TFTP, NetBIOS or SMTP shall egress this subnet.”
• Applied to subnets (1 per subnet)
• Stateless
• Allow & deny (blacklist)
• Rules processed in order
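The two filters on this slide differ in ways that decide whether a packet gets through, so the contrast is worth seeing executed. The script below is an added example (not from the deck) that models both evaluation styles on the slide's own two quotes: a security group that admits only HTTP on port 80 (allow-only, any matching rule permits) and a network ACL that denies TFTP, NetBIOS and SMTP egress (numbered rules, first match wins, implicit deny at the end). The port numbers for those protocols, the rule numbers and the sample addresses are assumptions; the last function shows the stateless pitfall, where a NACL with no egress rule for the client's ephemeral port silently breaks a flow the security group allowed.

```python
"""Model how a security group and a network ACL each decide on a packet.

Added example, not from the slide deck. Rule sets are constructed from the
deck's two quotes; addresses come from the documentation ranges.
"""
import ipaddress

# Security group: allow-only, evaluated as a whole (any matching rule permits).
WEB_SG_INBOUND = [
    {"proto": "tcp", "port": 80, "cidr": "0.0.0.0/0"},
]

# Network ACL: ordered, allow & deny, first match wins, stateless.
# 69 = TFTP, 137-139 = NetBIOS, 25 = SMTP (assumed port mapping for the quote).
SUBNET_NACL_EGRESS = [
    {"rule": 100, "proto": "udp", "ports": (69, 69), "cidr": "0.0.0.0/0", "action": "deny"},
    {"rule": 110, "proto": "udp", "ports": (137, 139), "cidr": "0.0.0.0/0", "action": "deny"},
    {"rule": 120, "proto": "tcp", "ports": (137, 139), "cidr": "0.0.0.0/0", "action": "deny"},
    {"rule": 130, "proto": "tcp", "ports": (25, 25), "cidr": "0.0.0.0/0", "action": "deny"},
    {"rule": 200, "proto": "all", "ports": (0, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
]
# Constructed ingress ACL that lets everything in (the SG does the filtering).
SUBNET_NACL_INGRESS = [
    {"rule": 100, "proto": "all", "ports": (0, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
]


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def sg_allows(rules, proto, port, peer_ip):
    """Security groups are allow-only: permit if any rule matches, else drop."""
    return any(
        r["proto"] in (proto, "all") and r["port"] == port and _in_cidr(peer_ip, r["cidr"])
        for r in rules
    )


def nacl_decision(rules, proto, port, peer_ip):
    """ACL rules are processed in rule-number order; the first match decides;
    nothing matching means the implicit trailing deny applies."""
    for r in sorted(rules, key=lambda r: r["rule"]):
        lo, hi = r["ports"]
        if r["proto"] in (proto, "all") and lo <= port <= hi and _in_cidr(peer_ip, r["cidr"]):
            return r["action"]
    return "deny"


def inbound_flow_permitted(sg_rules, nacl_ingress, nacl_egress,
                           proto, port, client_ip, ephemeral_port):
    """A stateful SG needs only the inbound rule; the stateless ACL must also
    allow the reply packet out to the client's ephemeral port."""
    if not sg_allows(sg_rules, proto, port, client_ip):
        return False
    if nacl_decision(nacl_ingress, proto, port, client_ip) != "allow":
        return False
    return nacl_decision(nacl_egress, proto, ephemeral_port, client_ip) == "allow"
```

This is also why the next slide says to use ACLs sparingly: every ACL rule has to be written twice (request and reply), and the ordering matters, whereas a security group rule describes the permitted service once.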
Slide 27: Security Tools & Techniques cont.
AWS Config: notification on changes to resources. “Tell me when changes are made to my AWS resources.”
• Integration with 3rd party tools
• Notification via SNS
• Config Rules allows you to take action based on rules, e.g. if instances are not tagged with an ‘owner’, notify me
AWS Inspector: automated security assessment. “Can I assess my application in AWS for known vulnerabilities or best practices?”
• Pre-built assessments for known compliance programmes
• Agent based, API driven and delivered as a service
• Enforce security standards for your AWS applications
AWS CloudTrail: auditing of AWS account usage. “Who did what in my account at a specific time?”
• Capture logs of all AWS API invocations
• Logs are sent to S3 or CloudWatch Logs
• Integration with 3rd party tools
Slide 28: Security Best Practices
• Use ACLs sparingly, keep it simple
• Utilise Security Groups for fine grained control
• Utilise security groups to manage access to instances that have similar functions and security requirements
• Read: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

Slide 29: CIS Foundations Benchmark

Slide 30: OPTIMISING FOR COST

Slide 31: Many pricing options available
• Reserved: make a low, one-time payment and receive a significant discount on the hourly charge. For committed utilization.
• Free Tier: get started on AWS with free usage and no commitment. For POCs and getting started.
• On-Demand: pay for compute capacity by the hour with no long-term commitments. For spiky workloads, or to define needs.
• Spot: bid for unused capacity, charged at a Spot Price which fluctuates based on supply and demand. For time-insensitive or transient workloads.
• Dedicated: launch instances within Amazon VPC that run on hardware dedicated to a single customer. For highly sensitive or compliance related workloads.

Slide 32: Run the right instances at the right time
• Stop or terminate instances when they’re not required
• Utilise CloudFormation to tear down and recreate whole environments on demand
• Use CloudWatch to monitor instance load and scale vertically and/or horizontally to maximise instance utilisation
• Utilise Reserved Instances to lower TCO

Slide 33: MANAGING & AUDITING ACCESS

Slide 34: Identity & Access Management
Diagram: an Account whose users (Bob, Jim, Brad, Mark, Susan) are organised into IAM Groups (Administrators, Developers), with IAM Roles used by Applications (Tomcat, Reporting) and the Console.
Slide 35: IAM Policies
Policy Driven
• Declarative definition of rights for groups
• Policies control access to AWS APIs

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "elasticbeanstalk:*",
            "ec2:*",
            "elasticloadbalancing:*",
            "autoscaling:*",
            "cloudwatch:*",
            "s3:*"
          ],
          "Resource": "*"
        }
      ]
    }
Slide 36: Audit User Actions
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via:
• AWS Management Console
• AWS SDKs
• Command line tools
• Higher-level AWS services (such as CloudFormation)
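Slides 27 and 36 both describe CloudTrail as the answer to "who did what in my account at a specific time", and the delivered log files are plain JSON, so that question can be answered with a short script. The one below is an added example (not from the deck): it parses a constructed CloudTrail delivery file of three records, lists the events in a time window with the identity and source IP behind each, and, as a simple detection tied to the next slide's MFA rule, flags console logins that were completed without MFA. The record layout follows CloudTrail's documented fields (eventTime, eventName, userIdentity, sourceIPAddress, additionalEventData.MFAUsed); the user names, ARN, account ID and addresses are constructed.

```python
"""Answer "who did what in my account at a specific time" from CloudTrail logs.

Added example, not from the slide deck. SAMPLE_LOG is a constructed file in
the shape CloudTrail delivers to S3: a JSON object with a "Records" array.
"""
import json
from datetime import datetime, timezone

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-04-28T17:55:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-04-28T18:02:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2016-04-28T18:30:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"}},
]})


def parse_records(raw):
    """Load one delivered log file and return its Records list."""
    return json.loads(raw)["Records"]


def actor(record):
    """Human-readable identity: IAM user name, else the role/session ARN."""
    ident = record["userIdentity"]
    return ident.get("userName") or ident.get("arn", "unknown")


def _parse_time(iso):
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def who_did_what(records, start_iso, end_iso):
    """Return (time, actor, eventName, sourceIP) for events with
    start <= eventTime < end, in log order."""
    start, end = _parse_time(start_iso), _parse_time(end_iso)
    rows = []
    for r in records:
        t = _parse_time(r["eventTime"])
        if start <= t < end:
            rows.append((r["eventTime"], actor(r), r["eventName"], r["sourceIPAddress"]))
    return rows


def console_logins_without_mfa(records):
    """Flag ConsoleLogin events where MFAUsed is anything other than "Yes"."""
    return [actor(r) for r in records
            if r["eventName"] == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for row in who_did_what(recs, "2016-04-28T18:00:00Z", "2016-04-28T19:00:00Z"):
        print(row)
    print("console logins without MFA:", console_logins_without_mfa(recs))
```

Real trails are delivered as many gzipped files per hour, so the same functions would be run over every file in the prefix for the window of interest; the filtering and identity extraction do not change.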
Slide 37: Managing Access
• Control access through fine grained policies
• Use multi factor authentication for console access
• Use groups to define access levels and assign IAM policies to groups
• Even the superuser group should have some explicit denies
• Utilise IAM roles to ensure no API credentials are placed onto EC2 instances
• Utilise tagging to define fine grained control to resources
• Consider IAM federation into AD to simplify user management
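The bullet about explicit denies for the superuser group depends on how IAM combines statements: access is denied by default, any matching Deny wins regardless of what else allows the action, and otherwise some Allow must match. The script below is an added example (not from the deck) that simulates that evaluation order over group-attached policies. It reuses the power-user policy from slide 35 for the Developers group and adds a constructed guard-rail Deny to the Administrators group; the user and group names, the guard-rail actions and the wildcard matching are assumptions, and conditions, resource-level ARNs and IAM's case-insensitive action matching are not modelled.

```python
"""Simulate IAM policy evaluation: default deny, explicit Deny wins, else Allow.

Added example, not from the slide deck. POWER_USER_POLICY is the policy shown
on the deck's "IAM Policies" slide; everything else here is constructed.
"""
import fnmatch

POWER_USER_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
               "autoscaling:*", "cloudwatch:*", "s3:*"],
    "Resource": "*",
}]}

ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed guard rails for the superuser group: even administrators may not
# switch off the audit trail or mint themselves long-lived API keys.
GUARD_RAILS = {"Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "iam:CreateAccessKey"],
    "Resource": "*",
}]}

# Constructed group membership; policies attach to groups, not to users.
GROUPS = {"Developers": [POWER_USER_POLICY], "Administrators": [ADMIN_POLICY, GUARD_RAILS]}
USERS = {"bob": ["Developers"], "susan": ["Administrators"]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """A statement applies when both an Action and a Resource pattern match."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))


def is_allowed(policies, action, resource="*"):
    """Evaluate every statement in every policy. An explicit Deny ends the
    evaluation as denied; otherwise the result is whether any Allow matched."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def user_can(user, action, resource="*"):
    """Resolve a user's groups to their policies and evaluate the action."""
    policies = [p for group in USERS[user] for p in GROUPS[group]]
    return is_allowed(policies, action, resource)


if __name__ == "__main__":
    for user, action in [("bob", "ec2:RunInstances"), ("bob", "iam:CreateUser"),
                         ("susan", "iam:CreateUser"), ("susan", "cloudtrail:StopLogging")]:
        print(user, action, "->", "allow" if user_can(user, action) else "deny")
```

The last case is the point of the bullet: Susan's Allow on "*" does not help her once a Deny matches, so a compromised or careless administrator session cannot quietly turn off the CloudTrail logging that slide 36 relies on.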
Slide 38: Thank You
@steven_bryen
sbryen@amazon.com

Slide 39: awsloft.london
closing.party && startup.showcase
28 April :: 18:00 >> 22:00