
AWS Enterprise Summit Netherlands - Starting Your Journey in the Cloud

Starting Your Journey in the Cloud

Published in: Technology

  1. 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Brian Wagner AWS Professional Services Security Consultant Sep 21st 2016 Starting your Journey in the Cloud
  2. 2. Getting Started with AWS: Agenda Best practices you should focus on when getting started Resources you can use to learn more Getting Started with AWS
  3. 3. http://aws.amazon.com/getting-started/ Getting Started with AWS
  4. 4. Choose Your First Use Case Well 1
  5. 5. Choose Your First Use Case Well Make your first project a S.M.A.R.T one
  6. 6. Choose Your First Use Case Well Dev & Test Spin environments up and down on demand Decouple development and test environments from operations constraints Explore elasticity in a sandboxed environment Make your first project a S.M.A.R.T one
  7. 7. Choose Your First Use Case Well Dev & Test Spin environments up and down on demand Decouple development and test environments from operations constraints Explore elasticity in a sandboxed environment Backup & DR Take part of your data or business applications step-by-step into non-production DR use Understand cloud dynamics and test during controlled failover Make your first project a S.M.A.R.T one
  8. 8. Choose Your First Use Case Well Dev & Test Spin environments up and down on demand Decouple development and test environments from operations constraints Explore elasticity in a sandboxed environment Backup & DR Take part of your data or business applications step-by-step into non-production DR use Understand cloud dynamics and test during controlled failover Greenfield Project Embody best practice of cloud computing in unconstrained greenfield projects Self-contained web projects, document archiving etc. Make your first project a S.M.A.R.T one
  9. 9. Choose Your First Use Case Well Dev & Test Spin environments up and down on demand Decouple development and test environments from operations constraints Explore elasticity in a sandboxed environment Backup & DR Take part of your data or business applications step-by-step into non-production DR use Understand cloud dynamics and test during controlled failover Greenfield Project Embody best practice of cloud computing in unconstrained greenfield projects Self-contained web projects, document archiving etc. Pain point Move specific service aspects causing undue cost or management burden Workflows, search indexing, media streaming, document archiving, constrained databases Make your first project a S.M.A.R.T one
  10. 10. Plan Evolution and Set Goals Understand services Test performance Architect for scale Develop team capabilities Implement monitoring Change control and management Security management Scalability Automate corrective actions Auto-scaling Zero downtime deployments System backup and recovery Proof of Concept Production Automation Sample Activities
  11. 11. Lay Out Your Foundations 2
  12. 12. Lay Out Your Foundations
      Accounts
        • Create an account structure that makes sense
        • Use accounts like environments where you need separation and control, e.g. Dev Sandboxes, Test Environments, Business Units, Products & Services
  13. 13. Lay Out Your Foundations
      Accounts
        • Create an account structure that makes sense
        • Use accounts like environments where you need separation and control, e.g. Dev Sandboxes, Test Environments, Business Units, Products & Services
      Billing
        • Control access to billing information
        • Use IAM users to keep billing information in the master account
        • Consolidate billing into a single account
        • Let one account pick up the bill for multiple ‘sub accounts’
        • Set up billing alerts and automated bill reporting
        • Get CloudWatch notifications when billing reaches a point and output CSV reports to S3 for analysis
  14. 14. Enable delivery of billing reports with resources & tags Billing preferences Billing Settings
  15. 15. Billing Master Account aws.invoices@mycompany.com
  16. 16. Billing Consolidated Billing Relationship Master Account aws.invoices@mycompany.com Division B admin@divisionB.com User2 Dev2 Admin2 IAM
  17. 17. Billing Consolidated Billing Relationship Master Account aws.invoices@mycompany.com Division B admin@divisionB.com User2 Dev2 Admin2 IAM Tags: Own=Div Proj=P Tags: Own=Div Proj=Q Tags: Own=Div Proj=R Tags: (key-value) e.g Own=Div Proj=R
  18. 18. Billing Consolidated Billing Relationships Master Account aws.invoices@mycompany.com Business Unit C admin@busUnitC.com User3 Dev3 Admin3 IAM Tags: Own=BusC Proj=X Tags: Own=BusC Proj=Y Tags: Own=BusC Proj=Z Division B admin@divisionB.com User2 Dev2 Admin2 IAM Tags: Own=Div Proj=P Tags: Own=Div Proj=Q Tags: Own=Div Proj=R Operating Co. A admin@opcoA.com User1 Dev1 Admin1 IAM Tags: Own=OpCo Proj=A Tags: Own=OpCo Proj=B Tags: Own=OpCo Proj=C
  20. 20. S3 CSV Billing ANALYSIS Programmatic Billing Access Consolidated Billing Relationships Master Account aws.invoices@mycompany.com Business Unit C admin@busUnitC.com User3 Dev3 Admin3 IAM Tags: Own=BusC Proj=X Tags: Own=BusC Proj=Y Tags: Own=BusC Proj=Z Division B admin@divisionB.com User2 Dev2 Admin2 IAM Tags: Own=Div Proj=P Tags: Own=Div Proj=Q Tags: Own=Div Proj=R Operating Co. A admin@opcoA.com User1 Dev1 Admin1 IAM Tags: Own=OpCo Proj=A Tags: Own=OpCo Proj=B Tags: Own=OpCo Proj=C
  22. 22. 3rd Party Cost Management Tools
  23. 23. Lay Out Your Foundations
      Accounts
        • Create an account structure that makes sense
        • Use accounts like environments where you need separation and control, e.g. Dev Sandboxes, Test Environments, Business Units, Products & Services
      Billing
        • Control access to billing information
        • Use IAM users to keep billing information in the master account
        • Consolidate billing into a single account
        • Let one account pick up the bill for multiple ‘sub accounts’
        • Set up billing alerts and automated bill reporting
        • Get CloudWatch notifications when billing reaches a point and output CSV reports to S3 for analysis
      Access Keys
        • Decide upon a key management strategy
        • Control access to EC2 instances via SSH and embedded public key, e.g. EC2 Key Pair per group of instances, EC2 Key Pair per account
        • Consider SSH key rotation & automation
        • Limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances
        • Consider bootstrap automation to grant developer access with developer-unique key pairs
  24. 24. Lay Out Your Foundations
      Accounts
        • Create an account structure that makes sense
        • Use accounts like environments where you need separation and control, e.g. Dev Sandboxes, Test Environments, Business Units, Products & Services
      Billing
        • Control access to billing information
        • Use IAM users to keep billing information in the master account
        • Consolidate billing into a single account
        • Let one account pick up the bill for multiple ‘sub accounts’
        • Set up billing alerts and automated bill reporting
        • Get CloudWatch notifications when billing reaches a point and output CSV reports to S3 for analysis
      Access Keys
        • Decide upon a key management strategy
        • Control access to EC2 instances via SSH and embedded public key, e.g. EC2 Key Pair per group of instances, EC2 Key Pair per account
        • Consider SSH key rotation & automation
        • Limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances
        • Consider bootstrap automation to grant developer access with developer-unique key pairs
      Groups & Roles
        • Use IAM Groups to manage console users and API access
        • Provide developers with IAM user login and unique API access credentials
        • Control & restrict what IAM users can do by placing them in groups with associated policies
        • Assign EC2 Instances IAM roles
        • Let AWS manage API access credentials on running instances by assigning a system entitlement to an instance, e.g. instance can only read S3 bucket
  25. 25. Identity & Access Management - IAM Account Applications Administrators Developers
  26. 26. Identity & Access Management - IAM Account Applications Administrators Developers Groups Multi-factor Authentication
  27. 27. Identity & Access Management - IAM Account Applications Administrators Developers Groups Roles Multi-factor Authentication AWS API Credentials
  28. 28. IAM Policies: Policies control access to AWS APIs. Create a policy to assign permissions to a user, group, role or resource. Policies are created using JSON. A policy consists of one or more statements, each of which describes one set of permissions.

          {
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "elasticbeanstalk:*",
                  "ec2:*",
                  "elasticloadbalancing:*",
                  "autoscaling:*",
                  "cloudwatch:*",
                  "s3:*",
                  "sns:*"
                ],
                "Resource": "*"
              }
            ]
          }

  29. 29. Identity and Access Management - IAM For more details on IAM, visit: aws.amazon.com/iam
  30. 30. Think Security 3
  31. 31. Shared Security Responsibility
      You
        • Customer Data
        • Platform, Applications, Identity & Access Management
        • Operating System, Network & Firewall Configuration
        • Client-side Data Encryption & Data Integrity Authentication
        • Server-side Encryption (File System and/or Data)
        • Network Traffic Protection (Encryption/Integrity/Identity)
      Amazon
        • Foundation Services: Compute, Storage, Database, Networking
        • AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
  32. 32. Understand your customer & determine your security stance Leverage AWS Security External Audience Regulatory Audience Internal Audience Architecture Administration IAM Certifications White Papers QSA Process Your Processes Your Certifications Penetration Test Results
  33. 33. Understand your customer & determine your security stance Engage with security assessors early in your adoption cycle Leverage AWS Security Don’t fear assessment – AWS meets high standards (PCI DSS, ISO27001) Security assessments take time, so allow for this in your planning Undertake architecture reviews early in your design/deployment process
  34. 34. Understand your customer & determine your security stance Engage with security assessors early in your adoption cycle Use comprehensive materials and certifications provided by AWS Leverage AWS Security For more details on AWS Security, visit: aws.amazon.com/security Risk and compliance white paper AWS security processes white paper CSA consensus assessments initiative questionnaire (requires NDA)
  35. 35. Understand your customer & determine your security stance Engage with security assessors early in your adoption cycle Use comprehensive materials and certifications provided by AWS Build upon the security features of AWS to implement ‘security by design’ Leverage AWS Security
  36. 36. Build on AWS Security Features
      Tiered Access
        • IAM: Control users, and use IAM Roles to provide API credentials for instances to enable access to AWS resources via APIs
        • APIs vs Instance: Provide developers with API credentials with separately controlled access to SSH keys/administrative logins
        • Temporary Credentials: Provide temporary API credentials for access to AWS resources
      Control & Audit
        • Instance firewalls: Firewall control on instances via Security Groups
        • AWS CloudTrail: The AWS API call history recorded by CloudTrail enables security analysis, resource change tracking, and compliance auditing
        • AWS Config: A fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance
      Virtual Private Cloud
        • Subnet control: Create low level networking constraints for resource access, such as public and private subnets, internet gateways and NATs
        • Bastion hosts: Only allow access for management of production resources from a bastion host. Turn off when not needed and restrict startup via MFA
        • VPC Peering: Connect privately to other VPCs. Peer VPCs together to share resources across multiple virtual networks owned by you or other AWS accounts.
      Direct Connect & VPN
        • Private connections to VPC: Secured access to resources in AWS over software or hardware VPN and dedicated network links. Because your VPC can be hosted behind your corporate firewall, you can seamlessly move your IT resources into the cloud without changing how your users access these applications.
  37. 37. Build on the Strengths of the AWS Cloud 4
  38. 38. e.g. Application performance improvement by migration of static content to Amazon S3 & CloudFront Review application architectures early – assess their fit for the cloud Can cloud benefits be delivered with minimum effort & outlay? e.g. variable capacity requirements, ‘standard’ technology stacks, reference architectures* e.g. Faster development cycles for dev/test, reduced cap-ex for application environments Will cloud yield top-line growth, cost savings or agility improvements? e.g. fully scripted deployments, IAM & EC2 instance roles, rolling deployments Can automation lead to more robust, agile & secure services? Build on the Strengths of the AWS Cloud
  39. 39. Build on the Strengths of the AWS Cloud: Disposable compute. Design systems that can tolerate instance failures. Dispose of compute when it is not required.
  40. 40. Build on the Strengths of the AWS Cloud: Disposable compute, Flexible capacity. Design systems that can dynamically scale from zero to hundreds of instances. Use Auto-scaling (events, schedules etc.) to drive capacity availability.
  41. 41. Build on the Strengths of the AWS Cloud: Disposable compute, Flexible capacity, Cost effective storage. Use Amazon S3 for durable & cost effective storage. Deploy & scale relational databases with RDS & use DynamoDB for high throughput NoSQL tables.
  42. 42. Build on the Strengths of the AWS Cloud: Disposable compute, Flexible capacity, Cost effective storage, Automation and control. Automate everything from deployment, to scaling, to instance recovery from failure.
  43. 43. 1. Use multiple availability zones
  44. 44. 2. Use RDS with replicas and slaves
  45. 45. 3. Use auto-scaling groups
  46. 46. 4. Use Elastic Load Balancing
  47. 47. 5. Use Route53 to host DNS zones
  48. 48. Build on the Strengths of the AWS Cloud
      Elastic Load Balancing
        • Use at regional level: Combined with autoscaling will balance requests and resource capacity across availability zones
        • Within VPC: Use to load balance between application tiers within an availability zone
        • Instance migrations: Easily move instances from dev environments to test environments by moving between ELBs
      Route 53
        • Leverage SLA: Improve application reliability with Route 53’s SLA on requests served
        • Weighted routing: Perform A/B analysis, and staged application roll-outs by moving a portion of traffic to new infrastructure
        • Control TTLs and updates: Take absolute control of DNS updates for more decisive system updates
      RDS
        • Scale databases without admin overhead: Choose instance size for databases and scale up over time
        • Add high availability from management console: Create master-slave configurations and read-replicas. AWS takes care of the failover and recreation of a new slave in event of master DB loss
      Auto-Scaling
        • Dynamically scale resources & control costs: Only provision the resources that are required with scale up and cool down policies that match demand
      For more details, visit the AWS architecture center: aws.amazon.com/architecture
  49. 49. Services not Software 5
  50. 50. AWS Cloud Infrastructure & Services Your Business More Time to Focus on Your Business Configuring Cloud Services 70% 30%70% Self Managed Software & Infrastructure 30% Managing All of the “Undifferentiated Heavy Lifting” Services Not Software
  51. 51. Services Not Software
        • Amazon RDS (Relational Database Service): Easy to set up, operate, and scale. Handles time-consuming database management tasks, such as backups, patch management, and replication. Supports MySQL, Oracle, Microsoft SQL Server, and PostgreSQL, with Amazon Aurora in preview
        • Amazon DynamoDB (NoSQL Database Service): Fast, predictable performance. Supports document & key-value data models. Fully distributed, fault tolerant architecture
  52. 52. Services Not Software
        • Amazon SQS (Simple Queue Service): Fast, reliable, scalable, fully managed message queuing service. Transmit any volume of data, at any level of throughput. Diagram labels: Processing task/processing trigger, Processing results
        • Amazon EMR (Elastic MapReduce): Uses Hadoop, an open source framework, to distribute your data and processing across EC2 instances. Integrates with other AWS services, such as S3 & DynamoDB. Supports the broad Hadoop tools ecosystem
  53. 53. Optimise Your Costs 6
  54. 54. 1. Use the Right Instance Types 2. Use Auto Scaling 3. Turn Off Unused Instances 4. Use Reserved Instances 5. Use Spot Instances 6. Use Storage Classes 7. Offload Your Architecture 8. Use Services, Not Software 9. Use Consolidated Billing 10. Use Cost Management Tools
  55. 55. Use the Right Instance Types: General purpose (M3, M1); Compute optimized (C4, C3, C1, CC2); Memory optimized (R3, CR1, M2); Storage and IO optimized (I2, HI1, HS1); GPU enabled (G2, CG1)
  56. 56. Use Tools & Frameworks 7
  57. 57. Access everything via CLI, API or Console Use one of 9 (soon to be 10) fully supported SDKs to create or make use of existing AWS resources within your own code Leverage a broad ecosystem of open source, free and commercially licensed tools to work with AWS Services Achieve the highest levels of automation to support continuous deployment, define your infrastructure-as-code or automate your development, operations or DevOps processes Find out more at: aws.amazon.com/developers/getting-started/ Everything is Programmable
  58. 58. Resources You Can Use to Learn More aws.amazon.com/getting-started/ aws.amazon.com/premiumsupport aws.amazon.com/architecture aws.amazon.com/security aws.amazon.com/campaigns/emea-getting-started
  59. 59. AWS Training & Certification
        • Self-Paced Labs (aws.amazon.com/training/self-paced-labs): Try products, gain new skills, and get hands-on practice working with AWS technologies
        • Training (aws.amazon.com/training): Build technical expertise to design and operate scalable, efficient applications on AWS
        • Certification (aws.amazon.com/certification): Validate your proven skills and expertise with the AWS platform
  60. 60. Thank You! Brian Wagner AWS Professional Services Security Consultant
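
The wildcard policy on slide 28 and the narrower instance-role case on slide 24 ("instance can only read S3 bucket") can be compared mechanically. The Python below is an added example, not part of the original deck: the `audit_policy` function, the bucket name `example-app-bucket` and the read-only policy are assumptions constructed here, while the first policy is the one shown on slide 28.

```python
import json

# Policy text from slide 28, reproduced as it appears on the page.
SLIDE_28_POLICY = json.loads("""
{ "Statement": [ { "Effect": "Allow",
    "Action": [ "elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*" ],
    "Resource": "*" } ] }
""")

# Constructed for this example: a policy for the slide 24 case
# "instance can only read S3 bucket". The bucket name is a placeholder.
READ_ONLY_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-bucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
    ],
}


def _as_list(value):
    """Action and Resource may each be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Return (statement index, finding) pairs for over-broad Allow statements."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append((i, "NotAction allows everything not listed"))
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            if action == "*":
                findings.append((i, "every action in every service"))
            elif name == "*":
                findings.append((i, f"every action in {service}"))
            elif "*" in name:
                findings.append((i, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((i, "applies to every resource"))
    return findings


if __name__ == "__main__":
    for label, policy in (("slide 28", SLIDE_28_POLICY),
                          ("read-only role", READ_ONLY_ROLE_POLICY)):
        print(label)
        for index, finding in audit_policy(policy) or [(None, "no findings")]:
            print(f"  statement {index}: {finding}")
```

Some AWS actions do not support resource-level permissions and need `"Resource": "*"`, so treat that finding as a prompt for review rather than an automatic failure.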
