
AWS Immersion Day - Introduction to AWS Workshop

Want to learn how to get started on AWS?

Learn about the basics of cloud computing and get started building on the AWS console. Gain familiarity with AWS and cloud computing concepts, quickly build real solutions using AWS services and discover the airtight security measures of the AWS Cloud.

  1. 1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Introduction to AWS
  2. What is AWS?
      AWS provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers millions of customers in 190 countries around the world.
      Benefits
      • Low Cost
      • Agility and Instant Elasticity
      • Open & Flexible
      • Secure
      • Global Reach
  3. What sets AWS apart?
      • Experience: building and managing cloud since 2006
      • Service Breadth & Depth: 165+ services to support any cloud workload
      • Pace of Innovation: history of rapid, customer-driven releases
      • Global Footprint: 20 regions, 60 availability zones, 160+ edge locations
      • Pricing Philosophy: 69 proactive price reductions to date
      • Ecosystem: thousands of consulting/system integrator & technology partners
  4. Experience with Operational Reliability
      • We have spent over a decade building the world’s most reliable, secure, scalable, and cost-effective infrastructure.
      • Service SLAs between 99.9% and 100% availability. Amazon S3 is designed for 99.999999999% durability.
      • Availability Zones exist on isolated fault lines, flood plains, and electrical grids to substantially reduce the chance of simultaneous failure.
      • The AWS Service Health Dashboard provides 24/7 visibility into the real-time operational status of all services around the globe.
      We are driven to remove any and all causes of failure. Our goal is to make our operational performance indistinguishable from perfect.
  5. Pricing Philosophy
      • High volume / low margin businesses are in our core DNA
      • Trade CapEx for variable expense
      • Our economies of scale provide us with lower costs
      • 69 price reductions since 2006
      • Pricing model choice to support variable and stable workloads: On-Demand, Reserved Instances, Spot
      • Save more money as you grow bigger: tiered pricing, volume discounts, custom pricing
  6. AWS Global Infrastructure: 20 Regions, 60 Availability Zones, 160+ Edge Locations
  7. AWS Global Infrastructure (diagram: Regions, each containing multiple Availability Zones)
  8. Service Breadth & Depth (diagram of service categories: Hybrid Architecture, Analytics, Mobile Services, Dev/Ops, IoT, AI, Enterprise Apps, Migration, App Services, Infrastructure, Core Services, Security & Compliance, Management Tools, Technical & Business Support, Marketplace)
      Core services called out on the slide:
      • Compute: VMs, Auto-scaling, Load Balancing, Containers, Virtual Private Servers, Batch Computing, Cloud Functions, Elastic GPUs, Edge Computing
      • Storage: Object, Blocks, File, Archivals, Import/Export, Exabyte-scale data transfer, CDN
      • Databases: Relational, NoSQL, Caching, Migration, PostgreSQL compatible
      • Networking: VPC, DX, DNS
      • Infrastructure: Regions, Availability Zones, Points of Presence
      Security & Compliance capabilities listed: Identity Management, Key Management & Storage, Monitoring & Logs, Configuration Compliance, Web Application Firewall, Assessment & Reporting, Resource & Usage Auditing, Access Control, Account Grouping, DDoS Protection
  9. Elastic Compute Cloud – EC2
  10. EC2 Terminology (diagram)
      • AMI: virtual machine configuration
      • EC2 Instance: running or stopped VM
      • Region, Availability Zone (AZ), VPC
      • EBS volumes, EBS Snapshots, S3 buckets (Amazon S3)
  11. EC2 Network Environment
      Virtual Private Cloud
      • Bring your own network
      • Customer-managed subnets and routing
      • Additional network controls (Security Groups, NACLs, routing)
      • Hardware VPN options between corporate networks
      • Instances have Security Group-controlled private IPs (dynamic public IPs or EIPs optional)
      Default VPC
      • Automatically assigned network and subnets (can now include NAT)
  12. Broad Set of Compute Instance Types (diagram: families M5, C5, Z1, I3, F1, R5, D2, X1 and P3 across the general purpose, compute optimized, memory optimized, storage and IO optimized, GPU & FPGA enabled, and bare metal categories)
  13. Purchasing options at a glance
      Reserved Instances
      • Pay a low upfront price
      • Reserve an instance slot
      • Secure a low hourly rate
      • Sell & modify reservations if your needs change
      On-Demand Instances
      • Pay as you go
      • Flat hourly rate
      • No commitment
      Spot Instances
      • Bid what you like: your Spot instances run while your bid > the Spot price
      • Save up to 90% off of On-Demand
      • Run 1,000s of instances
  14. EC2 Operating Systems Supported
      • Windows 2003R2/2008/2008R2/2012/2012R2/2016/2019
      • Amazon Linux / Amazon Linux 2
      • Debian
      • SUSE
      • CentOS
      • Red Hat Enterprise Linux
      • Ubuntu
      For more OSes see: https://aws.amazon.com/marketplace/b/2649367011
  15. Layer your options
  16. EC2 Security and Design
  17. Details of a Virtual Machine (diagram)
      • Hypervisor hosting the VM workspace
      • One or more ephemeral (temporary) drives
      • One or more EBS (persistent) drives, with EBS Snapshots stored in Amazon S3
      • Network I/O
  18. EBS AMI First Time Boot (diagram): the EBS drive attaches to the hypervisor and the instance boots from it
  19. EBS AMI Restart (diagram): the same EBS drive is reattached
  20. EBS AMI Terminate (diagram): default behavior is that the drive is deleted
  21. EC2 Host Virtualization (diagram): a physical host with physical interfaces, a firewall and the hypervisor; customer instances of different sizes (large, small, …) sit on virtual interfaces, each governed by its own Security Groups
  22. EC2 Security Groups
      Security Group Rules
      • Name
      • Description
      • Protocol
      • Port range
      • IP address, IP range, Security Group name
  23. Tiered EC2 Security Groups
      Hierarchical Security Group Rules
      • Dynamically created rules
      • Based on Security Group membership
      • Create tiered network architectures
      Example:
      • “Web” Security Group: TCP 80 from 0.0.0.0/0; TCP 22 from “Mgmt”
      • “App” Security Group: TCP 8080 from “Web”; TCP 22 from “Mgmt”
      • “DB” Security Group: TCP 3306 from “App”; TCP 22 from “Mgmt”
      • “Mgmt” Security Group: TCP 22 from 163.128.25.32/32
  24. EC2 IP Addressing
      Default VPC
      • Dynamic Private IP
      • Dynamic Public IP
      • Optional Static Public IP (EIP)
      • AWS-provided DNS names (Private DNS name, Public DNS name)
      • AWS-provided public DNS lookup
      Virtual Private Cloud
      • Dynamic or Static Private IP Address
      • No public IP by default (can be created with publicIP=true)
      • Optional Static Public IP (EIP)
      • AWS-provided private DNS names
      • Customer-controlled DNS options
  25. EC2-Specific Credentials
      EC2 key pairs
      • Linux: SSH key pair for first-time host login
      • Windows: retrieve Administrator password
      Standard SSH RSA key pair
      • Public/Private Keys
      • Private keys are not stored by AWS
      AWS approach for providing initial access to a generic OS
      • Secure
      • Personalized
      • Non-generic (NIST, PCI DSS)
      The “Public Half” is inserted by Amazon into each EC2 instance that you launch; the “Private Half” is downloaded to your desktop.
  26. EC2 Instance access and Key Pairs: Linux launch (first boot)
      • Public key made available through instance metadata
      • Public key inserted into ~/.ssh/authorized_keys
      • User connects with SSH using their private key
  27. EC2 Instance access and Key Pairs: Windows launch (first boot sequence)
      • Public key made available through instance metadata
      • Sysprep
      • Random Administrator password
      • Password encrypted with the public key and written to the system log: <Password> aGIhplGOqrJQmBJW … K9gTD31Q== </Password>
      • User decrypts the password with their private key
  28. Instance Metadata
      http://169.254.169.254/latest/meta-data/ contains a wealth of info:
      • ami-id
      • ami-launch-index
      • ami-manifest-path
      • block-device-mapping/
      • hostname
      • instance-action
      • instance-id
      • instance-type
      • kernel-id
      • local-hostname
      • local-ipv4
      • mac
      • network/
      • placement/availability-zone
      • profile
      • public-hostname
      • public-ipv4
      • public-keys/
  29. EC2 Immersion Lab
  30. Introduction to Amazon EC2
      Please visit the following Web Page: https://amazon.qwiklabs.com/focuses/368?parent=catalog
  31. Networking in AWS
  32. Overview
      AWS networking services include:
      • VPC: extend your network into a virtual private cloud
      • Direct Connect: physical cross connect into AWS
      • ELB: managed load balancer service
      • Route53: managed DNS service
      • EIP: Elastic IP
  33. Network Building Blocks: Amazon Virtual Private Cloud (VPC)
      Your own logically isolated section of AWS
      Bring your own network:
      • IP Addresses
      • Subnets
      • Network Topology
      • Routing Tables
      Multiple Connectivity Options
      Advanced Security Features
  34. Network Building Blocks: Amazon VPC (diagram): a VPC spanning Availability Zone A and Availability Zone B; “your network goes here”
  35. Network Building Blocks: Amazon VPC (diagram): bring your own network and create your own subnets, with one VPC subnet shown in each Availability Zone
  36. Plan your VPC IP space before creating it
      IP Addressing
      • Consider future AWS region expansion
      • Consider future connectivity to corporate networks
      • Consider subnet design carefully for growth
      • VPC IPv4 CIDR block may be sized between /16 (65,536 IP addresses) and /28 (16 IP addresses)
      • A CIDR block cannot be modified once created
      • …but you can add new CIDR blocks to expand the VPC IP addressing
      • Overlapping IP spaces = future headache
  37. Network Building Blocks: Network Control – Security Groups
      • Inbound / Outbound
      • Instance level inspection
      • Microsegmentation
      • Mandatory: all instances have an associated Security Group
      • Stateful
      • Can be cross referenced
      • Works across VPC Peering
      • Only supports allow rules
      • Implicit deny all at the end
  38. Network Building Blocks: Network Control – Security Groups (example: Public Subnet with the Web/App Tier, Private Subnet with the DB Tier)
      Inbound Security Group SG-WebELB
      • Traffic from 0.0.0.0/0, protocol HTTPS, L4 port TCP 443: Allow
      • Anything else: Deny
      Inbound Security Group SG-WebTier
      • Traffic from SG-WebELB, protocol HTTP, L4 port TCP 80: Allow
      • Anything else: Deny
      Inbound Security Group SG-DatabaseTier
      • Traffic from SG-WebTier, protocol MySQL, L4 port TCP 3306: Allow
      • Anything else: Deny
  39. Network Building Blocks: Network Control – Network Access List
      • Optional level of security
      • By default, allow all traffic
      • Subnet level inspection
      • Stateless
      • IP and TCP/UDP port based
      • Supports allow and deny rules
      • Deny all at the end
  40. Network Building Blocks: Network Control – Network Access List (example: Public Subnet 10.0.10.0/24 and Private Subnet 10.0.30.0/24)
      Inbound Network ACL
      • Source 10.0.10.0/0, protocol TCP, L4 port MySQL 3306: Allow
      • Anything else: Deny
      Outbound Network ACL
      • Destination 10.0.10.0/0, protocol TCP, any port: Allow
      • Anything else: Deny
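The Security Group and Network ACL behaviour described on these slides, modelled in a small evaluator as an added example (not part of the original deck). The three groups follow the slide's SG-WebELB / SG-WebTier / SG-DatabaseTier table; the instance addresses, the client address and the NACL rule sets are constructed, and only the standard library is used.

```python
"""Added example, not from the original deck: a model of the two VPC controls
the slides contrast. Security Groups are stateful, allow-only, evaluated per
instance, and a rule's source may be a CIDR or another Security Group; Network
ACLs are stateless, ordered allow/deny lists evaluated per subnet with an
implicit deny at the end. The groups mirror the slide table (SG-WebELB ->
SG-WebTier -> SG-DatabaseTier); addresses and NACL rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class SGRule:
    protocol: str   # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    source: str     # CIDR such as "0.0.0.0/0", or a Security Group name


@dataclass(frozen=True)
class NaclRule:
    number: int     # evaluation order, lowest first
    protocol: str
    port_from: int
    port_to: int
    cidr: str       # remote network the rule applies to
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Instance:
    private_ip: str
    groups: FrozenSet[str]   # Security Groups attached to the instance


class SecurityGroupEngine:
    """Inbound evaluation: a matching rule allows; unmatched traffic is dropped."""
    def __init__(self, groups: Dict[str, List[SGRule]], instances: List[Instance]):
        self.groups = groups
        self.by_ip = {i.private_ip: i for i in instances}
        self.conntrack: Set[Tuple[str, str, str, int]] = set()   # accepted flows

    def _source_ok(self, rule: SGRule, src_ip: str) -> bool:
        if rule.source in self.groups:   # cross-referenced group: sender must be a member
            sender = self.by_ip.get(src_ip)
            return sender is not None and rule.source in sender.groups
        return ip_address(src_ip) in ip_network(rule.source)

    def inbound(self, dst: Instance, src_ip: str, proto: str, port: int) -> bool:
        for name in dst.groups:
            for rule in self.groups[name]:
                if (rule.protocol in (proto, "-1") and rule.port_from <= port <= rule.port_to
                        and self._source_ok(rule, src_ip)):
                    self.conntrack.add((src_ip, dst.private_ip, proto, port))
                    return True
        return False   # implicit deny all

    def reply(self, src: Instance, dst_ip: str, proto: str, src_port: int) -> bool:
        """Stateful: the reply to an accepted flow needs no rule of its own."""
        return (dst_ip, src.private_ip, proto, src_port) in self.conntrack


def nacl_allows(rules: List[NaclRule], remote_ip: str, proto: str, port: int) -> bool:
    """Stateless first-match evaluation; unmatched traffic hits the final '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if (rule.protocol in (proto, "-1") and rule.port_from <= port <= rule.port_to
                and ip_address(remote_ip) in ip_network(rule.cidr)):
            return rule.action == "allow"
    return False


def demo() -> Dict[str, bool]:
    groups = {
        "SG-WebELB": [SGRule("tcp", 443, 443, "0.0.0.0/0")],
        "SG-WebTier": [SGRule("tcp", 80, 80, "SG-WebELB")],
        "SG-DatabaseTier": [SGRule("tcp", 3306, 3306, "SG-WebTier")],
    }
    elb = Instance("10.0.10.5", frozenset({"SG-WebELB"}))   # constructed hosts
    web = Instance("10.0.10.6", frozenset({"SG-WebTier"}))
    db = Instance("10.0.20.9", frozenset({"SG-DatabaseTier"}))
    sg = SecurityGroupEngine(groups, [elb, web, db])
    # Constructed NACL for the DB subnet: MySQL in from the web subnet, one host denied.
    nacl_in = [NaclRule(90, "tcp", 3306, 3306, "10.0.10.99/32", "deny"),
               NaclRule(100, "tcp", 3306, 3306, "10.0.10.0/24", "allow")]
    nacl_out_bad = [NaclRule(100, "tcp", 3306, 3306, "10.0.10.0/24", "allow")]
    nacl_out_ok = [NaclRule(100, "tcp", 1024, 65535, "10.0.10.0/24", "allow")]
    return {
        "internet_to_elb_443": sg.inbound(elb, "203.0.113.7", "tcp", 443),        # True
        "internet_to_web_80": sg.inbound(web, "203.0.113.7", "tcp", 80),          # False
        "elb_to_web_80": sg.inbound(web, elb.private_ip, "tcp", 80),              # True
        "web_to_db_3306": sg.inbound(db, web.private_ip, "tcp", 3306),            # True
        "db_reply_to_web": sg.reply(db, web.private_ip, "tcp", 3306),             # True
        "nacl_in_from_web": nacl_allows(nacl_in, web.private_ip, "tcp", 3306),    # True
        "nacl_in_denied_host": nacl_allows(nacl_in, "10.0.10.99", "tcp", 3306),   # False
        # Stateless: the reply hits an ephemeral port, so opening only 3306 outbound breaks it.
        "nacl_reply_bad": nacl_allows(nacl_out_bad, web.private_ip, "tcp", 49152),  # False
        "nacl_reply_ok": nacl_allows(nacl_out_ok, web.private_ip, "tcp", 49152),    # True
    }
```

Call demo() to see each flow's verdict; the last two entries show the stateless NACL failure mode and the ephemeral-port rule that fixes it.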
  41. Network Building Blocks: Network Control – Route Rules
      • Each subnet can have a unique Route Table
      • Direct traffic out of the VPC via:
        • IGW
        • VGW
        • VPC Endpoints
        • Direct Connect
        • VPC Peering
  42. Network Building Blocks: Network Control – Route Rules (example)
      VPC 10.0.0.0/16 with a Public Subnet 10.0.10.0/24 and a Private Subnet 10.0.20.0/24; Corporate Datacenter 172.16.0.0/16; peered VPC 192.168.0.0/16
      Route table (Destination: Target)
      • 10.0.0.0/16: local
      • 192.168.0.0/16: pcx- (VPC peering connection)
      • 172.16.0.0/16: vgw- (virtual private gateway)
      • 0.0.0.0/0: igw- (internet gateway)
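Two standard-library checks for the IP planning and route table slides above, added here as an example (not the deck's own material): the CIDR sizing and overlap validation the planning slide calls for, and the longest-prefix-match lookup a subnet route table performs. The slide's prefixes are reused; the extra planned blocks and the target ids ending in PLACEHOLDER are constructed.

```python
"""Added example, not from the original deck: plan_vpc_cidrs() validates that
each planned VPC block is a proper network within the /16 to /28 range the slide
gives and does not overlap existing VPCs or corporate ranges it may later be
peered or VPN-connected to; resolve_route() does the longest-prefix-match lookup
a subnet route table performs. Target ids are constructed placeholders because
the slide only shows truncated ids (pcx-, vgw-, igw-)."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

MIN_PREFIX, MAX_PREFIX = 16, 28   # VPC IPv4 CIDR block size limits from the slide


def plan_vpc_cidrs(planned: List[str], in_use: List[str]) -> Dict[str, List[str]]:
    """Return {cidr: [problems]} for every planned block; an empty list means it
    is safe to create. 'in_use' holds networks already allocated elsewhere
    (existing VPC CIDR blocks, corporate networks reachable over VPN or DX)."""
    report: Dict[str, List[str]] = {}
    parsed: Dict[str, IPv4Network] = {}
    for cidr in planned:
        problems: List[str] = []
        try:
            net = ip_network(cidr, strict=True)   # rejects a CIDR with host bits set
        except ValueError as exc:
            report[cidr] = [f"not a valid network: {exc}"]
            continue
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"prefix /{net.prefixlen} outside /{MIN_PREFIX}-/{MAX_PREFIX}")
        for used in in_use:
            if net.overlaps(ip_network(used)):
                problems.append(f"overlaps existing range {used}")
        for other, other_net in parsed.items():
            if net.overlaps(other_net):   # report the clash on both planned blocks
                problems.append(f"overlaps planned VPC {other}")
                report[other].append(f"overlaps planned VPC {cidr}")
        parsed[cidr] = net
        report[cidr] = problems
    return report


def resolve_route(table: List[Tuple[str, str]], dst_ip: str) -> Optional[str]:
    """Longest-prefix match over (destination CIDR, target) pairs. Returns the
    target, or None when no route covers the destination (a private subnet
    table without a 0.0.0.0/0 route has no path to the internet)."""
    dst = ip_address(dst_ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, target in table:
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None


# Route table shaped like the slide's public subnet table; ids are placeholders.
PUBLIC_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("192.168.0.0/16", "pcx-PLACEHOLDER"),   # peered VPC
    ("172.16.0.0/16", "vgw-PLACEHOLDER"),    # corporate datacenter over VPN
    ("0.0.0.0/0", "igw-PLACEHOLDER"),        # everything else to the internet
]
# Private subnet: the same table without the default route.
PRIVATE_ROUTES = PUBLIC_ROUTES[:-1]


def demo() -> dict:
    # Constructed plan: one clean VPC, one that collides with the corporate
    # range, one that is larger than /16, and one with host bits set.
    report = plan_vpc_cidrs(
        planned=["10.0.0.0/16", "172.16.8.0/22", "10.0.0.0/8", "10.0.10.0/0"],
        in_use=["172.16.0.0/16", "192.168.0.0/16"],
    )
    return {
        "plan": report,
        "public_to_db": resolve_route(PUBLIC_ROUTES, "10.0.20.9"),              # "local"
        "public_to_peer": resolve_route(PUBLIC_ROUTES, "192.168.5.5"),          # pcx-
        "public_to_corp": resolve_route(PUBLIC_ROUTES, "172.16.0.1"),           # vgw-
        "public_to_internet": resolve_route(PUBLIC_ROUTES, "198.51.100.2"),     # igw-
        "private_to_internet": resolve_route(PRIVATE_ROUTES, "198.51.100.2"),   # None
    }
```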
  43. Network Building Blocks: VPC Gateways – Internet Gateway (IGW) (diagram): instances in the Public Subnet (private IPs 10.0.10.6 and 10.0.10.7) reach the Public Internet through the Internet Gateway, one of them via Elastic IP 198.51.100.2; the Private Subnet instance (private IP 10.0.20.9) has no public address
  44. Network Building Blocks: Elastic IP Address (diagram): the same layout, with Elastic IP 198.51.100.2 re-associated from one Public Subnet instance to the other
  45. Network Building Blocks: Internet Gateway + Elastic IPs
      IGW - Internet Gateway
      • One per VPC
      • Horizontally scaling
      • Redundant
      • Highly available
      EIP - Elastic IPs
      • Public IP address
      • Can be re-associated
  46. Network Building Blocks: VPN – Virtual Private Network (1.25 Gbps max) (diagram): a VPN Connection of 2x IPsec tunnels between the Customer Gateway (CGW) in the Corporate Datacenter and the Virtual Private Gateway (VGW) of the VPC; other AWS services (Amazon S3, DynamoDB, API Gateway) sit outside the VPC
  47. Network Building Blocks: VGW – Virtual Private Gateway
      • One VGW per VPC
      • Redundant VPN tunnels, terminating in different AZs
      • IPsec: AES 256-bit encryption, SHA-2 hashing
      • Scalable
      • BGP or static routing
  48. Network Building Blocks: AWS Direct Connect (10 Gbps max) (diagram): the Corporate Datacenter WAN reaches a Direct Connect Location, from which a Public VIF leads to AWS services (Amazon S3, DynamoDB, API Gateway, others) and a Private VIF leads to the VPC’s VGW
  49. Network Building Blocks: AWS Direct Connect (10 Gbps max)
      • 1 Gbps or 10 Gbps fiber cross connect
      • 50M - 500M available through APN Partners
      • Single VIF per connection through APN Partners
      • Consistent network performance
      • Lower latency compared to a VPN connection
  50. Network Building Blocks: Elastic Load Balancer (ELB) (diagram): one ELB spanning the Public Subnets in Availability Zones A and B, and another spanning the Private Subnets
  51. Network Building Blocks: ELB - Application Load Balancer
      • Layer 7 Load Balancing
      • Content-Based Routing (host and path based)
      • Containerized Application Support (ECS, EKS)
      • HTTP/2 Support
      • WebSockets Support
      • Deletion Protection
      • Request Tracing
      • Web Application Firewall (WAF) integration
  52. Network Building Blocks: ELB - Network Load Balancer
      • Layer 4 Load Balancing
      • Connection-based Load Balancing
      • High Throughput
      • Low Latency
      • Preserve source IP address
      • Static IP and Elastic IP
      • Long-lived TCP Connections
      • Ideal for WebSockets
      • IP addresses as Targets
      • New: TLS termination
  53. Network Building Blocks: Elastic Load Balancer (ELB) – Classic Load Balancer
      • Layer 4 & Layer 7 Load Balancing
      • Region level service
      • Cross AZ
      • Built-in Health Check
      • Auto Scaling Integration
      • SSL Supported
      • Client SSL Termination
      • Backend ELB-to-Server mutual SSL
      • Sticky Sessions
  54. Network Building Blocks: Route 53
      • AWS DNS service
      • 100% availability SLA
      • Domain Registration
      • Domain name resolution
      • Health Checks
      • DNS Failover
      • Latency Based Routing
      • Geo Based Routing
      • Weighted Round Robin
      • Private DNS for VPC
  55. Network Building Blocks: Route 53 (diagram): DNS failover across two AWS Regions (is the main site healthy? yes: App; no: App DR) and weighted A/B testing (95% to App Version A, 5% to App Version B)
  56. VPC Immersion Lab
  57. Introduction to Amazon Virtual Private Cloud (VPC)
      Please visit the following Web Page: https://amazon.qwiklabs.com/focuses/279?parent=catalog
  58. Storage on AWS
  59. Why choose AWS for storage?
      Compelling economics, easy to use, reduced risk, and speed, agility and scale:
      • Pay as you go
      • No upfront investment
      • No commitment
      • No risky capacity planning
      • No need to provision for redundancy or overhead
      • Self service administration
      • SDKs for simple integration
      • Durable and secure
      • Avoid risks of physical media handling
      • Reduce time to market
      • Focus on your business, not your infrastructure
  60. Block vs File vs Object
      Block Storage
      • Raw storage
      • Data organized as an array of unrelated blocks
      • Host file system places data on disk, e.g. Microsoft NTFS, Unix ZFS
      File Storage
      • Unrelated data blocks managed by a file (serving) system
      • Native file system places data on disk
      Object Storage
      • Stores virtual containers that encapsulate the data, data attributes, metadata and Object IDs
      • API access to data
      • Metadata driven, policy-based, etc.
  61. Storage - Characteristics
      Some of the ways we look at storage:
      • Durability: measure of expected data loss
      • Availability: measure of expected downtime
      • Security: security measures in place
      • Cost: amount per storage unit, e.g. $ / GB
      • Scalability: upward flexibility
      • Performance: performance metrics
      • Integration: ability to interact with
  62. AWS Storage Services
      • AWS Snowmobile
      • Amazon Snowball & Snowball Edge
      • AWS Storage Gateway
      • Amazon Glacier
      • Amazon S3 (Simple Storage Service)
      • Amazon EC2 Instance Store (Ephemeral Volumes)
      • Amazon Elastic File System (EFS)
      • Amazon EBS (Elastic Block Storage)
  63. Amazon EBS
      • Persistent block level storage for EC2
      • Pay only for what you provision
      • Native redundancy and write cache
      • Consistent and low-latency performance
      • Optimized for random I/O
      • Native support for encryption at rest (data volumes)
      • Ability to modify the size, type or IOPS of a volume
  64. Amazon EBS
      Network attached block device
      • Independent data lifecycle
      • Virtual disks
      • Multiple volumes per EC2 instance
      • Only one EC2 instance at a time per volume
      • Can be detached from an instance and attached to a different one
      Raw block devices
      • Unformatted block devices
      • Ideal for databases, filesystems
      Available in multiple types
      • Magnetic (Throughput Optimised, and Cold)
      • SSD (General Purpose, and Provisioned IOPS)
  65. AWS EBS Features
      Durable
      • Designed for five 9’s reliability
      • Redundant storage across multiple devices within an AZ
      Secure
      • Identity and Access Policies
      • Encryption
      Performance
      • Low-latency SSD
      • Consistent I/O performance
      • Stripe multiple volumes for higher I/O performance
      Scalable
      • Unlimited capacity when you need it
      • Easily scale up and down
      Backup
      • Point-in-time Snapshots
      • Copy snapshots across AZs and Regions
  66. EBS Volume Types Comparison
      General Purpose (SSD)
      • Performance: burstable
      • Use cases: boot volumes, small to medium DBs, dev & test
      • Media: SSD
      • Max IOPS: baseline 3 IOPS/GB, burstable to 16,000 IOPS
      Provisioned IOPS (SSD)
      • Performance: predictable
      • Use cases: I/O intensive relational & NoSQL DBs
      • Media: SSD
      • Max IOPS: consistently performs at the provisioned level, up to 64,000 IOPS
      Throughput Optimized (HDD)
      • Performance: throughput intensive workloads
      • Use cases: big data, data warehouses, log processing
      • Media: HDD
      • Max IOPS: 500
      Cold (HDD)
      • Performance: less frequently accessed workloads
      • Use cases: colder data requiring fewer scans per day
      • Media: HDD
      • Max IOPS: 250
  67. EBS Provisioned IOPS
      EBS Optimized Instances
      • Dedicated storage throughput
      Predictable Performance
      • 100-64000 IOPS per volume
      • Single digit millisecond latency
      Performance Design
      • Deliver within 10% of provisioned IOPS, 99.9% of the time
      Provisioned IOPS (SSD) summary: predictable performance; I/O intensive relational & NoSQL workloads; SSD media; consistently performs at the provisioned level, up to 64,000 IOPS; $.125/GB/Month plus $.065/provisioned IOPS
  68. EBS Snapshots (diagram): EBS volumes attached to EC2 instances within an Availability Zone; Create Snapshot writes EBS Snapshots to Amazon S3, and Clone From Snapshot builds new volumes from them
  69. How Do Snapshots Work? (diagram): an EBS volume made of Block 1 to Block 4 changing over time, with Snapshot 1, Snapshot 2 and Snapshot 3 storing the corresponding Chunk 1 to Chunk 4 in S3
  70. EC2 Instance Store (Ephemeral Volumes)
      • Free with your EC2 instance
      • SAS and SSD options
      • Size/type based on instance type
      • Local, direct attached resource
      • Consistent sequential reads and writes
      • Use only for non-persistent data
  71. Elastic File System (EFS)
      • Fully managed file system for EC2 instances
      • Provides standard file system semantics
      • Works with standard operating system APIs
      • Sharable across thousands of instances
      • Elastically grows to petabyte scale
      • Delivers performance for a wide variety of workloads
      • Highly available and durable
      • NFS v4–based
      • Accessible from on-premises servers
  72. Amazon S3 (Simple Storage Service)
      • Web accessible object store
      • Pay for exactly what you use
      • Highly durable (99.999999999% design)
      • Limitlessly scalable
      • Natively online
  73. Amazon S3 (Simple Storage Service)
      • Parallel I/O for max speed (Multipart Upload, Ranged GETs)
      • Resource-level IAM permissions
      • Bucket Policies & ACLs
      • Direct access through APIs
      • Server Side Encryption
      • Static Website Hosting
      • Data Lifecycle Rules
      • S3 Select: allows selection of a subset of data from an object
      • Amazon Athena: interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL
  74. Object Storage Use Cases (data tiering)
      S3
      • Cloud Applications
      • Big Data Analytics
      • Content Distribution
      • Primary Data
      • Temporary & Small Objects
      S3-IA
      • File Sync & Share
      • Active Archive
      • Enterprise Backup
      • Media Transcoding
      • Disaster Recovery / Geo Redundancy
      S3 One Zone IA
      • Secondary Backups
      • Easily Re-Creatable Data
      • S3 Cross-Region Replication Target
      Glacier
      • Deep / Offline Archives
      • Tape Vaulting Replacement
      • WORM Compliant Data
  75. Amazon Glacier: Low-Cost Archival Storage
      Secure
      • SSL & AES-256
      Durable
      • Designed for 99.999999999% durability
      Optimized for data archiving and backup
      • Suitable for RTO measured in hours
      • Includes storage costs and retrieval costs
      • Three retrieval options: Expedited, Standard, Bulk
      • Integrated with S3
  76. Storage Gateway: hybrid storage solutions
      Enables using standard storage protocols to access AWS storage services (diagram: Files, Volumes and Tapes presented by the AWS Storage Gateway and stored in Amazon S3, Amazon EBS snapshots and Amazon Glacier, alongside AWS Identity and Access Management (IAM), AWS Key Management Service (KMS), AWS CloudTrail and Amazon CloudWatch)
  77. Storage Gateway – Files, volumes, and tapes
      File gateway
      • NFS (v3, v4.1) & SMB (v2, v3) interface
      • On-premises file storage backed by Amazon S3 objects
      Volume gateway
      • iSCSI block interface
      • On-premises block storage backed by S3 with EBS snapshots
      Tape gateway
      • iSCSI virtual tape library interface
      • Virtual tape storage in Amazon S3 and Glacier with VTL management
  78. Storage Gateway – Common capabilities
      • Standard storage protocols integrate with on-premises applications
      • Local caching for low-latency access to frequently used data
      • Efficient data transfer with buffering and bandwidth management
      • Native data storage in AWS
      • Stateless virtual appliance for resiliency
      • Integrated with AWS management and security
  79. 79. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark File gateway On-premises file storage maintained as objects in Amazon S3 Customer Premises File Gateway Data stored and retrieved from your S3 buckets One-to-one mapping from files-to-objects File metadata stored in object metadata Bucket access managed by IAM role you own and manage Use S3 Lifecycle Policies, versioning, or CRR to manage data GlacierS3 Standard - Infrequent Access HTTPS NFS v3 / v4.1 Application Server S3
  80. 80. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Customer Premises Application Server Volume gateway On-premises volume storage backed by Amazon S3 with EBS snapshots Block storage in S3 accessed via the volume gateway Data compressed in-transit and at-rest Backup on-premises volumes to EBS snapshots Create on-premises volumes from EBS snapshots Up to 1PB of total volume storage per gateway Amazon EBS snapshots Storage Gateway bucket in Amazon S3 iSCSI HTTPS Volume Gateway
  81. 81. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Customer Premises Tape Gateway Archived Tapes stored in Glacier HTTPS Virtual Tapes stored in S3 Tape gateway Virtual tape storage in Amazon S3 and Glacier with VTL management Virtual tape storage in S3 and Glacier accessed via tape gateway Data compressed in-transit and at-rest Unlimited virtual tape storage, with up to 1PB of tapes active in library Supports leading backup applications: MEDIA CHANGER TAPE DRIVE Backup Server
  82. 82. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Amazon Snowball & Snowball Edge Terabyte scale data transport Uses secure appliances Economic and fast Faster than Internet for significant data sets Import into S3
  83. 83. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark What is Snowball? Terabyte scale data transport E-ink shipping label Ruggedized case “8.5G Impact” All data encrypted end-to-end 80 TB 10G network Rain & dust resistant Tamper-resistant case & electronics
  84. 84. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Amazon Snowmobile • Exabyte-scale data transfer service • Each Snowmobile can transfer up to 100PB • Connects to your network via removable high-speed network switch • Appears as network-attached data store • Data encrypted with 256-bit encryption keys, managed through KMS • Snowmobile driven back to AWS and data is loaded into S3, Redshift, Glacier
85. S3 Immersion Lab

86. Introduction to Amazon Simple Storage Service (S3)
Please visit the following web page: https://amazon.qwiklabs.com/focuses/278?parent=catalog

87. Security Essentials

88. What are your preconceptions on cloud security?

89. At AWS, cloud security is the highest priority!
Whitepaper: Introduction to AWS Security

90. Shared Responsibility Model
• "Security OF the Cloud": AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud.
• "Security IN the Cloud": the customer's responsibility is determined by the AWS Cloud services that the customer selects.

91. Traditional On-Premises Security Model
Customers are responsible for end-to-end security in their on-premises data centers, across every layer: Foundation Services (Compute, Storage, Database, Networking), Infrastructure, Operating System, Network & Firewall Configuration, Platform, Applications, Identity & Access Management, Customer content, Client-side Data Encryption, Server-side Data Encryption (optional) and Network Traffic Protection.

92. AWS Security Model when using Infrastructure Services
• AWS takes over responsibility from customers for the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).
• Customer's responsibility: Operating System, Network & Firewall Configuration; Platform, Applications, Identity & Access Management; Customer content; Client-side Data Encryption; Server-side Data Encryption (optional); Network Traffic Protection.
• Access paths: AWS IAM and Customer IAM, API endpoints, management protocols, API calls.

93. AWS Security Model when using Container Services
• Same layers as for Infrastructure Services; with container services AWS also takes over the Operating System and Platform layers.
• Customer's responsibility: Network & Firewall Configuration; Applications, Identity & Access Management; Customer content; Client-side Data Encryption; Server-side Data Encryption (optional); Network Traffic Protection.
• Access paths: AWS IAM and Customer IAM, API endpoints, management protocols, API calls.

94. AWS Security Model when using Abstracted Services
• AWS takes over responsibility for everything up to the service itself, including the Operating System, Network & Firewall Configuration, Platform and Server-side Data Encryption.
• Customer's responsibility: Customer content, Client-side Data Encryption and Network Traffic Protection.
• Access paths: AWS IAM, API endpoints and API calls only; there are no customer-managed identities or management protocols below the API.
95. Move to AWS: Strengthen your security posture
• Inherit global security and compliance controls
• Highest standards for privacy and data security
• Largest network of security partners and solutions
• Scale with superior visibility and control
• Automate with deeply integrated security services

96. Inherit global security and compliance controls

97. AWS Australian Government ISM Certification
The Australian Cyber Security Centre (ACSC) has awarded PROTECTED certification to AWS. This is currently the highest data security certification available in Australia for cloud providers on the Certified Cloud Services List (CCSL). With this new certification, public sector organisations can easily store highly sensitive workloads in the AWS Cloud. Now, with 42 services certified PROTECTED in our commercial Sydney Region, AWS offers the most PROTECTED services of any cloud provider. Importantly, all 42 services are available at current publicly listed prices, so that customers are able to use the AWS Cloud without paying a premium for security. You will find AWS on the ACSC's Certified Cloud Services List (CCSL) at PROTECTED for AWS services, including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), AWS Lambda, AWS Key Management Service (AWS KMS), and Amazon GuardDuty. For more information visit: https://aws.amazon.com/compliance/services-in-scope/

98. Customer applications & Compliance
• Applications built on top of AWS services are not implicitly compliant with the security controls that the AWS services themselves are compliant with.
• Customers need to certify their applications separately by engaging with external auditors: your own accreditation, your own certifications, your own external audits.

99. Highest standards for privacy
• Encryption at scale with keys managed by AWS Key Management Service (KMS), or manage your own encryption keys with CloudHSM using FIPS 140-2 Level 3 validated HSMs
• Meet data residency requirements: choose an AWS Region and AWS will not replicate your data elsewhere unless you choose to do so
• Access services and tools that enable you to build compliant infrastructure on top of AWS
• Comply with local data privacy laws by controlling who can access content, its lifecycle, and its disposal

100. Automate with integrated services: Automated threat remediation
Amazon GuardDuty findings are delivered as Amazon CloudWatch Events, which trigger an AWS Lambda function that carries out the remediation.

101. Largest ecosystem of security partners and solutions
Categories: Infrastructure security; Logging & monitoring; Identity & access control; Configuration & vulnerability analysis; Data protection

102. AWS security solutions
• Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Secrets Manager, AWS Single Sign-On
• Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
• Infrastructure security: AWS Systems Manager, AWS Shield, AWS WAF (web application firewall), AWS Firewall Manager, Amazon Inspector, Amazon Virtual Private Cloud (VPC)
• Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, AWS Certificate Manager, Server-Side Encryption
• Incident response: AWS Config Rules, AWS Lambda
103. What is Identity Management?
• Authenticate: IAM username/password, access key (+ MFA), federation
• Authorize: IAM policies, resource policies, IAM roles
• Audit: AWS CloudTrail, Amazon CloudWatch

104. Authentication and Authorization on AWS
Security, governance, and oversight = Authentication + Authorization + Audit/Log, provided by Identity & Access Management (IAM), AWS Directory Service and AWS CloudTrail.

105. Identity and Access Management

106. AWS Principals
• Account Owner ID (Root Account): access to all subscribed services; access to billing; access to console and APIs; access to Customer Support
• IAM Users, Roles, Federated Users: access to specific services; access to console and/or APIs; access to Customer Support (Business and Enterprise)
• Temporary Security Credentials for Applications: access to specific services; access to console and/or APIs

107. AWS Identity Authentication: How do we know you are who you say you are?
• AWS Management Console: login with username/password, with optional MFA (recommended)
• API and CLI access: access the API using Access Key ID + Secret Key, with optional MFA (Multi-Factor Authentication device)
  Access Key ID example: AKIAIOSFODNN7EXAMPLE
  Secret Key example: UtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

108. AWS Authorization: What are you allowed to do?
• Account Owner (Root): privileged for all actions. Immediately turn on MFA for Root!
• IAM and Resource Policies: privileges defined at the User and Resource level

109. Considerations for Layers of Principals
• Amazon Web Services: identities are Developers, Solutions Architects, Testers, Software/Platform. Interactions of AWS identities: provisioning/deprovisioning EC2 instances and EBS storage; configuring Elastic Load Balancers; accessing S3 objects or data in DynamoDB; interacting with SQS queues; sending SNS notifications.
• Operating Systems: identities are Developers and/or Systems Engineers
• Applications: identities are Application Users, Application Administrators

110. AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources for your users.
• Username/User; manage groups of users; centralized access control
• Optional configurations: password for console access; policies for controlling access to AWS APIs; two methods to sign API calls (X.509 certificate, or Access/Secret Keys); Multi-factor Authentication (MFA)

111. AWS IAM Hierarchy of Privileges
Enforce the principle of least privilege with IAM users, groups, policies and temporary credentials.
• AWS Account Owner (Root): unrestricted access to all enabled services and resources. Example: Action: *, Effect: Allow, Resource: * (implicit)
• AWS IAM User: access restricted by Group and User policies. Example: Action: ['s3:*', 'sts:Get*'], Effect: Allow, Resource: *
• Temporary Security Credentials: access restricted by the generating identity and further by the policies used to generate the token. Example: Action: ['s3:Get*'], Effect: Allow, Resource: 'arn:aws:s3:::mybucket/*'
112. Basic Policy Enforcement
• AWS retrieves all policies associated with the user and resource.
• Only policies that match the action, resource and conditions are evaluated.
Evaluation flow:
1. The decision starts at Deny.
2. Evaluate all applicable policies.
3. Is there an explicit Deny? Yes: final decision = "Deny" (explicit Deny).
4. No explicit Deny: is there an Allow? Yes: final decision = "Allow".
5. No Allow: final decision = "Deny" (default Deny).

113. Moving towards Role-based Authorization
• User EmployeeA belongs to the group AccessOnly, whose IAM policy allows sts:AssumeRole and denies everything else.
• EmployeeA assumes the role EC2 Administrator, which has the policy EC2AdminPolicy: allow ec2:*, deny everything else.
• Through the role, EmployeeA performs the action EC2 Create Instance.
• CloudTrail logs the call with "userIdentity": { "type": "AssumedRole", ... "username": "EmployeeA" }, so the action remains attributable to EmployeeA.

114. Common approaches for Applications and Operating Systems
• LDAP directories / Domain Controller: on-premises, accessed over VPN; replicated to AWS (read-only or read/write); federated (one-way trusts, ADFS); managed Samba-based directories via AWS Directory Service
• Local user databases: local password (passwd) files; local Windows admin accounts; user databases

115. AWS Directory Service

116. AWS Directory Service: Managed service for Active Directory
• AD Connector: connect to your on-premises Active Directory; integrates with existing RADIUS MFA solutions
• Simple AD: a Microsoft Active Directory-compatible directory powered by Samba 4
• Microsoft AD: based on Microsoft Active Directory in Windows Server 2012 R2

117. AWS Logging and Auditing Services

118. AWS CloudTrail
Web service that records AWS API calls for your account and delivers logs.
Who? | When? | What? | Where to? | Where from?
Bill | 3:27pm | Launch Instance | us-west-2 | 72.21.198.64
Alice | 8:19am | Added Bob to admin group | us-east-1 | 127.0.0.1
Steve | 2:22pm | Deleted DynamoDB table | eu-west-1 | 205.251.233.176

119. AWS CloudWatch
Monitoring service for AWS resources and AWS-based applications.
What does it do? | How can you use it? | Component
Monitor and store logs | React to application log events and availability | CloudWatch Logs / CloudWatch Events
Set alarms (react to changes) | Automatically scale an EC2 instance fleet | CloudWatch Alarms
View graphs and statistics | View operational status and identify issues | CloudWatch Dashboards
Collect and track metrics | Monitor CPU, memory, disk I/O, network, etc. | CloudWatch Metrics
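As an added example (not AWS tooling and not from the deck), the Who / When / What / Where-to / Where-from view of slide 118 produced from CloudTrail records, with flags for the situations the deck itself calls out: root account use without MFA (slide 108), IAM privilege changes like "Added Bob to admin group", and destructive calls. The records are constructed to mirror the slide's table plus one root console login; the field names are the ones CloudTrail emits, and the account id 123456789012 and IP 198.51.100.7 are placeholders.

```python
"""Triage CloudTrail records into the slide 118 table and flag events worth review.
Added example, not AWS code. SAMPLE_TRAIL is constructed sample data."""

SAMPLE_TRAIL = [
    {"eventTime": "2019-05-01T15:27:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "72.21.198.64",
     "userIdentity": {"type": "IAMUser", "userName": "Bill",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2019-05-01T08:19:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "127.0.0.1",
     "userIdentity": {"type": "IAMUser", "userName": "Alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"userName": "Bob", "groupName": "admin"}},
    {"eventTime": "2019-05-01T14:22:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "awsRegion": "eu-west-1",
     "sourceIPAddress": "205.251.233.176",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DBAdmin/Steve",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"tableName": "orders"}},
    {"eventTime": "2019-05-01T23:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",   # placeholder address
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
]

# IAM calls that change who can do what; each deserves a reviewer's eye.
IAM_PRIVILEGE_EVENTS = {
    "AddUserToGroup", "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutRolePolicy", "CreateAccessKey", "CreateLoginProfile",
    "UpdateAssumeRolePolicy",
}


def who(record):
    """Resolve the caller; a role session is named after the person who assumed it (slide 113)."""
    ident = record["userIdentity"]
    if ident.get("type") == "Root":
        return "root"
    if ident.get("type") == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<role>/<session-name>
        role, session = ident["arn"].rsplit("/", 2)[-2:]
        return f"{session} (via role {role})"
    return ident.get("userName", "unknown")


def what(record):
    """Render the event the way the slide does, using requestParameters."""
    params = record.get("requestParameters") or {}
    name = record["eventName"]
    if name == "RunInstances":
        return "Launch Instance"
    if name == "AddUserToGroup":
        return f"Added {params['userName']} to {params['groupName']} group"
    if name == "DeleteTable":
        return f"Deleted DynamoDB table {params['tableName']}"
    return name


def mfa_used(record):
    """API calls carry sessionContext.attributes.mfaAuthenticated; console logins carry additionalEventData.MFAUsed."""
    attrs = record["userIdentity"].get("sessionContext", {}).get("attributes", {})
    extra = record.get("additionalEventData", {})
    return attrs.get("mfaAuthenticated") == "true" or extra.get("MFAUsed") == "Yes"


def flags(record):
    out = []
    if record["userIdentity"].get("type") == "Root":
        out.append("root-account-used")
        if not mfa_used(record):
            out.append("root-without-mfa")      # slide 108: turn on MFA for root
    if record["eventSource"] == "iam.amazonaws.com" and record["eventName"] in IAM_PRIVILEGE_EVENTS:
        out.append("iam-privilege-change")
    if record["eventName"].startswith("Delete"):
        out.append("destructive-action")
    return out


def summarize(record):
    return {"who": who(record), "when": record["eventTime"], "what": what(record),
            "where_to": record["awsRegion"], "where_from": record["sourceIPAddress"],
            "flags": flags(record)}


def triage(records):
    """One summary row per record, in trail order."""
    return [summarize(r) for r in records]


def needs_review(records):
    """Only the rows that raised at least one flag."""
    return [row for row in triage(records) if row["flags"]]


if __name__ == "__main__":
    for row in needs_review(SAMPLE_TRAIL):
        print(row)
```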
120. AWS Encryption Services

121. Encryption: Protecting data in transit and at rest
Details about encryption can be found in the AWS whitepaper "Securing Data at Rest with Encryption".
• Encryption in transit: HTTPS, SSL/TLS, VPN / IPsec, SSH
• Encryption at rest: object, database, filesystem, disk

122. Encryption in Transit

123. Challenges of SSL/TLS Certificate Management
"I want to provision an SSL/TLS certificate for my web site so visitors can positively identify my site, connect to it securely over HTTPS, and see a lock icon in the browser's address bar." - AWS Customer

124. The Old Way
1. Use a command-line utility (e.g. OpenSSL) to create a key pair and CSR
2. Submit the CSR to the CA by copying/pasting it into a web site
3. Prove your identity (email or other means)
4. Download and copy the files to your server, ensuring the order is correct
5. Install, or upload to AWS for use with ELB or CloudFront
6. Repeat every year (the process may have changed since last time)
7. Avoid expiration, which can cause downtime
And: securely manage and store the private key during the certificate lifetime.

125. The New Way
1. Enter a domain name, and five clicks later a certificate is issued
2. Select the certificate from a drop-down list to deploy it

126. AWS Certificate Manager (ACM)
• Provision trusted SSL/TLS certificates from AWS for use with AWS resources: Elastic Load Balancing; Amazon CloudFront distributions
• AWS handles the muck: key pair and CSR generation; managed renewal and deployment; domain validation (DV) through email
• Available through the AWS Management Console, AWS Command Line Interface (AWS CLI), or API
• Provided public certificates are:

127. Encryption at rest

128. Options for using encryption in AWS
• Client-side encryption: you encrypt your data before it is submitted to the service; you supply the encryption keys OR use keys in your AWS account
• Server-side encryption: AWS encrypts data on your behalf after it is received by the service; 48 integrated services including S3, Snowball, EBS, RDS, Amazon Redshift, WorkSpaces, Amazon Kinesis Firehose, CloudTrail

129. AWS Key Management Service (KMS)
• Managed service that simplifies the lifecycle of encryption keys
• Integrated with CloudTrail
• Available in all commercial regions except China
• Integrated with the AWS Identity and Access Management (IAM) console:

130. How does integration with KMS work?
Two-tiered key hierarchy using envelope encryption:
• A unique data key encrypts the customer data
• KMS master keys encrypt the data keys
Benefits:
• Limits the risk of a compromised data key
• Better performance for encrypting large data
• Easier to manage a small number of master keys than millions of data keys
• Centralized access and audit of key activity
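The two-tier hierarchy of slide 130, as an added illustration that is neither the KMS implementation nor AWS SDK code. KeyService is an assumed in-memory stand-in for KMS (master keys never leave it, each object gets a fresh data key plus a copy wrapped under the master key, and every key operation is recorded, the role CloudTrail plays for real KMS); the cipher is a stdlib-only stand-in (HMAC-SHA256 keystream plus an HMAC tag) so the example runs without third-party packages, whereas KMS and the AWS Encryption SDK use AES-GCM.

```python
"""Envelope encryption: one master key wraps many per-object data keys.
Added example, not KMS code. The cipher below is a stdlib stand-in for AES-GCM."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    # Separate keystream and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode with HMAC as the PRF: block_i = HMAC(enc_key, nonce || i).
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; a wrong key or edited ciphertext raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered ciphertext)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyService:
    """Assumed stand-in for KMS: holds master keys, wraps/unwraps data keys, logs key use."""

    def __init__(self):
        self._master = {}
        self.audit = []          # centralized audit of key activity

    def create_master_key(self, key_id: str) -> str:
        self._master[key_id] = os.urandom(32)
        self.audit.append(("CreateKey", key_id))
        return key_id

    def generate_data_key(self, key_id: str):
        """Return (plaintext data key, the same key wrapped under master key key_id)."""
        data_key = os.urandom(32)
        wrapped = key_id.encode() + b"\x00" + _seal(self._master[key_id], data_key)
        self.audit.append(("GenerateDataKey", key_id))
        return data_key, wrapped

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        key_id, blob = wrapped.split(b"\x00", 1)   # the wrapped blob names its master key
        self.audit.append(("Decrypt", key_id.decode()))
        return _open(self._master[key_id.decode()], blob)


def envelope_encrypt(kms: KeyService, key_id: str, data: bytes) -> dict:
    data_key, wrapped = kms.generate_data_key(key_id)
    # Bulk data is encrypted locally with the data key; only the wrapped key is
    # stored next to the ciphertext and the plaintext data key is discarded.
    return {"key_id": key_id, "wrapped_key": wrapped, "ciphertext": _seal(data_key, data)}


def envelope_decrypt(kms: KeyService, envelope: dict) -> bytes:
    data_key = kms.decrypt_data_key(envelope["wrapped_key"])   # one KMS call per object
    return _open(data_key, envelope["ciphertext"])


def demo():
    """Encrypt several objects under one master key; return (round trip ok, distinct data keys, audit ops)."""
    kms = KeyService()
    kms.create_master_key("alias/app-master")
    docs = [b"invoice-1001", b"invoice-1002", b"invoice-1003"]   # constructed sample data
    envelopes = [envelope_encrypt(kms, "alias/app-master", d) for d in docs]
    ok = [envelope_decrypt(kms, e) for e in envelopes] == docs
    distinct_keys = len({e["wrapped_key"] for e in envelopes})
    return ok, distinct_keys, [op for op, _ in kms.audit]
```

A leaked data key exposes one object only, while the audit list shows that every wrap and unwrap went through the single master key.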
131. IAM Immersion Lab

132. Introduction to AWS Identity and Access Management (IAM)
Please visit the following web page: https://amazon.qwiklabs.com/focuses/281?parent=catalog

133. Best Practices on AWS

134. AWS Cloud Adoption Framework

135. Each cloud journey is unique: overcoming challenges to achieve business outcomes
• Different compliance and security needs
• Different risks
• Different workloads
• Different goals
• Different performance and resilience needs
• Different legacies

136. AWS Cloud Adoption Framework (CAF): Building a comprehensive approach to cloud
1. Align cloud strategy to business outcomes
2. Deliver results through new cloud skills and experiences
3. Execute your cloud initiatives
4. Realize your desired business outcomes

137. AWS CAF overview: Helping define your approach to meet goals
• Envision: align technology to business
• Alignment: identify stakeholders and their concerns
• Launch: use AWS CAF to develop workstreams
• Realize value: measure incremental business value

138. Executing AWS CAF perspectives
1. Business: align business and IT needs; map IT investments to business results
2. People: prioritize cloud-based competencies; drive organizational readiness
3. Governance: manage cloud investments; measure business outcomes
4. Platform: provision cloud applications and infrastructure; improve cloud services and solutions
5. Security: align security and compliance with current requirements; manage access and authorization
6. Operations: monitor and maintain system health and reliability; observe cloud best practices

139. Applying the framework to drive cloud adoption
1. Envision: clarify business outcomes and align with organizational goals; define measurable success criteria (metrics); demonstrate how technology will enable business outcomes
2. Alignment: identify critical-to-success stakeholders; foster stakeholder consensus and alignment; understand how stakeholders will benefit from cloud; create a comprehensive action plan
3. Launch: execute your cloud projects; start realizing the incremental business value of leveraging the cloud; proactively address stakeholders' questions, concerns, and blockers
4. Realize value: recognize ongoing incremental business value; continually evaluate cloud strategy and align with envisioned outcomes; identify additional cloud projects that deliver value

140. AWS Well-Architected Framework

141. The AWS Well-Architected Framework
• Increases awareness of architectural best practices
• Addresses foundational areas that are often neglected
• Consistent approach to evaluating architectures
• Composed of: pillars, design principles, questions

142. Value Proposition of Well-Architected
Make informed decisions about architecture in the cloud and understand the potential impact of those decisions.
• Consistent approach to reviewing architectures
• Understand and reduce risk in your architecture
• Learn best practices
• Influence future architectures

143. Pillars of Well-Architected
Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization

144. Example Benefits
• Operational Excellence: understanding how well defined and tested your processes are for responding to events
• Security: providing additional protection beyond using a password by using a multi-factor authentication device
• Reliability: using AWS services to automatically recover from failure
• Performance: using caching to improve performance
• Cost: understanding how to map cost back to individual projects or business units

145. Review Process
1. Identify a significant workload
2. Prepare for review
3. Review architecture
4. Identify areas for improvement
5. Receive detailed report
146. AWS Organizations

147. In the beginning...
• A developer creates an AWS account
• A network engineer helps create more VPCs and establishes VPN access
• Controls are implemented via roles, policies, tagging, security groups, etc.
• Accounts shown: Sandbox, Dev-Test, Prod

148. Today: Cloud adoption at scale
• Accounts: Logging Account, Security Account, Shared Service, Aus Sandbox Account, Aus Dev Account, Aus Prod Account, ISM-Prod Account, Data Science Account, Production, all managed by the cloud team
• New controls: centralized policy management; cross-account deployments & configurations; data aggregations across accounts

149. What do enterprise customers need to scale their AWS accounts effectively?
• Centrally manage policies across accounts
• View charges and usage across accounts
• Easily create new accounts at scale (for isolation and grouping)

150. What challenges have customers faced as they increased their number of AWS accounts?
• Creating a new account involves many manual processes
• IAM policy replication across accounts requires custom automation
• Billing consolidation requires manual tasks in multiple accounts

151. Introducing AWS Organizations: Policy-based management for multiple AWS accounts
• Control AWS service use across accounts
• Consolidate billing and usage reporting
• Automate account creation

152. Typical Use Cases #1: Control the use of AWS services
• Centrally control the use of AWS service APIs across multiple AWS accounts.
• Comply with corporate security and compliance policies.
• Delegate administration while enforcing centralized guardrails.

153. Typical Use Cases #2: Automate the creation of AWS accounts
• API-driven AWS account creation.
• Reduced friction allows for greater account granularity.
• Easy hooks to trigger additional automation.

154. Typical Use Cases #3: Create different groups of AWS accounts
• Group AWS accounts according to purpose.
• Organize groups of accounts into a hierarchy.
• Apply policies at any point in the hierarchy.

155. Example organization
• Organization Root, containing the Master account
• Member accounts SS_Prod, SS_Dev, BU1_Prod, BU1_Test, BU1_Dev, BU2_Prod, BU2_Test and BU2_Dev, grouped into organizational units
• Service control policies attached at points in the hierarchy

156. Key Features
• Policy framework for multiple AWS accounts.
• Control the use of AWS services down to the API level.
• Group-based account management.
• Account creation and management APIs.
• Consolidated billing for all AWS accounts in your organization.
• Enable Consolidated Billing Only or All Features.

157. How is Organizations different from IAM?
• Create groups of AWS accounts with AWS Organizations.
• Use Organizations to attach SCPs to those groups to centrally control AWS service use.
• Principals in the AWS accounts can only use the AWS APIs allowed by both the SCP and the AWS IAM policies attached to them.

158. Service Control Policies (SCPs)
• Enable you to control which AWS service APIs are accessible:
  - Define the list of APIs that are allowed (whitelisting).
  - Define the list of APIs that must be blocked (blacklisting).
• Cannot be overridden by a local administrator.
• The resultant permission on an IAM user/role is the intersection between the SCP and the assigned IAM permissions.
• Necessary but not sufficient: an SCP that allows an API does not grant it; an IAM policy must still allow it.
• The IAM policy simulator is SCP aware.
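As an added example (not AWS code and not from the deck), the decision flow of slide 112 and the SCP-intersection rule of slides 157 and 158 as a small Python evaluator. It models only Effect, Action and Resource with IAM-style wildcards; ignoring Condition, NotAction, resource policies, permissions boundaries and the per-OU inheritance of real SCPs is an assumption of the model, and the policies are constructed, with the user and temporary-credential policies taken from slide 111.

```python
"""Toy IAM policy evaluator: explicit Deny wins, then Allow, otherwise default Deny;
the effective answer is the SCP result AND the IAM result. Added example, not AWS code."""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(patterns, action):
    # Service prefix and action name are matched case-insensitively, as IAM does.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    return any(fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Slide 112 flow. Returns ("Deny", "explicit"), ("Allow", "explicit") or ("Deny", "default")."""
    decision = ("Deny", "default")                      # 1. decision starts at Deny
    for policy in policies:                             # 2. evaluate all applicable policies
        for stmt in _as_list(policy["Statement"]):
            if not (_action_matches(stmt["Action"], action)
                    and _resource_matches(stmt["Resource"], resource)):
                continue                                # statement does not match this request
            if stmt["Effect"] == "Deny":
                return ("Deny", "explicit")             # 3. an explicit Deny is final
            decision = ("Allow", "explicit")            # 4. remember the Allow, keep looking for a Deny
    return decision                                     # 5. default Deny if nothing allowed


def effective_decision(scps, iam_policies, action, resource):
    """Slide 158: the call is allowed only if both the SCPs and the principal's IAM policies allow it."""
    scp = evaluate(scps, action, resource)
    iam = evaluate(iam_policies, action, resource)
    allowed = scp[0] == "Allow" and iam[0] == "Allow"
    return {"decision": "Allow" if allowed else "Deny", "scp": scp, "iam": iam}


# Constructed policies. FullAWSAccess is the default SCP every new organization starts with;
# the guardrail SCP blocks two APIs for every account it is attached to (blacklisting).
FULL_AWS_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
GUARDRAIL_SCP = {"Statement": [{"Effect": "Deny",
                                "Action": ["s3:DeleteBucket", "cloudtrail:StopLogging"],
                                "Resource": "*"}]}
# IAM user policy and temporary-credential policy from slide 111.
S3_ADMIN_USER_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "sts:Get*"],
                                       "Resource": "*"}]}
TEMP_CREDS_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*"],
                                    "Resource": "arn:aws:s3:::mybucket/*"}]}


def demo():
    """Decisions for a few requests against the constructed policies."""
    scps = [FULL_AWS_ACCESS_SCP, GUARDRAIL_SCP]
    user = [S3_ADMIN_USER_POLICY]
    temp = [TEMP_CREDS_POLICY]
    return {
        # IAM allows s3:* and no SCP denies it: allowed.
        "user_get": effective_decision(scps, user, "s3:GetObject", "arn:aws:s3:::mybucket/report.csv")["decision"],
        # IAM allows s3:*, but the guardrail SCP denies this API: the local admin cannot override it.
        "user_delete_bucket": effective_decision(scps, user, "s3:DeleteBucket", "arn:aws:s3:::mybucket")["decision"],
        # The SCP permits EC2, but nothing in IAM allows it: necessary but not sufficient.
        "user_run_instances": effective_decision(scps, user, "ec2:RunInstances", "*")["decision"],
        # Temporary credentials: read allowed inside mybucket, write falls to default Deny.
        "temp_get": effective_decision(scps, temp, "s3:GetObject", "arn:aws:s3:::mybucket/a.txt")["decision"],
        "temp_put": effective_decision(scps, temp, "s3:PutObject", "arn:aws:s3:::mybucket/a.txt")["decision"],
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request}: {decision}")
```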
159. AWS Control Tower
160. What do customers want to do on AWS? Move Fast: innovate without sacrificing speed & agility. Empower Builders: decentralized self-service model for builders. Stay Secure & Compliant: govern at scale using central security and compliance rules.
161. A customer’s journey starts with an AWS Account: Security/Resource Boundary, API Limits/Throttling, Billing Separation. As AWS usage and adoption accelerate…
162. Customers end up with Multi-account Challenges. Paradox of Choice: too many design decisions. Setup Complexity: granular AWS policies across multiple accounts & services. Ongoing management: centrally managing compliance and security of multiple accounts.
163. Multi-Account Recommended Approach (diagram). Core Accounts under AWS Organizations: Orgs (account management), Log Archive (security logs), Security (security tools, AWS Config rules), Shared Services (directory, limit monitoring), Network (Direct Connect). Team/Group Accounts: Dev Sandbox (experiments, learning), Dev (development), Pre-Prod (staging), Prod (production), Team SS (team shared services, data lake). Also shown: Developer Accounts, Data Center. Legend: optional network path, network path, log flow.
164. Introducing AWS Control Tower: consistent and simple multi-account management. Automated AWS Setup: launch an automated landing zone with best-practices blueprints. Policy Enforcement: pre-packaged guardrails to enforce policies or detect violations. Dashboard for Oversight: continuous visibility into workload compliance with controls.
165. Key Features / Benefits (Landing Zone, Guardrails, Account Setup): automated, secure, and scalable landing zone; multi-account management using AWS Organizations; central logging and multi-account configuration consistency; built-in best practices; multi-account preventive and detective guardrails; easy-to-use dashboard and notifications; curated rules in plain English; account provisioning wizard.
166. AWS Control Tower - Building Blocks (diagram): AWS Control Tower (Account Management, Guardrail Enforcement, Landing Zone); AWS Security Hub; AWS Landing Zone; AWS Organizations.
167. AWS Control Tower’s automated landing zone • AWS Organizations with a master and pre-created accounts for central log archive, cross-account audit, and shared services • Pre-configured directory and single sign-on using AWS • Centralized monitoring and alerts using AWS Config, AWS CloudTrail, and AWS CloudWatch (diagram: Control Tower Master Account, AWS Control Tower)
168. Account Factory • Account factory for controls on account provisioning • Pre-approved account baselines with VPC options • Pre-approved configuration options • End user configuration and provisioning through AWS Service Catalog • Create/update AWS accounts under organizational units
169. What’s Next? • Think about your next project and/or business challenge. • What are the things that constrain you currently? • What is the significant workload on AWS you are looking to review? • Reach out to your AWS account team.
