In the AWS Healthcare Days presentation you’ll learn best practices for architecting cloud-based applications for the healthcare industry with a deep technical overview and demos. Topics to be covered in this presentation include building a healthcare analytics pipeline in the cloud, leveraging the cloud for mobile, connected devices, and IoT, and using infrastructure-as-code to automate your security and HIPAA compliance policies. You will also see how cloud technology partner, Cognizant, is helping healthcare providers manage cloud infrastructure at scale, as well as leveraging tooling to maintain the security and compliance of applications and environments through automation.

1. Healthcare and Life Sciences Days
Chicago, IL
Mark Johnston, Director of Global Business Development,
Healthcare and Life Sciences
June 28, 2016

2. 05:00 PM – 06:30 PMClosing Remarks, Q&A and Networking6
04:15 PM – 05:00 PMLeveraging Amazon Echo and AWS to build IoT Applications5
03:30 PM – 04:15 PMCognizant: Managing Cloud Infrastructure at Scale4
02:45 PM – 03:30 PMHealthcare Analytics and Prediction using Amazon Machine Learning3
02:30 PM – 02:45 PMBreak
01:30 PM – 02:30 PMEmbracing DevOps with Improving Compliance and Security Agility and Posture2
01:00 PM – 01:30 PMIntroduction and Opening Remarks1
Agenda

3. 12 Regions
33 Availability Zones
54 Edge Locations
Coming Soon:
5 Regions
11 Availability Zones
AWS global infrastructure

4. * As of 1 Feb 2016
2009
48
280
722
82
2011 2013 2015
AWS has been continually expanding its services to support virtually
any cloud workload and it now has more than 50 services that range
from compute, storage, networking, database, analytics, application
services, deployment, management and mobile. Since inception AWS
has launched 776 new features and/or services for a total of 1,950
new features and/or services since inception in 2006.
AWS Rapid Pace of Innovation

5. ENTERPRISE
APPS
DEVELOPMENT & OPERATIONSMOBILE SERVICESAPP SERVICESANALYTICS
Data
Warehousin
g
Hadoop
/Spark
Streaming
Data Collection
Machine
Learning
Elastic
Search
Virtual
Desktops
Sharing &
Collaboration
Corporate
Email
Backup
Queuing &
Notifications
Workflow
Search
Email
Transcoding
One-click
App
Deployment
Identity
Sync
Single Integrated
Console
Push
Notifications
DevOps
Resource
Management
Application
Lifecycle
Management
Containers
Triggers
Resource
Templates
TECHNICAL &
BUSINESS
SUPPORT
Account
Management
Support
Professional
Services
Training &
Certification
Security
& Pricing
Reports
Partner
Ecosystem
Solutions
Architects
MARKETPLACE
Business
Apps
Business
Intelligence
Databases
DevOps
Tools
NetworkingSecurity Storage
Regions
Availability
Zones
Points of
Presence
INFRASTRUCTURE
CORE SERVICES
Compute
VMs, Auto-scaling,
& Load Balancing
Storage
Object, Blocks,
Archival, Import/Export
Databases
Relational,
NoSQL, Caching,
Migration
Networking
VPC, DX,
DNS
CDN
Access
Control
Identity
Management
Key
Management
& Storage
Monitoring
& Logs
Assessment
and reporting
Resource &
Usage Auditing
SECURITY & COMPLIANCE
Configuration
Compliance
Web
application
firewall
HYBRID
ARCHITECTURE
Data
Backups
Integrated
App
Deployments
Direct
Connect
Identity
Federation
Integrated
Resource
Management
Integrated
Networking
API
Gateway
IoT
Rules
Engine
Device
Shadows
Device
SDKs
Registry
Device
Gateway
Streaming
Data Analysis
Business
Intelligence
Mobile
Analytics

6. Why AWS?
Scalable
Flexible
Agile

7. Alex Dickinson
SVP, Strategic Initiatives
Working with AWS lets us focus
on what we’re good at, which is
doing sequencing

8. William H. Morris
Associate CIO
The cloud can lower the operating
cost, and actually allow us to
focus on what we do well, which
is taking care of patients.

9. David Bennett
EVP of Healthier Populations
The market acceptance of healthcare
running on AWS is pretty exciting to us

10. New technologies are emerging throughout
the industry
Data exchange
throughout your
healthcare network
New innovations in
care delivery
Consumer
applications and
personalized
medicine

11. Use Case: AWS for Precision Medicine
All the compute you need to deal with large,
complex data sets
Easily deploy to physicians throughout your
network
Cost-effective short-term and long-term
storage

12. Jason Gillman
Director of Precision Genomics
we wanted to provide information
to the oncologist as quickly as we
can. These new services ….
powered by AWS, helps provide
that.

13. Innovation in medication adherence
• Medication adherence for depression
and schizophrenia
• Therapeutic has an ingestible sensor
linked to a wearable patch
• Patch talks to the application
• Patient data (or lack of) is
communicated to care managers and
or physicians

14. Innovation in chronic care management
• Sensor attaches to existing inhaler
• Tracks therapeutic utilization
• Application allows environmental
condition capture
• Patient gets feedback regarding
their condition – Asthma and COPD

15. Jeroen Tas
CEO, Healthcare Informatics Solutions and Services
We combine data to make it
actionable….We’re doing that together with
Amazon, because there is only one company
that we can do this with which gives us the
reliability, scale, and performance we need.
Healthcare IoT – Philips HSDP

16. Torsten Kablitz
Vice President, IT Business Services
[Just one] of our customers…..500,000
transactions a day….AWS allows us to
bring up and bring down servers just as we
need them.

17. Security is foundational at AWS
Architected to be one of the most flexible and secure cloud
computing environments available today

18. AWS secures the
infrastructure....
....so you can
secure your
patient dataCustomer
Security: A Shared Responsibility

19. • Environment built for the most security sensitive organizations
• AWS manages 1800+ security controls so you don’t have to
• Certified and regularly audited
AWS secures the
infrastructure....
Security: A Shared Responsibility

20. • You retain ownership of your IP and content – AWS does not have access
• You control where your data is stored
• Enabling end-to-end compliance
....so you can
secure your
patient dataCustomer
Security: A Shared Responsibility

21. In the Cloud, Infrastructure Security is Code
Templates determine what
infrastructure is deployed
and how it is deployed
Built-in tools to monitor
your environment
Automatic logging for audit
support

22. The AWS Cloud Improves your Compliance Posture
Controllable Infrastructure Repeatable Testing Automatic Traceability

23. AWS and Validated Systems
 Major companies run GxP on AWS today
 We have GxP resources available to help you
migrate GxP systems to the AWS Cloud
 Developed with input from Lachman
Consultants
 Multiple partners with solutions available: Sparta,
TraceLink, Waters, Medidata, etc.

24. Build HIPAA-compliant applications that store, process and transmit PHI
Business Associate Agreement (BAA) addendum available
HIPAA-eligible services for broad range of applications:
Compute Storage Database
Managed
Big Data
Archiving
Data
Warehousing
Enabling Compliance
Networking

25. Lee Kim
Director, Privacy and Security
HIMSS North America
Most healthcare institutions don’t have
the time and resources
to devote to cybersecurity that an
established cloud provider
might have

26. Embracing DevSecOps while improving your
compliance and security agility and posture
Scott Paddock
Security Solutions Architect
Gerry Miller
Founder & CTO, Cloudticity

27. Agenda
• DevOps to DevSecOps Primer
• Observed industry cloud techniques with AWS
• Tools, processes and frameworks to assist
• Example Compliance Workflows

28. DevOps Toolchain
Plan
Configure
Verify
Preprod
Monitor
Create
Release
Define and plan; business value, application requirements and metrics
Building, coding and configuration
Ensuring quality; acceptance, regression testing
Infrastructure and application
Approval/certification, triggered releases, release staging and holding
Process, application and infrastructure
Release coordination, promotion, scheduling, rollback and recovery

29. DevOps Principles
• Collaborate with all stakeholders
• Codify everything
• Test everything
• Automate everything
• Measure and monitor everything
• Deliver business value with continual feedback
Manual Hacking

30. Drivers for DevSecOps
Embedding Security into DevOps was not successful
because…
• Compliance checklists didn’t take us far before we
stopped scaling…
• We couldn’t keep up with deployments without
automation…
• Standard Security Operations did not work…
• And we needed far more data than we expected to help
the business make decisions…

31. DevSecOps: Security as Code
Establishing these principles…
• Customer focused mindset
• Scale, scale, scale
• Objective criteria
• Proactive hunting
• Continuous detection and response

32. DevOps Toolchain
Plan
Configure
Verify
Preprod
Monitor
Create
Release
Define and plan; business value, application requirements, security, compliance
and metrics
Build, code and configuration
Ensuring quality; acceptance, regression, security and compliance testing
Infrastructure and application
Approval/certification, triggered releases, release staging and holding
Process, application, infrastructure, security and compliance
Release coordination, promotion, scheduling, rollback and recovery

33. Amazon
EC2
Amazon
EMR
Amazon
Glacier
Amazon
S3
Amazon
DynamoDB
Amazon
RDS (MySQL
and Oracle)
Amazon
Redshift
Amazon
EBS
Elastic Load
Balancing
Amazon ECS AWS Elastic
Beanstalk
AWS
CodeCommit
AWS
CodeDeploy
AWS
CodePipeline
SQS
SNS
AWS Config
AWS
Device Farm
AWS HIPAA Eligible Services
(as of 4/21)
AWS Non-HIPAA Eligible Services
Consult with compliance and security organizations before implementing

34. Observed industry cloud techniques with AWS

35. Let’s start at the end…

36. How do we achieve this?

37. Automate everything (CloudFormation)

38. Automate everything (CloudFormation)

39. Automate everything (CloudFormation)

40. Automate everything (Scripting)

41. Automate everything (Chef)

42. Log everything

43. Monitor everything (ELK)

44. Monitor everything (AWS Config)

45. Monitor everything (Compliance as a Service)

46. Monitor everything (Compliance as a Service)

47. Monitor everything (Other Suggestions)

48. Act on (and automate workflow)

49. Act on (and automate workflow)

50. Act on (and automate workflow)

51. Actual workflow (diagram)
Post-commit hook

52. Actual workflow (diagram)
Post-commit hook
• Build & test
• Notify if failure - or
• Package manifest on success
• Executables
• Required resources
• Any other necessary
metadata

53. Actual workflow (diagram)
Post-commit hook Put to S3 bucket Triggers Lambda
Cloud-
Formation
Dynamic
cf-init
• Install and configure any
packages or roles
• OS configuration and updates
• Download any required static
files

54. Actual workflow (diagram)
Post-commit hook Put to S3 bucket Triggers Lambda
Cloud-
Formation
Dynamic
cf-init
• CloudFormation wait conditions
• CloudWatch events (uses tags)

55. Actual workflow (diagram)
Post-commit hook Put to S3 bucket Triggers Lambda
Cloud-
Formation
Dynamic
cf-init
SSM
Route53
“Old” Stack
“New” Stack

56. Actual workflow (diagram)
Post-commit hook Put to S3 bucket Triggers Lambda
Cloud-
Formation
Dynamic
cf-init
SSM
Route53
“Old” Stack – 90%
“New” Stack – 10%

57. Actual workflow (diagram)
Post-commit hook Put to S3 bucket Triggers Lambda
Cloud-
Formation
Dynamic
cf-init
SSM
Route53
“Old” Stack – 50%
“New” Stack – 50%

58. Actual workflow (diagram)
Post-commit hook Put to S3 bucket Triggers Lambda
Cloud-
Formation
Dynamic
cf-init
SSM
Route53
“Old” Stack
“New” Stack – 100%

59. Variations on workflow
Gitflow pull request approvals
Stack per branch
• Variation – naming conventions
Stage gates (human intervention) using Slack
Blue/green vs. destructive deployments
Deployment dashboards

60. Some practical considerations

61. Some practical considerations

62. Some practical considerations

63. Some practical considerations

64. Consult internally before implementing
These slides have been practices we have
used in industry – but security and compliance
is determined by YOU, the customer. So
please, please:
• Consult with your internal best practices
• Consult with with your Cloud Center of
Excellence
• Consult with your Information Security
group
• Consult with your Compliance organization
• Do your due diligence

65. Thank You
Any questions?
Scott Paddock Gerry Miller
spaddock@amazon.com gerry@cloudticity.com

66. Advanced Analytics & Machine
Learning on AWS
Ujjwal Ratan
Healthcare and Life Sciences Solutions Architect
Amazon Web Services

67. This Talk Will Cover
 Analytics on AWS overview
 Reference architectures
 Amazon Machine Learning (AML) Overview
 Application of AML to a real world problem - patient readmission
 A look at the end user application
 Q&A

68. Gartner: User Survey Analysis: Key Trends Shaping the Future of Data Center Infrastructure Through 2011
IDC: Worldwide Business Analytics Software 2012–2016 Forecast and 2011 Vendor Shares
Available for analysis
Generated data
Data volume - Gap
1990 2000 2010 2020
A growing gap…

69. Amazon S3
Amazon Kinesis
Amazon DynamoDB
Amazon RDS (Aurora)
AWS Lambda
KCL Apps
Amazon
EMR
Amazon
Redshift
Amazon Machine
Learning
Collect Process Analyze
Store
Data Collection
and Storage
Data
Processing
Event
Processing
Data
Analysis
Data Answers
Analytical pipeline on AWS

70. Lets rewind to the 90s…. Familiar with this?
https://en.wikipedia.org/wiki/Data_warehouse#/media/File:Data_warehouse_overview.JPG

71. Fast-forward to the present day – Data Lakes
Amazon S3
Application data
Server logs
Internet APIs
Custom Apps
Amazon EMR Amazon RDS
Data Mart
Amazon Redshift
Dashboards
Amazon Machine Learning

72. Amazon
S3
Amazon
Redshift
Amazon Machine
Learning Amazon
EC2
Amazon
EMR
users
Internet
corporate data center
Redshift used to
enrich/transform the
data set to make it
suitable for acting as a
ML data source.
An ML model is created with
Redshift as the data source
EC2 used as a web
server to host a
website to act as a
frontend for AML end
point
Use EMR to process
unstructured/semi-structured data
and store it back as objects on S3.
S3 acts as a scalable
object store for all forms
of data. It is used as a
data lake.
Amazon
S3
Amazon
QuickSight
Amazon
RDS users
A batch prediction can be generated using AML and the
result file stored back in S3. An RDS schema acts as a
source for Amazon QuickSight that generates BI repots on
prediction data.
DB Schemas
CSV Files
Unstructured files
A reference architecture to build smart
applications on AWS

73. Real world problem – Hospital Readmissions
• Hospital Readmission Reduction
Program (HRRP) part of the Affordable
Care Act.
• CMS is required to reduce payments to
hospitals with excess readmissions.
• Not all readmissions can be prevented
as some of them are a part of an
overall care plan for the patient.
• Facilities with high readmission rates
had their Medicare payment cut by 1%
in 2013 which rose to 2% in 2014.

74. Machine Learning
Wouldn’t it be great to proactively predict
patient’s risk of readmission based on some
generic features?
Patient
Demographics
Patient History
Admission
Attributes
Other features
Patient
High Risk Patient
Low Risk Patient
Moderate Risk
Patient

75. Amazon
S3
Amazon
Redshift
Amazon Machine
Learning
users
Internet
CSV Files
1
2
3
5
Amazon
Cognito
S3 Static
Website
Internet
4
A machine learning application to predict
readmissions

76. The data set
The accuracy of ML models become better when more data is used to train it. This is a very limited dataset to build a
comprehensive ML model but this methodology can be replicated with larger data sets as well.
https://archive.ics.uci.edu/ml/datasets/Diabetes+130-US+hospitals+for+years+1999-2008
 Public Data Set from UCI
 consists of 101,766 rows and represents 10 years of clinical care records
 130 US hospitals and integrated delivery networks
 includes over 50 features (attributes) representing Diabetes patient and hospital outcomes.

77. Ingesting Data Into S3 - Staging
Table Name Table Type
admission_source.csv Master
admission_type.csv Master
discharge_dispoition.cs
v
Master
Diabetic_data.csv Transaction
aws s3 cp /tmp/foo/ s3://bucket/ --recursive

78. Schema In Redshift
Fact
create table admission_type (
admission_type_id INTEGER NOT NULL,
description varchar(100)
);
create table discharge_disposition (
discharge_disposition_id INTEGER NOT NULL,
description VARCHAR(500)
);
create table admission_source (
admission_source_id INTEGER NOT NULL,
description VARCHAR(500)
);
create table diabetes_data (
// ~50 attributes
);
Dim2
Dim3
Dim1

79. Data Load and Standardization
COPY<Redshift_Table_Name> FROM's3://<file_path.csv>' CREDENTIALS
'aws_access_key_id=<>;aws_secret_access_key=<>' DELIMETER',' IGNOREHEADER 1;
Data Load
• Update NULL values
• Change attributes values which do not comply with standard patterns. Ex: SSN =
XXX-XX-XXXX
• Complete geographical data where possible
• Add timeline values if possible
• Group granular attributes in sets. Ex: Ages 0 to 20 as young, 20 to 40 as Adult
and so on.
Data Standardization

80. Introducing Amazon ML
Easy to use, managed machine learning
service built for developers
Robust, powerful machine learning
technology based on Amazon’s internal
systems
Create models using your data already
stored in the AWS cloud
Deploy models to production in seconds

81. Create AML Model with Redshift as the source
CreateDataSourceFromRedshift API
Console

82. Real-time predictions
Synchronous, low-latency, high-throughput prediction generation
Request through service API or server or mobile SDKs
Best for interaction applications that deal with individual data records
>>> import boto
>>> ml = boto.connect_machinelearning()
>>> ml.predict(
ml_model_id=’my_model',
predict_endpoint=’example_endpoint’,
record={’key1':’value1’, ’key2':’value2’})
{
'Prediction': {
'predictedValue': 13.284348,
'details': {
'Algorithm': 'SGD',
'PredictiveModelType': 'REGRESSION’
}
}
}

83. Real-time Predictions Using AML
Create a real-time endpoint using the console of the CreateRealTimeEndpoint
API. Once enabled, the model can be queried in real time using the end point
Target Attribute for the Binary Classification Model : Readmission_Result

84. Application website hosted on S3
var machinelearning = new AWS.MachineLearning({apiVersion:
'2014-12-12'});
var params = {
MLModelId: ‘<AML Model ID>',
PredictEndpoint: ‘<AML Model Real Time End Point>',
Record: <Selected Attributes record set>
};
var request = machinelearning.predict(params);
Application calls the Predict() API using necessary parameters
Website hosting feature of S3 allows us to host websites without any web servers
and takes away the complexities of scaling hardware based on traffic routed to your
application.

85. Thank You.. Any Questions?
Before we end, here’s a look at the application
http://predictreadmission.s3-website-us-west-2.amazonaws.com

86. © 2016 Cognizant
© 2016 Cognizant
June 28, 2016
Managing Cloud Infrastructure at Scale
Shashank Joshi
Principle Architect – Cognizant Cloud Services
AWS Certified Solution Architect - Professional

87. © 2016 Cognizant88
Agenda
Managing Cloud Infrastructure at Scale
• What is different at scale?
• Examples & Case studies

88. © 2016 Cognizant89
What is different at scale?
Provisioning & Orchestration
• Manual vs automated provisioning
• Provisioning entire application stacks
• Complex scenarios
Global Deployment
• Multi-geography requirements
• Hybrid scenarios
• Disaster Recover & Business
Continuity
User Access Management
• Number of users & roles
• Multiple accounts
• AD Federation
Monitoring & Tools Solution
• Integrated monitoring solution
• IT Service management
• Build vs Buy
Cloud Operations Service
• Manual vs automated activities
• Pricing models
• Skill development and management
Cost Management & Optimization
• Tracking & reporting
• Manual vs automated policy
enforcement

89. © 2016 Cognizant90
Example 1 – DR Automation, Multi-region deployment
Background:
The application, GeoLocus, is a telematics solution including in-car device option,
smartphone apps, configurable scoring and user portals. Application is hosted in the AWS
Cloud and contains the following:
• Application servers hosted on Amazon EC2
• MySQL server hosted using Amazon RDS
• PostgreSQL server hosted using Amazon RDS
Objective:
Automate steps in multi-region DR

90. © 2016 Cognizant91
Example 1 – AWS Products and Services Used
Amazon CloudWatch
• Monitor deployment logs
• Raise an event once a pre-specified keyword appears in the monitored log file
AWS Lambda
• Invoke Python scripts based on different events
AWS SDK for Python
• Perform automation activities such as AMI build, copy etc.
Amazon S3
• Store CloudFormation templates
• Amazon S3 Events are used to trigger Lambda functions once an action is completed
AWS CloudFormation
• Deployment Stack for the DR region, which can be triggered in case of a disaster

91. © 2016 Cognizant
Example 1 – Bringing it all together
EU Frankfurt EU Ireland
Production server
CloudWatch Log Monitoring
Create Image Function
Production web server AMI
Pending-AMI-Id.txt
Pending AMI Event
CheckAMIStatus
Function
Pending AMI Event
Available AMI Event
Copied Production Image
Pending-AMI-Id.txt/
Available-AMI-Id.txt
Copy Image Function

92. © 2016 Cognizant93
Example 1 – Bringing it all together
EU Frankfurt EU Ireland
Copied Production Image
Copy Image Function
CloudFormation JSON
with copied AMI ID
MySQL Snapshot Event
Copy RDS Snapshot
Function
Copy RDS Snapshot
Function
CloudFormation JSON
with copied MySQL
Snapshot ID
CloudFormation JSON
with copied PostgreSQL
Snapshot ID
PostgreSQL Snapshot Event
Latest PostgreSQL Snapshot
Latest MySQL Snapshot

93. © 2016 Cognizant94
Example 1 – Key Takeaways for Managing at Scale
Provisioning
• Custom AMIs
• AMI vs Dynamic configuration
Automation
• Event-based and scheduled tasks
• Region-dependent services
Cost optimization
• Pick the right DR model
• Design for the RPO/RTO
• Use Serverless compute

94. © 2016 Cognizant95
Example 2 – Multi-region, multi-environment automated build & deployment
Background:
A multi-tenant SaaS solution deployed in three regions US, EU & APAC. US region consists
of multiple lower environments. Microservices architecture with multiple applications and
services consisting of the following:
• Multi-tier architecture
• AWS Elastic Beanstalk, Amazon EC2 Container Registry
• Amazon RDS PostgreSQL, Amazon DynamoDB
Objective:
Automated code deployment in multiple environments and regions and other tasks

95. © 2016 Cognizant96
Example 2 – Products and Services Used
Amazon EC2 Container Registry
• Manage Docker images
• Managed private repository with IAM integration
AWS CodeCommit
• Store source code
AWS Elastic Beanstalk
• High availability, auto-scaling, health check, monitoring for the deployed environments
• Docker Support
Jenkins
• Continuous Integration, run various jobs
Docker
• Containerize the applications/services

96. © 2016 Cognizant97
Example 2 – Bringing it all together
EC2 Container
Registry
Dockerrun.aws.json
Deploy Docker
Image and run
containers
EB Dev environment EB testing/QA environment EB Prod environment
Continuous Deployment
Continuous Integration
Poll SCM
Build Docker
Image
Export Unit test
result XML file from
container
Tag Docker image
and push to
repository
Docker File
CodeCommit
Jenkins

97. © 2016 Cognizant98
Example 2 – Bringing it all together
Parameterized environment, region and application version for deploy jobs

98. © 2016 Cognizant99
Example 2 – Key Takeaways for Managing at Scale
Provisioning
• Multi-region & multi-environment deployment
• AWS Elastic Beanstalk & AWS CloudFormation
• Rapid feature delivery with CI/CD pipeline
Automation
• Automated deployment, upgrade & operations
• IAM Roles
Cost optimization
• Optimal resource utilization with Docker
• Automated scaling with AWS Elastic Beanstalk

99. © 2016 Cognizant100
Example 3 – Cloud360 Policies
Background:
Cognizant Cloud360 is an Enterprise Cloud Management & Governance solution. It has
core features such as provisioning & orchestration, policy-driven automation, metering &
showback and analytics.
Objective:
Demonstrate use cases for policy-driven automation for cost optimization and compliance.

100. © 2016 Cognizant101
Example 3 – Cloud360 Policies
Monitoring Policy
• Automate monitoring and take immediate action on events
• Auto-healing policies can resolve events impacting application availability
Provisioning Policy
• Control provisioning-related tasks
• Define a set of conditions for managing provisioning tasks
Placement Policy
• Set rules that defines the location where the Compute Instances will be created, to use the available
resources in an efficient way
• Set rules to select these datacenters, hosts, and networks and to ensure their optimum allocation &
usage
Compliance Policy
• Define policies to meet compliance requirements
• Notifications & approval workflow based on the rules defined

101. © 2016 Cognizant102
Example 3 – Cost Optimization Policy - Cloud360
If
LIST (Event ((Status = Open AND Severity = Critical AND Device = CPU), Instance
(“Deployment Name” = production AND “Instance Group Name” = webserver)) > 70
Do
SCALEOUT(“app profile.scaleout”)
Performs scale out when more than 70% of VMs in a Webserver resource pool
of production environment are in critical CPU state
If
COUNT (Instance (“Deployment Name” != Production AND “Instance Group
Name” = Webserver)) >= 20
AND
OPERATION (Instance (“Deployment Name” != Production AND “Instance
Group Name” = Webserver), “Create Instance”) = TRUE
Do
“Restrict the operation”
Restricts any user from creating or powering on webserver VMs, in non-
production environment, if number of powered on VMs is greater than 20
If
LIST (EBSVolume (“Provider Name” = myAWS AND “Volume ID” = vol-12345
AND “Snapshot Count” > 10)) is NOT EMPTY
Do
“Retain EBS Snapshots” (latest 10)
Ensures retention of only the latest 10 Snapshots of a specific volume in AWS
environment
If
LIST (EBSSnapshot (“Creation Date”< -10d)) =! EMPTY
Do
“Delete EBS Snapshots”
Delete Snapshots older than 10 days for any EBS volume
If
Consumption metering (“Compute Date” > -24h AND Usage (“Compute Date”
= -30d) > 50)
Do
Notify the Owner (Usage (Top 5))
Restrict any provisioning operation
If the consumption metering in last 24 hours is 50% over the last 30-day
average, notify the user and also the top 5 users with highest burn rate

102. © 2016 Cognizant103
Example 3 – Key Takeaways for Managing at Scale
Tools solution
• Build vs Integrate vs Buy
Automation
• Operational activities
• Policy enforcement
Cost optimization
• Analytics & reporting
• Implement cost optimization best practices

103. © 2016 Cognizant104
Summary – Tools & levers to manage at scale
Provisioning & Orchestration
• AMIs vs Dynamic configuration
• Docker, CloudFormation, Ops Work
• 3rd party tools, Cloud360
Global Deployment
• Multi-region deployments
• Hybrid connectivity options
• Replication and reuse
User Access Management
• IAM strategies & best practices
• AD Federation
Monitoring & Tools Solution
• Cloud Watch, Cloud Trail, Config
• OS & Application monitoring
• ITSM Tool integration
Cloud Operations Service
• Org structure
• Managed Service Partners
Cost Management & Optimization
• Consolidated billing
• Cognizant Cloud 360, 3rd Party tools

104. © 2016 Cognizant
Thank You!
Shashank Joshi
http://www.cognizant.com/cloud
http://www.aws-partner-directory.com/PartnerDirectory/PartnerDetail?Name=cognizant

105. Leveraging Amazon Echo and AWS to build IoT
Applications
Chris McCurdy
AWS Healthcare and Life Sciences Specialist Solutions Architect

106. Agenda
• What is IoT
• Build an example of an AWS IoT system

107. What is IoT?
The internet of things (IoT) is the network of physical objects—devices,
vehicles, buildings and other items—embedded with electronics, software,
sensors, and network connectivity that enables these objects to collect and
exchange data.
https://en.wikipedia.org/wiki/Internet_of_things
Why AWS IoT?
AWS IoT can support billions of devices and trillions of messages, and can
process and route those messages to AWS endpoints and to other devices
reliably and securely. With AWS IoT, your applications can keep track of and
communicate with all your devices, all the time, even when they aren’t
connected.

108. Grove IoT Kit from Seeed Studio
http://www.seeedstudio.com/wiki/images/d/d0/Aws_kit_edison.JPG

109. Use-Case: Medication Status
Scenario:
Button is pressed by a technician to dispense medication
Requirements:
• Simple example (one of many ways)
• Data stored in queriable repository
• Notification via SMS if medication is not distributed for a day
• Accessible from Amazon Echo/Alexa
AWS

110. Medication Status architecture
IoT MQTT
protocol
IoT
certificate
IoT
rule
IoT
topic
Amazon
Kinesis
AWS
Lambda Amazon
DynamoDB
Amazon
SNS
Alexa
Medication Status
monitoring device
Medication Status Backend
Node.js
AWS
Lambda
AWS
Lambda

111. Elephant in the room
http://nos.twnsnd.co/post/104252656546/elephants-tea-party-robur-tea-room-24-march
Amazon
Kinesis
AWS
Lambda
Amazon
DynamoDB
Amazon
SNS
Alexa
AWS IoT
HIPAA Eligible Not HIPAA Eligible

112. What does AWS IoT Consist of?
Device Gateway
The managed backbone of communication between
connected devices and the cloud which supports
the pub/sub messaging pattern, enabling scalable, low-
latency, and low-overhead communication.
IoT Rule Engine
The AWS IoT Rules Engine enables continuous processing
of inbound data from devices connected to the AWS IoT
service in a SQL-like syntax.

113. What doe AWS IoT Consist of? (Part 2)
Device Registry
Allows you to organize and track devices using a logical
handle.
Device Shadow
Used to store and retrieve current state information for a
thing whether it is connected to the internet or not.

114. HTTPS, WebSockets and MQTTS
Supported Protocols
HTTPS, Websockets, Secure MQTT
What is MQTT?
A lightweight pub/sub protocol, designed to minimize network bandwidth and device
resource requirements. MQTT supports TLS for encryption.
MQTTS vs HTTPS:
• 93x faster throughput
• 11.89x less battery to send
• 170.9x less battery to receive
• 50% less power to keep connected
• 8x less network overhead
Source: http://stephendnicholas.com/archives/1217

115. Installing the SDKs
Install jsupm_grove and AWS IoT SDK
$ npm install jsupm_grove@0.4.0
$ npm install aws-iot-device-sdk

116. AWS Generated Certificates

117. Creating a certificate (option 1)
$ aws iot create-keys-and-certificate --set-as-active --certificate-pem-outfile
certificate.pem --public-key-outfile public_key.pem --private-key-outfile private_key.pem
{
"certificateArn":
"arn:aws:iot:us-east-
1:789539825478:cert/ddb2d5a5bad102db423cf8918465f1e1c5fb228f4955f6ecb060011695b2514f",
"certificatePem":
"-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
"keyPair": {
"PublicKey":
"-----BEGIN PUBLIC KEY-----…SNIP…-----END PUBLIC KEY-----",
"PrivateKey":
"-----BEGIN RSA PRIVATE KEY-----…SNIP…-----END RSA PRIVATE KEY-----"
},
"certificateId":
"d7677b0…SNIP…026d9"
}
IoT
certificate

118. Certificate Signing Request
Dear Certificate Authority,
I’d really like a certificate for %NAME%, as identified by
the key pair with public key %PUB_KEY%. If you could sign
a certificate for me with those parameters, it’d be super
spiffy.
Signed (Cryptographically),
- The holder of the private key

119. Client Generated Keypairs
CSR

120. Create a certificate from the CSR (option 2)
$ aws iot create-certificate-from-csr
--certificate-signing-request file://Thing.csr
--set-as-active --certificate-pem-outfile certificate.pem
{
"certificateArn":
"arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b",
"certificatePem":
"-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
"certificateId":
"b5a396e…SNIP…400877b"
}
IoT
certificate

121. Private Key Protection
Protect from Software Threats
• chroot
• Security Enhanced Linux (SELinux)
• One-Time Programmable (OTP) Fuses
Protect from Hardware Threats
• Trusted Platform Modules
• Smartcards
• Locks and Boxes
• FIPS-style hardware

122. IoT Button Node

123. Medication Status architecture (AWS side)
IoT MQTT
protocol
IoT
certificate
IoT
rule
IoT
topic
Amazon
Kinesis
AWS
Lambda Amazon
DynamoDB
Amazon
SNS
Alexa
Medication Status
monitoring device
Medication Status Backend
Node.js
AWS
Lambda
AWS
Lambda

124. Creating Things
$ aws iot create-thing --thing-name medication_button_12016de3-794a-4c91-99ee-
7b64851f4961
{
"thingArn": "arn:aws:iot:us-east-
1:789539825478:thing/medication_button_12016de3-794a-4c91-99ee-7b64851f4961",
"thingName": “medication_button
}
IoT
thing

125. Create Policy
$ aws iot create-policy --policy-name medication_button_policy --policy-
document file://iot.policy.js
{
…
} IoT
policy

126. Attach Thing and Policy
$ aws iot attach-thing-principal
-–thing-name medication_button_12016de3-794a-4c91-99ee-7b64851f496
-–principal arn:aws:iot:us-east-
1:789539825478:cert/ddb2d5a5bad102db423cf8918465f1e1c5fb228f4955f6ecb060011695b2514f
$ aws iot attach-principal-policy
--policy-name medication_button_policy
--principal arn:aws:iot:us-east-
1:789539825478:cert/ddb2d5a5bad102db423cf8918465f1e1c5fb228f4955f6ecb060011695b2514f
IoT
certificate
IoT
policy
IoT Thing

127. Creating Kinesis Role and Stream
$ aws kinesis create-stream –-stream-name medication_status_stream –-shard-count 2
Amazon
Kinesis
• Streams are made of Shards
• Each Shard ingests data up to 1MB/sec,
and up to 1000 TPS
• Each Shard emits up to 2 MB/sec
• All data is stored for 24 hours – 7 days
• Scale Kinesis streams by splitting or
merging Shards
• Replay data inside of 24Hr -7days
Window

128. Define IoT Kinesis Policy and Role
IoT
rule
IoT Kinesis Policy
IoT Kinesis Trust Policy

129. Add IoT Kinesis Policy and Role
$ aws iam create-policy --policy-name lambda_medication_status_kinesis_policy --policy-
document file://kinesis.policy.js
{
"Policy": {
…
"Arn": "arn:aws:iam::789539825478:policy/lambda-medication-status-kinesis-policy",
}
$ aws iam create-role --role-name medication_status_kinesis_role --assume-role-policy-
document file://lambda_medication_iot_trust.policy.js
"Role": {
...
"Arn": "arn:aws:iam::789539825478:role/medication-status-kinesis-role"
}
}
$ aws iam attach-role-policy --role-name medication_status_kinesis_role --policy-arn
arn:aws:iam::789539825478:policy/lambda_medication_status_kinesis_policy
$
IoT
rule

130. Create IoT Rule
IoT
rule
IoT
topic
Amazon
Kinesis
$ aws iot create-topic-rule --rule-name medication_status_lambda_forwarder --
topic-rule-payload file://iot.rule.js
$

131. Creating DynamoDB table
Amazon
DynamoDB
ClientID (S-Hash) LastSubmittedDate (N-
Range)
fa99489c-dae3-4a7a-b43c-ee696a883d28 201606261540
74dab686-e04c-4201-8c12-406af33dbdc2 201604051330

132. Creating DynamoDB table
$ aws dynamodb create-table --table-name MedicationStatusTable --attribute-definitions
AttributeName=ClientID,AttributeType=S AttributeName=LastSubmittedDate,AttributeType=N --key-schema
AttributeName=ClientID,KeyType=HASH AttributeName=LastSubmittedDate,KeyType=RANGE --
provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=5
{
"TableDescription": {
"TableArn": "arn:aws:dynamodb:us-east-1:789539825478:table/MedicationStatusTable",
...
}
}
Amazon
DynamoDB
Throughput
• Provisioned at the table level
• Write capacity units (WCUs) are measured in 1KB per second
• Read capacity units (RCUs) are measured in 4KB per second
• RCUs measure strictly consistent reads
• Eventually consistent reads cost ½ of constant reads
• Read and write throughput limits are independent
• Increase as necessary, decrease at most 4 times per UTC day

133. Creating Lambda to Load Dynamo
Amazon
Kinesis
AWS
Lambda
Amazon
DynamoDB

134. Lambda Role Policies
Lambda Role Policy Lambda Role Trust Policy
Amazon
Kinesis
AWS
Lambda
Amazon
DynamoDB

135. Creating Lambda Role and Policies
$ aws iam create-policy --policy-name lambda_medication_status_policy --policy-
document file://lambda_medication.policy.js
{
"Policy": {
"PolicyName": "lambda-medication-status",
…
"Arn": "arn:aws:iam::789539825478:policy/lambda_medication_status",
}
$ aws iam create-role --role-name medication_status_role --assume-role-policy-
document file://lambda_medication_status_trust.policy.js
{
"Role": {
...
"Arn": "arn:aws:iam::789539825478:role/medication_status_role"
}
}
$ aws iam attach-role-policy --role-name medication-status-role--policy-arn
arn:aws:iam::789539825478:policy/lambda-lambda-medication-status
$
Amazon
Kinesis
AWS
Lambda
Amazon
DynamoDB

136. Deploying the Medication Status Lambda
$ aws lambda create-function --function-name MedicationStatus --runtime python2.7 --
role arn:aws:iam::789539825478:role/medication_status_role --handler
medication_kinesis.lambda_handler --timeout 3 --memory-size 128 --zip-file
fileb://medication_kensis_lambda.zip
{
"FunctionArn": "arn:aws:lambda:us-east-1:789539825478:function:MedicationStatus",
...
}
Amazon
Kinesis
AWS
Lambda
Amazon
DynamoDB
Resource Sizing
• AWS Lambda offers 23 "power levels"
• Higher levels offer more memory and more CPU power
• 128MB, lowest CPU power
• 1.5GB, highest CPU power
• Compute price scales with the power level
• Duration ranging from 100ms to 5 minutes

137. Attaching Lambda to Kinesis
$ aws lambda create-event-source-mapping
--event-source-arn arn:aws:kinesis:us-east-1:789539825478:stream/medication_status_stream
--function-name MedicationStatus
--starting-position LATEST
Amazon
Kinesis
AWS
Lambda

138. Demo of it all working together!

139. Medication Status architecture (AWS side)
IoT MQTT
protocol
IoT
certificate IoT
rule
IoT
topic
Amazon
Kinesis
AWS
Lambda
Amazon
DynamoDB
Amazon
SNS
Alexa
Medication Status
monitoring device
Medication Status Backend
Node.js
AWS
Lambda
AWS
Lambda

140. Adding SNS and Subscriptions
$ aws sns create-topic --name MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-
9cd042cd9a78
{
"TopicArn": "arn:aws:sns:us-east-1:789539825478: MedicationStatusGroupContact-
488dbe6f-0ce0-49f5-9e90-9cd042cd9a78”
}
$ aws sns set-topic-attributes --topic-arn arn:aws:sns:us-east-1:789539825478:
MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-9cd042cd9a78 --attribute-name
DisplayName --attribute-value "Med Status”
$ aws sns subscribe --topic-arn arn:aws:sns:us-east-1:789539825478:
MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-9cd042cd9a78 --protocol sms --
notification-endpoint <phone number>
{
"SubscriptionArn": "pending confirmation"
}
$ aws sns subscribe --topic-arn arn:aws:sns:us-east-1:789539825478:
MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-9cd042cd9a78 --protocol email -
-notification-endpoint mccurdyc@amazon.com
{
"SubscriptionArn": "pending confirmation"
}
Amazon
SNS

141. Create Medication Status Monitor Lambda
AWS
Lambda
Amazon
DynamoDB

142. Deploying Medication Status Monitor Lambda
$ aws lambda create-function --function-name MedicationStatusMonitor --runtime python2.7 --role
arn:aws:iam::789539825478:role/medication_status_role --handler medication_sns_lambda.lambda_handler --timeout
3 --memory-size 128 --zip-file fileb://medication_sns_lambda.zip
{
"FunctionName": ”MedicationStatusMonitor ",
"MemorySize": 128,
"FunctionArn": "arn:aws:lambda:us-east-1:789539825478:function:lambda-medication-status-monitor",
"Role": "arn:aws:iam::789539825478:role/medication_status_role",
"Timeout": 3,
"Handler": "medication_sns_lambda.lambda_handler",
…
}
AWS
Lambda

143. Adding Polling Lambda Function
$ aws lambda add-permission --function-name MedicationStatusMonitor --statement-id
adding_event_handler --action 'lambda:InvokeFunction' --principal events.amazonaws.com --
source-arn arn:aws:events:us-east-1:789539825478:rule/scheduled_medication_status_check
{
…
}
aws events put-rule --name scheduled_medication_status_check --schedule-expression 'rate(1
hour)'
{
"RuleArn": "arn:aws:events:us-east-
1:789539825478:rule/scheduled_medication_status_check"
}
$ aws events put-targets --rule scheduled_medication_status_check --targets '{"Id" : "1", "Arn":
"arn:aws:lambda:us-east-1:789539825478:function:MedicationStatusMonitor"}'
{
…
}
AWS
Lambda

144. Hi Alexa! Please ask Medication Status, did
device 31 dispense medication today?
Alexa

145. Create Utterances and Intents
GetMedicationStatus has device {DeviceNumber} dispensed medication {Date}
GetMedicationStatus did device {DeviceNumber} dispense medication {Date}
GetMedicationStatus did device {DeviceNumber} deliver medication on {Date}
GetMedicationStatus if device {DeviceNumber} dispense medication on {Date}
Alexa
Utterance
Intents

146. Create Invocation/Lambda
AWS
Lambda
Alexa

147. Deploying Medication Status Monitor Lambda
$ aws lambda create-function --function-name MedicationStatusAlexa --runtime python2.7 --role
arn:aws:iam::789539825478:role/medication_status_role --handler medication_alexa.lambda_handler --timeout
3 --memory-size 128 --zip-file fileb://medication_alexa_lambda.zip
{
"FunctionArn": "arn:aws:lambda:us-east-1:789539825478:function:MedicationStatusAlexa ",
…
}
$ aws lambda add-permission --function-name AlexaMedicationStatus –statement-id 1 --action
lambda:invokeFunction --principal alexa-appkit.amazon.com --region us-east-1
{
…
}
AWS
Lambda
Alexa

148. Adding an Alexa skill
Alexa

149. Tie it all together

150. Improvements
• CloudWatch Monitors on all resources
• IoT Shadow
• Viewing Metrics with QuickSight / Elastic Search +
Kibana
• Flush out Alexa Medication Status Monitor python code
Other Use Cases
• Light/Motion Monitor

151. Thank You