In this session, data analysts, big data administrators, system administrators, developers, and IT managers learn how to create a robust computing environment for their own teams. As enterprises move to the cloud, providing secure, governed turnkey solutions at scale to a broad set of users brings its own challenges: organizations need chargeback and tracking mechanisms while also rapidly creating new turnkey solutions that are readily available to a broad set of end users, so they can keep up with innovation. With AWS Service Catalog, AWS Lambda, Amazon CloudWatch Events, Amazon DynamoDB, and AWS CloudFormation, Pfizer’s Big Data team is defining and enabling the next paradigm of computing at Pfizer.
12. About Pfizer
$53 billion in revenue in 2016
60 manufacturing sites worldwide
175 markets in which Pfizer sells products
9 products with sales greater than $1 billion in 2016
More than 140 new R&D collaborations in 2016
More than 91,000 colleagues around the world
*As of April 2, 2017
13. Learn More About Pfizer
Pfizer: www.pfizer.com
Get Old: www.getold.com
Pfizer 365: http://pfizer365.com/
Get Healthy Stay Healthy: www.gethealthystayhealthy.com
Get Science: www.getscience.com
14. AWS has over 90+ Services
Questions heard from users:
"Not sure of the best way to represent the data visually."
"I only need to use services for Analytics. I am lost in the console."
"What are these security groups? Should I care? Is there a policy I can use?"
"Isn’t there a way to create a product bundle for my project?"
"Tired of manually creating monthly dashboards."
"How many services do I need to learn?"
"Where is the Easy button?"
"How do I logically identify my project assets?"
"I’d like my team to use these services consistently."
"There are too many steps. Can we not automate this?"
15. Motivations and Drivers (for a Service Catalog)
Automation, Self Service, Ease of Use, Bring Agility
Promote Solution Patterns
Promote Reuse
Enable a technically diverse user base
Integration with Internal Assets
Tagging
Auditing
Enforce Standards
Security
Simplify User Experience
Drive and Manage Change
Compliance without Complexity
16. Solution Approach: How it all comes together?
Choose relevant Products in scope
Create a Portfolio of Products
Develop CloudFormation Scripts
Stitch together using a UI
Allocate Portfolio to a Project or BU
Share Portfolios
Integrate with Pfizer Active Directory
Notify users thru emails
Tagging for reporting and Spend Management
Auditing Usage and Access
Embed Hardening Standards in AMIs
Enforce Security using Policies
Simplify User Experience
Drive and Manage Change
Compliance without Complexity
17. Solution Approach: Initial Scope
Choose relevant Products in scope: EC2, S3, Redshift, Lambda
Develop CloudFormation Scripts
Stitch together using a UI
Allocate Portfolio to a Project or BU
Share Portfolios
Integrate with Pfizer Active Directory
Notify users thru emails
Tagging for reporting and Spend Management
Auditing Usage and Access
Embed Hardening Standards in AMIs
Enforce Security using Policies
Simplify User Experience
Drive and Manage Change
Compliance without Complexity
18. End State Solution: Illustration
[Figure: end-state workflow. Actors: Administrator (owns the Portfolio) and Service consumers. Callouts 1 to 5: Browse Products; Select version, provision products, configure parameters; Deploy; Notifications and outputs; Scheduled functions, which also return notifications and outputs.]
20. Solution Approach - Step 1
The Project (Portfolio) Layout
Portfolio products, each with a Launch action: S3, EC2, Lambda, EMR, Redshift
Tags attached to the Portfolio
Principals: Active Directory Group, IAM role
21. Solution Approach – Step 2
Automate Portfolio Creation
Scale Infrastructure as Code
Minimize Human Error
Project Onboarding
22. Solution Approach - Step 3
Dynamically Update IAM Policies
Least Privilege
Automate
Block Lateral Attacks
Customer Experience
23. Portfolio
Tags as Metadata Glue
Provisioned Product (Stack)
Tags will be used by the Lambda function to identify the project, its Role, and its Policy
Tags Enforced
24. IAM Bound Architecture
Data Scientist provisions S3, SQS, Lambda and EC2 from the portfolio
Lambda Custom Resource: Get ARN for S3 bucket; Create IAM Portfolio role; Update IAM Role Policy
EC2 leverages the Portfolio role
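The following is an added example, not code from the deck or from Pfizer or AWS, showing how the pieces in slides 22 to 24 fit together: a Lambda-backed CloudFormation custom resource reads the tags that the portfolio stamps on the provisioned product, derives the project's IAM role and inline policy names from them, and writes a least-privilege policy pinned to the one S3 bucket ARN the stack created, so a project role cannot reach another project's bucket. The tag keys (Project, PortfolioRole, PortfolioPolicy), the naming scheme, and the sample event are assumptions made for this example; the deck only says that tags identify the project, its role and its policy.

```python
"""Lambda custom resource: tag-driven least-privilege S3 policy (added example)."""
import json
import urllib.request

# Tag keys are an assumption for this example; the deck only states that
# tags identify the project, its role and its policy.
TAG_PROJECT = "Project"
TAG_ROLE = "PortfolioRole"
TAG_POLICY = "PortfolioPolicy"
REQUIRED_TAGS = (TAG_PROJECT, TAG_ROLE, TAG_POLICY)


def tags_to_dict(tags):
    """Normalise a CloudFormation-style [{"Key":..,"Value":..}] list to a dict."""
    return {t["Key"]: t["Value"] for t in tags}


def resolve_project(tags):
    """Return (project, role_name, policy_name) from the enforced tags.

    A stack missing any required tag is rejected outright rather than being
    given a guessed (and therefore possibly over-broad) policy.
    """
    d = tags_to_dict(tags)
    missing = [k for k in REQUIRED_TAGS if not d.get(k)]
    if missing:
        raise ValueError("missing enforced tags: " + ", ".join(missing))
    return d[TAG_PROJECT], d[TAG_ROLE], d[TAG_POLICY]


def bucket_arn(bucket_name):
    return "arn:aws:s3:::" + bucket_name


def build_bucket_policy(bucket_name):
    """Least-privilege document: list this bucket and read/write its objects.

    Both statements are pinned to the bucket's ARN, which is what keeps one
    project's role from moving laterally into another project's data.
    """
    arn = bucket_arn(bucket_name)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListProjectBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": arn},
            {"Sid": "ReadWriteProjectObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": arn + "/*"},
        ],
    }


def plan_policy_update(event):
    """Pure part of the resource: turn a Create/Update event into the
    put_role_policy arguments. Returns None on Delete (nothing to grant)."""
    if event["RequestType"] == "Delete":
        return None
    props = event["ResourceProperties"]
    project, role_name, policy_name = resolve_project(props["Tags"])
    return {"Project": project, "RoleName": role_name,
            "PolicyName": policy_name,
            "PolicyDocument": build_bucket_policy(props["BucketName"])}


def send_response(event, status, reason=""):
    """PUT the mandatory custom-resource reply to the pre-signed ResponseURL."""
    body = json.dumps({"Status": status, "Reason": reason,
                       "PhysicalResourceId": event.get("LogicalResourceId"),
                       "StackId": event.get("StackId"),
                       "RequestId": event.get("RequestId"),
                       "LogicalResourceId": event.get("LogicalResourceId")}).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)


def handler(event, context):
    """Lambda entry point. boto3 is imported lazily so the pure functions
    above can be exercised locally without AWS credentials."""
    try:
        plan = plan_policy_update(event)
        if plan is not None:
            import boto3
            boto3.client("iam").put_role_policy(
                RoleName=plan["RoleName"], PolicyName=plan["PolicyName"],
                PolicyDocument=json.dumps(plan["PolicyDocument"]))
        send_response(event, "SUCCESS")
    except Exception as exc:  # a failed grant must fail the stack, not hide
        send_response(event, "FAILED", str(exc))
        raise


# Constructed sample event (hypothetical names) for running the pure path locally.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResourceProperties": {
        "BucketName": "example-projectx-data",
        "Tags": [{"Key": "Project", "Value": "ProjectX"},
                 {"Key": "PortfolioRole", "Value": "ProjectX-PortfolioRole"},
                 {"Key": "PortfolioPolicy", "Value": "ProjectX-S3Access"}],
    },
}

if __name__ == "__main__":
    print(json.dumps(plan_policy_update(SAMPLE_EVENT), indent=2))
```

`put_role_policy` is the real boto3 IAM call that writes an inline role policy; the template's custom resource passes the bucket name and the stack's tags as `ResourceProperties`, and the enforced tags, not user input, decide which role gets the grant. Running the file directly prints the planned policy for the constructed event without touching AWS.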
25. Logging and Tracking
Data Scientist provisions S3, SQS, Lambda and EC2 from the portfolio
Lambda Custom Resource: Get ARN for S3 bucket; Update IAM Role Policy