In this session, data analysts, big data administrators, system administrators, developers, and IT managers learn how to create a robust computing environment for their own teams. As enterprises move to the cloud—providing secure, governed turnkey solutions at scale to a broad set of users faces its own challenges—organizations need to ensure charge back and tracking mechanisms while also rapidly creating new turnkey solutions that are readily available to a broad set of end users to keep up with innovation. With AWS Service Catalog, AWS Lambda, Amazon CloudWatch Events, Amazon DynamoDB, and AWS CloudFormation, Pfizer’s Big Data team is defining and enabling the next paradigm of computing at Pfizer.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Enabling Big Data Computing at Pfizer
with AWS Service Catalog and AWS
Lambda
M S C 3 0 4
N o v e m b e r 2 8 , 2 0 1 7

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• Governance in AWS with AWS Service Catalog
• Understand how Pfizer is enabling big data computing
• Understand governance while maintaining agility

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Service Catalog Overview

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Key Benefits
Standardize
Enforce Consistency and
Compliance
Limit Access
Enforce Tagging
Developer Autonomy
One-stop Shop
Automate Deployments
Single Pane for Provisioning

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Service Catalog: Gateway to AWS
Backup
Corporate
Email
Sharing &
Collaboratio
n
Virtual
Desktops
Availability Zones Points of PresenceRegions
Compute
VMs, Auto Scaling, & Load
Balancing
Storage
Object, Blocks, Archival,
Import/Export
Databases
Relational, NoSQL, Caching,
Migration
CDN
Networking
VPC, DX, DNS
Data Backups
Integrated
App
Deployments
Direct
Connect
Identity
Federation
Integrated
Resource
Management
Integrated
Networking
Access Control
Identity
Management
Key
Management &
Storage
Monitoring
& Logs
Resource &
Usage Auditing
Configuration
Compliance
Web application
firewall
Assessment and
reporting
Rules
Engine
Registry
Device
Shadows
Device
Gateway
Device
SDKs
Databases
Networking
Security
Business Apps
DevOps Tools
Storage
Business
Intelligence
Operating
Systems
HYBRID ARCHITECTUREMARKETPLACE
Elastic
Search
Machine
Learning
Data
Warehousing
Hadoop/Spark
Streaming Data
Analysis
Business
Intelligence
Streaming Data
Collection
ANALYTICS
Queuing &
Notifications
Search
Email
Workflow
Transcoding
APP SERVICES
Push
Notifications
API
Gateway
Sync
Mobile
Analytics
Identity
Single Integrated
Console
MOBILE SERVICES
Resource
Templates
One-click App
Deployment
Application Lifecycle
Management
Containers
DevOps Resource
Management
Triggers
DEVELOPMENT & OPERATIONS IoT ENTERPRISE APPS
SECURITY & COMPLIANCE
CORE SERVICES
INFRASTRUCTURE
AWS Service Catalog

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Service Catalog: Terminology
Constraint
Restriction on the ways that specific
AWS resources can be deployed for a
product, e.g., template constraints to
allow only certain EC2 instance sizes
Product
An IT service (VPC, web server, n-tier
environment, database) that you want
to make available for deployment on
AWS
Provisioned Product
An AWS Service Catalog product is
launched through an AWS
CloudFormation process, and the
collection of launched services is called
a Provisioned Product
Portfolio
A collection of products, together
with configuration information,
launch controls, and administrator-
controlled access

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Key Features
Tag Enforcement
Portfolio-level IAM Access
Denial of User Access to
Underlying Services
Constraint AWS CloudFormation
Parameters
Share Portfolios
Version and Re-use Products
API, CLI, Console
AWS Marketplace to AWS Service
Catalog Copy

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Marketplace to AWS Service Catalog
• Users subscribe to product
• 1-Click copy to AWS Service
Catalog
• Consistent deployment of all
products through AWS Service
Catalog

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Service Catalog Brand Your Console
Logo
Primary Color
Accent Color

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Enabling Big Data at Pfizer
Sampath K. Chaparala – Director, Analytics Architecture and Innovation, Pfizer

11. Legal Disclaimer

12. About Pfizer
$53BILLION
in revenue in 2016
60MANUFACTURING
sites worldwide
175MARKETS
in which Pfizer sells products
9PRODUCTS
with sales greater
than $1 billion in 2016
MORE THAN
140NEW R&D
COLLABORATIONS
in 2016
MORE THAN
91,000
COLLEAGUES
around the world
*As of April 2, 2017

13. Learn More About Pfizer
www.pfizer.com
Get Old
www.getold.com
Pfizer 365
http://pfizer365.com/
Get Healthy Stay Healthy
www.gethealthystayhealthy.com
Get Science
www.getscience.com

14. AWS has over 90+ Services
Not sure of
the best way
to represent
the data
visually
I only need to
use services
for Analytics. I
am lost in the
console..
What are these
security groups?
Should I care?
Is there a policy
I can use?
Isn’t there a
way to create
a product
bundle for
my project?
Tired of
manually
creating
monthly
dashboards
How many
services do I
need to
learn?
Where is the
Easy
button?
How do I
logically
identify my
project
assets?
?
I’d like my
team to use
these
services
consistently
There are too
many steps.
Can we not
automate
this?
Users

15. Motivations and Drivers (for a Service Catalog)
Automation Self Service Ease of Use Bring Agility
Promote
Solution
Patterns
Promote
Reuse
Enable a
technically
diverse user
base
Integration
with Internal
Assets
Tagging Auditing
Enforce
Standards
Security
Simplify User
Experience
Drive and
Manage
Change
Compliance
without
Complexity

16. Solution Approach: How it all comes together?
Choose
relevant
Products in
scope
Create a
Portfolio of
Products
Develop Cloud
Formation
Scripts
Stitch together
using a UI
Allocate
Portfolio to a
Project or BU
Share
Portfolios
Integrate with
Pfizer Active
Directory
Notify users
thru emails
Tagging for
reporting and
Spend
Management
Auditing
Usage and
Access
Embed
Hardening
Standards in
AMI’s
Enforce
Security using
Policies
Simplify User
Experience
Drive and
Manage
Change
Compliance
without
Complexity

17. Solution Approach: Initial Scope
Choose
relevant
Products in
scope
EC2, S3,
Redshift,
Lambda
Develop
Cloud
Formation
Scripts
Stitch
together using
a UI
Allocate
Portfolio to a
Project or BU
Share
Portfolios
Integrate with
Pfizer Active
Directory
Notify users
thru emails
Tagging for
reporting and
Spend
Management
Auditing
Usage and
Access
Embed
Hardening
Standards in
AMI’s
Enforce
Security using
Policies
Simplify User
Experience
Drive and
Manage
Change
Compliance
without
Complexity

18. End State Solution: Illustration
Portfolio
1Browse
Products
Administrator
Select version,
provisions products,
configures parameters
5
4
3
2
Deploy
Notifications
and outputs
Scheduled
functions
Notifications
and outputs
4
Service
consumers

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agile Governance
Project-based IAM controls

20. Solution Approach - Step 1
Tags
Principals
S3
EC2 Lambda
EMR Redshift
Launch
Launch
Launch
Launch
Launch
Portfolio
Active
Directory
Group
IAM role
The Project (Portfolio) Layout

21. Solution Approach – Step 2
Scale Infrastructure
as Code
Minimize
Human Error
Project
Onboarding
Automate Portfolio Creation

22. Solution Approach - Step 3
Least Privilege Automate Block Lateral
Attacks
Customer
Experience
Dynamically Update IAM Policies

23. Portfolio
Tags as Metadata Glue
Provisioned Product
(Stack)
Tags will be used by Lambda function to identify
the project, its Role, and its Policy
Tags
Enforced

24. IAM Bound Architecture
Data Scientist
S3
SQS
Lambda
Lambda Custom Resource
EC2
Get ARN for S3 bucket
Create IAM Portfolio role
Leverages Portfolio role
Update IAM Role Policy
Lambda Custom Resource

25. Logging and Tracking
Data Scientist
S3
SQS
Lambda
Lambda Custom Resource
EC2
Get ARN for S3 bucket
Update IAM Role Policy

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Implementation Details

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ease of Use Secure & Align
Dynamically
Track Changes Automation
Typical Requirements

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Solution: Agile Governance
• Step 1: 1:1 portfolio to project mapping
• Enforce tagging
• Align security controls and resource allocation
• Step 2: Automate product and portfolio creation
• Step 3: Dynamically update IAM policies as new resources are
provisioned

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Step 1: IAM Role Management
• 1:1 Portfolio (Project) to an IAM role: “Portfolio Role”
• 1:1 Portfolio Role to an IAM Policy: “Portfolio Policy”
• Full access between all AWS resources created through Portfolio
• Dynamically update Portfolio Policy and assign Portfolio Role to new resources
• Tags are enforced through AWS Service Catalog
Portfolio

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Step 2: Automate Product Creation
• YAML configuration file holds
product metadata
• Launch Role is created for each
Service Catalog product
• Launch Roles are managed as
code alongside the product’s
template

31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automate Portfolio Creation
• YAML configuration file holds Portfolio
metadata
• IAM Portfolio Role and Policy are created
• Portfolio Role, Portfolio Policy and
Portfolio id/name are added as tags
• The ”Products” key lists the products to be
associated with the created portfolio

32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Step 3: Dynamically Update IAM
• Get ARN for new AWS resources
• Dynamically create roles and assign them
• Track resources
• AWS CloudFormation custom resources with AWS Lambda
• Enforce tags with AWS Service Catalog
• Track with tags and Amazon DynamoDB
• Need to wait for resource ARN to be available
• Easy user experience with AWS Service Catalog

33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudFormation Custom Resources
• Provisioning logic in AWS CloudFormation
templates
• Called for each create, update, or delete
product call
• Invokes a Lambda function
• Invoked Lambda function must respond to
the AWS CloudFormation custom resource
using a signed URL

34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Lambda IAM Boundary Logic
• Retrieve new AWS resource information (ARN, Tags, Service)
• Portfolio Policy to include ARN of new AWS resource
• Portfolio Role attached to new AWS resource
• Portfolio Role trust relationship updated

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Portfolio Role
• One IAM role per portfolio (project scope)
• Dynamically assumed by newly created resources
• Attached to the dynamic portfolio policy

36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Portfolio Dynamic Policy
• Dynamically insert ARNs to Portfolio Policy for newly created resources
Resources launched
from portfolio

37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tracking & Notification Mechanism
• Service Catalog Tag Enforcement
• Two levels of tags: Portfolio (project-specific), Product
• DynamoDB NoSQL database
• Modify number of columns
• Connect through Amazon QuickSight, Tableau to run reports
• Dynamically grows
• User notification
• Leveraging on-premises email server

38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Logging and Tracking
Data Scientist
S3
SQS
Lambda
Lambda Custom Resource
EC2
Get ARN for S3 bucket
Update IAM Role Policy

39. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
DEMO
• Provision an Amazon S3 bucket
• Provision Amazon EC2 from the same portfolio
• Provision second S3 bucket

41. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Takeaways

42. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Key Takeaways
 Start small, iterate quickly, and build incrementally
 Align Security and Resource Associations through Portfolios on a
per-project basis
 Automate security processes with AWS Lambda to reduce
turnaround time
 IAM bound your applications through Automation with Tags and
Tag Enforcement through AWS Service Catalog
 Create an easy click-and-go experience for users

43. Road Ahead
Expand Product
Catalog
Pragmatic
Governance
Foundation
Enhancements
• Athena, AWS Glue
• GPU, ML
• RDS, Amazon EMR
• Marketplace
Integration
• Focus on Analytics
Services
• Develop Standard
Policies
• Automated Utilization
Reports
• User Notifications
• Simplify UX

44. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Q&A

45. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank You!

46. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Time to Market Least Privilege Cost Allocation Scale
Benefits

47. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Challenges
• Change security and configuration with new resource provisioning
Developer

48. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Traditional Method
• Manual processes and/or approval cycles
• Resource Associations, e.g., new Amazon S3 bucket belongs to this specific project
and IAM EC2 role
Developer
InfoSec
Developer