Building your workloads on AWS unleashes speed and agility. To keep your foot on the pedal and stay aggressive, you need to infuse governance and best practices into your patterns. In this session, learn how to stay lean, maximize spend and ensure proper controls are in place by focusing on three key areas: cost optimization strategies, right sizing services and managing administrative privileges. Join CloudCheckr Co-Founder/CEO Aaron Newman in this presentation as he walks you through best practices and strategies for successfully scaling out your AWS environment. This session brought to you by AWS Summit San Francisco Platinum Sponsor CloudCheckr.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CloudCheckr Co-Founder & CEO, Aaron Newman
April 19th 2017
Maximize Scale and Agility:
Leveraging Best Practices and Optimizing Your Cloud

2. Agenda
 Intro to governance and managing elastic workloads
 Cost Management
 Resource Utilization
 Security
 Inventory/Change Monitoring
As you accelerate your infrastructure,
to not lose control it’s critical to infuse governance and
best practices into your cloud
What will we cover today?

3. Intro to governance and managing elastic workloads
 The cloud eliminated the weeks/months of waiting for hardware
 Click a button, get your server in seconds/minutes
 But this can also be big problem in the cloud if you are not careful
 Spinning up workloads and forgetting about them
 Using the cloud without governance leads to waste and cloud sprawl
 Set governance and best practices around use of the cloud to prevent
 Measure what you are doing in the cloud
 Don’t allow governance to inhibit use of the cloud
 Don’t allow yourself to slow down/stop/or make moving to the cloud more difficult
If you can’t measure it, you can’t improve it.
- Peter Drucker
Make educated, data-driven decisions

4. Cost Management – Setting Up Accounts
 Important decisions from the start
 One account with lots of workloads in it
 Individual accounts with one (or few) workloads in it
 Environments (dev, prod, testing) in separate accounts
 Multiple accounts
 Much clearer segregation for permissions, roles, costs
 Can result in cloud sprawl
 Single account
 Easy to have a unified view of resources
 Requires extensive use of tags
 Use AWS Consolidated Billing
 Use AWS Organizations

5. Cost Management – Tagging Strategies
 Build tagging standards of what tags to use
 https://aws.amazon.com/answers/account-management/aws-tagging-strategies/
 Technical Tags, Automation Tags, Business Tags, Security Tags
 Enforcing the tagging strategy on new resources
 Verify when tags are missing – Tag-or-terminate Polices
 Monitoring case-sensitivity for tagging
 Env=prod is not the same as ENV=Prod
 Untaggable Costs
 E.g. Data Transfer charges
 New S3 Object Tagging
 http://docs.aws.amazon.com/AmazonS3/latest/dev/object-tagging.html
New AWS Resource Tagging API to help manage
https://aws.amazon.com/blogs/aws/new-aws-resource-tagging-api/

6. Cost Management – Purchasing Options
 Start with On-Demand (pay as you go)
 Highest rate, no commitment
 Once workloads stabilized look at RIs
 Don’t forget to look on the AWS Marketplace
 Decision: Centralize or Decentralized RI purchasing
 Sharing discounts proportionally
 Amortizing upfront costs
 Look for ways to use Spot Instance
 Savings is typically 85%
30 minutes of training on purchasing options
for your cloud users is a great investment

7. Cost Management – Amazon EC2 Reserved Instance Usage
 Availability vs Discounts
 Convertible vs Standard Reserved Instances
 Regional vs Availability Zone Reserved Instances
 All Upfront, No Upfront, Partial Upfront
 1 year VS 3 years
Effective March 1st, regional RIs now provide instance size
flexibility, in addition to AZ flexibility.
https://aws.amazon.com/about-aws/whats-new/2017/03/amazon-ec2-reserved-instances-
now-offer-instance-size-flexibility-helping-you-reduce-your-ec2-bill/

8. Resource Utilization – Right Sizing
 What happens in the data center when your server is running at 99% CPU utilization?
 Order more hardware, get it in a few weeks
 What happens in AWS when your server is running at 99% CPU utilization?
 Right mouse click, scale up to next instance size
 This is important in how I plan and provision resources
 In the data center, I want to run my workloads at 10% capacity
 In the cloud, I want to run my workloads at 90% capacity
If I can run my workload at 90% instead of 10% that should require 1/9th the cost
It’s hard to break old habits with Right Sizing

9. Resource Utilization – Auto-Scaling
 Lift & Shift vs Re-architect
 Creating stateless architectures
 Cloud is more about architect than infrastructure
 How do I right size automatically scaling environments?
 Measuring utilization of Tags, not of specific Resources
 Example tag set for an ELB Application
Name cc-prod-release
aws:autoscaling:groupName - awseb-e-kecpdckigr-stack-AWSEBAutoScalingGroup-17J41
aws:cloudformation:logical-id - AWSEBAutoScalingGroup
aws:cloudformation:stack-id - arn:aws:cloudformation:us-east-1:949195593353:stack/
aws:cloudformation:stack-name - awseb-e-kecpdckigr-stack
elasticbeanstalk:environment-id - e-kecpdckigr
elasticbeanstalk:environment-name - cc-prod-release

10. Security & Compliance
 Setup AWS Identity and Access Management (IAM) access controls
 Setting up IAM administrator group
 Include users in group/roles and don’t allow policies/permissions to users
 Ensuring IAM access is revoked from terminated employees
 Use Federation with IAM instead of IAM users and passwords
 Enable AWS CloudTrail
 Turn on AWS CloudTrail across all AWS regions
 https://aws.amazon.com/blogs/aws/aws-cloudtrail-update-turn-on-in-all-regions-use-multiple-trails/
 Encrypt log files with AWS Key Management Service (KMS)
 Log file integrity validation process
Controlling the AWS Management Plane
IAM controls access, CloudTrail monitors access through IAM

11. Security & Compliance
 Configure VPCs securely
 Setup Subnets/Route Tables
 Least privileges in Security Groups
 Reduced attack surface with Network ACLs
 Setup ELBs/ALBs
 Setup VPC Endpoints
 Don’t forget about resources not in VPCs
 SNS, SQS, DynamoDB
 Watch for VPC Endpoints for these services
Controlling Access to Workload
Reduce attack surface, limit access to minimum ports and IPs necessary

12. Security & Compliance
 Encryption of Data-At-Rest
 S3 Encryption
 EBS Encryption
 RDS Encryption
 Encryption of Data-In-Motion
 Limit use of Non-SSL Protocols in ELBs
 Using SSL to Encrypt a Connection to a DB Instance
 Requires some setup but it a really good best practice
 "Each DB engine has its own process for implementing SSL."
 http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
Encryption in AWS
Attack Vectors: Understand what encryption does and does not protect

13. Inventory/Change Monitoring
 First job for security is to inventory and discover what is running in the environment
 Can't run ping sweeps, IP scans against my networks
 Against the terms of service in AWS
 Works differently (how does ARP work, how do UDP packets responding, broadcast
packets, how do closed IPs/ports respond to packets)
 Using the AWS API for inventory
 The security holes are what you don't even know about
 Can I see what resources are running
 Can I see who has access to what
 Can I see what applications are running
 Can I see what people are doing
You can't protect what you can't see

14. What CloudCheckr Does
Cost
Management
Security &
Compliance
Inventory
Management
Automation

15. delivers performance monitoring of AWS environments, providing enterprise
and MSP customers with advanced cost optimization, security monitoring,
performance management, and automation capabilities.
WE SATISFY ENTERPRISE TEAMS:
IT, SECURITY, & FINANCE

16. Aaron Newman
Co-Founder & CEO
aaron.newman@cloudcheckr.com