With cloud maturity come operational efficiencies and endless potential for innovation and business growth. Without the right strategy, however, the complexities of governing cloud infrastructure get in the way. Visibility, accountability, and actionable insights are among the most valuable considerations. The AWS cloud clearly enables convenience and cost savings for organizations that know how to leverage its full potential. Amazon EC2 Reserved Instances (RIs), in particular, present a tremendous opportunity to save significantly on capacity when scaling, but there are many considerations to fully reaping their benefits. In this session, CloudCheckr CTO Patrick Gartlan will present issues that every organization runs into when scaling, provide best practices for how to combat them, and help you show your boss how RIs help you save money and move faster.
This session is brought to you by AWS Summit Chicago sponsor, CloudCheckr.
4. Customer challenges
- Having effective visibility and control
- Turning data into action to maximize agility and eliminate waste
- Clarity and accountability across all key stakeholders
- Maintaining secure configurations
- Security state + activity visibility across the IaaS attack surface
- Inability to rapidly assess security & compliance posture
- Mismanaged spend without an actionable way to track, manage & optimize
- Visibility across an organization's multiple accounts
- Managing cost allocation efficiently
- Right-sizing instances and being notified of idle or unused resources
6. Security & compliance – best practices
Configure Amazon VPCs securely
- Reduce the attack surface with network ACLs
- Set up subnets/route tables
- Least privilege in security groups
- Set up ELBs/ALBs
- Set up VPC endpoints
- Don't forget about resources not in VPCs (Amazon SNS, Amazon SQS, DynamoDB)
  - Watch for VPC endpoints for these services
Controlling access to workloads
- Reduce the attack surface; limit access to the minimum ports and IPs necessary
7. Inventory/change monitoring – best practices
- The first job for security is to inventory and discover what is running in the environment
- Can't run ping sweeps or IP scans against my networks
  - Against the AWS terms of service
  - The network works differently (how ARP works, how UDP packets are answered, broadcast packets, how closed IPs/ports respond to packets)
- Use the AWS API for inventory
- The security holes are the ones you don't even know about
  - Can I see what resources are running?
  - Can I see who has access to what?
  - Can I see what applications are running?
  - Can I see what people are doing?
- You can't protect what you can't see
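The API-driven inventory this slide calls for, combined with the least-privilege security-group check from the VPC slide, as an added example (not code from the session or from CloudCheckr): it walks security groups in the shape the EC2 DescribeSecurityGroups API returns and reports ingress rules that expose ports to the whole internet. The allowed-port policy, the `fetch_security_groups` helper (which assumes boto3 and configured credentials) and the sample groups are assumptions of the example.

```python
"""Audit security-group ingress rules pulled from the EC2 API for rules that
expose ports to the whole internet. Added example, not the session's code."""
from ipaddress import ip_network

# Assumed policy: only these ports may be reachable from any source address.
PUBLIC_PORTS_ALLOWED = {80, 443}

def _ports(perm):
    """Port range of a rule; protocol -1 (all traffic) carries no ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def find_world_open_rules(security_groups, allowed=PUBLIC_PORTS_ALLOWED):
    """Return (group_id, protocol, from_port, to_port, cidr) for each ingress
    rule whose source is 0.0.0.0/0 or ::/0 and whose ports are not all allowed."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = _ports(perm)
            if all(p in allowed for p in range(lo, hi + 1)):
                continue  # e.g. a single 443/tcp rule may be public
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if ip_network(cidr, strict=False).prefixlen == 0:  # /0 = anyone
                    findings.append((sg["GroupId"], perm["IpProtocol"], lo, hi, cidr))
    return findings

def fetch_security_groups(region):
    """Inventory every security group in one region through the API instead of
    scanning. Assumes boto3 is installed and AWS credentials are configured."""
    import boto3  # imported here so the offline sample below runs without it
    pages = boto3.client("ec2", region_name=region).get_paginator(
        "describe_security_groups").paginate()
    return [sg for page in pages for sg in page["SecurityGroups"]]

# Constructed sample in DescribeSecurityGroups shape, not real account data.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

Running `find_world_open_rules(SAMPLE_GROUPS)` flags the database port and the all-traffic IPv6 rule on `sg-db` while leaving the public HTTPS rule and the CIDR-restricted SSH rule alone; for a live account, feed it `fetch_security_groups(region)` for each region in use.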