This document provides an overview of Amazon Web Services (AWS) and its capabilities. It describes AWS's global consumer and seller businesses as well as its cloud infrastructure business. It then discusses why researchers love using AWS due to benefits like time to science, global accessibility, low costs, security, and elasticity. Popular high-performance computing workloads on AWS are also listed.

1. Alex Coqueiro
Solutions Architect, Amazon Web Services

4. Consumer Business
Milhões de clientes ativos
Operações globais em
diversos paises ao redor
do mundo
Seller"
Business
Vendas nos sites da
Amazon
Tecnologia baseada na
sua própria rede de
varejo
Alavancagem de
centros integrados de
fulfillment
Cloud
Business
Infraestrutura de nuvem
para host de aplicações
corporativass
Centenas de milhares
de clientes em mais de
190 paises

5. Amplo conjunto de recursos
computacionais que
permitem as empresas
moverem mais rapidamente
CLOUD

7. Why do researchers love using AWS?
Time to Science
Access research
infrastructure in minutes
Globally Accessible
Easily Collaborate with
researchers around the world
Low Cost
Pay-as-you-go pricing
Secure
A collection of tools to
protect data and privacy
Elastic
Easily add or remove capacity
Scalable
Access to effectively
limitless capacity

8. Popular HPC workloads on AWS
Genome
processing
Modeling and
Simulation
Government and
Educational Research
Monte Carlo
Simulations
Transcoding and
Encoding
Computational
Chemistry

10. A marketplace for software in the Cloud
Over 1,900 listings across
23 categories
Customers run over 70M
hours of software per month

11. AWS Marketplace – HPC category
aws.amazon.com/marketplace

12. AWS Public Data Sets
aws.amazon.com/marketplace
Free for everyone

13. AWS Curriculum
http://aws.amazon.com/certification/

15. Over 1 million active customers across
190 countries
800+ government agencies
3,000+ educational institutions
11 regions
28 availability zones
52 edge locations
Everyday, AWS adds enough new server capacity to support
Amazon.com when it was a $7 billion global enterprise.

16. Availability
Zone A
Availability
Zone B
Availability
Zone C
Region
Customer Decides Where Applications and Data Reside
Note: Conceptual drawing only. The number of Availability Zones may vary.

17. Enterprise
Applications
Virtual Desktops Collaboration and Sharing
Platform
Services
Databases
Caching
Relational
No SQL
Analytics
Hadoop
Real-time
Data
Workflows
Data
Warehouse
App Services
Queuing
Orchestration
App Streaming
Transcoding
Email
Search
Deployment & Management
Containers
Dev/ops Tools
Resource Templates
Usage Tracking
Monitoring and Logs
Mobile Services
Identity
Sync
Mobile Analytics
Notifications
Foundation
Services
Compute
(VMs, Auto-scaling
and Load Balancing)
Storage
(Object, Block
and Archive)
Security &
Access Control
Networking
Infrastructure Regions CDN and Points of PresenceAvailability Zones

18. Compute AnalyticsDatabasesStorage
Imaging
data
Phenotypes
& comparative
analysis
Upstream
analysis
Data mining

20. Enterprise
Applications
Virtual Desktops Collaboration and Sharing
Platform
Services
Databases
Caching
Relational
No SQL
Analytics
Hadoop
Real-time
Data
Workflows
Data
Warehouse
App Services
Queuing
Orchestration
App Streaming
Transcoding
Email
Search
Deployment & Management
Containers
Dev/ops Tools
Resource Templates
Usage Tracking
Monitoring and Logs
Mobile Services
Identity
Sync
Mobile Analytics
Notifications
Foundation
Services
Compute
(VMs, Auto-scaling
and Load Balancing)
Storage
(Object, Block
and Archive)
Security &
Access Control
Networking
Infrastructure Regions CDN and Points of PresenceAvailability Zones

21. Amazon EC2

23. • Resizable compute capacity in >25 instance types
• Reduces the time required to obtain and boot new server
instances to minutes or seconds
• Scale capacity as your computing requirements change
• Pay only for capacity that you actually use
• Choose Linux or Windows
• Deploy across Regions and Availability Zones for reliability
• Support for virtual network interfaces that can be attached to
EC2 instances in your VPC

24. General
Purpose
(Burstable or Fixed
Performance)
Compute
Optimized
Memory
Optimized
GPU
Instances
Storage
Optimized

25. Compute Optimized
Name
vCPU
Memory
(GiB)
Network
c4.large
2
3.75
Moderate
c4.xlarge
4
7.5
Moderate
c4.2xlarge
8
15
High
c4.4xlarge
16
30
High
c4.8xlarge
36
60
10 Gbps

26. Storage Optimized
Name
vCPU
Memory (GiB)
Network
HDD
d2.xlarge
4
30.5
Moderate
3 x 2000
d2.2xlarge
8
61
High
6 x 2000
d2.4xlarge
16
122
High
12 x 2000
d2.8xlarge
36
244
10Gb
24 x 2000

27. Intel Xeon E5-2670 (Sandy Bridge)
15GB or 60GB RAM
1 NVIDIA Grid k520 GPU
1,536 Cores
4GB Mem
GPU Optimized
Name
GPU
vCPU
Memory
(GiB)
Network
SSD
g2.2xlarge
1
8
15
High
1 x 60
g2.8xlarge
4
32
60
10 Gb
2 x 120

28. Demo

30. Time:+00h
Scale using Elastic Capacity
<10 cores

31. Time: +24h
Scale using Elastic Capacity
>1500 cores

32. Time:+72h
Scale using Elastic Capacity
<10 cores

33. Time: +120h
Scale using Elastic Capacity
>600 cores

34. Demo

36. Reserved
Make a low, one-time
payment and receive
a significant discount
on the hourly charge
For committed
utilization
Free Tier
Get Started on AWS
with free usage &
no commitment
For POCs and
getting started
On-Demand
Pay for compute
capacity by the hour
with no long-term
commitments
For spiky workloads,
or to define needs
Spot
Bid for unused
capacity, charged at
a Spot Price which
fluctuates based on
supply and demand
For time-insensitive
or transient
workloads
Dedicated
Launch instances
within Amazon VPC
that run on hardware
dedicated to a single
customer
For highly sensitive or
compliance related
workloads

38. On
On-demand
Reserved capacity
100%
Capacity Over Time
AWS Spot Market
Achieving economies of scale
Spot
0%

42. * Prices on April 17, 2015

43. * Prices on April 17, 2015

44. * Prices on April 17, 2015

45. * Prices on April 17, 2015

47. aws autoscale create-launch-configuration
--launch-configuration-name spotlc-5cents
--image-id ami-e565ba8c
--instance-type d2.2xlarge
--spot-price “0.25”
aws autoscale create-auto-scaling-group
--auto-scaling-group-name spotasg
--launch-configuration spotlc-5cents
--availability-zones “us-east-1a,us-east-1b”
--max-size 16
--min-size 1
--desiredcapacity 3
http://aws.amazon.com/cli/

48. Demo

50. Compute AnalyticsDatabasesStorage
Imaging
data
Phenotypes
& comparative
analysis
Upstream
analysis
Data mining

52. Enterprise
Applications
Virtual Desktops Collaboration and Sharing
Platform
Services
Databases
Caching
Relational
No SQL
Analytics
Hadoop
Real-time
Data
Workflows
Data
Warehouse
App Services
Queuing
Orchestration
App Streaming
Transcoding
Email
Search
Deployment & Management
Containers
Dev/ops Tools
Resource Templates
Usage Tracking
Monitoring and Logs
Mobile Services
Identity
Sync
Mobile Analytics
Notifications
Foundation
Services
Compute
(VMs, Auto-scaling
and Load Balancing)
Storage
(Object, Block
and Archive)
Security &
Access Control
Networking
Infrastructure Regions CDN and Points of PresenceAvailability Zones

56. AWS region
AZ - B
VPC 10.0.0.0/16
SN 10.0.1.0/24
M
E
E
E
VPC Endpoint
AZ - A
Internet GW Service
SN 10.0.2.0/24
E
E
E

57. M
E
E
E
S S S

58. Demo

59. Enterprise
Applications
Virtual Desktops Collaboration and Sharing
Platform
Services
Databases
Caching
Relational
No SQL
Analytics
Hadoop
Real-time
Data
Workflows
Data
Warehouse
App Services
Queuing
Orchestration
App Streaming
Transcoding
Email
Search
Deployment & Management
Containers
Dev/ops Tools
Resource Templates
Usage Tracking
Monitoring and Logs
Mobile Services
Identity
Sync
Mobile Analytics
Notifications
Foundation
Services
Compute
(VMs, Auto-scaling
and Load Balancing)
Storage
(Object, Block
and Archive)
Security &
Access Control
Networking
Infrastructure Regions CDN and Points of PresenceAvailability Zones

61. Enterprise
Applications
Virtual Desktops Collaboration and Sharing
Platform
Services
Databases
Caching
Relational
No SQL
Analytics
Hadoop
Real-time
Data
Workflows
Data
Warehouse
App Services
Queuing
Orchestration
App Streaming
Transcoding
Email
Search
Deployment & Management
Containers
Dev/ops Tools
Resource Templates
Usage Tracking
Monitoring and Logs
Mobile Services
Identity
Sync
Mobile Analytics
Notifications
Foundation
Services
Compute
(VMs, Auto-scaling
and Load Balancing)
Storage
(Object, Block
and Archive)
Security &
Access Control
Networking
Infrastructure Regions CDN and Points of PresenceAvailability Zones

63. Demo

64. Demo

65. StorageDatabaseCompute

67. Cloud automation allows for security agility
“Programmable infrastructure” allows
you to automate every aspect your
environment.
Security properties are “baked in,”
constantly checked via logging and
auditing, and deviations / alarms are
actionable via code
Change and speed of change become
an asset, not a liability

68. aws ec2 create-vpc --cidr-block 10.0.0.0/16
aws ec2 replace-route --route-table-id $ROUTE_TABLE_ID
--destination-cidr-block 0.0.0.0/0
--instance-id $INSTANCE_ID
aws ec2 attach-network-interface --network-interface-id $ENI
--instance-id $INSTANCE_ID
--device-index 1
aws ec2 assign-private-ip-addresses --network-interface-id $ENI
--private-ip-addresses 10.0.0.100
• AWS CLI

69. #!/bin/sh
export AWS_DEFAULT_REGION="us-east-1"
VPC_ID=`aws ec2 create-vpc --cidr-block 10.0.0.0/16 --output text | awk '{print $6;}'`
SUBNET_ID=`aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 10.0.1.0/24 --output
text | awk '{print $6;}'`
echo "Created $VPC_ID & $SUBNET_ID"
#Clean up
aws ec2 delete-subnet --subnet-id $SUBNET_ID
aws ec2 delete-vpc --vpc-id $VPC_ID

70. #!/usr/bin/python
import boto.vpc
Region=“us-east-1”
conn = boto.vpc.VPCConnection(Region)
vpc = conn.create_vpc(‘10.0.0.0/16’)
subnet = conn.create_subnet(vpc.id ‘10.0.1.0/24’)
Print "Created “+vpc.id+” & “+subnet.id
#Clean up
conn.delete_subnet(subnet.id)
conn.delete_vpc(vpc.id)
• Amazon SDK

71. "Resources" : {
"VPC" : {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : “10.0.0.0/16”,
"Tags" : [ { "Key" : “Name", "Value" : “VPCName“ } ]
}
},
"PublicSubnet" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"CidrBlock" : “10.0.1.0/24”,
"Tags" : [ { "Key" : "Network", "Value" : "Public" } ]
}
}
• AWS CloudFormation

72. Demo

73. Try out our HPC CloudFormation-based demo
CfnCluster (“CloudFormation
cluster”)
Command Line Interface Tool
Deploy and demo an HPC cluster
For more info:
https://aws.amazon.com/hpc/
cfncluster

75. Facilities
Physical security
Compute infrastructure
Storage infrastructure
Network infrastructure
Virtualization layer (EC2)
Hardened service endpoints
Rich IAM capabilities
Network configuration
Security groups
OS firewalls
Operating systems
Applications
Proper service configuration
Auth & acct management
Authorization policies
+ =
• Re-focus your security professionals on a subset of the problem
• Take advantage of high levels of uniformity and automation
Customer/Partner Audited

76. Web Tier
Application Tier
Database TierPorta 80 e 443
Time de Engenharia
com ssh
Todos os demais
acessos bloqueados
Acesso analítico de dados Amazon EC2
Security Group
Firewall

77. Rich control with AWS’s powerful
Identity & Access Management capabilities
Authentication:
• Multiple options including rich SAML
federation capabilities, MFA, web
identities
• Clean separation of identity from
proof of identity
• Roles are powerful and flexible
pseudo-principals that can be
assumed by other identities
• Federation scenarios
• Cross-account access

78. Network isolation with Virtual Private Cloud
Define your own address space as
extension of private network
Connect to private network with VPN
tunnel or Direct Connect
Configure Security Groups (virtual
firewalls) for all EC2 instances; update
fleet firewall rules with a single API call
Configure Network Access Control Lists
for subnet level isolation and control

79. Enhanced isolation and control with encryption
Automatic encryption with managed keys
(Key Management Service)
Dedicated hardware security modules
(Cloud HSM)
Bring and use your own keys

80. Encrypt your data prior to sending to AWS
Your applications in your
data center
Your applications in
Amazon EC2Encrypted
Data
AWS Services
S3 Glacier RedshiftEBS

81. Encryption Primer
Plaintext
PHI
Hardware/
Software
Encrypted
PHI
Symmetric
Data Key
Encrypted
Data Key
Master KeySymmetric
Data Key
?
Encrypted
Data in Storage
Key Hierarchy
?

82. S3 Client-Side Encryption
AmazonS3EncryptionClientwithAWSSDKs
Your key management
infrastructure
Your
applications
in your data
center
Your key
management
infrastructure in EC2
Your Encrypted Data in Amazon S3
Your application in
Amazon EC2
AWS SDK with
S3 Encryption Client

83. S3 SSE with Customer Provided Keys Works
Plaintext
PHI
Encrypted
Data
Customer
Provided KeyS3 Web Server
HTTPS
Customer
PHI
S3 Storage
Fleet
• Key is used at S3 server, then deleted
• Customer must provide same key when
downloading to allow S3 to decrypt data
Customer
Provided Key

84. S3 SSE with AWS fully managed keys
Plaintext
PHI
Encrypted
PHI
Symmetric
Data KeyS3 Web Server
HTTPS
Customer
PHI
Encrypted
Data Key
Master KeySymmetric
Data Key
S3 Storage
Fleet
A master key managed by the S3 service and
protected by systems internal to AWS in a
distinct system

85. Amazon EBS
Amazon S3
• HTTPS
• AES-256 server-side encryption
• AWS or customer provided or customer managed keys
• Each object gets its own key
• End-to-end secure network traffic
• Whole volume encryption
• AWS or customer managed keys
• Encrypted incremental snapshots
• Minimal performance overhead (utilizes Intel AES-NI)

88. Integrated with AWS IAM Console

89. Integrated with Amazon EBS

90. How AWS Services Integrate with KMS
• 2-tiered key hierarchy using envelope
encryption
• Data keys encrypt customer data
• KMS customer master keys encrypt data
keys
• Benefits:
• Limits blast radius of compromised
resources and their keys
• Better performance
• Easier to manage a small number of master
keys than billions of resource keys
Master Key(s)
Data Key 1
S3 Object EBS
Volume
RDS
Instance
Redshift
Cluster
Data Key 2 Data Key 3 Data Key 4 Data Key 5
Your
Application
Keys encrypted
Data encrypted
KMS

91. bit.ly/aws-dbgap

92. aws.amazon.com/hpc

93. http://bit.ly/aws-dbgap
Architecting for Genomic Data Security and
Compliance in AWS