Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, Training and Certification – Virtual AWSome Day June 2018

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Topics
Introduction to AWS Security
The AWS Shared Responsibility Model
AWS Access Control and Management
AWS Security Resources

Security is of the utmost importance to AWS.
Approach to security
AWS environment controls
AWS offerings and features

Keep Your Data Safe
Resilient infrastructure
High security
Strong safeguards

Continual Improvement
Rapid innovation
Constantly evolving security services

Pay For What You Need
Advanced security services
Address real-time emerging risks
Meeting needs at a lower operational cost

Meet Compliance Requirements
Governance-enabled features
 Additional oversight
 Security control
 Central automation

Security Products and Features
Tools
 Access from AWS and partners
 Use for monitoring and logging

Network Security
Built-in firewalls
Encryption in transit
Private/dedicated connections
Distributed denial of service (DDoS) mitigation

Inventory and Configuration Management
Deployment tools
Inventory and configuration tools
Template definition and management tools

Data Encryption
Encryption capabilities
Key management options
 AWS Key Management Service
Hardware-based cryptographic key storage options
 AWS CloudHSM

Access Control and Management
Identity and Access Management (IAM)
Multi-factor authentication (MFA)
Integration and federation with corporate directories
Amazon Cognito
AWS Single Sign-On

Monitoring and Logging
Tools and features to reduce your risk profile:
 Deep visibility into API calls
 Log aggregation and options
 Alert notifications

AWS Marketplace
Qualified partners to market/sell software to AWS
customers
Online software store that can run on AWS

The AWS Shared Responsibility
Model

Shared Responsibility Model

Security of the Cloud
Protection of the AWS global infrastructure is top priority
Availability of third-party reports

Amazon EC2
Amazon EBS
AWS Foundation Services
Unmanaged services Managed Services
Amazon DynamoDB
Amazon RDS
Amazon Redshift
Amazon EMR
Amazon WorkSpaces

Inherited Controls
 Physical
 Environmental
Shared Controls
 Patch Management
 Configuration Management
 Awareness and Training
AWS Foundation Services
Unmanaged services
(such as EC2, EBS)
Managed Services
Customer Specific
 Service/Communication
Protection
 Zone Security

Security in the Cloud
What to store
Which AWS services
In what location
In what content format and
structure
Who has access

Customers retain control
Changes to model depend on services

AWS Service Catalog
Virtual Machine Images
Servers
Software
Databases

Benefits
Centrally manage common IT services
Achieve consistent governance
Meet compliance requirements
Quickly deploy approved IT services

Example
Customer Responsibility:
 Guest OS
 Application
 Security group
Amazon
S3
Amazon
EC2 Amazon
Workspaces

Summary
AWS and the customer share security responsibilities
 AWS: Security of the cloud
 Customer: Security in the cloud
Customer has full control over security measures
Customer can use AWS Service Catalog
“Infrastructure” Service

AWS Access Control and
Management

AWS IAM
Control access to AWS resources
 Authentication
 Authorization
Controls access to services such as:
Compute
Storage
Database
Application services

AWS IAM
Create users and groups
Grant permissions
User Group Permissions Role

AWS IAM
Functionality
Manage
 Users and their access
 Roles and their permissions
 Federate users and their permissions
IAM Corp

AWS Account Root User
Account root user has complete access to
all AWS Services.

AWS Account Root User
Recommendations
1. Delete root user access keys.
2. Create an IAM user.
3. Grant administrator access.
4. Use IAM credentials to
interact with AWS.
IAM

AWS IAM: Authentication
Programmatic access
 Enables access key ID and secret access key
Management console access
 Uses AWS account name and password
 MFA prompts for code

AWS IAM: Authorization
Access AWS services
 Grant authorization
Assign permissions
 Create an AWS IAM policy

AWS IAM: Policy Assignment
IAM Policy
IAM User IAM Group IAM Roles

IAM Best Practices
Delete AWS root account access keys
Activate multi-factor authentication (MFA)
Give IAM users only the permissions they must have
Use IAM groups
Apply an IAM password policy

AWS communicates security and control environment
 Certifications and attestations
 Whitepapers and web content
 Compliance reports provided under NDA

AWS Trusted Advisor
Is a “customized cloud expert”
Helps you follow best practices
Inspects your AWS environment
Helps close security gaps
Finds opportunities and best practices in:
 Cost optimization
 Performance
 Security
 Fault Tolerance
 Service Limits

AWS Account Teams
Are first point of contact
Guide deployment
Point toward the right resources to resolve security issues

AWS Enterprise Support*
15-minute response time
24/7, by phone, chat, or email
Dedicated Technical Account Manager
*for details, see:
https://aws.amazon.com/premiumsupport/enterprise-support/

AWS Professional Services and
AWS Partner Network
APN has hundreds of certified AWS Consulting Partners
worldwide
 Help develop security policies
 Help meet compliance requirements

AWS Advisories and Bulletins
Advisories/bulletins provided on current vulnerabilities and
threats
Customers work with experts to address:
 Reporting abuse
 Vulnerabilities
 Penetration testing

AWS Auditor Learning Path
Understand how internal operations gain
compliance on AWS
Visit the compliance website:
 Recommended training
 Self-paced labs
 Auditing resources

AWS Compliance Solutions Guide
Understand the Shared Responsibility Model
Request a compliance report
Complete a security questionnaire
Services in Scope
AWS Security Blog
Case Studies
FAQs
*for details, see:
https://aws.amazon.com/compliance/resources/

Introduction to the Well-
Architected Framework

Introduction
Assess and improve architectures
Understand how design decisions impact business
Learn the five pillars and design principles

5 Pillars
Security
Reliability
Performance efficiency
Cost optimization
Operational excellence

Security Pillar
Identity and access management (IAM)
Detective controls
Infrastructure protection
Data protection
Incident response

Security Pillar: Design Principles
Implement security at all layers
Enable traceability
Apply principle of least privilege
Focus on securing your system
Automate

Reliability Pillar
Recover from issues/failures
Apply best practices in:
 Foundations
 Change management
 Failure management
Anticipate, respond, and prevent failures

Reliability Pillar: Design Principles
Test recovery procedures
Automatically recover
Scale horizontally
Stop guessing capacity
Manage change in automation

Performance Efficiency Pillar
Select customizable solutions
Review to continually innovate
Monitor AWS services
Consider the trade-offs

Performance Efficiency Pillar: Design Principles
Democratize advanced technologies
Go global in minutes
Use a serverless architectures
Experiment more often
Have mechanical sympathy

Cost Optimization Pillar
Use cost-effective resources
Matching supply with demand
Increase expenditure awareness
Optimize over time

Cost Optimization Pillar: Design Principles
Adopt a consumption model
Measure overall efficiency
Reduce spending on data center operations
Analyze and attribute expenditure
Use managed services

Operational Excellence Pillar
Manage and automate changes
Respond to events
Define the standards

Summary
Five pillars and their associated design principles
 Security
 Reliability
 Performance Efficiency
 Cost Optimization
 Operational Excellence

Reference Architecture –
Fault Tolerance and High Availability

Fault Tolerance
Ability of a system to remain operational
Built-in redundancy of an application’s components

High Availability
High availability is designed to keep
Systems generally functioning and accessible
Downtime minimized
Minimal human intervention required
Minimal up-front financial investment

High Availability: On Premises vs AWS
Traditional (on premises)
 Expensive
 Only mission-critical
applications
AWS
 Multiple servers
 Availability zones
 Regions
 Fault-tolerant services

High Availability: AWS Services
AWS Services and High Availability
 Amazon S3 and Amazon
Glacier
 DynamoDB
 Amazon CloudFront
 Amazon SWF
 Amazon SQS
 Amazon SNS
 Amazon SES
 Amazon Route53
 Elastic Load Balancing
 IAM
 Amazon CloudWatch
 Amazon CloudSearch
 AWS Data Pipeline
 Amazon Kinesis
 Auto Scaling
 Amazon Elastic File System
 AWS CloudFormation
 Amazon WorkMail
 AWS Directory Service
 AWS Lambda
 Amazon EBS
 Amazon RDS
 Amazon EC2
 Amazon VPC
 Amazon Redshift
 Amazon ElastiCache
 AWS Direct Connect
*Not all services are listed here.
Inherently HA services HA with the right architecture

High Availability Service Tools
Elastic load balancers
Elastic IP addresses
Amazon Route 53
Auto Scaling
Amazon CloudWatch

Elastic Load Balancers
Distributes incoming traffic (loads)
Sends metrics to Amazon CloudWatch
Triggers and notifies
 High latency
 Over used

Elastic Load Balancers

Elastic IP Addresses
Are static IP addresses
Mask failures (if they were to occur)
Continues to access applications if an instance fails

Amazon Route 53
Authoritative DNS service
 Translates domain names to IP addresses
Supports:
 Simple routing
 Latency-based routing
 Health checks
 DNS failovers
 Geo-location routing

Auto Scaling
Terminates and launches instances
Assists with adjusting or modifying capacity
Creates new resources on demand

Amazon CloudWatch
Alarm examples:
 If CPU utilization is >60% for 5 minutes…
 If number of simultaneous connections is >10 for one
minute…
 If number of healthy hosts is <5 for 10 minutes…

Fault Tolerant Tools
Amazon Simple Queue Service
Amazon Simple Storage Service
Amazon SimpleDB
Amazon Relational Database Service

Summary
Fault Tolerant and highly available architectures
Services to assist architectures

Reference Architecture:
Web Hosting

Web Hosting
Web hosting on AWS:
 Fast
 Straightforward
 Low cost
Common web applications:
 Company website
 Content management system
 Social media application development
 Internal SharePoint site

Cost Effective Alternative
Leverage on-demand provisioning
Eliminate wasted capacity
Continuously adjust to actual traffic patterns

Scalable
Handle unexpected traffic peaks or unexpected loads
Launch new hosts in minutes
Scale hosts up or down

On-Demand Solution for Various Environments
Provision testing fleets
Develop staging in minutes
Simulate use traffic

Migrating to AWS: Web Hosting Services
Products to assist transition:
 Amazon Virtual Private Cloud
 Amazon Route 53
 Amazon CloudFront
 Elastic load balancing
 Firewalls/AWS Shield
 Auto Scaling
 App servers/EC2 instances
 Amazon ElastiCache
 Amazon RDS/Amazon DynamoDB

Key Architectural Considerations
Replace physical network appliances with software solutions
Deploy firewalls everywhere
Make available multiple data centers
Build an ephemeral and dynamic architecture

Summary
AWS and web hosting
AWS web hosted services
Key considerations for web hosted architectures

Knowledge Check
Which of the following is NOT one of the four areas of the
performance efficiency pillar?
Tradeoffs
Selection
Monitoring
Traceability

Knowledge Check
What tool helps avoid limitations of being able to create new
resources on-demand or scheduled?
Route 53
Elastic load balancer
Auto Scaling
CloudWatch

Knowledge Check
In a physical data center, security is typically considered in what
area?
Only in the perimeter
In an edge location
In the closest region
In the closest availability zones

Knowledge Check
What is defined as the ability for a system to remain operational
even if some of the components of that system fail?
DNS failovers
High durability
High availability
Fault tolerance

Knowledge Check
Which of the following are high availability characteristics of
Amazon Route 53? (Choose 2)
Latency-based routing
Geo-location routing
Collect and track high latency metrics
Mask failure of an instance/software
Terminate instances based on specified conditions

Knowledge Check
What design principles are recommended when considering
performance efficiency? (Choose 2)
Enabling traceability
Democratize advanced technologies
Expenditure awareness
Matching supply and demand
Serverless architecture

Knowledge Check
Which of the following cloud security controls are designed for
only allowing authorized and authenticated users can access
your resources?
Detective controls
Identity and Access Management
Infrastructure protection
Incident response

Knowledge Check
When considering cost optimization, what model allows you to
pay only for what computing resources you actually use?
Consumption model
Economies of scope model
Economies of scale model
Expenditure model

Knowledge Check
Which of the following describes Elastic Load Balancers (ELB)?
Launches or terminates instances based on specified conditions
Creates new resources on-demand
Distributes incoming traffic amongst your instances
Translates domain names into IP addresses

Knowledge Check
Which of the following is NOT considered a fault tolerant tool?
S3
WAF
SQS
RDS

© 2018 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or
in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited.
Corrections or feedback on the course, please email us at: aws-course-feedback@amazon.com. For all other questions, contact us at:
https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.

Module 6: Pricing and
Support Overview

Topics
Fundamentals of Pricing
Pricing Details
Overview of the Total Cost of Ownership Calculator
Overview of AWS Support Plans

Fundamentals of Pricing

AWS Pricing Model
Pay-as-you-go
Pay less when you reserve
Pay even less per unit by using more
Pay even less as AWS grows

Pay-As-You-Go
Pay only for the services you consume, with no large
upfront expenses.
Lower variable costs
Pay only as long as you need the service
Adapt to changing business needs
Redirect focus on innovation and invention

Pay Less When You Reserve
Invest in reserved instances
Save up to 75%
Options
 All Upfront
 Partial Upfront
 No Upfront payments

Pay Less By Using More
Realize volume-based discounts
Savings as usage increases
Tiered pricing for services (for example, Amazon S3,
Amazon EC2)
No charge for inbound data transfer
Storage services options

Pay Even Less as AWS Grows
As AWS grows
Focuses on lowering cost of doing business
Passes savings from economies of scale down to you

Custom Pricing
Meet varying needs through custom pricing
Available for high-volume projects with unique
requirements

AWS Free Tier
AWS Free Tier helps customer get started in the cloud
Limitations:
 Up to one year
 Certain services and options
For more details, see: https://www.aws.amazon.com/free

No Extra Charge
AWS services for no additional charge:
Amazon VPC
AWS Elastic Beanstalk
AWS CloudFormation
AWS IAM
Auto Scaling

Summary
Pay only for what you use
Start and stop anytime
No long-term contracts required

Pricing Details

AWS Fundamentals
Pay for AWS fundamentals:
 Compute
 Storage
 Outbound data transfer
No charge:
 Inbound data transfer
Charge for aggregated outbound

Service Pricing for AWS Offerings
Amazon EC2
Amazon S3
Amazon EBS
Amazon RDS
Amazon CloudFront

Amazon EC2
Provide resizable compute capacity in the cloud
Allows the configuration of capacity with minimal friction
Provides complete control
Charges only for capacity used

Amazon EC2: Billing and Instance Configuration
Clock-Second/Hourly Billing
Resources incur charges only when running
Instance Configuration
Physical capacity of the instance
Pricing varies with:
 AWS region
 OS
 Instance Type
 Instance Size

Amazon EC2: Purchase Types
Ways to pay for Amazon EC2 instances
On-demand instances
 Compute capacity by the hour and second
 Minimum of 60 seconds
Reserved Instances
 Low or no up-front payment instances reserved
 Discount on hourly charge for that instance
Spot Instances
 Bid for unused Amazon EC2 capacity

Amazon EC2: Number of Instances and Load
Balancing
Number of Instances
Provision multiple instances to handle peak loads
Load Balancing
Uses Elastic Load Balancing to distribute traffic
Calculates monthly cost based on
 Hours load balancer runs
 Data load balancer processes

Amazon EC2: Monitoring
Use Amazon CloudWatch to monitor instances.
Basic monitoring (default)
Detailed monitoring
 Fixed monthly rate
 Prorated partial months

Amazon EC2
Auto Scaling
Automatically adjusts number of instances
Incurs no additional charge
Elastic IP Addresses
No charge for one Elastic IP address associated with a running
instance.

Amazon EC2: OS and Software
Pricing for operating systems and software packages:
Includes OS prices in instance prices
Partners with other vendors for certain software
Requires licenses from vendors for other software
Brings existing license through specific vendor programs

Amazon S3: Storage Classes
Types of storage classes
Standard Storage
 99.999999999% durability
 99.99% availability
Standard-Infrequent Access (S-IA)
 99.999999999% durability
 99.9% availability

Amazon S3: Storage
Considerations for estimating storage cost
 The number and size of objects
 Type of storage

Amazon S3
Requests:
Pricing based on
Number of requests
Type of requests
 Different rates for GET requests
Data Transfer
Pricing based on the amount of data transferred out of the
Amazon S3 region

Amazon EBS
Block-level storage for instances
EBS volumes persist independently from the instance
Analogous to virtual disks in the cloud
Three volume types:
 General Purpose (SSD)
 Provisioned IOPS (SSD)
 Magnetic

Amazon EBS: Volumes and IOPS
Volumes
All volume types are charged by the amount provisioned per month
IOPS
General Purpose (SSD)
 Included in price
Magnetic
 Charged by the number of requests
Provisioned IOPS (SSD)
 Charged by the amount you provision in IOPS

Amazon EBS: Snapshots and Data Transfer
Snapshots
Added cost of EBS snapshots to Amazon S3 is per GB-month of
data stored
Data Transfer
Inbound data transfer has no charge
Outbound data transfer charges are tiered

Amazon RDS
Relational database in the cloud
Cost-efficient and resizable capacity
Management of time-consuming administrative tasks

Amazon RDS: Clock-Hour Billing and Database
Characteristics
Clock-Hour Billing
Resources incur charges when running
Database Characteristics
Physical capacity of database:
 Engine
 Instance Type
 Instance Size

Amazon RDS: DB Purchase Type and Multiple
DB Instances
DB Purchase Type
On-demand database instances
 By the hour
Reserved database instances
 Up-front payment for database instances reserved
Multiple DB Instances
Provision multiple DB instances to handle peak loads

Amazon RDS: Storage
Provisioned Storage
No charge
 Backup storage of up to 100% of database storage
Charge (GB/month)
 Backup storage for terminated DB instances
Additional Storage
Charge (GB/month)
 Backup storage in addition to provisioned storage

Amazon RDS: Deployment Type and Data
Transfer
Storage and I/O charges vary depending on deployment type
Single Availability Zones
Multiple Availability Zones
Data Transfer
No charge for Inbound data transfer
Tiered charges for outbound data transfer

Amazon CloudFront
Web service for content delivery
Integration with other AWS services
 Low latency
 High data transfer speeds
 No minimum commitments

Amazon CloudFront: Traffic Distribution
Pricing
Vary across geographic regions

Amazon CloudFront: Requests and Data
Transfer Out
Requests
Pricing based on
Number/type of requests
Geographic region
Data Transfer Out
Pricing is based on the amount of data transferred out of
Amazon CloudFront edge locations

Summary
Fundamental characteristics of product
Estimate usage
Map usage to prices

Overview of the Total Cost of
Ownership Calculator

AWS TCO Calculator
Use the TCO calculator to
Estimate cost savings
Use detailed reports
Modify assumptions
Accessing the TCO Calculator:
https://awstcocalculator.com

Summary
Estimate cost savings
Use detailed set of reports
Modify assumptions for business needs

Overview of AWS Support Plans

AWS Support
Provide unique combination of tools/expertise
 AWS Support
 AWS Support Plans

AWS Support
Support is provided for
Experimenting with AWS
Production use of AWS
Business critical use of AWS

AWS Support
Proactive guidance
 Technical Account Manager (TAM)
Best practices
 Trusted Advisor
Account assistance
 AWS Support Concierge

Support Plans
AWS Support offers four support plans:
Basic Support
Developer Support
Business Support
Enterprise Support

Summary
AWS Support
AWS Support Plans
 Basic Support plan
 Developer Support plan
 Business Support plan
 Enterprise Support plan

Knowledge Check
When calculating the cost of Amazon EC2, what factors will
impact pricing? (Choose 2)
Number of items in your inbound data transfer
Number and size of objects stored in your Amazon S3 buckets
Number of instances
Number of seconds and hours Elastic Load Balancer runs

Knowledge Check
What charges apply to data transfer across AWS? (Choose 2)
No charge for inbound data transfer across all Amazon Web Services in
all regions
No charge for outbound data transfer across all Amazon Web Services
in all regions
No charge for inbound data transfer for EC2 instances
No charge for outbound data transfer between Amazon Web Services
within the same region
No charge for inbound data transfer between Amazon Web Services
within the same region

Knowledge Check
As AWS grows, the general cost of doing business is reduced and
savings are passed back to the customer in the form of lower
pricing. What is this cost optimization called?
Economies of scope
Economies of labor
Economies of scale
Economies of cost
Economies of optimization

Knowledge Check
What type of applications are recommended for Amazon EC2
reserved instances?
Applications that are only feasible at lower compute prices
Applications that have flexible start and end times
Applications with steady state or predictable usage
Applications being developed or tested for the first time

Knowledge Check
What are the characteristics of the Developer Support Plan?
(Choose 2)
One primary contact may open a case
Unlimited contacts may open a case
Business hours access to cloud support associates via email
24/7 access to cloud support engineers via email, chat, and phone
Assigned to a Technical Account Manager

Knowledge Check
What is NOT a consideration when estimating the cost of
Amazon S3?
Number and size of objects
Storage class
Requests
Input Output Operations per Second (IOPS)
Data transfer

Knowledge Check
With the “Pay as you go” pricing model, how often do you pay
for compute resources from the time you launch a resource until
you terminate it?
Quarterly
Yearly
Monthly
Daily
Secondly and Hourly

Knowledge Check
What AWS tool compares the cost of running your application in
an on-premise data center to AWS?
Total Cost of Operation (TCO) Calculator
Total Cost of Application (TCA) Calculator
Total Cost of Services (TCS) Calculator
Total Cost of Products (TCP) Calculator
Total Cost of Ownership (TCO) Calculator

Knowledge Check
Which of the following is NOT available in the Business Support
Plan?
Access to Personal Health Dashboard and Health API
Access to cloud support engineers for technical issues
Access to Infrastructure Event Management
Access to third-party software support
Access to Well-Architected review delivered by AWS Solution Architects

With deep expertise on AWS, APN Partners can help your
organization at any stage of your Cloud Adoption Journey.
AWS Managed Service Providers
APN Consulting Partners who are skilled at cloud
infrastructure and application migration, and offer
proactive management of their customer’s environment.
AWS Competency Partners
APN Partners who have demonstrated technical
proficiency and proven customer success in specialized
solution areas.
AWS Service Delivery Partners
APN Partners with a track record of delivering specific
AWS services to customers.
Ready to get started with an APN Partner?
Find a partner: https://aws.amazon.com/partners/find/
AWS Marketplace
A digital catalog with thousands of software listings from
independent software vendors that make it easy to find,
test, buy, and deploy software that runs on AWS.

AWS Cloud Practitioner
Essentials Course Summary

Congratulations
You have completed AWS Cloud Practitioner Essentials

Summary
Section 1: AWS Cloud Concepts
Section 2: AWS Core Services
Section 3: AWS Security
Section 4: AWS Architecting
Section 5: AWS Pricing and Support

Course Feedback

Thank you for participating!
© 2018 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or
in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited.
Corrections or feedback on the course, please email us at: aws-course-feedback@amazon.com. For all other questions, contact us at:
https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.

Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, Training and Certification – Virtual AWSome Day June 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, Training and Certification – Virtual AWSome Day June 2018

Similar to Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, Training and Certification – Virtual AWSome Day June 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, Training and Certification – Virtual AWSome Day June 2018