20180729 JTF2018: Where to use AWS Management Tools
- 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 2018/07/29
Where to use AWS Management Tools
July Tech Festa 2018
- 2.
• Amazon DevOps
• AWS Management Tools
- 3.
• Amazon
• Amazon Management Tools
• AWS Management Tools
• AWS
- 4.
Speaker profile (word cloud): road bike, BBQ & camping, two daughters, dieting, English, Agile, sake, mapo tofu, dan dan noodles, karaage, curry, Kansai dialect, trombone
• Management Tools & DevOps
• JAWS-UG
• qpstudy
AWS / AWS CLI
Twitter: @yktko / Facebook: yukitaka.ohmura
- 5.
Amazon's vision
- 6.
Our Vision:
- 7.
1997
focus relentlessly on our customers
make investment decision in light of long-term market leadership consideration
- 8.
- 9.
amazon is innovating across many domains
Drone Development, Fire OS, Kindle, In-house Entertainment, Grocery Delivery, Video Streaming, Cross Site Shopping, Cloud Computing
- 10.
amazon leadership principles
• customer obsession
• ownership
• invent and simplify
• are right, a lot
• hire and develop the best
• insist on highest standards
• think big
• bias for action
• frugality
• learn & be curious
• earn trust
• dive deep
• have backbone; disagree & commit
• deliver results
- 14.
#1
FAQ #2
#3
Launch,
#4
- 15.
To realize the vision
- 16.
Journey: 1994 (Books…) to 2018 (E-commerce, Kindle, Prime, …)
- 17.
- 18.
[Figure: build → test → release cycle]
- 19.
Microservice
[Figure: a separate build → test → release cycle for each of six microservices]
- 20.
Microservices
HTTP API
- 21.
Amazon: 2001-2009
2001
2009
+
- 22.
Agile
- 23.
"You build it, you run it." (2006)
"The traditional model is that you take your software to the wall that separates development and operations, and throw it over and then forget about it. Not at Amazon. You build it, you run it."
http://queue.acm.org/detail.cfm?id=1142065
- 24.
Amazon
90%
AWS CodePipeline
Pipelines
- 25.
Amazon
AWS CodeDeploy
- 26.
Customer Obsession
1. Microservices
2. Two Pizza Team
3. Continuous Integration / Continuous Deployment
4. Apollo / Pipelines
- 27.
Mechanism
- 28.
"Good intentions don't work. Good mechanisms work to make everything happen." (Jeff Bezos)
- 29.
Amazon
• Customer Obsession
• Mechanisms:
• Two Pizza Team
• Microservices
• Cloud Services
• Leadership Principle
- 30.
Mechanisms
• Two Pizza Team
• Microservices
• End to End Ownership
• Cloud Services
• Leadership Principle
- 31.
Two Pizza Team
Software Development Manager × 1
Software Development Engineer (SDE) × n
- 32.
Two Pizza Team
- 33.
Software Development Engineer
• End-to-End Ownership
- 34.
Software Development Manager
• SDE
• Product Manager
• Wiki
• "Done"
• 1on1
- 35.
Amazon
• Two Pizza
• Two Pizza Team Tools
• Customer
- 36.
AWS
[Chart: number of AWS launches per year] 2008: 24, 2009: 48, 2010: 61, 2011: 82, 2012: 159, 2013: 280, 2014: 516, 2015: 722, 2016: 1,017, 2017: 1,430 (1,300+)
- 37.
Column
- 38.
vs (@ryuzee)
• Infrastructure as Code
• https://slide.meguro.ryuzee.com/slides/75
• DevOps
- 39.
How Amazon uses AWS Management Tools
- 40.
The challenge
Governance: Define, Discover, Monitor, Manage, Report, Respond
Development speed: Agility, Innovation
- 41.
AWS enables you to do both
Governance: Define, Discover, Monitor, Manage, Report, Respond
Development speed: Agility, Innovation
- 42.
AWS Management Tools
AWS CloudFormation
AWS Service Catalog
AWS OpsWorks
AWS Systems Manager
Amazon CloudWatch
AWS CloudTrail
AWS Config
AWS Trusted Advisor
- 43.
https://www.youtube.com/watch?v=IBvsizhKtFk
- 44.
2
Per-team accounts / shared account
Access Control
- 46. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Access Control
Amazon RDS Instance
- 47. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Access Control
Amazon RDS Instance
- 48. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Access Control
Upgrade DB
Engine Version
Amazon RDS Instance
- 49. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Access Control
Amazon RDS Instance
Delete Instance
- 50. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
-
- 51. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
-
- 52. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
1 -
- 53. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
2 -
"Action":[ ”rds:*” ],
"Effect":"Allow",
"Resource":"*",
"Condition":{
"StringEquals":{
”rds:db-tag/team-name":
[”finance"]
}
}
- 54.
- 55.
IAM
• IAM Role
- 56.
IAM - Identity Broker
1. Authenticate + Authorize
2. Assume Role
3. STS Token
4. URL
5. Launch Console
Identity Broker request: I am: Bob Roberts / I want to: Manage-RDS / On: AWS Account 1234367
- 57.
IAM
- 58.
- 59.
ASAP
[Figure: AWS Config and AWS CloudTrail in the AWS Account feed Amazon CloudWatch Events, which publishes to an SNS Topic]
- 60.
ASAP
[Figure: as slide 59, plus an SQS Notification Queue feeding an Event Dispatcher and Rule Evaluators, which describe the state of the AWS Account]
- 61.
ASAP
[Figure: as slide 60, plus Reactors that publish to SNS Topics]
- 62.
AWS Config
• Records resources whose configuration changed
• Detects differences from the configuration baseline
• Notifies the content of changes
[Figure: AWS Config in the AWS Account publishes to an SNS Topic]
- 63.
Amazon CloudWatch Events
• Detects events as they occur
• Not only user-originated events
• Scheduling + custom events
[Figure: Amazon CloudWatch Events in the AWS Account publishes to an SNS Topic]
- 64.
AWS CloudTrail
• Records user and application activity
• Every API call is recorded
• Covers almost all AWS services
• Combine with CloudWatch Events (no crawler needed)
[Figure: AWS CloudTrail in the AWS Account feeds Amazon CloudWatch Events, which publishes to an SNS Topic]
- 65.
ASAP
[Figure: an Amazon RDS Instance in the AWS Account]
- 66.
ASAP
AWS CloudTrail records the API call that created the Amazon RDS Instance:
[{ ...
  "arn:aws:iam::123456789012:user/Mike",
  "eventTime": "2017-11-10T21:22:54Z",
  "eventSource": "rds.amazonaws.com",
  "eventName": "CreateDbInstance",
  "awsRegion": "us-east-2",
  "requestParameters": {
    "dbInstanceId": "mine-all-mine",
    "MultiAZ": "false" }
...
- 67.
ASAP
[Figure: the AWS CloudTrail record of the RDS event is delivered to Amazon CloudWatch Events]
- 68.
ASAP
[Figure: Amazon CloudWatch Events publishes the event to an SNS Topic]
- 69.
ASAP
[Figure: the SNS Topic feeds the ASAP SQS Notification Queue, Event Dispatcher and Rule Evaluators]
- 70.
ASAP
[Figure: the Rule Evaluators hand matches to a Reactor, which publishes to SNS Topics]
- 71.
ASAP
[Figure: the Reactor's SNS Topics produce a Ticket / Notification]
- 72.
ASAP
[Figure: full pipeline: Amazon RDS Instance → AWS CloudTrail → Amazon CloudWatch Events → SNS Topic → SQS Notification Queue → Event Dispatcher → Rule Evaluators → Reactor → SNS Topics → Ticket / Notification]
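The ASAP flow of slides 66 to 72 (CloudTrail record, CloudWatch Events, SNS/SQS, rule evaluators, reactor, ticket) as a small working Python program. This is an added example, not the ASAP tool or any code from this deck. It evaluates constructed CloudTrail-style records shaped like the slide 66 sample (the field names dbInstanceId and MultiAZ follow the slide; real CloudTrail records use dBInstanceIdentifier and a boolean multiAZ, and the API name is CreateDBInstance, so matching is case-insensitive) against three assumed rules and lets the reactor render ticket lines. The rule names, severities, the allowed-region set and the ticket format are this example's own assumptions.

```python
"""ASAP-style rule evaluation over CloudTrail records (added example).

Pipeline modelled: CloudTrail record -> CloudWatch Events -> SNS/SQS ->
rule evaluators -> reactor -> ticket/notification. Rules, severities,
ALLOWED_REGIONS and the ticket format are assumptions for this example.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed policy setting: regions the team is allowed to operate in.
ALLOWED_REGIONS = {"us-east-2"}

# Constructed sample records shaped like the slide 66 sample. Real CloudTrail
# records use "CreateDBInstance", "dBInstanceIdentifier" and a boolean
# "multiAZ"; the code below tolerates the slide's spelling and string values.
SAMPLE_EVENTS = json.loads(r'''
[
 {"userIdentity": {"arn": "arn:aws:iam::123456789012:user/Mike"},
  "eventTime": "2017-11-10T21:22:54Z",
  "eventSource": "rds.amazonaws.com",
  "eventName": "CreateDbInstance",
  "awsRegion": "us-east-2",
  "requestParameters": {"dbInstanceId": "mine-all-mine", "MultiAZ": "false"}},
 {"userIdentity": {"arn": "arn:aws:iam::123456789012:user/Alice"},
  "eventTime": "2017-11-10T22:01:12Z",
  "eventSource": "rds.amazonaws.com",
  "eventName": "CreateDBInstance",
  "awsRegion": "us-east-2",
  "requestParameters": {"dbInstanceId": "payments-prod", "MultiAZ": true}},
 {"userIdentity": {"arn": "arn:aws:iam::123456789012:user/Mike"},
  "eventTime": "2017-11-11T03:15:40Z",
  "eventSource": "rds.amazonaws.com",
  "eventName": "DeleteDBInstance",
  "awsRegion": "eu-west-1",
  "requestParameters": {"dbInstanceId": "payments-prod"}}
]
''')


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    actor: str
    resource: str
    region: str
    event_time: str


# A rule inspects one record and returns a severity, or None for no match.
Rule = Callable[[dict], Optional[str]]


def _is_rds(event: dict, name: str) -> bool:
    return (event.get("eventSource") == "rds.amazonaws.com"
            and event.get("eventName", "").lower() == name.lower())


def rds_create_without_multi_az(event: dict) -> Optional[str]:
    """Single-AZ RDS creation; a missing MultiAZ parameter means single-AZ."""
    if not _is_rds(event, "CreateDBInstance"):
        return None
    multi_az = event.get("requestParameters", {}).get("MultiAZ", False)
    return "medium" if str(multi_az).lower() == "false" else None


def rds_instance_deleted(event: dict) -> Optional[str]:
    """Deleting an RDS instance is always worth a ticket."""
    return "high" if _is_rds(event, "DeleteDBInstance") else None


def region_not_allowed(event: dict) -> Optional[str]:
    """Activity outside the allowed regions, whatever the API call."""
    return "high" if event.get("awsRegion") not in ALLOWED_REGIONS else None


RULES: Dict[str, Rule] = {
    "rds_create_without_multi_az": rds_create_without_multi_az,
    "rds_instance_deleted": rds_instance_deleted,
    "region_not_allowed": region_not_allowed,
}


def evaluate(events: List[dict]) -> List[Finding]:
    """Rule evaluator: run every rule over every record, in order."""
    findings: List[Finding] = []
    for event in events:
        for name, rule in RULES.items():
            severity = rule(event)
            if severity is None:
                continue
            findings.append(Finding(
                rule=name,
                severity=severity,
                actor=event.get("userIdentity", {}).get("arn", "unknown"),
                resource=event.get("requestParameters", {}).get("dbInstanceId", "unknown"),
                region=event.get("awsRegion", "unknown"),
                event_time=event.get("eventTime", "unknown"),
            ))
    return findings


def react(findings: List[Finding]) -> List[str]:
    """Reactor: render each finding as a ticket/notification line."""
    return [f"[{f.severity.upper()}] {f.rule}: {f.resource} in {f.region} "
            f"by {f.actor} at {f.event_time}" for f in findings]


if __name__ == "__main__":
    for line in react(evaluate(SAMPLE_EVENTS)):
        print(line)
```

In a real deployment the records would arrive one at a time from the SQS queue and the reactor would publish to an SNS topic rather than returning strings; keeping the evaluator a pure function of the record is what makes each rule testable offline, which is the property the rule-evaluator stage of the pipeline relies on.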
- 73.
- 74.
Takeaways
• AWS
• ASAP
- 75.
How to use AWS Management Tools
- 76.
Multi-account management
Security automation
- 77.
Lock the AWS root account ("Root Account")
Enable AWS CloudTrail
Define
Federate
Establish InfoSec
Identify
- 78.
AWS services inside the AWS VPC
VPC endpoint for Amazon S3
DNS in-VPC with Amazon Route 53
VPC traffic logging with VPC Flow Logs
- 79.
Multi-account structure
[Figure: account layout]
Core accounts: AWS Organizations account, billing tools, shared services, security, networking, internal audit, logging
BU / product / resource accounts: development, pre-production, production, shared services
Developer accounts: developer, Sandbox
Data center
Notes (partly lost in extraction): Orgs: / AWS Config Rules / DNS / Sandbox:
- 80.
• A pre-configured, secure, scalable multi-account AWS environment based on AWS best practices
• A starting point for brand-new development and experiments
• A starting point for the migration journey to the cloud
• An environment that can be iterated on and extended over time
- 81.
AWS Landing Zone
An easy-to-deploy solution that automates the setup of a new AWS environment
Initial security and governance controls based on AWS best practices and recommendations
Baseline accounts and an account vending machine
Automated deployment
- 82.
AWS Landing Zone
Account Management
• A framework for creating a multi-account environment and securing its baseline
• An initial multi-account configuration including security, audit and the required shared services
• An account vending machine that automates the deployment of additional accounts with a set of security baselines
Identity & Access Management
• User account access management using AWS SSO federation
• Cross-account roles enabling centralized management
Security & Governance
• Multiple accounts enabling separation of duties
• Initial account security and an AWS Config rules baseline
• Network baseline
- 83.
AWS Landing Zone
Organizations account:
• Account provisioning
• Account access (SSO)
Shared services account:
• Active Directory
• Log analysis
Logging account:
• CloudTrail/Config logs
Security account:
• Audit / emergency access
[Figure: Core OU with the AWS Organizations account (AWS Organizations, AWS SSM, AWS Service Catalog, AWS CodePipeline, StackSets, AWS SSO, Account Baseline), the Shared Services account (Network Baseline, Account Baseline, AWS Microsoft AD), the Logging account (Account Baseline, Aggregate CloudTrail and Config Logs, Log Reporting, Amazon S3 bucket (manifest file)) and the Security account (Account Baseline, Security Cross-Account Roles)]
- 84.
Account Vending Machine
[Figure: AWS Service Catalog (Account Vending Machine) → New AWS Account with Network Baseline and Account Baseline; AWS Organizations Core OU with the Security Account (Security Roles), Logging Account (Audit Bucket) and Shared Services Account (Shared Network)]
• Account vending machine (AWS Service Catalog)
• Account creation UI
• Version management of account baselines
• Launch constraints
• Creation/update of AWS accounts
• Application of the account baseline StackSet
• Creation of the network baseline
• Application of account security control policies
- 85.
- 86.
Webinar
aws.amazon.com/answers/aws-landing-zone
- 87.
CI/CD
Configuration management
- 88.
Differences in the managed scope by deployment target
• EC2: OS, M/W, App (user-managed); deploy
• Fargate: container (user-managed); deploy
• Lambda: App (user-managed); deploy
Layers below the user-managed ones are AWS-managed
- 89.
Overview of AWS DevOps-related services
Stages: Code → Build → Test → Deploy → Provision → Monitor
• Code: CodeCommit
• Build / Test: CodeBuild
• Deploy: CodeDeploy
• Provision: CloudFormation, OpsWorks Stacks, OpsWorks for Chef Automate, Elastic Beanstalk
• Monitor: CloudWatch
• Across stages: CodePipeline, AWS Cloud9, AWS CodeStar
- 90.
Scope of EC2 provisioning & deployment
[Figure: coverage of CloudFormation, Elastic Beanstalk*, OpsWorks Stacks** and CodeDeploy over the layers: other services (ELB/SQS/RDS), EC2, OS, M/W, App, deploy]
*) AWS
**) Chef
- 91.
Server operations with AWS Systems Manager
[Figure: Systems Manager (Run Command, Automation, Patch Manager) acting on tagged instances (tag: xxx, tag: yyy) in the AWS cloud and in the data center, each running the SSM Agent, CloudWatch Agent and Inspector Agent under an IAM Role; invoked from Lambda, Step Functions and the AWS CLI; driven by AWS Config and CloudWatch Events; output to S3, CloudWatch Logs, SNS, CloudWatch & Inspector; analysed with Athena & QuickSight, CFn, CLI, Lambda, ECS]
- 92.
AWS container services and CI/CD
[Figure: Developer → CI/CD pipeline (AWS CodePipeline: Source = AWS CodeCommit, Build = AWS CodeBuild, Deploy) → Registry → control plane / data plane on Amazon EC2; backing services: Amazon RDS, Amazon S3]
- 93.
CI/CD for Serverless Applications
SAM CLI + SAM & CloudFormation + CodeDeploy
SAM+CFn
CodeDeploy
SAM CLI: https://github.com/awslabs/aws-sam-cli
- 94.
References
• AWS BlackBelt Online Seminar - AWS Systems Manager
• https://www.slideshare.net/AmazonWebServicesJapan/20180723-aws-black-belt-online-seminar-aws-systems-manager
• AWS BlackBelt Online Seminar - Amazon Container Services
• https://www.slideshare.net/AmazonWebServicesJapan/20180214-aws-black-belt-online-seminar-amazon-container-services
• AWS Well-Architected (AWS best practices)
• https://aws.amazon.com/jp/blogs/news/aws-black-belt-online-seminar-well-architected-framework-cost/
• AWS Summit Tokyo 2018 materials
• https://summitregist.smktg.jp/public/application/add/59
• AWS BlackBelt (online seminar) past materials
• https://aws.amazon.com/jp/aws-jp-introduction/
• AWS official documentation
• https://aws.amazon.com/jp/documentation/
• AWS sample code
• https://github.com/aws-samples
• Official tools provided by AWS
• https://github.com/awslabs/
- 95.
Summary
• How Amazon builds and delivers services
• How Amazon uses Management Tools
• How to use the Management Tools that AWS provides
- 96.
Join Us!
https://aws.amazon.com/jp/careers/
- 97.
Thank you