AWSome Day 2019 - Mexico City
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWSOME DAY
Session Outline
Course Overview
AWS Cloud Concepts
AWS Technology
AWS Security
AWS Architecting
AWS Pricing and Support
Hernan Garcia / Technical Trainer
@hernangarcia
Introduction to the AWS Cloud
Cloud Computing
• On-demand delivery of IT resources and applications via the internet with pay-as-you-go pricing
Benefits of AWS Cloud Computing
• Trade capital expense for variable expense.
• Benefit from massive economies of scale.
• Stop guessing capacity.
• Go global in minutes.
• Increase speed and agility.
• Stop spending money on running and maintaining data centers.
AWS Cloud Computing
Infrastructure: Regions, Availability Zones, Edge locations
Foundation Services:
• Compute (Virtual, Auto Scaling, and load balancing)
• Networking
• Storage (Object, block, and archive)
• Databases: Relational, NoSQL, Caching
Platform Services:
• Analytics: Cluster Computing, Real-time, Data Warehouse, Data Workflows
• App Services: Queuing, Orchestration, App Streaming, Transcoding, Email, Search
• Deployment and Management: Containers, DevOps Tools, Resource Templates, Usage Tracking, Monitoring and Logs
• Mobile Services: Identity, Sync, Mobile Analytics, Notifications
Applications: Virtual Desktops, Collaboration and Sharing
Services At The Edge
Amazon Route 53
Amazon CloudFront
AWS WAF
AWS Shield
AWS Lambda@Edge
AWS Global Accelerator
Compute Services
AWS
• Flexible
• Cost effective
Amazon Lightsail
• Launch virtual private server
• Manage simple web and application servers
Amazon EC2
• Flexible configuration and control
Compute Services
Amazon ECS, Amazon EKS, AWS Fargate
• Managed containers
• Highly scalable, high performance
AWS Lambda
• Pay only for what you use
• No administration
What is Amazon EC2?
Elastic Compute Cloud
• Application Server
• Web Server
• Database Server
• Game Server
• Mail Server
• Media Server
• Catalog Server
• File Server
• Computing Server
• Proxy Server
What is an Amazon Machine Image (AMI)?
Provides the information required to launch an instance:
• Root volume template
• Block device mapping
• Launch permissions
Choosing an AMI
AWS Quick Start / AWS Marketplace
Right Compute For The Right Application
Amazon EC2 Instances
175 instance types for virtually every workload and business need
Amazon EC2 Instances
Capabilities:
• Choice of processor
• Fast processors
• High memory footprint (up to 64 TiB)
• Instance storage (HDD and NVMe)
• Networking (up to 100 Gbps)
• Accelerated computing (GPUs and FPGA)
• Bare Metal
Families:
• General purpose
• Compute intensive
• Memory intensive
• Burstable
• Storage (High I/O)
• Dense storage
• GPU compute
• Graphics intensive
175 instance types for virtually every workload and business need
Instance Types
Families | Description | Example Use Cases
t3, m5, m4 | General Purpose: balanced performance | Websites, web applications, Dev, code repos, microservices, business apps
c4, c5, cc2 | Compute Optimized: high CPU performance | Front-end fleets, web servers, batch processing, distributed analytics, science and engineering apps, ad serving, MMO gaming, video encoding
g2, p2 | GPU Optimized: high-end GPU | Amazon AppStream 2.0, video encoding, machine learning, high performance databases, science
r3, r4, x1, cr1 | Memory Optimized: large RAM footprint | In-memory databases, data mining
d2, i2, i3, hi1, hs1 | Storage Optimized: high I/O, high density | NAS, data warehousing, NoSQL
How Much Do You Need?
C5: Compute Optimized Instances
• Based on 3.0 GHz Intel Xeon Scalable Processors (Skylake)
• Up to 72 vCPUs and 144 GiB of memory
• 25 Gbps network bandwidth
• Support for Intel AVX-512
• 25% price/performance improvement over C4
“We saw significant performance improvement on Amazon EC2 C5, with up to a 140% performance improvement in industry standard CPU benchmarks over C4.”
Demo time!

Let’s take a break
EBS: Built For Dynamic Workloads
Amazon S3
Features
• Fully managed cloud storage service
• Rich security controls
• Designed for 99.999999999% durability and 99.99% availability of objects over a given year
Functionality
• Store virtually unlimited number of objects
• Access any time, from anywhere
Amazon S3 Use Cases
Let’s build a web site/application
Automatically scalable
Automatically elastic
Highly available
Fault tolerant
Demo time!
VPC
VPC 10.0.0.0/16 in an AWS Region (AWS Cloud), with a Router
Availability zone 1:
• Public subnet 10.0.1.0/24: Web servers
• Private subnet 10.0.2.0/24: App servers
Availability zone 2:
• Public subnet 10.0.3.0/24: Web servers
• Private subnet 10.0.4.0/24: App servers
Route table for the public subnets (Internet Gateway to the Internet):
Destination | Target
10.0.0.0/16 | local
0.0.0.0/0 | igw_id
Route table for the private subnets (a NAT GW in each public subnet):
Destination | Target
10.0.0.0/16 | local
0.0.0.0/0 | ngw_id
Corporate data center connected through a VPN GW
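The route tables on the slide decide where each subnet's traffic goes. The following is an added example, not part of the AWSome Day deck, that models those tables in Python and applies the longest-prefix-match rule a VPC router uses; the subnets and entries are copied from the slide, and igw_id and ngw_id are the slide's placeholder targets, not real resource ids.

```python
"""Route lookup over the VPC route tables drawn on the slide (added example)."""
import ipaddress

# Route table attached to the public subnets (slide: 0.0.0.0/0 -> igw_id).
PUBLIC_ROUTES = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw_id")]
# Route table attached to the private subnets (slide: 0.0.0.0/0 -> ngw_id).
PRIVATE_ROUTES = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "ngw_id")]

# subnet CIDR -> (route table, tier, availability zone), as drawn on the slide
SUBNETS = {
    "10.0.1.0/24": (PUBLIC_ROUTES, "web", "az1"),
    "10.0.2.0/24": (PRIVATE_ROUTES, "app", "az1"),
    "10.0.3.0/24": (PUBLIC_ROUTES, "web", "az2"),
    "10.0.4.0/24": (PRIVATE_ROUTES, "app", "az2"),
}


def lookup(routes, dst_ip):
    """Pick the route a VPC router would use: the most specific (longest
    prefix) entry containing dst_ip, independent of the order of entries."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def subnet_of(ip):
    """Return the CIDR of the slide subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in SUBNETS:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


def next_hop(src_ip, dst_ip):
    """Target used for traffic leaving src_ip towards dst_ip."""
    routes = SUBNETS[subnet_of(src_ip)][0]
    return lookup(routes, dst_ip)


def internet_facing_subnets():
    """Subnets whose route table sends 0.0.0.0/0 to an internet gateway.
    That, not the word 'public' in a name, is what makes a subnet public:
    only instances here can receive unsolicited traffic from the internet
    (a NAT gateway forwards outbound flows and their replies only)."""
    return sorted(cidr for cidr, (routes, _, _) in SUBNETS.items()
                  if any(target.startswith("igw") for _, target in routes))


if __name__ == "__main__":
    print("app -> app (other AZ):", next_hop("10.0.2.10", "10.0.4.10"))
    print("app -> internet:", next_hop("10.0.2.10", "93.184.216.34"))
    print("web -> internet:", next_hop("10.0.1.10", "93.184.216.34"))
    print("internet-facing:", internet_facing_subnets())
```

The last function is the check worth automating in an account review: a subnet is public because its route table points 0.0.0.0/0 at an internet gateway, whatever its name says, and the private subnets reach the internet only through the NAT gateway, which carries outbound flows and their replies but no unsolicited inbound connections.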
AWS VPC Security Groups Chain
Web Tier security group: www servers accept http/https from the internet
Application Tier security group: app servers accept api traffic from the www servers
Database Tier security group: db servers accept db traffic from the app servers
All three tiers accept ssh/rdp from the Corporate Admin Network
(all other ports are blocked)
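A security group rule can name another security group as its source, which is what makes the chain on the slide work: the database tier admits the application tier's members, not an address range. The block below is an added example, not the deck's code, that models the three tiers as default-deny inbound rule sets and evaluates flows against them; the api port 8080, the db port 3306 and the corporate admin network 10.10.0.0/16 are assumptions.

```python
"""Evaluating the three-tier security group chain from the slide (added example)."""
import ipaddress

CORPORATE_ADMIN_NET = "10.10.0.0/16"  # assumption: the admin network's range

# Inbound rules per group: (from_port, to_port, source), where source is a CIDR
# or the name of another security group. Groups are default-deny inbound and
# stateful, so return traffic of an admitted flow needs no rule of its own.
SECURITY_GROUPS = {
    "web-tier": [
        (80, 80, "0.0.0.0/0"),              # http from the internet
        (443, 443, "0.0.0.0/0"),            # https from the internet
        (22, 22, CORPORATE_ADMIN_NET),      # ssh from corporate admins
        (3389, 3389, CORPORATE_ADMIN_NET),  # rdp from corporate admins
    ],
    "app-tier": [
        (8080, 8080, "web-tier"),           # api, only from web-tier members
        (22, 22, CORPORATE_ADMIN_NET),
        (3389, 3389, CORPORATE_ADMIN_NET),
    ],
    "db-tier": [
        (3306, 3306, "app-tier"),           # db, only from app-tier members
        (22, 22, CORPORATE_ADMIN_NET),
        (3389, 3389, CORPORATE_ADMIN_NET),
    ],
}


def _source_matches(source, src_ip, src_groups):
    """A group-name source matches on membership; a CIDR source on address."""
    if source in SECURITY_GROUPS:
        return source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)


def inbound_allowed(dst_group, port, src_ip, src_groups=()):
    """True if any rule of dst_group admits TCP traffic on port from a sender
    with address src_ip and (optionally) membership in src_groups."""
    for lo, hi, source in SECURITY_GROUPS[dst_group]:
        if lo <= port <= hi and _source_matches(source, src_ip, src_groups):
            return True
    return False


def audit_open_to_world(groups=SECURITY_GROUPS):
    """(group, from_port, to_port) for every rule open to 0.0.0.0/0: the set
    a reviewer (or the Trusted Advisor security-group check) looks at first."""
    return [(name, lo, hi) for name, rules in groups.items()
            for lo, hi, source in rules if source == "0.0.0.0/0"]


if __name__ == "__main__":
    print("internet -> web:443", inbound_allowed("web-tier", 443, "203.0.113.7"))
    print("internet -> app:8080", inbound_allowed("app-tier", 8080, "203.0.113.7"))
    print("web -> db:3306", inbound_allowed("db-tier", 3306, "10.0.1.20", ("web-tier",)))
    print("open to world:", audit_open_to_world())
```

Two properties of the chain fall out of the model: an internet client cannot reach the app or db tier on any port, and a web server that is compromised still cannot open a database connection, because the db rule names the app tier's group rather than the web subnet's address range.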
Let’s take a break
Introduction to ELB
Elastic Load Balancing Products
Application Load Balancer (ALB)
• Flexible application management
• Advanced load balancing of HTTP and HTTPS traffic
• Operates at the request level (Layer 7)
Network Load Balancer (NLB)
• Extreme performance and static IP for your application
• Load balancing of TCP traffic
• Operates at the connection level (Layer 4)
Classic Load Balancer (CLB), previous generation, for HTTP, HTTPS, and TCP
• Existing application that was built within the EC2-Classic network
• Operates at both the request level and connection level
Application Load Balancer Use Cases
What Is Auto Scaling?
Dynamically react to changing demand, optimize cost
Adjust Capacity With Auto Scaling
Auto Scaling and Predictive Scaling
Monitoring Resource Performance
Amazon CloudWatch to monitor performance
Auto Scaling to add or remove EC2 instances
CloudWatch Alarm for Auto Scaling
Scaling Out and Scaling In
Elastic Load Balancing in front of an Auto Scaling group, shown in three states:
• Base Configuration
• Scaling Out: Launch Instances
• Scaling In: Terminate Instances
Auto Scaling Components
Launch Configuration
Auto Scaling groups
Auto Scaling Policy
Auto Scaling Components
Launch Configuration: What will be scaled?
Launch settings
• AMI
• Instance type
• Security groups
• Roles
Auto Scaling Components
Auto Scaling Group: Where will it take place?
Deployment settings
• VPC and subnets
• Load balancer
• Minimum instances
• Maximum instances
• Desired capacity
Auto Scaling Components
Auto Scaling Policy: When will it take place?
Policy settings
• Scheduled
• On-demand
• Scale-out policy
• Scale-in policy
Dynamic Auto Scaling
CloudWatch measures latency and utilization for the Auto Scaling group behind Elastic Load Balancing; when an alarm fires, Auto Scaling executes the AS policy.
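As an added example that is not from the deck, the following simulates the loop the slide draws: CloudWatch-style utilization samples drive a scale-out and a scale-in policy, bounded by the group's minimum, maximum and desired capacity and by a cooldown after each action. The thresholds, period counts and samples are assumptions chosen for the example.

```python
"""Period-by-period simulation of dynamic Auto Scaling (added example)."""
from dataclasses import dataclass


@dataclass
class AutoScalingGroup:
    """The three deployment settings from the slide that bound scaling."""
    min_size: int
    max_size: int
    desired: int


# Assumed policy settings (not from the deck): scale out by one instance when
# average CPU is >= 70% for 2 consecutive periods, scale in by one when it is
# <= 30% for 3 consecutive periods, and wait 2 periods after any action.
SCALE_OUT_THRESHOLD = 70
SCALE_IN_THRESHOLD = 30
SCALE_OUT_PERIODS = 2
SCALE_IN_PERIODS = 3
COOLDOWN_PERIODS = 2

# Constructed CloudWatch-style average CPU samples, one per evaluation period.
SAMPLE_CPU = [50, 75, 80, 85, 90, 60, 20, 25, 20, 25, 20, 20]


def simulate(samples, group):
    """Apply the scale-out / scale-in policies period by period and return the
    desired capacity after each period. The group is updated in place."""
    history = []
    above = below = cooldown = 0
    for cpu in samples:
        # CloudWatch alarms count consecutive breaching periods
        above = above + 1 if cpu >= SCALE_OUT_THRESHOLD else 0
        below = below + 1 if cpu <= SCALE_IN_THRESHOLD else 0
        if cooldown > 0:
            # the alarm keeps evaluating, but no action fires during cooldown
            cooldown -= 1
        elif above >= SCALE_OUT_PERIODS and group.desired < group.max_size:
            group.desired += 1          # launch one instance
            above, cooldown = 0, COOLDOWN_PERIODS
        elif below >= SCALE_IN_PERIODS and group.desired > group.min_size:
            group.desired -= 1          # terminate one instance
            below, cooldown = 0, COOLDOWN_PERIODS
        history.append(group.desired)
    return history


if __name__ == "__main__":
    group = AutoScalingGroup(min_size=1, max_size=4, desired=2)
    for cpu, desired in zip(SAMPLE_CPU, simulate(SAMPLE_CPU, group)):
        print(f"cpu={cpu:3d}%  desired={desired}")
```

Running it shows the shape of the policy rather than just its settings: the group grows to 3 during the load burst, stays there through the cooldown even though the alarm is still breaching, and only shrinks after three consecutive quiet periods, never below the minimum.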
Amazon RDS
Managed service that sets up and operates a relational database in the Cloud
Users → Application servers → Amazon RDS (in the AWS Cloud)
Amazon RDS DB Instances
DB Instance Class
• CPU
• Memory
• Network Performance
DB Instance Storage
• Magnetic
• General Purpose (SSD)
• Provisioned IOPS
DB Engines run on the RDS DB master instance (M)
Amazon RDS
Customer manages:
• Application Optimization
• Database schema
• Data
AWS manages:
• OS installation and patches
• Database software installation and patches
• Database backups
• High availability
• Scaling
• Power, rack and stack
• Server maintenance
Amazon RDS In a Virtual Private Cloud
Users reach the App on an Amazon EC2 instance in a public subnet through the internet gateway; the RDS DB instance (M) sits in a private subnet of the same VPC, both in Availability Zone 1.
High Availability with Multi-AZ
The RDS DB instance (M) in a private subnet of Availability Zone 1 replicates SYNCHRONOUSLY to an RDS DB standby instance (S) in a private subnet of Availability Zone 2; the App on an Amazon EC2 instance in the public subnet of the VPC talks to the primary.
High Availability with Multi-AZ: FAILOVER
When the RDS DB instance (M) in Availability Zone 1 fails, the standby instance (S) in Availability Zone 2 takes over, and the App on the Amazon EC2 instance in the public subnet continues to use RDS.
Amazon RDS Read Replicas
Features
• Asynchronous replication
• Promote to master if necessary
Functionality
• Read-heavy database workloads
• Offload read queries
The App on an Amazon EC2 instance in the public subnet writes to the RDS DB instance (M) in a private subnet of Availability Zone 1 and reads from the RDS DB read replica instance (R).
What Is Amazon DynamoDB?
NoSQL database tables
Virtually unlimited storage
Items may have differing attributes
Low-latency queries
Scalable read/write throughput
Common Use Cases
Web
Mobile apps
Internet of Things
Ad tech
Gaming
Items in a Table Must Have a Key
Let’s take a break
Introduction to AWS Security
Security is of the utmost importance to AWS.
Approach to security
AWS environment controls
AWS offerings and features
Shared Responsibility Model
AWS is responsible for the security OF the cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for security IN the cloud:
• Customer Applications & Content
• Platform, Applications, Identity, and Access Management
• Operating System, Network, and Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
Security of the Cloud
• Protection of the AWS global infrastructure is top priority
• Availability of third-party reports
Covers the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
Security in the Cloud
The customer decides:
• What to store
• Which AWS services
• In what location
• In what content format and structure
• Who has access
Customer responsibilities:
• Customer Applications & Content
• Platform, Applications, Identity, and Access Management
• Operating System, Network, and Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
Assurance Programs
AWS Security Solutions
Identity:
• AWS Identity and Access Management (IAM)
• AWS Organizations
• Amazon Cognito
• AWS Directory Service
• AWS Single Sign-On
Detective control:
• AWS CloudTrail
• AWS Config
• Amazon CloudWatch
• Amazon GuardDuty
• Amazon Virtual Private Cloud (Amazon VPC) flow logs
• Amazon EC2 Systems Manager
Infrastructure security:
• AWS Shield
• AWS WAF
• Amazon Inspector
• Amazon Virtual Private Cloud (VPC)
Data protection:
• AWS Key Management Service (AWS KMS)
• AWS CloudHSM
• Amazon Macie
• AWS Certificate Manager (ACM)
• Server side encryption
• AWS Secrets Manager
Incident response:
• AWS Config rules
• AWS Lambda
• Amazon EC2 Systems Manager
AWS IAM
Create users and groups
Grant permissions
User Group Permissions Role
AWS Account Root User
The account root user has complete access to all AWS Services.
AWS Account Root User
Recommendations
1. Delete root user access keys.
2. Create an IAM user.
3. Grant administrator access.
4. Use IAM credentials to interact with AWS.
AWS IAM
Control access to AWS resources
• Authentication
• Authorization
Controls access to services such as:
• Compute
• Storage
• Database
• Application services
AWS IAM: Authentication
Management console access
• Uses AWS account name and password
• MFA prompts for code
Programmatic access
• Enables access key ID and secret access key
AWS IAM Authentication
An IAM User authenticates to the AWS Management Console with:
• User Name and Password
AWS IAM Authentication
An IAM User authenticates to the AWS CLI or SDK API with:
• Access Key and Secret Key
Access Key ID: AKIAIOSFODNN7EXAMPLE
Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Used by the AWS CLI and the AWS SDK & API (Java, Python, .NET)
AWS IAM Authorization
Policies:
• Are JSON documents to describe permissions.
• Are assigned to IAM Users, IAM Groups or IAM Roles.
AWS IAM Policy Elements
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1453690971587",
      "Action": [
        "ec2:Describe*",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "54.64.34.65/32"
        }
      }
    },
    {
      "Sid": "Stmt1453690998327",
      "Action": [
        "s3:GetObject*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::example_bucket/*"
    }
  ]
}
IAM Policy
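How IAM turns that document into a decision is easier to see with a small evaluator. The block below is an added example, not AWS's evaluation engine: it models only the elements the slide's policy uses (Action with wildcards, Resource, Effect, and the IpAddress condition on aws:SourceIp) and applies the documented order for one identity-based policy: an explicit Deny wins, otherwise a matching Allow grants access, otherwise the request is implicitly denied. The policy text is the slide's; the EC2 instance ARN in the usage lines uses the placeholder account id 123456789012.

```python
"""Simplified model of IAM's evaluation of the policy on the slide (added example)."""
import fnmatch
import ipaddress
import json

# The policy from the slide, kept as the JSON document IAM actually stores.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1453690971587",
      "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {"IpAddress": {"aws:SourceIp": "54.64.34.65/32"}}
    },
    {
      "Sid": "Stmt1453690998327",
      "Action": ["s3:GetObject*"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::example_bucket/*"
    }
  ]
}
""")


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: * is any run of characters, ? a single character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a key missing from the request
    context fails the condition, which is why the EC2 statement on the slide
    grants nothing unless the caller's source IP is known and matches."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            if operator == "IpAddress":
                addr = ipaddress.ip_address(context[key])
                if not any(addr in ipaddress.ip_network(c) for c in _as_list(expected)):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator}")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"          # default: nothing is permitted
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"      # a matching Deny overrides any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # placeholder account id, constructed instance id
    ec2_arn = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"
    print(evaluate(POLICY, "ec2:StartInstances", ec2_arn, {"aws:SourceIp": "54.64.34.65"}))
    print(evaluate(POLICY, "ec2:StartInstances", ec2_arn, {"aws:SourceIp": "203.0.113.5"}))
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::example_bucket/report.csv"))
```

The two statements behave differently for a reason the JSON alone does not make obvious: the EC2 permissions apply to every instance (Resource "*") but only from one source address, while the S3 permission has no condition but is scoped to objects in one bucket. Reading the slide's policy that way is the habit the evaluator is meant to build.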
AWS IAM Policy Assignment
An IAM Policy is assigned to an IAM User or to an IAM Group.
AWS IAM Policy Assignment
An IAM Policy is assigned to an IAM User, an IAM Group, or an IAM Role.
AWS IAM Roles
An IAM role uses a policy.
An IAM role has no associated credentials.
IAM users, applications, and services may assume IAM roles.
IAM Roles
AWS IAM Policy Assignment
An IAM Policy is assigned to an IAM User, an IAM Group, or an IAM Role; an IAM User assumes the role, and the role's policy governs access to AWS Resources.
Example: Application Access to AWS Resources
A Python application hosted on an Amazon EC2 instance needs to interact with Amazon S3.
AWS credentials are required:
• Option 1: Store AWS Credentials on the Amazon EC2 instance.
• Option 2: Securely distribute AWS credentials to AWS Services and Applications (IAM Roles).
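Option 1 is the case a reviewer wants to be able to find. The following is an added example, not the deck's code, that scans source or configuration text for long-lived access key ids and secret access keys; the two snippets are constructed to show Option 1 next to Option 2, and the key pair in them is the example pair printed on the authentication slide (AWS's documented placeholder values).

```python
"""Finding long-lived AWS credentials checked into code or config (added example)."""
import re

# Access key ids have a fixed shape: AKIA = long-lived IAM user key,
# ASIA = temporary STS key, followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret access key is 40 base64-like characters; it is only reported when
# assigned to a secret-looking name, which keeps false positives low.
SECRET_RE = re.compile(
    r"(?i)(aws_?secret(?:_access)?_key|secret[_-]?key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

OPTION1_CONFIG = """# constructed: credentials stored on the instance
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

OPTION2_CONFIG = """# constructed: instance profile role; the SDK fetches the role's
# credentials from the EC2 metadata service, nothing is stored in the code
import boto3
s3 = boto3.client("s3")
"""


def scan_text(text, source="<input>"):
    """Return (source, line number, kind, value) for every credential found.
    Secret keys are reported by prefix only, so the report itself is not a leak."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            kind = "long-lived IAM user key" if m.group(1) == "AKIA" else "temporary STS key"
            findings.append((source, lineno, kind, m.group(0)))
        for m in SECRET_RE.finditer(line):
            findings.append((source, lineno, "secret access key", m.group(2)[:4] + "..."))
    return findings


def scan_files(paths):
    """Scan files on disk with the same rules (a repository, or an instance's
    home directories and application config)."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


if __name__ == "__main__":
    for finding in scan_text(OPTION1_CONFIG, "option1.py"):
        print(*finding)
    print("option 2 findings:", scan_text(OPTION2_CONFIG, "option2.py"))
```

The ASIA prefix is reported separately on purpose: a temporary key in a file is still worth a look, but it expires on its own, whereas an AKIA key keeps working until someone deactivates it, which is the "rotate credentials regularly" and "remove unnecessary credentials" point in the best practices that follow.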
AWS IAM Roles - Instance Profiles
1. Create an Amazon EC2 instance.
2. Select an IAM Role for it.
3. The application obtains the role's credentials from the EC2 MetaData Service: http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename
4. The application interacts with Amazon S3.
AWS IAM Roles – Assume Role
In AWS Account A, IAM User A-1 is assigned an IAM Restricted Policy (1), and an IAM Admin Role is assigned an IAM Admin Policy. User A-1 assumes the Admin Role (2) and accesses Amazon S3 through it (3). IAM User B-1 in AWS Account B assumes the same role across accounts (4) and accesses Amazon S3 (5).
IAM Best Practices
Roles
• Use roles for applications
• Use roles instead of sharing credentials
Credentials
• Rotate credentials regularly
• Remove unnecessary users and credentials
• Use policy conditions for extra security
• Monitor activity in your AWS account
Monitoring and Logging
Tools and features to reduce your risk profile:
• Deep visibility into API calls
• Log aggregation and options
• Alert notifications
AWS CloudTrail
• Records AWS API calls for accounts.
• Delivers log files with information to an Amazon S3 bucket.
• Captures calls made using the AWS Management Console, AWS SDKs, AWS CLI and higher-level AWS services.
AWS CloudTrail → Logs → Amazon S3 Bucket
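The root-user recommendations earlier in the deck and the "Monitor activity in your AWS account" best practice both come down to reading these log files. The following is an added example, not the deck's code, that parses a CloudTrail-shaped JSON document and flags root-user activity, console logins without MFA, API calls from outside an assumed set of administration networks, and attempts to stop the trail. The records, user names and addresses are constructed, and the account id 123456789012 is a placeholder.

```python
"""Detections over CloudTrail records delivered to S3 (added example)."""
import ipaddress
import json

# Assumption: the networks the account is normally administered from.
ALLOWED_SOURCE_NETS = ["54.64.34.65/32", "10.10.0.0/16"]

# Events that reduce CloudTrail coverage and deserve an immediate alert.
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}

# Constructed log file in the shape CloudTrail writes: {"Records": [...]}.
SAMPLE_LOG = json.loads("""
{"Records": [
  {"eventTime": "2019-05-20T14:02:11Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "StartInstances", "sourceIPAddress": "54.64.34.65",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
  {"eventTime": "2019-05-20T22:41:05Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
   "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
   "additionalEventData": {"MFAUsed": "No"},
   "responseElements": {"ConsoleLogin": "Success"}},
  {"eventTime": "2019-05-20T22:44:19Z", "eventSource": "cloudtrail.amazonaws.com",
   "eventName": "StopLogging", "sourceIPAddress": "10.10.3.4",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
  {"eventTime": "2019-05-20T22:50:00Z", "eventSource": "sts.amazonaws.com",
   "eventName": "AssumeRole", "sourceIPAddress": "ec2.amazonaws.com",
   "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}}
]}
""")


def detect(records, allowed_nets=ALLOWED_SOURCE_NETS):
    """Return (rule, eventName, detail) triples, one per rule a record trips."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        who = ident.get("arn", ident.get("type", "unknown"))
        name = rec.get("eventName", "")
        # The deck's first root-user recommendation is to stop using it at
        # all, so any root activity is a finding by itself.
        if ident.get("type") == "Root":
            findings.append(("root-activity", name, who))
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console-login-without-mfa", name, who))
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING_EVENTS:
            findings.append(("trail-tampering", name, who))
        try:
            addr = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
        except ValueError:
            continue  # calls made by AWS services carry a DNS name here, not an IP
        if not any(addr in n for n in nets):
            findings.append(("unexpected-source-ip", name, str(addr)))
    return findings


if __name__ == "__main__":
    for rule, event, detail in detect(SAMPLE_LOG["Records"]):
        print(f"{rule:28s} {event:16s} {detail}")
```

The sample is small but shows why the rules are kept separate: the root console login trips three of them at once (root activity, no MFA, unfamiliar source address), which is exactly the combination that should page someone, while the StopLogging call from an otherwise trusted network is caught only by the tampering rule.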
117. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Trusted Advisor
Best practice and recommendation engine.
Provides AWS customers with performance and security recommendations in four categories:
• Cost optimization
• Security
• Fault tolerance
• Performance improvement
118. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Trusted Advisor (Security)
Security groups
AWS IAM use
Amazon S3 bucket permissions
MFA on Root Account
AWS IAM password policy
Amazon RDS security group access risk
119. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon GuardDuty
Managed threat detection
Continuously monitors for malicious or unauthorized behavior
Intelligent threat detection and actionable alerts
120. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What Can Amazon GuardDuty Detect
• Known malicious IP
• (Potentially) unusual ports
• DNS exfiltration
• RDP brute force
• Unusual traffic volume
• Connect to blacklisted site
• (Potentially) recon
• Anonymizing proxy
• Temporary credentials used off-instance
• Unusual ISP caller
• Bitcoin activity
• Unusual instance launch
Figure: example sequence of findings across one incident: RDP brute force, RAT installed, exfiltrate temporary IAM credentials over DNS, probe the API with the temporary credentials, attempt to compromise the account.
121. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Macie
Understand your data: Natural Language Processing (NLP)
Understand data access: Predictive User Behavior Analytics (UBA)
122. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Macie – User Behavioral Analysis
0. Feature extraction from event data
1. Map into user time-series
2. Cluster peer groups
3. Predict user activity. Update models.
4. Identify anomalies.
5. Attempt to explain statistically.
6. Alert and narrative explanation created
123. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Account Teams
Are first point of contact
Guide deployment
Point toward the right resources to resolve security issues
124. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Enterprise Support*
15-minute response time
24/7, by phone, chat, or email
Dedicated Technical Account Manager
*for details, see:
https://aws.amazon.com/premiumsupport/enterprise-support/
125. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Support Plans
AWS Support offers four support plans:
Basic Support
Developer Support
Business Support
Enterprise Support
126. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Professional Services and AWS Partner Network
APN has hundreds of certified AWS Consulting Partners worldwide
• Help develop security policies
• Help meet compliance requirements
127. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Marketplace
Qualified partners market and sell software to AWS customers
Online software store for software that can run on AWS
129. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Pricing Model
Pay-as-you-go
Pay less when you reserve
Pay even less per unit by using more
Pay even less as AWS grows
130. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
No Extra Charge
AWS services for no additional charge:
Amazon VPC
AWS Elastic Beanstalk
AWS CloudFormation
AWS IAM
Auto Scaling
131. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Free Tier
AWS Free Tier helps customers get started in the cloud
Limitations:
• Up to one year
• Certain services and options
For more details, see: http://www.aws.amazon.com/free
132. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Custom Pricing
Meet varying needs through custom pricing
Available for high-volume projects with unique requirements
133. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EC2 Purchasing Options
On-Demand Instances: Pay by the hour.
Reserved Instances: Purchase, at a significant discount, instances that are always available. 1-year to 3-year terms.
Scheduled Instances: Purchase instances that are always available on the specified recurring schedule, for a one-year term.
Spot Instances: Bid on unused instances, which can run as long as they are available and your bid is above the Spot price.
Dedicated Hosts: Pay for a physical host that is fully dedicated to running your instances.
Dedicated Instances: Pay, by the hour, for instances that run on single-tenant hardware.
134. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3
Storage: pricing based on the number and size of objects
Requests: pricing based on the number and type of requests
• Different rates for GET requests
Data Transfer: pricing based on the amount of data transferred out of the Amazon S3 region
135. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS: Volumes and IOPS
Volumes
All volume types are charged by the amount provisioned per month
IOPS
General Purpose (SSD) and Magnetic
• Included in price
Provisioned IOPS (SSD)
• Charged by the amount you provision in IOPS
136. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon RDS: Clock-Hour Billing and Database Characteristics
Clock-Hour Billing
Resources incur charges when running
Database Characteristics
Physical capacity of database:
• Engine
• Instance Type
• Instance Size
137. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Simple Monthly Calculator
Estimate the cost of running your application or solution in the AWS cloud based on usage.
https://calculator.aws
139. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Total Cost of Ownership (TCO) Calculator
• Estimate cost savings when using AWS
• Use a detailed set of reports that can be used in executive presentations
• Modify assumptions that best meet your business needs
1. Describe your infrastructure in four steps, or enter detailed configurations
2. Get an instant summary report
3. Download a full report including detailed cost breakdowns
140. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWSOME DAY
142. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The Beauty of Serverless
143. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Want to know more?
https://aws.training
144. Thank you!
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWSOME DAY
Hernan Garcia / Technical Trainer
@hernangarcia