AWSome Day 2019 - Mexico City

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWSOME DAY

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Session Outline
Course Overview
AWS Cloud Concepts
AWS Technology
AWS Security
AWS Architecting
AWS Pricing and Support

AWSOME DAY
Hernan Garcia / Technical Trainer
@hernangarcia

Introduction to the AWS Cloud
Cloud Computing
P On-demand delivery of IT resources and applications via the internet with pay-as-
you-go pricing

Benefits of AWS Cloud Computing
Trade capital expense
for variable expense.
Benefit from massive
economies of scale.
Stop guessing
capacity.
Go global in minutes.
Increase speed and
agility.
Stop spending money
on running and
maintaining data
centers.

AWS Cloud Computing
Infrastructure Regions Edge locationsAvailability Zones
Foundation
Services
Compute
(Virtual, Auto Scaling, and
load balancing)
Networking
Applications Virtual Desktops Collaboration and Sharing
Platform
Services
Databases
Relational
NoSQL
Caching
Analytics
Cluster
Computing
Real-time
Data
Warehouse
Data Workflows
App Services
Queuing
Orchestration
App Streaming
Transcoding
Email
Search
Deployment and Management
Containers
DevOps Tools
Resource Templates
Usage Tracking
Monitoring and Logs
Mobile Services
Identity
Sync
Mobile Analytics
Notifications
Storage
(Object, block, and archive)

AWSOME DAY
AWS Global Infrastructure

Services At The Edge
Amazon Route 53
Amazon CloudFront
AWS WAF
AWS Shield
AWS Lambda@Edge
AWS Global Accelerator

Compute Services
AWS
P Flexible
P Cost effective
Amazon Lightsail
P Launch virtual private server
P Manage simple web and application servers
Amazon EC2
P Flexible configuration and control

Compute Services
Amazon ECS
P Managed containers
P Highly scalable, high performance
Amazon EKS
AWS Fargate
AWS Lambda
P Pay only for what you use
P No administration

AWSOME DAY
Amazon Elastic Compute Cloud
(EC2)

What is Amazon EC2?
ü Application Server
ü Web Server
ü Database Server
ü Game Server
ü Mail Server
ü Media Server
ü Catalog Server
ü File Server
ü Computing Server
ü Proxy Server
Elastic Compute Cloud

What is an Amazon Machine Image (AMI)?
Provides the information required to launch an instance:
Root volume template
Block device mapping
Launch permissions

Choosing an AMI
AWS Quick Start AWS Marketplace

Right Compute For The Right Application

Amazon EC2 Instances
175
instance types
for virtually every workload and business need

Amazon EC2 Instances
FamiliesCapabilities
Choice of processor
Fast processors
High memory footprint
(up to 64 TiB)
Instance storage
(HDD and NVMe)
Networking
(up to 100 Gbps)
Accelerated computing
(GPUs and FPGA)
Bare Metal
+ +
Compute intensive
Memory intensive
Burstable
Storage (High I/O)
Dense storage
GPU compute
Graphics intensive
General purpose
175
instance types
for virtually
every workload
and business need

Instance Types
Families Description Example Use Cases
t3, m5, m4
General Purpose
Balanced Performance
Websites, web applications, Dev, code repos, micro
services, business apps
c4, c5, cc2
Compute Optimized
High CPU
Performance
Front-end fleets, web-servers, batch processing,
distributed analytics, science and engineering apps, ad
serving, MMO gaming, video-encoding
g2, p2
GPU Optimized
High-end GPU
Amazon AppStream 2.0, video encoding, machine
learning, high perf databases, science
r3, r4, x1, cr1
Memory Optimized
Large RAM footprint
In-memory databases, data mining
d2, i2, i3, hi1, hs1
Storage Optimized
High I/O, High density
NAS, data warehousing, NoSQL

How Much Do You Need?

C5: Compute Optimized Instances
Based on 3.0 GHz Intel Xeon
Scalable Processors (Skylake)
Up to 72 vCPUs and 144GiB of
memory
25Gbps NW bandwidth
Support for Intel AVX-512
25% price/performance
improvement over C4
C4 C5
“We saw significant performance improvement on
Amazon EC2 C5, with up to a 140% performance
improvement in industry standard CPU benchmarks
over C4.”

AWSOME DAY
@hernangarcia
Demo time!

AWSOME DAY
@hernangarcia
Let’s take a break

AWSOME DAY
Amazon Elastic Block Store (EBS)

EBS: Built For Dynamic Workloads

AWSOME DAY
Amazon Simple Storage Service
(S3)

Amazon S3
Features
P Fully managed cloud storage service
P Rich security controls
P Designed for 99.999999999% durability and 99.99% availability of objects over a
given year
Functionality
P Store virtually unlimited number of objects
P Access any time, from anywhere

Amazon S3 Use Cases

Let’s build a web site/application
Automatically scalable
Automatically elastic
Highly available
Fault tolerant

AWSOME DAY
Demo time!
@hernangarcia

AWSOME DAY
Amazon Virtual Private Cloud
(VPC)

VPC
AWS Cloud
Availability zone 1
AWS Region
App servers
RouterPublic subnet 10.0.1.0/24
Web
servers
10.0.0.0/16
Private subnet 10.0.2.0/24
Availability zone 2
App servers
Public subnet 10.0.3.0/24
Web
servers

VPC
AWS Cloud
Availability zone 1
AWS Region
App servers
Router
Web
servers
10.0.0.0/16
Availability zone 2
App servers
Web
servers
Destination Target
10.0.0.0/16 local

VPC
AWS Cloud
Availability zone 1
AWS Region
App servers
Router
Web
servers
10.0.0.0/16
Availability zone 2
App servers
Web
servers
Destination Target
10.0.0.0/16 local
0.0.0.0/0 igw_id
Internet
Gateway
Internet

VPC
AWS Cloud
Availability zone 1
AWS Region
App servers
Router
Web
servers
10.0.0.0/16
Availability zone 2
App servers
Web
servers
Destination Target
10.0.0.0/16 local
0.0.0.0/0 igw_id
Internet
Gateway
Internet
Destination Target
10.0.0.0/16 local
0.0.0.0/0 ngw_id
NAT GW NAT GW

VPC
AWS Cloud
Availability zone 1
AWS Region
App servers
Router
Web
servers
10.0.0.0/16
Availability zone 2
App servers
Web
servers
Destination Target
10.0.0.0/16 local
0.0.0.0/0 igw_id
Internet
Gateway
Internet
Destination Target
10.0.0.0/16 local
0.0.0.0/0 ngw_id
NAT GW NAT GW
Corporate
data center
VPN GW

AWSOME DAY
AWS Security Groups

AWS VPC Security Groups Chain
Web Tier
security group
Application Tier
security group
Database Tier
security group
internet
Corporate
Admin Network
app serverwww server
http/https
api
db serverapiwww server
www server app server
app server
db server
db server
ssh/rdp
(all other ports are blocked)

AWSOME DAY
Elastic Load Balancing (ELB)

Introduction to ELB

Elastic Load Balancing Products
Application Load Balancer (ALB) Network Load Balancer (NLB) Classic Load Balancer (CLB)
PREVIOUS GENERATION
for HTTP, HTTPS, and TCP
• Flexible application management
• Advanced load balancing of
HTTP and HTTPS traffic
• Operates at the request level
(Layer 7)
• Extreme performance and static
IP for your application
• Load balancing of TCP traffic
• Operates at the connection level
(Layer 4)
• Existing application that was
built within the EC2-Classic
network
• Operates at both the request
level and connection level
HTTP
HTTPS
TCPT

Application Load Balancer Use Cases

What Is Auto Scaling?
Dynamically react to changing demand, optimize cost

Adjust Capacity With Auto Scaling

Auto Scaling and Predictive Scaling

Monitoring Resource Performance
Amazon CloudWatch to monitor performance
Auto Scaling to add or remove EC2 instances

CloudWatch Alarm for Auto Scaling

Scaling Out and Scaling In
Elastic
Load
Balancing
Auto Scaling group Auto Scaling groupAuto Scaling group
Base Configuration Scaling Out Scaling In
Launch Instances Terminate Instances

Auto Scaling Components
Launch Configuration
Auto Scaling groups
Auto Scaling Policy

Launch Configuration: What will be scaled?
Launch settings
P AMI
P Instance type
P Security groups
P Roles

Auto Scaling Group: Where will it take place?
Deployment settings
P VPC and subnets
P Load balancer
P Minimum instances
P Maximum instances
P Desired capacity

Auto Scaling Policy: When will it take place?
Policy settings
P Scheduled
P On-demand
P Scale-out policy
P Scale-in policy

Dynamic Auto Scaling
Latency
Utilization
CloudWatchAuto
Scaling
Elastic Load
Balancing
Auto Scaling group
Execute AS
Policy

AWSOME DAY
Amazon Relational Database Service
(RDS)

Amazon RDS
Managed service that sets up and operates a relational database in
the Cloud
Users Application
servers Amazon RDS
AWS Cloud

Amazon RDS DB Instances
DB Instance Class
• CPU
• Memory
• Network Performance
DB Instance Storage
• Magnetic
• General Purpose (SSD)
• Provisioned IOPS
Amazon
RDS
RDS DB
master
instance
DB Engines
M
Amazon
RDS
RDS DB
master
instance
DB Engines

Amazon RDS
Customer manages:
P Application Optimization
P Database schema
P Data
AWS manages:
P OS installation and patches
P Database software installation and patches
P Database backups
P High availability
P Scaling
P Power, rack and stack
P Server maintenance

Amazon RDS In a Virtual Private Cloud
VPC
M
App
Public subnet
Private subnet
internet
gateway
Amazon
EC2
instance
RDS
DB
instance
Availability Zone 1
Users

High Availability with Multi-AZ
SYNCHRONOUS
Public subnet
Amazon
EC2
instance
RDS DB
instance
App
RDS DB
standby
instance
Private subnet Private subnet
M S
Availability Zone 1 Availability Zone 2
VPC

High Availability with Multi-AZ
Public subnet
Amazon
EC2
instance
RDS DB
instance
VPC
App
RDS DB
standby
instance
Private subnet Private subnet
M S
Availability Zone 1 Availability Zone 2
FAILOVER

Amazon RDS Read Replicas
Features
Asynchronous replication
Promote to master if necessary
Functionality
Read-heavy database workloads
Offload read queries
Public subnet
Amazon
EC2
instance
RDS DB
instance
VPC
App
Private subnet
M
Availability Zone 1
RDS DB
read
replica
instanceR

What Is Amazon DynamoDB?
NoSQL database tables
Virtually unlimited storage
Items may have differing attributes
Low-latency queries
Scalable read/write throughput

Common Use Cases
Web
Mobile apps
Internet of Things
Ad tech
Gaming

Items in a Table Must Have a Key

AWSOME DAY
Let’s take a break
@hernangarcia

AWSOME DAY
Introduction to AWS Security

Introduction to AWS Security
Security is of the utmost importance to AWS.
Approach to security
AWS environment controls
AWS offerings and features

AWSOME DAY
The AWS Shared Responsibility Model

Shared Responsibility Model
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity, and Access Management
Operating System, Network, and Firewall Configuration
Customer Applications & Content
Customers
Customers are
responsible for
security IN the cloud
AWS is responsible
for the security OF
the cloud

Security of the Cloud
Protection of the AWS global infrastructure is top priority
Availability of third-party reports
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations

Security in the Cloud
What to store
Which AWS services
In what location
In what content format and
structure
Who has access
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity, and Access Management
Operating System, Network, and Firewall Configuration
Customer Applications & Content
Customers

Assurance Programs

AWS Identity and Access
Management (IAM)
AWS Organizations
Amazon Cognito
AWS Directory Service
AWS Single Sign-On
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
Amazon Virtual Private
Cloud (Amazon VPC) flow
logs
Amazon EC2
Systems Manager
AWS Shield
AWS WAF
Amazon Inspector
Amazon Virtual Private
Cloud (VPC)
AWS Key Management
Service (AWS KMS)
AWS CloudHSM
Amazon Macie
AWS Certificate Manager
(ACM)
Server side encryption
AWS Secrets Manager
AWS Config rules
AWS Lambda
Amazon EC2 Systems
Manager
Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
AWS Security Solutions

AWSOME DAY
AWS Access Control and
Management

AWS IAM
Create users and groups
Grant permissions
User Group Permissions Role

AWS Account Root User
Account root user has complete access to
all AWS Services.

AWS Account Root User
Recommendations
1. Delete root user access keys.
2. Create an IAM user.
3. Grant administrator access.
4. Use IAM credentials to interact
with AWS.
IAM

AWS IAM
Control access to AWS resources
P Authentication
P Authorization
Controls access to services such as:
Compute
Storage
Database
Application services

AWS IAM: Authentication
Management console access
P Uses AWS account name and password
P MFA prompts for code
Programmatic access
P Enables access key ID and secret access key

AWS IAM Authentication
Authentication
AWS Management Console
P User Name and Password
IAM User

AWS IAM Authentication
Authentication
AWS CLI or SDK API
P Access Key and Secret Key
Access Key ID: AKIAIOSFODNN7EXAMPLE
Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Java Python .NET
AWS SDK & APIAWS CLI
IAM User

AWS IAM Authorization
Authorization
Policies:
P Are JSON documents to describe permissions.
P Are assigned to users, groups or roles.
IAM User IAM Group
IAM Roles

AWS IAM Policy Elements
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1453690971587",
"Action": [
"ec2:Describe*",
"ec2:StartInstances",
"ec2:StopInstances”
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "54.64.34.65/32”
}
}
},
{
"Sid": "Stmt1453690998327",
"Action": [
"s3:GetObject*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::example_bucket/*"
}
]
}
IAM Policy

AWS IAM Policy Assignment
IAM User
IAM Group
Assigned Assigned
IAM Policy

IAM User
IAM Group
IAM Roles
Assigned Assigned
Assigned
IAM Policy

AWS IAM Roles
An IAM role uses a policy.
An IAM role has no associated credentials.
IAM users, applications, and services may assume IAM roles.
IAM Roles

IAM User
IAM Group
IAM Roles
Assigned Assigned
Assigned
IAM User
Assumed Assumed
AWS Resources
IAM Policy

Example: Application Access to AWS Resources
Python application hosted on an Amazon EC2 Instance needs to
interact with Amazon S3.
AWS credentials are required:
P Option 1: Store AWS Credentials on the Amazon EC2 instance.
P Option 2: Securely distribute AWS credentials to AWS Services and Applications.
IAM Roles

AWS IAM Roles - Instance Profiles
Amazon EC2
EC2 MetaData Service
http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename
Amazon S31
3
4
App &
Create Instance
Application
interacts
with S3
Select IAM Role2

AWS IAM Roles – Assume Role
IAM Restricted Policy
IAM User A-1
AWS Account A
IAM Admin RoleIAM Admin Policy
Assigned
Assume
Assigned
1
2
IAM User B-1
AWS Account B
Amazon S3
Assume
4
Access
53
Access
1

IAM Best Practices
Roles
P Use roles for applications
P Use roles instead of sharing credentials
Credentials
P Rotate credentials regularly
P Remove unnecessary users and credentials
Use policy conditions for extra security
Monitor activity in your AWS account

Monitoring and Logging
Tools and features to reduce your risk profile:
P Deep visibility into API calls
P Log aggregation and options
P Alert notifications

AWS CloudTrail
Records AWS API calls for accounts.
Delivers log files with information to an Amazon S3 bucket.
Makes calls using the AWS Management Console, AWS SDKs, AWS
CLI and higher-level AWS services.
AWS CloudTrail Amazon S3 Bucket
Logs

AWSOME DAY
AWS Security Resources

AWS Trusted Advisor
Best practice and recommendation engine.
Provides AWS customers with performance and security
recommendations in four categories:
P Cost optimization
P Security
P Fault tolerance
P Performance improvement
AWS Trusted
Advisor

AWS Trusted Advisor (Security)
Security groups
AWS IAM use
Amazon S3 bucket permissions
MFA on Root Account
AWS IAM password policy
Amazon RDS security group access risk
120

Amazon GuardDuty
Managed threat detection
Continuously monitors for malicious or
unauthorized behavior
Intelligent threat detection and
actionable alerts

What Can Amazon GuardDuty Detect
Known Malicious IP
(Potentially)
Unusual Ports
DNS Exfiltration
RDP Brute Force
Unusual Traffic VolumeConnect to Blacklisted Site
(Potentially)
Recon
Anonymizing Proxy
Temp credentials
Used off-instance
Unusual ISP Caller
Bitcoin Activity
Unusual Instance Launch
RDP Brute
Force
RAT Installed
Exfiltrate
temp IAM
creds over
DNS
Probe api
with temp
creds
Attempt to
compromise
account

Amazon Macie
Understand Your
Data
Natural Language
Processing (NLP)
Understand Data
Access
Predictive User
Behavior Analytics
(UBA)

Amazon Macie – User Behavioral Analysis
0. Feature
extraction from
event data
1. Map into user
time-series
2. Cluster peer
groups
3. Predict user
activity. Update
models.
4. Identify
anomalies.
5. Attempt to
explain
statistically.
6. Alert and
narrative
explanation
created

AWS Account Teams
Are first point of contact
Guide deployment
Point toward the right resources to resolve security issues

AWS Enterprise Support*
15-minute response time
24/7, by phone, chat, or email
Dedicated Technical Account Manager
*for details, see:
https://aws.amazon.com/premiumsupport/enterprise-support/

Support Plans
AWS Support offers four support plans:
Basic Support
Developer Support
Business Support
Enterprise Support

AWS Professional Services and AWS Partner Network
APN has hundreds of certified AWS Consulting Partners worldwide
P Help develop security policies
P Help meet compliance requirements

AWS Marketplace
Qualified partners to market/sell software to AWS
customers
Online software store that can run on AWS

AWSOME DAY
Fundamentals of Pricing

AWS Pricing Model
Pay-as-you-go
Pay less when you reserve
Pay even less per unit by using more
Pay even less as AWS grows

No Extra Charge
AWS services for no additional charge:
Amazon VPC
AWS Elastic Beanstalk
AWS CloudFormation
AWS IAM
Auto Scaling

AWS Free Tier
AWS Free Tier helps customer get started in the cloud
Limitations:
P Up to one year
P Certain services and options
For more details, see: http://www.aws.amazon.com/free

Custom Pricing
Meet varying needs through custom pricing
Available for high-volume projects with unique
requirements

Amazon EC2 Purchasing Options
157
On-Demand
Instances
Pay by the
hour.
Reserved
Instances
Purchase, at a
significant
discount,
instances that
are always
available.
1-year to 3-
year terms.
Scheduled
Instances
Purchase
instances that
are always
available on
the specified
recurring
schedule, for a
one-year term.
Spot
Instances
Bid on unused
instances,
which can run
as long as they
are available
and your bid is
above the
Spot price.
Dedicated
Hosts
Pay for a
physical host
that is fully
dedicated to
running your
instances.
Dedicated
Instances
Pay, by the
hour, for
instances that
run on single-
tenant
hardware.

Amazon S3
Storage:
The number and size of objects
Requests:
Pricing based on
Number of requests
Type of requests
P Different rates for GET requests
Data Transfer:
Pricing based on the amount of data transferred out of the Amazon S3
region

Amazon EBS: Volumes and IOPS
Volumes
All volume types are charged by the amount provisioned per
month
IOPS
General Purpose (SSD) and Magnetic
P Included in price
Provisioned IOPS (SSD)
P Charged by the amount you provision in IOPS

Amazon RDS: Clock-Hour Billing and Database Characteristics
Clock-Hour Billing
Resources incur charges when running
Database Characteristics
Physical capacity of database:
P Engine
P Instance Type
P Instance Size

AWS Simple Monthly Calculator
Estimate the cost of running your application or solution in the AWS
cloud based on usage.
https://calculator.aws

AWSOME DAY
Overview of the Total Cost of
Ownership Calculator

AWS Total Cost of Ownership (TCO)
Calculator
PEstimate cost savings when using AWS
PUse a detailed set of reports that can be used in executive presentations
PModify assumptions that best meet your business needs
1. Describe your infrastructure in four
steps, or enter detailed configurations
2. Get an instant summary report 3. Download a full report including
detailed cost breakdowns

The Beauty of Serverless

Want to know more?
https://aws.training

Thank you!
AWSOME DAY
@hernangarcia

AWSome Day 2019 - Mexico City

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à AWSome Day 2019 - Mexico City

Similaire à AWSome Day 2019 - Mexico City (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

AWSome Day 2019 - Mexico City