3. What will we cover this morning?
09:30 Registration
10:00 An Introduction to AWS
10:45 Skill Pages & AWS
11:00 Break
11:15 Tricks & Tips for Getting Started with AWS
6. About Amazon Web Services
How did Amazon get into cloud computing?
Deep experience in building and operating global web-scale systems
7. Consumer Business
- Tens of millions of active customer accounts
- 8 countries: US, UK, Germany, Japan, France, Canada, China, Italy
Seller Business
- Sell on Amazon websites
- Use Amazon technology for your own retail website
- Leverage Amazon’s massive fulfillment center network
IT Infrastructure Business
- Cloud computing infrastructure for hosting web-scale solutions
- Hundreds of thousands of registered customers in over 190 countries
8. AWS Mission
Enable businesses and developers to use web services* to build scalable, sophisticated applications.
*What people now call “the cloud”
12. Powering the Most Popular Internet Businesses
Enterprises on AWS
Find out more at: aws.amazon.com/solutions/case-studies
13. Each day AWS adds the equivalent server capacity to power Amazon when it was a global, $7B enterprise
14. Objects in S3
Trillions of objects (000,000,000,000s)
Servicing over 2 million requests per second
19. Utility computing
Services: Compute, Storage, Security, Scaling, Database, Networking, Monitoring, Messaging, Workflow, DNS, Load Balancing, Backup, CDN
Characteristics: On demand, Pay as you go, Uniform, Available
20. On a global footprint
Regions: US-WEST (N. California), EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), US-WEST (Oregon), SOUTH AMERICA (Sao Paulo), US-EAST (Virginia), GOV CLOUD, ASIA PAC (Sydney)
21. At the end of a web service
```shell
aws ec2 run-instances \
    --image-id ami-a813fadf \
    --count 3 \
    --placement AvailabilityZone=eu-west-1a \
    --instance-type m1.small

aws ec2 run-instances \
    --image-id ami-a813fadf \
    --count 5 \
    --placement AvailabilityZone=eu-west-1c \
    --instance-type m1.medium
```
41. Reference Model
AWS Global Infrastructure
Networking
Compute, Storage, Database, App Services
Deployment & Administration
Security
42. Global infrastructure: Regions
An independent collection of AWS resources in a defined geography
A solid foundation for meeting location-dependent privacy and compliance requirements
43. Global infrastructure: Availability Zones
Designed as independent failure zones
Physically separated within a typical metropolitan region
44. Global infrastructure: Edge Locations
To deliver content to end users with lower latency
A global network of edge locations supports the global DNS infrastructure (Route 53) and the CloudFront CDN
Edge locations: Dallas (2), St. Louis, Miami, Jacksonville, Los Angeles (2), Palo Alto, Seattle, Ashburn (3), Newark, New York (3), Dublin, London (2), Amsterdam (2), Stockholm, Frankfurt (2), Paris (2), Singapore (2), Hong Kong (2), Tokyo (2), Sao Paulo, South Bend, San Jose, Osaka, Milan, Sydney, Madrid, Seoul, Mumbai, Chennai
45. Networking
- Direct Connect: dedicated connection to AWS
- VPN Connection: secure internet connection to AWS
- Virtual Private Cloud: private, isolated section of the AWS Cloud
- Route 53: highly available and scalable Domain Name Service
46. Compute: Elastic Compute Cloud (EC2)
Basic unit of compute capacity
Range of CPU, memory & local disk options
13 instance types available, from micro to cluster compute
Vertical scaling, from $0.02/hr
Feature / Details:
- Flexible: run Windows or Linux distributions
- Scalable: wide range of instance types from micro to cluster compute
- Machine Images: configurations can be saved as machine images (AMIs) from which new instances can be created
- Full control: full root or administrator rights
- Secure: full firewall control via Security Groups
- Monitoring: publishes metrics to CloudWatch
- Inexpensive: On-demand, Reserved and Spot instance types
- VM Import/Export: import and export VM images to transfer configurations in and out of EC2
47. Compute: Auto-scaling
Automatic provisioning of compute resources based upon demand, configuration or schedule (a trigger fires an auto-scaling policy)
Feature / Details:
- Control: define minimum and maximum instance pool sizes and when scaling and cool down occurs
- Integrated to CloudWatch: use metrics gathered by CloudWatch to drive scaling
- Instance types: run auto scaling for on-demand instances and spot; compatible with VPC
```shell
aws autoscaling create-auto-scaling-group \
    --auto-scaling-group-name MyGroup \
    --launch-configuration-name MyConfig \
    --availability-zones eu-west-1a \
    --min-size 4 \
    --max-size 200
```
48. Compute: Elastic Load Balancing
Create highly scalable applications
Distribute load across EC2 instances in multiple availability zones
Feature / Details:
- Auto-scaling: automatically scales to handle request volume
- Available: load balance across instances in multiple availability zones
- Health checks: automatically checks health of instances and takes them in or out of service
- Session stickiness: route requests to the same instance
- Secure sockets layer: supports SSL offload from web and application servers with flexible cipher support
- Monitoring: publishes metrics to CloudWatch
49. Storage: S3 - Durable storage, any object
99.999999999% durability of objects
Unlimited storage of objects of any type
Up to 5TB size per object
Feature / Details:
- Flexible object store: buckets act like drives, folder structures within
- Access control: granular control over object permissions
- Server-side encryption: 256-bit AES encryption of objects
- Multi-part uploads: improved throughput & control
- Object versioning: archive old objects and version new ones
- Object expiry: automatically remove old objects
- Access logging: full audit log of bucket/object actions
- Web content hosting: serve content as web site with built-in page handling
- Notifications: receive notifications on key events
- Import/Export: physical device import/export service
51. Storage: Elastic Block Store
High performance block storage device
1GB to 1TB in size
Mount as drives to instances
Feature / Details:
- High performance file system: mount EBS as drives and format as required
- Flexible size: volumes from 1GB to 1TB in size
- Secure: private to your instances
- Available: replicated within an Availability Zone
- Backups: volumes can be snapshotted for point in time restore
- Monitoring: detailed metrics captured via CloudWatch
52. Database: Relational Database Service
Database-as-a-Service
No need to install or manage database instances
Scalable and fault tolerant configurations
Feature / Details:
- Platform support: create MySQL, PostgreSQL, Microsoft SQL Server and Oracle RDBMS
- Preconfigured: get started instantly with sensible default settings
- Automated patching: keep your database platform up to date automatically
- Backups: automatic backups and point in time recovery and full DB backups; volumes can be snapshotted for point in time restore
- Failover: automated failover to slave hosts in event of a failure
- Replication: easily create read-replicas of your data and seamlessly replicate data across availability zones
53. Database: Amazon RDS at SEGA
Amazon Relational Database Service (Amazon RDS) databases store forum threads, site content, and project configuration data.
High availability: Multi-AZ database deployment to handle live game metadata and user-generated content.
Enterprise-grade fault tolerance for protecting customer data.
By managing time-consuming database administration tasks, Amazon RDS allows SEGA to focus on business critical applications.
54. Database: DynamoDB
Provisioned throughput NoSQL database
Fast, predictable performance
Fully distributed, fault tolerant architecture
Feature / Details:
- Provisioned throughput: dial up or down provisioned read/write capacity
- Predictable performance: average single digit millisecond latencies from SSD backed infrastructure
- Strong consistency: be sure you are reading the most up to date values
- Fault tolerant: data replicated across availability zones
- Monitoring: integrated to CloudWatch
- Secure: integrates with AWS Identity and Access Management (IAM)
- Elastic MapReduce: integrates with Elastic MapReduce for complex analytics on large datasets
55. Database: Redshift
Managed Massively Parallel Petabyte Scale Data Warehouse
Streaming Backup/Restore to S3
Extensive Security
2 TB -> 1.6 PB
56. Application Services: CloudFront
World-wide content distribution network
Easily distribute content to end users with low latency, high data transfer speeds, and no commitments.
Feature / Details:
- Fast: multiple world-wide edge locations to serve content as close to your users as possible
- Integrated with other services: works seamlessly with S3 and EC2 origin servers
- Dynamic content: supports static and dynamic content from origin servers
- Streaming: supports RTMP from S3 and includes support for live streaming from Adobe FMS and Microsoft Media Server
Diagram: (1) a single CNAME, www.mysite.com, fronts the distribution; (2) *.php requests are served from EC2; (3) /images/* requests are served from S3; edge locations shown: London, Paris, NY
57. Application Services: Amazon SQS
Reliable, highly scalable queue service for storing messages as they travel between instances
Diagram: a processing task / processing trigger is placed on an Amazon SQS queue; processing results come back through Amazon SQS
Feature / Details:
- Reliable: messages stored redundantly across multiple availability zones
- Simple: simple APIs to send and receive messages
- Scalable: unlimited number of messages
- Secure: authentication of queues to ensure controlled access
58. Deployment & Admin: Elastic Beanstalk
One-click deployment from Eclipse, Visual Studio and Git
Rapid deployment of applications
All AWS resources automatically created
Feature / Details:
- Platform support: containers for Java, .NET and PHP
- Resource creation: creates load balancer, instances, autoscaling and monitoring automatically
- Monitoring & Logs: integrated with CloudWatch and consolidates server logs
- Versioning: manage versions of applications and easily roll back deployments
- Notifications: receive alerts on key events
- Full resource access: access all underlying AWS resources as necessary
59. Deployment & Admin: OpsWorks
DevOps focused managed application stacks
Underlying Chef recipes allow for complete customisation
Feature / Details:
- Platform support: Chef recipes allow for community expansion for platform components such as Solr, Nginx etc
- Resource creation: customizable deployments, rollback, partial deployments, patch management, automatic instance scaling, and auto healing
- Layered: manage logical application layers and combine into stacks.
60. Deployment & Admin: CloudFormation
Automate creation of ‘stacks’ in a repeatable way
Scripting framework for AWS resource creation
Feature / Details:
- Platform support: support for AWS resources from EC2 to IAM
- Resource creation: creates AWS resources behind the scenes and reports on progress
- Declarative: specify stacks in JSON format and source control your environments
- Customizable: drive stack creation with parameters
61. Deployment & Admin: Identity & Access Management
Granular control of user rights with AWS
Automated granting of EC2 service rights
Software Developer Kits
Comprehensive support of programming models for using AWS services
62. + others
WorkSpaces
Cloud Search
Simple Email Service
Simple Workflow Service
Simple Notification Service
ElastiCache (Memcache & Redis)
Elastic MapReduce
CloudWatch
…and more to come!
65. Shared responsibility
You (the customer) are responsible for:
- Customer Data
- Client-side Data Encryption & Data Integrity Authentication
- Server-side Encryption (File System and/or Data)
- Network Traffic Protection (Encryption/Integrity/Identity)
- Platform, Applications, Identity & Access Management
- Operating System, Network & Firewall Configuration
Amazon is responsible for:
- Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
66. Certifications
- SOC 1 Type 2 (formerly SAS-70)
- ISO 27001
- PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM
- FISMA Moderate Compliant Controls
- HIPAA & ITAR Compliant Architecture
Physical Security
- Datacenters in nondescript facilities
- Physical access strictly controlled
- Must pass two-factor authentication at least twice for floor access
- Physical access logged and audited
HW, SW, Network
- Systematic change management
- Phased updates deployment
- Safe storage decommission
- Automated monitoring and self-audit
- Advanced network protection
Security standards: http://aws.amazon.com/security
68. One Place to Find Skilled People
- Find Skilled People! for anything you need done
- Get Found! by people who need your skills
- Collaborate! with skilled people globally
69. Challenges
Focus on building the best product for our users; avoid the overhead of building out core infrastructure
Diagram axes: Scalability, Function, Resources, Time
86. Choose a use case that suits you
Make your first project a S.M.A.R.T one
Dev & Test
- Spin environments up and down on demand
- Decouple development and test environments from operations constraints
- Explore elasticity in a sandboxed environment
Backup & DR
- Take part of your data or business applications step-by-step into non-production DR use
- Understand cloud dynamics and test during controlled failovers
Greenfield Project
- Embody best practice of cloud computing in unconstrained greenfield projects
- Self-contained web projects, document archiving etc
Pain Point
- Move specific service aspects causing undue cost or management burden
- Workflows, search indexing, media streaming, document archiving, constrained databases
88. Plan evolution & set goals
Stages: PoC, Production, Automation
Goals:
- Understand services
- Test performance
- Architect for scale
- Build cross functional team capabilities
- Implement monitoring
- Change control and management
- Security management
- Scalability
- Automate corrective measures
- Auto-scaling
- Zero downtime deployments
- System backup and recovery
Examples: Beanstalk, CloudFormation, CloudWatch, IAM, APIs, CLI, Auto scaling
99. Master Account and sub accounts
Master Account (aws.invoices@mycompany.com): consolidated billing information; programmatic billing access via S3 CSV
Sub accounts, each with its own IAM users and resources tagged with key-value pairs:
- Operating Co. A (admin@opcoa.com): IAM users User1, Dev1, Admin1; tags Own=OpCo with Proj=A, Proj=B, Proj=C
- Division B (admin@divisionB.com): IAM users User2, Dev2, Admin2; tags Own=Div with Proj=P, Proj=Q, Proj=R
- Business Unit C (admin@busUnitC.com): IAM users User3, Dev3, Admin3; tags Own=BusC with Proj=X, Proj=Y, Proj=Z
101. Lay Out Your Foundations: Accounts, Billing, Access Keys
Accounts
- Create an account structure that makes sense: use accounts like environments where you need separation and control, e.g. Dev Sandboxes, Test Environments, Business Units, Products & Services
Billing
- Control access to billing information: use IAM users to keep billing information in the master account
- Consolidate billing into a single account: let one account pick up the bill for multiple ‘sub accounts’
- Setup billing alerts and automated bill reporting: get CloudWatch notifications when billing reaches a point and output CSV reports to S3 for analysis
Access Keys
- Decide upon a key management strategy: control access to EC2 instances via SSH and embedded public key, e.g. EC2 Key Pair per group of instances, EC2 Key Pair per account
- Consider SSH key rotation & automation: limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances; consider bootstrap automation to grant developer access with developer-unique keypairs
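The key-rotation step above ("replacing authorized_keys listings on running instances"), as an added example that is not part of the deck: a POSIX sh function that replaces an instance's authorized_keys file with a new set of public keys in one atomic rename, keeping the previous listing for rollback. The file paths, the key-line pattern and the sample keys used to exercise it are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the deck): rotate the SSH public keys an instance
# trusts by rewriting its authorized_keys file atomically, so that a
# compromised private key stops working as soon as the new listing is in place.
# Assumptions: the authorized_keys path is the first argument and the
# replacement public-key files follow; the key-line pattern below is a
# simplification that accepts the common OpenSSH key types.

# rotate_authorized_keys AUTHORIZED_KEYS NEW_PUBKEY_FILE...
# Builds the new listing in a temp file next to the target (mode 600), keeps
# the old listing as AUTHORIZED_KEYS.previous for rollback, then renames the
# temp file into place so sshd never reads a half-written file.
rotate_authorized_keys() {
    target=$1; shift
    [ "$#" -ge 1 ] || { echo "no replacement keys given" >&2; return 2; }
    tmp="$target.new.$$"
    : > "$tmp" && chmod 600 "$tmp" || return 1
    for keyfile in "$@"; do
        # copy only lines that look like a public key; refuse empty or odd input
        if ! grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$keyfile" >> "$tmp"; then
            rm -f "$tmp"
            echo "$keyfile: no valid public key found" >&2
            return 1
        fi
    done
    # keep the old listing so an operator can roll back if the new key fails
    [ -f "$target" ] && cp -p "$target" "$target.previous"
    mv "$tmp" "$target"
}

# count_authorized_keys FILE: how many key lines FILE currently holds
count_authorized_keys() {
    grep -c -E '^(ssh-|ecdsa-)' "$1"
}
```

Run it on each instance as `rotate_authorized_keys ~ec2-user/.ssh/authorized_keys /path/to/new.pub` (path assumed); because the old file is only replaced by `mv`, an interrupted run leaves the existing listing untouched, and a file with no valid key is rejected rather than producing an empty listing that would lock everyone out.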
102. Lay Out Your Foundations: Groups & Roles
- Use IAM Groups to manage console users and API access: provide developers with IAM user login and unique API access credentials; control & restrict what IAM users can do by placing them in groups with policies
- Assign EC2 instances IAM roles: let AWS manage API access credentials on running instances by assigning a system entitlement to an instance, e.g. an instance can only read an S3 bucket
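The instance-role point above ("instance can only read S3 bucket"), as an added example that is not from the deck: a shell script that writes the trust and permission policy documents for an EC2 instance role limited to reading one bucket, checks that the permission policy grants no S3 write or wildcard actions, and only when APPLY=1 is set creates the role and instance profile with the aws CLI. The role and bucket names, the policy name and the APPLY and WORKDIR variables are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the deck): an EC2 instance role that may only read
# one S3 bucket. The role's trust policy lets the EC2 service assume it; its
# permission policy lists the read actions on that bucket and nothing else.
# Assumptions: role and bucket names are passed in; WORKDIR (default: a temp
# dir) holds the generated documents; the aws CLI calls only run when APPLY=1.

# write_trust_policy FILE: who may assume the role (only EC2 instances)
write_trust_policy() {
    cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# write_s3_read_policy BUCKET FILE: list and get objects in BUCKET, nothing more
write_s3_read_policy() {
    bucket=$1
    cat > "$2" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::$bucket"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::$bucket/*"
    }
  ]
}
EOF
}

# policy_is_read_only FILE: succeed only if no S3 write, delete or wildcard
# action appears in the document (a cheap guard against copy-paste widening;
# it does not evaluate the policy semantically)
policy_is_read_only() {
    ! grep -E -q '"s3:(\*|Put[A-Za-z]*|Delete[A-Za-z]*)"' "$1"
}

# apply_instance_role ROLE BUCKET: generate both documents, refuse anything
# that is not read-only, then create the role and expose it through an
# instance profile (instances are launched with --iam-instance-profile Name=ROLE)
apply_instance_role() {
    role=$1; bucket=$2
    work=${WORKDIR:-$(mktemp -d)}
    write_trust_policy "$work/trust.json"
    write_s3_read_policy "$bucket" "$work/s3-read.json"
    policy_is_read_only "$work/s3-read.json" || {
        echo "refusing to apply a policy that grants S3 writes" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        aws iam create-role --role-name "$role" \
            --assume-role-policy-document "file://$work/trust.json"
        aws iam put-role-policy --role-name "$role" \
            --policy-name "read-$bucket" \
            --policy-document "file://$work/s3-read.json"
        aws iam create-instance-profile --instance-profile-name "$role"
        aws iam add-role-to-instance-profile \
            --instance-profile-name "$role" --role-name "$role"
    else
        echo "dry run: $role would get read-only access to s3://$bucket (documents in $work)"
    fi
}
```

The permission policy names the bucket ARN for listing and the object ARN pattern for reads, so the credentials AWS places on the instance cannot touch any other bucket or write to this one; keeping the documents as files means they can be reviewed and source-controlled before `APPLY=1` is ever set.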
112. Understand your customer & form security stance
Leverage the shared security model
- Internal audience: IAM, Administration, Architecture
- External audience: your certifications, your processes, penetration test requests
- Regulated audience: AWS Certifications, AWS White Papers, AWS QSA Process
115. Understand your customer & form security stance
- Leverage the shared security model
- Engage with security assessors early in the adoption cycle: don’t fear assessment – AWS meets high standards (PCI, ISO27001, SOC2…); as with any infrastructure provider, security assessments take time; derive value from architecture reviews early in the deployment cycle
- Use comprehensive materials and certifications provided by AWS (http://aws.amazon.com/security/): risk and compliance paper; AWS security processes paper; CSA consensus assessments initiative questionnaire
- Build upon features of AWS and implement a ‘security by design’ environment
116. Build upon AWS features
Tiered Access
- IAM: control users and allow AWS to manage credentials in running instances for service access (allocation, rotation)
- APIs vs Instance: provide developer API credentials and control access to SSH keys
- Temporary Credentials: provide developer API credentials and control access to SSH keys
Security Groups
- Instance firewalls: firewall control on instances via Security Groups
- CLIs and APIs: instantly audit your entire AWS infrastructure from scriptable APIs – generate an on-demand IT inventory enabled by the programmatic nature of AWS
VPC
- Subnet control: create low level networking constraints for resource access, such as public and private subnets, internet gateways and NATs
- Bastion hosts: only allow access for management of production resources from a bastion host; turn off when not needed
Direct Connect & VPN
- Private connections to VPC: secured access to resources in AWS over software or hardware VPN and dedicated network links
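The "CLIs and APIs" point above (audit your infrastructure from scriptable APIs) combined with the Security Groups point, as an added example that is not the deck's own: a shell/awk filter that lists security-group ingress rules open to any source address on ports outside an allow list, the kind of scripted check an on-demand inventory can run. The rule lines are a constructed sample standing in for CLI output; the line format and the jq pipeline shown in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the deck): audit security-group ingress rules for
# ports exposed to the whole internet, a scripted inventory check of the kind
# the "CLIs and APIs" point describes.
# Assumptions: rules arrive on stdin, one per line, as
#   GROUP_ID FROM_PORT TO_PORT SOURCE_CIDR
# The constructed sample below stands in for real CLI output. To produce the
# same shape from a live account (jq assumed installed) one could run:
#   aws ec2 describe-security-groups --output json | jq -r \
#     '.SecurityGroups[] | .GroupId as $g | .IpPermissions[]
#      | .FromPort as $f | .ToPort as $t | .IpRanges[]
#      | "\($g) \($f) \($t) \(.CidrIp)"'

# constructed sample: two public web ports, SSH open to the world, an internal
# database rule, SSH from a bastion range, an all-traffic rule and an IPv6 range
SAMPLE_RULES='sg-web 80 80 0.0.0.0/0
sg-web 443 443 0.0.0.0/0
sg-web 22 22 0.0.0.0/0
sg-db 3306 3306 10.0.1.0/24
sg-bastion 22 22 203.0.113.0/24
sg-legacy null null 0.0.0.0/0
sg-mgmt 8000 9000 ::/0'

# world_open_rules [ALLOWED_PORTS]: print the rules whose source is any
# address and whose port range is not fully inside ALLOWED_PORTS
# (default "80 443"); an all-traffic rule (null or -1 ports) is always printed
world_open_rules() {
    allowed=${1:-"80 443"}
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $4 == "0.0.0.0/0" || $4 == "::/0" {
            # null/-1 means "all traffic" in the CLI output; always flag it
            if ($2 == "null" || $2 == "-1" || $3 == "null" || $3 == "-1") { print; next }
            # flag unless every port in the range is on the allow list
            for (p = $2 + 0; p <= $3 + 0; p++) if (!(p in ok)) { print; next }
        }'
}

# count_world_open_rules: number of flagged rules in the constructed sample
count_world_open_rules() {
    printf '%s\n' "$SAMPLE_RULES" | world_open_rules | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_RULES" | world_open_rules
```

On the sample this prints the world-open SSH rule, the all-traffic rule and the 8000-9000 range; the two web ports are silent because they are on the allow list, and the bastion and database rules are silent because their sources are specific ranges. Pass a different allow list as the first argument to tune the check per environment.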
118. Architect to use cloud strengths
Review application architectures early – assess fit for cloud
- Can cloud benefits be leveraged with minimum effort outlay? e.g. variable capacity requirements, ‘standard’ technology stacks, reference architectures*
- Will cloud yield cost savings & agility improvements? e.g. faster development cycles for dev/test, reduced cap-ex for application environments
- Can automation lead to a more agile & secure service? e.g. fully scripted deployments, IAM & EC2 instance roles, rolling deployments
- e.g. application performance improvement by migration of static content to S3/CloudFront
*http://aws.amazon.com/architecture
119. Bootstrapping – custom AMIs
1. Create instance for your OS choice
2. Configure environment
3. Install software
4. Create AMI from instance
5. Launch fully configured instances from AMI
Diagram: AMI (custom machine image) -> Instance, launched by manual deployments, programmatic deployments or auto-scaling
121. Bootstrapping – metadata service
Custom or standard machine image + user data: the instance receives custom data from the metadata service to drive bootstrapping
Scripts in the user-data field of metadata will be executed on launch, e.g.:
```shell
#!/bin/sh
yum -y install httpd
chkconfig httpd on
/etc/init.d/httpd start
```
Or, for Windows instances:
```
<powershell>
…
</powershell>
```
The metadata service contains a wealth of information about an instance: http://169.254.169.254/latest/meta-data
122. Bootstrapping – metadata service: what user data can drive
- Install software e.g. web server, app server, proxy
- Pull data and application packages from S3
- Publish metadata for instance to other systems e.g. monitoring systems
- Setup security profile of instance based upon intended use e.g. pull latest config
128. Architect to use cloud strengths
Elastic Load Balancing
- Use at regional level: combined with autoscaling will balance requests and resource capacity across availability zones
- Within VPC: use to loadbalance between application tiers within an availability zone
- Instance migrations: easily move instances from dev environments to test environments by moving between ELBs
Route 53
- Leverage SLA: improve application reliability with Route 53’s SLA on requests served
- Weighted routing: perform A/B analysis, and staged application roll-outs by moving a portion of traffic to new infrastructure
- Control TTLs and updates: take absolute control of DNS updates for more decisive system updates
RDS
- Scale databases without admin overhead: choose instance size for databases and scale up over time
- Add high availability from management console: create master-slave configurations and read-replicas; AWS takes care of the failover and recreation of a new slave in event of master DB loss
Auto-scaling
- Dynamically scale resources & control costs: only provision the resources that are required with scale up and cool down policies that match demand
Find out more at: aws.amazon.com/architecture
130. Services not software
Self managed software & infrastructure: 70% managing all of the “undifferentiated heavy lifting”, 30% on your business
AWS cloud-based infrastructure & services: 30% configuring your cloud assets, 70% more time to focus on your business
131. Services not software
Relational Database Service: Database-as-a-Service; no need to install or manage database instances; scalable and fault tolerant configurations. Use RDS for databases.
DynamoDB: provisioned throughput NoSQL database; fast, predictable performance; fully distributed, fault tolerant architecture. Use DynamoDB for high performance key-value DB.
132. Services not software
Amazon SQS: reliable, highly scalable queue service for storing messages as they travel between instances. Reliable message queuing without additional software.
Diagram: Tasks A, B (auto-scaling) and C exchange processing tasks / processing triggers and processing results through Amazon SQS queues
Simple Workflow: reliably coordinate processing steps across applications; integrate AWS and non-AWS resources; manage distributed state in complex systems. Push inter-process workflows into the cloud with SWF.
133. Services not software
Cloud Search: elastic search engine based upon the Amazon A9 search engine; fully managed service with sophisticated feature set; scales automatically. Don’t install search software, use CloudSearch.
Diagram: document server -> search server -> results
Elastic MapReduce: elastic Hadoop cluster; integrates with S3 & DynamoDB; leverage Hive & Pig analytics scripts; integrates with instance types such as spot. Process large volumes of data cost effectively with EMR.
135. Be elastic and cost optimized
Goals: Scalability, Availability, Cost Optimization
Tools: Elastic Load Balancing, Auto-scaling policies, Instance types and sizes
137. Auto-scaling policies
- Manually: send an API call or use CLI to launch/terminate instances – only need to specify capacity change (+/-). Preemptive manual scaling of capacity, e.g. before a marketing event add 10 more instances
- By Schedule: scale up/down based on date and time. Regular scaling up and down of instances, e.g. scale from 0 to 2 to process SQS messages every night or double capacity on a Friday night
- By Policy: scale in response to changing conditions, based on user configured real-time monitoring and alerts. Dynamic scale based upon custom metrics, e.g. SQS queue depth, average CPU load, ELB latency
- Auto-Rebalance: instances are automatically launched/terminated to ensure the application is balanced across multiple AZs. Maintain capacity across availability zones, e.g. instance availability maintained in event of an AZ becoming unavailable
138. Instance types
On-demand instances
- Unix/Linux instances start at $0.02/hour; pay as you go for compute power
- Low cost and flexibility: pay only for what you use, no up-front commitments or long-term contracts
- Use cases: applications with short term, spiky, or unpredictable workloads; application development or testing
Reserved instances
- 1- or 3-year terms; pay low up-front fee, receive significant hourly discount
- Low cost / predictability: helps ensure compute capacity is available when needed
- Use cases: applications with steady state or predictable usage; applications that require reserved capacity, including disaster recovery
Spot instances
- Bid on unused EC2 capacity; Spot Price based on supply/demand, determined automatically
- Cost / large scale, dynamic workload handling
- Use cases: applications with flexible start and end times; applications only feasible at very low compute prices
141. Quickly deploy and manage apps in AWS…
Elastic Beanstalk, CloudFormation, OpsWorks
142. CloudFormation components & terminology
Template: JSON formatted file; parameter definition; resource creation; configuration actions
CloudFormation: comprehensive service support; service event aware; customisable framework; stack creation; stack updates; error detection and rollback
Stack: configured AWS services
143. OpsWorks: powerful management framework with Chef support
Stack: managed environment; definition of an environment such as production or test
Layers: blueprint for a collection of resources (instances, EBS, EIPs etc.)
Apps: your application assets; resources to deploy and run in layers
Management: management services; scaling, cloning, user access, self healing
147. Developer (support tiers: Basic, Developer, Business, Enterprise)
Offering:
24x7x365: ✓
Forum access: ✓
Documentation: ✓
Access to support: Email
Named contacts: 1
Fastest response time: 12 hours
Architecture support: Building blocks
Best practice: ✓
Diagnostics tools: ✓
Find out more at: aws.amazon.com/premiumsupport
148. Business (support tiers: Basic, Developer, Business, Enterprise)
Offering:
24x7x365: ✓
Forum access: ✓
Documentation: ✓
Access to support: Phone, Chat, Email
Named contacts: 5
Fastest response time: 1 hour
Architecture support: Use case guidance
Best practice: ✓
Diagnostics tools: ✓
Direct routing: ✓
3rd party software: ✓
Trusted Advisor: ✓
Find out more at: aws.amazon.com/premiumsupport
149. Enterprise (support tiers: Basic, Developer, Business, Enterprise)
Offering:
24x7x365: ✓
Forum access: ✓
Documentation: ✓
Access to support: Phone, Chat, Email
Named contacts: Unlimited
Fastest response time: 15 minutes
Architecture support: Application architecture
Best practice: ✓
Diagnostics tools: ✓
Direct routing: ✓
3rd party software: ✓
Trusted Advisor: ✓
Direct TAM access: ✓
White glove case handling: ✓
Management business review: ✓
Find out more at: aws.amazon.com/premiumsupport
151. Trusted Advisor checks: Security, Fault Tolerance, Cost Optimization
Security: open ports in security groups; world access (/0 CIDR); IAM use
Fault tolerance: EBS snapshot age; ELB optimization; availability zones
Cost optimization: unused Elastic IPs; underutilized EC2 instances
Business and Enterprise Support have been enhanced to include best practice audits via AWS Trusted Advisor
Find out more at: aws.amazon.com/premiumsupport/trustedadvisor
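The first two security checks above (open ports, world access via a /0 CIDR) are the ones most worth re-implementing yourself, because they can be run on every account and every change, not only when you open a support case. Added example, not Trusted Advisor's or AWS's code: a Python audit over security-group rules in the shape an `ec2 describe-security-groups` response has, reporting every ingress rule whose source is a /0 network and, separately, the groups that expose administrative or database ports to the whole Internet. The sample groups are constructed for illustration, and the list of "risky" ports is an assumption for the example.

```python
"""Audit EC2 security groups for world-open ingress (Trusted Advisor style).

Added, self-contained example. SAMPLE_RESPONSE is constructed to mirror the
shape of an `aws ec2 describe-security-groups` response; RISKY_PORTS is an
assumed list of services that should never be reachable from 0.0.0.0/0.
"""
import ipaddress
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample (trimmed to the fields the checks need).
SAMPLE_RESPONSE = json.loads("""
{
  "SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "bastion",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "web",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "db-legacy",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "wide-open",
     "IpPermissions": [
       {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
  ]
}
""")

# Assumption for the example: services that must not face the whole Internet.
RISKY_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
               5432: "PostgreSQL", 1521: "Oracle", 27017: "MongoDB"}


def _is_world(cidr: str) -> bool:
    # A /0 prefix in either address family (0.0.0.0/0, ::/0) means "anyone".
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _world_sources(perm: Dict) -> List[str]:
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if _is_world(c)]


def _port_range(perm: Dict) -> Tuple[int, int]:
    # IpProtocol "-1" is "all traffic": FromPort/ToPort are absent, every port counts.
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])


def unrestricted_rules(groups: Iterable[Dict]) -> List[Tuple[str, str, int, int, str]]:
    """Every ingress rule open to a /0 source: (group id, protocol, from, to, cidr)."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            lo, hi = _port_range(perm)
            for cidr in _world_sources(perm):
                findings.append((g["GroupId"], perm["IpProtocol"], lo, hi, cidr))
    return findings


def risky_ports_open(groups: Iterable[Dict], risky=RISKY_PORTS) -> Dict[str, List[str]]:
    """Group id -> names of risky services reachable from the whole Internet."""
    hits: Dict[str, List[str]] = {}
    for gid, _proto, lo, hi, _cidr in unrestricted_rules(groups):
        for port, name in sorted(risky.items()):
            if lo <= port <= hi and name not in hits.setdefault(gid, []):
                hits[gid].append(name)
    return {gid: names for gid, names in hits.items() if names}


if __name__ == "__main__":
    groups = SAMPLE_RESPONSE["SecurityGroups"]
    for finding in unrestricted_rules(groups):
        print("world-open rule:", finding)
    for gid, names in risky_ports_open(groups).items():
        print(f"{gid}: {', '.join(names)} exposed to the Internet")
```

The two lists answer different questions: the web group legitimately has 80 and 443 open to the world and appears only in the first, while the legacy database group and the "all traffic from ::/0" group are the ones to fix. Remember that a rule with IpProtocol "-1" carries no port fields, and that an IPv6 ::/0 is just as open as 0.0.0.0/0; checks that only look at IpRanges miss both.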
153. 3rd Party Software Support Enhancements
Operating systems including:
Ubuntu Linux
Red Hat Enterprise Linux and Fedora
SUSE Linux (SLES and openSUSE)
CentOS Linux
Microsoft Windows 2003 R2
Microsoft Windows 2008
Microsoft Windows 2008 R2
Microsoft Windows 2012
Common application stack components including:
Amazon SDKs
Apache, Nginx and IIS web servers
Sendmail & Postfix MTAs
SSH, SFTP & FTP
Disk Management tools – LVM & Software RAID
VPN Solutions – OpenVPN, RRAS
Databases – MySQL & SQL Server
155. Choose your use case well
Organize your environments
Think security
Architect to cloud strengths
Services not software
Be elastic & cost optimized
Use frameworks where appropriate
Get supported
156. AWS Training & Certification
Certification: aws.amazon.com/certification
Demonstrate your skills, knowledge, and expertise with the AWS platform
Self-Paced Labs: aws.amazon.com/training/self-paced-labs
Try products, gain new skills, and get hands-on practice working with AWS technologies
Training: aws.amazon.com/training
Skill up and gain confidence to design, develop, deploy and manage your applications on AWS
157. Join us for
AWS CloudSchool
Dublin
July 15
#AWS #CloudSchool
158. We typically see customers start by trying our services
Get started now at: aws.amazon.com/getting-started
159. Design your application for the AWS Cloud
More details on the AWS Architecture Center at: aws.amazon.com/architecture