Best Practices for Getting Started with AWS

Ian Massingham — Technical Evangelist, @IanMmmm

Upload: amazon-web-services

Post on 24-Jan-2017



Getting Started with AWS: Agenda

Eight best practices you should focus on when getting started

Resources you can use to learn more

Getting Started with AWS

http://aws.amazon.com/getting-started/

Getting Started with AWS

1. Choose Your First Use Case Well


Make your first project a S.M.A.R.T one. Four kinds of first project work well:

Dev & Test
Spin environments up and down on demand
Decouple development and test environments from operations constraints
Explore elasticity in a sandboxed environment

Backup & DR
Take part of your data or business applications step-by-step into non-production DR use
Understand cloud dynamics and test during controlled failover

Greenfield Project
Embody best practice of cloud computing in unconstrained greenfield projects
Self-contained web projects, document archiving etc.

Pain Point
Move specific service aspects that cause undue cost or management burden
Workflows, search indexing, media streaming, document archiving, constrained databases

Plan Evolution and Set Goals (sample activities at each stage)

Proof of Concept: understand services; test performance; architect for scale; develop team capabilities
Production: implement monitoring; change control and management; security management; scalability
Automation: automate corrective actions; auto-scaling; zero downtime deployments; system backup and recovery

2. Lay Out Your Foundations


Accounts

Create an account structure that makes sense
Use accounts like environments where you need separation and control, e.g. dev sandboxes, test environments, business units, products & services

Billing

Control access to billing information: use IAM users to view billing information, which stays in the master account
Consolidate billing into a single account: let one account pick up the bill for multiple 'sub accounts'
Set up billing alerts and automated bill reporting: get CloudWatch notifications when billing reaches a threshold and output CSV reports to S3 for analysis

Enable delivery of billing reports with resources & tags (Billing preferences under Billing Settings in the master account)

[Diagram: consolidated billing relationships]
Master account with a consolidated billing relationship to three linked accounts, each with its own IAM users (user, dev, admin) and cost-allocation tags (key-value pairs, e.g. Own=Div, Proj=R):
  Operating Co. account: tags Own=OpCo with Proj=A, B, C
  Division account: tags Own=Div with Proj=P, Q, R
  Business Unit account: tags Own=BusC with Proj=X, Y, Z
CloudWatch billing alerts fire at fixed thresholds (reached $500, $1250, $3500). The master account delivers billing CSV reports to S3 for analysis, for programmatic billing access and for 3rd party cost management tools.
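The billing flow in the diagram above (cost-allocation tags per linked account, CSV reports delivered to S3, alerts at fixed dollar thresholds) as an added example that is not part of the original deck. The script parses a constructed fragment of a detailed billing report with resources and tags, rolls cost up per linked account and per Own/Proj tag pair, flags line items that cannot be allocated because a tag is missing, and reports which of the deck's thresholds ($500, $1250, $3500) each account's month-to-date total has reached. The column subset (LinkedAccountId, RecordType, ProductName, UsageType, ResourceId, UnBlendedCost, user:Own, user:Proj) is assumed from the AWS detailed billing report layout; the account IDs, resource IDs, tag values and costs are invented.

```python
"""Roll up a detailed billing report (CSV with resources & tags) by linked
account and cost-allocation tag, and check month-to-date totals against the
fixed-dollar alert thresholds from the diagram.

Added example; not code from the original talk. SAMPLE_REPORT is a
constructed fragment in the column layout of the AWS detailed billing report
with resources and tags (only the columns used here are kept; tag columns are
prefixed "user:" in real reports). Account IDs, resource IDs, tag values and
costs are invented.
"""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# The AccountTotal row is a summary line the report also carries; it must be
# skipped or the account is counted twice.
SAMPLE_REPORT = """\
LinkedAccountId,RecordType,ProductName,UsageType,ResourceId,UnBlendedCost,user:Own,user:Proj
111111111111,LinkedLineItem,Amazon Elastic Compute Cloud,BoxUsage:m4.large,i-0aaa111,310.50,OpCo,A
111111111111,LinkedLineItem,Amazon Simple Storage Service,TimedStorage-ByteHrs,opco-archive,42.10,OpCo,B
111111111111,LinkedLineItem,Amazon Elastic Compute Cloud,EBS:VolumeUsage.gp2,vol-0ccc333,180.00,,
111111111111,AccountTotal,,,,532.60,,
222222222222,LinkedLineItem,Amazon Relational Database Service,InstanceUsage:db.r3.large,div-db-1,1300.00,Div,P
222222222222,LinkedLineItem,Amazon Elastic Compute Cloud,BoxUsage:c4.xlarge,i-0ddd444,75.25,Div,R
333333333333,LinkedLineItem,Amazon Elastic MapReduce,BoxUsage:m3.xlarge,j-2EEE555,3600.00,BusC,X
"""

# Alert thresholds shown in the deck's diagram (USD, month to date), lowest first.
ALERT_THRESHOLDS = (Decimal("500"), Decimal("1250"), Decimal("3500"))


def parse_report(text):
    """Yield only real line items; summary rows (AccountTotal, StatementTotal,
    InvoiceTotal) carry no resource and would double-count if included."""
    for row in csv.DictReader(io.StringIO(text)):
        if row["RecordType"] == "LinkedLineItem":
            yield row


def rollup(text):
    """Return (per_account, per_tag, untagged):
    per_account: {account_id: total}
    per_tag:     {(account_id, Own, Proj): total}
    untagged:    [(account_id, ResourceId, cost)] for items missing a tag."""
    per_account = defaultdict(Decimal)
    per_tag = defaultdict(Decimal)
    untagged = []
    for row in parse_report(text):
        acct = row["LinkedAccountId"]
        cost = Decimal(row["UnBlendedCost"])  # Decimal: money must not drift
        own, proj = row.get("user:Own", ""), row.get("user:Proj", "")
        per_account[acct] += cost
        if own and proj:
            per_tag[(acct, own, proj)] += cost
        else:
            untagged.append((acct, row["ResourceId"], cost))
    return dict(per_account), dict(per_tag), untagged


def crossed_thresholds(total, thresholds=ALERT_THRESHOLDS):
    """Thresholds the running total has reached. CloudWatch billing alarms on
    EstimatedCharges are normally GreaterThanOrEqualToThreshold, hence >=."""
    return [t for t in thresholds if total >= t]


def report(text):
    """Print a summary and return {account_id: [thresholds reached]}."""
    per_account, per_tag, untagged = rollup(text)
    alerts = {}
    for acct, total in sorted(per_account.items()):
        alerts[acct] = crossed_thresholds(total)
        print(f"account {acct}: ${total:,.2f} month to date, "
              f"alerts reached: {[str(t) for t in alerts[acct]]}")
    for (acct, own, proj), total in sorted(per_tag.items()):
        print(f"  {acct} Own={own} Proj={proj}: ${total:,.2f}")
    for acct, resource, cost in untagged:
        print(f"  UNTAGGED {acct} {resource}: ${cost:,.2f} (cannot be allocated)")
    return alerts


if __name__ == "__main__":
    report(SAMPLE_REPORT)
```

The untagged check is the part worth automating: a resource with no Own/Proj tag is cost that no business unit will claim, and in practice it is also the resource nobody remembers to patch or decommission.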

Access Keys

Decide upon a key management strategy
Control access to EC2 instances via SSH and an embedded public key, e.g. one EC2 key pair per group of instances or one per account
Consider SSH key rotation & automation: limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances
Consider bootstrap automation to grant developer access with developer-unique key pairs
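Rotating keys on running instances, as the slide above puts it, means editing each instance's authorized_keys rather than relying on the EC2 key pair that was injected at launch. The following is an added example, not code from the talk: it parses an authorized_keys file, computes each entry's SHA256 fingerprint the way ssh-keygen -lf does, removes entries whose fingerprint is on a retire list, appends replacement keys without duplicating ones already present, and rejects malformed entries (bad base64, a truncated blob, or a blob whose embedded key type disagrees with the declared type). The key lines are constructed in the script from fixed bytes so it runs offline; they are not real keys.

```python
"""Rotate entries in an OpenSSH authorized_keys file by SHA256 fingerprint.

Added example, not code from the original talk. The key lines below are
built from fixed bytes purely so the script runs offline; they are not real
key pairs and cannot be used to log in anywhere.
"""
import base64
import hashlib
import os
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")


def ssh_string(data):
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(fill_byte, comment):
    """Constructed ed25519-shaped public key line (32 bytes of fill_byte)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill_byte]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(b64_blob):
    """SHA256 fingerprint as ssh-keygen -lf prints it (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line):
    """Return (options, keytype, b64, comment); raise ValueError if malformed.
    Leading options such as from="10.0.0.0/8" are kept verbatim (options with
    whitespace inside the quotes are not handled by this simple splitter)."""
    fields = line.split(None, 2)
    options = ""
    if fields and fields[0] not in KEY_TYPES:
        options = fields[0]
        fields = line.split(None, 1)[1].split(None, 2) if len(fields) > 1 else []
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"malformed entry: {line!r}")
    keytype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) > 2 else ""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError(f"truncated key blob in entry {comment!r}")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError(f"entry {comment!r} declares {keytype} but the blob does not")
    return options, keytype, b64, comment


def is_valid_entry(line):
    try:
        parse_line(line)
        return True
    except ValueError:
        return False


def rotate(authorized_keys_text, retire_fingerprints, new_lines):
    """Return (new_text, removed_comments). Blank and comment lines are kept,
    entries whose fingerprint is in retire_fingerprints are dropped, and
    new_lines are appended unless already present (idempotent on re-run)."""
    kept, removed, seen = [], [], set()
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            kept.append(raw)
            continue
        _, _, b64, comment = parse_line(line)  # a malformed line aborts the run
        fp = fingerprint(b64)                  # rather than silently dropping
        if fp in retire_fingerprints:          # someone's access
            removed.append(comment)
            continue
        seen.add(fp)
        kept.append(raw)
    for line in new_lines:
        fp = fingerprint(parse_line(line)[2])
        if fp not in seen:
            kept.append(line)
            seen.add(fp)
    return "\n".join(kept) + "\n", removed


def write_atomically(path, text):
    """Write via a temp file in the same directory and rename over the target,
    so a crash mid-write never leaves a truncated authorized_keys (which would
    lock every operator out of the instance)."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


# Constructed sample: the shared launch key pair every instance received, plus
# one developer key restricted to an internal address range.
OLD_SHARED = make_ed25519_line(0x01, "shared-ec2-keypair-2014")
ALICE = make_ed25519_line(0x02, "alice@laptop")
BOB = make_ed25519_line(0x03, "bob@laptop")
SAMPLE_AUTHORIZED_KEYS = f"""# managed by rotate-keys
{OLD_SHARED}
from="10.0.0.0/8" {ALICE}
"""

if __name__ == "__main__":
    retire = {fingerprint(OLD_SHARED.split()[1])}
    new_text, removed = rotate(SAMPLE_AUTHORIZED_KEYS, retire, [BOB, ALICE])
    print("removed:", removed)
    print(new_text)
```

Driving this from the bootstrap automation the slide mentions (or from a remote command service) is what makes rotation routine rather than a one-off; keying the retire list by fingerprint instead of by comment matters because the comment field is free text that anyone with write access can change.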

Groups & Roles

Use IAM groups to manage console users and API access
Provide developers with an IAM user login and unique API access credentials
Control & restrict what IAM users can do by placing them in groups with associated policies

Assign EC2 instances IAM roles
Let AWS manage API access credentials on running instances by assigning a system entitlement to the instance, e.g. an instance that can only read one S3 bucket, rather than storing long-lived access keys on the instance

Identity & Access Management (IAM)

[Diagram: IAM inside one AWS account]
Users: Jim, Gavin, Steve, Nigel, Stephen, organised into Groups: Administrators, Developers
Applications: Ingest, Console, Reporting, given access through Roles
Multi-factor Authentication

AWS API Credentials

IAM Policies

  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "elasticbeanstalk:*",
          "ec2:*",
          "elasticloadbalancing:*",
          "autoscaling:*",
          "cloudwatch:*",
          "s3:*",
          "sns:*"
        ],
        "Resource": "*"
      }
    ]
  }

Create a policy to assign permissions to a user, group, role or resource.
Policies are written in JSON. A policy consists of one or more statements, each of which describes one set of permissions.
Policies control access to AWS APIs

Identity and Access Management - IAM

For more details on IAM, visit:

aws.amazon.com/iam
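The policy on the slide grants every action in seven services on every resource ("Resource": "*"); it is convenient for a sandbox but the opposite of the instance-role advice earlier in this section (an instance that can only read one S3 bucket). As an added example that is not from the talk, the script below builds that least-privilege instance-role policy together with the EC2 trust policy the role needs, and runs a small linter over both it and the deck's own policy to flag Allow statements that pair wildcard actions with a wildcard resource. The bucket name is invented and nothing calls the AWS API, so it runs offline.

```python
"""Build a least-privilege EC2 instance-role policy and lint IAM policies
for wildcard grants. Added example; not code from the original talk.
The bucket name is invented. Nothing here calls AWS."""
import json

# The sandbox policy from the slide, reproduced as a constructed linter input.
DECK_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                   "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*"],
        "Resource": "*",
    }]
}


def bucket_read_only_policy(bucket):
    """Permissions policy for an instance role that may only read one bucket.
    ListBucket is a bucket-level action (ARN without /*); GetObject is an
    object-level action (ARN with /*). Granting either on the wrong ARN form
    fails silently at request time, so they are kept in separate statements."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOneBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "ReadObjects", "Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def ec2_trust_policy():
    """Trust (assume-role) policy: only the EC2 service may assume the role.
    This is what lets the instance metadata service hand out short-lived
    credentials instead of a long-lived access key stored on the box."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of findings (strings). Flags: a missing or pre-2012
    Version (without "2012-10-17" policy variables are not interpreted),
    any Allow statement pairing a wildcard action ('*' or 'service:*') with
    Resource '*', and NotAction/NotResource inside an Allow, which grants
    everything except the listed items."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("missing or old Version; use 2012-10-17")
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild and "*" in resources:
            findings.append(f"statement {i} ({st.get('Sid', 'no Sid')}): "
                            f"wildcard actions {wild} on Resource '*'")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource in an Allow "
                            "grants everything not listed")
    return findings


if __name__ == "__main__":
    bucket_policy = bucket_read_only_policy("example-reports-bucket")
    print(json.dumps(bucket_policy, indent=2))
    print(json.dumps(ec2_trust_policy(), indent=2))
    print("deck policy findings:", lint_policy(DECK_POLICY))
    print("bucket policy findings:", lint_policy(bucket_policy))
```

Run against the slide's policy the linter reports the missing Version and the wildcard-on-everything statement; against the bucket policy it reports nothing. The same check is cheap to put in a pre-commit hook once policies live in version control alongside CloudFormation templates.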

3. Think Security

Shared Security Responsibility

AWS is responsible for security of the cloud:
  Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

You are responsible for security in the cloud:
  Customer Data
  Platform, Applications, Identity & Access Management
  Operating System, Network & Firewall Configuration
  Client-side Data Encryption & Data Integrity Authentication
  Server-side Encryption (File System and/or Data)
  Network Traffic Protection (Encryption/Integrity/Identity)

Understand your customer & determine your security stance
Engage with security assessors early in your adoption cycle
Use comprehensive materials and certifications provided by AWS

[Diagram: audiences and the evidence each one needs]
External audience, regulatory audience, internal audience
Your architecture, administration and IAM
AWS certifications, white papers and the QSA process
Your processes, your certifications, penetration test results

Leverage AWS Security
Don't fear assessment: AWS meets high standards (PCI DSS, ISO 27001)
Security assessments take time, so allow for this in your planning
Undertake architecture reviews early in your design/deployment process

For more details on AWS Security, visit: aws.amazon.com/security
Risk and compliance white paper
AWS security processes white paper
CSA consensus assessments initiative questionnaire (requires NDA)

4. Services, not Software

[Diagram: where the time goes]
Self-managed software & infrastructure: 70% managing all of the "undifferentiated heavy lifting", 30% on your business
AWS cloud infrastructure & services: 30% configuring cloud services, 70% more time to focus on your business

Services Not Software

Amazon RDS (Relational Database Service)
Easy to set up, operate, and scale
Handles time-consuming database management tasks, such as backups, patch management, and replication
Supports MySQL, MariaDB, Oracle, Microsoft SQL Server, PostgreSQL & Amazon Aurora

Amazon DynamoDB (NoSQL Database Service)
Fast, predictable performance
Supports document & key-value data models
Fully distributed, fault tolerant architecture

Amazon SQS (Simple Queue Service)
Fast, reliable, scalable, fully managed message queuing service
Transmit any volume of data, at any level of throughput
[Diagram: processing tasks/triggers go into a queue; processing results come back through a queue]

Amazon EMR (Elastic MapReduce)
Uses Hadoop, an open source framework, to distribute your data and processing across EC2 instances
Integrates with other AWS services, such as S3 & DynamoDB
Supports the broad Hadoop tools ecosystem

5. Optimise Your Costs

1. Use the Right Instance Types
2. Use Auto Scaling
3. Turn Off Unused Instances
4. Use Reserved Instances
5. Use Spot Instances
6. Use Storage Classes
7. Offload Your Architecture
8. Use Services, Not Software
9. Use Consolidated Billing
10. Use Cost Management Tools

6. Use Tools & Frameworks

Access everything via CLI, API or Console

Use one of 9 (soon to be 10) fully supported SDKs to create or make use of existing AWS resources within your own code

Leverage a broad ecosystem of open source, free and commercially licensed tools to work with AWS Services

Achieve the highest levels of automation to support continuous deployment, define your infrastructure-as-code or automate your development, operations or DevOps processes

Find out more at: aws.amazon.com/developers/getting-started/

Everything is Programmable

AWS Deployment & Management Tools

AWS Elastic Beanstalk

AWS OpsWorks

AWS CloudFormation

AWS CodeDeploy

7. Get Supported

Get Supported: AWS Support Options

Four support tiers are available. Choose from:

Basic: free
Developer: greater of $29 or 3% of monthly AWS usage
Business: greater of $100 or a minimum of 3% of monthly AWS usage
Enterprise: greater of $15,000 or 3% of monthly AWS usage

For more details on AWS Support, visit: aws.amazon.com/premiumsupport

Get Supported: Trusted Advisor

Get Supported: 3rd Party Software

Operating systems on EC2 instances: Ubuntu Server; Red Hat Enterprise Linux and Fedora; SUSE Linux (SLES and openSUSE); CentOS Linux; Microsoft Windows Server 2003 R2, 2008, 2008 R2 and 2012
Infrastructure components: Sendmail and Postfix MTAs; OpenVPN and RRAS; SSH, SFTP, and FTP; LVM and Software RAID
Web servers: Apache, IIS, Nginx
Databases: MySQL, Microsoft SQL Server

For more details on AWS Support, visit: aws.amazon.com/premiumsupport

Resources You Can Use to Learn More

aws.amazon.com/getting-started/

aws.amazon.com/premiumsupport

aws.amazon.com/architecture

aws.amazon.com/security

aws.amazon.com/campaigns/emea-getting-started

Follow us for more events & webinars

@AWScloud for Global AWS News & Announcements
@AWS_UKI for local AWS events & news
@IanMmmm Ian Massingham — Technical Evangelist