mark johnson's aws chicago healthcare slides - 2016

Healthcare and Life Sciences Days Chicago, IL Mark Johnston, Director of Global Business Development, Healthcare and Life Sciences June 28, 2016

Upload: awschicago

Post on 11-Apr-2017


Page 1: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Healthcare and Life Sciences Days

Chicago, IL

Mark Johnston, Director of Global Business Development, Healthcare and Life Sciences

June 28, 2016

Page 2: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Agenda

1. 01:00 PM – 01:30 PM: Introduction and Opening Remarks

2. 01:30 PM – 02:30 PM: Embracing DevOps with Improving Compliance and Security Agility and Posture

02:30 PM – 02:45 PM: Break

3. 02:45 PM – 03:30 PM: Healthcare Analytics and Prediction using Amazon Machine Learning

4. 03:30 PM – 04:15 PM: Cognizant: Managing Cloud Infrastructure at Scale

5. 04:15 PM – 05:00 PM: Leveraging Amazon Echo and AWS to build IoT Applications

6. 05:00 PM – 06:30 PM: Closing Remarks, Q&A and Networking

Page 3: Mark Johnson's AWS Chicago Healthcare Slides - 2016

12 Regions

33 Availability Zones

54 Edge Locations

Coming Soon:

5 Regions

11 Availability Zones

AWS global infrastructure

Page 4: Mark Johnson's AWS Chicago Healthcare Slides - 2016

AWS Rapid Pace of Innovation

AWS has been continually expanding its services to support virtually any cloud workload and it now has more than 50 services that range from compute, storage, networking, database, analytics, application services, deployment, management and mobile. Since inception AWS has launched 776 new features and/or services for a total of 1,950 new features and/or services since inception in 2006.

[Chart: year labels 2009, 2011, 2013, 2015; value labels 48, 82, 280, 722]

* As of 1 Feb 2016

Page 5: Mark Johnson's AWS Chicago Healthcare Slides - 2016

[Diagram: AWS service map. Panel titles: Enterprise Apps; Development & Operations; Mobile Services; App Services; Analytics; IoT; Hybrid Architecture; Security & Compliance; Core Services; Infrastructure; Marketplace; Technical & Business Support]

Core Services: Compute (VMs, Auto-scaling, & Load Balancing); Storage (Object, Blocks, Archival, Import/Export); Databases (Relational, NoSQL, Caching, Migration); Networking (VPC, DX, DNS); CDN

Security & Compliance: Access Control; Identity Management; Key Management & Storage; Monitoring & Logs; Assessment and reporting; Resource & Usage Auditing; Configuration Compliance; Web application firewall

Hybrid Architecture: Data Backups; Integrated App Deployments; Direct Connect; Identity Federation; Integrated Resource Management; Integrated Networking

Infrastructure: Regions; Availability Zones; Points of Presence

Page 6: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Why AWS?

Scalable

Flexible

Agile

Page 7: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Alex Dickinson

SVP, Strategic Initiatives

Working with AWS lets us focus on what we’re good at, which is doing sequencing

Page 8: Mark Johnson's AWS Chicago Healthcare Slides - 2016

William H. Morris

Associate CIO

The cloud can lower the operating cost, and actually allow us to focus on what we do well, which is taking care of patients.

Page 9: Mark Johnson's AWS Chicago Healthcare Slides - 2016

David Bennett

EVP of Healthier Populations

The market acceptance of healthcare running on AWS is pretty exciting to us

Page 10: Mark Johnson's AWS Chicago Healthcare Slides - 2016

New technologies are emerging throughout the industry

• Data exchange throughout your healthcare network

• New innovations in care delivery

• Consumer applications and personalized medicine

Page 11: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Use Case: AWS for Precision Medicine

• All the compute you need to deal with large, complex data sets

• Easily deploy to physicians throughout your network

• Cost-effective short-term and long-term storage

Page 12: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Jason Gillman

Director of Precision Genomics

we wanted to provide information to the oncologist as quickly as we can. These new services …. powered by AWS, helps provide that.

Page 13: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Innovation in medication adherence

• Medication adherence for depression and schizophrenia

• Therapeutic has an ingestible sensor linked to a wearable patch

• Patch talks to the application

• Patient data (or lack of) is communicated to care managers and/or physicians

Page 14: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Innovation in chronic care management

• Sensor attaches to existing inhaler

• Tracks therapeutic utilization

• Application allows environmental condition capture

• Patient gets feedback regarding their condition – Asthma and COPD

Page 15: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Jeroen Tas

CEO, Healthcare Informatics Solutions and Services

We combine data to make it actionable….We’re doing that together with Amazon, because there is only one company that we can do this with which gives us the reliability, scale, and performance we need.

Healthcare IoT – Philips HSDP

Page 16: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Torsten Kablitz

Vice President, IT Business Services

[Just one] of our customers…..500,000 transactions a day….AWS allows us to bring up and bring down servers just as we need them.

Page 17: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Security is foundational at AWS

Architected to be one of the most flexible and secure cloud computing environments available today

Page 18: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Security: A Shared Responsibility

AWS secures the infrastructure....

Customer: ....so you can secure your patient data

Page 19: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Security: A Shared Responsibility

AWS secures the infrastructure....

• Environment built for the most security sensitive organizations

• AWS manages 1800+ security controls so you don’t have to

• Certified and regularly audited

Page 20: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Security: A Shared Responsibility

Customer: ....so you can secure your patient data

• You retain ownership of your IP and content – AWS does not have access

• You control where your data is stored

• Enabling end-to-end compliance

Page 21: Mark Johnson's AWS Chicago Healthcare Slides - 2016

In the Cloud, Infrastructure Security is Code

Templates determine what infrastructure is deployed and how it is deployed

Built-in tools to monitor your environment

Automatic logging for audit support

Page 22: Mark Johnson's AWS Chicago Healthcare Slides - 2016

The AWS Cloud Improves your Compliance Posture

Controllable Infrastructure

Repeatable Testing

Automatic Traceability

Page 23: Mark Johnson's AWS Chicago Healthcare Slides - 2016

AWS and Validated Systems

Major companies run GxP on AWS today

We have GxP resources available to help you migrate GxP systems to the AWS Cloud

Developed with input from Lachman Consultants

Multiple partners with solutions available: Sparta, TraceLink, Waters, Medidata, etc.

Page 24: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Enabling Compliance

Build HIPAA-compliant applications that store, process and transmit PHI

Business Associate Agreement (BAA) addendum available

HIPAA-eligible services for broad range of applications: Compute, Storage, Database, Managed Big Data, Archiving, Data Warehousing, Networking

Page 25: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Lee Kim

Director, Privacy and Security

HIMSS North America

Most healthcare institutions don’t have the time and resources to devote to cybersecurity that an established cloud provider might have

Page 26: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Embracing DevSecOps while improving your compliance and security agility and posture

Scott Paddock

Security Solutions Architect

Gerry Miller

Founder & CTO, Cloudticity

Page 27: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Agenda

• DevOps to DevSecOps Primer

• Observed industry cloud techniques with AWS

• Tools, processes and frameworks to assist

• Example Compliance Workflows

Page 28: Mark Johnson's AWS Chicago Healthcare Slides - 2016

DevOps Toolchain

Stages shown in the diagram: Plan, Configure, Verify, Preprod, Monitor, Create, Release

Stage descriptions shown in the diagram:

• Define and plan; business value, application requirements and metrics

• Building, coding and configuration

• Ensuring quality; acceptance, regression testing

• Infrastructure and application

• Approval/certification, triggered releases, release staging and holding

• Process, application and infrastructure

• Release coordination, promotion, scheduling, rollback and recovery

Page 29: Mark Johnson's AWS Chicago Healthcare Slides - 2016

DevOps Principles

• Collaborate with all stakeholders

• Codify everything

• Test everything

• Automate everything

• Measure and monitor everything

• Deliver business value with continual feedback

Manual Hacking

Page 30: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Drivers for DevSecOps

Embedding Security into DevOps was not successful because…

• Compliance checklists didn’t take us far before we stopped scaling…

• We couldn’t keep up with deployments without automation…

• Standard Security Operations did not work…

• And we needed far more data than we expected to help the business make decisions…

Page 31: Mark Johnson's AWS Chicago Healthcare Slides - 2016

DevSecOps: Security as Code

Establishing these principles…

• Customer focused mindset

• Scale, scale, scale

• Objective criteria

• Proactive hunting

• Continuous detection and response

Page 32: Mark Johnson's AWS Chicago Healthcare Slides - 2016

DevOps Toolchain

Stages shown in the diagram: Plan, Configure, Verify, Preprod, Monitor, Create, Release

Stage descriptions shown in the diagram:

• Define and plan; business value, application requirements, security, compliance and metrics

• Build, code and configuration

• Ensuring quality; acceptance, regression, security and compliance testing

• Infrastructure and application

• Approval/certification, triggered releases, release staging and holding

• Process, application, infrastructure, security and compliance

• Release coordination, promotion, scheduling, rollback and recovery

Page 33: Mark Johnson's AWS Chicago Healthcare Slides - 2016

AWS HIPAA Eligible Services (as of 4/21): Amazon EC2, Amazon EMR, Amazon Glacier, Amazon S3, Amazon DynamoDB, Amazon RDS (MySQL and Oracle), Amazon Redshift, Amazon EBS, Elastic Load Balancing

AWS Non-HIPAA Eligible Services: Amazon ECS, AWS Elastic Beanstalk, AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, SQS, SNS, AWS Config, AWS Device Farm

Consult with compliance and security organizations before implementing

Page 34: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Observed industry cloud techniques with AWS

Page 35: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Let’s start at the end…

Page 36: Mark Johnson's AWS Chicago Healthcare Slides - 2016

How do we achieve this?

Page 37: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Automate everything (CloudFormation)

Page 38: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Automate everything (CloudFormation)

Page 39: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Automate everything (CloudFormation)

Page 40: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Automate everything (Scripting)

Page 41: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Automate everything (Chef)

Page 42: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Log everything

Page 43: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Monitor everything (ELK)

Page 44: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Monitor everything (AWS Config)

Page 45: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Monitor everything (Compliance as a Service)

Page 46: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Monitor everything (Compliance as a Service)

Page 47: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Monitor everything (Other Suggestions)

Page 48: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Act on (and automate workflow)

Page 49: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Act on (and automate workflow)

Page 50: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Act on (and automate workflow)

Page 51: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Actual workflow (diagram)

Post-commit hook

Page 52: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Actual workflow (diagram)

Post-commit hook

• Build & test

• Notify if failure - or

• Package manifest on success

• Executables

• Required resources

• Any other necessary metadata

Page 53: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Actual workflow (diagram)

[Diagram stages: Post-commit hook; Put to S3 bucket; Triggers Lambda; CloudFormation; Dynamic cf-init]

• Install and configure any packages or roles

• OS configuration and updates

• Download any required static files

Page 54: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Actual workflow (diagram)

[Diagram stages: Post-commit hook; Put to S3 bucket; Triggers Lambda; CloudFormation; Dynamic cf-init]

• CloudFormation wait conditions

• CloudWatch events (uses tags)

Page 55: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Actual workflow (diagram)

[Diagram stages: Post-commit hook; Put to S3 bucket; Triggers Lambda; CloudFormation; Dynamic cf-init; SSM; Route53]

“Old” Stack

“New” Stack

Page 56: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Actual workflow (diagram)

[Diagram stages: Post-commit hook; Put to S3 bucket; Triggers Lambda; CloudFormation; Dynamic cf-init; SSM; Route53]

“Old” Stack – 90%

“New” Stack – 10%

Page 57: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Actual workflow (diagram)

[Diagram stages: Post-commit hook; Put to S3 bucket; Triggers Lambda; CloudFormation; Dynamic cf-init; SSM; Route53]

“Old” Stack – 50%

“New” Stack – 50%

Page 58: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Actual workflow (diagram)

[Diagram stages: Post-commit hook; Put to S3 bucket; Triggers Lambda; CloudFormation; Dynamic cf-init; SSM; Route53]

“Old” Stack

“New” Stack – 100%
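The staged cut-over on these slides (old/new stack at 90/10, 50/50, then 100% new) maps onto Route 53 weighted records. The following is an added example, not code from the original deck: it builds the change batch for each stage and falls back to the old stack when a stage is reported unhealthy. The record name, stack DNS names, set identifiers and the health-check input are assumptions.

```python
"""Staged blue/green traffic shift expressed as Route 53 weighted records."""

# Share of traffic for the "new" stack at each step shown on the slides.
STAGES = (10, 50, 100)

# Hypothetical names, used only in this example.
RECORD_NAME = "app.example.com."
TARGETS = {"old-stack": "old-stack.example.com.", "new-stack": "new-stack.example.com."}


def weights_for(new_percent):
    """Map a percentage for the new stack to (old, new) record weights.

    Route 53 sends each record weight / sum(weights) of the traffic and accepts
    integer weights from 0 to 255, so percentages can be used directly.
    """
    if isinstance(new_percent, bool) or not isinstance(new_percent, int):
        raise TypeError("new_percent must be an int")
    if not 0 <= new_percent <= 100:
        raise ValueError("new_percent must be between 0 and 100")
    return 100 - new_percent, new_percent


def change_batch(new_percent, ttl=60):
    """Build one ChangeBatch that updates both weighted records together."""
    old_w, new_w = weights_for(new_percent)
    changes = []
    for set_id, weight in (("old-stack", old_w), ("new-stack", new_w)):
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": RECORD_NAME,
                "Type": "CNAME",
                "SetIdentifier": set_id,   # distinguishes the two weighted records
                "Weight": weight,
                "TTL": ttl,                # short TTL so resolvers pick up each step
                "ResourceRecords": [{"Value": TARGETS[set_id]}],
            },
        })
    return {"Comment": f"old={old_w}% new={new_w}%", "Changes": changes}


def next_percent(current, new_stack_healthy):
    """Advance to the next stage, or send everything back to the old stack."""
    if not new_stack_healthy:
        return 0
    return next((s for s in STAGES if s > current), current)


def plan_rollout(health_checks):
    """Return the change batches for a rollout, in the order they would be applied.

    health_checks holds one boolean per completed stage (assumed to come from
    whatever gate the pipeline uses); the first batch is always the 10% step.
    """
    percent = next_percent(0, True)
    batches = [change_batch(percent)]
    for healthy in health_checks:
        if percent in (0, 100):
            break                          # finished, or already rolled back
        percent = next_percent(percent, healthy)
        batches.append(change_batch(percent))
    return batches


if __name__ == "__main__":
    # With boto3 each batch would be passed as ChangeBatch to
    # route53.change_resource_record_sets(HostedZoneId=..., ChangeBatch=batch).
    for batch in plan_rollout([True, True]):
        print(batch["Comment"])
```
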

Page 59: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Variations on workflow

Gitflow pull request approvals

Stack per branch

• Variation – naming conventions

Stage gates (human intervention) using Slack

Blue/green vs. destructive deployments

Deployment dashboards

Page 60: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Some practical considerations

Page 61: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Some practical considerations

Page 62: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Some practical considerations

Page 63: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Some practical considerations

Page 64: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Consult internally before implementing

These slides describe practices we have used in industry, but security and compliance is determined by YOU, the customer. So please, please:

• Consult with your internal best practices

• Consult with your Cloud Center of Excellence

• Consult with your Information Security group

• Consult with your Compliance organization

• Do your due diligence

Page 65: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Thank You

Any questions?

Scott Paddock Gerry Miller


Page 66: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Advanced Analytics & Machine Learning on AWS

Ujjwal Ratan

Healthcare and Life Sciences Solutions Architect

Amazon Web Services

Page 67: Mark Johnson's AWS Chicago Healthcare Slides - 2016

This Talk Will Cover

Analytics on AWS overview

Reference architectures

Amazon Machine Learning (AML) Overview

Application of AML to a real world problem - patient readmission

A look at the end user application

Q&A

Page 68: Mark Johnson's AWS Chicago Healthcare Slides - 2016

A growing gap…

[Chart: data volume from 1990 to 2020, showing the gap between generated data and data available for analysis]

Sources: Gartner: User Survey Analysis: Key Trends Shaping the Future of Data Center Infrastructure Through 2011; IDC: Worldwide Business Analytics Software 2012–2016 Forecast and 2011 Vendor Shares

Page 69: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Analytical pipeline on AWS

[Diagram: Data to Answers through Collect, Store, Process, Analyze. Stage labels: Data Collection and Storage; Data Processing; Event Processing; Data Analysis. Services shown: Amazon S3, Amazon Kinesis, Amazon DynamoDB, Amazon RDS (Aurora), AWS Lambda, KCL Apps, Amazon EMR, Amazon Redshift, Amazon Machine Learning]

Page 70: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Let's rewind to the 90s…. Familiar with this?

https://en.wikipedia.org/wiki/Data_warehouse#/media/File:Data_warehouse_overview.JPG

Page 71: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Fast-forward to the present day – Data Lakes

[Diagram labels: Application data; Server logs; Internet APIs; Custom Apps; Amazon S3; Amazon EMR; Amazon RDS; Data Mart; Amazon Redshift; Dashboards; Amazon Machine Learning]

Page 72: Mark Johnson's AWS Chicago Healthcare Slides - 2016

A reference architecture to build smart applications on AWS

[Diagram labels: users; Internet; corporate data center; DB Schemas; CSV Files; Unstructured files; Amazon S3; Amazon EMR; Amazon Redshift; Amazon Machine Learning; Amazon EC2; Amazon RDS; Amazon QuickSight]

• S3 acts as a scalable object store for all forms of data. It is used as a data lake.

• Use EMR to process unstructured/semi-structured data and store it back as objects on S3.

• Redshift used to enrich/transform the data set to make it suitable for acting as a ML data source.

• An ML model is created with Redshift as the data source

• EC2 used as a web server to host a website to act as a frontend for AML end point

• A batch prediction can be generated using AML and the result file stored back in S3. An RDS schema acts as a source for Amazon QuickSight that generates BI reports on prediction data.

Page 73: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Real world problem – Hospital Readmissions

• Hospital Readmission Reduction Program (HRRP) part of the Affordable Care Act.

• CMS is required to reduce payments to hospitals with excess readmissions.

• Not all readmissions can be prevented as some of them are a part of an overall care plan for the patient.

• Facilities with high readmission rates had their Medicare payment cut by 1% in 2013 which rose to 2% in 2014.

Page 74: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Machine Learning

Wouldn’t it be great to proactively predict a patient’s risk of readmission based on some generic features?

[Diagram labels: Patient Demographics; Patient History; Admission Attributes; Other features; Patient; High Risk Patient; Moderate Risk Patient; Low Risk Patient]

Page 75: Mark Johnson's AWS Chicago Healthcare Slides - 2016

A machine learning application to predict readmissions

[Diagram with numbered steps 1 to 5. Labels: CSV Files; Amazon S3; Amazon Redshift; Amazon Machine Learning; Amazon Cognito; S3 Static Website; Internet; users]

Page 76: Mark Johnson's AWS Chicago Healthcare Slides - 2016

The data set

The accuracy of ML models becomes better when more data is used to train them. This is a very limited dataset to build a comprehensive ML model but this methodology can be replicated with larger data sets as well.

https://archive.ics.uci.edu/ml/datasets/Diabetes+130-US+hospitals+for+years+1999-2008

Public Data Set from UCI

consists of 101,766 rows and represents 10 years of clinical care records

130 US hospitals and integrated delivery networks

includes over 50 features (attributes) representing Diabetes patient and hospital outcomes.

Page 77: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Ingesting Data Into S3 - Staging

Table Name | Table Type

admission_source.csv | Master

admission_type.csv | Master

discharge_dispoition.csv | Master

Diabetic_data.csv | Transaction

aws s3 cp /tmp/foo/ s3://bucket/ --recursive \

Page 78: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Schema In Redshift

[Diagram labels: Fact; Dim1; Dim2; Dim3]

create table admission_type (
    admission_type_id INTEGER NOT NULL,
    description varchar(100)
);

create table discharge_disposition (
    discharge_disposition_id INTEGER NOT NULL,
    description VARCHAR(500)
);

create table admission_source (
    admission_source_id INTEGER NOT NULL,
    description VARCHAR(500)
);

create table diabetes_data (
    -- ~50 attributes
);

Page 79: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Data Load and Standardization

Data Load

COPY <Redshift_Table_Name> FROM 's3://<file_path.csv>' CREDENTIALS 'aws_access_key_id=<>;aws_secret_access_key=<>' DELIMITER ',' IGNOREHEADER 1;

Data Standardization

• Update NULL values

• Change attribute values which do not comply with standard patterns. Ex: SSN = XXX-XX-XXXX

• Complete geographical data where possible

• Add timeline values if possible

• Group granular attributes in sets. Ex: Ages 0 to 20 as young, 20 to 40 as Adult and so on.

Page 80: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Introducing Amazon ML

Easy to use, managed machine learning service built for developers

Robust, powerful machine learning technology based on Amazon’s internal systems

Create models using your data already stored in the AWS cloud

Deploy models to production in seconds

Page 81: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Create AML Model with Redshift as the source

CreateDataSourceFromRedshift API

Console

Page 82: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Real-time predictions

Synchronous, low-latency, high-throughput prediction generation

Request through service API or server or mobile SDKs

Best for interactive applications that deal with individual data records

>>> import boto
>>> ml = boto.connect_machinelearning()
>>> ml.predict(
...     ml_model_id='my_model',
...     predict_endpoint='example_endpoint',
...     record={'key1': 'value1', 'key2': 'value2'})
{
    'Prediction': {
        'predictedValue': 13.284348,
        'details': {
            'Algorithm': 'SGD',
            'PredictiveModelType': 'REGRESSION'
        }
    }
}

Page 83: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Real-time Predictions Using AML

Create a real-time endpoint using the console or the CreateRealTimeEndpoint API. Once enabled, the model can be queried in real time using the endpoint.

Target Attribute for the Binary Classification Model: Readmission_Result

Page 84: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Application website hosted on S3

var machinelearning = new AWS.MachineLearning({apiVersion: '2014-12-12'});
var params = {
    MLModelId: '<AML Model ID>',
    PredictEndpoint: '<AML Model Real Time End Point>',
    Record: <Selected Attributes record set>
};
var request = machinelearning.predict(params);

Application calls the Predict() API using necessary parameters

Website hosting feature of S3 allows us to host websites without any web servers and takes away the complexities of scaling hardware based on traffic routed to your application.

Page 85: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Thank You.. Any Questions?

Before we end, here’s a look at the application

http://predictreadmission.s3-website-us-west-2.amazonaws.com

Page 86: Mark Johnson's AWS Chicago Healthcare Slides - 2016

© 2016 Cognizant

June 28, 2016

Managing Cloud Infrastructure at Scale

Shashank Joshi

Principal Architect – Cognizant Cloud Services

AWS Certified Solution Architect - Professional

Page 87: Mark Johnson's AWS Chicago Healthcare Slides - 2016


Agenda

Managing Cloud Infrastructure at Scale

• What is different at scale?

• Examples & Case studies

Page 88: Mark Johnson's AWS Chicago Healthcare Slides - 2016


What is different at scale?

Provisioning & Orchestration

• Manual vs automated provisioning

• Provisioning entire application stacks

• Complex scenarios

Global Deployment

• Multi-geography requirements

• Hybrid scenarios

• Disaster Recovery & Business Continuity

User Access Management

• Number of users & roles

• Multiple accounts

• AD Federation

Monitoring & Tools Solution

• Integrated monitoring solution

• IT Service management

• Build vs Buy

Cloud Operations Service

• Manual vs automated activities

• Pricing models

• Skill development and management

Cost Management & Optimization

• Tracking & reporting

• Manual vs automated policy enforcement

Page 89: Mark Johnson's AWS Chicago Healthcare Slides - 2016


Example 1 – DR Automation, Multi-region deployment

Background:

The application, GeoLocus, is a telematics solution including in-car device option, smartphone apps, configurable scoring and user portals. Application is hosted in the AWS Cloud and contains the following:

• Application servers hosted on Amazon EC2

• MySQL server hosted using Amazon RDS

• PostgreSQL server hosted using Amazon RDS

Objective:

Automate steps in multi-region DR

Page 90: Mark Johnson's AWS Chicago Healthcare Slides - 2016


Example 1 – AWS Products and Services Used

Amazon CloudWatch

• Monitor deployment logs

• Raise an event once a pre-specified keyword appears in the monitored log file

AWS Lambda

• Invoke Python scripts based on different events

AWS SDK for Python

• Perform automation activities such as AMI build, copy etc.

Amazon S3

• Store CloudFormation templates

• Amazon S3 Events are used to trigger Lambda functions once an action is completed

AWS CloudFormation

• Deployment Stack for the DR region, which can be triggered in case of a disaster

Page 91: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Example 1 – Bringing it all together

[Diagram spanning EU Frankfurt and EU Ireland. Labels: Production server; CloudWatch Log Monitoring; Create Image Function; Production web server AMI; Pending-AMI-Id.txt; Pending AMI Event; Check AMI Status Function; Available AMI Event; Pending-AMI-Id.txt/Available-AMI-Id.txt; Copy Image Function; Copied Production Image]

Page 92: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Example 1 – Bringing it all together

[Diagram spanning EU Frankfurt and EU Ireland. Labels: Copy Image Function; Copied Production Image; CloudFormation JSON with copied AMI ID; Latest MySQL Snapshot; MySQL Snapshot Event; Copy RDS Snapshot Function; CloudFormation JSON with copied MySQL Snapshot ID; Latest PostgreSQL Snapshot; PostgreSQL Snapshot Event; Copy RDS Snapshot Function; CloudFormation JSON with copied PostgreSQL Snapshot ID]
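The AMI hand-off in Example 1 (a marker file written to S3 raises an event, a Lambda function checks the image, a second marker triggers the cross-region copy, and the copied AMI ID lands in the CloudFormation JSON) can be sketched as one dispatcher. This is an added example, not Cognizant's code: the marker names come from the slide, while the template key, bucket name, AMI IDs, Frankfurt as the source region and the injected client stubs are assumptions.

```python
"""S3-event dispatcher for the AMI hand-off chain; marker names are from the slide."""
import io
import json

SOURCE_REGION = "eu-central-1"      # assumption: Frankfurt hosts production
PENDING_KEY = "Pending-AMI-Id.txt"
AVAILABLE_KEY = "Available-AMI-Id.txt"
TEMPLATE_KEY = "dr-stack.json"      # hypothetical CloudFormation template object


def _read(s3, bucket, key):
    return s3.get_object(Bucket=bucket, Key=key)["Body"].read().decode().strip()


def check_ami_status(s3, ec2_src, bucket):
    """Pending AMI event: promote the marker once the image is available."""
    ami_id = _read(s3, bucket, PENDING_KEY)
    images = ec2_src.describe_images(ImageIds=[ami_id])["Images"]
    state = images[0]["State"] if images else "missing"
    if state == "available":
        s3.put_object(Bucket=bucket, Key=AVAILABLE_KEY, Body=ami_id.encode())
    elif state == "pending":
        # Rewriting the marker raises another Pending AMI event (the loop on the slide).
        s3.put_object(Bucket=bucket, Key=PENDING_KEY, Body=ami_id.encode())
    else:
        # A failed or missing image must never reach the DR template.
        raise RuntimeError(f"{ami_id} is {state}; stopping the chain")
    return state


def copy_image(s3, ec2_dr, bucket):
    """Available AMI event: copy into the DR region and pin the copy in the template."""
    ami_id = _read(s3, bucket, AVAILABLE_KEY)
    copied = ec2_dr.copy_image(Name=f"dr-copy-of-{ami_id}", SourceImageId=ami_id,
                               SourceRegion=SOURCE_REGION)["ImageId"]
    template = json.loads(_read(s3, bucket, TEMPLATE_KEY))
    template["Parameters"]["ImageId"]["Default"] = copied
    s3.put_object(Bucket=bucket, Key=TEMPLATE_KEY, Body=json.dumps(template).encode())
    return copied


def handler(event, s3, ec2_src, ec2_dr):
    """Route one S3 notification record to the function named on the slide."""
    record = event["Records"][0]["s3"]
    bucket, key = record["bucket"]["name"], record["object"]["key"]
    if key == PENDING_KEY:
        return check_ami_status(s3, ec2_src, bucket)
    if key == AVAILABLE_KEY:
        return copy_image(s3, ec2_dr, bucket)
    return "ignored"


# --- constructed stand-ins for the boto3 S3 and EC2 clients, so this runs offline ---
class FakeS3:
    def __init__(self, objects):
        self.objects, self.puts = dict(objects), []

    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[Key])}

    def put_object(self, Bucket, Key, Body):
        self.objects[Key] = Body
        self.puts.append(Key)


class FakeEC2:
    def __init__(self, states=()):
        self.states = list(states)

    def describe_images(self, ImageIds):
        return {"Images": [{"ImageId": ImageIds[0], "State": self.states.pop(0)}]}

    def copy_image(self, Name, SourceImageId, SourceRegion):
        return {"ImageId": "ami-0fedcba9876543210"}   # constructed ID


def run_demo(states=("pending", "available")):
    """Drive the chain the way successive S3 events would; return (results, template)."""
    template = {"Parameters": {"ImageId": {"Type": "String", "Default": ""}}}
    s3 = FakeS3({PENDING_KEY: b"ami-0123456789abcdef0\n",      # constructed ID
                 TEMPLATE_KEY: json.dumps(template).encode()})
    src, dr = FakeEC2(states), FakeEC2()
    results, key = [], PENDING_KEY
    while key in (PENDING_KEY, AVAILABLE_KEY):
        event = {"Records": [{"s3": {"bucket": {"name": "dr-bucket"}, "object": {"key": key}}}]}
        seen = len(s3.puts)
        results.append(handler(event, s3, src, dr))
        key = s3.puts[seen] if len(s3.puts) > seen else None
    return results, json.loads(s3.objects[TEMPLATE_KEY])
```

In a deployed function the three clients would be boto3 clients created for the source and DR regions; re-triggering on a still-pending image is shown as the slide draws it, without the delay a real deployment would add between checks.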

Page 93: Mark Johnson's AWS Chicago Healthcare Slides - 2016


Example 1 – Key Takeaways for Managing at Scale

Provisioning

• Custom AMIs

• AMI vs Dynamic configuration

Automation

• Event-based and scheduled tasks

• Region-dependent services

Cost optimization

• Pick the right DR model

• Design for the RPO/RTO

• Use Serverless compute

Page 94: Mark Johnson's AWS Chicago Healthcare Slides - 2016


Example 2 – Multi-region, multi-environment automated build & deployment

Background:

A multi-tenant SaaS solution deployed in three regions US, EU & APAC. US region consists of multiple lower environments. Microservices architecture with multiple applications and services consisting of the following:

• Multi-tier architecture

• AWS Elastic Beanstalk, Amazon EC2 Container Registry

• Amazon RDS PostgreSQL, Amazon DynamoDB

Objective:

Automated code deployment in multiple environments and regions and other tasks

Page 95: Mark Johnson's AWS Chicago Healthcare Slides - 2016


Example 2 – Products and Services Used

Amazon EC2 Container Registry

• Manage Docker images

• Managed private repository with IAM integration

AWS CodeCommit

• Store source code

AWS Elastic Beanstalk

• High availability, auto-scaling, health check, monitoring for the deployed environments

• Docker Support

Jenkins

• Continuous Integration, run various jobs

Docker

• Containerize the applications/services

Page 96: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Example 2 – Bringing it all together

[Diagram labels: CodeCommit; Jenkins; Continuous Integration; Poll SCM; Docker File; Build Docker Image; Export Unit test result XML file from container; Tag Docker image and push to repository; EC2 Container Registry; Continuous Deployment; Dockerrun.aws.json; Deploy Docker Image and run containers; EB Dev environment; EB testing/QA environment; EB Prod environment]

Page 97: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Example 2 – Bringing it all together

Parameterized environment, region and application version for deploy jobs

Page 98: Mark Johnson's AWS Chicago Healthcare Slides - 2016


Example 2 – Key Takeaways for Managing at Scale

Provisioning

• Multi-region & multi-environment deployment

• AWS Elastic Beanstalk & AWS CloudFormation

• Rapid feature delivery with CI/CD pipeline

Automation

• Automated deployment, upgrade & operations

• IAM Roles

Cost optimization

• Optimal resource utilization with Docker

• Automated scaling with AWS Elastic Beanstalk

Page 99: Mark Johnson's AWS Chicago Healthcare Slides - 2016


Example 3 – Cloud360 Policies

Background:

Cognizant Cloud360 is an Enterprise Cloud Management & Governance solution. It has core features such as provisioning & orchestration, policy-driven automation, metering & showback and analytics.

Objective:

Demonstrate use cases for policy-driven automation for cost optimization and compliance.

Page 100: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Example 3 – Cloud360 Policies

Monitoring Policy

• Automate monitoring and take immediate action on events

• Auto-healing policies can resolve events impacting application availability

Provisioning Policy

• Control provisioning-related tasks

• Define a set of conditions for managing provisioning tasks

Placement Policy

• Set rules that define the location where the Compute Instances will be created, to use the available resources in an efficient way

• Set rules to select these datacenters, hosts, and networks and to ensure their optimum allocation & usage

Compliance Policy

• Define policies to meet compliance requirements

• Notifications & approval workflow based on the rules defined

Page 101: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Example 3 – Cost Optimization Policy - Cloud360

If LIST (Event ((Status = Open AND Severity = Critical AND Device = CPU), Instance (“Deployment Name” = production AND “Instance Group Name” = webserver)) > 70
Do SCALEOUT(“app profile.scaleout”)

Performs scale out when more than 70% of VMs in a Webserver resource pool of production environment are in critical CPU state

If COUNT (Instance (“Deployment Name” != Production AND “Instance Group Name” = Webserver)) >= 20
AND
OPERATION (Instance (“Deployment Name” != Production AND “Instance Group Name” = Webserver), “Create Instance”) = TRUE
Do “Restrict the operation”

Restricts any user from creating or powering on webserver VMs, in non-production environment, if number of powered on VMs is greater than 20

If LIST (EBSVolume (“Provider Name” = myAWS AND “Volume ID” = vol-12345 AND “Snapshot Count” > 10)) is NOT EMPTY
Do “Retain EBS Snapshots” (latest 10)

Ensures retention of only the latest 10 Snapshots of a specific volume in AWS environment

If LIST (EBSSnapshot (“Creation Date”< -10d)) =! EMPTY
Do “Delete EBS Snapshots”

Delete Snapshots older than 10 days for any EBS volume

If Consumption metering (“Compute Date” > -24h AND Usage (“Compute Date” = -30d) > 50)
Do Notify the Owner (Usage (Top 5))
Restrict any provisioning operation

If the consumption metering in last 24 hours is 50% over the last 30-day average, notify the user and also the top 5 users with highest burn rate

Page 102: Mark Johnson's AWS Chicago Healthcare Slides - 2016


Example 3 – Key Takeaways for Managing at Scale

Tools solution

• Build vs Integrate vs Buy

Automation

• Operational activities

• Policy enforcement

Cost optimization

• Analytics & reporting

• Implement cost optimization best practices

Page 103: Mark Johnson's AWS Chicago Healthcare Slides - 2016


Summary – Tools & levers to manage at scale

Provisioning & Orchestration

• AMIs vs Dynamic configuration

• Docker, CloudFormation, OpsWorks

• 3rd party tools, Cloud360

Global Deployment

• Multi-region deployments

• Hybrid connectivity options

• Replication and reuse

User Access Management

• IAM strategies & best practices

• AD Federation

Monitoring & Tools Solution

• CloudWatch, CloudTrail, Config

• OS & Application monitoring

• ITSM Tool integration

Cloud Operations Service

• Org structure

• Managed Service Partners

Cost Management & Optimization

• Consolidated billing

• Cognizant Cloud360, 3rd Party tools

Page 104: Mark Johnson's AWS Chicago Healthcare Slides - 2016


Thank You!

Shashank Joshi

http://www.cognizant.com/cloud

http://www.aws-partner-directory.com/PartnerDirectory/PartnerDetail?Name=cognizant

Page 105: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Leveraging Amazon Echo and AWS to build IoT Applications

Chris McCurdy

AWS Healthcare and Life Sciences Specialist Solutions Architect

Page 106: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Agenda

• What is IoT

• Build an example of an AWS IoT system

Page 107: Mark Johnson's AWS Chicago Healthcare Slides - 2016

What is IoT?

The internet of things (IoT) is the network of physical objects—devices,

vehicles, buildings and other items—embedded with electronics, software,

sensors, and network connectivity that enables these objects to collect and

exchange data.

https://en.wikipedia.org/wiki/Internet_of_things

Why AWS IoT?

AWS IoT can support billions of devices and trillions of messages, and can

process and route those messages to AWS endpoints and to other devices

reliably and securely. With AWS IoT, your applications can keep track of and

communicate with all your devices, all the time, even when they aren’t

connected.

Page 108: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Grove IoT Kit from Seeed Studio

http://www.seeedstudio.com/wiki/images/d/d0/Aws_kit_edison.JPG

Page 109: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Use-Case: Medication Status

Scenario:

Button is pressed by a technician to dispense medication

Requirements:

• Simple example (one of many ways)

• Data stored in queryable repository

• Notification via SMS if medication is not distributed for a day

• Accessible from Amazon Echo/Alexa


Page 110: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Medication Status architecture

[Architecture diagram; labels: Medication Status monitoring device, Node.js, IoT MQTT protocol, IoT certificate, IoT topic, IoT rule, Medication Status Backend, Amazon Kinesis, AWS Lambda (three functions), Amazon DynamoDB, Amazon SNS, Alexa]

Page 111: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Elephant in the room

http://nos.twnsnd.co/post/104252656546/elephants-tea-party-robur-tea-room-24-march

[Diagram: Amazon Kinesis, AWS Lambda, Amazon DynamoDB, Amazon SNS, Alexa and AWS IoT, each marked HIPAA Eligible or Not HIPAA Eligible]

Page 112: Mark Johnson's AWS Chicago Healthcare Slides - 2016

What does AWS IoT Consist of?

Device Gateway

The managed backbone of communication between connected devices and the cloud which supports the pub/sub messaging pattern, enabling scalable, low-latency, and low-overhead communication.

IoT Rule Engine

The AWS IoT Rules Engine enables continuous processing

of inbound data from devices connected to the AWS IoT

service in a SQL-like syntax.

Page 113: Mark Johnson's AWS Chicago Healthcare Slides - 2016

What does AWS IoT Consist of? (Part 2)

Device Registry

Allows you to organize and track devices using a logical

handle.

Device Shadow

Used to store and retrieve current state information for a

thing whether it is connected to the internet or not.

Page 114: Mark Johnson's AWS Chicago Healthcare Slides - 2016

HTTPS, WebSockets and MQTTS

Supported Protocols

HTTPS, Websockets, Secure MQTT

What is MQTT?

A lightweight pub/sub protocol, designed to minimize network bandwidth and device

resource requirements. MQTT supports TLS for encryption.

MQTTS vs HTTPS:

• 93x faster throughput

• 11.89x less battery to send

• 170.9x less battery to receive

• 50% less power to keep connected

• 8x less network overhead

Source: http://stephendnicholas.com/archives/1217

Page 115: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Installing the SDKs

Install jsupm_grove and AWS IoT SDK

$ npm install jsupm_grove@<version>

$ npm install aws-iot-device-sdk

Page 116: Mark Johnson's AWS Chicago Healthcare Slides - 2016

AWS Generated Certificates

Page 117: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Creating a certificate (option 1)

$ aws iot create-keys-and-certificate --set-as-active \
    --certificate-pem-outfile certificate.pem \
    --public-key-outfile public_key.pem \
    --private-key-outfile private_key.pem
{
    "certificateArn": "arn:aws:iot:us-east-1:789539825478:cert/ddb2d5a5bad102db423cf8918465f1e1c5fb228f4955f6ecb060011695b2514f",
    "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
    "keyPair": {
        "PublicKey": "-----BEGIN PUBLIC KEY-----…SNIP…-----END PUBLIC KEY-----",
        "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----…SNIP…-----END RSA PRIVATE KEY-----"
    },
    "certificateId": "d7677b0…SNIP…026d9"
}

Page 118: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Certificate Signing Request

Dear Certificate Authority,

I’d really like a certificate for %NAME%, as identified by

the key pair with public key %PUB_KEY%. If you could sign

a certificate for me with those parameters, it’d be super

spiffy.

Signed (Cryptographically),

- The holder of the private key

Page 119: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Client Generated Keypairs

CSR

Page 120: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Create a certificate from the CSR (option 2)

$ aws iot create-certificate-from-csr \
    --certificate-signing-request file://Thing.csr \
    --set-as-active --certificate-pem-outfile certificate.pem
{
    "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b",
    "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
    "certificateId": "b5a396e…SNIP…400877b"
}
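The Thing.csr passed to create-certificate-from-csr can be produced on the device itself, so the private key is never returned in an API response as it is in option 1. The following is an added example, not part of the original slides; it assumes OpenSSL is installed, and the directory layout, the private_key.pem name, the RSA-2048 choice and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): create the device key pair and CSR locally.
# Assumptions: OpenSSL is installed; paths and function names are illustrative.

# make_device_csr DIR THING_NAME
# Writes DIR/private_key.pem (owner-only) and DIR/Thing.csr, prints the CSR path.
make_device_csr() {
    dir=$1
    thing=$2
    [ -n "$dir" ] && [ -n "$thing" ] || {
        echo "usage: make_device_csr DIR THING_NAME" >&2
        return 2
    }
    (
        # Owner-only permissions from the start, so the key is never
        # briefly readable by other local users.
        umask 077
        mkdir -p "$dir" || exit 1
        # The private key is generated here and stays in this directory.
        openssl genrsa -out "$dir/private_key.pem" 2048 2>/dev/null || exit 1
        # The CSR carries only the subject and public key, signed by the private key.
        openssl req -new -key "$dir/private_key.pem" \
            -subj "/CN=$thing" -out "$dir/Thing.csr" 2>/dev/null || exit 1
    ) || return 1
    printf '%s\n' "$dir/Thing.csr"
}

# csr_is_valid CSR KEY
# Succeeds only if the CSR's self-signature verifies and its public key
# matches the private key on disk.
csr_is_valid() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# Usage on the device (directory and thing name are placeholders):
#   make_device_csr ./certs medication_button_<id>
#   aws iot create-certificate-from-csr \
#       --certificate-signing-request file://certs/Thing.csr \
#       --set-as-active --certificate-pem-outfile certificate.pem
```

Only Thing.csr leaves the device; private_key.pem is the file the protections on the Private Key Protection slide apply to.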

Page 121: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Private Key Protection

Protect from Software Threats

• chroot

• Security Enhanced Linux (SELinux)

• One-Time Programmable (OTP) Fuses

Protect from Hardware Threats

• Trusted Platform Modules

• Smartcards

• Locks and Boxes

• FIPS-style hardware

Page 122: Mark Johnson's AWS Chicago Healthcare Slides - 2016

IoT Button Node

Page 123: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Medication Status architecture (AWS side)

[Architecture diagram; labels: Medication Status monitoring device, Node.js, IoT MQTT protocol, IoT certificate, IoT topic, IoT rule, Medication Status Backend, Amazon Kinesis, AWS Lambda (three functions), Amazon DynamoDB, Amazon SNS, Alexa]

Page 124: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Creating Things

$ aws iot create-thing --thing-name medication_button_12016de3-794a-4c91-99ee-7b64851f4961
{
    "thingArn": "arn:aws:iot:us-east-1:789539825478:thing/medication_button_12016de3-794a-4c91-99ee-7b64851f4961",
    "thingName": "medication_button…"
}

Page 125: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Create Policy

$ aws iot create-policy --policy-name medication_button_policy \
    --policy-document file://iot.policy.js
{
}
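The slide does not show the contents of iot.policy.js. As an added example (not the presenter's policy), the script below writes a policy document scoped to one MQTT client ID and one topic, next to a constructed wildcard policy and a check that flags it; the topic name, the account ID used in the usage comment and all function names are assumptions.

```shell
#!/bin/sh
# Added example: a least-privilege AWS IoT policy document for one device.
# The topic name and all function names are assumptions, not from the slides.

# write_scoped_policy FILE REGION ACCOUNT_ID THING_NAME TOPIC
# The device may connect only with its own thing name as the MQTT client ID
# and publish only to its single status topic.
write_scoped_policy() {
    cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:$2:$3:client/$4"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:$2:$3:topic/$5"
    }
  ]
}
EOF
}

# write_wildcard_policy FILE
# Constructed counter-example: any certificate holding this policy can connect
# under any client ID and publish or subscribe to every topic in the account.
write_wildcard_policy() {
    cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "iot:*", "Resource": "*" }
  ]
}
EOF
}

# policy_has_wildcards FILE
# Exit 0 if any quoted value is "*" or "iot:*", or ends in "/*"
# (for example a topic/* resource).
policy_has_wildcards() {
    grep -Eq '"(iot:)?\*"|/\*"' "$1"
}

# Usage (account ID and topic are placeholders):
#   write_scoped_policy iot.policy.js us-east-1 <account-id> \
#       medication_button_<id> medication/status
#   policy_has_wildcards iot.policy.js && echo "policy too broad" >&2
#   aws iot create-policy --policy-name medication_button_policy \
#       --policy-document file://iot.policy.js
```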

Page 126: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Attach Thing and Policy

$ aws iot attach-thing-principal \
    --thing-name medication_button_12016de3-794a-4c91-99ee-7b64851f4961 \
    --principal arn:aws:iot:us-east-1:789539825478:cert/ddb2d5a5bad102db423cf8918465f1e1c5fb228f4955f6ecb060011695b2514f

$ aws iot attach-principal-policy \
    --policy-name medication_button_policy \
    --principal arn:aws:iot:us-east-1:789539825478:cert/ddb2d5a5bad102db423cf8918465f1e1c5fb228f4955f6ecb060011695b2514f

[Diagram: IoT certificate, IoT policy, IoT Thing]

Page 127: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Creating Kinesis Role and Stream

$ aws kinesis create-stream --stream-name medication_status_stream --shard-count 2

• Streams are made of Shards

• Each Shard ingests data up to 1 MB/sec, and up to 1000 TPS

• Each Shard emits up to 2 MB/sec

• All data is stored for 24 hours – 7 days

• Scale Kinesis streams by splitting or merging Shards

• Replay data inside of the 24 hr – 7 days window

Page 128: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Define IoT Kinesis Policy and Role

IoT

rule

IoT Kinesis Policy

IoT Kinesis Trust Policy

Page 129: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Add IoT Kinesis Policy and Role

$ aws iam create-policy --policy-name lambda_medication_status_kinesis_policy \
    --policy-document file://kinesis.policy.js
{
    "Policy": {
        "Arn": "arn:aws:iam::789539825478:policy/lambda-medication-status-kinesis-policy",
        ...
    }
}

$ aws iam create-role --role-name medication_status_kinesis_role \
    --assume-role-policy-document file://lambda_medication_iot_trust.policy.js
{
    "Role": {
        ...
        "Arn": "arn:aws:iam::789539825478:role/medication-status-kinesis-role"
    }
}

$ aws iam attach-role-policy --role-name medication_status_kinesis_role \
    --policy-arn arn:aws:iam::789539825478:policy/lambda_medication_status_kinesis_policy
$

Page 130: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Create IoT Rule

[Diagram: IoT topic, IoT rule, Amazon Kinesis]

$ aws iot create-topic-rule --rule-name medication_status_lambda_forwarder \
    --topic-rule-payload file://iot.rule.js
$

Page 131: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Creating DynamoDB table

ClientID (S-Hash)                       LastSubmittedDate (N-Range)
fa99489c-dae3-4a7a-b43c-ee696a883d28    201606261540
74dab686-e04c-4201-8c12-406af33dbdc2    201604051330

Page 132: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Creating DynamoDB table

$ aws dynamodb create-table --table-name MedicationStatusTable \
    --attribute-definitions AttributeName=ClientID,AttributeType=S AttributeName=LastSubmittedDate,AttributeType=N \
    --key-schema AttributeName=ClientID,KeyType=HASH AttributeName=LastSubmittedDate,KeyType=RANGE \
    --provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=5
{
    "TableDescription": {
        "TableArn": "arn:aws:dynamodb:us-east-1:789539825478:table/MedicationStatusTable",
        ...
    }
}

Throughput

• Provisioned at the table level

• Write capacity units (WCUs) are measured in 1KB per second

• Read capacity units (RCUs) are measured in 4KB per second

• RCUs measure strictly consistent reads

• Eventually consistent reads cost ½ of consistent reads

• Read and write throughput limits are independent

• Increase as necessary, decrease at most 4 times per UTC day

Page 133: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Creating Lambda to Load Dynamo

[Diagram: Amazon Kinesis, AWS Lambda, Amazon DynamoDB]

Page 134: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Lambda Role Policies

[Diagram: Lambda Role Policy and Lambda Role Trust Policy; Amazon Kinesis, AWS Lambda, Amazon DynamoDB]

Page 135: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Creating Lambda Role and Policies

$ aws iam create-policy --policy-name lambda_medication_status_policy \
    --policy-document file://lambda_medication.policy.js
{
    "Policy": {
        "PolicyName": "lambda-medication-status",
        "Arn": "arn:aws:iam::789539825478:policy/lambda_medication_status",
        ...
    }
}

$ aws iam create-role --role-name medication_status_role \
    --assume-role-policy-document file://lambda_medication_status_trust.policy.js
{
    "Role": {
        ...
        "Arn": "arn:aws:iam::789539825478:role/medication_status_role"
    }
}

$ aws iam attach-role-policy --role-name medication_status_role \
    --policy-arn arn:aws:iam::789539825478:policy/lambda_medication_status
$

Page 136: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Deploying the Medication Status Lambda

$ aws lambda create-function --function-name MedicationStatus --runtime python2.7 \
    --role arn:aws:iam::789539825478:role/medication_status_role \
    --handler medication_kinesis.lambda_handler --timeout 3 --memory-size 128 \
    --zip-file fileb://medication_kensis_lambda.zip
{
    "FunctionArn": "arn:aws:lambda:us-east-1:789539825478:function:MedicationStatus",
    ...
}

Resource Sizing

• AWS Lambda offers 23 "power levels"

• Higher levels offer more memory and more CPU power

    • 128MB, lowest CPU power

    • 1.5GB, highest CPU power

• Compute price scales with the power level

• Duration ranging from 100ms to 5 minutes

Page 137: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Attaching Lambda to Kinesis

$ aws lambda create-event-source-mapping \
    --event-source-arn arn:aws:kinesis:us-east-1:789539825478:stream/medication_status_stream \
    --function-name MedicationStatus \
    --starting-position LATEST

Page 138: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Demo of it all working together!

Page 139: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Medication Status architecture (AWS side)

[Architecture diagram; labels: Medication Status monitoring device, Node.js, IoT MQTT protocol, IoT certificate, IoT topic, IoT rule, Medication Status Backend, Amazon Kinesis, AWS Lambda (three functions), Amazon DynamoDB, Amazon SNS, Alexa]

Page 140: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Adding SNS and Subscriptions

$ aws sns create-topic --name MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-9cd042cd9a78
{
    "TopicArn": "arn:aws:sns:us-east-1:789539825478:MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-9cd042cd9a78"
}

$ aws sns set-topic-attributes \
    --topic-arn arn:aws:sns:us-east-1:789539825478:MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-9cd042cd9a78 \
    --attribute-name DisplayName --attribute-value "Med Status"

$ aws sns subscribe \
    --topic-arn arn:aws:sns:us-east-1:789539825478:MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-9cd042cd9a78 \
    --protocol sms --notification-endpoint <phone number>
{
    "SubscriptionArn": "pending confirmation"
}

$ aws sns subscribe \
    --topic-arn arn:aws:sns:us-east-1:789539825478:MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-9cd042cd9a78 \
    --protocol email --notification-endpoint <email address>
{
    "SubscriptionArn": "pending confirmation"
}

Page 141: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Create Medication Status Monitor Lambda

[Diagram: AWS Lambda, Amazon DynamoDB]

Page 142: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Deploying Medication Status Monitor Lambda

$ aws lambda create-function --function-name MedicationStatusMonitor --runtime python2.7 \
    --role arn:aws:iam::789539825478:role/medication_status_role \
    --handler medication_sns_lambda.lambda_handler --timeout 3 --memory-size 128 \
    --zip-file fileb://medication_sns_lambda.zip
{
    "FunctionName": "MedicationStatusMonitor",
    "MemorySize": 128,
    "FunctionArn": "arn:aws:lambda:us-east-1:789539825478:function:lambda-medication-status-monitor",
    "Role": "arn:aws:iam::789539825478:role/medication_status_role",
    "Timeout": 3,
    "Handler": "medication_sns_lambda.lambda_handler",
    ...
}

Page 143: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Adding Polling Lambda Function

$ aws lambda add-permission --function-name MedicationStatusMonitor \
    --statement-id adding_event_handler --action 'lambda:InvokeFunction' \
    --principal events.amazonaws.com \
    --source-arn arn:aws:events:us-east-1:789539825478:rule/scheduled_medication_status_check
{
}

$ aws events put-rule --name scheduled_medication_status_check --schedule-expression 'rate(1 hour)'
{
    "RuleArn": "arn:aws:events:us-east-1:789539825478:rule/scheduled_medication_status_check"
}

$ aws events put-targets --rule scheduled_medication_status_check \
    --targets '{"Id" : "1", "Arn": "arn:aws:lambda:us-east-1:789539825478:function:MedicationStatusMonitor"}'
{
}

Page 144: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Hi Alexa! Please ask Medication Status, did

device 31 dispense medication today?

Alexa

Page 145: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Create Utterances and Intents

GetMedicationStatus has device {DeviceNumber} dispensed medication {Date}

GetMedicationStatus did device {DeviceNumber} dispense medication {Date}

GetMedicationStatus did device {DeviceNumber} deliver medication on {Date}

GetMedicationStatus if device {DeviceNumber} dispense medication on {Date}

Alexa

Utterance

Intents

Page 146: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Create Invocation/Lambda

[Diagram: AWS Lambda, Alexa]

Page 147: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Deploying Medication Status Monitor Lambda

$ aws lambda create-function --function-name MedicationStatusAlexa --runtime python2.7 \
    --role arn:aws:iam::789539825478:role/medication_status_role \
    --handler medication_alexa.lambda_handler --timeout 3 --memory-size 128 \
    --zip-file fileb://medication_alexa_lambda.zip
{
    "FunctionArn": "arn:aws:lambda:us-east-1:789539825478:function:MedicationStatusAlexa",
    ...
}

$ aws lambda add-permission --function-name MedicationStatusAlexa --statement-id 1 \
    --action lambda:InvokeFunction --principal alexa-appkit.amazon.com --region us-east-1
{
}

Page 148: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Adding an Alexa skill

Alexa

Page 149: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Tie it all together

Page 150: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Improvements

• CloudWatch Monitors on all resources

• IoT Shadow

• Viewing Metrics with QuickSight / Elasticsearch + Kibana

• Flesh out Alexa Medication Status Monitor python code

Other Use Cases

• Light/Motion Monitor

Page 151: Mark Johnson's AWS Chicago Healthcare Slides - 2016

Thank You