Getting Started with AWS

Post on 21-Mar-2017


Getting started with AWS

adhorn@amazon.com

@adhorn

Adrian Hornsby — Technical Evangelist

Getting Started with AWS: Agenda

Seven best practices you should focus on when getting started

Resources you can use to learn more

Getting Started with AWS

http://aws.amazon.com/getting-started/


1. Choose Your First Use Case Well

Dev & Test

Spin environments up and down on demand

Decouple development and test environments from operations constraints

Explore elasticity in a sandboxed environment

Backup & DR

Take part of your data or business applications step-by-step into non-production DR use

Understand cloud dynamics and test during controlled failover

Greenfield Project

Embody best practice of cloud computing in unconstrained greenfield projects

Self-contained web projects, document archiving, etc.

Pain Point

Move specific service aspects causing undue cost or management burden

Workflows, search indexing, media streaming, document archiving, constrained databases

Make your first project a S.M.A.R.T one

Plan Evolution and Set Goals

Phases: Proof of Concept, Production, Automation

Sample activities:

Understand services

Test performance

Architect for scale

Develop team capabilities

Implement monitoring

Change control and management

Security management

Scalability

Automate corrective actions

Auto-scaling

Zero downtime deployments

System backup and recovery

2. Lay Out Your Foundations

Accounts

Create an account structure that makes sense

Use accounts like environments where you need separation and control, e.g. Dev Sandboxes, Test Environments, Business Units, Products & Services

Billing

Control access to billing information

Use IAM users to keep billing information in the master account

Consolidate billing into a single account

Let one account pick up the bill for multiple ‘sub accounts’

Set up billing alerts and automated bill reporting

Get CloudWatch notifications when billing reaches a threshold you set, and output CSV reports to S3 for analysis

Billing Settings

Billing preferences: enable delivery of billing reports with resources & tags

Consolidated Billing Relationships

[Diagram: a master account (aws.invoices@mycompany.com) holds consolidated billing relationships with three accounts: Operating Co. A (admin@opcoA.com), Division B (admin@divisionB.com) and Business Unit C (admin@busUnitC.com). Each account has its own IAM users (User, Dev, Admin) and tags its resources with key-value pairs, e.g. Own=Div, Proj=R. Programmatic Billing Access: billing CSV in S3, used for analysis and 3rd party cost management tools.]

Access Keys

Decide upon a key management strategy

Control access to EC2 instances via SSH and embedded public key: e.g. EC2 Key Pair per group of instances, EC2 Key Pair per account

Consider SSH key rotation & automation

Limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances

Consider bootstrap automation to grant developer access with developer unique keypairs
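
An added example, not part of the original slides: one way to replace an authorized_keys listing during a key rotation. Entries are matched on the key material rather than the trailing comment, so a relabelled copy of the retired key is removed as well; the function names and the sample keys are constructed for illustration.

```python
import re

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')   # option values, e.g. command="..."
KEY = re.compile(r'(?:^|\s)(?:ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521))'
                 r'\s+([A-Za-z0-9+/=]+)')

# Constructed sample data: the key material below is made up, not real keys.
OLD_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDexampleOLDexample dev1@laptop"
NEW_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWexampleNEWexample dev1@2017-03"
SAMPLE = "\n".join([
    "# team keys",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexampleOPS ops@bastion",
    'from="10.0.0.0/8",command="echo ssh-rsa hi" '
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDexampleOLDexample relabelled",
    OLD_KEY,
]) + "\n"


def key_blob(line):
    """Return the base64 key material of an entry, or None for comments,
    blank lines and anything that is not a recognised key entry."""
    if line.lstrip().startswith("#"):
        return None
    match = KEY.search(QUOTED.sub('""', line))   # ignore text inside options
    return match.group(1) if match else None


def rotate(authorized_keys, retired_key, new_key):
    """Drop every entry carrying the retired key and add the new key once.
    Returns (new file text, number of entries removed)."""
    retired, new = key_blob(retired_key), key_blob(new_key)
    if retired is None or new is None:
        raise ValueError("both keys must be public key lines")
    kept, removed, present = [], 0, False
    for line in authorized_keys.splitlines():
        blob = key_blob(line)
        if blob == retired:
            removed += 1
            continue
        present = present or blob == new     # keeps a second run idempotent
        kept.append(line)
    if not present:
        kept.append(new_key.strip())
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    print(rotate(SAMPLE, OLD_KEY, NEW_KEY))
```

On a running instance, write the result to a temporary file in the same directory and rename it over authorized_keys, so a login during the rotation never reads a partially written file.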

Groups & Roles

Use IAM Groups to manage console users and API access

Provide developers with IAM user login and unique API access credentials

Control & restrict what IAM users can do by placing them in groups with associated policies

Assign EC2 Instances IAM roles

Let AWS manage API access credentials on running instances by assigning a system entitlement to an instance, e.g. instance can only read S3 bucket

Identity & Access Management - IAM

[Diagram: an AWS account containing administrators, developers and applications, with groups, roles, multi-factor authentication and AWS API credentials.]

IAM Policies

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:*",
        "ec2:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "s3:*",
        "sns:*"
      ],
      "Resource": "*"
    }
  ]
}

Create a policy to assign permissions to a user, group, role or resource.

Policies are created using JSON. A policy consists of one or more statements, each of which describes one set of permissions.

Policies control access to AWS APIs
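
An added example, not part of the original slides: a small Python check that walks the statements of a policy document and reports Allow statements that use wildcard actions or apply to every resource. It is run over the policy shown above and over a constructed read-only policy for the "instance can only read S3 bucket" case; the bucket name `example-app-bucket` and the function names are assumptions.

```python
import json

# Policy text as shown on the slide.
SLIDE_POLICY = """{"Statement": [{"Effect": "Allow", "Action": [
  "elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*", "autoscaling:*",
  "cloudwatch:*", "s3:*", "sns:*"], "Resource": "*"}]}"""

# Constructed example for an instance role that may only read one bucket.
# "example-app-bucket" is a placeholder name, not taken from the slides.
READ_ONLY_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::example-app-bucket",
               "arn:aws:s3:::example-app-bucket/*"]}]}"""


def as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_broad_grants(policy_json):
    """Return (statement index, finding) pairs for Allow statements that use
    wildcard actions, NotAction, or apply to every resource."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):   # a single statement object is valid
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue                   # a Deny can only narrow access
        if "NotAction" in statement:
            findings.append((index, "NotAction allows all unlisted actions"))
        for action in as_list(statement.get("Action")):
            if "*" in action:
                findings.append((index, "wildcard action " + action))
        if "*" in as_list(statement.get("Resource")):
            findings.append((index, "applies to all resources"))
    return findings


if __name__ == "__main__":
    for name, text in (("slide", SLIDE_POLICY), ("read-only", READ_ONLY_POLICY)):
        print(name, find_broad_grants(text))
```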

For more details on IAM, visit: aws.amazon.com/iam

3. Think Security

Shared Security Responsibility

You:

Customer Data

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Client-side Data Encryption & Data Integrity Authentication

Server-side Encryption (File System and/or Data)

Network Traffic Protection (Encryption/Integrity/Identity)

Amazon:

Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Leverage AWS Security

Understand your customer & determine your security stance

[Diagram: external, regulatory and internal audiences; architecture, administration, IAM, certifications, white papers, QSA process, your processes, your certifications, penetration test results]

Engage with security assessors early in your adoption cycle

Don’t fear assessment – AWS meets high standards (PCI DSS, ISO27001)

Security assessments take time, so allow for this in your planning

Undertake architecture reviews early in your design/deployment process

Use comprehensive materials and certifications provided by AWS

For more details on AWS Security, visit:

aws.amazon.com/security

Risk and compliance white paper

AWS security processes white paper

CSA consensus assessments initiative questionnaire

(requires NDA)

4. Services Not Software

[Diagram: a 70%/30% split of effort compared between self-managed software & infrastructure (managing all of the “undifferentiated heavy lifting”, your business) and AWS cloud infrastructure & services (configuring cloud services, more time to focus on your business).]

Amazon RDS: Relational Database Service

Easy to set up, operate, and scale

Handles time-consuming database management tasks, such as backups, patch management, and replication

Supports MySQL, MariaDB, Oracle, Microsoft SQL Server, PostgreSQL & Amazon Aurora

Amazon DynamoDB: NoSQL Database Service

Fast, predictable performance

Supports document & key-value data models

Fully distributed, fault tolerant architecture

Amazon SQS: Simple Queue Service

Fast, reliable, scalable, fully managed message queuing service

Transmit any volume of data, at any level of throughput

[Diagram: processing task/processing trigger and processing results passed through Amazon SQS]

Amazon EMR: Elastic MapReduce

Uses Hadoop, an open source framework, to distribute your data and processing across EC2 instances

Integrates with other AWS services, such as S3 & DynamoDB

Supports the broad Hadoop tools ecosystem

5. Optimise Your Costs

1. Use the Right Instance Types

2. Use Auto Scaling

3. Turn Off Unused Instances

4. Use Reserved Instances

5. Use Spot Instances

6. Use Storage Classes

7. Offload Your Architecture

8. Use Services, Not Software

9. Use Consolidated Billing

10. Use Cost Management Tools

6. Use Tools & Frameworks

Everything is Programmable

Access everything via CLI, API or Console

Use one of 9 (soon to be 10) fully supported SDKs to create or make use of existing AWS resources within your own code

Leverage a broad ecosystem of open source, free and commercially licensed tools to work with AWS Services

Achieve the highest levels of automation to support continuous deployment, define your infrastructure-as-code or automate your development, operations or DevOps processes

Find out more at: aws.amazon.com/developers/getting-started/

AWS Deployment & Management Tools

AWS Elastic Beanstalk

AWS OpsWorks

AWS CloudFormation

AWS CodeDeploy

7. Get Supported

Get Supported: AWS Support Options

Four support tiers are available. Choose from:

Basic

Developer

Business

Enterprise

For more details on AWS Support, visit: aws.amazon.com/premiumsupport

Get Supported: Trusted Advisor

Resources You Can Use to Learn More

aws.amazon.com/getting-started/

aws.amazon.com/premiumsupport

aws.amazon.com/architecture

aws.amazon.com/security

aws.amazon.com/campaigns/emea-getting-started

@AWScloud for Global AWS News & Announcements
