AWS Account Best Practices Steven Bryen Manager, Solutions Architecture, AWS @steven_bryen [email protected]

Upload: amazon-web-services

Posted on 14-Apr-2017


Page 1: AWS Account Best Practices

AWS Account Best Practices

Steven Bryen

Manager, Solutions Architecture, AWS

@steven_bryen

[email protected]

Page 2: AWS Account Best Practices

AGENDA

• Account Management & Billing

• Network Infrastructure & Connectivity

• Security & Compliance

• Optimizing for Cost

• Managing & Auditing Access

Page 3: AWS Account Best Practices

ACCOUNT MANAGEMENT & BILLING

Page 4: AWS Account Best Practices

AWS ACCOUNTS

Accounts act as the main billing entity for AWS Resources

Also a security boundary for environments, applications and organisational units.

Page 5: AWS Account Best Practices

BILLING

Different billing options are available including invoicing

Consolidated billing: Let one account pick up the bill for multiple ‘sub accounts’

Set up billing alerts, AWS Budgets and automated bill reporting for better insight.

Utilise tagging for better cost allocation.

Page 6: AWS Account Best Practices

AWS Budgets & Cost Management Tools

Page 7: AWS Account Best Practices

Fully Centralized Model

Master Account

• Centrally managed business and IT

• Centralised Governance

Page 8: AWS Account Best Practices

Autonomous Model

Division A Master Account

Division B Master Account

• Autonomous Business and IT functions (Geographic, Departmental, Project)

• Independent Business and IT Governance

Page 9: AWS Account Best Practices

Single Master Hierarchical Model

Master Account (consolidated billing information)

  Division A

  Division B

• Central Governance

• Devolved IT Function

Page 10: AWS Account Best Practices

Multi-Master Hierarchical Model

Master Account (consolidated billing information)

  Division A

  Division B

Master Account (consolidated billing information)

  Division A

  Division B

• Multiple Autonomous Governance Bodies

• Multiple IT Functions

Page 11: AWS Account Best Practices

Resource Tagging

Master Account (consolidated billing information)

  Division A: resources tagged Proj=x, Proj=y, Proj=z

  Division B: resources tagged Proj=x, Proj=y, Proj=z

Page 12: AWS Account Best Practices

Billing Alerts & Programmatic Access

Master Account (consolidated billing information)

  Division A: resources tagged Proj=x, Proj=y, Proj=z

  Division B: resources tagged Proj=x, Proj=y, Proj=z

Billing report delivered to S3 as CSV
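The slide stops at "tags plus a CSV billing report in S3"; the following added example (not from the deck) shows the programmatic step that turns those two into cost allocation: summing cost per `Proj` tag and surfacing untagged spend. It assumes the detailed-billing-report convention of a `user:<TagKey>` column for cost-allocation tags; the report rows and budgets are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a detailed billing CSV with a cost-allocation
# tag column (assumed to be named 'user:Proj'); the figures are invented.
SAMPLE_REPORT = """LinkedAccountId,ProductName,UsageType,UnBlendedCost,user:Proj
111111111111,Amazon Elastic Compute Cloud,BoxUsage:m4.large,12.50,x
111111111111,Amazon Simple Storage Service,TimedStorage-ByteHrs,3.25,y
222222222222,Amazon Elastic Compute Cloud,BoxUsage:m4.large,25.00,z
222222222222,Amazon Relational Database Service,InstanceUsage:db.t2.medium,9.75,
222222222222,Amazon Elastic Compute Cloud,DataTransfer-Out-Bytes,1.10,x
"""

def allocate_cost(report_csv, tag_column="user:Proj", untagged_label="UNTAGGED"):
    """Sum UnBlendedCost per value of the cost-allocation tag.

    Rows with an empty tag land under `untagged_label`, so the size of that
    bucket shows how much spend the tagging policy is failing to attribute.
    """
    totals = defaultdict(float)
    for row in csv.DictReader(io.StringIO(report_csv)):
        tag = (row.get(tag_column) or "").strip() or untagged_label
        totals[tag] += float(row["UnBlendedCost"])
    return {tag: round(cost, 2) for tag, cost in totals.items()}

def over_budget(totals, budgets):
    """Return the tag values whose allocated cost exceeds their configured budget."""
    return sorted(tag for tag, cost in totals.items()
                  if tag in budgets and cost > budgets[tag])

if __name__ == "__main__":
    totals = allocate_cost(SAMPLE_REPORT)
    for tag, cost in sorted(totals.items()):
        print(f"{tag:10s} {cost:8.2f}")
    # Budgets are constructed; in practice they would come from AWS Budgets.
    print("over budget:", over_budget(totals, {"x": 10.0, "y": 5.0, "z": 30.0}))
```

A growing UNTAGGED bucket is the signal that tagging is not being enforced in one of the sub-accounts.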

Page 13: AWS Account Best Practices

What can I share between Accounts?

EC2 AMIs (EC2 Virtual Machine Template)

Pre-configured, templated Amazon Machine Images can be used to package together the following elements: Operating System, Application Code, Configuration.

S3 Buckets (S3 Bucket Policies)

Amazon Simple Storage Service is organized into buckets. You can control access to S3 buckets using bucket policies. Bucket Policies can also integrate with IAM to give access to all users in different accounts, or a subset of users.

EBS Snapshots (Block File System Snapshot)

As with a traditional SAN storage infrastructure, EBS volumes can be snapshotted and the data shared. EBS Volumes and Snapshots support a wide range of file systems, e.g. NTFS, EXT2/3/4.

Page 14: AWS Account Best Practices

Sign up for AWS Accounts

• Sign up with a real, monitored email address

• Create accounts with the same domain

• Populate the alternate contacts for billing, operations and security

• AWS accounts and Amazon retail accounts are linked

• Leverage consolidated billing to simplify payments and make use of volume discounts

• Move to invoicing payment

• Enable support

• Enable Billing Alerts

Page 15: AWS Account Best Practices

VPCs

VPC is a private, isolated section of the AWS cloud where YOU define the networking within it. A VPC spans all AZs in a region.

VPC Peering allows you to peer multiple VPCs across AWS accounts in a single region.

Components: Route Table, Elastic Network Interface, Amazon VPC Router, Internet Gateway, Customer Gateway, Virtual Private Gateway, VPN Connection, Subnet

Page 16: AWS Account Best Practices

Connectivity Options

Direct Connect is a physical connection to Amazon Public Cloud and/or Amazon VPC providing dedicated bandwidth between your site and AWS

Configure redundant, secure VPN connections between your VPC and your site

Alternatively you can connect directly to your VPC using a secured internet channel (SSH, RDP etc).

Page 17: AWS Account Best Practices

Basic VPC

VPC 10.1.0.0/16

Availability Zone A: Subnet (10.1.1.0/24)

Availability Zone B: Subnet (10.1.2.0/24)

Page 18: AWS Account Best Practices

Private & Public Subnets

VPC 10.1.0.0/16

Public Subnets: 10.1.1.0/24 (Availability Zone A), 10.1.2.0/24 (Availability Zone B)

Private Subnets: 10.1.3.0/24 and 10.1.4.0/24, one per Availability Zone

Page 19: AWS Account Best Practices

Segregate Environments into VPCs

Test/Dev VPC (10.0.0.0/16)

Staging VPC (10.1.0.0/16)

Production VPC (10.2.0.0/16)

Each VPC repeats the two-AZ layout of the previous slide: a public and a private subnet in Availability Zone A and in Availability Zone B.

Page 20: AWS Account Best Practices

Shared Services Model

Shared Services VPC (10.0.0.0/18), peered with Application A VPC (10.0.64.0/20) and Application B VPC (10.0.80.0/20), all allocated from 10.0.0.0/16

Each VPC repeats the two-AZ layout of the previous slides: a public and a private subnet in Availability Zone A and in Availability Zone B.

Page 21: AWS Account Best Practices

Putting it all together

Master Account (consolidated billing information)

  Production Account

  Dev/Test Account

Each account repeats the shared services model: a Shared Services VPC (10.0.0.0/18) peered with Application A (10.0.64.0/20) and Application B (10.0.80.0/20) VPCs, every VPC with a public and a private subnet in Availability Zone A and in Availability Zone B.

Page 22: AWS Account Best Practices

Consider using CloudFormation to manage VPCs

The snippet is an excerpt from a template's Resources section; the Zones and SubnetConfig maps it looks up with Fn::FindInMap are defined in the template's Mappings section, and VPC is the AWS::EC2::VPC resource the subnets belong to.

    "Public2Subnet" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "Zones", { "Ref" : "AWS::Region" }, "2" ] },
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Public2", "CIDR" ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Name", "Value" : "Public2Subnet" }
        ]
      }
    },
    "Private1Subnet" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Private1", "CIDR" ] },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "Zones", { "Ref" : "AWS::Region" }, "1" ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Name", "Value" : "Private1Subnet" }
        ]
      }
    },

Template your Environments

• Version Control your datacenter with CloudFormation!

• One click deployments

• Reproduce anywhere in the globe in minutes

• Segregation of Duties between infrastructure and application owners.

Page 23: AWS Account Best Practices

Plan your VPC IP space before creating it

Consider future AWS region expansion

Consider how data will need to flow between VPCs

Consider future connectivity to corporate networks

VPC can be /16 down to /28

CIDR cannot be modified once created

Overlapping IP spaces = future headache
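Because a VPC CIDR cannot be changed after creation, the checks on this slide are worth running over the plan before the first VPC exists. The following added example (not from the deck) does that with the standard library: VPC size limits, subnets fitting their VPC, pairwise overlap between VPCs, and overlap with the corporate ranges the VPCs may later reach. The plan reuses the deck's CIDRs; the subnet assignments and corporate range are constructed.

```python
import ipaddress

# Constructed plan built from the CIDRs on the deck's diagrams: name -> (vpc_cidr, subnets).
PLAN = {
    "test-dev":   ("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]),
    "staging":    ("10.1.0.0/16", ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "10.1.4.0/24"]),
    "production": ("10.2.0.0/16", ["10.2.1.0/24", "10.2.2.0/24"]),
}
# Constructed on-premises range that the VPCs may later reach over VPN or Direct Connect.
CORPORATE = ["10.2.0.0/16"]

def check_plan(plan, corporate_ranges=(), min_prefix=16, max_prefix=28):
    """Return human-readable problems with the plan; an empty list means it is clean."""
    problems = []
    vpcs = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in plan.items()}
    for name, net in vpcs.items():
        # AWS accepts VPC CIDRs from /16 (largest) down to /28 (smallest).
        if not min_prefix <= net.prefixlen <= max_prefix:
            problems.append(f"{name}: {net} is outside /{min_prefix}../{max_prefix}")
        for cidr in plan[name][1]:
            subnet = ipaddress.ip_network(cidr)
            if not subnet.subnet_of(net):
                problems.append(f"{name}: subnet {subnet} is not inside VPC {net}")
    # VPCs that will peer must not overlap, and the CIDR cannot be changed later.
    names = sorted(vpcs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if vpcs[a].overlaps(vpcs[b]):
                problems.append(f"{a} {vpcs[a]} overlaps {b} {vpcs[b]}")
    # The same goes for corporate networks the VPCs will connect to later.
    for name, net in vpcs.items():
        for corp in corporate_ranges:
            if net.overlaps(ipaddress.ip_network(corp)):
                problems.append(f"{name} {net} overlaps corporate range {corp}")
    return problems

if __name__ == "__main__":
    for line in check_plan(PLAN, CORPORATE) or ["plan is clean"]:
        print(line)
```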

Page 24: AWS Account Best Practices

SECURITY & COMPLIANCE

Page 25: AWS Account Best Practices

Shared Responsibility Model

Amazon

  Foundation Services: Compute, Storage, Database, Networking

  AWS Global Infrastructure: Availability Zones, Regions, Edge Locations

You

  Customer Data

  Platform, Applications, Identity & Access Management

  Operating System, Network & Firewall Configuration

  Client-side Data Encryption & Data Integrity Authentication

  Server-side Encryption (File System and/or Data)

  Network Traffic Protection (Encryption/Integrity/Identity)

Page 26: AWS Account Best Practices

Security Tools & Techniques

Security Groups

Granular network filtering: “This instance can only receive HTTP traffic on port 80”

Applied to instance ENI (up to 5 per)

Stateful

Allow Only (whitelist)

Rules evaluated as a whole

SGs can reference other SGs in same VPC

S3 Bucket Policies

Control access to S3 buckets: “Allow read access to all but put access from a restricted list of IP addresses”

Bucket Policies can also integrate with IAM to give access to all users in different accounts, or a subset of users

ACLs

Enforcing baseline security policy: “No TFTP, NetBIOS or SMTP shall egress this subnet”

Applied to subnets (1 per)

Stateless

Allow & Deny (blacklist)

Rules processed in order
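The two evaluation semantics on this slide are easy to get wrong in practice, so the following added example (not from the deck) models them side by side: a security group as an allow-only set where any match permits, and a network ACL as an ordered list where the lowest-numbered match decides and everything else hits the implicit deny. Rule sets are constructed from the slide's two quotes; statefulness and traffic direction are not modelled, only rule matching.

```python
import ipaddress

def _matches(rule, port, ip):
    return rule["from"] <= port <= rule["to"] and ip in ipaddress.ip_network(rule["cidr"])

def sg_allows(rules, port, src_ip):
    """Security group: the rules are an allow-only set; traffic passes if ANY rule matches."""
    ip = ipaddress.ip_address(src_ip)
    return any(_matches(r, port, ip) for r in rules)

def nacl_decision(rules, port, src_ip):
    """Network ACL: rules are walked by ascending number and the first match decides.

    Returns (action, rule_number); the implicit final '*' rule denies everything else.
    """
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r["number"]):
        if _matches(r, port, ip):
            return r["action"], r["number"]
    return "deny", "*"

# Constructed rule sets mirroring the slide's two quotes.
WEB_SG = [{"cidr": "0.0.0.0/0", "from": 80, "to": 80}]   # "only HTTP traffic on port 80"
SUBNET_NACL = [                                           # "no TFTP, NetBIOS or SMTP"
    {"number": 100, "action": "deny",  "cidr": "0.0.0.0/0", "from": 69,  "to": 69},
    {"number": 110, "action": "deny",  "cidr": "0.0.0.0/0", "from": 137, "to": 139},
    {"number": 120, "action": "deny",  "cidr": "0.0.0.0/0", "from": 25,  "to": 25},
    {"number": 200, "action": "allow", "cidr": "0.0.0.0/0", "from": 0,   "to": 65535},
]
# Same rules, but the broad allow numbered 50: it now shadows every deny below it.
MISORDERED_NACL = [dict(r, number=50) if r["action"] == "allow" else r for r in SUBNET_NACL]

if __name__ == "__main__":
    print("SG port 80:", sg_allows(WEB_SG, 80, "203.0.113.5"))                    # True
    print("SG port 443:", sg_allows(WEB_SG, 443, "203.0.113.5"))                  # False
    print("NACL TFTP:", nacl_decision(SUBNET_NACL, 69, "10.1.1.10"))              # ('deny', 100)
    print("misordered TFTP:", nacl_decision(MISORDERED_NACL, 69, "10.1.1.10"))    # ('allow', 50)
```

The misordered case is the usual review finding: deny rules placed after a catch-all allow never fire, which is one reason the deck advises keeping ACLs sparse and simple.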

Page 27: AWS Account Best Practices

Security Tools & Techniques cont.

AWS Config

Notification on changes to resources: “Tell me when changes are made to my AWS resources”

Integration with 3rd Party Tools

Notification via SNS

Config Rules allows you to take action based on rules, e.g. if instances are not tagged with an ‘owner’, notify me

AWS Inspector

Automated Security Assessment: “Can I assess my Application in AWS for known vulnerabilities or best practices”

Pre-built assessments for known compliance programmes.

Agent based, API driven and delivered as a service.

Enforce Security Standards for your AWS Applications

AWS CloudTrail

Auditing of AWS Account Usage: “Who did what in my account at a specific time”

Capture logs of all AWS API invocations.

Logs are sent to S3 or CloudWatch Logs

Integration with 3rd Party Tools

Page 28: AWS Account Best Practices

Security Best Practices

Use ACLs sparingly, keep it simple

Utilise Security Groups for fine grained control

Utilise security groups to manage access to instances that have similar functions and security requirements

Read: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

Page 29: AWS Account Best Practices

CIS Foundations Benchmark

Page 30: AWS Account Best Practices

OPTIMISING FOR COST

Page 31: AWS Account Best Practices

Many pricing options available

Free Tier: Get started on AWS with free usage & no commitment. For POCs and getting started.

On-Demand: Pay for compute capacity by the hour with no long-term commitments. For spiky workloads, or to define needs.

Reserved: Make a low, one-time payment and receive a significant discount on the hourly charge. For committed utilization.

Spot: Bid for unused capacity, charged at a Spot Price which fluctuates based on supply and demand. For time-insensitive or transient workloads.

Dedicated: Launch instances within Amazon VPC that run on hardware dedicated to a single customer. For highly sensitive or compliance related workloads.

Page 32: AWS Account Best Practices

Run the right instances at the right time

Stop or terminate instances when they’re not required

Utilise CloudFormation to tear down and recreate whole environments on demand

Use CloudWatch to monitor instance load and scale vertically and/or horizontally to maximise instance utilisation

Utilise Reserved Instances to lower TCO

Page 33: AWS Account Best Practices

MANAGING & AUDITING ACCESS

Page 34: AWS Account Best Practices

Identity & Access Management

Account

IAM Groups: Administrators, Developers (users Bob, Jim, Brad, Mark, Susan)

IAM Roles: Applications (Tomcat, Reporting, Console)

Page 35: AWS Account Best Practices

IAM Policies

Policy Driven

• Declarative definition of rights for groups

• Policies control access to AWS APIs

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "elasticbeanstalk:*",
            "ec2:*",
            "elasticloadbalancing:*",
            "autoscaling:*",
            "cloudwatch:*",
            "s3:*"
          ],
          "Resource": "*"
        }
      ]
    }

Page 36: AWS Account Best Practices

Audit User Actions

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.

With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via:

• AWS Management Console

• AWS SDKs

• Command line tools

• Higher-level AWS services (such as CloudFormation).
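The question the CloudTrail slides pose, "who did what in my account at a specific time", is answered by reading the delivered log files. The following added example (not from the deck) does that over the `{"Records": [...]}` JSON shape CloudTrail writes to S3 and also flags two things the access slides warn against: console logins without MFA and use of the root account. The events, account id and principal names are constructed placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed events in the shape CloudTrail delivers to S3 ({"Records": [...]});
# account id, names and addresses are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-04-14T09:58:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-04-14T10:02:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2017-04-14T10:03:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
    {"eventTime": "2017-04-14T14:30:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Deployer/ci"}},
]})

def _who(identity):
    # IAM users carry userName; assumed roles are named by their session ARN.
    if identity.get("type") == "Root":
        return "ROOT"
    return identity.get("userName") or identity.get("arn", "unknown")

def _when(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def who_did_what(log_json, start, end):
    """Return (who, eventName, eventSource) for every call inside [start, end]."""
    start, end = _when(start), _when(end)
    return [(_who(r["userIdentity"]), r["eventName"], r["eventSource"])
            for r in json.loads(log_json)["Records"]
            if start <= _when(r["eventTime"]) <= end]

def findings(log_json):
    """Flag console logins without MFA and any activity by the root account."""
    out = []
    for r in json.loads(log_json)["Records"]:
        if r["eventName"] == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            out.append(f"{r['eventTime']} console login without MFA by {_who(r['userIdentity'])}")
        if r["userIdentity"].get("type") == "Root":
            out.append(f"{r['eventTime']} root account used for {r['eventName']}")
    return out
```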

Page 37: AWS Account Best Practices

Control access through fine grained policies

Use multi-factor authentication for console access

Use groups to define access levels and assign IAM policies to groups

Even the superuser group should have some explicit denies

Utilise IAM roles to ensure no API credentials are placed onto EC2 instances

Utilise tagging to define fine grained control over resources

Consider IAM federation into AD to simplify user management
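The advice above to give even power users explicit denies rests on IAM's evaluation order: an explicit Deny beats any Allow, and anything unmatched is implicitly denied. The following added example (not from the deck) takes the broad developer policy from the IAM Policies slide, adds two illustrative Deny statements, and evaluates actions against it. The policy extension is constructed, only the `Bool`/`BoolIfExists` operators on `aws:MultiFactorAuthPresent` are modelled, and Resource matching is ignored because every statement uses `*`.

```python
import fnmatch

# The slide's developer policy, extended with the explicit denies the last slide calls for.
# Constructed; the Deny statements are illustrative, not a recommended production policy.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                    "autoscaling:*", "cloudwatch:*", "s3:*"]},
        # Carve destructive actions out of the broad allow; a Deny cannot be overridden.
        {"Effect": "Deny", "Resource": "*", "Action": ["ec2:DeleteVpc", "s3:DeleteBucket"]},
        # Deny everything when the caller has not authenticated with MFA. BoolIfExists is
        # used because the key is absent for requests made with long-term access keys.
        {"Effect": "Deny", "Resource": "*", "Action": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_met(condition, ctx):
    """Only Bool and BoolIfExists are modelled; IfExists matches when the key is absent."""
    for operator, if_exists in (("Bool", False), ("BoolIfExists", True)):
        for key, expected in condition.get(operator, {}).items():
            if key not in ctx:
                if not if_exists:
                    return False
                continue
            if str(ctx[key]).lower() != str(expected).lower():
                return False
    return True

def is_allowed(policy, action, mfa_present=True):
    """Evaluate one action: explicit Deny wins, then Allow, otherwise implicit deny.

    mfa_present=None models a request whose context has no MFA key at all.
    """
    ctx = {} if mfa_present is None else {"aws:MultiFactorAuthPresent": mfa_present}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny ends evaluation
        allowed = True
    return allowed
```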

Page 38: AWS Account Best Practices

Thank You

@steven_bryen

[email protected]

Page 39: AWS Account Best Practices

awsloft.london

closing.party && startup.showcase

28 April :: 18:00 >> 22:00