20171015-flynn-webscale: Tales from the Amazon · 2017-10-18

Post on 03-Jul-2020


TRANSCRIPT

TALES FROM THE AMAZON
One Traveler’s Struggles to Create a Centrally-Managed AWS Environment

BOB FLYNN
Manager, Cloud Technology Support, Indiana University

[ 2 ]

Expedition Itinerary – Tales from the Amazon

• Your Guide
• Our Mission
• The Journey
• Way Station
• Our Haul
• Taking Stock
• The Search for our El Dorado Continues

[ 3 ]

Your Guide

[ 4 ]

Bob Flynn: Manager, Cloud Technology Support – Indiana University

• Indiana University
  – Experimental/Opportunistic Cloud
  – “Cloud as a Service”
• MS Azure
• Amazon Web Services
  – NET+ AWS Service Advisory Board
• Google Cloud Platform (Service Validation)
• Box
  – Largest HED customer (145K user accounts and 1PB stored)
  – Higher Education and Product Advisory Boards
• Adobe
  – Adobe Education Leader

[ 5 ]

Our Mission: To create a managed AWS environment

[ 6 ]

What does a “managed” AWS environment look like?

• Take the positives from the Azure model
• Single Sign On
• Security team access
• Log aggregation
• Shared services availability
• Billing monitoring
  – Direct invoicing
  – Reports

• Desire to be as equivalent to the data center as possible

[ 7 ]

Why does a “managed” AWS environment matter?

• Conservative and cautious approach to the public cloud
• Bringing all accounts under a single contract
  – Cost monitoring
  – Discounts
  – Catalog use cases
• Account support
  – New accounts and transfers
  – “Hold my hand” accounts
  – “Get out of my way” accounts
• Incident response

[ 8 ]

Our Mission: To create a manageable AWS environment

[ 9 ]

The Journey

[ 10 ]

The journey starts with optimism

• Early victory
  – NET+ AWS contract took care of billing
• Encouraging signs and false hopes
  – AWS re:Invent sessions
    • SAC319 Architecting Security and Governance Across a Multi-Account Strategy
    • SAC323 Centrally Manage Multiple AWS Accounts with AWS Organizations

[ 11 ]

Architecting Security and Governance Across a Multi-Account Strategy

[ 12 ]

The jungle closes in around us

• API access
  – SSO
  – IAM for cross-account work
• Account transfers
• Alexa development
• AWS Educate
• The price of being a linked account
  – Organizations unavailable
  – Research credits
  – Tagging limitations
  – Others to come as we scale

[ 13 ]

Way Station

[ 14 ]

Way Station: resupply and reflect – IU AWS account basics

1. Sign a Cloud Acceptable Usage Agreement
2. Follow emailed instruction for selected provider(s)
  – Project amount they will spend
  – Get a quote from the reseller
  – Submit quote and “signed” AUA with purchase request
3. PO kicks off provisioning workflow
  – Questions for DLT (HIPAA, GovCloud, Data Egress, business-level support, etc.)
  – Questions for IU (requestor campus/dept/project, technical contact, etc.)
  – Set up of AD groups for SSO (readOnly, PowerUser, Admin)
  – Configuration of account (SAML, CloudFormation, extra hoops for transfers)
  – Identity team maps AD groups to AWS accounts
  – Account handoff to requestor (AD group control, login page, SSO boundaries)

[ 15 ]

Our Haul

[ 16 ]

What have we learned from all of this? – Account management

• Root accounts
  – Storing credentials
  – Transfer account owners (log in, email, Alexa)
• Email addresses
  – +addresses for mailing lists
  – AWS spam
• The limits of and on the PowerUser
  – PowerUser does not have IAM
  – IAM needed behind the scenes for some services
  – Continuing to test those limits, particularly with transfers

[ 17 ]

What have we learned from all of this? – Bulk provisioning

• Account configuration is time-consuming
• Manual account configuration more so
• Bulk provisioning for rapid provisioning
  – Set email and password
  – Upload SAML.xml
  – Apply CloudFormation Template
  – Deal with the spam
• Transfer or bulk-provisioned account
  – Change email
  – Change PO
• Use your network

[ 18 ]

Taking Stock

[ 19 ]

What have we hacked out of the clearing so far?

✓ DLT is our billing account
✓ We have a security account collecting logs
✗ Do not yet have security team access for incident response
✗ Do not yet have shared services account
✓ New account setup
✓ Automation with CloudFormation Templates for policy groups and logging
✓ Manual setting of SSO and account alias
✓ Bulk provisioning saves request turn-around time
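A per-account baseline of the kind the Way Station workflow, the bulk-provisioning slide and the “automation with CloudFormation Templates for policy groups and logging” line describe, written here as an added example rather than IU's own template: it creates the ReadOnly, PowerUser and Admin roles that the AD groups reach through the SAML provider, and a CloudTrail trail shipping to the security account. The provider ARN, the bucket name and the role names are assumptions; the SAML.xml upload and the account alias stay manual, as on the deck.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Example account baseline (not IU's template) for SAML-federated AD groups and central logging
Parameters:
  SamlProviderArn:
    Type: String   # IdP created earlier from the uploaded SAML.xml (assumed ARN)
  SecurityLogBucket:
    Type: String   # log bucket in the central security account (assumed name)
Resources:
  # One role per AD group; the IdP's role attribute decides which one a user may assume.
  ReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ReadOnly
      ManagedPolicyArns: [arn:aws:iam::aws:policy/ReadOnlyAccess]
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:   # only accept assertions addressed to the AWS sign-in audience
          - {Effect: Allow, Action: sts:AssumeRoleWithSAML, Principal: {Federated: !Ref SamlProviderArn},
             Condition: {StringEquals: {'SAML:aud': 'https://signin.aws.amazon.com/saml'}}}
  PowerUserRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: PowerUser
      # PowerUserAccess grants no iam:* beyond service-linked roles, so services
      # that must create their own role fail for this group, as the deck notes.
      ManagedPolicyArns: [arn:aws:iam::aws:policy/PowerUserAccess]
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - {Effect: Allow, Action: sts:AssumeRoleWithSAML, Principal: {Federated: !Ref SamlProviderArn},
             Condition: {StringEquals: {'SAML:aud': 'https://signin.aws.amazon.com/saml'}}}
  AdminRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Admin
      ManagedPolicyArns: [arn:aws:iam::aws:policy/AdministratorAccess]
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - {Effect: Allow, Action: sts:AssumeRoleWithSAML, Principal: {Federated: !Ref SamlProviderArn},
             Condition: {StringEquals: {'SAML:aud': 'https://signin.aws.amazon.com/saml'}}}
  # Trail writes to the security account; that bucket's policy must allow this account's prefix.
  AccountTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      EnableLogFileValidation: true
      S3BucketName: !Ref SecurityLogBucket
```

Because the roles carry fixed names, the stack must be created with CAPABILITY_NAMED_IAM; the same template applied to every bulk-provisioned account is what keeps the three AD-group-to-role mappings identical across accounts.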

[ 20 ]

The Search for our El Dorado Continues

[ 21 ]

Where do we go from here? Can we find the elusive EMCE?

• EMCE = Enterprise-Manageable Cloud Environment
• More automation in onboarding workflow
  – Get Procurement to cut off p-card purchases
• More automation in template management
  – CloudFormation Stacks?
• Set up shared services account
• Survey customers about
  – onboarding process
  – Using SSO
  – Unmet needs?
• Sponsor training
• Determine how much local documentation to create?
• Establish a Cloud Center of Excellence
• Someday… Virtual Data Center

[ 22 ]

Thank you for putting your faith in your guide. I’ll see you on our next adventure!

reflynn@iu.edu
