aws summit auckland - black belt tips
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Dean Samuels, Solutions Architecture Manager, Amazon Web Services
AWS Black Belt Tips
Session depth: Technical 401 (scale: Business, 101 Technical, 201 Technical, 301 Technical, 401 Technical)
What do I Expect You to Know?
Cloud computing, AWS administration, API services, operations best practices
What Should You Expect From Me?
Integration, automation, “Invisible IT Ops”, demos and audience participation
AWS Tips – Your Choice
Ops & Management, Security, Cost Optimisation: choose your preferred topic…
Text your vote for A, B, or C to +61400087860, or submit your vote online via http://bit.ly/summit-bbt
Operations & Management – General Recommendations
Foundation, transient environments, change management, failure management
Key Services and Recent Feature Releases
AWS Config, Amazon CloudWatch, AWS CloudTrail, AWS CloudFormation, AWS Identity and Access Management, AWS Service Catalog
Compelling Reasons for Tagging
Operations, security, cost allocation, reporting
Automating EBS Snapshots
AWS Lambda scheduled event (daily snapshots), run against EC2 instances with a backup retention of 30 days:
1. Search for instances tagged “Backup”
2. Use EC2 Run Command to fsfreeze
3. Snapshot all attached volumes
4. Tag snapshots with expire date
Quiesce I/O
1. Database: FLUSH and LOCK tables
2. Filesystem: sync and fsfreeze
3. EBS: snapshot all volumes
When the CreateSnapshot API returns success, it is safe to resume I/O.
Automating EBS Snapshots
AWS Lambda scheduled event (daily expire), run against EBS snapshots tagged Backup and DeleteOn (date):
1. Search for snapshots whose “DeleteOn” tag is today
2. Delete expired snapshots
Extra Tip: Use AWS CloudFormation and AWS Service Catalog to set up a self-service Snapshot Lifecycle Management System
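The tag-driven lifecycle from the two snapshot slides as an added example (not code from the talk): the planning and expiry logic is kept free of EC2 calls so it runs offline, records are shaped like boto3's describe_instances / describe_snapshots output, and the instance, snapshot and run-date values are constructed.

```python
# Added example: tag-driven EBS snapshot lifecycle (plan daily, expire daily).
from datetime import date, timedelta

RETENTION_DAYS = 30                      # "Retention 30 days" on the slide
BACKUP_TAG, EXPIRE_TAG = "Backup", "DeleteOn"
TODAY = date(2016, 5, 1)                 # constructed run date for the sample

def _tags(resource):
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}

def plan_snapshots(instances, today):
    """One (instance_id, volume_id, tags) entry per volume of a Backup-tagged
    instance. The daily Lambda runs fsfreeze via Run Command, calls CreateSnapshot
    per entry, applies these tags, and thaws once every call has returned success."""
    expire_on = (today + timedelta(days=RETENTION_DAYS)).isoformat()
    plan = []
    for inst in instances:
        if BACKUP_TAG not in _tags(inst):
            continue
        for dev in inst.get("BlockDeviceMappings", []):
            plan.append((inst["InstanceId"], dev["Ebs"]["VolumeId"],
                         {BACKUP_TAG: inst["InstanceId"], EXPIRE_TAG: expire_on}))
    return plan

def expired_snapshots(snapshots, today):
    """Snapshot ids whose DeleteOn tag is today or earlier (covers days the expire
    job missed). Untagged or unparsable dates are never deleted: fail closed."""
    doomed = []
    for snap in snapshots:
        value = _tags(snap).get(EXPIRE_TAG)
        try:
            if value and date.fromisoformat(value) <= today:
                doomed.append(snap["SnapshotId"])
        except ValueError:
            pass
    return doomed

SAMPLE_INSTANCES = [  # constructed, not from the talk
    {"InstanceId": "i-backup", "Tags": [{"Key": "Backup", "Value": "yes"}],
     "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0a"}}, {"Ebs": {"VolumeId": "vol-0b"}}]},
    {"InstanceId": "i-nobackup", "Tags": [], "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0c"}}]},
]
SAMPLE_SNAPSHOTS = [  # constructed
    {"SnapshotId": "snap-old", "Tags": [{"Key": "DeleteOn", "Value": "2016-04-30"}]},
    {"SnapshotId": "snap-future", "Tags": [{"Key": "DeleteOn", "Value": "2016-06-01"}]},
    {"SnapshotId": "snap-bad", "Tags": [{"Key": "DeleteOn", "Value": "never"}]},
    {"SnapshotId": "snap-untagged", "Tags": []},
]
```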
Dynamic DNS for Route 53
Components in the diagram: Amazon Route 53 private hosted zone, Auto Scaling group, AWS Lambda triggered by an Amazon CloudWatch Event, Amazon DynamoDB, Direct Connect / VPN Gateway, DNS client, DNS forwarder, Simple AD. Notice: no Internet/NAT required!
Instance tags driving the records:
ZONE=ddnslambda.com, CNAME=svr1.ddnslambda.com
ZONE=ddnslambda.com, CNAME=asg-svr##.ddnslambda.com
ZONE=ddnslambda.com, CNAME=tst1.ddnslambda.com
ZONE=ddnslambda.com, CNAME=svr4.ddnslambda.com
ZONE=ddnslambda.com, CNAME=svr7.ddnslambda.com
Dynamic Compliance Checking for Cloud Resources
Level 1: Log – AWS CloudTrail captures all API interaction between actors and the resource stack (stored in Amazon S3); AWS Config captures resource changes; service logs (VPC, ELB, S3, CloudFront, etc.)
Level 2: Alarm – Amazon CloudWatch monitors AWS & application, and an alarm initiates actions on the resource stack; AWS Config rules alarm
Level 3: Aggregate – aggregate/analyze the monitors for the admin
AWS Config Rules Repo: https://github.com/awslabs/aws-config-rules
Efficient Multi-Region Deployments
The user or deploy tools upload the Lambda.zip file to Amazon S3 in Tokyo; Cross-Region S3 Replication copies it to Amazon S3 in Oregon and Frankfurt. In each region an AWS Lambda deployment function, invoked as a custom resource of a CloudFormation stack, deploys from the local copy.
Security – General Recommendations
Data protection, privilege management, infrastructure protection, detective controls
Key Services and Recent Feature Releases
AWS Key Management Service, Amazon Inspector, AWS Certificate Manager, AWS Web Application Firewall, AWS CloudHSM
Reducing Your Attack Surface Area
Architecture in the diagram: legitimate users and bad actors reach Amazon CloudFront, which fronts static assets in Amazon S3 and a custom origin (behind AWS WAF and a security group) backed by an RDS DB instance; the ip-ranges.json object in Amazon S3, AWS Lambda and Amazon SNS keep the security group current; CloudFront logs, third-party IP reputation lists and an S3 event notification feed AWS Lambda.
1. Use AWS WAF
2. Amazon S3 Origin Access Identities
3. Whitelist a pre-shared secret origin header
4. Whitelist the CloudFront IP range – subscribe to Amazon SNS notifications on changes to IP ranges
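Item 4 worked through as an added example (not code from the talk): the Lambda subscribed to the IP-range SNS topic would fetch ip-ranges.json and apply the diff with boto3's authorize_security_group_ingress / revoke_security_group_ingress; here the download and the EC2 calls are left out, the md5 check assumes the value from the SNS message, and the ip-ranges document and security group are small constructed stand-ins.

```python
# Added example: keep a security group's ingress limited to CloudFront's prefixes.
import hashlib
import json

def verify_ip_ranges(body, expected_md5):
    """The SNS change notification carries an md5 of the file (assumption: taken
    from that message); refuse to act on a document that does not match it."""
    if hashlib.md5(body.encode()).hexdigest() != expected_md5:
        raise ValueError("ip-ranges.json did not match the announced md5")
    return json.loads(body)

def cloudfront_prefixes(doc):
    """IPv4 CIDRs AWS publishes for service CLOUDFRONT."""
    return {p["ip_prefix"] for p in doc["prefixes"] if p["service"] == "CLOUDFRONT"}

def current_cidrs(security_group, port=443):
    """CIDRs the group already allows on `port` (describe_security_groups shape)."""
    found = set()
    for perm in security_group.get("IpPermissions", []):
        if perm.get("FromPort") == port and perm.get("ToPort") == port:
            found.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return found

def sg_diff(wanted, current):
    """(to_authorize, to_revoke). Authorize first, then revoke, so the origin is
    never unreachable from CloudFront between the two calls. Anything not in the
    published list, including a leftover 0.0.0.0/0, lands in the revoke set."""
    return sorted(wanted - current), sorted(current - wanted)

# Constructed sample: tiny stand-ins for the real ip-ranges.json and group
SAMPLE_IP_RANGES = json.dumps({"syncToken": "0", "prefixes": [
    {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "52.92.16.0/20", "region": "us-east-1", "service": "S3"},
]})
SAMPLE_MD5 = hashlib.md5(SAMPLE_IP_RANGES.encode()).hexdigest()
SAMPLE_SG = {"GroupId": "sg-example", "IpPermissions": [
    {"FromPort": 443, "ToPort": 443, "IpProtocol": "tcp",
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "13.32.0.0/15"}]},
    {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]}
```

The full CloudFront list is larger than one security group's default inbound-rule quota, so a production version spreads the authorized set over several groups attached to the origin.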
Automating Object Processing for Security
Flow in the diagram: a user uploads through Amazon API Gateway to Amazon S3; the Object Created S3 event notification fans out to AWS Lambda, which passes the S3 object details by API call to third-party or DIY malware scanning; the result callback arrives as an API event through Amazon API Gateway to AWS Lambda, which deletes or retains the object. Secondary lists live in Amazon DynamoDB, Amazon ElastiCache or Amazon Elasticsearch, with Amazon SNS for notification.
Use Short Lived Credentials Where Possible
AWS STS issues temporary security credentials via AssumeRole: to EC2/ECS instance roles, to clients (bob, alice, carol) authenticated by an identity provider, for service APIs, and for cross-account API access. Console federation endpoint: getSigninToken&Session=###... followed by login&SigninToken=###...
No IAM Users! No long-term security credentials!
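The two-step console federation exchange from the slide as an added example (not code from the talk): HTTP is left out so the URL construction can be checked offline, FEDERATION is the real sign-in endpoint, and the credential values are constructed placeholders in the shape of sts.assume_role()["Credentials"].

```python
# Added example: build the getSigninToken and login URLs from STS temporary credentials.
import json
from urllib.parse import parse_qs, urlencode, urlparse

FEDERATION = "https://signin.aws.amazon.com/federation"

def signin_token_url(creds, duration_seconds=3600):
    """Step 1 (getSigninToken&Session=...): the broker GETs this URL with the
    Credentials dict from sts.assume_role and reads SigninToken from the JSON
    reply. The temporary keys travel once, server side, and never reach the user."""
    session = {"sessionId": creds["AccessKeyId"],
               "sessionKey": creds["SecretAccessKey"],
               "sessionToken": creds["SessionToken"]}
    return FEDERATION + "?" + urlencode({"Action": "getSigninToken",
                                         "SessionDuration": duration_seconds,
                                         "Session": json.dumps(session)})

def login_url(signin_token, issuer, destination="https://console.aws.amazon.com/"):
    """Step 2 (login&SigninToken=...): the URL handed to the user. It carries only
    the short-lived token, so no IAM user and no long-term key is involved."""
    return FEDERATION + "?" + urlencode({"Action": "login", "Issuer": issuer,
                                         "Destination": destination,
                                         "SigninToken": signin_token})

def query_params(url):
    """Decode a federation URL back into single-valued query parameters."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

# Constructed placeholder credentials (not real keys)
SAMPLE_CREDS = {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "example-secret",
                "SessionToken": "example-session-token"}
```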
Cost Optimisation – General Recommendations
On-Demand, Reserved and Spot Instances; Amazon EC2 RI Marketplace; appropriate storage class based on requirements; measure and monitor; evolve architecture with new services; consolidated billing
Key Services and Recent Feature Releases
AWS Trusted Advisor, AWS Lambda, Amazon Database Migration Service, AWS Service Catalog
Offload Functions to Other Services
Components in the diagram: users calling an API backed by AWS Lambda, an Amazon DynamoDB table with DynamoDB Streams triggering AWS Lambda into Amazon Elasticsearch Service, and Amazon ElastiCache and Amazon SQS for the “data throughput exceeded” case.
Uncovering Cost Optimisation Opportunities
Set up metrics to define success and track progress
Auto-tag resources with AWS Config Rules, CloudTrail or CloudWatch Events
Schedule or set policy to downsize resources with Auto Scaling, Lambda and CloudWatch
Report on savings
Recommend RIs to purchase
Server-less Architectures – Voting App
Components in the diagram (flow steps 1–6): SMS from you to the API Gateway provider, Amazon API Gateway, AWS Lambda, Amazon DynamoDB, Amazon S3, Amazon Route 53, Amazon Cognito
Key Takeaways…
“Invisible IT Ops”
“No server is easier to manage than no server”
“Server-less IT isn’t just for business applications”
AWS Training & Certification
Intro Videos & Labs: free videos and labs to help you learn to work with 30+ AWS services – in minutes!
Training Classes: in-person and online courses to build technical skills – taught by accredited AWS instructors
Online Labs: practice working with AWS services in a live environment – learn how related services work together
AWS Certification: validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready
Learn more: aws.amazon.com/training
Your Training Next Steps:
Visit the AWS Training & Certification pod to discuss your training plan & AWS Summit training offer
Register & attend AWS instructor-led training
Get Certified
AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag
Thank You!