AWS Summit Auckland - Black Belt Tips

31 slides. Uploaded by amazon-web-services, posted 18-Jan-2017. Category: Technology.

TRANSCRIPT

Page 1: AWS Summit Auckland - Black Belt Tips

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Dean Samuels, Solutions Architecture Manager, Amazon Web Services

AWS Black Belt Tips

Technical 401

Page 2: Session Depth

Business 101, Technical 201, Technical 301, Technical 401 (this session is a Technical 401).

Page 3: What do I Expect You to Know?

Cloud Computing; AWS Admin; API Services; Operations Best Practices

Page 4: What Should You Expect From Me?

Integration; Automation; Invisible IT Ops; Demos and Audience Participation

Page 5: AWS Tips – Your Choice

Choose your preferred topic: Ops & Management, Security, or Cost Optimisation.

Text your vote for A, B, or C to +61400087860

OR

Submit your vote online via http://bit.ly/summit-bbt

Page 6: Operations & Management – General Recommendations

Foundation; Transient Environments; Change Management; Failure Management

Page 7: Key Services and Recent Feature Releases

AWS Config, Amazon CloudWatch, AWS CloudTrail, AWS CloudFormation, AWS Identity and Access Management, AWS Service Catalog

Page 8: Compelling Reasons for Tagging

Operations; Security; Cost Allocation; Reporting

Page 9: Automating EBS Snapshots

Diagram: an AWS Lambda function runs on a scheduled event (daily snapshots) against the EC2 instances tagged "Backup", with a retention of 30 days.

1. Search for instances tagged "Backup"
2. EC2 Run Command to fsfreeze
3. Snapshot all attached volumes
4. Tag snapshots with expire date

Quiesce I/O:
1. Database: FLUSH and LOCK tables
2. Filesystem: sync and fsfreeze
3. EBS: snapshot all volumes

When the CreateSnapshot API returns success, it is safe to resume.

Page 10: Automating EBS Snapshots

Diagram: a second AWS Lambda function runs on a scheduled event (daily expire) against the EBS snapshots, which carry the tags "Backup" and "DeleteOn" (a date).

1. Search for snapshots tagged to "DeleteOn" today
2. Delete expired snapshots

Extra Tip: Use AWS CloudFormation and AWS Service Catalog to set up a self-service Snapshot Lifecycle Management System.
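The two scheduled functions from the "Automating EBS Snapshots" slides (Pages 9 and 10), written out as an added example; this is not code from the deck. It assumes a "Backup" tag selects instances, an optional "Retention" tag gives the days to keep (default 30), and snapshots get a "DeleteOn" tag in YYYY-MM-DD form. The EC2 client is passed in, so the logic runs here against the in-memory FakeEC2 stand-in rather than boto3; the freeze and thaw steps are callbacks in place of EC2 Run Command.

```python
# Added example (not code from the original deck): the two scheduled Lambda
# functions of the "Automating EBS Snapshots" slides as plain Python. All
# assumptions are mine: instances to back up carry a "Backup" tag and an
# optional "Retention" tag (days, default 30); snapshots get a "DeleteOn" tag
# as YYYY-MM-DD; the EC2 client is passed in, so the logic runs here against
# the in-memory FakeEC2 stand-in instead of boto3.
import datetime as dt

DEFAULT_RETENTION_DAYS = 30


def tag_value(tags, key, default=None):
    """Value of tag `key` in an EC2-style [{"Key": .., "Value": ..}] list."""
    for tag in tags or []:
        if tag["Key"] == key:
            return tag["Value"]
    return default


def backup_targets(ec2):
    """Step 1: every instance tagged Backup, as (instance_id, days, volume_ids)."""
    targets = []
    resp = ec2.describe_instances(Filters=[{"Name": "tag-key", "Values": ["Backup"]}])
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            days = int(tag_value(inst.get("Tags"), "Retention", DEFAULT_RETENTION_DAYS))
            volumes = [m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"] if "Ebs" in m]
            targets.append((inst["InstanceId"], days, volumes))
    return targets


def snapshot_instance(ec2, instance_id, volumes, retention_days, today, freeze, thaw):
    """Steps 2-4: quiesce, snapshot every attached volume, tag with DeleteOn.

    `freeze`/`thaw` stand in for the EC2 Run Command steps (FLUSH TABLES WITH
    READ LOCK, sync, fsfreeze -f / fsfreeze -u). The thaw sits in `finally`
    so a failed CreateSnapshot never leaves the filesystem frozen, and it runs
    as soon as the API calls return: the point in time is fixed at that moment
    and the copy to S3 completes in the background.
    """
    delete_on = (dt.date.fromisoformat(today) + dt.timedelta(days=retention_days)).isoformat()
    snapshot_ids = []
    freeze(instance_id)
    try:
        for volume_id in volumes:
            resp = ec2.create_snapshot(VolumeId=volume_id, Description=f"{instance_id} {volume_id} {today}")
            snapshot_ids.append(resp["SnapshotId"])
    finally:
        thaw(instance_id)
    if snapshot_ids:
        ec2.create_tags(Resources=snapshot_ids,
                        Tags=[{"Key": "Backup", "Value": instance_id}, {"Key": "DeleteOn", "Value": delete_on}])
    return snapshot_ids


def expire_snapshots(ec2, today):
    """Second Lambda: delete our snapshots whose DeleteOn date is today or earlier
    (earlier too, so a missed daily run still catches up)."""
    deleted = []
    resp = ec2.describe_snapshots(OwnerIds=["self"], Filters=[{"Name": "tag-key", "Values": ["DeleteOn"]}])
    for snap in resp["Snapshots"]:
        if tag_value(snap.get("Tags"), "DeleteOn", "9999-12-31") <= today:  # ISO dates sort as strings
            ec2.delete_snapshot(SnapshotId=snap["SnapshotId"])
            deleted.append(snap["SnapshotId"])
    return deleted


class FakeEC2:
    """Constructed stand-in for the five boto3 EC2 calls used above."""

    def __init__(self):
        self.snapshots = {}
        self.counter = 0
        self.instances = [{"InstanceId": "i-0123456789abcdef0",
                           "Tags": [{"Key": "Backup", "Value": "yes"}, {"Key": "Retention", "Value": "7"}],
                           "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
                                                   {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data"}}]}]

    def describe_instances(self, Filters):
        return {"Reservations": [{"Instances": self.instances}]}

    def create_snapshot(self, VolumeId, Description):
        self.counter += 1
        sid = f"snap-{self.counter:04d}"
        self.snapshots[sid] = {"SnapshotId": sid, "Tags": []}
        return {"SnapshotId": sid}

    def create_tags(self, Resources, Tags):
        for sid in Resources:
            self.snapshots[sid]["Tags"].extend(Tags)

    def describe_snapshots(self, OwnerIds, Filters):
        return {"Snapshots": list(self.snapshots.values())}

    def delete_snapshot(self, SnapshotId):
        del self.snapshots[SnapshotId]


if __name__ == "__main__":
    ec2, log = FakeEC2(), []
    for instance_id, days, volumes in backup_targets(ec2):
        ids = snapshot_instance(ec2, instance_id, volumes, days, "2016-06-01",
                                lambda i: log.append("freeze"), lambda i: log.append("thaw"))
        print(instance_id, ids, log)
    print("expired on 2016-06-08:", expire_snapshots(ec2, "2016-06-08"))
```

The thaw in `finally` is the check a practitioner wants here: a Run Command freeze with no guaranteed unfreeze is an outage waiting for the first throttled CreateSnapshot call. The IAM role for the two functions needs only ec2:DescribeInstances, ec2:CreateSnapshot, ec2:CreateTags, ec2:DescribeSnapshots and ec2:DeleteSnapshot plus ssm:SendCommand for the freeze step; the delete function should be scoped by a tag condition so it can only remove snapshots it created.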

Page 11: Dynamic DNS for Route 53

Diagram: an Amazon CloudWatch Event on instance state changes triggers AWS Lambda, which updates records in an Amazon Route 53 Private Hosted Zone and keeps state in Amazon DynamoDB. Instances, including Auto Scaling group members, carry tags such as:

ZONE=ddnslambda.com
CNAME=svr1.ddnslambda.com

ZONE=ddnslambda.com
CNAME=asg-svr##.ddnslambda.com

ZONE=ddnslambda.com
CNAME=tst1.ddnslambda.com

ZONE=ddnslambda.com
CNAME=svr4.ddnslambda.com

ZONE=ddnslambda.com
CNAME=svr7.ddnslambda.com

On-premises DNS clients reach the zone over Direct Connect or a VPN Gateway through a DNS forwarder and Simple AD.

Notice: No Internet/NAT required!
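The record update the "Dynamic DNS for Route 53" slide sketches, as an added example rather than the deck's code. It consumes the CloudWatch Events "EC2 Instance State-change Notification", reads the instance's ZONE and CNAME tags and builds the Route 53 change batch. Assumptions of this example: the record is a CNAME to the instance's VPC-internal DNS name, "##" in a CNAME tag is replaced by the lowest free two-digit sequence number in that zone, and the DynamoDB table is a dict so the DELETE on termination can reproduce the record exactly.

```python
# Added example (not code from the original deck): the tag-driven record
# update sketched on the "Dynamic DNS for Route 53" slide. My assumptions:
# the record is a CNAME to the instance's VPC-internal DNS name; "##" in a
# CNAME tag (Auto Scaling members) is replaced by the lowest free two-digit
# sequence number in that zone; the DynamoDB table is modelled as a dict so
# the DELETE on termination can reproduce the record exactly (Route 53
# rejects a DELETE whose TTL or value differs from the existing record).
TTL = 60


def record_for(instance, registry):
    """Resolve the ZONE/CNAME tags of a describe_instances() record into a record name."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    if "ZONE" not in tags or "CNAME" not in tags:
        return None
    zone, name, seq = tags["ZONE"], tags["CNAME"], None
    if "##" in name:
        used = {r["seq"] for r in registry.values() if r["zone"] == zone and r["seq"]}
        seq = next(n for n in range(1, 100) if n not in used)
        name = name.replace("##", f"{seq:02d}")
    if not name.endswith(zone):
        name = f"{name}.{zone}"
    return {"zone": zone, "name": name + ".", "seq": seq}


def change_batch(action, name, target):
    """ChangeBatch for route53.change_resource_record_sets(HostedZoneId=..., ChangeBatch=...)."""
    return {"Comment": "ddns-lambda", "Changes": [{"Action": action, "ResourceRecordSet": {
        "Name": name, "Type": "CNAME", "TTL": TTL, "ResourceRecords": [{"Value": target}]}}]}


def handle_state_change(event, ec2, registry):
    """Return (zone name, change batch) for the event, or None if nothing to do."""
    if event.get("detail-type") != "EC2 Instance State-change Notification":
        return None
    instance_id, state = event["detail"]["instance-id"], event["detail"]["state"]
    if state == "running":
        inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
        rec = registry.get(instance_id) or record_for(inst, registry)   # stop/start keeps its name
        if rec is None:
            return None
        rec["target"] = inst["PrivateDnsName"]
        registry[instance_id] = rec              # DynamoDB put_item in a real deployment
        return rec["zone"], change_batch("UPSERT", rec["name"], rec["target"])
    if state in ("shutting-down", "terminated"):
        rec = registry.pop(instance_id, None)    # DynamoDB get_item + delete_item
        if rec is None:
            return None
        return rec["zone"], change_batch("DELETE", rec["name"], rec["target"])
    return None


class FakeEC2:
    """Constructed instances: one fixed server, one Auto Scaling member."""
    INSTANCES = {
        "i-0aaaa": {"PrivateDnsName": "ip-10-0-1-10.ap-southeast-2.compute.internal",
                    "Tags": [{"Key": "ZONE", "Value": "ddnslambda.com"}, {"Key": "CNAME", "Value": "svr1"}]},
        "i-0bbbb": {"PrivateDnsName": "ip-10-0-1-23.ap-southeast-2.compute.internal",
                    "Tags": [{"Key": "ZONE", "Value": "ddnslambda.com"},
                             {"Key": "CNAME", "Value": "asg-svr##.ddnslambda.com"}]},
    }

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.INSTANCES[i] for i in InstanceIds]}]}


def state_event(instance_id, state):
    """Constructed CloudWatch Events payload in the shape EC2 emits."""
    return {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
            "detail": {"instance-id": instance_id, "state": state}}


if __name__ == "__main__":
    registry, ec2 = {}, FakeEC2()
    for iid, state in (("i-0bbbb", "running"), ("i-0aaaa", "running"), ("i-0bbbb", "terminated")):
        print(handle_state_change(state_event(iid, state), ec2, registry))
```

Since tags drive what name an instance claims, whoever can set the ZONE and CNAME tags can redirect a record; restrict ec2:CreateTags on those keys to the deployment role, and give the function's role route53:ChangeResourceRecordSets on the private zone only. The function needs no VPC attachment, which is why the slide can say no Internet or NAT is required.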

Page 12: Dynamic Compliance Checking for Cloud Resources

Diagram: actors act on a resource stack. AWS CloudTrail captures all API interaction into Amazon S3; AWS Config captures resource changes; Amazon CloudWatch monitors AWS and application metrics. Service logs (VPC, ELB, S3, CloudFront, etc.) feed the same pipeline.

Level 1: Log
Level 2: Alarm (a CloudWatch alarm or an AWS Config rule alarm initiates action by an Admin)
Level 3: Aggregate/analyze

AWS Config Rules Repo: https://github.com/awslabs/aws-config-rules
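The shape of a custom AWS Config rule Lambda, as an added example; this is not code from the deck or from the aws-config-rules repository. The check it carries ties the tagging slide to this one: an EC2 instance or volume must carry every tag key named in the rule's "requiredTagKeys" parameter (the rule and the parameter name are assumptions of this example). The Config client is passed in and the invoking event is constructed, so the evaluation runs offline; the event fields and the put_evaluations call are the real Config interfaces.

```python
# Added example (not code from the deck or from the aws-config-rules repo):
# the skeleton of a custom AWS Config rule Lambda, filled in with a check that
# an EC2 instance or volume carries every tag key listed in the rule's
# "requiredTagKeys" parameter. The Config client is passed in and the invoking
# event is constructed below, so the evaluation runs offline; the event fields
# and put_evaluations are the real Config interfaces, the rule itself and its
# parameter name are mine.
import json

CHECKED_TYPES = {"AWS::EC2::Instance", "AWS::EC2::Volume"}


def evaluate(item, rule_parameters):
    """Compliance decision for one configuration item -> (ComplianceType, Annotation)."""
    if item["resourceType"] not in CHECKED_TYPES:
        return "NOT_APPLICABLE", "resource type not covered by this rule"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"
    required = {k.strip() for k in rule_parameters.get("requiredTagKeys", "").split(",") if k.strip()}
    missing = sorted(required - set(item.get("tags") or {}))
    if missing:
        return "NON_COMPLIANT", "missing required tag(s): " + ", ".join(missing)
    return "COMPLIANT", "all required tags present"


def lambda_handler(event, context, config_client):
    """Entry point Config invokes on each configuration change of an in-scope resource."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate(item, rule_parameters)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],            # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # The result token ties the answer to this invocation; without this call Config
    # records nothing and the resource silently keeps its previous compliance state.
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class FakeConfig:
    """Constructed stand-in recording what would be sent to AWS Config."""

    def __init__(self):
        self.sent = []

    def put_evaluations(self, Evaluations, ResultToken):
        self.sent.append((ResultToken, Evaluations))
        return {"FailedEvaluations": []}


def config_event(resource_type, resource_id, tags, status="OK"):
    """Constructed invoking event in the shape Config delivers for a change trigger."""
    item = {"resourceType": resource_type, "resourceId": resource_id, "tags": tags,
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2016-06-01T00:00:00.000Z"}
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": json.dumps({"requiredTagKeys": "Owner, CostCentre, Backup"}),
            "resultToken": "token-1"}


if __name__ == "__main__":
    cfg = FakeConfig()
    print(lambda_handler(config_event("AWS::EC2::Instance", "i-0aaa", {"Owner": "ops"}), None, cfg))
```

This is the Level 2 "alarm" of the slide: the NON_COMPLIANT evaluation lands in Config, and a CloudWatch Events rule on Config compliance changes (or the aws-config-rules repository's notification pattern) turns it into the notification to the admin.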

Page 13: Efficient Multi-Region Deployments

Diagram: a user or deploy tools upload a Lambda.zip file to Amazon S3 in Oregon. Cross-Region S3 Replication copies the object to Amazon S3 in Tokyo and Frankfurt. In each region a CloudFormation Stack uses a Custom Resource backed by an AWS Lambda Deployment Function to deploy the replicated artifact.
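The Deployment Function behind the CloudFormation Custom Resource in the diagram above, as an added example rather than the deck's code. A custom resource must answer every Create, Update and Delete request by PUTting a status document to the pre-signed S3 URL in the event; a handler that raises without answering leaves the stack waiting until it times out, and a Delete that reports FAILED blocks stack deletion. The response fields are the real custom-resource protocol; `deploy` is a stand-in that only reports what it would deploy from the replicated bucket, and `opener` lets the PUT be captured offline.

```python
# Added example (not code from the deck): the Deployment Function behind the
# CloudFormation Custom Resource in the multi-region diagram. The response
# fields are the real custom-resource protocol; `deploy` is a stand-in of mine
# that only reports what it would deploy from the replicated bucket, and
# `opener` lets the PUT be captured offline instead of going to S3.
import json
import urllib.request


def build_response(event, status, reason, data=None, physical_id=None):
    """Body CloudFormation expects at event["ResponseURL"]."""
    return {
        "Status": status,                     # "SUCCESS" or "FAILED"
        "Reason": reason,
        # Changing the physical ID on Update makes CloudFormation send a Delete for
        # the old one afterwards, so keep it stable unless a replacement is intended.
        "PhysicalResourceId": physical_id or event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},                   # readable in the template via Fn::GetAtt
    }


def send_response(event, body, opener=urllib.request.urlopen):
    """PUT the body to the pre-signed URL; the URL is signed for an empty Content-Type."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(event["ResponseURL"], data=payload, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(payload))})
    with opener(req) as resp:
        return resp.status


def handler(event, context, deploy, opener=urllib.request.urlopen):
    """Custom resource entry point: always answers, whatever happens."""
    try:
        if event["RequestType"] == "Delete":
            body = build_response(event, "SUCCESS", "nothing to remove")
        else:
            props = event["ResourceProperties"]
            version = deploy(props["Bucket"], props["Key"], props["Region"])
            body = build_response(event, "SUCCESS", "deployed", {"Version": version},
                                  physical_id=f"{props['Bucket']}/{props['Key']}")
    except Exception as exc:                  # report the failure, never hang the stack
        body = build_response(event, "FAILED", f"{type(exc).__name__}: {exc}"[:256])
    send_response(event, body, opener)
    return body


class FakeResponse:
    """Constructed stand-in for the HTTP response of the pre-signed PUT."""
    status = 200

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def recording_opener(log):
    """Opener that records each PUT instead of sending it."""
    def opener(req):
        log.append((req.full_url, json.loads(req.data)))
        return FakeResponse()
    return opener


def failing_deploy(bucket, key, region):
    """Constructed deploy step for the failure path (replica not yet in this region)."""
    raise RuntimeError("replica not yet present")


def sample_event(request_type):
    """Constructed custom-resource request of the kind CloudFormation sends."""
    return {"RequestType": request_type,
            "ResponseURL": "https://cloudformation-custom-resource-response.example/presigned",
            "StackId": "arn:aws:cloudformation:ap-northeast-1:123456789012:stack/app/guid",
            "RequestId": "req-1", "LogicalResourceId": "DeployLambda",
            "ResourceProperties": {"Bucket": "artifacts-tokyo", "Key": "Lambda.zip", "Region": "ap-northeast-1"}}


if __name__ == "__main__":
    log = []
    print(handler(sample_event("Create"), None, lambda b, k, r: f"{b}/{k}@{r}", recording_opener(log)))
    print(handler(sample_event("Update"), None, failing_deploy, recording_opener(log)))
```

The failure path matters with cross-region replication: the stack in Tokyo may run before the replicated Lambda.zip has arrived, so the deployment function should check the object exists (and, if the template passes an expected ETag or version, that it matches) and report FAILED rather than deploy a stale copy.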

Page 14: AWS Tips – Your Choice (audience vote slide, as on Page 5)

Page 15: Security – General Recommendations

Data Protection; Privilege Management; Infrastructure Protection; Detective Controls

Page 16: Key Services and Recent Feature Releases

Amazon Inspector, AWS Certificate Manager, AWS Web Application Firewall, AWS Key Management Service, AWS CloudHSM

Page 17: Reducing Your Attack Surface Area

Diagram: legitimate users and bad actors reach Amazon CloudFront, which fronts static assets in Amazon S3 and a custom origin (with an RDS DB instance) inside a region, protected by a Security Group and AWS WAF. An AWS Lambda function subscribed to Amazon SNS updates the Security Group from the ip-ranges.json object in Amazon S3; a second Lambda function feeds CloudFront logs and third-party IP reputation lists into AWS WAF to block bad actors.

1. Use AWS WAF
2. Amazon S3 Origin Access Identities
3. Whitelist a pre-shared secret origin header
4. Whitelist the CloudFront IP range; subscribe to Amazon SNS notifications on changes to IP ranges
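Controls 3 and 4 from the list above as code, as an added example rather than the deck's. For control 4 it plays the Lambda subscribed to the AmazonIpSpaceChanged SNS topic: the notification carries the URL and MD5 of ip-ranges.json, the function verifies the file against that MD5 before trusting it, picks the CLOUDFRONT prefixes and computes the exact rules to add to and revoke from the origin's security group. For control 3 it is the origin-side check of the pre-shared secret header with a constant-time comparison. The sample ip-ranges.json, the security group, the header name and the port are constructed assumptions.

```python
# Added example (not code from the deck): two of the four origin-protection
# controls on this slide, on constructed inputs. Header name, port, group IDs
# and prefixes are my assumptions; the notification fields (url, md5,
# create-time) are those of the real AmazonIpSpaceChanged topic.
import hashlib
import hmac
import json

ORIGIN_PORT = 443
SECRET_HEADER = "X-Origin-Secret"

SAMPLE_IP_RANGES = json.dumps({"syncToken": "1464739200", "createDate": "2016-06-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.84.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "54.182.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.84.0.0/15", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "13.54.0.0/15", "region": "ap-southeast-2", "service": "EC2"},
    ]}).encode()
SAMPLE_SNS_MESSAGE = {"url": "https://ip-ranges.amazonaws.com/ip-ranges.json",
                      "md5": hashlib.md5(SAMPLE_IP_RANGES).hexdigest(),
                      "create-time": "2016-06-01-00-00-00"}


def matches_notification(body, notification):
    """Control 4, step 1: the downloaded file is the one the notification announced."""
    return hmac.compare_digest(hashlib.md5(body).hexdigest(), notification["md5"])


def cloudfront_prefixes(body, notification):
    """CLOUDFRONT CIDRs from ip-ranges.json, refusing a file that fails the MD5 check."""
    if not matches_notification(body, notification):
        raise ValueError("ip-ranges.json does not match the MD5 in the SNS notification")
    return {p["ip_prefix"] for p in json.loads(body)["prefixes"] if p["service"] == "CLOUDFRONT"}


def current_cidrs(group):
    """CIDRs a describe_security_groups() entry already allows on ORIGIN_PORT."""
    return {r["CidrIp"] for perm in group["IpPermissions"]
            if perm.get("FromPort") == ORIGIN_PORT and perm.get("ToPort") == ORIGIN_PORT
            for r in perm["IpRanges"]}


def plan(group, desired):
    """(to_authorize, to_revoke) that leave the group allowing exactly `desired`."""
    have = current_cidrs(group)
    return sorted(desired - have), sorted(have - desired)


def ip_permissions(cidrs):
    """Argument shape for authorize_/revoke_security_group_ingress(IpPermissions=...)."""
    return [{"IpProtocol": "tcp", "FromPort": ORIGIN_PORT, "ToPort": ORIGIN_PORT,
             "IpRanges": [{"CidrIp": c} for c in cidrs]}]


def apply_plan(ec2, group, desired):
    """Add first, then revoke, so the origin is never unreachable between the two calls."""
    add, drop = plan(group, desired)
    if add:
        ec2.authorize_security_group_ingress(GroupId=group["GroupId"], IpPermissions=ip_permissions(add))
    if drop:
        ec2.revoke_security_group_ingress(GroupId=group["GroupId"], IpPermissions=ip_permissions(drop))
    return add, drop


def origin_header_ok(headers, secret):
    """Control 3: accept the request only if the CloudFront-injected header matches."""
    presented = headers.get(SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode(), secret.encode())


SAMPLE_GROUP = {"GroupId": "sg-0origin", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "54.182.0.0/16"}, {"CidrIp": "203.0.113.0/24"}]}]}

if __name__ == "__main__":
    wanted = cloudfront_prefixes(SAMPLE_IP_RANGES, SAMPLE_SNS_MESSAGE)
    print("authorize/revoke:", plan(SAMPLE_GROUP, wanted))
    print("header ok:", origin_header_ok({SECRET_HEADER: "s3cret"}, "s3cret"))
```

Two practical notes. The real CLOUDFRONT list has more entries than one security group's inbound rule quota, so the production version of this function spreads the ranges across several groups; today the managed prefix list com.amazonaws.global.cloudfront.origin-facing removes the need to maintain the rules at all. And control 4 alone only proves the request came through CloudFront, not through your distribution, which is why the slide pairs it with the secret header of control 3; rotate that header value by adding the new value to the origin check before changing it on the distribution.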

Page 18: S3 Event Notification – Automating Object Processing for Security

Diagram: a user uploads to Amazon S3 through Amazon API Gateway. The Object Created event fans out via S3 Event Notifications to AWS Lambda functions, which pass the S3 object details by API call to third-party or DIY malware scanning. The result callback (an API event through Amazon API Gateway) reaches an AWS Lambda function that deletes or retains the object. Further AWS Lambda functions maintain secondary lists in Amazon DynamoDB, Amazon ElastiCache and Amazon Elasticsearch, and notify through Amazon SNS.
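The "Object Created" function of the pipeline above, as an added example rather than the deck's code. It parses the S3 event records (object keys arrive URL-encoded, with spaces as "+"), fetches the object, runs a scan and either retains the object or moves it to a quarantine bucket, recording the verdict in a table. The scanner is a stand-in (SHA-256 lookup in a secondary list of known-bad hashes); a real deployment hands the object to a third-party engine and takes the verdict from its callback. S3 and the verdict table are modelled in memory and the sample objects are constructed.

```python
# Added example (not code from the deck): the "Object Created" Lambda of the
# S3 Event Notification pipeline, on constructed inputs. The scanner is a
# stand-in of mine (hash lookup); S3 and the verdict table are in memory.
import hashlib
import urllib.parse

KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}   # "secondary list"
CREATE_EVENTS = {"ObjectCreated:Put", "ObjectCreated:Post", "ObjectCreated:Copy",
                 "ObjectCreated:CompleteMultipartUpload"}


def created_objects(event):
    """(bucket, key) for each ObjectCreated record; keys are URL-decoded."""
    for rec in event.get("Records", []):
        if rec.get("eventSource") != "aws:s3" or rec.get("eventName") not in CREATE_EVENTS:
            continue
        yield rec["s3"]["bucket"]["name"], urllib.parse.unquote_plus(rec["s3"]["object"]["key"])


def scan(data):
    """DIY scan: hash lookup. Returns ("clean" | "infected", sha256)."""
    digest = hashlib.sha256(data).hexdigest()
    return ("infected" if digest in KNOWN_BAD_SHA256 else "clean"), digest


def process_event(event, store, verdicts, quarantine_bucket):
    """Scan every new object, quarantine hits, record all verdicts."""
    results = []
    for bucket, key in created_objects(event):
        verdict, digest = scan(store.get(bucket, key))
        if verdict == "infected":
            store.copy(bucket, key, quarantine_bucket, f"{bucket}/{key}")   # keep the evidence
            store.delete(bucket, key)
        verdicts[f"{bucket}/{key}"] = {"verdict": verdict, "sha256": digest}
        results.append((key, verdict))
    return results


class MemoryStore:
    """Constructed stand-in for the S3 get_object / copy_object / delete_object calls."""

    def __init__(self, objects):
        self.objects = dict(objects)

    def get(self, bucket, key):
        return self.objects[(bucket, key)]

    def copy(self, src_bucket, src_key, dst_bucket, dst_key):
        self.objects[(dst_bucket, dst_key)] = self.objects[(src_bucket, src_key)]

    def delete(self, bucket, key):
        del self.objects[(bucket, key)]


def s3_event(bucket, *keys):
    """Constructed notification in the shape S3 delivers (keys URL-encoded)."""
    return {"Records": [{"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
                         "s3": {"bucket": {"name": bucket}, "object": {"key": urllib.parse.quote_plus(key)}}}
                        for key in keys]}


if __name__ == "__main__":
    store = MemoryStore({("uploads", "report 2016.pdf"): b"benign bytes",
                         ("uploads", "invoice.exe"): b"constructed malicious sample"})
    verdicts = {}
    print(process_event(s3_event("uploads", "report 2016.pdf", "invoice.exe"), store, verdicts, "quarantine"))
    print(verdicts)
```

Two details worth keeping from this: the key is decoded with unquote_plus because S3 encodes a space as "+" in the notification (a literal "+" in a key arrives as "%2B", so the decoding is unambiguous), and the object is copied to quarantine before it is deleted so nothing is lost if the delete succeeds and the copy fails. The upload bucket should deny s3:GetObject to everything except the scanner until the verdict is recorded; otherwise the scan is a race the consumer can win.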

Page 19: Use Short Lived Credentials Where Possible

Diagram: AWS STS issues temporary security credentials via AssumeRole to an EC2/ECS instance role, to clients (bob, alice, carol) federated through an Identity Provider, for Service APIs and for Cross-Account API Access. For the console, the Console Federation Endpoint is called with getSigninToken&Session=###... and then login&SigninToken=###...

No IAM Users!
No long-term security credentials!
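The console federation flow from this slide, as an added example rather than the deck's code. `assume_role` is the one boto3 call (imported lazily so the rest runs offline); `signin_token_url` and `console_login_url` build the two requests to the Console Federation Endpoint that the slide names, getSigninToken&Session=... and login&SigninToken=... The role ARN, issuer, destination and sample credentials are placeholders of this example.

```python
# Added example (not code from the deck): the console federation flow from
# the "Use Short Lived Credentials" slide. Role ARN, issuer, destination and
# the sample credentials are placeholders of this example.
import json
import urllib.parse

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_HOME = "https://console.aws.amazon.com/"
ISSUER = "https://idp.example.com"        # placeholder: shown to the user as the sign-in source


def assume_role(role_arn, session_name, duration_seconds=3600):
    """STS AssumeRole: returns {"AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"}."""
    import boto3                           # only needed for the live call
    sts = boto3.client("sts")
    return sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration_seconds)["Credentials"]


def signin_token_url(credentials, session_duration=None):
    """Step 1: getSigninToken. The temporary credentials ride in the Session parameter,
    so this request is made server-side over HTTPS and must never be logged."""
    session = {"sessionId": credentials["AccessKeyId"],
               "sessionKey": credentials["SecretAccessKey"],
               "sessionToken": credentials["SessionToken"]}
    params = {"Action": "getSigninToken", "Session": json.dumps(session)}
    if session_duration:                   # console session length, independent of the STS one
        params["SessionDuration"] = str(session_duration)
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def console_login_url(signin_token, destination=CONSOLE_HOME, issuer=ISSUER):
    """Step 2: the URL handed to the browser. It carries only the short-lived token."""
    params = {"Action": "login", "Issuer": issuer, "Destination": destination, "SigninToken": signin_token}
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def federated_console_url(credentials, fetch):
    """Both steps: fetch(url) returns the endpoint's body, {"SigninToken": "..."}."""
    token = json.loads(fetch(signin_token_url(credentials)))["SigninToken"]
    return console_login_url(token)


def query(url):
    """Decoded query parameters of a URL built above (for inspection and tests)."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))


SAMPLE_CREDENTIALS = {  # constructed, shaped like an AssumeRole response
    "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FQoDYXdzEXAMPLETOKEN", "Expiration": "2016-06-01T01:00:00Z"}

if __name__ == "__main__":
    # Live use: creds = assume_role("arn:aws:iam::123456789012:role/ConsoleUser", "bob")
    # and fetch = lambda u: urllib.request.urlopen(u).read()
    print(federated_console_url(SAMPLE_CREDENTIALS, lambda u: '{"SigninToken": "demo-token"}'))
```

The split between the two steps is the security point: the first URL contains the secret key and session token and is only ever sent by the federation broker; the browser only ever sees the second URL, whose token is single-use and short-lived. Keep the RoleSessionName set to the federated user's identity so CloudTrail attributes the console session to bob, alice or carol rather than to the role.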

Page 20: AWS Tips – Your Choice (audience vote slide, as on Page 5)

Page 21: Cost Optimisation – General Recommendations

On-Demand, Reserved and Spot Instances; Amazon EC2 RI Marketplace; Appropriate Storage Class Based on Requirements; Measure and Monitor; Evolve Architecture with New Services; Consolidated Billing

Page 22: Key Services and Recent Feature Releases

AWS Trusted Advisor, AWS Lambda, AWS Database Migration Service, AWS Service Catalog

Page 23: Offload Functions to Other Services

Diagram: data arriving from users through an API and AWS Lambda is written to an Amazon DynamoDB Table; DynamoDB Streams trigger AWS Lambda to push the data on to Amazon Elasticsearch Service. Amazon ElastiCache and Amazon SQS take the load when "Data throughput exceeded" is reported.

Page 24: Uncovering Cost Optimisation Opportunities

Set up metrics to define success and track progress
Auto-Tag resources with AWS Config Rules, CloudTrail or CloudWatch Events
Schedule or set policy to downsize resources with Auto Scaling, Lambda and CloudWatch
Report on savings
Recommend RIs to purchase
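An auto-tagging function of the kind the "Auto-Tag resources with ... CloudTrail or CloudWatch Events" line refers to, as an added example rather than the deck's code. CloudWatch Events delivers the CloudTrail record for RunInstances as the event's "detail"; the function extracts the new instance IDs and the calling principal, looks up the instances' volumes, and builds the CreateTags call so every resource records who created it and when, serving the operations, security and cost-allocation uses of tags from Page 8. The event is constructed and the tag keys and the EC2 stand-in are assumptions.

```python
# Added example (not code from the deck): auto-tagging new EC2 instances and
# their volumes from the CloudTrail RunInstances record that CloudWatch Events
# delivers. The event below is constructed; tag keys and the EC2 stand-in are mine.
def principal_name(user_identity):
    """Human-readable caller from a CloudTrail userIdentity block."""
    kind = user_identity.get("type")
    if kind == "IAMUser":
        return user_identity["userName"]
    if kind == "AssumedRole":            # arn:...:assumed-role/RoleName/SessionName
        return user_identity["arn"].split(":assumed-role/", 1)[1]
    if kind == "Root":
        return "root"
    return user_identity.get("arn", "unknown")


def created_instance_ids(detail):
    """Instance IDs from a RunInstances responseElements block."""
    if detail.get("eventName") != "RunInstances" or "responseElements" not in detail:
        return []
    return [i["instanceId"] for i in detail["responseElements"]["instancesSet"]["items"]]


def creator_tags(detail):
    """Tags that record who created the resource, when, and from where."""
    return [{"Key": "Creator", "Value": principal_name(detail["userIdentity"])},
            {"Key": "CreatedAt", "Value": detail["eventTime"]},
            {"Key": "SourceIP", "Value": detail.get("sourceIPAddress", "unknown")}]


def tag_new_instances(event, ec2):
    """Tag the instances from one RunInstances event and the volumes attached to them."""
    detail = event["detail"]
    if detail.get("errorCode"):             # failed calls appear in CloudTrail too
        return []
    instance_ids = created_instance_ids(detail)
    if not instance_ids:
        return []
    # RunInstances' response does not list volumes yet, so look them up; right after
    # launch they may still be attaching, so a production version retries briefly.
    volumes = ec2.describe_volumes(Filters=[{"Name": "attachment.instance-id", "Values": instance_ids}])
    resources = instance_ids + [v["VolumeId"] for v in volumes["Volumes"]]
    ec2.create_tags(Resources=resources, Tags=creator_tags(detail))
    return resources


class FakeEC2:
    """Constructed stand-in for describe_volumes / create_tags."""
    VOLUMES = {"i-0aaa": ["vol-0aaa"], "i-0bbb": ["vol-0bbb"]}

    def __init__(self):
        self.tagged = []

    def describe_volumes(self, Filters):
        ids = Filters[0]["Values"]
        return {"Volumes": [{"VolumeId": v, "Attachments": [{"InstanceId": i}]}
                            for i in ids for v in self.VOLUMES.get(i, [])]}

    def create_tags(self, Resources, Tags):
        self.tagged.append((Resources, Tags))


SAMPLE_EVENT = {  # constructed, in the shape CloudWatch Events delivers CloudTrail records
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail", "detail": {
        "eventVersion": "1.05", "eventTime": "2016-06-01T02:03:04Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Deployers/alice"},
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa"}, {"instanceId": "i-0bbb"}]}}}}

if __name__ == "__main__":
    ec2 = FakeEC2()
    print(tag_new_instances(SAMPLE_EVENT, ec2), ec2.tagged)
```

The "Creator" value for an assumed role is RoleName/SessionName, which is only as meaningful as the session names callers use; that is one more reason to require a federated identity as the RoleSessionName (see the short-lived credentials slide). Combined with the required-tags Config rule, this gives every instance an owner without asking anyone to remember to tag.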

Page 25: Server-less Architectures – Voting App

Diagram (the voting app used during this session): You send an SMS to the API Gateway Provider, which calls Amazon API Gateway and AWS Lambda; the vote is stored in Amazon DynamoDB. A further AWS Lambda function reads Amazon DynamoDB and writes the results to Amazon S3; the results page is served from Amazon S3 via Amazon Route 53, with Amazon Cognito supplying the page's credentials. The slide numbers the flow 1 to 6.

Page 26: AWS Tips – Your Choice (audience vote slide, as on Page 5)

Page 27: Key Takeaways…

“Invisible IT Ops”
“No server is easier to manage than no server”
“Server-less IT isn’t just for business applications”

Page 28: AWS Training & Certification

Intro Videos & Labs: Free videos and labs to help you learn to work with 30+ AWS services – in minutes!

Training Classes: In-person and online courses to build technical skills – taught by accredited AWS instructors

Online Labs: Practice working with AWS services in a live environment – learn how related services work together

AWS Certification: Validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready

Learn more: aws.amazon.com/training

Page 29: Your Training Next Steps

Visit the AWS Training & Certification pod to discuss your training plan & AWS Summit training offer
Register & attend AWS instructor-led training
Get Certified
AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag

Learn more: aws.amazon.com/training

Page 30: (no slide text)

Page 31: Thank You!