Pre-Launch Checklist for Going Production on AWS
DESCRIPTION
Today's IT enterprises are leveraging AWS for a variety of workloads. Many talks focus on technical outcomes and how to achieve them, but in this talk we're going to take a step back. When we're thinking about moving our major production workloads to a new home on AWS, we reserve the right to be a little paranoid. We'll take a look at the appropriate technical and non-technical account management strategies to ensure that the same well-established IT governance and controls can not only be met but exceeded when you run production on AWS.
TRANSCRIPT
Pre-Launch Checklist
What to do Before Going Production on AWS
Sami Zuhuruddin
Pre-Launch Checklist
01. Security
02. Accounts
03. Support
04. Cost
05. MFA
06. CloudTrail
07. IAM
08. Network
09. Tag
10. Automate
01. Security
• Gather internal feedback
  – Compliance and regulatory requirements
  – Data classification implications
• Involve security owners from the start
  – Environment validation and testing
01. Security
Shared Security Model (diagram)
AWS is responsible for the security OF the Cloud:
  – Foundation Services: Compute, Storage, Database, Network
  – AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
  – Customer Data
  – Platform, Applications, Identity & Access Management
  – Operating System, Network & Firewall Configuration
  – Client-side Data Encryption & Data Integrity Authentication
  – Server-side Encryption (File System and/or Data)
  – Network Traffic Protection (Encryption/Integrity/Identity)
01. Security
• Understand Platform Capabilities
  – MFA
  – Encryption
  – CloudHSM
  – Network Controls
(Slide icons: Amazon Redshift, AWS CloudHSM)
02. Accounts
• Master Account – Email Alias
  – What happens when [email protected] leaves?
  – Make it something meaningful like
  – Make sure relevant owners are in that alias
    • i.e. department director, finance owner
  – Secure it with MFA
  – This account is 'root'
    • Don't use it & don't generate API credentials
02. Accounts
Consolidated Billing
• Receive a single bill for all charges incurred across all linked accounts
• Share RI discounts
• Combine tiering benefits
• Facilitates a company-wide strategy for accounts
• No resources under the payer account
(Diagram: the payer account receives one bill covering Accounts 1-4, each of which also sees its regular bill; RI discounts are shared and tiering is combined across the linked accounts)
02. Accounts
• Invoicing
  – Major convenience – no more credit cards
  – Make sure you set up AWS as a vendor BEFORE switching to invoicing (hint hint - check with accounting first)
• Get in touch
  – Your account manager and solution architect are here to help
  – Not a must if you're self-sufficient, but if you're planning on doing something and want a second pair of eyes or to understand best practices, please get in touch
03. Support
Four Levels of Support
• Opt-In Model
  – But that doesn't mean you should go without it
• When should you add support?
  – Development - not getting the expected results or simply want to get help with a problem
  – Production - extremely / highly recommended if you have a service where people might complain if it's down (most of us do)
03. Support
Trusted Advisor
• Infrastructure audits
  – Saves money
  – Improves availability
  – Closes security gaps
  – Increases performance
• Recent performance
  – 1,700,000+ recommendations
  – $300M+ in annualized savings
04. Cost
• Model your costs
  – http://calculator.s3.amazonaws.com/index.html
  – Share estimates via link and revise as needed
04. Cost
• Billing Insight
  – Invoices via email
  – Billing Alerts
  – Billing Reports
  – Cost Allocation Reports
04. Cost
• Reserved Instances
  – Significant discount on the hourly rate
  – Low, one-time upfront fee
  – Available in one or three year reservations
  – Implement as soon as usage can be trended
  – Choose optimal reservation type based on expected usage:
    • Light: between 11% - 19%
    • Medium: between 19% - 35%
    • Heavy: running > 35% of the time
(Chart: utilization across the 24 hours of a day)
04. Cost
• Spot Market
  – Bid on unused EC2 capacity
  – Great option for resumable workloads
  – Checkpoint often (to S3 or external db)
  – Test and then test again
  – Instances can be taken back anytime (when bid is exceeded)
  – Savings over on-demand can be very compelling
05. Multi-Factor Authentication
• Supplements user name and password to require a one-time code for authentication
• Two types: physical and virtual
• Enable for master account
• Also enable for all privileged users … no reason not to
05. Multi-Factor Authentication
• Can be used for more than just logging in:
  – Protecting objects or buckets in S3 from accidental deletion
  – Changing rules in a Security Group
  – Adding users in IAM
  – Terminating a CloudFormation stack
  – Almost anything…
Example policy from the slide (denies terminating EC2 instances unless the caller authenticated with MFA, i.e. unless aws:MultiFactorAuthAge is present in the request):
{
  "Statement": [{
    "Effect": "Deny",
    "Action": ["ec2:TerminateInstances"],
    "Resource": ["*"],
    "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}
  }]
}
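To see exactly when the Deny above applies, here is a small evaluator for its Null condition, written for this page as an added example (not code from the talk). It also models a second statement of my own (an assumption, not on the slide) that uses NumericGreaterThan to deny the same action when the MFA code is older than an hour; it only decides whether the explicit Deny matches, not the full IAM allow/deny evaluation.

```python
from typing import Optional

# Policy from the slide: deny terminating instances when no MFA age is present.
DENY_WITHOUT_MFA = {
    "Effect": "Deny",
    "Action": ["ec2:TerminateInstances"],
    "Resource": ["*"],
    "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}},
}

# Variant (assumption for this example): also deny when the MFA code is older than an hour.
DENY_STALE_MFA = {
    "Effect": "Deny",
    "Action": ["ec2:TerminateInstances"],
    "Resource": ["*"],
    "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": "3600"}},
}

def request_context(mfa_age: Optional[int]) -> dict:
    """Subset of the IAM request context these statements look at. None models a
    session that never presented MFA, so aws:MultiFactorAuthAge is simply absent."""
    return {} if mfa_age is None else {"aws:MultiFactorAuthAge": mfa_age}

def condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate the two operators used above. Null/"true" matches when the key is
    absent; NumericGreaterThan never matches a missing key (statement does not apply)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if operator == "Null":
                if (key not in ctx) != (wanted == "true"):
                    return False
            elif operator == "NumericGreaterThan":
                if key not in ctx or not ctx[key] > int(wanted):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True

def is_denied(statement: dict, action: str, ctx: dict) -> bool:
    """True when this explicit Deny applies to the action under the given context.
    (Real IAM also needs a matching Allow; this only models the Deny shown above.)"""
    if statement["Effect"] != "Deny" or action not in statement["Action"]:
        return False
    return condition_matches(statement.get("Condition", {}), ctx)
```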
06. CloudTrail
• Records API calls in your account and delivers a log file to your S3 bucket.
• Typically, delivers an event within 15 minutes of the API call.
• Log files are delivered approximately every 5 minutes.
• Multiple partners offer integrated solutions to analyze log files.
Image Source: Jeff Barr
06. CloudTrail
Image Source: Jeff Barr
• Who made the API call?
• When was the API call made?
• What was the API call?
• What were the resources that were acted up on in the API call?
• Where was the API call made from?
{
  "eventVersion": "1.01",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJDPLRKLG7UEXAMPLE",
    "arn": "arn:aws:iam::123456789012:Alice",
    "accountId": "123456789012"
  },
  "eventTime": "2014-07-08T17:36:04Z",
  "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "10.0.0.1",
  "userAgent": "AWS Console Access",
  "requestParameters": null,
  "responseElements": { "ConsoleLogin": "Success" },
  "additionalEventData": {
    "MobileVersion": "No",
    "LoginTo": "https://console.aws.amazon.com/sns",
    "MFAUsed": "Yes"
  },
  "eventID": "example-even-tide-xamp-123456789012"
}
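The five questions above map directly onto fields of the event shown. As an added example (not from the talk), the following pulls who/when/what/resources/where out of each record and flags successful console logins where MFAUsed is not "Yes", a check worth running once CloudTrail is on. The log document is constructed for this example; the field names follow the slide's event, and the instancesSet layout of the TerminateInstances record is an assumption.

```python
import json

# Constructed sample log: the slide's MFA login, a login without MFA, and a
# TerminateInstances call. Field names follow the slide's event.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-07-08T17:36:04Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.0.1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:Alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2014-07-08T18:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:Bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-07-08T18:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:Bob"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0example"}]}}},
]})

def records(log_text: str) -> list:
    """CloudTrail delivers a JSON document with a top-level 'Records' array."""
    return json.loads(log_text)["Records"]

def summarize(record: dict) -> dict:
    """Who / when / what / which resources / from where, for one record."""
    params = record.get("requestParameters") or {}
    items = params.get("instancesSet", {}).get("items", [])
    return {
        "who": record["userIdentity"].get("arn", record["userIdentity"]["type"]),
        "when": record["eventTime"],
        "what": f'{record["eventSource"]}:{record["eventName"]}',
        "resources": [i["instanceId"] for i in items if "instanceId" in i],
        "where": record["sourceIPAddress"],
    }

def console_logins_without_mfa(log_text: str) -> list:
    """Return the 'who' of every successful console login that did not use MFA."""
    hits = []
    for rec in records(log_text):
        if rec["eventName"] != "ConsoleLogin":
            continue
        if (rec.get("responseElements") or {}).get("ConsoleLogin") != "Success":
            continue
        if (rec.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
            hits.append(summarize(rec)["who"])
    return hits
```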
06. CloudTrail
Partner Solutions … in addition to Amazon CloudWatch
07. IAM
• Grant Least Privilege Policies
  – Use policy templates
  – Avoid assigning *:* policy
  – Easier to relax than to tighten up
  – Less chance of people making mistakes
  – Use conditions where feasible
  – Test your policies in the Policy Simulator
07. IAM
• Use Roles for EC2 instances
  – No more hard-coded credentials
  – Automatic credential rotation
  – Simply launch instance with role
  – Rule of least privilege still applies
  – Fully integrated with AWS SDKs
07. IAM
• SSO Federation
  – Supports SAML 2.0
  – AWS Management Console login
  – Pre-packaged samples:
    • Windows Active Directory
    • Shibboleth
  – Enterprise controlled onboarding and offboarding of AWS users
  – Makes use of IAM roles
  – Can be leveraged across several AWS accounts
(Diagram: Enterprise SSO federating into AWS)
08. Network
• Planning is everything
  – VPCs will represent data centers in your environment
  – Choose an RFC1918 scheme that fits in your enterprise and can scale across many VPCs
  – Connectivity options:
    • VPN
    • AWS Direct Connect
    • None (Bastion Host)
(Diagram: VPC connectivity to the Internet)
08. Network
Traffic Filtering – what does what?
Network ACLs:
• Applied to subnets (1 per subnet)
• Stateless inspection
• Create allow & deny rules
• Are processed in order
Security Groups:
• Applied at the instance ENI level (5 per ENI)
• Stateful inspection
• Create 'allow' rules only
• Are evaluated as a whole
• Can reference other Security Groups in the same VPC
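The practical consequence of "stateless, processed in order" versus "stateful, evaluated as a whole" is easy to get wrong, so here is a small model of both layers as an added example (not code from the talk). It walks an HTTPS request into an instance and the server's reply back out: the security group lets the reply through because it tracked the connection, while a network ACL with no outbound rule for the client's ephemeral port drops it, and a lower-numbered deny beats a later allow. Rule tuple formats and addresses are constructed for this example and simplified to IPv4/TCP.

```python
from ipaddress import ip_address, ip_network

def in_cidr(ip: str, cidr: str) -> bool:
    return ip_address(ip) in ip_network(cidr)

class NetworkAcl:
    """Subnet level, stateless: rules are tried in ascending rule number, the first
    match wins, and an implicit deny follows the last rule. A reply packet is just
    another packet and needs its own (ephemeral-port) rule in the other direction."""
    def __init__(self, inbound, outbound):
        # rule tuples: (rule_no, cidr, from_port, to_port, "allow" | "deny")
        self.inbound, self.outbound = sorted(inbound), sorted(outbound)

    def allows(self, direction: str, remote_ip: str, port: int) -> bool:
        for _no, cidr, lo, hi, action in getattr(self, direction):
            if in_cidr(remote_ip, cidr) and lo <= port <= hi:
                return action == "allow"
        return False

class SecurityGroup:
    """ENI level, stateful: allow rules only, evaluated as a whole (any match allows);
    the reply of a connection that was allowed in is allowed out automatically."""
    def __init__(self, inbound):
        self.inbound = inbound        # rule tuples: (cidr, from_port, to_port)
        self._tracked = set()         # (client_ip, client_port, server_port)

    def allows_in(self, src_ip: str, src_port: int, dst_port: int) -> bool:
        for cidr, lo, hi in self.inbound:
            if in_cidr(src_ip, cidr) and lo <= dst_port <= hi:
                self._tracked.add((src_ip, src_port, dst_port))
                return True
        return False

    def allows_out(self, dst_ip: str, dst_port: int, src_port: int) -> bool:
        return (dst_ip, dst_port, src_port) in self._tracked

def https_round_trip(acl: NetworkAcl, sg: SecurityGroup,
                     client: str = "203.0.113.7", eph: int = 51022) -> dict:
    """Client SYN to port 443, then the server's reply to the client's ephemeral port;
    report which layer passes each leg (constructed addresses)."""
    inbound_ok = acl.allows("inbound", client, 443) and sg.allows_in(client, eph, 443)
    return {
        "inbound": inbound_ok,
        "reply_acl": acl.allows("outbound", client, eph),
        "reply_sg": sg.allows_out(client, eph, 443),
    }
```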
08. Network
• VPC Peering
  – Connect two VPCs in the same Region
  – Non-overlapping IP space
  – Bridged by routing table entries (both sides of peering relationship)
  – Offer & Accept model
  – Can be used for 'shared services VPC'
(Diagram: two VPCs, 10.0.0.0/16 and 10.1.0.0/16, connected via PeerRequest / PeerAccept)
09. Tagging
• Tag Everything
  – User-defined metadata
  – 10 tags per resource
  – Create tags relevant to you:
    • Department
    • Owner
    • Cost Center
    • Expiration Date
    • Data Sensitivity
09. Tagging
Carried through to billing reports…
• Cost Allocation Report
  – Monthly granularity
  – Product, tag key aggregation
• Detailed Billing Report w/ Resources and Tags
  – Hourly granularity
  – Grouped by resource
  – Has tags
  – Lots and lots of data!
What is my cost by department? How do I do charge-backs?
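Answering "what is my cost by department?" from the detailed billing report is a matter of grouping rows by a tag column; the following is an added example (not from the talk) that does that and also lists resources missing the required tags, since untagged spend is what breaks charge-backs. The CSV rows are constructed; the assumption that tags appear as "user:<TagKey>" columns matches the legacy detailed billing report with resources and tags, and the REQUIRED_TAGS list is my own choice.

```python
import csv
from collections import defaultdict
from io import StringIO

REQUIRED_TAGS = ["Department", "Owner", "Cost Center"]

# Constructed sample of a detailed billing report with resources and tags.
# Real reports expose each tag as a "user:<TagKey>" column and run to many rows.
SAMPLE_REPORT = """\
ProductName,ResourceId,UsageStartDate,Cost,user:Department,user:Owner,user:Cost Center
Amazon EC2,i-0aaa,2014-07-08 00:00:00,0.52,Marketing,alice,CC-100
Amazon EC2,i-0aaa,2014-07-08 01:00:00,0.52,Marketing,alice,CC-100
Amazon RDS,db-0bbb,2014-07-08 00:00:00,1.10,Finance,bob,CC-200
Amazon S3,bucket-ccc,2014-07-08 00:00:00,0.03,,,
"""

def cost_by_tag(report_text: str, tag_key: str = "Department") -> dict:
    """Sum Cost per value of one tag key. Rows with no value for that tag are
    booked under 'UNTAGGED' so unattributable spend stays visible."""
    totals = defaultdict(float)
    for row in csv.DictReader(StringIO(report_text)):
        totals[row.get(f"user:{tag_key}") or "UNTAGGED"] += float(row["Cost"])
    return {key: round(value, 2) for key, value in totals.items()}

def untagged_resources(report_text: str) -> dict:
    """Map each ResourceId that lacks any required tag to the missing tag keys."""
    missing = {}
    for row in csv.DictReader(StringIO(report_text)):
        gaps = [tag for tag in REQUIRED_TAGS if not row.get(f"user:{tag}")]
        if gaps:
            missing[row["ResourceId"]] = gaps
    return missing
```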
10. Automate
API Driven Infrastructure
• AWS Console (GUI)
• Command Line Interface (CLI): Windows PowerShell and Python on Linux
• Software Development Kits (SDK)
• REST API
(Diagram: every path ends at the same API)
10. Automate
Rich set of APIs for your programming platform or language and specialized cloud tools integrated in your development environment
• SDKs: Android, iOS, Java, nodeJS, .NET, PHP, Python, Ruby
• Tools: Eclipse, Visual Studio, CLI, PowerShell
Example CloudFormation template (cut off on the slide):
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "This template creates a CloudFormation stack that uses Amazon CloudFront and an Amazon EC2 AMI for Adobe Flash Media Server 4.5 to enable HTTP streaming of your live event.",
  "Parameters" : {
    "InstanceType" : {
      "Type" : "String",
      "Description" : "The type of Amazon EC2 instance to launch. Valid values are: m1.large, m1.xlarge, m2.xlarge, m2.2xlarge, m2.4xlarge, c1.xlarge.",
      "Default" : "m1.xlarge",
      "AllowedValues" : [ "m1.large","m1.xlarge","m2.xlarge","m2.2xlarge","m2.4xlarge","c1.xlarge" ],
      "ConstraintDescription" : "
10. Automate
Convenience to control: Elastic Beanstalk, OpsWorks, CloudFormation, EC2
(Higher-level services on the convenience end; do it yourself on the control end)