AWS Deployment Best Practices - AWS Symposium 2014 - Washington D.C.

AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
tbixler@amazon.com
AWS Best Practices
Tim Bixler

Choose your use
case well
1

Dev & Test
Spin environments up and
down on demand
Decouple development and test
environments from operations
constraints
Explore elasticity in a
sandboxed environment
Backup & DR
Take part of your data or
business applications step-
by-step into non-production
DR use
Understand cloud dynamics
and test during controlled
failovers
Greenfield
Project
Embody best practice of cloud
computing in unconstrained
greenfield projects
Self contained web projects,
document archiving etc
Low hanging fruit can be easiest to pick
Pain point
Move specific service aspects
causing undue cost or
management burden
Workflows, search indexing,
media streaming, document
archiving, constrained
databases
Choose appropriate use cases

Enterprise Apps
Launch enterprise software
solutions from Microsoft, Oracle,
SAP and others on demand
Customize environments to meet
your specific security and
operational requirements
Deploy repeatable and consistent
deployments in minutes
Big Data & HPC
Solve challenge of increasing
volume, variety, and velocity
of digital information
Deploy large scale compute
clusters in minutes
Accelerate innovation, enable
deep analytics, and scale
without limits
Virtual Desktops
Workspaces fully managed
desktop accessed from choice
of device – laptop computer
(Mac OS or Windows), iPad,
Kindle Fire, or Android tablet.
No-upfront investment, secure
data storage, corp. directory
integration and PCoIP
technology from Teradici
Low hanging fruit can be easiest to pick
Web, Mobile &
Social Apps
Deliver on scalable web and
application servers, storage,
databases, content delivery,
cache, search, and other
application services that make it
easier to build and run apps that
deliver a great customer
experience.
Choose appropriate use cases
Common Government and Education workloads

PoC Production Automation
Understand services
Test performance
Architect for scale
Build cross functional team
capabilities
Implement monitoring
Change control and management
Security management
Scalability
Automate corrective measures
Auto-scaling
Zero downtime deployments
System backup and recovery
Examples Plan evolution & set goals

PoC Production Automation
Understand services
Test performance
Architect for scale
Build cross functional team
capabilities
Implement monitoring
Change control and management
Security management
Scalability
Automate corrective measures
Auto-scaling
Zero downtime deployments
System backup and recovery
Examples Plan evolution & set goals
Amazon Beanstalk
AWS Test Drive
AWS Free Usage Tier
Amazon Beanstalk
Amazon OpsWorks
Amazon Cloud Formation
Amazon Cloud Watch
Amazon IAM
APIs
CLI
Amazon Auto Scaling

AWS app store for business/IT software
• Broad selection
• Instant fulfillment, support of 1-Click and
CloudFormation
• Integrated AWS procurement and payments
• Seamless license management and
‘compliance by default’
Software for Testing, PoC and Production
• IT and business titles for Enterprise
production workloads
• Free, limited, and enterprise versions of
titles – customer can perform a low cost
pilot, then migrate seamlessly to production
• Customers of all sizes – F500 and SMB
• No overprovisioning, use only what you
need
Easy Deployments via AWS Marketplace
http://aws.amazon.com/partners/aws-marketplace/

AWS Architecture Center
Reference Architectures
 Web Application Hosting
 Content and Media Serving
 Batch Processing
 Fault tolerance and High Availability
 Large Scale Processing and Huge Data sets
 Ad Serving
 Disaster Recovery for Local Applications
 File Synchronization
 Media Sharing
 Online Games
 Log Analysis
 Financial Services Grid Computing
 E-Commerce Websites
 Time Series Processing
http://aws.amazon.com/architecture

Govern deployments
2

Create an account structure
that makes sense
Use accounts like environments
where you need separation and
control
e.g.
Dev Sandboxes
Test Environments
Business Units
Products & Services
Govern deployments
Accounts

that makes sense
control
e.g.
Dev Sandboxes
Test Environments
Business Units
Products & Services
Control access to billing
information
Use Amazon IAM users to keep
billing information in the master
account
Consolidate billing into a
single account
Let one account pick up the bill for
multiple ‘sub accounts’
Setup billing alerts and
automated bill reporting
Get Amazon CloudWatch
notifications when billing reaches a
point and output csv reports to
Amazon S3 for analysis
Accounts Billing
Govern deployments

Enable CSV &
Programmatic Access
Billing
Preferences
Billing settings

Dev 1
Dev 2
Test Master Account
Consolidated Billing
Data labeled by
source in Amazon S3
Production
Internal
Systems
Billing Alerts
Bill reached $x
Cost accounting in
favorite package
Billing settings

Dev 1
Dev 2
Test Master Account
Production
Internal
Systems
Dev 1 reached $100
Dev 2 reached $250
Test reached $1,000
Prod reached $1,200
Internal reached $400
Billing settings

that makes sense
control
e.g.
Dev Sandboxes
Test Environments
Business Units
Products & Services
Decide upon a key
management strategy
Control access to Amazon EC2
instances via SSH and embedded
public key:
e.g. Amazon EC2 Key Pair per group
of instances, Amazon EC2 Key Pair
per account
Consider SSH key rotation &
automation
Limit exposure to private key
compromise by rotating keys and
replacing authorized_keys listings on
running instances
Consider bootstrap automation to
grant developer access with
developer unique keypairs
Accounts Billing Access Keys
Govern deployments
information
account
single account

that makes sense
control
e.g.
Dev Sandboxes
Test Environments
Business Units
Products & Services
Accounts Billing Access Keys
Use Amazon IAM Groups to
manage console users and API
access
Provide developers with Amazon IAM
user login and unique API access
credentials
Control & restrict what Amazon IAM
users can do by placing them in groups
with policies
Assign Amazon EC2 Instances
Amazon IAM Roles
Let AWS manage API access credentials
on running instances by assigning a
system entitlement to an instance
e.g. instance can only read Amazon S3
bucket
Groups & Roles
Govern deployments
information
account
single account
Decide upon a key
management strategy
Control access to Amazon EC2
instances via SSH and embedded
public key:
e.g. Amazon EC2 Key Pair per group
of instances, Amazon EC2 Key Pair
per account
Consider SSH key rotation &
automation
Limit exposure to private key
compromise by rotating keys and
replacing authorized_keys listings on
running instances
Consider bootstrap automation to
grant developer access with
developer unique keypairs

Account
Administrators Developers Applications
Bob
Kevin
Tomcat
Jim Brad
Mark
Susan
Reporting
Console
Identity & access management

Account
Bob
Kevin
Tomcat
Jim Brad
Mark
Susan
Reporting
Console
Multi-factor authentication
Groups

AWS system entitlements
RolesAccount
Bob
Kevin
Tomcat
Jim Brad
Mark
Susan
Reporting
Console
Multi-factor authentication
Groups

IAM policies
{
"Statement": [
{
"Allow",
"Action": [
"elasticbeanstalk:*",
"ec2:*",
"elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"s3:*",
"sns:*"
],
"Resource": "*"
}
]
}
Policy driven
Declarative definition of rights for groups
Policies control access to AWS APIs

3
Ensure security

Facilities
Physical security
Compute infrastructure
Storage infrastructure
Network infrastructure
Virtualization layer (EC2)
Hardened service endpoints
Rich IAM capabilities
Network configuration
Security groups
OS firewalls
Operating systems
Applications
Proper service configuration
AuthN & acct management
Authorization policies
+ =
Customer/Partner
• Re-focus your security professionals on a subset of the problem
• Take advantage of high levels of uniformity and automation
Security is a Shared Responsibility

• Apply Your Information Management Program -
that integrates Information Assurance
• Standardize Machine Images – create gold copy
images for production deployment/to launch new
instances
• Build and test in a sandbox environment – work
out the bugs, figure out how to break it, architect to
be resilient
• Do the same stuff you do in-house – quarterly
patch management, IDS/IPS, logging, tripwire, etc.
• Conduct a Risk Assessment - to determine level of
security controls you require
• Role Based Access Controls – restrict access to
system components based upon need to know
• Use Encryption – for data in transit, for data at rest,
filesystem
• Key Management – rotate keys used to access your
resources (AWS does not hold these…you do)
• Setup Monitoring/Alerting – collect metrics and
enable alerting for when events occur
• Vulnerability Scans – allowed via a permission
process (else we will kill/block the source of scans)
• Prepare for Failure – create backups, store data in
more than one location, test backups, have a
contingency system ready
Examples of Customer Responsibilities

Engage with security assessors early in adoption cycle
Leverage shared security model
• Don’t fear assessment – AWS meets high standards
(FedRAMP, DoD CSM, PCI, ISO27001, SOC1…)
• As with any infrastructure provider, security assessments
take time
• Derive value from architecture reviews early in
deployment cycle

Use comprehensive materials and certifications provided by AWS
http://aws.amazon.com/security/
Risk and compliance paper
AWS security processes paper
CSA consensus assessments initiative
questionnaire

Use comprehensive materials and certifications provided by AWS
Build upon features of AWS and implement a ‘security by design’ environment

Build upon AWS features
Amazon IAM
Control users and allow AWS to
manage credentials in running
instances for service access
(allocation, rotation)
APIs vs. Instance
Provide developer API credentials
and control access to SSH keys
Temporary Credentials
Provide developer API credentials
and control access to SSH keys
Instance firewalls
Firewall control on instances via
Security Groups
CLIs and APIs
Instantly audit your entire AWS
infrastructure from scriptable APIs –
generate an on-demand IT inventory
enabled by programmatic nature of
AWS
Subnet control
Create low level networking
constraints for resource access, such
as public and private subnets,
internet gateways and NATs
Bastion hosts
Only allow access for management
of production resources from a
bastion host. Turn off when not
needed
Tiered Access Security Groups Amazon VPC

Build upon AWS features
Store your cryptographic keys
Use your most sensitive and
regulated data on Amazon EC2
without giving applications direct
access to your data's encryption
keys.
Migrate cryptographic
applications
Use AWS CloudHSM in conjunction
with your compatible on-premise
HSMs to replicate keys among on-
premise HSMs and CloudHSMs.
Amazon CloudHSM
Private connections to
Amazon VPC
Secured access to resources in AWS
over software or hardware VPN and
dedicated network links
Amazon Direct Connect &
VPN

Architect to use
cloud strengths
4

Architect to use cloud strengths
e.g. Application performance improvement by migration of static content to Amazon S3/CloudFront
Review application architectures early – assess fit for cloud
Can cloud benefits be leveraged with minimum effort outlay?
e.g. variable capacity requirements, ‘standard’ technology stacks, reference architectures*
*http://aws.amazon.com/architecture
?
?
?
?
e.g. Faster development cycles for dev/test, reduced cap-ex for application environments
Will cloud yield cost savings & agility improvements?
e.g. fully scripted deployments, Amazon IAM & EC2 instance roles, rolling deployments
Can automation lead to a more agile & secure service?

Design systems that can suffer
instance loss
Dispose of compute when it is not
required
Disposable compute
✓
✓ ✓
✓

Disposable compute
Flexible capacity
Design for systems that potentially
scale from zero instances to hundreds
Use Auto-scaling (events, schedules
etc) to drive capacity availability
✓
✓ ✓
✓
✓
✓

Utilize 99.999999999% durability of
objects in S3
Scale databases with RDS and use
DynamoDB for high throughput NoSQL
Disposable compute
Flexible capacity
Cost effective & reliable storage
✓
✓ ✓
✓
✓
✓

Disposable compute
Flexible capacity
Cost effective storage
Automation and control
Automate everything from scaling to
instance recovery from failure
✓ ✓✓

1 Create instance of your OS choice
2 Configure environment
3 Install software
4 Create Amazon Machine Image (AMI) from instance
5 Launch fully configured instances from AMI
Bootstrapping – custom AMIs
AMI
Custom machine
image
Instance
Auto-scaling
Manual deployments
Programmatic deployments

ami-id
ami-launch-index
ami-manifest-path
block-device-mapping
hostname
instance-action
instance-id
Instance-type
kernel-id
local-hostname
local-ipv4
mac
network
placement
profile
public-hostname
public-ipv4
public-keys
reservation-id
http://169.254.169.254/latest/meta-data
Metadata service contains wealth of information about an instance
Bootstrapping – metadata service
AMI
Custom or standard
machine image
Instance
Metadata
Service
Receive custom
data to drive
bootstrapping

+ user data
Scripts in user-data field of metadata will be executed on launch
e.g.
Metadata service contains wealth of information about an instance
#!/bin/sh
yum -y install httpd
chkconfig httpd on
/etc/init.d/httpd start
<powershell>
…
</powershell>
Or:
AMI
Custom or standard
machine image
Instance
Metadata
Service
Receive custom
data to drive
bootstrapping

+ user data
Scripts in user-data field of metadata will be executed on launch
Metadata service contains wealth of information about an instance AMI
Custom or standard
machine image
Instance
Metadata
Service
Receive custom
data to drive
bootstrapping
Install software e.g. web server, app server, proxy
Pull data and application packages from Amazon S3
Publish metadata for instance to other systems e.g. monitoring systems
Setup security profile of instance based upon intended use e.g. pull latest config

1. Use Multiple
Availability Zones

2. Use Amazon RDS with
Replicas and Standby

3. Use Amazon Auto
Scaling groups

4. Use Amazon Elastic
Load Balancing

5. Use Amazon Route53
to host DNS zones

Three Services: Better Together
Amazon CloudWatch
Amazon Elastic Load
Balancer
Amazon Auto Scaling

Use at regional level
Combined with Amazon Auto Scaling
Amazon ELB will balance requests
and resource capacity across
Availability Zones
Within Amazon VPC
Use to loadbalance between
application tiers within an
Availability Zone
Instance migrations
Easily move instances from dev
environments to test environments
by moving between Amazon ELBs
Leverage SLA
Improve application reliability with
Amazon Route 53’s SLA on requests
served
Weighted routing
Perform A/B analysis, and staged
application roll-outs by moving a
portion of traffic to new
infrastructure
Health checks
DNS health checks and
health-based failover
Latency Based Routing
Route end users to lowest-latency
endpoints
Scale databases without
admin overhead
Choose instance size for databases
and scale up over time
Add high availability from
management console
Create Multi-AZ deployments and
Read-Replicas. AWS takes care of
the failover and recreation of a new
standby in event of master DB loss
Amazon Elastic Load
Balancing
Amazon Route 53 Amazon RDS
Dynamically scale resources
& control costs
Only provision the resources that
are required with scale up and cool
down policies that match demand
Easy setup for developers and
administrators via the AWS
Management Console.
Amazon Auto Scaling

Be elastic and cost
optimized
5

PRICING &
COST OPTIMIZATION
(Amazon EC2)

Reserved
Make a low, one-time
payment and receive
a significant discount
on the hourly charge
For committed
utilization
Free Tier
Get Started on AWS
with free usage &
no commitment
For POCs and
getting started
On-Demand
Pay for compute
capacity by the hour
with no long-term
commitments
For spiky workloads,
or to define needs
Spot
Bid for unused
capacity, charged at
a Spot Price which
fluctuates based on
supply and demand
For time-insensitive
or transient
workloads
Dedicated
Launch instances
within Amazon VPC
that run on hardware
dedicated to a single
customer
For highly sensitive or
compliance related
workloads
Many pricing models to support different workloads

Manually
Send an API call or use CLI to
launch/terminate instances –
Only need to specify capacity
change (+/-)
By Schedule
Scale up/down based on date
and time
By Policy
Scale in response to changing
conditions, based on user
configured real-time monitoring
and alerts
Auto-Rebalance
Instances are automatically
launched/terminated to ensure
the application is balanced
across multiple AZs
Amazon Auto Scaling policies

0
2
4
6
8
10
12
14
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
On Demand
Light Utilization RI
Medium Utilization RI
Heavy utilization RI
Hours
InstancesOptimizing Costs With RIs

Start
Choose instance that
meets your basic
requirements best
Match memory &
virtual cores
Instance types

Start
meets your basic
requirements best
Match memory &
virtual cores
Tune
Change instance size
up or down based
upon monitoring
Use trusted advisor to
assess
Instance types

Start
meets your basic
requirements best
Match memory &
virtual cores
Tune
Change instance size
up or down based
upon monitoring
Use trusted advisor to
assess
Scale
Run instances across
multiple availability
zones
Smaller sizes equals
greater granularity
Purchase RIs after the application
has been tuned and utilization
patterns are established
Instance types

Cost Explorer
Monthly Spend by Service
AWS Monthly Spend
AWS Cost Explorer

AWS SUPPORT

AWS Support is a Global Organization

• Basic Support - Free
Contact Customer Service for account and billing questions and receive technical support for resources that don’t pass system
health checks.
• Developer-level Support – Starting at $49/month
Get started on AWS – ask technical questions and get a response to your web case within 12 hours during local business hours.
• Business-level Support – Starting at $100/month
24/7/365 real-time assistance by phone and chat, a 1 hour response to web cases, and help with 3rd party software. Access
Trusted Advisor to increase performance, fault tolerance, security, and potentially save money.
• Enterprise-level Support – Starting at $15,000/month
15 minute response to web cases, an assigned technical account manager (TAM) who is an expert in your use case, and white-
glove case handling that notifies your TAM and the service engineering team of a critical issue.
AWS Support Plans

• Since the beginning of the year, customers have viewed over 700K
Trusted Advisor recommendations, and have reduced their AWS
spend by over $140M
• 31 Checks in four categories (Cost Optimizing, Security, Fault
Tolerance, and Performance)
• Recommendations are accessible via the Support API
AWS Trusted Advisor

BOTTOM LINE

Your
Mission
70%
On-Premise
Infrastructure
30%
Managing All of the
“Undifferentiated Heavy Lifting”
Cloud computing bottom line

AWS
Cloud-Based
Infrastructure
Your
Mission
More Time to Focus on
Your Mission
Configuring Your
Cloud Assets
70%
30%70%
On-Premise
Infrastructure
30%
Managing All of the
“Undifferentiated Heavy Lifting”
Cloud computing bottom line

Useful Resources & Links
• AWS Products & Services: https://aws.amazon.com/products/
• Documentation: http://aws.amazon.com/documentation
• Economics Center: https://aws.amazon.com/economics/
• Calculator: http://calculator.s3.amazonaws.com/calc5.html
• TCO Calculator: http://aws.amazon.com/tco-calculator/
• Architecture Center: http://aws.amazon.com/architecture/
• Security Center: http://aws.amazon.com/security
• Compliance Center: http://aws.amazon.com/compliance
• Whitepapers: http://aws.amazon.com/whitepapers
• Resources: http://aws.amazon.com/resources
• Case Studies: http://aws.amazon.com/solutions/case-studies
• Solution Providers: http://aws.amazon.com/solutions/global-solution-providers/
• AWS Blog: http://aws.typepad.com/

tbixler@amazon.com
AWS Best Practices
Tim Bixler
Thank You

AWS Deployment Best Practices - AWS Symposium 2014 - Washington D.C.

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to AWS Deployment Best Practices - AWS Symposium 2014 - Washington D.C.

Similar to AWS Deployment Best Practices - AWS Symposium 2014 - Washington D.C. (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

AWS Deployment Best Practices - AWS Symposium 2014 - Washington D.C.

Editor's Notes