AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Philadelphia 2019

1© 2019 Amazon Web Services, Inc. and its affiliates. All rights reserved.A W S O M E D A Y © 2019 Amazon Web Services, Inc. and its affiliates. All rights reserved.A W S O M E D A Y
Security OF the Cloud
Security IN the Cloud
AWS Identity and Access Management (IAM)
AWS CloudTrail

2© 2019 Amazon Web Services, Inc. and its affiliates. All rights reserved.A W S O M E D A Y
SSL Endpoints
VPC
Secure Transmission
Use secure endpoints
to establish secure
communication
sessions (HTTPS).
Instance Firewalls
Use security groups
to configure firewall
rules for instances.
SSL Endpoints Security Groups
Network Control
Use public and
private subnets,
NAT, and VPN
support in your
virtual private cloud
to create low-level
networking
constraints for
resource access.
SSL Endpoints

Security Groups
SSL Endpoints Security Groups
Instance Firewalls
Use security groups
VPC
Secure Transmission
to establish secure
communication
sessions (HTTPS).
Network Control
Use public and
private subnets,
NAT, and VPN
support in your
to create low-level
networking
constraints for
resource access.

AWS Multi-Tier Security Groups
www server
www server
www server
app server
app server
app server
Database Tier
security group
Application Tier
security group
Web Tier
security group
db server
db server
db server
Internet
Corporate
Admin Network
ssh/rdp
api api
(all other ports are blocked)

Amazon Virtual Private Cloud (VPC)
VPCSSL Endpoints Security Groups
Network Control
Use public and
private subnets,
NAT, and VPN
support in your
to create low-level
networking
constraints for
resource access.
Instance Firewalls
Use security groups
Secure Transmission
to establish secure
communication
sessions (HTTPS).

AWS CloudTrail

Interacting With AWS
AWS
service API
endpoint
API interface
SDKAWS SDKs
C:

AWS CLI
AWS
Management
Console
Another
AWS service

API Request Flow
HTTP/HTTPS
client
API interface
IAM
AWS
CloudTrail
AWS service
API endpoint
API request

AWS IAM
3
Manage federated users
and their permissions
2
Manage AWS IAM roles
and their permissions
1
Manage AWS IAM users
and their access

AWS IAM Authentication
Authentication
AWS Management Console
User Name and Password
IAM User

AWS IAM Authentication
Authentication
AWS CLI or SDK API
Access Key and Secret Key
Access Key ID: AKIAIOSFODNN7EXAMPLE
Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Java Python .NET
AWS SDK & APIAWS CLI
IAM User

AWS IAM User Management - Groups
User D
DevOps Group
User C
AWS Account
TestDev Group
User BUser A

AWS IAM Authorization
Authorization
Policies:
Are JSON documents to describe
permissions.
Are assigned to users, groups or
roles.
IAM User IAM Group
IAM Roles

AWS IAM Policy Elements
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1453690971587",
"Action": [
"ec2:Describe*",
"ec2:StartInstances",
"ec2:StopInstances”
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "54.64.34.65/32”
}
}
},
{
"Sid": "Stmt1453690998327",
"Action": [
"s3:GetObject*”
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::example_bucket/*”
}
]
}
IAM Policy

AWS IAM Policy Assignment
IAM User
IAM Group
Assigned Assigned
IAM Policy

IAM User
IAM Group
IAM Roles
Assigned Assigned
Assigned
IAM Policy

AWS IAM Roles
An IAM role uses a policy.
An IAM role has no associated credentials.
IAM users, applications, and services may assume IAM roles.
IAM Roles

IAM User
IAM Group
IAM Roles
Assigned Assigned
Assigned
IAM Policy
IAM User
Assumed Assumed
AWS Resources

Example: Application Access to AWS Resources
Python application hosted on an Amazon EC2 Instance
needs to interact with Amazon S3.
AWS credentials are required:
Option 1: Store AWS Credentials on the Amazon EC2 instance.
Option 2: Securely distribute AWS credentials to AWS Services
and Applications.
IAM Roles

AWS IAM Roles - Instance Profiles
Amazon EC2
App &
EC2 MetaData Service
http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename
Amazon S3
1
2
3
4
Create Instance
SelectIAMRole
ApplicationinteractswithS3

AWS IAM Roles – Assume Role
IAM Restricted Policy
IAM User A-1
AWS Account A
IAM Admin RoleIAM Admin Policy
Assigned
Assume
Assigned
1
2
IAM User B-1
AWS Account B
Amazon S3
Assume
4
Access
53
Access
1

Temporary Security Credentials (AWS STS)
Use Cases
Cross account access
Federation
Mobile Users
Key rotation for Amazon EC2-based apps
Session
Access Key ID
Secret Access Key
Session Token
Expiration
Temporary Security Credentials
15 minutes to 36 hours

Application Authentication
AWS IAM Application
No Support No Support
OS

AWS IAM Authentication and Authorization
Authentication
AWS Management Console
 User Name and Password
AWS CLI or SDK API
 Access Key and Secret Key
Authorization
Policies
IAM User IAM Group
IAM Roles
IAM Policy

AWS IAM Best Practices
Delete AWS account (root) access keys.
Create individual IAM users.
Use groups to assign permissions to IAM users.
Grant least privilege.
Configure a strong password policy.
Enable MFA for privileged users.

AWS IAM Best Practices (cont.)
Use roles for applications that run on Amazon EC2
instances.
Delegate by using roles instead of by sharing credentials.
Rotate credentials regularly.
Remove unnecessary users and credentials.
Use policy conditions for extra security.
Monitor activity in your AWS account.

AWS CloudTrail

API Request Flow
HTTP/HTTPS
client
API interface
IAM
AWS
CloudTrail
AWS service
API endpoint
API request

AWS CloudTrail
Records AWS API calls for accounts.
Delivers log files with information to an Amazon S3 bucket.
Makes calls using the AWS Management Console, AWS
SDKs, AWS CLI and higher-level AWS services.
AWS CloudTrail Amazon S3 Bucket
Logs

Questions?
A W S O M E D A Y © 2019 Amazon Web Services, Inc. and its affiliates. All rights reserved.

© 2019 Amazon Web Services, Inc. and its affiliates. All rights reserved.A W S O M E D A Y
Create IAM Role & Assign to Web Server
Demo 6

Demo 6: Create IAM Role & Assign to Web Server
Region
Availability Zone A
AWSTE-Demo-VPC (10.10.0.0/16)
Availability Zone B
AWSTE-Demo-Public-Subnet-1 (10.10.0.0/24)
AWSTE-Demo-Internet-Gateway
AWSTE-Demo-Private-Subnet-1 (10.10.2.0/23) AWSTE-Demo-Private-Subnet-2 (10.10.4.0/23)
AWSTE-Demo-Web-Server
AWSTE-Demo-Web-Server-Security-Group
m5.large
AWSTE-Demo-Key-Pair
AWSTE-Demo-WS-Snapshot
AWSTE-Demo-WS-Image
SSH
AWSTE-Demo-WS-Role
awste-demo

Login to Web Server
Create User and Access Keys
Create Role
Examine Instance Meta Data

• Try to list S3 buckets
• Error: No credentials

Login to Web Server
Create Role

• Use search to find IAM
• Click on IAM link

• User name*: AWSTE-Demo-User
• Check Programmatic access
• Click on Next: Permissions button

• Click Attach existing policies directly
• Type S3 in search
• Check AmazonS3ReadOnlyAccess
• Click on Next: Review button

• User aws configure to install keys
• Try to list S3 buckets

• Don’t want long term credentials on EC2
• Go to IAM to deactivate the keys

• Credentials now fail
• Do it the right way, create an IAM role

Login to Web Server
Create Role

• Click AWS service box
• Click EC2 for service that will use this role
• Click Next: Permissions button

• Search for S3
• Select AmazonS3ReadOnlyAccess
• Click Next: Review button

• Role Name*: AWSTE-Demo-WS-Role
• Click Create role button

• Role created
• Click on EC2 Icon in the shortcut menu

• Click on Actions button
• Select Instance Settings
• Select Attach/Replace IAM Role

• IAM Role*: AWSTE-Demo-WS-Role
• Click on Apply button

• Role assigned to EC2 instance
• Try to list S3 buckets from EC2 Instance

Login to Web Server
Create Role

• There is the role.
• Use metadata URL to examine credentials

• There are the credentials.
• Use metadata URL to get IPv4 Public IP

• There is the IP address.
• The end.

Demo 6: Create IAM Role & Assign to Web Server
Region
Availability Zone A
Availability Zone B
AWSTE-Demo-Web-Server-Security-Group
m5.large
AWSTE-Demo-Key-Pair
AWSTE-Demo-WS-Image
SSH
AWSTE-Demo-WS-Role
awste-demo

Questions?

Databases
Module 4a

SQL and NoSQL Databases
SQL NoSQL
Data Storage Rows and Columns Key-Value
Schemas Fixed Dynamic
Querying Using SQL Focused on collection of
documents
Scalability Vertical Horizontal
ISBN Title Author Format
9182932465265 Cloud Computing
Concepts
Wilson,
Joe
Paperback
3142536475869 The Database
Guru
Gomez,
Maria
eBook
SQL NoSQL
{
ISBN: 9182932465265,
Title: “Cloud Computing Concepts”,
Author: “Wilson, Joe”,
Format: “Paperback”
}

Data Storage Considerations
No one size fits all.
Analyze your data requirements by considering:
 Data formats
 Data size
 Query frequency
 Data access speed
 Data retention period

AWS Managed Database Services
Compute Storage
AWS Global Infrastructure
Database
Application Services
Deployment and Administration
Networking
Amazon DynamoDB
Amazon ElastiCache
Amazon RDS
Amazon Redshift
AWS Database Migration Service
Amazon Aurora
Amazon Neptune
Amazon DocumentDB

Amazon Relational Database Service (RDS)
Cost-efficient and resizable capacity
Manages time-consuming database
administration tasks
Access to the full capabilities of Amazon Aurora,
MySQL, MariaDB, Microsoft SQL Server, Oracle,
and PostgreSQL databases
Deployable on VMware
Amazon
RDS

Amazon RDS
Simple and fast to deploy
Manages common database administrative tasks
Compatible with your applications
Fast, predictable performance
Simple and fast to scale
Secure
Cost-effective

DB Instances
DB Instances are the basic building blocks of Amazon
RDS.
They are an isolated database environment in the
cloud.
They can contain multiple user-created databases.

How Amazon RDS Backups Work
Automatic Backups:
Restore your database to a
point in time.
Are enabled by default.
Let you choose a retention
period up to 35 days.
Manual Snapshots:
Let you build a new
database instance from a
snapshot.
Are initiated by the user.
Persist until the user
deletes them.
Are stored in Amazon S3.

Cross-Region Snapshots
Are a copy of a database
snapshot stored in a
different AWS Region.
Provide a backup for
disaster recovery.
Can be used as a base for
migration to a different
region.

Amazon RDS Security
Run your DB instance in an Amazon VPC.
Use IAM policies to grant access to RDS resources.
Use Security Groups.
Use Secure Socket Layer (SSL) connections with DB instances
(Amazon Aurora, Oracle, MySQL, MariaDB, PostgreSQL, Microsoft SQL Server).
Use RDS encryption to secure instances and snapshots at rest.
Use network encryption and transparent data encryption (TDE)
with Oracle DB and Microsoft SQL Server instances.
Use security features of your DB engine to control access to DB
instance.

A Simple Application Architecture
Amazon RDS database
instance
Amazon EC2
Application Servers
Elastic Load Balancing
load balancer instance
DB snapshots in
Amazon S3

Multi-AZ RDS Deployment
With Multi-AZ operation, your database is
synchronously replicated to another Availability
Zone in the same AWS Region.
Failover to the standby automatically occurs in case
of master database failure.
Planned maintenance is applied first to standby
databases.

A Resilient, Durable Application Architecture
Amazon RDS database instances:
Master and Multi-AZ standby
Application, in Amazon
EC2 instances
load balancer instance
DB snapshots in
Amazon S3

Amazon RDS Best Practices
Monitor your memory, CPU, and storage usage.
Use Multi-AZ deployments to automatically provision and maintain a
synchronous standby in a different Availability Zone.
Enable automatic backups.
Set the backup window to occur during the daily low in WriteIOPS.
To increase the I/O capacity of a DB instance:
 Migrate to a DB instance class with high I/O capacity.
 Convert from standard storage to provisioned IOPS storage and use a DB
instance class optimized for provisioned IOPS.
 Provision additional throughput capacity (if using provisioned IOPS storage).
If your client application is caching the DNS data of your DB instances, set a
TTL of less than 30 seconds.
Test failover for your DB instance.

Questions?

Create MySQL RDS DB
Demo 7

Demo 7: Create MySQL RDS DB
Region
Availability Zone A
Availability Zone B
AWSTE-Demo-Private-Subnet-1 (10.10.2.0/23) AWTE-Demo-Private-Subnet-2 (10.10.4.0/23)
AWSCTE-Demo-Web-Server-Security-Group
AWSTE-Demo-DB-Server-Security-Group
AWSTE-Demo-DB-Subnet-Group
awste-demo-db-instance
AWSTE-Demo-Key-Pair
AWSTE-Demo-WS-Image
AWSTE-Demo-WS-Role
Browser
http://IPv4PublicIP
awste-demo

Create a Security Group for the Database
Create a Database Subnet Group
Create a Multi-AZ MySQL RDS Instance
Configure Web Server

• Name: AWSTE-Demo-DB-Server-Security-Group
• Group Name: AWSTE-Demo-DB-Server-Security-Group
• Description: Allow 3306
• VPC: AWSTE-Demo-VPC
• Click Yes, Create button

• Type: MySQL/Aurora
• Protocol: TCP
• Port: 3306
• Source: AWSTE-Demo-Web-Server-Security-Group
• Click Save button

Region
Availability Zone A
Availability Zone B
SSH
AWSTE-Demo-Key-Pair
AWSTE-Demo-WS-Image
awste-demo

• Name: AWSTE-Demo-DB-Subnet-Group
• Description: AWSTE-Demo-DB-Subnet-Group
• Scroll down to assign subnets

• Add both private subnets to subnet group
• Click Create button

Region
Availability Zone A
Availability Zone B
SSH
AWSTE-Demo-Key-Pair
AWSTE-Demo-WS-Image
awste-demo

• Select MySQL
• Click Next button

• Select Production - MySQL

• DB instance class: db.t2.medum
• Page down for more options

• DB instance identifier: awste-demo-db-instance
• Master username: demomaster
• Master password: *******
• Confirm password: *******

• Subnet Group: awste-demo-db-subnet-group
• VPC Security Group: AWSTE-Demo-DB-Server-Security-Group
• Scroll down for more options

• Database name: awstedemodb

Region
Availability Zone A
Availability Zone B
SSH
AWSTE-Demo-Key-Pair
AWSTE-Demo-WS-Image
awste-demo

• Copy IPv4 Public IP
• Open new tab to web server

• Click Services
• Click RDS

• Scroll down to the Connect section
• Copy Endpoint

• Fill in values
• Click Submit button

• Address book from DB
• Add and delete entries

Region
Availability Zone A
Availability Zone B
AWSTE-Demo-Key-Pair
AWSTE-Demo-WS-Image
AWSTE-Demo-WS-Role
Browser
http://IPv4PublicIP
awste-demo

Questions?

Databases
Module 4b

Amazon DynamoDB
Allows you to store any amount of data with no limits.
Provides fast, predictable performance using SSDs.
Allows you to easily provision and change the
request capacity needed for each table.
Is a fully managed, NoSQL database service.
Accommodate changing workloads with on-demand
mode
Amazon
DynamoDB

DynamoDB Data Model
Table:
Music
Items
Attributes (name-value pairs)
Artist Song
Title
Album
Title
Year Genre

Primary Keys
Partition Key
Sort Key
Table: Music
Partition Key: Artist
Sort Key: Song Title
(DynamoDB maintains a sorted index for both keys)
Table:
Music
Artist
Song
Title
Album
Title Year Genre

Provisioned Throughput
You specify how much provisioned throughput capacity
you need for reads and writes.
Amazon DynamoDB allocates the necessary machine
resources to meet your needs.

Supported Operations
Query:
Query a table using the partition key and an optional sort key
filter.
If the table has a secondary index, query using its key.
It is the most efficient way to retrieve items from a table or
secondary index.
Scan:
You can scan a table or secondary index.
Scan reads every item – slower than querying.
You can use conditional expressions in both Query and Scan
operations.

Simple Application Architecture
Elastic Load
Balancing Amazon EC2
app instances
Clients
Amazon
DynamoDB
Business logic

Amazon RDS and Amazon DynamoDB
Factors Relational (Amazon RDS) NoSQL (Amazon DynamoDB)
Application Type
• Existing database apps
• Business process–centric apps
• New web-scale applications
• Large number of small writes and reads
Application
Characteristics
• Relational data models,
transactions
• Complex queries, joins, and
updates
• Simple data models, transactions
• Range queries, simple updates
Scaling
Application or DBA–architected
(clustering, partitions, sharding)
Seamless, on-demand scaling based on
application requirements
QoS
• Performance–depends on data
model, indexing, query, and
storage optimization
• Reliability and availability
• Durability
• Performance–Automatically optimized
by the system
• Reliability and availability
• Durability

Database Considerations
If You Need Consider Using
A relational database
service with minimal
administration
Amazon RDS
• Choice of Amazon Aurora, MySQL, MariaDB, Microsoft
SQL Server, Oracle, or PostgreSQL database engines
• Scale compute and storage
• Multi-AZ availability
A fast, highly scalable
NoSQL database
service
Amazon DynamoDB
• Extremely fast performance
• Seamless scalability and reliability
• Low cost
A database you can
manage on your own
Your choice of AMIs on Amazon EC2
and Amazon EBS that provide scale compute and
storage, complete control over instances, and more.

Questions?

AWS Elasticity and Management Tools
Module 5

Triad of Services
Latency
Utilization
CloudWatchAuto Scaling
Elastic Load
Balancing
Auto Scaling group
Execute AS
Policy

AWS Elastic Load Balancing (ELB)
Amazon CloudWatch
Amazon EC2 Auto Scaling
AWS Trusted Advisor

Distributes traffic across multiple EC2 instances,
in multiple Availability Zones
Supports health checks to detect unhealthy
Amazon EC2 instances
Supports the routing and load balancing of
HTTP, HTTPS, SSL, and TCP traffic to Amazon EC2
instances, containers, IP addresses and Lambda
Elastic Load
Balancing

Elastic Load Balancing Products
Application Load Balancer
(ALB)
• Flexible application management
• Advanced load balancing of HTTP
and HTTPS traffic
• Operates at the request level
(layer 7)
Network Load Balancer
(NLB)
• Extreme performance and static IP
for your application
• Load balancing of TCP traffic
• Operates at the connection level
(Layer 4)
Classic Load Balancer
(CLB)
PREVIOUS GENERATION
for HTTP, HTTPS, and TCP
• Existing application that was built
within the EC2-Classic network
• Operates at both the request level
and connection level
HTTP
HTTPS
TCP

Classic Load Balancer - How It Works
Register
instances with
your load
balancer.
Availability Zone A Availability Zone B
load balancer
X

Target Group /mobile
Application Load Balancer – How It Works
Register instances
as targets in a
target group, and
route traffic to a
target group.
load balancer
Listener ListenerRule Rule Rule
Target Group Target Group /api
Target Target Target Target Target Target Target
Health
Check
Health
Check
Health
Check

Network Load Balancer: How it Works
Register instances as targets
in a target group, and route
traffic to a target group.
Load balancer routes request
at the Transport layer (TCP).
load balancer
ListenerRule
Target Group
Target Target
Health
Check

Why Choose Elastic Load Balancing?
Elastic Load Balancing provides the following common features:
 Health checks
 CloudWatch Metrics
 Logging
 Zonal fail-over
 Connection draining
 Cross-zone load balancing
 Resource-based IAM permissions

Elastic Load Balancer Comparison (1 of 3)
Feature Application Network Classic
Protocols HTTP, HTTPS TCP TCP, SSL, HTTP, HTTPS
Platforms VPC VPC EC2-Classic, VPC
Balance to multiple
ports
 
Web sockets  
IP address as targets  
Deletion protection  
Path-based routing 
Host-based routing 
Native HTTP/2 

Configurable idle
timeout
 
SSL offloading  
Server Name Indication
(SNI)

Sticky sessions  
Back-end server
encryption
 
Static IP 
Elastic IP address 
Preserve source IP
address


Tag-based IAM
permissions
 
Slow start 
User authentication 
Redirects 
Fixed response 
Web Application
Firewall


Amazon CloudWatch
AWS Trusted Advisor

Amazon CloudWatch
A monitoring service for AWS cloud resources
and the applications you run on AWS
Visibility into resource utilization, operational
performance, and overall demand patterns
Custom application-specific metrics of your own
Accessible via AWS Management Console, APIs,
SDK, or CLI
Amazon
CloudWatch

Amazon CloudWatch Facts
Monitor other AWS resources
 View graphics and statistics
Set Alarms

Amazon CloudWatch Architecture
AWS resources
that support
CloudWatch
Amazon
CloudWatch
Amazon
CloudWatch
Alarm
SNS Email
Notification
Auto Scaling
Available
Statistics
Statistics
Consumer
AWS Management
Console
CloudWatch Metrics
CPUUtilization
StatusCheckFailed
Custom
Application-
Specific Metrics
PageViewCount

CloudWatch Metrics Examples

Amazon CloudWatch
AWS Trusted Advisor

Scale your Amazon EC2 capacity
automatically
Well-suited for applications that experience
variability in usage
Available at no additional chargeAuto
Scaling

Auto Scaling Benefits
Better Cost
Management
Better
Availability
Better Fault
Tolerance

Launch Configurations
A launch configuration is a template that an Auto
Scaling group uses to launch EC2 instances.
When you create a launch configuration, you can specify:
AMI ID
Instance type
Key pair
Security groups
Block device mapping
User data

Auto Scaling Groups
Contain a collection of EC2 instances that share similar
characteristics.
Instances in an Auto Scaling group are treated as a logical
grouping for the purpose of instance scaling and management.
Auto Scaling group
Minimum size
Desired capacity
Maximum size
Scale out as needed

EC2 Auto Scaling
Auto
Scaling
Minimum
Health Check
monitors running
instances within
an Auto Scaling
group.
If an unhealthy
instance is found,
it can be
replaced.
Manual
Scaling
Specify a new
minimum for
your Auto
Scaling group.
Manually invoke
Auto Scaling
policies.
Scheduled
Scaling
Scaling functions
are performed as
a function of
time and date.
On Demand
Scaling
Create a policy to
scale your
resources.
Define when to
scale using
CloudWatch
Alarms.
Predictive
Scaling
Automatically
forecast load
Proactively
schedule capacity

Auto Scaling Basic Lifecycle
instances
Auto Scaling group
Scale Out
Amazon CloudWatch
Scheduled Event
Scale In
Amazon CloudWatch
Scheduled Event
Launch
Instance
Attach to Group
Detach from
Group
Terminate
Instance X

Amazon CloudWatch
AWS Trusted Advisor

AWS Trusted Advisor
Best practice and recommendation engine.
Provides AWS customers with performance and
security recommendations in five categories:
 Cost optimization
 Security
 Fault tolerance
 Performance improvement
 Service Limits
AWS Trusted
Advisor

AWS Trusted Advisor?
A service providing guidance to help you reduce cost,
increase performance, and improve security

Trusted Advisor: Core vs. Full
Core Checks and Recommendations
(included)
• Seven core checks around
security and performance
• Service Limits
Full Trusted Advisor Benefits
(With Business or Enterprise support)
• Full set of checks
• Notifications
• Programmatic Access via API

Questions?

Create an Elastic Application
Demo 9

Demo 9: Create an Elastic Application
Region
Availability Zone A
Availability Zone B
Browser
http://DNSname
AWSTE-Demo-Web-App-Server-Security-Group
AWSTE-Demo-Auto-Scaling-Group
AWSTE-Demo-Web-ELB-Security-Group
AWSTE-Demo-ALB
AWSTE-Demo-Target-Group
AWSTE-Demo-LC
AWSTE-Demo-Key-Pair
AWSTE-Demo-WS-Image
AWSTE-Demo-WS-Role
awste-demo

Create and Modify Security Groups
Create Application Load Balancer and Target Group
Create a Launch Configuration
Create a Auto Scaling Group and Scaling Policies
Test Elastic Application

• Name tag: AWSTE-Demo-ELB-Security-Group
• Group Name: AWSTE-Demo-ELB-Security-Group
• Description: AWSTE-Demo-ELB-Security-Group

• Type: HTTP
• Protocol: TCP
• Port: 80
• Source: 0.0.0.0/0

• Name tag: AWSTE-Demo-Web-App-Security-Group
• Group Name: AWSTE-Demo-Web-App-Security-Group
• Description: AWSTE-Demo-Web-App-Security-Group

• Type: HTTP
• Protocol: TCP
• Port: 80
• Source: AWSTE-Demo-ELB-Security-Group

• Type: MySQL/Aurora
• Protocol: TCP
• Port: 3306
• Source: AWSTE-Demo-Web-App-Security-Group

• Creating AWSTE-Demo-Web-ELB-Security-Group
• CLI equivalent

• Creating AWSTE-Demo-Web-App-Security-Group
• Modifying AWSTE-Demo-DB-Server-Security-Group
• CLI equivalent

Region
Availability Zone A
Availability Zone B
AWSTE-Demo-Key-Pair
AWSTE-Demo-WS-Image
AWSTE-Demo-WS-Role
awste-demo

• Name: AWSTE-Demo-ALB

• Availability Zones: us-east-1a & us-east-1b
• Key: Name, Value: AWS-Demo-ALB
• Click Next: Configure Security Settings button

• Select AWSTE-Demo-ELB-Security-Group
• Click Next: Configure Routing button

• Name: AWSTE-Demo-Target-Group
• Click Next: Register Targets button

• Creating AWSTE-Demo-Web-ALB
• CLI equivalent

• Creating AWSTE-Demo-Target-Group
• Creating Listener
• CLI equivalent

Region
Availability Zone A
Availability Zone B
AWSTE-Demo-ALB
AWSTE-Demo-Key-Pair
AWSTE-Demo-WS-Image
AWSTE-Demo-WS-Role
awste-demo

• Click My AMIs in left menu
• Click Select button for AWSTE-Demo-WS-Image

• Select t2.micro
• Click Next: Configure details button

• Name: AWSTE-Demo-Launch-Configuration
• Click Next: Add Storage button

• Select AWSTE-Demo-Web-App-Security-Group
• Click Review button

• Key Pair: AWSTE-Demo-Key-Pair
• Check acknowledgement
• Click Create launch configuration button

• Creating AWSTE-Demo-Launch-Configuration
• CLI equivalent

Region
Availability Zone A
Availability Zone B
AWSTE-Demo-ALB
AWSTE-Demo-LC
AWSTE-Demo-Key-Pair
AWSTE-Demo-WS-Image
AWSTE-Demo-WS-Role
awste-demo

• Group name: AWSTE-Demo-Auto-Scaling-Group
• Group size: 2
• Network: AWSTE-Demo-VPC
• Subnet: Both Private Subnets
• Scroll down and expand Advance Details

• Load Balancing: Check box
• Target Group: AWSTE-Demo-Target-Group
• Health Check Type: ELB
• Click Configure scaling policies button

• Scale between: 2 and 6
• Name: AWSTE-Demo-Scale-Out-Policy
• Click Add new alarm link

• Uncheck Send notification
• CPU Is: Greater than or equal to 60 percent
• For at Least: 1 period of 1 minute
• Name: AWSTE-Demo-Scale-Out-Alarm
• Click Create Alarm link

• Take the Action: Add 1 Instance
• Instances need: 300 seconds
• Scroll down for Scale in Policy

• Name: AWSTE-Demo-Scale-In-Policy
• Click Add new alarm link

• Uncheck Send notification
• CPU Is: Less than 20 percent
• For at Least: 1 period of 1 minute
• Name: AWSTE-Demo-Scale-In-Alarm
• Click Create Alarm link

• Take the action: Remove 1 Instances
• Click Next: Configure Notification button

• Key: Name
• Value: AWSTE-Demo-Auto-Scaling-Group
• Click Review button

• Click Instances tab
• Wait until both instances are healthy

• Creating AWSTE-Demo-Auto-Scaling-Group
• CLI equivalent

• Creating AWSTE-Demo-Scale-Out-Step-Policy
• Creating AWSTE-Demo-High-CPU-Utilization-Alarm
• Creating AWSTE-Demo-Scale-In-Step-Policy
• Creating AWSTE-Demo-Low-CPU-Utilization-Alarm
• CLI equivalent

Region
Availability Zone A
Availability Zone B
AWSTE-Demo-ALB
AWSTE-Demo-LC
AWSTE-Demo-Key-Pair
AWSTE-Demo-WS-Image
AWSTE-Demo-WS-Role
awste-demo

• Copy DNS name
• Test load balancer in new window

• Click Instances tab
• Scale Out alarm triggers Scale Out policy

Region
Availability Zone A
Availability Zone B
Browser
http://DNSname
AWSTE-Demo-ALB
AWSTE-Demo-LC
AWSTE-Demo-Key-Pair
AWSTE-Demo-WS-Image
AWSTE-Demo-WS-Role
awste-demo

Questions?

Course Wrap-Up
Module 6

What Did We Learn?
What’s Next?
Need Support?

Learning Path
AWS Introduction
• The AWS Cloud
• History
• Global
Infrastructure
• AWS Management
Console
AWS Foundational
Services
• Compute:
• Amazon EC2
• Networking:
• Amazon VPC
• Storage:
• Amazon EBS
• Amazon S3
• Amazon Glacier
• Security
• IAM
• Databases:
• Amazon
DynamoDB
• Amazon RDS
AWS Management
Tools
• Triad of
Services:
• Auto Scaling
• ELB
• Amazon
CloudWatch
• AWS Trusted
Advisor

What Did We Learn?
What’s Next?
Need Support?

Certification
aws.amazon.com/certification
Demonstrate your skills,
knowledge, and
expertise with the AWS
platform.
Self-Paced Labs
aws.amazon.com/training/
self-paced-labs
Try products, gain new
skills, and get hands-on
practice working with
AWS technologies.
aws.amazon.com/training
Training
Skill up and gain
confidence to design,
develop, deploy, and
manage your
applications on AWS.
AWS Training and Certification

Self-Paced Labs
Learn an individual AWS Service topic
Follow a Learning Quest by AWS Service
Area or Use Case
Practice working with AWS as you prepare
for an exam
For more information, see aws.amazon.com/training/self-paced-labs/.

Operations Learning Path

Architecting Learning Path

Developing Learning Path

Specialty Learning Paths

Storage Learning Path

AWS Media Services Learning Path

AWS No-Cost Online Training
Coursera
 https://www.coursera.org/aws
• AWS Fundamentals: Going Cloud-Native
edX
 https://www.edx.org/school/aws
• AWS Developer: Building on AWS
• AWS Developer: Deploying on AWS
• AWS Developer: Optimizing on AWS
• Amazon SageMaker: Simplifying Machine Learning Application Development
AWS Digital Training
 https://www.aws.training/LearningLibrary
• 300+ courses
• Exam Readiness Courses are now available for no cost!

Our Certification Roadmap

Preparing for AWS Certification
Practice ExamsSelf-Paced Labs on qwikLABS
AWS Whitepapers &
FAQs
AWS Documentation &
Reference Architectures
For resources to help you prepare for the
certification exam, see
aws.amazon.com/certification.
Exam Guides &
Sample Questions
AWS-Authored Study Guide
AWS Technical Training

AWS Conferences
AWS Summits
 Washington, DC - Jun 11-12, 2019
 New York, NY - Jul 11, 2019
AWS re:Inforce
 Boston, MA - Jun 25-26, 2019
AWS re:Invent
 Las Vegas, NV - Dec 2-6, 2019

What Did We Learn?
What’s Next?
Need Support?

Support Options
The Technical Account Manager provides...
 A dedicated voice within AWS to serve as
your advocate.
 Proactive guidance and insight into ways to
optimize AWS through business and
performance reviews.
 Orchestration and access to the full breadth
and depth of technical expertise across the
full range of AWS.
 Access to resources and best practice
recommendations.
Infrastructure Event Management provides...
 A common understanding of event objectives
and use cases through pre-event planning
and preparation.
 Resource recommendations and deployment
guidance based on anticipated capacity
needs.
 Dedicated attention of the your AWS
Support team during your event.
 The ability to immediately scale down
resources to normal operating levels post-
event.

Support Options
AWS Trusted Advisor provides...
 Insight into how and where you can get the
most impact for your AWS spend.
 Opportunities to reduce your monthly spend
and retain or increase productivity.
 Guidance on getting the optimal
performance and availability based on your
requirements.
 Confidence that your environment is secure.
The Concierge Service provides...
 A primary contact to help manage AWS
resources.
 Personalized handling of billing inquiries, tax
questions, service limits, and bulk reserve
instance purchases.
 Direct access to an agent to help optimize
costs, and identify underutilized resources.

Support Comparison
Basic Developer Business Enterprise
Customer Service and
Communities
24x7 access to
customer service, documentation,
whitepapers, and
support forums
24x7 access to
whitepapers, and
support forums
24x7 access to
whitepapers, and
support forums
24x7 access to
whitepapers, and
support forums
Best
Practices
Access to 7 core
Trusted Advisor checks
Access to 7 core
Access to full set of
Access to full set of
Technical
Support
Business hours access
to Cloud Support Associates
via email
24x7 access
to Cloud Support Engineers
via email, chat & phone
24x7 access
to Sr. Cloud Support Engineers
via email, chat & phone
Case Severity/
Response Times
Production system impaired:
< 4 hours
Production system down:
< 1 hour
Production system impaired:
< 4 hours
Production system down:
< 1 hour
Business-critical system down:
< 15 minutes
Pricing Included Starts at $29 per month Starts at $100 per month Starts at $15k per month

Thank You!

AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Philadelphia 2019

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Philadelphia 2019

Ähnlich wie AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Philadelphia 2019 (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Philadelphia 2019