This document discusses lessons learned from implementing cloud automation at scale over multiple years at McGraw Hill Education. Some key lessons include: establishing centralized security configuration and response; using centralized account configuration for development, testing, and production environments; automating cost optimization techniques; developing networking automation while separating responsibilities between developers and network engineers; and integrating security practices into the DevOps toolchain and AMI management process. The benefits of these practices include increased speed, safety, accessibility, productivity, depth and breadth of cloud operations.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud DevSecOps masterclass:
Lessonslearnedfromamulti-yearimplementation
ofcloudautomationatscale
Chinmay Tripathi
Director, Cloud Operations
McGraw Hill Education
S D D 3 3 5
Nathan Wallace
CEO
Turbot

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
About McGraw-Hill
We are a learning science company
• We deliver educational technology for both K-12 and higher education
• We partner with 14,000+ authors, educators, and higher education institutions
• Our students have answered 11.8 billion questions!
Our technology scale
• 200+ million interactions per month
• 80+ development teams
• 100+ AWS accounts
• 10+ Kubernetes clusters
• 4,000+ Amazon Elastic Compute Cloud (Amazon EC2) instances

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Evolution to multi-account architecture
Share house
Multiple teams sharing an
account for different projects
Innovator
Small team working on a
shared goal
Multi-tenant
Projects operate with
independence and isolation
within agreed rules and services
Hosted services
Handful of centrally managed
accounts (dev, prod, etc.) are
shared by multiple teams

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Key lessons learned
Security
NetworkingDevOps & SecOps
Cost management

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security
Root credential management
Service accounts vs. named users
Automated account configuration
- Flow Logs
- AWS CloudTrail
- Amazon GuardDuty
Automated security response

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Development
Accounts
Testing
Accounts
Centralized configuration of accounts
Shared Service Accounts
Corporate Identity Federation
Networking Centralized Logging
& SEIM
Guardrail
Automation
Production
Accounts
AD/LDAP/SAML-MFA

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cost management
Continuously monitor for Reserved Instance opportunities
Automate discovery and disposition of unused volumes
Remove old snapshots based on data classification requirements
Monitor for unused resources and automate removal:
- Elastic Load Balancing
- Elastic IP addresses
- Internet/NAT gateways
Automated instance scheduling for dev and sandbox

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Networking
Developers are not network engineers!
Automate VPC creation
Automate shutdown of instances in public
subnets
Automate deletion of default VPCs, and
ensure VPC CIDRs don’t overlap

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevOps
Professionals practice like it’s real!
Bundle security tooling into your DevOps
toolchain
- Ensure development accounts run under same
security rules as production
- Static code analysis
Develop a process to manage, approve, and
publish AMIs
- Automate discovery and enforcement of
unapproved AMIs

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Centralized AMI publishing
Shared AMI Publishing Account
Build VPC Approved AMI
Repository
Testing VPC
Production
Accounts
Testing
Accounts
Development
Accounts
Deprecated & Non-
Standard AMIs
VPCVPC VPC

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud governance?
Network, data protection, identity
Operational status, change discovery
Guardrails & automated remediation
Compliance frameworks/standards
Self-service & isolation

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Benefits
- Speed
- Safety
- Accessibility
- Productivity
- Depth
- Breadth

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Free cloud operations that enable you to focus on your
business
• Architecture
• AMI publishing & CI/CD pipeline
• Cost & security insights
• Flow Logs configuration
• AWS CloudTrail configuration
• Amazon GuardDuty & AWS Config setup
• Amazon S3 bucket encryption
• Remove unused resources
• Instance scheduling
• VPC/subnet/routing setup
• Hardening of Amazon EC2 instances
• Deletion of default VPCs
• Deletion of insecure security groups
• Stop Amazon EC2/Amazon RDS instances in public
subnets
App Team
Application
SELF-SERVICE
APIS
DB OS …
Cloud Configuration
IaaS PaaS SaaS
Cloud
Team
CONFIGURE
AUTOMATE
SECURE
MONITOR
AUTOMATE
HELP
LEARN

17. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Nathan Wallace
nathan@turbot.com
Chinmay Tripathi
chinmay.tripathi@mheducation.com