Is there such a thing as too much data, too many tools, too many alerts and too many tasks? To really take your IT operations to the next level to maximise your business innovation you need to embrace automation, operational analytics, and take advantage of a software defined IT infrastructure. This advanced technical session continues its theme of the last 5 years and takes you through real world customer tips and tricks, including demos. We will dive into topics such as server and event driven computing, automated security and compliance, managed management tools and even Machine Learning to help you supercharge your IT operations with AWS. Speaker: Dean Samuels, Solutions Architect Manager

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Black Belt Tips for IT Operations
Dean Samuels
Solutions Architect Manager
Amazon Web Services
Level 400

2. Meet Michael…Michael Lowd...
Call Me
Mike!

3. Laying the Foundation
Day 1

4. Multi-Account Strategy
AWS Account Management
Cross-Account Manager
users
AWS Directory
Service
Master
Account
role
AWS STS
ninjas
switch
role
AssumeRole
Master Account
Sub-Accounts

5. Root
OU
Prod
AWS
Account
OU
Group1
AWS
Account
OU
App1
AWS
Account
AWS
Account
AWS
Account
OU
Test
AWS
Account
OU
Dev
AWS
Account
OU
App1
AWS
Account
AWS
Account
Multi-Account Setup
new user AWS
Service Catalog
CloudFormation
Stack AWS Step
Functions
authoriser
AWS
CloudTrail
S3 Bucket
New
AWS
Account
AWS
Organizations
Request New
AWS Account
Launch
Stack
Seek
Approval
Request
Approved
Notify
User
AWS Organizations Provision New AWS Accounts
CloudWatch
Events
SNS
Topicadministrator

6. Cross-Account Manager
master account
sub-account(s)
users
administrator
AWS KMS
S3 bucket
(configuration files)
AWS Directory
Service
AWS Lambda
file handler
functions
managed
roles
Amazon SNS
topics
Amazon
DynamoDB
S3 bucket
(access links)
AWS Lambda
event handler
functions
managed
role
managed
permissions
Create IAM role
and permissions
add/remove
account(s)
and role(s)
navigate to sub-
accounts/roles
process publish notify
master account
stack
sub-account
stack
access uses

7. Insights
Day 2

8. Centralised Logging
Insights
Service Limit Management
users
flow logs Amazon
CloudWatch
Logs
AWS
CloudTrail
Amazon
Elasticsearch Service
Amazon
EC2

9. Centralised Logging
Kibana Client
virtual private cloud
Availability Zone 1
Availability Zone 2
Elastic Load
Balancing
flow logs
security group
proxy
server
proxy
server
web
server
app
server
Instance with
CloudWatch
Logs/Inspector agent
Instance with
CloudWatch
Logs/Inspector agent
Amazon
Elasticsearch
Service
AWS
Lambda
Amazon
CloudWatch
Amazon S3
bucket
AWS
CloudTrail
On-premise
infrastructure

10. Service Limit Management
Amazon
CloudWatch
Master
Lambda
Child
Lambda
function
Amazon SNS
topic
Support-call
Lambda
function
administrators
AWS
CloudFormation
AWS Trusted
Advisor
Amazon
EC2
Amazon
RDS
Amazon
SES
Amazon
VPC
Amazon
DynamoDB
AWS Limit
API calls
AWS
Support API
DynamoDB
Table of
Support
requests

11. Autonomous IT
Day 3

12. Automated Infrastructure
Autonomous IT
Security Automation

13. Automated Infrastructure Management
Amazon
CloudWatch
Lambda
function
alarm
SNS Topic
administrators
Amazon EBS
Tags::
resize=true
instance with custom
metrics and EC2
Systems Manager
agents
Tags::
backup=true
EC2 Systems Manager
run-command
gp2
1TB
Amazon
EC2
Dynamic Resize
and/or
Change Volume Type
Notify administratorsLaunch Lambda Function
publishgenerate alarmput metrics
io1
2TB

14. Dynamic DNS
Amazon
Route 53
Private
Hosted
Zone
Auto Scaling group Notice No Internet/NAT required!
AWS
Lambda
Amazon
CloudWatch
Event
Tags:
ZONE=ddnslambda.com
CNAME=svr1.ddnslambda.com
Tags:
ZONE=ddnslambda.com
CNAME=asg-svr##.ddnslambda.com
Tags:
ZONE=ddnslambda.com
CNAME=tst1.ddnslambda.com
Tags:
ZONE=ddnslambda.com
CNAME=svr4.ddnslambda.com Tags:
ZONE=ddnslambda.com
CNAME=svr7.ddnslambda.com
Amazon
DynamoDB
Direct ConnectVPN Gateway
DNS Client DNS Forwarder
AWS Directory ServiceAWS Directory Service
Similar concept can be applied to ECS

15. Security Automation – AWS WAF Rules
valid users
attackers
Amazon
CloudFront
AWS WAF
Amazon S3
bucket
Amazon API
Gateway
AWS Lambda
Access Handler
AWS Lambda
Log Parser
AWS Lambda
IP Lists Parser
Amazon
CloudWatch
event
web application resources
application requests
(static & dynamic)
new access log files
requests to the
honeypot endpoint
hourly
third-party IP
reputation lists
Bad bot and scraper
protection
SQL injection protection
Cross-site scripting
protection
HTTP flood, scanner and
probe protection
IP address
whitelist/blacklist
known-attacker protection
×

16. Security Automation with Machine Learning
valid users
attackers
AWS WAF DGA Protection
×Amazon
CloudFront
Amazon
Kinesis
Access Log
Bucket
AML Result
AML Batch
payload bucket
Log Parser
Feature
Engineering
AML Caller
Rule Updater
(String matching)
AML
DGAProtection
Other Web
Apps

17. Global Expansion
Day 4

18. Infrastructure Code Distribution
Global Expansion
Global Transit Network

19. Content Replication
Amazon
S3
Tokyo
Developer
Amazon
S3
Oregon
Deployment
Function
Deployment
Function
Production
CloudFormation
Stack
Production
CloudFormation
Stack
Amazon
S3
Frankfurt
Deployment
Function
Production
CloudFormation
Stack
Source/Artif
act Bucket
AWS
CodeCommit
Test
CloudFormation
Stack
AWS
CodePipeline
SNS topic
Lambda
function
Lambda
function
Lambda
function

20. Transit VPC
• Move the 2x EC2 instances to the
‘hub’ – make them CGWs
• Use the VGW in the ‘spokes’ –
single route table target
• CloudHub on a detached VGW –
takes DX private VIF or VPN and
re-advertises routes in both
directions

21. Global Transit VPC

22. Helpful Resources
Laying the Foundation
• AWS Organizations
– https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/
• Cross-Account Manager
– http://docs.aws.amazon.com/solutions/latest/cross-account-manager/welcome.html
Insights
• Service Limit Monitor:
– https://aws.amazon.com/answers/account-management/limit-monitor/
• http://docs.aws.amazon.com/solutions/latest/limit-monitor/welcome.html
• Centralised Logging
– https://aws.amazon.com/answers/logging/centralized-logging/
– http://docs.aws.amazon.com/solutions/latest/centralized-logging/welcome.html
Autonomous IT
• Automated Infrastructure Management
– https://aws.amazon.com/answers/infrastructure-management/
– https://aws.amazon.com/blogs/aws/amazon-ebs-update-new-elastic-volumes-change-everything/
Global Expansion
• Infrastructure as Code Distribution
– https://aws.amazon.com/blogs/compute/a-data-sharing-platform-based-on-aws-lambda/
– https://aws.amazon.com/blogs/aws/codepipeline-update-build-continuous-delivery-workflows-for-cloudformation-stacks/
• Global Transit Network:
– https://aws.amazon.com/answers/networking/transit-vpc/
– http://docs.aws.amazon.com/solutions/latest/cisco-based-transit-vpc/welcome.html

23. Thank you!

24. Overtime

25. Thank you!