AWS Fundamentals for DoD, Immersion Day Huntsville 2019

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Immersion Day

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Schedule
Time Agenda Item
9:00 AM Introduction & Opening Remarks
9:15 AM AWS Fundamentals
10:00 AM Break
10:15 AM AWS Core Services Overview
11:45 PM Lunch
12:30 PM Cybersecurity: A Driving Force Behind Cloud Adoption
2:00 PM Break
2:15 PM VMware Cloud on AWS
3:00 PM High Performance Computing in AWS
3:45 PM Closing Remarks

What is Cloud Computing?
The on-demand delivery of IT resources over
public or private networks with zero up-front
costs, no long-term contracts, and pay-as-you-go
pricing

No Up Front Expense
Pay for what you Use
Improve Agility
Scale Up and
Down
Self-Service
Infrastructure
AWS Cloud
Equipment
Resources and
Administration
Contracts Cost
Traditional
Infrastructure

Millions of Active Customers
2012 2013 2015 Today2014 20162008 2009 2010 2011

Pace of Innovation
5 1 6
2 4 4 8 6 1 8 2
1 5 9
2 8 0
7 2 2
1 , 0 1 7
LAUNCHES
2 0 0 8 2 0 0 9 2 0 1 0 2 0 1 1 2 0 1 2 2 0 1 3 2 0 1 4 2 0 1 5 2 0 1 6
1 , 4 0 0 +
2 0 1 7
New capabilities daily

Lower
Cost
Higher
Reliability
Scale
Better
Capacity
Virtuous cycle

AWS Global Infrastructure

AWS Global Infrastructure
• 22 Regions with 69 Availability Zones
• 3 Regions coming soon: Cape Town, Milan
and Jakarta

180 CloudFront PoPs
• 169 Edge Locations
• 11 Regional Edge Caches
Multiple Edge Locations

89 Direct Connect
Locations

AWS Global Network
• Redundant 100 GbE network
• Private network capacity between
all AWS Region, except China

AWS Regions are comprised of multiple AZs for high availability, high scalability, and
high fault tolerance. Applications and data are replicated in real time and consistent in
the different AZs
AWS Region Design
AWS Availability Zone (AZ)
A Region is a physical location in the
world where we have multiple Availability
Zones.
Availability Zones consist of one or more discrete data
centers, each with redundant power, networking, and
connectivity, housed in separate facilities.
AZ
AZ
AZ AZ
Transit
Transit
AWS Region

Architected for Government Security Requirements
And many more: https://aws.amazon.com/compliance/

DoD Information Impact Levels
SRG v1r2
Impact
Level
Maximum
Data Type
Information Characterization
2
Non-Controlled
Unclassified
Information
Unclassified information approved for public release
Unclassified, not designated as controlled unclassified information (CUI) or critical mission data,
but requires some minimal level of access control
4
Controlled
Unclassified
Information
Requires protection from unauthorized disclosure as established by Executive Order 13556 (Nov
2010); Education, Training, SSN, Recruiting (if medical is not included), Credit card information for
individuals (i.e., PX or MWR events)
PII, PHI, SSN, Credit card information for individuals, Export Control, FOUO, Law Enforcement
Sensitive, Email
5
Controlled
Unclassified
Information +
NSS
National Security Systems and other information requiring a higher level of protection as deemed
necessary by the information owner, public law, or other government regulations
6 Classified up to
SECRET
Pursuant to EO 12958 as amended by EO 13292; classified national security information or
pursuant to the Atomic Energy Act of 1954, as amended to be Restricted Data (RD)
DoD Cloud Computing Security Requirements Guide (SRG): http://iase.disa.mil/cloud_security/Pages/index.aspx

US AWS Regions
# Commercial Region and Number of Availability Zones
3
3
3
6
3
3
3
3
# GovCloud Region and Number of Availability Zones
# Classified Region and Number of Availability Zones
HIGH MOD
DoD
IL
2/4/5
MOD
DoD
IL
2
MOD
DoD
IL
2
MOD
DoD
IL
2
MOD
DoD
IL
2
ICD
503
TS/SCIICD
503
SECRET
DoD
IL 6
HIGH MOD
DoD
IL
2/4/5

AWS Services in
Scope
✓ This service is currently in scope and
is reflected in current reports
https://aws.amazon.com/com
pliance/services-in-scope/

Shared Responsibility Model

Inheritance
Personnel
Incident Response
Boundary Protection
Identity & Access Control
Disaster Recovery
Configuration Management
High Availability Architecture
System Mgmt. & Monitoring
Log Management & Monitoring
Compute & Storage
Networking
Virtualization
Data Center
Specific
Mission
Owner
Controls
Controls fully
inherited
Mission
Owner
on Prem
Mission
Owner
Controls
Hybrid
Controls
Mission
Owner
on AWS
+
Mission
Owner
Mission
Owner
Controls
ATO
Package

DoD Secure Cloud Computing Architecture
• Secure Cloud Computing Architecture Functional
Requirements Document (SCCA FRD)
• Released March 9th 2017
• Provides implementation flexibility
• Freedom to architect and manage
as a shared services enclave
The SCCA provides a standard approach for boundary and application
level security for impact level 4 and 5 data hosted in commercial cloud
environments.

SCCA Architecture Approach in AWS
GovCloud Region
App Subnet
Availability Zone A
Database Subnet
DMZ Subnet
Web
Server
App
Server
DB
Server
primary
Availability Zone B
Database Subnet
DB
Server
secondary
Web
Server
App
Server
App Subnet
DMZ Subnet
Web
Server
auto scaling group
auto scaling group
security groupsecurity group
synchronous
replication
CND
Direct
Connect
Co-
Location
CAP
CND
DoDIN
IAP
VGW
Mission Owner Virtual Private Cloud (VPC)
Virtual Datacenter Security Stack (VDSS)
Availability Zone BAvailability Zone A
Network Firewall Services
Network Intrusion Detection/Prevention Services
Full Packet Capture Services
Web Application Firewall Services
Availability Zone B
ACAS / Vulnerability Scanning Services
HBSS / Endpoint Protection Services
AD / DNS / SSO / OCSP / DCHP Services
Other Shared Services
Availability Zone A
VGW
VGW
Virtual Datacenter Management Stack (VDMS)Inernet

Leveraged Services Supporting Multiple Mission Owners
GovCloud Region
App
Subnet
AZB
Database
Subnet
DMZ
Subnet
Web
Server
App
Server
DB
Server
primary
CND
Direct
Connect
Co-
Location
CAP
CND
DoDIN
IAP
VGW
Mission Owner Virtual Private Cloud (VPC)
Virtual Datacenter Security Stack (VDSS)
Availability Zone BAvailability Zone A
Network Firewall Services
Network Intrusion Detection/Prevention Services
Full Packet Capture Services
Web Application Firewall Services
Availability Zone B
ACAS / Vulnerability Scanning Services
HBSS / Endpoint Protection Services
AD / DNS / SSO / OCSP / DCHP Services
Other Shared Services
Availability Zone A
VGW
VGW
Virtual Datacenter Management Stack (VDMS)Inernet
App
Subnet
AZA
Database
Subnet
DMZ
Subnet
Web
Server
App
Server
DB
Server
primary
App
Subnet
AZB
Database
Subnet
DMZ
Subnet
Web
Server
App
Server
DB
Server
primary
App
Subnet
AZA
Database
Subnet
DMZ
Subnet
Web
Server
App
Server
DB
Server
primary
Mission Owner A – Application Stack / VPC
Mission Owner B – Application Stack / VPC
VGW

A Full Range of Capabilities for Mission Owners
Key Management
Service
Manage creation and
control of encryption keys
CloudHSM
Hardware-based key
storage
Server-Side
Encryption
Flexible data encryption
options
Encryption
IAM
Manage user access and
encryption keys
SAML Federation
SAML 2.0 support to
allow on-prem identities
Directory Service
Host and manage
Microsoft Active Directory
Organizations
Manage settings for
multiple accounts
Identity & Access Mgmt
Virtual Private Cloud
Network-isolated cloud
resources
Web Application
Firewall
Filter Malicious Web
Traffic
AWS Shield
DDoS protection
Certificate Manager
Provision, manage, and
deploy SSL/TSL
certificates
Networking
VPC Flow Logs
Comprehensive netflow
data with click of button
AWS Service Catalog
Create and use
standardized products
AWS Config
Track resource inventory
and changes
CloudTrail
Track user activity and
API usage
CloudWatch
Monitor resources and
applications
GuardDuty
Intrusion detection and
analysis
Trusted Advisor
Warning and reports on
proper configuration
Visibility and Control

n
Identity & access
management
Detective
controls
Infrastructure
protection
Incident
response
Data
protection
AWS Security Solutions

AWS Breadth and Depth
CORE SERVICES
Integrated Networking
Rules Engine
Device Shadows
Device SDKs
Device Gateway
Registry
Local Compute
Custom Model
Training & Hosting
Conversational Chatbots
Virtual Desktops
App Streaming
Schema Conversion
Image & Scene
Recognition
Sharing &
Collaboration
Exabyte-Scale
Data Migration
Text to Speech
Corporate Email Application Migration
Database Migration
Regions
Availability Zones
Points of Presence
Data Warehousing
Business Intelligence
Elasticsearch
Hadoop/Spark
Data Pipelines
Streaming Data
Collection
ETL
Streaming Data
Analysis
Interactive SQL
Queries
Queuing & Notifications
Workflow
Email
Transcoding
Deep Learning
(Apache MXNet,
TensorFlow, & others)
Server MigrationCommunications
MARKETPLACE
Business Apps Business Intelligence DevOps Tools Security Networking StorageDatabases
API Gateway
Single Integrated
Console
Identity
Sync
Mobile Analytics
Mobile App Testing
Targeted Push
Notifications
One-clickApp
Deployment
DevOps Resource
Management
Application Lifecycle
Management
Containers
Triggers
Resource Templates
Build & Test
Analyze & Debug
Identity
Management
Key Management
& Storage
Monitoring &
Logs
Configuration
Compliance
Web Application
Firewall
Assessment
& Reporting
Resource & Usage
Auditing
Access Control
Account
Grouping
DDOS
Protection
TECHNICAL & BUSINESS SUPPORT
Support
Professional
Services
Optimization
Guidance
Partner
Ecosystem
Training &
Certification
Solutions Management Account Management
Security & Billing
Reports
Personalized
Dashboard
Monitoring
Manage
Resources
Data Integration
Integrated Identity &
Access
Integrated Resource &
Deployment Management
Integrated Devices
& Edge Systems
Resource
Templates
Configuration
Tracking
Server
Management
Service
Catalogue
Search
MIGRATIONHYBRID ARCHITECTUREENTERPRISE APPSMACHINE LEARNINGIoTMOBILE SERVICESDEV OPSANALYTICS
APP SERVICES
INFRASTRUCTURE SECURITY & COMPLIANCE MANAGEMENT TOOLS
Compute
VMs, Auto-scaling, Load
Balancing, Containers,
Virtual Private Servers,
Batch Computing, Cloud
Functions, Elastic GPUs,
Edge Computing
Storage
Object, Blocks, File, Archivals,
Import/Export, Exabyte-scale
data transfer
CDN
Databases
Relational, NoSQL,
Caching, Migration,
PostgreSQL compatible
Networking
VPC, DX, DNS
Facial Recognition &
Analysis
Facial Search
Patching
Contact Center

Questions?

AWS Fundamentals for DoD, Immersion Day Huntsville 2019

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a AWS Fundamentals for DoD, Immersion Day Huntsville 2019

Similar a AWS Fundamentals for DoD, Immersion Day Huntsville 2019 (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

AWS Fundamentals for DoD, Immersion Day Huntsville 2019