
AWSome Day 2019 - Mexico City

This free, one-day training will provide a step-by-step introduction to the core AWS services for compute, storage, database, and networking. AWS technical experts will explain key features and use cases, share best practices, walk through technical demos, and be available to answer your questions one-on-one. Who should attend? AWSome Day is ideal for IT managers, system engineers, system administrators, and architects who are eager to learn more about cloud computing and how to get started on the AWS Cloud.

  1. AWSOME DAY. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Session Outline: Course Overview; AWS Cloud Concepts; AWS Technology; AWS Security; AWS Architecting; AWS Pricing and Support.
  3. AWSOME DAY. Hernan Garcia / Technical Trainer, @hernangarcia.
  4-7. Introduction to the AWS Cloud. Cloud Computing: on-demand delivery of IT resources and applications via the internet with pay-as-you-go pricing.
  8-14. Benefits of AWS Cloud Computing: trade capital expense for variable expense; benefit from massive economies of scale; stop guessing capacity; go global in minutes; increase speed and agility; stop spending money on running and maintaining data centers.
  15. AWS Cloud Computing Infrastructure. AWS Global Infrastructure: Regions, Availability Zones, Edge locations. Foundation Services: Compute (virtual, Auto Scaling, and load balancing), Networking, Storage (object, block, and archive). Platform Services: Databases (relational, NoSQL, caching); Analytics (cluster computing, real-time, data warehouse, data workflows); App Services (queuing, orchestration, app streaming, transcoding, email, search); Deployment and Management (containers, DevOps tools, resource templates, usage tracking, monitoring and logs); Mobile Services (identity, sync, mobile analytics, notifications). Applications: Virtual Desktops, Collaboration and Sharing.
  16-22. AWSOME DAY: AWS Global Infrastructure.
  23. Services At The Edge: Amazon Route 53; Amazon CloudFront; AWS WAF; AWS Shield; AWS Lambda@Edge; AWS Global Accelerator.
  24. AWSOME DAY: Compute Services.
  25. Compute Services. AWS: flexible; cost effective. Amazon Lightsail: launch a virtual private server; manage simple web and application servers. Amazon EC2: flexible configuration and control.
  26. Compute Services. Amazon ECS, Amazon EKS, AWS Fargate: managed containers; highly scalable, high performance. AWS Lambda: pay only for what you use; no administration.
  27. AWSOME DAY: Amazon Elastic Compute Cloud (EC2).
  28. What is Amazon EC2? Elastic Compute Cloud, usable as: application server; web server; database server; game server; mail server; media server; catalog server; file server; computing server; proxy server.
  29-30. AWSOME DAY.
  31. What is an Amazon Machine Image (AMI)? Provides the information required to launch an instance: root volume template; block device mapping; launch permissions.
  32. Choosing an AMI: AWS Quick Start; AWS Marketplace.
  33. Right Compute For The Right Application.
  34. Amazon EC2 Instances: 175 instance types for virtually every workload and business need.
  35. Amazon EC2 Instances. Capabilities: choice of processor; fast processors; high memory footprint (up to 64 TiB); instance storage (HDD and NVMe); networking (up to 100 Gbps); accelerated computing (GPUs and FPGA); bare metal. Families: general purpose; compute intensive; memory intensive; burstable; storage (high I/O); dense storage; GPU compute; graphics intensive. 175 instance types for virtually every workload and business need.
  36. Instance Types (families | description | example use cases):
      t3, m5, m4 | General Purpose, balanced performance | websites, web applications, dev, code repos, microservices, business apps
      c4, c5, cc2 | Compute Optimized, high CPU performance | front-end fleets, web servers, batch processing, distributed analytics, science and engineering apps, ad serving, MMO gaming, video encoding
      g2, p2 | GPU Optimized, high-end GPU | Amazon AppStream 2.0, video encoding, machine learning, high-performance databases, science
      r3, r4, x1, cr1 | Memory Optimized, large RAM footprint | in-memory databases, data mining
      d2, i2, i3, hi1, hs1 | Storage Optimized, high I/O, high density | NAS, data warehousing, NoSQL
  37. How Much Do You Need?
  38. C5: Compute Optimized Instances. Based on 3.0 GHz Intel Xeon Scalable Processors (Skylake); up to 72 vCPUs and 144 GiB of memory; 25 Gbps network bandwidth; support for Intel AVX-512; 25% price/performance improvement over C4. “We saw significant performance improvement on Amazon EC2 C5, with up to a 140% performance improvement in industry standard CPU benchmarks over C4.”
  39. AWSOME DAY. Demo time! Hernan Garcia / Technical Trainer, @hernangarcia.
  40. AWSOME DAY. Let’s take a break. Hernan Garcia / Technical Trainer, @hernangarcia.
  41. AWSOME DAY: Amazon Elastic Block Store (EBS).
  42. EBS: Built For Dynamic Workloads.
  43. AWSOME DAY: Amazon Simple Storage Service (S3).
  44. Amazon S3. Features: fully managed cloud storage service; rich security controls; designed for 99.999999999% durability and 99.99% availability of objects over a given year. Functionality: store a virtually unlimited number of objects; access any time, from anywhere.
  45. Amazon S3 Use Cases.
  46. Let’s build a web site/application: automatically scalable; automatically elastic; highly available; fault tolerant.
  47. AWSOME DAY. Demo time! Hernan Garcia / Technical Trainer, @hernangarcia.
  48. AWSOME DAY: Amazon Virtual Private Cloud (VPC).
  49. VPC. Inside an AWS Region, a VPC (10.0.0.0/16) with a router spans two Availability Zones. Availability Zone 1: public subnet 10.0.1.0/24 (web servers) and private subnet 10.0.2.0/24 (app servers). Availability Zone 2: public subnet 10.0.3.0/24 (web servers) and private subnet 10.0.4.0/24 (app servers).
  50. VPC (continued). Route table for the VPC: Destination 10.0.0.0/16, Target local.
  51. VPC (continued). Public subnet route table: 10.0.0.0/16 → local; 0.0.0.0/0 → igw_id (Internet Gateway), which connects the web servers to the Internet.
  52. VPC (continued). Private subnet route table: 10.0.0.0/16 → local; 0.0.0.0/0 → ngw_id (NAT GW, one shown per Availability Zone), through which the app servers reach the Internet.
  53. VPC (continued). A VPN GW connects the VPC to the corporate data center.
  54. AWSOME DAY: AWS Security Groups.
  55. The VPC diagram from slide 53, shown again.
  56. AWS VPC Security Groups Chain. Web Tier security group: the www servers accept http/https from the internet. Application Tier security group: the app servers accept api traffic from the www servers. Database Tier security group: the db servers accept db traffic from the app servers. The Corporate Admin Network reaches the servers over ssh/rdp. All other ports are blocked.
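The three-tier chain above, modelled as an added example (not code from the AWSome Day deck): rules whose source is another security group rather than a CIDR, a default-deny lookup, and a check that management ports never face 0.0.0.0/0. The sg- ids, the corporate admin CIDR and the port numbers for "api" and "db" are assumptions, since the slide names only tiers and protocols.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    """One inbound rule: a TCP port range accepted from either a CIDR
    block or from members of another security group (an sg- id)."""
    from_port: int
    to_port: int
    source: str


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: List[Rule] = field(default_factory=list)


# Assumptions: the slide names tiers and protocols only, so the sg ids,
# the corporate admin CIDR and the port numbers for "api" and "db" are
# placeholders chosen for this example.
CORP_ADMIN_CIDR = "203.0.113.0/24"
API_PORT = 8080
DB_PORT = 3306

# Constructed groups mirroring the slide's chain: internet -> web tier on
# http/https, web tier -> app tier on api, app tier -> db tier on db,
# ssh/rdp only from the corporate admin network, everything else blocked.
GROUPS: Dict[str, SecurityGroup] = {
    "sg-web": SecurityGroup("sg-web", [
        Rule(80, 80, "0.0.0.0/0"),
        Rule(443, 443, "0.0.0.0/0"),
        Rule(22, 22, CORP_ADMIN_CIDR),
    ]),
    "sg-app": SecurityGroup("sg-app", [
        Rule(API_PORT, API_PORT, "sg-web"),   # source is a security group
        Rule(22, 22, CORP_ADMIN_CIDR),
    ]),
    "sg-db": SecurityGroup("sg-db", [
        Rule(DB_PORT, DB_PORT, "sg-app"),
        Rule(3389, 3389, CORP_ADMIN_CIDR),
    ]),
}


def is_allowed(dest_sg: str, port: int, src: str,
               groups: Dict[str, SecurityGroup] = GROUPS) -> bool:
    """True if TCP traffic to `port` on an instance in `dest_sg` is
    permitted from `src`, which is an IP address or the sg- id of the
    group the sending instance belongs to. Security groups are
    default-deny, so no matching rule means blocked."""
    for rule in groups[dest_sg].inbound:
        if not rule.from_port <= port <= rule.to_port:
            continue
        if rule.source.startswith("sg-"):
            if src == rule.source:           # SG-to-SG reference
                return True
        elif not src.startswith("sg-"):
            if ip_address(src) in ip_network(rule.source):
                return True
    return False


def admin_ports_open_to_world(groups: Dict[str, SecurityGroup] = GROUPS
                              ) -> List[str]:
    """Defender check: ssh (22) or rdp (3389) reachable from 0.0.0.0/0
    breaks the slide's chain. Returns 'sg-id:from-to' per offending rule."""
    findings = []
    for sg in groups.values():
        for r in sg.inbound:
            if r.source == "0.0.0.0/0" and (
                    r.from_port <= 22 <= r.to_port
                    or r.from_port <= 3389 <= r.to_port):
                findings.append(f"{sg.sg_id}:{r.from_port}-{r.to_port}")
    return findings


if __name__ == "__main__":
    checks = [("sg-web", 443, "198.51.100.7"), ("sg-app", API_PORT, "sg-web"),
              ("sg-app", API_PORT, "198.51.100.7"), ("sg-db", DB_PORT, "sg-web")]
    for dest, port, src in checks:
        verdict = "allowed" if is_allowed(dest, port, src) else "blocked"
        print(f"{src:>14} -> {dest}:{port}: {verdict}")
    print("admin ports open to world:", admin_ports_open_to_world())
```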
  57. AWSOME DAY. Let’s take a break. Hernan Garcia / Technical Trainer, @hernangarcia.
  58. AWSOME DAY: Elastic Load Balancing (ELB).
  59. Introduction to ELB.
  60. Elastic Load Balancing Products:
      Application Load Balancer (ALB), for HTTP and HTTPS: flexible application management; advanced load balancing of HTTP and HTTPS traffic; operates at the request level (Layer 7).
      Network Load Balancer (NLB), for TCP: extreme performance and static IP for your application; load balancing of TCP traffic; operates at the connection level (Layer 4).
      Classic Load Balancer (CLB), previous generation, for HTTP, HTTPS, and TCP: existing applications that were built within the EC2-Classic network; operates at both the request level and connection level.
  61. Application Load Balancer Use Cases.
  62. AWSOME DAY: Auto Scaling.
  63. What Is Auto Scaling? Dynamically react to changing demand, optimize cost.
  64. Adjust Capacity With Auto Scaling.
  65. Auto Scaling and Predictive Scaling.
  66. Monitoring Resource Performance: Amazon CloudWatch to monitor performance; Auto Scaling to add or remove EC2 instances.
  67. CloudWatch Alarm for Auto Scaling.
  68. Scaling Out and Scaling In. An Auto Scaling group behind Elastic Load Balancing: base configuration; scaling out launches instances; scaling in terminates instances.
  69. Auto Scaling Components: Launch Configuration; Auto Scaling groups; Auto Scaling Policy.
  70. Auto Scaling Components. Launch Configuration: what will be scaled? Launch settings: AMI; instance type; security groups; roles.
  71. Auto Scaling Components. Auto Scaling Group: where will it take place? Deployment settings: VPC and subnets; load balancer; minimum instances; maximum instances; desired capacity.
  72. Auto Scaling Components. Auto Scaling Policy: when will it take place? Policy settings: scheduled; on-demand; scale-out policy; scale-in policy.
  73. Dynamic Auto Scaling. Latency and utilization metrics from Elastic Load Balancing and the Auto Scaling group feed CloudWatch, which triggers Auto Scaling to execute the AS policy.
  74. AWSOME DAY: Amazon Relational Database Service (RDS).
  75. Amazon RDS: managed service that sets up and operates a relational database in the Cloud. Users → application servers → Amazon RDS, in the AWS Cloud.
  76. Amazon RDS DB Instances. DB instance class: CPU; memory; network performance. DB instance storage: magnetic; general purpose (SSD); provisioned IOPS. DB engines run on the RDS DB master instance.
  77. Amazon RDS. Customer manages: application optimization; database schema; data. AWS manages: OS installation and patches; database software installation and patches; database backups; high availability; scaling; power, rack and stack; server maintenance.
  78. Amazon RDS in a Virtual Private Cloud. Users reach the App on an Amazon EC2 instance in a public subnet through the internet gateway; the RDS DB instance sits in a private subnet, all within Availability Zone 1.
  79. High Availability with Multi-AZ. The RDS DB instance (master, private subnet, Availability Zone 1) replicates SYNCHRONOUSLY to an RDS DB standby instance (private subnet, Availability Zone 2); the App on the Amazon EC2 instance in the public subnet uses the master.
  80. High Availability with Multi-AZ: FAILOVER. When the master fails, the App fails over to the standby instance in Availability Zone 2.
  81. Amazon RDS Read Replicas. Features: asynchronous replication; promote to master if necessary. Functionality: read-heavy database workloads; offload read queries. The App on an Amazon EC2 instance (public subnet) uses the RDS DB master instance and an RDS DB read replica instance in the private subnet of Availability Zone 1.
  82. AWSOME DAY: Amazon DynamoDB.
  83. What Is Amazon DynamoDB? NoSQL database tables; virtually unlimited storage; items may have differing attributes; low-latency queries; scalable read/write throughput.
  84. Common Use Cases: web; mobile apps; Internet of Things; ad tech; gaming.
  85. Items in a Table Must Have a Key.
  86. AWSOME DAY. Let’s take a break. Hernan Garcia / Technical Trainer, @hernangarcia.
  87. AWSOME DAY: Introduction to AWS Security.
  88. Introduction to AWS Security. Security is of the utmost importance to AWS: approach to security; AWS environment controls; AWS offerings and features.
  89. AWSOME DAY: The AWS Shared Responsibility Model.
  90. Shared Responsibility Model. AWS is responsible for the security OF the cloud: AWS Foundation Services (compute, storage, database, networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers are responsible for security IN the cloud: customer applications and content; platform, applications, identity, and access management; operating system, network, and firewall configuration; client-side data encryption, server-side data encryption and network traffic protection.
  91. Security of the Cloud. Protection of the AWS global infrastructure is top priority; availability of third-party reports. Scope: AWS Foundation Services (compute, storage, database, networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).
  92. Security in the Cloud. Customers decide what to store, which AWS services to use, in what location, in what content format and structure, and who has access. Scope: customer applications and content; platform, applications, identity, and access management; operating system, network, and firewall configuration; client-side data encryption, server-side data encryption and network traffic protection.
  93. Shared Responsibility Model (repeats slide 90).
  94. Assurance Programs.
  95. AWS Security Solutions:
      Identity: AWS Identity and Access Management (IAM); AWS Organizations; Amazon Cognito; AWS Directory Service; AWS Single Sign-On.
      Detective control: AWS CloudTrail; AWS Config; Amazon CloudWatch; Amazon GuardDuty; Amazon Virtual Private Cloud (Amazon VPC) flow logs; Amazon EC2 Systems Manager.
      Infrastructure security: AWS Shield; AWS WAF; Amazon Inspector; Amazon Virtual Private Cloud (VPC).
      Data protection: AWS Key Management Service (AWS KMS); AWS CloudHSM; Amazon Macie; AWS Certificate Manager (ACM); server side encryption; AWS Secrets Manager.
      Incident response: AWS Config rules; AWS Lambda; Amazon EC2 Systems Manager.
  96. AWSOME DAY: AWS Access Control and Management.
  97. AWS IAM: create users and groups; grant permissions. Entities: User, Group, Role, Permissions.
  98. AWS Account Root User: the account root user has complete access to all AWS services.
  99. AWS Account Root User Recommendations: 1. Delete root user access keys. 2. Create an IAM user. 3. Grant administrator access. 4. Use IAM credentials to interact with AWS.
  100. AWS IAM controls access to AWS resources through authentication and authorization, for services such as compute, storage, database and application services.
  101. AWS IAM: Authentication. Management console access: uses the AWS account name and password; MFA prompts for a code. Programmatic access: uses an access key ID and secret access key.
  102. AWS IAM Authentication. AWS Management Console: the IAM user signs in with user name and password.
  103. AWS IAM Authentication. AWS CLI or SDK API: the IAM user authenticates with an access key and secret key, for example Access Key ID AKIAIOSFODNN7EXAMPLE and Secret Access Key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY; used by the AWS CLI and the AWS SDK & API (Java, Python, .NET).
  104. AWS IAM Authorization. Policies are JSON documents that describe permissions and are assigned to users, groups or roles (IAM User, IAM Group, IAM Roles).
  105. AWS IAM Policy Elements. Example IAM policy:
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Sid": "Stmt1453690971587",
             "Action": [
               "ec2:Describe*",
               "ec2:StartInstances",
               "ec2:StopInstances"
             ],
             "Effect": "Allow",
             "Resource": "*",
             "Condition": {
               "IpAddress": {
                 "aws:SourceIp": "54.64.34.65/32"
               }
             }
           },
           {
             "Sid": "Stmt1453690998327",
             "Action": [
               "s3:GetObject*"
             ],
             "Effect": "Allow",
             "Resource": "arn:aws:s3:::example_bucket/*"
           }
         ]
       }
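Evaluating the slide's policy against concrete requests, as an added example in Python (not AWS code): it implements Action and Resource wildcard matching, the IpAddress condition on aws:SourceIp, and the implicit deny, for exactly the two statements above. The request ARNs and source IP addresses are constructed.

```python
import fnmatch
import json
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List, Optional, Union

# The policy from the slide, with plain ASCII quotes so that it parses.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1453690971587",
      "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {"IpAddress": {"aws:SourceIp": "54.64.34.65/32"}}
    },
    {
      "Sid": "Stmt1453690998327",
      "Action": ["s3:GetObject*"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::example_bucket/*"
    }
  ]
}
"""
POLICY: Dict[str, Any] = json.loads(POLICY_JSON)


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns: Union[str, List[str]], value: str,
             case_insensitive: bool = False) -> bool:
    """IAM wildcard match: '*' matches any run of characters (including
    '/' and ':'), '?' matches one character. Action names are
    case-insensitive in IAM; resource ARNs are case-sensitive."""
    if case_insensitive:
        value = value.lower()
    return any(
        fnmatch.fnmatchcase(value, p.lower() if case_insensitive else p)
        for p in _as_list(patterns))


def _condition_holds(condition: Dict[str, Any],
                     context: Dict[str, str]) -> bool:
    """Evaluate the Condition block. Only the IpAddress operator the slide
    uses is implemented; anything else fails loudly rather than being
    silently treated as satisfied."""
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            raise NotImplementedError(f"condition operator {operator}")
        for key, cidrs in pairs.items():
            if key not in context:      # missing context key: not met
                return False
            addr = ip_address(context[key])
            if not any(addr in ip_network(c, strict=False)
                       for c in _as_list(cidrs)):
                return False
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Return 'Allow' or 'Deny' for one request.

    Mirrors IAM's order of evaluation: every statement is checked, a
    matching explicit Deny wins outright, a matching Allow grants access,
    and a request matched by no statement falls to the implicit Deny."""
    context = context or {}
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt["Action"], action, case_insensitive=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed request values; the instance ARN is a placeholder.
    inst = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
    print(evaluate(POLICY, "ec2:StartInstances", inst, {"aws:SourceIp": "54.64.34.65"}))
    print(evaluate(POLICY, "ec2:StartInstances", inst, {"aws:SourceIp": "198.51.100.7"}))
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::example_bucket/report.csv"))
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::other_bucket/report.csv"))
```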
106. AWS IAM Policy Assignment (diagram: an IAM policy is assigned to an IAM user and to an IAM group)
107. AWS IAM Policy Assignment (diagram: an IAM policy is assigned to an IAM user, an IAM group, and an IAM role)
108. AWS IAM Roles: An IAM role uses a policy. An IAM role has no associated credentials. IAM users, applications, and services may assume IAM roles.
109. AWS IAM Policy Assignment (diagram: an IAM policy is assigned to an IAM user, an IAM group, and an IAM role; the role is assumed by an IAM user and by AWS resources)
110. Example: Application Access to AWS Resources. A Python application hosted on an Amazon EC2 instance needs to interact with Amazon S3. AWS credentials are required:
    - Option 1: Store AWS credentials on the Amazon EC2 instance.
    - Option 2: Securely distribute AWS credentials to AWS services and applications.
111. AWS IAM Roles - Instance Profiles (diagram: create the instance (1), select an IAM role (2), the application on Amazon EC2 obtains credentials from the EC2 metadata service at http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename (3), the application interacts with Amazon S3 (4))
112. AWS IAM Roles – Assume Role (diagram: in AWS Account A, IAM User A-1 has an IAM restricted policy assigned (1); an IAM admin role with the IAM admin policy assigned is assumed by A-1 (2), which then accesses Amazon S3 (3); IAM User B-1 in AWS Account B assumes the same role (4) and accesses Amazon S3 (5))
113. IAM Best Practices
    Roles
    - Use roles for applications
    - Use roles instead of sharing credentials
    Credentials
    - Rotate credentials regularly
    - Remove unnecessary users and credentials
    Use policy conditions for extra security
    Monitor activity in your AWS account
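The credential practices on this slide (rotate regularly, remove unnecessary users and credentials) and the root-MFA check from the Trusted Advisor slide, applied to an IAM credential report. This is an added example, not part of the deck; the CSV below is constructed and abridged to the columns used, `audit_credential_report` and the 90-day thresholds are this example's own choices.

```python
"""Added example, not from the deck: audit an IAM credential report for the
slide's practices (rotate credentials regularly, remove unnecessary users
and credentials) plus MFA on the root account. The CSV is constructed and
abridged to the columns used; real reports carry more columns, same names."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential-report layout (abridged columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2019-04-01T09:00:00+00:00,2019-05-20T11:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2018-06-15T09:00:00+00:00,2018-09-01T11:00:00+00:00
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,false,true,2019-01-10T09:00:00+00:00,N/A
"""

NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are stable


def _parse(ts):
    """Report timestamps are ISO 8601; N/A / not_supported / no_information mean none."""
    return None if ts in ("N/A", "not_supported", "no_information") else datetime.fromisoformat(ts)


def audit_credential_report(csv_text, now=NOW, max_key_age_days=90, max_idle_days=90):
    """Return (user, finding) pairs; thresholds are this example's assumptions."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>" and row["mfa_active"] != "true":
            findings.append((user, "root account without MFA"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        if row["access_key_1_active"] != "true":
            continue  # no active key: nothing to rotate or remove
        rotated = _parse(row["access_key_1_last_rotated"])
        if rotated and now - rotated > timedelta(days=max_key_age_days):
            findings.append((user, "access key older than %d days: rotate" % max_key_age_days))
        last_used = _parse(row["access_key_1_last_used_date"])
        idle_since = last_used or rotated  # a never-used key is idle since creation
        if idle_since and now - idle_since > timedelta(days=max_idle_days):
            findings.append((user, "access key unused for %d days: remove" % max_idle_days))
    return findings
```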
114. Monitoring and Logging: Tools and features to reduce your risk profile:
    - Deep visibility into API calls
    - Log aggregation and options
    - Alert notifications
115. AWS CloudTrail: Records AWS API calls for accounts. Delivers log files with information to an Amazon S3 bucket. Records calls made using the AWS Management Console, AWS SDKs, AWS CLI, and higher-level AWS services. (diagram: AWS CloudTrail delivers logs to an Amazon S3 bucket)
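Three detections run over the kind of CloudTrail log file the slide describes being delivered to S3 (root account use, console login without MFA, calls from outside the source range used in the policy slide, failed calls). This is an added example, not part of the deck: the records are constructed and trimmed to the fields used, and `analyze_cloudtrail` and `TRUSTED_CIDRS` are this example's own.

```python
"""Added example, not from the deck: detections over a CloudTrail log file.
Records are constructed and trimmed; the field names (userIdentity, eventName,
sourceIPAddress, additionalEventData.MFAUsed, errorCode) are CloudTrail's."""
import ipaddress
import json

# Constructed CloudTrail log file body (a "Records" array) with three events.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-06-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "54.64.34.65",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2019-06-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "userName": "root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-06-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation"},
]})

TRUSTED_CIDRS = ["54.64.34.65/32"]  # the source range from the policy slide (assumed trusted)


def analyze_cloudtrail(log_text, trusted_cidrs=TRUSTED_CIDRS):
    """Return (eventTime, user, reason) alerts for the events in one log file."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    for ev in json.loads(log_text)["Records"]:
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        when = ev["eventTime"]
        if ident.get("type") == "Root":
            alerts.append((when, who, "root account used: %s" % ev["eventName"]))
        mfa = ev.get("additionalEventData", {}).get("MFAUsed")
        if ev["eventName"] == "ConsoleLogin" and mfa != "Yes":
            alerts.append((when, who, "console login without MFA"))
        src = ev.get("sourceIPAddress", "")
        try:
            outside = not any(ipaddress.ip_address(src) in n for n in nets)
        except ValueError:  # AWS service principals log a DNS name here, not an IP
            outside = False
        if outside:
            alerts.append((when, who, "%s from untrusted source %s" % (ev["eventName"], src)))
        if ev.get("errorCode"):
            alerts.append((when, who, "%s failed: %s" % (ev["eventName"], ev["errorCode"])))
    return alerts
```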
116. AWSOME DAY: AWS Security Resources
117. AWS Trusted Advisor: Best practice and recommendation engine. Provides AWS customers with performance and security recommendations in four categories:
    - Cost optimization
    - Security
    - Fault tolerance
    - Performance improvement
118. AWS Trusted Advisor (Security) checks: security groups; AWS IAM use; Amazon S3 bucket permissions; MFA on root account; AWS IAM password policy; Amazon RDS security group access risk
119. Amazon GuardDuty: Managed threat detection. Continuously monitors for malicious or unauthorized behavior. Intelligent threat detection and actionable alerts.
120. What Can Amazon GuardDuty Detect: known malicious IP; (potentially) unusual ports; DNS exfiltration; RDP brute force; unusual traffic volume; connect to blacklisted site; (potentially) recon; anonymizing proxy; temporary credentials used off-instance; unusual ISP caller; Bitcoin activity; unusual instance launch; RAT installed; exfiltrate temporary IAM credentials over DNS; probe API with temporary credentials; attempt to compromise account
121. Amazon Macie: Understand your data (Natural Language Processing, NLP); understand data access (Predictive User Behavior Analytics, UBA)
122. Amazon Macie – User Behavioral Analysis
    0. Feature extraction from event data
    1. Map into user time-series
    2. Cluster peer groups
    3. Predict user activity. Update models.
    4. Identify anomalies.
    5. Attempt to explain statistically.
    6. Alert and narrative explanation created
123. AWS Account Teams: are the first point of contact; guide deployment; point toward the right resources to resolve security issues
124. AWS Enterprise Support*: 15-minute response time; 24/7, by phone, chat, or email; dedicated Technical Account Manager. *For details, see: https://aws.amazon.com/premiumsupport/enterprise-support/
125. Support Plans: AWS Support offers four support plans: Basic Support, Developer Support, Business Support, Enterprise Support
126. AWS Professional Services and AWS Partner Network: APN has hundreds of certified AWS Consulting Partners worldwide
    - Help develop security policies
    - Help meet compliance requirements
127. AWS Marketplace: Online software store for software that can run on AWS; qualified partners market and sell software to AWS customers
128. AWSOME DAY: Fundamentals of Pricing
129. AWS Pricing Model: Pay-as-you-go; pay less when you reserve; pay even less per unit by using more; pay even less as AWS grows
130. No Extra Charge: AWS services for no additional charge: Amazon VPC, AWS Elastic Beanstalk, AWS CloudFormation, AWS IAM, Auto Scaling
131. AWS Free Tier: AWS Free Tier helps customers get started in the cloud. Limitations:
    - Up to one year
    - Certain services and options
    For more details, see: http://www.aws.amazon.com/free
132. Custom Pricing: Meet varying needs through custom pricing. Available for high-volume projects with unique requirements.
133. Amazon EC2 Purchasing Options
    On-Demand Instances: Pay by the hour.
    Reserved Instances: Purchase, at a significant discount, instances that are always available. 1-year to 3-year terms.
    Scheduled Instances: Purchase instances that are always available on the specified recurring schedule, for a one-year term.
    Spot Instances: Bid on unused instances, which can run as long as they are available and your bid is above the Spot price.
    Dedicated Hosts: Pay for a physical host that is fully dedicated to running your instances.
    Dedicated Instances: Pay, by the hour, for instances that run on single-tenant hardware.
134. Amazon S3
    Storage: The number and size of objects
    Requests: Pricing based on number of requests and type of requests
    - Different rates for GET requests
    Data Transfer: Pricing based on the amount of data transferred out of the Amazon S3 region
135. Amazon EBS: Volumes and IOPS
    Volumes: All volume types are charged by the amount provisioned per month
    IOPS: General Purpose (SSD) and Magnetic
    - Included in price
    Provisioned IOPS (SSD)
    - Charged by the amount you provision in IOPS
136. Amazon RDS: Clock-Hour Billing and Database Characteristics
    Clock-Hour Billing: Resources incur charges when running
    Database Characteristics: Physical capacity of database:
    - Engine
    - Instance type
    - Instance size
137. AWS Simple Monthly Calculator: Estimate the cost of running your application or solution in the AWS cloud based on usage. https://calculator.aws
138. AWSOME DAY: Overview of the Total Cost of Ownership Calculator
139. AWS Total Cost of Ownership (TCO) Calculator
    - Estimate cost savings when using AWS
    - Use a detailed set of reports that can be used in executive presentations
    - Modify assumptions that best meet your business needs
    1. Describe your infrastructure in four steps, or enter detailed configurations
    2. Get an instant summary report
    3. Download a full report including detailed cost breakdowns
140. AWSOME DAY
141. AWSOME DAY
142. The Beauty of Serverless
143. Want to know more? https://aws.training
144. Thank you! AWSOME DAY. Hernan Garcia / Technical Trainer @hernangarcia