2. A typical “Cloud Journey” shows workloads moving at different speeds
Stages of Adoption
• Project stage
• Foundation stage
• Migration stage
• Reinvention
Tipping points
• Cloud-First ‘intent’
• All-in ‘intent’
3. Your recommended 1st 90 days
Hold Cloud Discovery Workshop
• Executive Sponsor, Key Business Stakeholders, IT Leadership
• Use the AWS CAF to guide your planning
• Understand Business Drivers, expected outcomes and current environment
• Overview of AWS services & identification of POC workloads
• Identify AWS services and partners to accelerate adoption
• Roadmap to establishing AWS cloud foundation
Create ‘Cloud Centre of Excellence’
• Tiger team of IT and business SMEs to plan, develop and build cloud capability
• Creates and drives a compelling vision and business case for the adoption and use of cloud capabilities
Create Cloud ‘Minimum Viable Product’
• Build out your initial cloud capability
• Minimal set of AWS capabilities required to deliver clear business value
Create Cloud Operations Model, Business Case & Roadmap
• Creation of the Cloud Operating Model, Business Case and Transformation Roadmap
Get Proof-of-Concepts and Early adopters onto platform ASAP
• Critical to delivering value ASAP
Iterative development
• Use continuous feedback and cycles of learning to develop MVP
4. An example Customer cloud journey…
The First Year
Phases: 1.0 MVP (Month 0-3), 1.1 Iteration-1 (Month 4-6), 1.2 Iteration-2 (Month 7-9)
Workstreams: Platform Build, SDLC, CCoE, Application Migration (Business risk appetite)
Activities across the year, in the order laid out on the slide:
• Demonstrate high value apps on AWS
• Network, IAM & Security
• Financial Reporting
• Basic EC2, RDS, EBS Templates
• Standard Pipelines & Developer Tools
• Standard Cloud SOE
• AMI Baking Process
• Standard Release, Change, Event Management
• Self-Service Service Catalog
• Move simple, low-risk apps
• Non-critical apps move using CI/CD
• Critical apps move using CI/CD
• Legacy apps move using lift & shift
• SDLC Security, Resilience & Compliance
• Production ITIL workflow automation
• Incident, Problem Management
• Production Assurance Testing
Chart: Value over Time, with a usage spike as Self-Service becomes available
5. The Adoption Journey Continued
Timeline: Year 1, Year 2, Year 3, Year 4, Year 5 (chart of Value over Time)
• Early Discovery
• Learning
• POCs
• TCO/ROI Analysis
• Security & Risk Preparation
• Cloud Strategy
• Foundational Architecture
• New Application Patterns (MSA, CI/CD)
• Dev/Test
• Production Application Migration
• Operational Integration
• Billing Optimization
• Portfolio Mass Migration
• DC Shutdown
• Horizontal Solutions (VDI, Backup/Archive, Broad storage)
• Advanced Operational Patterns (CI/CD)
• Optimization
• Infrastructure fully automated
• App/Dev owns full solution stack with tools and service catalogs
6. What is a Landing Zone and do I need one?
- A configured, secure, enterprise multi-account AWS environment based on best practices
- A starting point for your application migration journey
- An environment that allows for iteration & extension over time
7. Our Journey Today
Diagram labels: Start; Accounts; Identities; Federation; Logging; Config; Access; Domains; Direct Connect; Network Security; Identity & Access; Automation; Service Catalog; Central Services; End User Interaction; Cloud Users; Migrate; Iterate; Operate & Optimize; What’s Next?
8. Current State
Typical Enterprise Situation
Diagram: Lines of Business raise an Infrastructure Request to Central IT (Governance & Service Management, Provisioning)
Characteristics
• Lead times ~days to weeks
• Service catalogue of components
• Often process-heavy service management
9. Agility versus Control
How to choose?
Business & Business IT: “We want agility, so we can innovate in our business”
Central IT: “I need control, so I can protect our business”
10. Current State
Opportunity to achieve agility and control
Diagram: Lines of Business → Automation → Central IT (Landing Zone Templates, Policy & Best Practices, Landscape Management, Monitor & Respond)
Opportunities
• Lead times in minutes
• Service catalogue of landscapes
• Automated service management
13. Account Structure
• Don’t overdo on Day One
• Use separate accounts for:
  • Security and Compliance Isolation (production, non-prod, logging)
  • Cost Allocation
  • Resource Management and Ownership
18. Our Landing Zone needs to be safe and secure
Insight is the first step
• Who is accessing our Amazon accounts and what are they doing?
• How will we know if anyone breaks our security policy?
• What does the traffic on our infrastructure look like and are all of our resources isolated?
• How can we easily analyze our logs?
19. AWS CloudTrail records who is accessing APIs
Diagram: AWS accounts make API calls on a growing set of AWS services around the world (such as Amazon EBS); CloudTrail is continuously recording API calls and delivers them to a central logging account, where they are used to store/archive, troubleshoot, and monitor & alarm
20. AWS Config informs you of policy violations
Compliance Guideline → Non-compliance Action
• All storage volumes should be encrypted → Automatically encrypt storage volumes
• Instances must not have unrestricted Internet access on Port 22 → Remove Port 22 access from any Internet host
• Instances must be tagged with environment type → Notify developer (email, page, SNS)
Pre-configured rules: https://github.com/awslabs/aws-config-rules
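The three guidelines on this slide, written out as evaluation logic in the style of a custom AWS Config rule. This is an added example, not code from the deck or from the awslabs/aws-config-rules repository; it runs over a constructed inventory (placeholder resource ids) rather than the configuration items a real Config rule would receive, and the remediation text is the action named on the slide.

```python
"""Offline evaluation of the three guidelines on the slide, in the style of a
custom AWS Config rule. The inventory below is constructed sample data; a
real rule would receive configuration items from AWS Config instead."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
SSH_PORT = 22


@dataclass
class Volume:
    volume_id: str
    encrypted: bool


@dataclass
class IngressRule:
    # from_port == -1 is how EC2 expresses "all traffic" (IpProtocol -1)
    from_port: int
    to_port: int
    cidrs: List[str] = field(default_factory=list)


@dataclass
class Instance:
    instance_id: str
    tags: Dict[str, str] = field(default_factory=dict)
    ingress: List[IngressRule] = field(default_factory=list)


def volume_is_encrypted(vol: Volume) -> bool:
    """Guideline 1: all storage volumes should be encrypted."""
    return vol.encrypted


def ssh_open_to_internet(inst: Instance) -> bool:
    """Guideline 2: no unrestricted Internet access on port 22.
    True when any rule covers port 22 and allows the whole Internet (v4 or v6)."""
    for rule in inst.ingress:
        covers_ssh = rule.from_port == -1 or rule.from_port <= SSH_PORT <= rule.to_port
        if covers_ssh and any(cidr in (ANY_IPV4, ANY_IPV6) for cidr in rule.cidrs):
            return True
    return False


def has_environment_tag(inst: Instance) -> bool:
    """Guideline 3: instances must be tagged with their environment type."""
    return bool(inst.tags.get("Environment", "").strip())


# Finding = (resource id, rule name, remediation named on the slide)
Finding = Tuple[str, str, str]


def evaluate(volumes: List[Volume], instances: List[Instance]) -> List[Finding]:
    """Return one finding per violated guideline; an empty list means compliant."""
    findings: List[Finding] = []
    for vol in volumes:
        if not volume_is_encrypted(vol):
            findings.append((vol.volume_id, "volume-encrypted",
                             "Automatically encrypt storage volume"))
    for inst in instances:
        if ssh_open_to_internet(inst):
            findings.append((inst.instance_id, "no-unrestricted-ssh",
                             "Remove Port 22 access from any Internet host"))
        if not has_environment_tag(inst):
            findings.append((inst.instance_id, "environment-tag-present",
                             "Notify developer (email, page, SNS)"))
    return findings


# Constructed sample inventory (ids are placeholders, not real resources).
SAMPLE_VOLUMES = [
    Volume("vol-0000aaaa", encrypted=True),
    Volume("vol-0000bbbb", encrypted=False),
]
SAMPLE_INSTANCES = [
    Instance("i-0000cafe", tags={"Environment": "prod"},
             ingress=[IngressRule(22, 22, ["10.0.0.0/8"])]),      # compliant
    Instance("i-0000beef", tags={"Name": "untagged-box"},
             ingress=[IngressRule(-1, -1, [ANY_IPV4])]),           # two violations
    Instance("i-0000d00d", tags={"Environment": "dev"},
             ingress=[IngressRule(20, 25, [ANY_IPV6])]),           # range covers 22 over IPv6
]


def sample_findings() -> List[Finding]:
    return evaluate(SAMPLE_VOLUMES, SAMPLE_INSTANCES)


if __name__ == "__main__":
    for resource, rule, action in sample_findings():
        print(f"{resource}: NON_COMPLIANT [{rule}] -> {action}")
```

The port check deliberately treats a rule whose range spans 22 (20-25) and the "all traffic" rule (-1) as violations, which is where simple equality checks on port 22 tend to miss.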
21. Log everything centrally for analysis
The AWS centralized logging solution makes it easy for security teams to consolidate AWS logs and analyze them to detect incidents.
Diagram (Log → Transform → Search): Amazon EC2, VPC subnet flow logs, AWS CloudTrail, Amazon S3, Amazon CloudWatch, AWS Lambda, Amazon Elasticsearch Service
You can do this by simply using:
• Amazon Elasticsearch Service
• CloudTrail logs
• VPC flow logs
• EC2 server logs
https://aws.amazon.com/answers/logging/centralized-logging
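Slide 19 says CloudTrail records every API call into a central logging account, and this slide says the point of consolidating those logs is to detect incidents. The following added example (not from the deck or from AWS's centralized-logging solution) shows what such detection logic looks like once the records are in one place: it parses a CloudTrail log file and raises alerts for root-user activity, console sign-ins without MFA, and calls that switch off the trail. The records, event IDs, account ID and IP addresses are constructed placeholders that follow CloudTrail's JSON field names.

```python
"""Detections that a security team can run over CloudTrail records once they
are consolidated in the central logging account (slides 19 and 21). The log
file below is constructed to follow CloudTrail's JSON layout; event IDs,
account IDs and IP addresses are placeholders."""
import json
from typing import Callable, Dict, List, Tuple

# CloudTrail delivers JSON objects shaped {"Records": [...]} to S3.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2019-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}, "eventID": "evt-0001"},
    {"eventTime": "2019-01-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}, "eventID": "evt-0002"},
    {"eventTime": "2019-01-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}, "eventID": "evt-0003"},
    {"eventTime": "2019-01-01T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole", "userName": "ops"},
     "eventID": "evt-0004"},
]})

Record = Dict
Alert = Tuple[str, str, str]  # (eventID, detection name, source IP)

# Calls that weaken or switch off the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def root_account_used(rec: Record) -> bool:
    """Any activity by the account root user is worth an alarm in a landing zone."""
    return rec.get("userIdentity", {}).get("type") == "Root"


def console_login_without_mfa(rec: Record) -> bool:
    """Successful console sign-in where CloudTrail did not record MFA use."""
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def trail_tampering(rec: Record) -> bool:
    return (rec.get("eventSource") == "cloudtrail.amazonaws.com"
            and rec.get("eventName") in TRAIL_TAMPERING)


DETECTIONS: List[Tuple[str, Callable[[Record], bool]]] = [
    ("root-account-activity", root_account_used),
    ("console-login-without-mfa", console_login_without_mfa),
    ("cloudtrail-tampering", trail_tampering),
]


def load_records(log_file_text: str) -> List[Record]:
    return json.loads(log_file_text)["Records"]


def detect(records: List[Record]) -> List[Alert]:
    """Run every detection over every record; one alert per (record, detection) hit."""
    alerts: List[Alert] = []
    for rec in records:
        for name, check in DETECTIONS:
            if check(rec):
                alerts.append((rec["eventID"], name, rec.get("sourceIPAddress", "")))
    return alerts


def alerts_by_source_ip(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group detection names by source address, the first pivot an analyst wants."""
    grouped: Dict[str, List[str]] = {}
    for _, name, ip in alerts:
        grouped.setdefault(ip, []).append(name)
    return grouped


if __name__ == "__main__":
    for alert in detect(load_records(SAMPLE_LOG_FILE)):
        print(alert)
```

In the centralized pipeline on the slide this logic would sit in the Lambda transform step or as a saved search in Elasticsearch; the record shape is the same either way, so the detection functions can be unit-tested offline as shown here.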
22. Choose how to start your compute
Diagram: AMI catalogue → Launch instance (EC2) → Running instance → Configure instance → Your instance
Layers of your instance: Hardening and configuration; Audit and logging; Vulnerability management; Malware and IPS; Whitelisting and integrity; User administration; Operating system
Configure your environment as you like
You get to apply your existing security policy
Private images or import your current ones
Two options to create or import your own ‘gold’ images
1. Import existing VMs to AWS
2. Procure partner AMI from AWS Marketplace
3. Create and save your own custom images
On 3: choose how to build your standard host security environment
CIS AMI: https://aws.amazon.com/marketplace/seller-profile?id=6b3b0dc2-c6f4-487b-8f29-9edba5f39eed
24. You get to control who can do what in your AWS environment, when and from where
Fine-grained control of your AWS cloud with multi-factor authentication.
Integrate with your existing corporate directory and provide SSO to your customers. Support for SAML 2.0 (like your existing Active Directory) and OpenID compatible Identity Providers (IdPs).
You can use AWS managed policies, policies for typical job functions or customer-generated policies using the policy generator and test with the policy simulator.
Diagram: AWS account owner → Identity and Access Management
Control access and segregate duties everywhere
25. Identity and Access Management: Federation with on-prem directory
Diagram: Corporate Data Center (Identity Store, AD Group) → Identity and authentication → Mapping to specific IAM role with access policy → Access to AWS (Browser interface)
http://docs.aws.amazon.com/directoryservice/latest/admin-guide/manage_apps_services.html
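The mapping step above hands an AD group a specific IAM role, so the role's two policies are what actually bound the federated user. The following added example (not from the deck or from AWS documentation) is a pre-flight lint for such a role: the trust policy may only admit the expected SAML provider with the `SAML:aud` condition, and the permissions policy must not be a blanket admin grant. The provider ARN, account ID and policy documents are constructed placeholders.

```python
"""Lint for a SAML-federated IAM role before an AD group is mapped to it.
The trust policy must admit only the expected identity provider with the
saml:aud condition, and the permissions policy must not be a blanket admin
grant. Provider ARN and policies are constructed placeholders."""
from typing import Any, Dict, List

EXPECTED_PROVIDER = "arn:aws:iam::111122223333:saml-provider/CorpAD"  # placeholder ARN
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def _as_list(value: Any) -> List[Any]:
    """IAM lets Action, Resource and principal entries be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: Dict, expected_provider: str = EXPECTED_PROVIDER) -> List[str]:
    issues: List[str] = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        actions = _as_list(st.get("Action"))
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS"))):
            issues.append(f"statement {idx}: principal '*' lets any AWS principal assume the role")
        if "sts:AssumeRoleWithSAML" not in actions:
            continue
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        for provider in federated:
            if provider != expected_provider:
                issues.append(f"statement {idx}: unexpected SAML provider {provider}")
        # Condition keys are case-insensitive in IAM, so normalise before lookup.
        equals = {k.lower(): v
                  for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        if equals.get("saml:aud") != SAML_AUDIENCE:
            issues.append(f"statement {idx}: missing StringEquals SAML:aud = {SAML_AUDIENCE}")
    return issues


def lint_permissions_policy(policy: Dict) -> List[str]:
    issues: List[str] = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "*" in actions and "*" in resources:
            issues.append(f"statement {idx}: Action '*' on Resource '*' is a full admin grant")
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            issues.append(f"statement {idx}: service-wide wildcard {actions} on every resource")
    return issues


def lint_role(trust: Dict, permissions: Dict,
              expected_provider: str = EXPECTED_PROVIDER) -> List[str]:
    """Empty list means the role is safe to map to an AD group."""
    return lint_trust_policy(trust, expected_provider) + lint_permissions_policy(permissions)


# Constructed sample policies: one role as it should look, one with typical mistakes.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": EXPECTED_PROVIDER},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}}}]}
GOOD_PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/Unknown"},
     "Action": "sts:AssumeRoleWithSAML"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
BAD_PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    print("good role:", lint_role(GOOD_TRUST, GOOD_PERMISSIONS))
    print("bad role:", lint_role(BAD_TRUST, BAD_PERMISSIONS))
```

The `SAML:aud` check matters because without it a trust policy that names the provider still accepts any SAML assertion the provider signs for any audience; pairing the provider with the sign-in audience is what ties the role to the federation flow shown in the diagram.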
27. Agility and Control
What do customers tell us about asset management deployment?
Customers want to:
• Define the resources and landscapes where software and applications are deployed
• ‘Approve once and deploy many’
• Enable self-service, deploy with confidence
• Automate deployments
28. Agility and Control
AWS Service Catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner.
Administrator: Control, Standardization, Governance
Users: Agility, Self-service, Time to market
29. Product = Template
Diagram: CloudFormation template → Running stack
Template (JSON formatted file): Parameter definition, Resource creation, Configuration actions
Running stack: Configured AWS services
Framework: Comprehensive service support, Service event-aware, Customizable
Administrator Interaction: Stack creation, Stack updates, Error detection and rollback
CloudFormation to create products
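Because a product is a CloudFormation template, the "approve once and deploy many" promise from slide 27 rests on the template's parameter definitions: the administrator fixes the allowed values once and every self-service launch has to stay inside them. The following added example (not from the deck or from AWS Service Catalog) shows that guardrail: a small constructed JSON-style template with constrained parameters, a validator for user-supplied values, and a check that every `Ref` in the template resolves before the product is published. The template, its resource names and the AMI id are placeholders.

```python
"""Guardrails around a Service Catalog product launch: the administrator
approves the CloudFormation template once, users launch it many times with
their own parameter values. validate_parameters() checks those values against
the template's own constraints, and check_refs() confirms every Ref in the
template resolves. The template is a constructed sample, not one from the page."""
import re
from typing import Any, Dict, List

PRODUCT_TEMPLATE: Dict[str, Any] = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "Environment": {"Type": "String", "AllowedValues": ["dev", "test", "prod"]},
        "InstanceType": {"Type": "String", "Default": "t3.micro",
                         "AllowedValues": ["t3.micro", "t3.small"]},
        "VolumeSize": {"Type": "Number", "Default": 20, "MinValue": 8, "MaxValue": 100},
        "Owner": {"Type": "String", "AllowedPattern": r"^[a-z0-9.-]+@example\.com$"},
    },
    "Resources": {
        "Server": {"Type": "AWS::EC2::Instance", "Properties": {
            "InstanceType": {"Ref": "InstanceType"},
            "ImageId": "ami-PLACEHOLDER",  # gold image id would come from the AMI baking process
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {
                "VolumeSize": {"Ref": "VolumeSize"}, "Encrypted": True}}],
            "Tags": [{"Key": "Environment", "Value": {"Ref": "Environment"}},
                     {"Key": "Owner", "Value": {"Ref": "Owner"}},
                     {"Key": "Region", "Value": {"Ref": "AWS::Region"}}],
        }},
    },
}


def validate_parameters(template: Dict, supplied: Dict[str, Any]) -> List[str]:
    """Return a list of problems; empty means the launch may proceed."""
    params = template.get("Parameters", {})
    errors: List[str] = []
    for name in supplied:
        if name not in params:
            errors.append(f"{name}: not a parameter of this product")
    for name, spec in params.items():
        if name not in supplied:
            if "Default" not in spec:
                errors.append(f"{name}: required (no Default)")
            continue
        value = supplied[name]
        if spec.get("Type") == "Number":
            try:
                num = float(value)  # Service Catalog passes values as strings
            except (TypeError, ValueError):
                errors.append(f"{name}: {value!r} is not a number")
                continue
            if "MinValue" in spec and num < spec["MinValue"]:
                errors.append(f"{name}: {value} below MinValue {spec['MinValue']}")
            if "MaxValue" in spec and num > spec["MaxValue"]:
                errors.append(f"{name}: {value} above MaxValue {spec['MaxValue']}")
            continue
        if "AllowedValues" in spec and value not in spec["AllowedValues"]:
            errors.append(f"{name}: {value!r} not in AllowedValues {spec['AllowedValues']}")
        # CloudFormation evaluates AllowedPattern as a Java regex; Python's re is
        # equivalent for the simple anchored pattern used in this sample.
        if "AllowedPattern" in spec and not re.fullmatch(spec["AllowedPattern"], str(value)):
            errors.append(f"{name}: {value!r} does not match AllowedPattern")
    return errors


def resolve_parameters(template: Dict, supplied: Dict[str, Any]) -> Dict[str, Any]:
    """Merge supplied values with template defaults, refusing invalid input."""
    errors = validate_parameters(template, supplied)
    if errors:
        raise ValueError("; ".join(errors))
    return {name: supplied.get(name, spec.get("Default"))
            for name, spec in template["Parameters"].items()}


def find_refs(node: Any) -> List[str]:
    """Collect every {"Ref": name} target anywhere under node."""
    refs: List[str] = []
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            refs.append(node["Ref"])
        else:
            for child in node.values():
                refs.extend(find_refs(child))
    elif isinstance(node, list):
        for child in node:
            refs.extend(find_refs(child))
    return refs


def check_refs(template: Dict) -> List[str]:
    """Names referenced by Ref that are neither a parameter, a resource, nor an AWS:: pseudo-parameter."""
    known = set(template.get("Parameters", {})) | set(template.get("Resources", {}))
    return sorted({r for r in find_refs(template.get("Resources", {}))
                   if r not in known and not r.startswith("AWS::")})


if __name__ == "__main__":
    print(check_refs(PRODUCT_TEMPLATE))
    print(resolve_parameters(PRODUCT_TEMPLATE, {"Environment": "dev", "Owner": "a@example.com"}))
```

CloudFormation itself rejects out-of-range parameters at launch time; doing the same check up front, in the portal or pipeline that calls Service Catalog, turns a failed stack into an immediate error message and keeps the "deploy with confidence" promise from slide 27 visible to the user rather than buried in a rollback.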