Best Practices for Getting Started with AWS

Best Practices for
Getting Started with AWS
ianmas@amazon.com
@IanMmmm
Ian Massingham — Technical Evangelist

Getting Started with AWS: Agenda
Eight best practices you should focus on when getting started
Resources you can use to learn more

http://aws.amazon.com/getting-started/

Choose Your First
Use Case Well
1

Chose Your First Use Case Well
Make your first project a S.M.A.R.T one

Dev & Test
Spin environments up
and down on demand
Decouple development
and test environments
from operations
constraints
Explore elasticity in a
sandboxed environment

Dev & Test
and down on demand
from operations
constraints
Backup & DR
Take part of your data or
business applications
step- by-step into non-
production DR use
Understand cloud
dynamics and test during
controlled failover

Dev & Test
and down on demand
from operations
constraints
Backup & DR
production DR use
Understand cloud
controlled failover
Greenfield Project
Embody best practice of
cloud computing in
unconstrained greenfield
projects
Self contained web
projects, document
archiving etc

Dev & Test
and down on demand
from operations
constraints
Backup & DR
production DR use
Understand cloud
controlled failover
Greenfield Project
Embody best practice of
cloud computing in
unconstrained greenfield
projects
Self contained web
projects, document
archiving etc
Pain point
Move specific service
aspects causing undue
cost or management
burden
Workflows, search
indexing, media
streaming, document
archiving, constrained
databases

Plan Evolution and Set Goals
Understand services
Test performance
Architect for scale
Develop team capabilities
Implement monitoring
Change control and management
Security management
Scalability
Automate corrective actions
Auto-scaling
Zero downtime deployments
System backup and recovery
Proof of Concept Production Automation
SampleActivities

Accounts
Create an account structure
that makes sense
Use accounts like environments
where you need separation and
control
e.g. Dev Sandboxes
Test Environments
Business Units
Products & Services
Lay Out Your Foundations

BillingAccounts
that makes sense
control
e.g. Dev Sandboxes
Test Environments
Business Units
Products & Services
Control access to billing
information
Use IAM users to keep billing
information in the master account
Consolidate billing into a
single account
Let one account pick up the bill for
multiple ‘sub accounts’
Setup billing alerts and
automated bill reporting
Get CloudWatch notifications when
billing reaches a point and output
csv reports to S3 for analysis

Enable delivery of billing reports
with resources & tags
Billing preferences
Billing Settings

Billing
Master Account
aws.invoices@mycompany.com

Billing
Consolidated Billing Relationship
Master Account
Division B
admin@divisionB.com
User2

Dev2

Admin2
IAM

Billing
Consolidated Billing Relationship
Master Account
Division B
admin@divisionB.com
User2

Dev2

Admin2
IAM
Tags:
Own=Div

Proj=P
Tags:
Own=Div

Proj=Q
Tags:
Own=Div

Proj=R
Tags: (key-value)
e.g Own=Div

Proj=R

Billing
Consolidated Billing Relationships
Master Account
Business Unit C
admin@busUnitC.com
User3

Dev3

Admin3
IAM
Tags:
Own=BusC

Proj=X
Tags:
Own=BusC

Proj=Y
Tags:
Own=BusC

Proj=Z
Division B
admin@divisionB.com
User2

Dev2

Admin2
IAM
Tags:
Own=Div

Proj=P
Tags:
Own=Div

Proj=Q
Tags:
Own=Div

Proj=R
Operating Co. A
admin@opcoA.com
User1

Dev1

Admin1
IAM
Tags:
Own=OpCo

Proj=A
Tags:
Own=OpCo

Proj=B
Tags:
Own=OpCo

Proj=C

Billing
Master Account
Business Unit C
admin@busUnitC.com
User3

Dev3

Admin3
IAM
Tags:
Own=BusC

Proj=X
Tags:
Own=BusC

Proj=Y
Tags:
Own=BusC

Proj=Z
Division B
admin@divisionB.com
User2

Dev2

Admin2
IAM
Tags:
Own=Div

Proj=P
Tags:
Own=Div

Proj=Q
Tags:
Own=Div

Proj=R
Operating Co. A
admin@opcoA.com
User1

Dev1

Admin1
IAM
Tags:
Own=OpCo

Proj=A
Tags:
Own=OpCo

Proj=B
Tags:
Own=OpCo

Proj=C
Alert:
Reached $500 Alert:
Reached $3500
Alert:
Reached $1250

S3CSV
Billing
ANALYSIS
Programmatic Billing Access
Master Account
Business Unit C
admin@busUnitC.com
User3

Dev3

Admin3
IAM
Tags:
Own=BusC

Proj=X
Tags:
Own=BusC

Proj=Y
Tags:
Own=BusC

Proj=Z
Division B
admin@divisionB.com
User2

Dev2

Admin2
IAM
Tags:
Own=Div

Proj=P
Tags:
Own=Div

Proj=Q
Tags:
Own=Div

Proj=R
Operating Co. A
admin@opcoA.com
User1

Dev1

Admin1
IAM
Tags:
Own=OpCo

Proj=A
Tags:
Own=OpCo

Proj=B
Tags:
Own=OpCo

Proj=C

3rd Party Cost Management Tools

Access KeysBillingAccounts
that makes sense
control
e.g. Dev Sandboxes
Test Environments
Business Units
Products & Services
information
single account
Decide upon a key
management strategy
Control access to EC2 instances
via SSH and embedded public key:
e.g. EC2 Key Pair per group of
instances, EC2 Key Pair per
account
Consider SSH key rotation
& automation
Limit exposure to private key
compromise by rotating keys and
replacing authorized_keys listings
on running instances
Consider bootstrap automation to
grant developer access with
developer unique keypairs

Groups & RolesAccess KeysBillingAccounts
that makes sense
control
e.g. Dev Sandboxes
Test Environments
Business Units
Products & Services
information
single account
Decide upon a key
management strategy
Control access to EC2 instances
via SSH and embedded public key:
e.g. EC2 Key Pair per group of
instances, EC2 Key Pair per
account
Consider SSH key rotation
& automation
Limit exposure to private key
compromise by rotating keys and
replacing authorized_keys listings
on running instances
Consider bootstrap automation to
grant developer access with
developer unique keypairs
Use IAM Groups to manage
console users and API
access
Provide developers with IAM user
login and unique API access
credentials
Control & restrict what IAM users
can do by placing them in groups
with associated policies
Assign EC2 Instances IAM
roles
Let AWS manage API access
credentials on running instances by
assigning a system entitlement to
an instance
e.g. instance can only read S3
bucket

Identity & Access Management - IAM
Account
ApplicationsAdministrators Developers
Jim
Gavin
Steve
Nigel
Stephen
Ingest
Console
Reporting

Account
Jim
Gavin
Steve
Nigel
Stephen
Ingest
Console
Reporting
Groups
Multi-factor
Authentication

Account
Jim
Gavin
Steve
Nigel
Stephen
Ingest
Console
Reporting
Groups Roles
Multi-factor
Authentication
AWS API
Credentials

IAM Policies
{

"Statement":
[

{

"Effect":
"Allow",

"Action":
[

"elasticbeanstalk:*",

"ec2:*",

"elasticloadbalancing:*",

"autoscaling:*",

"cloudwatch:*",

"s3:*",

"sns:*"

],

"Resource":
"*"

}

]

}
Create a policy to assign permissions to a
user, group, role or resource.
Policies are created using JSON. A policy
consists of one or more statements, each of
which describes one set of permissions.
Policies control access to AWS APIs

Identity and Access Management - IAM
For more details on IAM, visit:
aws.amazon.com/iam

Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Client-side Data Encryption & Data
Integrity Authentication
Server-side Encryption

(File System and/or Data)
Network Traffic Protection

(Encryption/Integrity/Identity)
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer Data
AmazonYou
Shared Security Responsibility

Understand your customer & determine your security stance
Leverage AWS Security
External
Audience
Regulatory
Audience
Internal
Audience
Architecture
Administration
IAM
Certifications
White Papers
QSA Process
Your Processes
Your Certifications Penetration Test Results

Engage with security assessors early in your adoption cycle
Don’t fear assessment – AWS meets high standards (PCI DSS, ISO27001)
Security assessments take time, so allow for this in your planning
Undertake architecture reviews early in your design/deployment process

Use comprehensive materials and certifications provided by AWS
For more details on AWS Security, visit:
aws.amazon.com/security
Risk and compliance white paper
AWS security processes white paper
CSA consensus assessments initiative questionnaire
(requires NDA)

Use comprehensive materials and certifications provided by AWS
Build upon the security features of AWS to implement ‘security by design’

Direct Connect & VPNVirtual Private CloudControl & AuditTiered Access
IAM
Control users and allow use IAM
Roles to provide API credentials
for instances to enable access to
AWS resources via APIs
APIs vs Instance
Provide developers with API
credentials with separately
controlled access to SSH keys/
administrative logins
Temporary Credentials
Provide temporary API credentials
for access to AWS resources
Instance firewalls
Firewall control on instances via
Security Groups
AWS CloudTrail
The AWS API call history recorded
by CloudTrail enables security
analysis, resource change
tracking, and compliance auditing
AWS Config
A fully managed service that
provides you with an AWS
resource inventory, configuration
history, and configuration change
notifications to enable security and
governance
Subnet control
Create low level networking
constraints for resource access,
such as public and private
subnets, internet gateways and
NATs
Bastion hosts
Only allow access for
management of production
resources from a bastion host.
Turn off when not needed and
restrict startup via MFA
VPC Peering
Connect privately to other VPCs-
Peer VPCs together to share
resources across multiple virtual
networks owned by your or other
AWS accounts.
Private connections to VPC
Secured access to resources in
AWS over software or hardware
VPN and dedicated network links
Because your VPC can be hosted
behind your corporate firewall, you
can seamlessly move your IT
resources into the cloud without
changing how your users access
these applications.
Build on AWS Security Features

Build on the Strengths
of the AWS Cloud
4

e.g. Application performance improvement by migration of static content to Amazon S3 & CloudFront
Review application architectures early – assess their fit for the cloud
Can cloud benefits be delivered with minimum effort & outlay?
e.g. variable capacity requirements, ‘standard’ technology stacks, reference architectures*
e.g. Faster development cycles for dev/test, reduced cap-ex for application environments
Will cloud yield top-line growth, cost savings or agility improvements?
e.g. fully scripted deployments, IAM & EC2 instance roles, rolling deployments
Can automation lead to a more robust, agile & secure services?
Build on the Strengths of the AWS Cloud
1
2
3
4

Disposable compute
Design systems that can tolerate
instance failures
Scalability
Availability
CostOptimisation
✖ ️ ✖ ️
Dispose of compute when it is
not required
✖ ️ ✖ ️

Disposable compute
Flexible capacity
Design systems that can
dynamically scale from zero to
hundreds of instances
Scalability
Availability
CostOptimisation
✖ ️ ✖ ️ ✖ ️
Use Auto-scaling (events, schedules
etc) to drive capacity availability
✖ ️ ✖ ️ ✖ ️

Disposable compute
Flexible capacity
Cost effective storage
Use Amazon S3 for durable &
cost effective storage
Scalability
Availability
CostOptimisation
✖ ️ ✖ ️ ✖ ️
Deploy & scale relational
databases with RDS & use
DynamoDB for high throughput
NoSQL tables
✖ ️ ✖ ️ ✖ ️

Disposable compute
Flexible capacity
Cost effective storage
Automation and control
Automate everything from
deployment, to scaling, to
instance recovery from failure
Scalability
Availability
CostOptimisation
✖ ️ ✖ ️ ✖ ️

Create instance for your OS choice
Configure environment
Install software
Create AMI from instance
Launch fully configured instances from AMI
AMI
Custom machine
image
Instances
Auto-scaling
Manual deployments
Programmatic deployments
Bootstrapping - Custom AMIs
1
2
3
4
5

ami-id

ami-launch-index

ami-manifest-path

block-device-mapping

hostname

instance-action

instance-id

Instance-type

kernel-id
local-hostname

local-ipv4

mac

network

placement

profile

public-hostname

public-ipv4

public-keys

reservation-id
http://169.254.169.254/latest/meta-data
The metadata service contains & provides information about an instance
Metadata
Service
Receive custom
data to drive
bootstrapping
Custom or standard
machine image
Bootstrapping - Metadata Service
AMI
Instances

Metadata
Service
Receive custom
data to drive
bootstrapping
Custom or standard
machine image
AMI
Instances
+ user data

Scripts in user-data field of metadata will be executed on launch
For example
#!/bin/sh

yum
-‐y
install
httpd

chkconfig
httpd
on

/etc/init.d/httpd
start
<powershell>

…

</powershell>
or

+ user data
Install software e.g. web server, app server, proxy
Pull data and application packages from S3
Publish metadata for instance to other systems e.g. monitoring systems
Setup security profile of instance based upon intended use e.g. pull latest config

1. Use multiple availability zones

2. Use RDS with replicas and slaves

5. Use Route53 to host DNS zones

Auto-ScalingRDSRoute 53Elastic Load Balancing
Use at regional level
Combined with autoscaling will
balance requests and resource
capacity across availability zones
Within VPC
Use to load balance between
application tiers within an
availability zone
Instance migrations
Easily move instances from dev
environments to test environments
by moving between ELBs
Leverage SLA
Improve application reliability with
Route 53’s SLA on requests
served
Weighted routing
Perform A/B analysis, and staged
application roll-outs by moving a
portion of traffic to new
infrastructure
Control TTLs and updates
Take absolute control of DNS
updates for more decisive system
updates
Scale databases without
admin overhead
Choose instance size for
databases and scale up over time
Add high availability from
management console
Create master-slave
configurations and read-replicas.
AWS takes care of the failover and
recreation of a new slave in event
of master DB loss
Dynamically scale
resources & control costs
Only provision the resources that
are required with scale up and
cool down policies that match
demand
For more details, visit the AWS architecture center: aws.amazon.com/architecture

AWS Cloud 
Infrastructure & Services
Your 
Business
More Time to Focus on 
Your Business
Configuring

Cloud Services
70%
30%70%
Self Managed Software
& Infrastructure
30%
Managing All of the  
“Undifferentiated Heavy Lifting”
Services Not Software

Relational Database Service

Easy to set up, operate, and scale
Handles time-consuming database management tasks,
such as backups, patch management, and replication
Supports MySQL, Oracle, Microsoft SQL Server, and
PostgreSQL, with Amazon Aurora in preview
NoSQL Database Service

Fast, predictable performance
Supports document & key-value data models
Fully distributed, fault tolerant architecture
Amazon RDS
Amazon DynamoDB

Amazon SQS
Processing task/
processing trigger
Processing results
Simple Queue Service

Fast, reliable, scalable, fully managed
message queuing service
Transmit any volume of data, at any level
of throughput
Amazon SQS
Amazon EMR
Elastic MapReduce

Uses Hadoop, an open source
framework, to distribute your data and
processing across EC2 instances
Integrates with other AWS services, such
S3 & DynamoDB
Supports the broad Hadoop tools
ecosystem

Use the Right Instance Types
Use Auto Scaling
Turn Off Unused Instances
Use Reserved Instances
1
2
3
4
Use Spot Instances5
Use Storage Classes6
Offload Your Architecture7
Use Services, Not Software8
Use Consolidated Billing9
Use Cost Management Tools10

G2
GPU
enabled
M3
General
purpose
Memory
optimized
R3
CR1M2
Storage and IO
optimized
C4
Compute
optimized
C1 CC2
I2
HI1
HS1
CG1M1 C3
Use the Right Instance Types

Linux from $0.013/hour
Windows from $0.018/hour
Pay as you go for computing capacity
Low cost and flexibility
Pay only for what you use, no up-front
commitments or long-term contracts
Ideal for applications being developed or
tested on EC2 for the fist time
Use Cases:
Applications with short term, spiky, or
unpredictable workloads;
Application development or testing
On-demand Instances
1 or 3 year terms
Three payment options: All Upfront, Partial
Upfront & No Upfront
Cost reduced in comparison to the on-
demand purchasing option
Predictable pricing, plus reserved capacity
helps to ensure that compute capacity is
available when needed
Use Cases:
Applications with steady state or predictable
usage
Applications that require reserved capacity,
including disaster recovery
Reserved Instances
Bid on unused EC2 capacity
Name your own price for EC2 computing
capacity. Instances will run whenever your
bid exceeds to the current Spot Price
Spot Price varies in real-time based on
supply/demand, determined automatically
Cost / Large Scale, dynamic workload
handling
Use Cases:
Applications with flexible start and end
times, or which can be accelerated with
additional computing capacity
Applications only feasible at very low
compute prices
Spot Instances
Instance Purchasing Options
For more details, visit EC2 purchasing options: aws.amazon.com/ec2/purchasing-options/

Access everything via CLI, API or Console
Use one of 9 (soon to be 10) fully supported
SDKs to create or make use of existing AWS
resources within your own code
Leverage a broad ecosystem of open source,
free and commercially licensed tools to work
with AWS Services
Achieve the highest levels of automation to
support continuous deployment, define your
infrastructure-as-code or automate your
development, operations or DevOps processes
Find out more at: aws.amazon.com/developers/getting-started/
Everything is Programmable

AWS Deployment & Management Tools
AWS Elastic Beanstalk
AWS OpsWorks
AWS CloudFormation
AWS CodeDeploy

Get Supported: AWS Support Options
Four Support Tiers are Available.
Chose from:
Basic
Developer
Business
Enterprise
For more details on AWS Support, visit:
aws.amazon.com/premiumsupport

Get Supported: Trusted Advisor

Operating systems on EC2 instances:
Ubuntu Server
Red Hat Enterprise Linux and Fedora
SUSE Linux (SLES and openSUSE)
CentOS Linux
Microsoft Windows Server 2003 R2
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Infrastructure components:
Sendmail and Postfix MTAs
OpenVPN and RRAS
SSH, SFTP, and FTP
LVM and Software RAID
Web servers:
Apache
IIS
Nginx
Databases:
MySQL
Microsoft SQL Server
Get Supported: 3rd Party Software
For more details on AWS Support, visit:

Resources You Can Use to Learn More
aws.amazon.com/getting-started/
aws.amazon.com/architecture
aws.amazon.com/security
aws.amazon.com/campaigns/emea-getting-started

Certification
aws.amazon.com/certification
Self-Paced Labs
aws.amazon.com/training/ 
self-paced-labs
Try products, gain new
skills, and get hands-on
practice working with
AWS technologies
aws.amazon.com/training
Training
Validate your proven skills
and expertise with the
AWS platform
Build technical expertise
to design and operate
scalable, efficient
applications on AWS
AWS Training & Certification

Follow
us
for m
ore
events
&
w
ebinars
@AWScloud for Global AWS News & Announcements
@AWS_UKI for local AWS events & news
@IanMmmm
Ian Massingham — Technical Evangelist

Best Practices for Getting Started with AWS

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Best Practices for Getting Started with AWS

Similar a Best Practices for Getting Started with AWS (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

Último

Último (20)

Best Practices for Getting Started with AWS