3. About
• Tensult is an AWS Advanced Consulting Partner
• Started by passionate ex-AWS employees
• In-depth cloud knowledge and expertise
• Automation First approach
7. AWS Organisations
A configured environment with a standard set of secured cloud infrastructure, policies, best practices, guidelines and centrally managed services.
Service Control Policies (SCPs)
SCPs are written for multiple Organisational Units (OUs) to restrict what users, groups and roles are allowed to do, at the account level.
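As an added example (not taken from the deck), an SCP of the kind described above, attached to an OU, that stops every principal in the member accounts from switching off AWS Config recording or pulling the account out of the organisation; the exempted security-admin role name is a placeholder to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectAwsConfigRecording",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:StopConfigurationRecorder",
        "config:PutConfigurationRecorder"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/PLACEHOLDER-SecurityAdminRole"
        }
      }
    },
    {
      "Sid": "DenyLeavingTheOrganisation",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}
```

An SCP only filters the permissions IAM policies grant and never grants any itself, and it has no effect on the organisation's management account, so the guardrail only holds for the member accounts under the OU it is attached to.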
10. Networking
The building block of networking in the Landing Zone concept is the ‘Transit VPC’. A Transit VPC acts as an intermediary for routing between two different places, in this case different VPCs.
Transit VPC
- Advanced filtering and protection is enabled using a next-generation FortiGate firewall
- Set up in active-active mode with failover for VPN connectivity to ensure business continuity.
11. Access Mgmt & Compliance
• IAM Policies
For delegating access to different types of users based on their roles, IAM policies are written hand-in-hand with SCPs.
• SAML based Single Sign-On (SSO)
For seamless access, ADFS is integrated using SAML and users can continue using their existing credentials.
• AWS Config
Configuration history and inventory
Automated monitoring of policy violations
13. AWS Systems Manager
• AWS Systems Manager (SSM) provides an easier way to automate instance actions with minimal setup.
• We can automate both the data plane (instance level, using SSM Run Command) and the control plane (AWS API level, using SSM Automation).
• SSM Automation provides rich features like branching, waits and error handling, and integrates with SSM Run Command, CloudFormation, Lambda, Step Functions, most of the AWS APIs and many more.
• SSM Run Command provides powerful ways to execute commands based on OS type and other instance-level information.
• SSM provides logs and history of all executions, so it is easy to debug and audit, and most importantly it avoids logging into the instance directly.
15. Automation Workflow
Amazon Systems Manager (SSM)
• Capabilities of SSM are leveraged to automate management tasks such as automated VM creation, patch management, application installation, AD joining etc.
Amazon Lambda
• Lambda is used for triggering SSM scripts in response to specified events.
Amazon CloudWatch
• CloudWatch Event rules are used for triggering the Lambda functions.
The most challenging part was the automation, in which multiple scripts were written to achieve the desired output without logging into the instances.
16. Automated AD join
SSM Automation Workflow
1. Install dependencies
2. Fetch AD credentials from Parameter Store
3. Fetch the Hostname tag using the instance ID
4. Change the hostname
5. Execute the domain-joining script
17. Application Installation
SSM Automation Workflow
1. Check the OS version
2. A document is selected based on the OS type
3. The application binary is downloaded from an S3 bucket
4. The binary is installed and verified
18. Virus Definitions updates
SSM Automation Workflow
1. Start the stopped instances
2. Wait for them to reach the running state
3. Execute an SSM Run Command to update the virus definitions
4. Stop the instances
• This workflow updates the virus definitions on stopped instances periodically.
• It is triggered using cron-based CloudWatch Event rules.
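The workflow above written out as an SSM Automation document, as an added example that is not the deck's own code: it handles one instance per execution (start it for each stopped instance, or with targets and rate control), waits for the SSM agent to report Online rather than only for the EC2 running state before sending the Run Command, and still stops the instance when the update step fails. The PowerShell command assumes Windows Defender (Update-MpSignature); substitute your vendor's update command, and the assume-role name is a placeholder.

```json
{
  "schemaVersion": "0.3",
  "description": "Start a stopped instance, update virus definitions, stop it again",
  "assumeRole": "{{ AutomationAssumeRole }}",
  "parameters": {
    "InstanceId": {
      "type": "String",
      "description": "Stopped instance to update (one execution per instance)"
    },
    "AutomationAssumeRole": {
      "type": "String",
      "description": "Placeholder: role Automation assumes; keep it scoped to EC2 start/stop and SSM"
    }
  },
  "mainSteps": [
    {
      "name": "startInstance",
      "action": "aws:changeInstanceState",
      "description": "Step 1: start the instance and block until EC2 reports it running",
      "inputs": { "InstanceIds": ["{{ InstanceId }}"], "DesiredState": "running" }
    },
    {
      "name": "waitForSsmAgent",
      "action": "aws:waitForAwsResourceProperty",
      "description": "Step 2: running is not enough; Run Command needs the SSM agent Online",
      "timeoutSeconds": 600,
      "inputs": {
        "Service": "ssm",
        "Api": "DescribeInstanceInformation",
        "Filters": [{ "Key": "InstanceIds", "Values": ["{{ InstanceId }}"] }],
        "PropertySelector": "$.InstanceInformationList[0].PingStatus",
        "DesiredValues": ["Online"]
      }
    },
    {
      "name": "updateDefinitions",
      "action": "aws:runCommand",
      "description": "Step 3: update definitions; on failure still fall through to the stop step",
      "onFailure": "step:stopInstance",
      "inputs": {
        "DocumentName": "AWS-RunPowerShellScript",
        "InstanceIds": ["{{ InstanceId }}"],
        "Parameters": { "commands": ["Update-MpSignature -ErrorAction Stop"] },
        "CloudWatchOutputConfig": { "CloudWatchOutputEnabled": true }
      }
    },
    {
      "name": "stopInstance",
      "action": "aws:changeInstanceState",
      "description": "Step 4: stop the instance again so a failed run never leaves it up",
      "isEnd": true,
      "inputs": { "InstanceIds": ["{{ InstanceId }}"], "DesiredState": "stopped" }
    }
  ]
}
```

The Run Command output goes to CloudWatch Logs, so a failed definition update is visible in the execution history without anyone logging into the instance, which is the audit property the earlier slide calls out.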
20. AWS Service Catalog
Standardised Deployments
• Create standardised landscapes for the organisation with controls to restrict product deployment, including the type of instances, AMI, security group port openings etc.
Easy to Deploy
• Based on the access a user has, the available products can be found under the listing and provisioned by the user on their own.
Fine-grained Access Control
• Administrators can create portfolios for products and grant access to the portfolios leveraging IAM.
Version Control
• Products can be added to any number of portfolios; updating a product version will update the product across all the portfolios where the product is
21. AWS CloudFormation
Easy to Design: Infrastructure as code, supporting both JSON and YAML.
Modularisation: Split the infrastructure into modules, e.g. nested stacks.
Wait Conditions: Breakpoints can be added to the template with wait conditions, e.g. wait for an EC2 instance or a service to start.
Automated Rollback: If there are any issues with the code, it rolls back to the previous working state automatically.
23. Service Catalog Stacks
Single and Two Tier Stack:
Can be deployed with a few mouse clicks using Service Catalog products with pre-approved AMIs.
Multiple OS Support:
CloudFormation stack with support for 6 operating systems, namely Amazon Linux, CentOS, Ubuntu, RedHat, Windows 2012 and Windows 2016.
Multiple DB Support:
CloudFormation stack supports 2 RDS databases, namely MySQL and MSSQL.
25. Thank You
Sample our work: https://medium.com/tensult, https://github.com/tensult
Follow us: https://linkedin.com/company/tensult, https://twitter.com/tensultdotcom, https://www.facebook.com/tensult