(DVO303) Scaling Infrastructure Operations with AWS

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Prashant Prahlad, Product Manager Abhishek Lal, Product Manager October 2015 DVO303 Scaling Infrastructure Operations with AWS Service Catalog, AWS Config, and AWS CloudTrail

TRANSCRIPT

Page 1: (DVO303) Scaling Infrastructure Operations with AWS

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Prashant Prahlad, Product Manager

Abhishek Lal, Product Manager

October 2015

DVO303

Scaling Infrastructure Operations with AWS Service Catalog, AWS Config, and AWS CloudTrail

Page 2: (DVO303) Scaling Infrastructure Operations with AWS

What to Expect from the Session

Scale infrastructure administration using standardization

Codify your business policies to promote compliance

Improve security, ops posture without sacrificing developer productivity

Troubleshoot issues in a timely manner

Page 3: (DVO303) Scaling Infrastructure Operations with AWS

Growth is good

Experimenting: 2 devs; few instances; 1 app; 100s of API actions

Product launch: 3 devs; tens of instances; few services; 100s of API actions

6 months: 10s of devs; several apps and services; 1000s of API actions; 10s of customers

12 months: several teams of devs; 10s of apps/services; 100,000 API actions; 100s of customers

Page 4: (DVO303) Scaling Infrastructure Operations with AWS

Growth is good…

Enable new users to experiment and make mistakes

Various devices access or use the cloud

Self-service access to infrastructure

Global workforce

…but make good investments early to scale well

Page 5: (DVO303) Scaling Infrastructure Operations with AWS

Growth is also challenging

Several new developers (some new to AWS)

Mistakes can be very expensive

Keeping developers productive becomes harder

Operating and troubleshooting numerous flavors

Noisy #slack channel

Page 6: (DVO303) Scaling Infrastructure Operations with AWS

Traditional options

Decentralize and hope:

• Self serve, experiment, innovate

• Promote agility

• Well-intentioned, but dangerous

• Compliance subject to interpretation by new users

Lock down and approve:

• Full control, reduced experimentation

• Reduced agility

• Scales to number of approvers

• Unappealing to developers

Page 7: (DVO303) Scaling Infrastructure Operations with AWS

Or self serve, self govern at scale…..

Goals

• Agility

• Innovation

• Compliance

• Risk mitigation

• Cost control

Culture

• DevOps culture

• Continuous deployments

• Automation

• Measurement

• Sharing

Tooling

• Infrastructure-as-code

• Self service

• Auditing

• Change tracking

Page 8: (DVO303) Scaling Infrastructure Operations with AWS

Using AWS management services

[Diagram labels: Users; Admin; Browse and launch; Use and modify; Troubleshoot and Audit; AWS Service Catalog; Provision with Tags; AWS CloudTrail; API calls; AWS Config; Configuration checks]

Page 9: (DVO303) Scaling Infrastructure Operations with AWS

What is AWS Service Catalog?

AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy the approved IT services they need in a self-service manner.

Organizations:

• Control

• Standardization

• Governance

Developers:

• Agility

• Self-service

• Time to market

Page 10: (DVO303) Scaling Infrastructure Operations with AWS

Service Catalog flow

Administrator: create custom services and grant access

Users: use a personalized portal to find and launch services

1. Creates portfolio

2. Authors template (AWS CloudFormation template)

3. Creates product (ProductX, ProductY, ProductZ)

4. Adds constraints and grants access

5. Browse products

6. Launch products

7. Deploys stacks

8. Events

[Diagram labels: Administrator; Portfolio; Users]

Page 11: (DVO303) Scaling Infrastructure Operations with AWS

Demo: AWS Service Catalog

Page 12: (DVO303) Scaling Infrastructure Operations with AWS

Self-service provisioning and standardization

AWS Service Catalog

• Increase agility with self-service provisioning

• Promote standardization and compliance

• Tag resources for cost tracking and chargeback

Page 13: (DVO303) Scaling Infrastructure Operations with AWS

AWS CloudTrail

You are making API calls...

On a growing set of AWS services around the world...

CloudTrail is continuously recording API calls

[Diagram labels: Store/Archive; Troubleshoot; Monitor & Alarm]

Page 14: (DVO303) Scaling Infrastructure Operations with AWS

Use cases enabled by CloudTrail

Security analysis

Track API calls to AWS resources

Troubleshoot operational issues

Demonstrate compliance

Page 15: (DVO303) Scaling Infrastructure Operations with AWS

Look up API calls

Look up by user, resource type, API, or resource name

Page 16: (DVO303) Scaling Infrastructure Operations with AWS

Track user activity and API usage

AWS CloudTrail

• Complete log of API actions

• Answer Who, What, When, Where quickly

• Enables faster resolution of issues

• Set up alerts on APIs

Page 17: (DVO303) Scaling Infrastructure Operations with AWS

AWS Config

• Get inventory of AWS resources

• Create Rules to check recorded configurations

• Audit historical configurations

• Notifies you when configurations change

Page 18: (DVO303) Scaling Infrastructure Operations with AWS

AWS Config & Config Rules

[Diagram labels: Changing Resources; Record; Normalize; Store; Deliver; Stream; Snapshot (ex. 2014-11-05); History; APIs; Rules; AWS Config]

Page 19: (DVO303) Scaling Infrastructure Operations with AWS

Configuration Item

| Component | Description | Contains |
| --- | --- | --- |
| Metadata | Information about this configuration item | Version ID, configuration item ID, time when the configuration item was captured, state ID indicating the ordering of the configuration items of a resource, MD5Hash, etc. |
| Common Attributes | Resource attributes | Resource ID, tags, resource type, Amazon Resource Name (ARN), Availability Zone, etc. |
| Relationships | How the resource is related to other resources associated with the account | EBS volume vol-1234567 is attached to an EC2 instance i-a1b2c3d4 |
| Current Configuration | Information returned through a call to the Describe or List API of the resource | e.g. for an EBS volume: state of the DeleteOnTermination flag; type of volume (for example, gp2, io1, or standard) |
| Related Events | The AWS CloudTrail events that are related to the current configuration of the resource | AWS CloudTrail event ID |

Page 20: (DVO303) Scaling Infrastructure Operations with AWS

Sample Config Item

{
    "configurationItemVersion": "1.0",
    "configurationItemCaptureTime": "2014…",
    "configurationStateID": "….",
    "configurationItemStatus": "OK",
    "resourceId": "vol-ce676ccc",
    "arn": "arn:aws:us-west-………",
    "accountId": "12345678910",
    "availibilityZone": "us-west-2b",
    "resourceType": "AWS::EC2::Volume",
    "resourceCreationTime": "2014-02..",
    "tags": {},
    "relatedEvents": [
        "06c12a39-eb35-11de-ae07-db69edbb1e4"
    ],
    "relationships": [
        {
            "resourceId": "i-344c463d",
            "resourceType": "AWS::EC2::Instance",
            "name": "Attached to Instance"
        }
    ],
    "configuration": {
        "volumeId": "vol-ce676ccc",
        "size": 1,
        "snapshotId": "",
        "availabilityZone": "us-west-2b",
        "state": "in-use",
        "createTime": "2014-02-……",
        "attachments": [
            {
                "volumeId": "vol-ce676ccc",
                "instanceId": "i-344c463d",
                "device": "/dev/sdf",
                "state": "attached",
                "attachTime": "2014-03-",
                "deleteOnTermination": false
            }
        ],
        "tags": [
            {
                "tagName": "environment",
                "tagValue": "PROD"
            },
            {
                "tagName": "name",
                "tagValue": "DataVolume1"
            }
        ],
        "volumeType": "standard"
    }
}

Page 21: (DVO303) Scaling Infrastructure Operations with AWS

Config Rule

A rule that checks the validity of recorded configurations

• AWS Managed Config Rules: rules defined by AWS that require minimal (or no) configuration to enable. Rules are managed by AWS.

• Customer Managed Config Rules: rules created in your account that require authoring or reusing AWS Lambda functions. Rules execute in your account.

Report evaluation of {Rule, ResourceType, ResourceID} directly from the rule itself
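The evaluation step of a customer-managed rule, as an added example that is not from the original slides or from AWS: it checks a configuration item shaped like the slide's sample and returns one result per {Rule, ResourceType, ResourceID}. The rule name, the tagging policy and the delete-on-termination policy are hypothetical; the result keys other than "Rule" follow the evaluation fields of the Config PutEvaluations API, and the function runs offline without calling AWS.

```python
RULE_NAME = "prod-volume-policy"          # hypothetical rule name
REQUIRED_TAGS = {"environment", "name"}   # hypothetical tagging policy
APPLICABLE_TYPES = {"AWS::EC2::Volume"}


def evaluate(item, rule_name=RULE_NAME):
    """Return one evaluation keyed by {Rule, ResourceType, ResourceID}."""
    result = {
        "Rule": rule_name,  # local bookkeeping key, not a Config field
        "ComplianceResourceType": item.get("resourceType"),
        "ComplianceResourceId": item.get("resourceId"),
        "OrderingTimestamp": item.get("configurationItemCaptureTime"),
    }
    # Deleted resources and other resource types are outside the rule's scope.
    if (item.get("resourceType") not in APPLICABLE_TYPES
            or item.get("configurationItemStatus") == "ResourceDeleted"):
        result["ComplianceType"] = "NOT_APPLICABLE"
        return result
    config = item.get("configuration") or {}
    # Tag shape (tagName/tagValue) follows the slide's sample item.
    tags = {t["tagName"]: t["tagValue"] for t in config.get("tags", [])}
    problems = []
    missing = sorted(REQUIRED_TAGS - set(tags))
    if missing:
        problems.append("missing tags: " + ", ".join(missing))
    # Hypothetical policy: PROD data must survive instance termination.
    if tags.get("environment") == "PROD":
        for att in config.get("attachments", []):
            if att.get("deleteOnTermination"):
                problems.append(f"{att.get('device')} is deleted on termination")
    result["ComplianceType"] = "NON_COMPLIANT" if problems else "COMPLIANT"
    result["Annotation"] = "; ".join(problems)
    return result


# Constructed sample input, abbreviated from the slide's configuration item.
SAMPLE_ITEM = {
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2014-11-05T00:00:00Z",  # constructed value
    "resourceId": "vol-ce676ccc",
    "resourceType": "AWS::EC2::Volume",
    "configuration": {
        "attachments": [{"instanceId": "i-344c463d", "device": "/dev/sdf",
                         "deleteOnTermination": False}],
        "tags": [{"tagName": "environment", "tagValue": "PROD"},
                 {"tagName": "name", "tagValue": "DataVolume1"}],
    },
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_ITEM))
```

In a deployed rule, the Lambda handler would take the configuration item from the invoking event and submit this result to Config; that wiring is left out so the check can be exercised locally.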

Page 22: (DVO303) Scaling Infrastructure Operations with AWS

Why track change events using Config?

Security Analysis: Am I safe?

Audit Compliance: Where is the evidence?

Change Management: What will this change affect?

Troubleshooting: What has changed?

Discovery: What resources exist?

Page 23: (DVO303) Scaling Infrastructure Operations with AWS

Demo: Set up and use Config Rules

Page 24: (DVO303) Scaling Infrastructure Operations with AWS
Page 25: (DVO303) Scaling Infrastructure Operations with AWS

Track resource inventory and changes

AWS Config

• Continuous compliance with Config Rules

• Set up Config Rules for ideal configurations

• Record configuration changes

• Stream change notifications

Page 26: (DVO303) Scaling Infrastructure Operations with AWS

Using AWS management services

[Diagram labels: Users; Admin; Browse and launch; Use and modify; Troubleshoot and Audit; AWS Service Catalog; Provision with Tags; AWS CloudTrail; API calls; AWS Config; Configuration checks]

Page 27: (DVO303) Scaling Infrastructure Operations with AWS

Try the AWS management services

AWS Service Catalog

• Self-service

• Standardization

• Control

AWS Config

• Config Rules PREVIEW

• Record Changes

• Stream notifications

Sign up: https://aws.amazon.com/config/preview

AWS CloudTrail

• Track user activity

• Audit log of API calls

• Troubleshoot issues

Page 28: (DVO303) Scaling Infrastructure Operations with AWS

Thank you!

Prashant Prahlad, Product Manager

Abhishek Lal, Product Manager

Page 29: (DVO303) Scaling Infrastructure Operations with AWS

Remember to complete your evaluations!