Pre-Launch Checklist: What to do Before Going Production on AWS
Sami Zuhuruddin

Uploaded by amazon-web-services, posted on 02-Dec-2014


DESCRIPTION

Today’s IT enterprises are leveraging AWS for a variety of workloads. Many talks focus on technical outcomes and how to achieve them, but in this talk we’re going to take a step back. When we’re thinking about moving our major production workloads to a new home on AWS, we reserve the right to be a little paranoid. We’ll take a look at the appropriate technical and non-technical account management strategies to ensure that the same well-established IT governance and controls can not only be met but exceeded when you run production on AWS.

TRANSCRIPT

Page 1: Pre-launch Checklist for Going Production on AWS

Pre-Launch Checklist

What to do Before Going Production on AWS

Sami Zuhuruddin

Page 2: Pre-launch Checklist for Going Production on AWS

Pre-Launch Checklist (agenda)

01. Security
02. Accounts
03. Support
04. Cost
05. MFA
06. CloudTrail
07. IAM
08. Network
09. Tag
10. Automate

Page 4: Pre-launch Checklist for Going Production on AWS

01. Security

• Gather internal feedback
  – Compliance and regulatory requirements
  – Data classification implications
• Involve security owners from the start
  – Environment validation and testing

Page 5: Pre-launch Checklist for Going Production on AWS

01. Security

Shared Security Model

AWS is responsible for the security OF the Cloud:
• Foundation Services: Compute, Storage, Database, Network
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for their security IN the Cloud:
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption/Integrity/Identity)

Page 6: Pre-launch Checklist for Going Production on AWS

01. Security

• Understand Platform Capabilities
  – MFA
  – Encryption
  – CloudHSM
  – Network Controls

(Slide icons: Amazon Redshift, AWS CloudHSM)

Page 8: Pre-launch Checklist for Going Production on AWS

02. Accounts

• Master Account – Email Alias
  – What happens when [email protected] leaves?
  – Make it something meaningful like [email protected]
  – Make sure relevant owners are in that alias
    • i.e. department director, finance owner
  – Secure it with MFA
  – This account is ‘root’
    • Don’t use it & don’t generate API credentials

Page 9: Pre-launch Checklist for Going Production on AWS

02. Accounts

Consolidated Billing

• Receive a single bill for all charges incurred across all linked accounts
• Share RI discounts
• Combine tiering benefits
• Facilitates a company-wide strategy for accounts
• No resources under the payer account

(Diagram: Payer Bill covering Accounts 1-4; Accounts 1 to 4 each shown with a Regular Bill; Share RI Discounts, Combine Tiering)

Page 10: Pre-launch Checklist for Going Production on AWS

02. Accounts

• Invoicing
  – Major convenience – no more credit cards
  – Make sure you set up AWS as a vendor BEFORE switching to invoicing (hint hint - check with accounting first)
• Get in touch
  – Your account manager and solution architect are here to help
  – Not a must if you’re self-sufficient, but if you’re planning on doing something and want a second pair of eyes or to understand best practices, please get in touch

Page 12: Pre-launch Checklist for Going Production on AWS

03. Support

Four Levels of Support

Page 13: Pre-launch Checklist for Going Production on AWS

03. Support

• Opt-In Model
  – But that doesn’t mean you should go without it
• When should you add support?
  – Development - not getting the expected results or simply want to get help with a problem
  – Production - extremely / highly recommended if you have a service where people might complain if it’s down (most of us do)

Page 14: Pre-launch Checklist for Going Production on AWS

03. Support

Trusted Advisor

• Infrastructure Audits
  – Saves money
  – Improves availability
  – Closes security gaps
  – Increases performance
• Recent Performance
  – 1,700,000+ recommendations
  – $300M+ in annualized savings

Page 16: Pre-launch Checklist for Going Production on AWS

04. Cost

• Model your costs
  – http://calculator.s3.amazonaws.com/index.html
  – Share estimates via link and revise as needed

Page 17: Pre-launch Checklist for Going Production on AWS

04. Cost

• Billing Insight
  – Invoices via email
  – Billing Alerts
  – Billing Reports
  – Cost Allocation Reports

Page 18: Pre-launch Checklist for Going Production on AWS

04. Cost

• Reserved Instances
  – Significant discount on the hourly rate
  – Low, one-time upfront fee
  – Available in one- or three-year reservations
  – Implement as soon as usage can be trended
  – Choose optimal reservation type based on expected usage:
    • Light: between 11% - 19%
    • Medium: between 19% - 35%
    • Heavy: running > 35% of the time

Page 19: Pre-launch Checklist for Going Production on AWS

04. Cost

• Spot Market
  – Bid on unused EC2 Capacity
  – Great option for resumable workloads
  – Checkpoint often (to S3 or external db)
  – Test and then test again
  – Instances can be taken back anytime (when bid is exceeded)
  – Savings over on-demand can be very compelling

Page 21: Pre-launch Checklist for Going Production on AWS

05. Multi-Factor Authentication

• Supplements user name and password to require a one-time code for authentication
• Two types: physical and virtual
• Enable for master account
• Also enable for all privileged users … no reason not to

Page 22: Pre-launch Checklist for Going Production on AWS

05. Multi-Factor Authentication

• Can be used for more than just logging in:
  – Protecting objects or buckets in S3 from accidental deletion
  – Changing rules in a Security Group
  – Adding users in IAM
  – Terminating a CloudFormation stack
  – Almost anything…

Example policy: deny instance termination unless the caller authenticated with MFA (the "Version" key is added here to the slide's policy text; without it the policy is read under the older default policy language):

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Deny",
        "Action": ["ec2:TerminateInstances"],
        "Resource": ["*"],
        "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}
      }]
    }
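As an added example (not from the slides), a small Python check that replays the Deny statement above against constructed request contexts. It models only the IAM "Null" condition operator and the explicit-deny rule, and adds a "Version" key to the slide's policy text; aws:MultiFactorAuthAge and aws:username are real IAM condition keys, while the session values are constructed.

```python
import json

# Policy text from the slide, with an explicit "Version" added so the
# statement is interpreted under the current policy language.
MFA_GATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["ec2:TerminateInstances"],
    "Resource": ["*"],
    "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}
  }]
}""")


def null_condition_matches(cond, context):
    """IAM "Null" operator: the value "true" matches when the key is ABSENT
    from the request context, "false" matches when it is present."""
    for key, want_absent in cond.items():
        key_absent = key not in context
        if key_absent != (str(want_absent).lower() == "true"):
            return False
    return True


def is_denied(policy, action, context):
    """True if a Deny statement names `action` and its Null conditions hold.
    Only exact action names and the Null operator are modelled; Resource is
    taken as matching, as the slide's policy uses "*" (an explicit Deny wins)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or action not in actions:
            continue
        if null_condition_matches(stmt.get("Condition", {}).get("Null", {}), context):
            return True
    return False


# Constructed request contexts: a session without MFA, and one whose MFA
# was verified 120 seconds ago (aws:MultiFactorAuthAge is then present).
NO_MFA = {"aws:username": "alice"}
WITH_MFA = {"aws:username": "alice", "aws:MultiFactorAuthAge": "120"}

if __name__ == "__main__":
    print(is_denied(MFA_GATE_POLICY, "ec2:TerminateInstances", NO_MFA))    # True
    print(is_denied(MFA_GATE_POLICY, "ec2:TerminateInstances", WITH_MFA))  # False
    print(is_denied(MFA_GATE_POLICY, "ec2:DescribeInstances", NO_MFA))     # False
```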

Page 24: Pre-launch Checklist for Going Production on AWS

06. CloudTrail

• Records API calls in your account and delivers a log file to your S3 bucket.

• Typically, delivers an event within 15 minutes of the API call.

• Log files are delivered approximately every 5 minutes.

• Multiple partners offer integrated solutions to analyze log files.

Image Source: Jeff Barr

Page 25: Pre-launch Checklist for Going Production on AWS

06. CloudTrail

Image Source: Jeff Barr

• Who made the API call?
• When was the API call made?
• What was the API call?
• What were the resources that were acted upon in the API call?
• Where was the API call made from?

Example CloudTrail record (a console login with MFA):

    {
      "eventVersion": "1.01",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAJDPLRKLG7UEXAMPLE",
        "arn": "arn:aws:iam::123456789012:Alice",
        "accountId": "123456789012"
      },
      "eventTime": "2014-07-08T17:36:04Z",
      "eventSource": "signin.amazonaws.com",
      "eventName": "ConsoleLogin",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "10.0.0.1",
      "userAgent": "AWS Console Access",
      "requestParameters": null,
      "responseElements": { "ConsoleLogin": "Success" },
      "additionalEventData": {
        "MobileVersion": "No",
        "LoginTo": "https://console.aws.amazon.com/sns",
        "MFAUsed": "Yes"
      },
      "eventID": "example-even-tide-xamp-123456789012"
    }
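As an added example (not from the slides or Jeff Barr's post), Python that answers the five questions above for every record in a CloudTrail log file and flags successful console logins made without MFA. The first record is the slide's; the second is a constructed no-MFA login from an external address, and the {"Records": [...]} file layout is CloudTrail's.

```python
import json

SLIDE_RECORD = {  # the record shown on the slide
    "eventVersion": "1.01",
    "userIdentity": {"type": "IAMUser", "principalId": "AIDAJDPLRKLG7UEXAMPLE",
                     "arn": "arn:aws:iam::123456789012:Alice", "accountId": "123456789012"},
    "eventTime": "2014-07-08T17:36:04Z", "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.0.1",
    "userAgent": "AWS Console Access", "requestParameters": None,
    "responseElements": {"ConsoleLogin": "Success"},
    "additionalEventData": {"MobileVersion": "No",
                            "LoginTo": "https://console.aws.amazon.com/sns", "MFAUsed": "Yes"},
    "eventID": "example-even-tide-xamp-123456789012",
}
# Constructed second record: same user the next day, no MFA, from an external address.
NO_MFA_RECORD = dict(SLIDE_RECORD, eventTime="2014-07-09T08:02:11Z",
                     sourceIPAddress="203.0.113.7",
                     additionalEventData={"MobileVersion": "No", "MFAUsed": "No",
                                          "LoginTo": "https://console.aws.amazon.com/ec2"},
                     eventID="constructed-0000-0000-0000-000000000002")
SAMPLE_LOG = json.dumps({"Records": [SLIDE_RECORD, NO_MFA_RECORD]})  # CloudTrail file layout


def summarize(record):
    """The slide's five questions (who / when / what / resources / where)."""
    ident = record.get("userIdentity") or {}
    return {
        "who": ident.get("arn") or ident.get("principalId") or ident.get("type"),
        "when": record.get("eventTime"),
        "what": "%s:%s" % (record.get("eventSource"), record.get("eventName")),
        "resources": [r.get("ARN") for r in record.get("resources") or []],
        "where": record.get("sourceIPAddress"),
    }

def console_logins_without_mfa(log_text):
    """Successful ConsoleLogin events whose MFAUsed flag is not 'Yes'."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        success = (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        mfa_used = (rec.get("additionalEventData") or {}).get("MFAUsed")
        if success and mfa_used != "Yes":
            hits.append(summarize(rec))
    return hits

if __name__ == "__main__":
    for hit in console_logins_without_mfa(SAMPLE_LOG):
        print("console login without MFA:", hit)
```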

Page 26: Pre-launch Checklist for Going Production on AWS

06. CloudTrail

Partner Solutions … in addition to Amazon CloudWatch

Page 28: Pre-launch Checklist for Going Production on AWS

07. IAM

• Grant Least Privilege Policies
  – Use policy templates
  – Avoid assigning *:* policy
  – Easier to relax than to tighten up
  – Less chance of people making mistakes
  – Use conditions where feasible
  – Test your policies in the Policy Simulator

Page 29: Pre-launch Checklist for Going Production on AWS

07. IAM

• Use Roles for EC2 instances
  – No more hard-coded credentials
  – Automatic credential rotation
  – Simply launch instance with role
  – Rule of least privilege still applies
  – Fully integrated with AWS SDKs

Page 30: Pre-launch Checklist for Going Production on AWS

07. IAM

• SSO Federation
  – Supports SAML 2.0
  – AWS Management Console login
  – Pre-packaged samples:
    • Windows Active Directory
    • Shibboleth
  – Enterprise-controlled onboarding and offboarding of AWS users
  – Makes use of IAM roles
  – Can be leveraged across several AWS accounts

(Diagram: Enterprise SSO)

Page 32: Pre-launch Checklist for Going Production on AWS

08. Network

• Planning is everything
  – VPCs will represent data centers in your environment
  – Choose an RFC1918 scheme that fits in your enterprise and can scale across many VPCs
  – Connectivity options:
    • VPN
    • AWS Direct Connect
    • None (Bastion Host)

Page 33: Pre-launch Checklist for Going Production on AWS

08. Network

Traffic Filtering – what does what?

Network ACLs:
• Applied to Subnets (1 per)
• Stateless inspection
• Create allow & deny rules
• Are processed in order

Security Groups:
• Applied at the instance ENI level (5 per)
• Stateful inspection
• Create ‘allow’ rules
• Are evaluated as a whole
• Can reference other Security Groups in the same VPC

Page 34: Pre-launch Checklist for Going Production on AWS

08. Network

• VPC Peering
  – Connect two VPCs in the same Region
  – Non-overlapping IP space
  – Bridged by routing table entries (both sides of peering relationship)
  – Offer & Accept model
  – Can be used for ‘shared services VPC’

(Diagram: two VPCs, 10.1.0.0/16 and 10.0.0.0/16, exchanging PeerRequest / PeerAccept)

Page 36: Pre-launch Checklist for Going Production on AWS

09. Tagging

• Tag Everything
  – User-defined metadata
  – 10 tags per resource
  – Create tags relevant to you:
    • Department
    • Owner
    • Cost Center
    • Expiration Date
    • Data Sensitivity

Page 37: Pre-launch Checklist for Going Production on AWS

09. Tagging

Carried through to billing reports…

• Cost Allocation Report
  – Monthly granularity
  – Product, tag key aggregation
• Detailed Billing Report w/ Resources and Tags
  – Hourly granularity
  – Grouped by resource
  – Has tags
  – Lots and lots of data!

What is my cost by department? How do I do charge-backs?

Page 39: Pre-launch Checklist for Going Production on AWS

10. Automate

API Driven Infrastructure (diagram centred on the API):
• AWS Console (GUI)
• Command Line Interface (CLI) – Windows PowerShell and Python on Linux
• Software Development Kits (SDK)
• REST API

Page 40: Pre-launch Checklist for Going Production on AWS

10. Automate

Rich set of APIs for your programming platform or language (Android, iOS, Java, nodeJS, .NET, PHP, Python, Ruby) and specialized cloud tools integrated in your development environment (Eclipse, Visual Studio, CLI, PowerShell).

Page 41: Pre-launch Checklist for Going Production on AWS

10. Automate

Convenience vs. Control: Elastic Beanstalk, OpsWorks, CloudFormation, EC2 (higher-level services at the convenience end, do it yourself at the control end)

CloudFormation template excerpt shown on the slide (cut off on the slide after "ConstraintDescription"):

    {
      "AWSTemplateFormatVersion" : "2010-09-09",
      "Description" : "This template creates a CloudFormation stack that uses Amazon CloudFront and an Amazon EC2 AMI for Adobe Flash Media Server 4.5 to enable HTTP streaming of your live event.",
      "Parameters" : {
        "InstanceType" : {
          "Type" : "String",
          "Description" : "The type of Amazon EC2 instance to launch. Valid values are: m1.large, m1.xlarge, m2.xlarge, m2.2xlarge, m2.4xlarge, c1.xlarge.",
          "Default" : "m1.xlarge",
          "AllowedValues" : [ "m1.large","m1.xlarge","m2.xlarge","m2.2xlarge","m2.4xlarge","c1.xlarge" ],
          "ConstraintDescription" : "
