7. Infrastructure Request: Current State
[Diagram: typical enterprise situation. Lines of Business request infrastructure from Central IT through Governance & Service Management, which provisions from a Service Catalogue of components.]
Provisioning characteristics:
• Lead times of days, weeks or months
• Service Catalogue of components
• Often process-heavy Service Management
11. Account Structure
• Don’t overdo it on Day One
• Use separate accounts for:
  - Security and compliance isolation (production vs. non-production, logging)
  - Cost allocation
  - Resource management and ownership
13. Account Structure
Opportunity to create linked accounts: the Create Linked Account (CLA) API
• The payer account can programmatically create new accounts and manage them through cross-account access; the administrative privileges are configured automatically during account creation.
• Currently available on a whitelisting basis:
  - Contact your AWS Account Manager or SA
  - A public API will be rolled out in future; you will need to move to those new APIs then
• (The successor to this capability is the AWS Organizations CreateAccount API, which creates an OrganizationAccountAccessRole in the new account that the management account can assume.)
16. Analyze your CloudTrail Logs
[Diagram: you make API calls from the AWS Management Console, AWS CLI or SDK to AWS services; CloudTrail logs them and delivers the log files to your central Amazon S3 logging bucket, where analysis and action take place.]
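The "Analysis & Action" box of the slide, as an added example that is not part of the original deck: a small triage pass over one CloudTrail delivery file (gzip-compressed JSON with a "Records" array, the format CloudTrail writes to the S3 bucket). It flags root-account use, console logins without MFA, CloudTrail tampering, sensitive IAM changes and access-denied errors. The five records, the account id 123456789012, the user names and the IP addresses are constructed placeholders; the field names are CloudTrail's own.

```python
"""Triage CloudTrail log files from the central S3 logging bucket.

Added example, not from the original deck. The sample records below are
constructed; account id, user names and IP addresses are placeholders.
"""
import gzip
import json

# Management-plane calls worth an alert whoever makes them.
SENSITIVE_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "iam.amazonaws.com": {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                          "CreatePolicyVersion", "CreateAccessKey"},
}

def mfa_used(record):
    """True if the call came from an MFA-authenticated session or console login."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    if attrs.get("mfaAuthenticated") == "true":
        return True
    # ConsoleLogin reports MFA in additionalEventData rather than sessionContext.
    return record.get("additionalEventData", {}).get("MFAUsed") == "Yes"

def triage(record):
    """Return (severity, reason) findings for one CloudTrail record."""
    findings = []
    identity_type = record.get("userIdentity", {}).get("type")
    name, source = record.get("eventName"), record.get("eventSource")
    if identity_type == "Root":
        findings.append(("high", "root account used"))
    if name == "ConsoleLogin" and not mfa_used(record):
        findings.append(("high", "console login without MFA"))
    if name in SENSITIVE_EVENTS.get(source, ()):
        severity = "high" if source == "cloudtrail.amazonaws.com" else "medium"
        findings.append((severity, f"sensitive call {name}"))
    if record.get("errorCode") == "AccessDenied":
        findings.append(("low", "access denied"))
    return findings

def analyze_log_file(blob):
    """Parse one gzip'd CloudTrail delivery file and return alerts, worst first."""
    records = json.loads(gzip.decompress(blob))["Records"]
    alerts = []
    for rec in records:
        for severity, reason in triage(rec):
            alerts.append({
                "time": rec.get("eventTime"),
                "severity": severity,
                "reason": reason,
                "event": rec.get("eventName"),
                "principal": rec.get("userIdentity", {}).get("arn"),
                "sourceIP": rec.get("sourceIPAddress"),
            })
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: (rank[a["severity"]], a["time"]))

def _user(name, mfa):
    """Constructed IAM-user identity block with the given mfaAuthenticated value."""
    return {"type": "IAMUser", "arn": f"arn:aws:iam::123456789012:user/{name}",
            "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}}

# Constructed sample delivery file (the shape CloudTrail writes to S3).
SAMPLE_RECORDS = {"Records": [
    {"eventTime": "2015-10-08T09:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-10-08T09:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.11",
     "userIdentity": _user("alice", "true")},
    {"eventTime": "2015-10-08T09:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": _user("bob", "false")},
    {"eventTime": "2015-10-08T09:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci"}},
    {"eventTime": "2015-10-08T09:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.11", "userIdentity": _user("alice", "true")},
]}
SAMPLE_LOG_FILE = gzip.compress(json.dumps(SAMPLE_RECORDS).encode())

if __name__ == "__main__":
    for alert in analyze_log_file(SAMPLE_LOG_FILE):
        print(f"{alert['severity']:6} {alert['time']} {alert['event']:18} "
              f"{alert['reason']} ({alert['principal']})")
```

In a real deployment the bytes handed to analyze_log_file come from the S3 object (or from an S3 event notification triggering a Lambda function); the triage rules are the part to grow, for example by adding a list of expected source IP ranges for the central remote-administration hosts.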
21. Network
Direct Connect for connecting the on-premises and AWS environments
[Diagram: a Customer Gateway connects over a Partner Network to a Direct Connect Location carrying Virtual Interface #1 and Virtual Interface #2; a Secondary Direct Connect Location and a VPN backup provide the fallback paths, so a single location or circuit is not a single point of failure.]
22. Network
Central services in a central VPC
Central common/core services:
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
• Internet proxy
[Diagram: the Central Services VPC is connected to the Production (Generic), Production (Business Critical) and Non-production VPCs.]
24. You get to control who can do what in your AWS environment, when and from where
• Fine-grained control of your AWS cloud with multi-factor authentication
• Integrate with your existing LDAP / Active Directory using federation and single sign-on
• Use AWS managed policies or customer-managed policies written with the policy generator, and test them with the policy simulator before they reach production
[Diagram: the AWS account owner uses Identity and Access Management to control access and segregate duties everywhere.]
25. Identities and Access Control
Sample Access Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "Dev"
        }
      }
    }
  ]
}
Effect: Allow or Deny access to the resource
Action: the service calls the statement permits
Resource: the object or objects the statement covers; here every EC2 instance in any region and account. The slide's original ARN left the region and account fields empty, but IAM matches ARN fields literally apart from the * and ? wildcards, so for EC2 resources they need explicit wildcards or concrete values.
Condition: the instance must carry the tag Environment=Dev. The condition key ec2:ResourceTag must be qualified with a tag key; the slide named only the value "Dev", so the key Environment is an assumption here.
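To see how the four elements combine, here is an added example (not from the deck, and not the AWS policy simulator the slide mentions): a minimal offline evaluator for the sample policy that applies IAM's rules as stated on the slide, default deny, an explicit Deny overriding any Allow, only * and ? acting as wildcards in actions and ARNs, and the condition reading the instance's tags from the request context. The instance ids, the account id and the Environment tag key are placeholders.

```python
"""Offline evaluator for the sample policy (added example, not AWS code).

Instance ARNs, account id and the Environment tag key are placeholders.
"""
import json
import re

SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Dev"}}
    }
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' one; all else literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _condition_met(condition, context):
    """Support StringEquals and StringLike; any other operator, or a context key
    that is absent (e.g. an untagged instance), fails closed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            values = _as_list(expected)
            if operator == "StringEquals" and actual not in values:
                return False
            if operator == "StringLike" and not any(_glob(v, actual) for v in values):
                return False
            if operator not in ("StringEquals", "StringLike"):
                return False
    return True

def evaluate(policy, action, resource_arn, context):
    """Return 'allow', 'explicitDeny' or 'implicitDeny' for one request."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are not.
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # an explicit Deny overrides every Allow
        decision = "allow"
    return decision

# Constructed requests. The context carries the resource's tags the way IAM
# populates ec2:ResourceTag/<key> from the instance being acted on.
DEV_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0dev000000000001"
PROD_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0prod00000000002"

def demo():
    """Exercise the sample policy against four requests."""
    dev = {"ec2:ResourceTag/Environment": "Dev"}
    prod = {"ec2:ResourceTag/Environment": "Prod"}
    return {
        "start dev": evaluate(SAMPLE_POLICY, "ec2:StartInstances", DEV_INSTANCE, dev),
        "start prod": evaluate(SAMPLE_POLICY, "ec2:StartInstances", PROD_INSTANCE, prod),
        "terminate dev": evaluate(SAMPLE_POLICY, "ec2:TerminateInstances", DEV_INSTANCE, dev),
        "start untagged": evaluate(SAMPLE_POLICY, "ec2:StartInstances", DEV_INSTANCE, {}),
    }

if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:15} -> {decision}")
```

Only "start dev" is allowed: the production instance fails the tag condition, TerminateInstances is not in the Action list, and an untagged instance has no ec2:ResourceTag/Environment key at all, which the condition treats as not satisfied. The real evaluation also takes resource-based policies, permission boundaries and SCPs into account, which is why the policy simulator, not a local script, is the final check.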
26. Identities and Access Control
Example user types with corresponding access policies
Access Managers:
• IAM Master: creates policies
• IAM Manager: assigns policies
• Audit: read-only access
Design:
• Architect: creates landscapes
• Storage: design and build
• Network: design and build
Application Owners:
• DevOps: API access
• App Owner: landscape owner
Support and Operations:
• Support: account policy
• Empty Role: no policy
Administrators (typical access policy):
• Landscape Mgt Administrator
• Service Catalog Administrator
27. Identity and Access Management
Federation with on-prem directory
[Diagram: in the Corporate Data Center the user authenticates through a browser interface against the identity store; the AD group provides identity and authentication and is mapped to a specific IAM role with an access policy, which grants the access to AWS.]
29. Cloud Consumers
AWS Service Catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner.
Administrators get control, standardization and governance; users get agility, self-service and time to market.
30. Product = Template
Administrator interaction: CloudFormation to create products
Template: JSON formatted file (YAML is also accepted today) with parameter definitions, resource creation and configuration actions
CloudFormation: comprehensive service support, service event aware, customisable framework; handles stack creation, stack updates, error detection and rollback
Running Stack: configured AWS services
31. Administrator Interaction: Managing products
1. The Administrator creates a portfolio (Portfolio A, Portfolio B) and assigns the product to the portfolio
2. The Administrator creates the product (ProductX, with versions)
3. The Landscape Architect authors the template
4. The Administrator adds constraints, grants access (users and roles) and adds tags to the portfolio
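The administrator steps of slides 30 and 31 as code, added here as an example that is neither from the deck nor from AWS's own samples. In production the sc argument is boto3.client("servicecatalog"); the RecordingClient is a stand-in that records the calls and returns fake ids so the example runs offline and shows the order the real API requires (product before association, portfolio before constraints and access). The product name, ARNs, template URL, AMI id and tag values are placeholders. It also adds a small pre-flight check on the template for Ref targets that do not exist, the kind of error CloudFormation would otherwise report only at stack creation.

```python
"""Publish a Service Catalog product: steps 1-4 from slide 31 (added example).

Pass boto3.client("servicecatalog") as sc in production. RecordingClient
is a stand-in; names, ARNs, template URL, AMI id and tags are placeholders.
"""
import json

# Minimal product template: Parameters are what end users may change, and
# AllowedValues stops them picking an instance size the platform team has
# not approved.
PRODUCT_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "InstanceType": {"Type": "String", "Default": "t3.micro",
                         "AllowedValues": ["t3.micro", "t3.small"]},
        "SubnetId": {"Type": "AWS::EC2::Subnet::Id"},
    },
    "Resources": {
        "Web": {"Type": "AWS::EC2::Instance",
                "Properties": {"InstanceType": {"Ref": "InstanceType"},
                               "SubnetId": {"Ref": "SubnetId"},
                               "ImageId": "ami-0123456789abcdef0"}},
    },
}

PSEUDO_PARAMETERS = {"AWS::Region", "AWS::AccountId", "AWS::StackName", "AWS::StackId"}

def unresolved_refs(template):
    """Return Ref targets that name neither a Parameter nor a Resource.
    CloudFormation rejects such a template when the stack is created; checking
    here keeps a broken version out of the catalog."""
    known = set(template.get("Parameters", {})) | set(template.get("Resources", {}))
    missing = set()

    def walk(node):
        if isinstance(node, dict):
            if list(node) == ["Ref"] and node["Ref"] not in known | PSEUDO_PARAMETERS:
                missing.add(node["Ref"])
            for child in node.values():
                walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)

    walk(template.get("Resources", {}))
    walk(template.get("Outputs", {}))
    return missing

class RecordingClient:
    """Stand-in for the boto3 servicecatalog client: records calls, fakes ids."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, api):
        def call(**kwargs):
            self.calls.append((api, kwargs))
            return {"ProductViewDetail": {"ProductViewSummary": {"ProductId": "prod-abc123"}},
                    "PortfolioDetail": {"Id": "port-xyz789"}}
        return call

def publish_product(sc, template, template_url, launch_role_arn, end_user_arn):
    """Create the product and portfolio, link them, constrain and grant access."""
    missing = unresolved_refs(template)
    if missing:
        raise ValueError(f"template references unknown logical ids: {sorted(missing)}")
    # Step 2: the product, with its first version pointing at the authored template.
    product_id = sc.create_product(
        Name="WebServer", Owner="Platform Team", ProductType="CLOUD_FORMATION_TEMPLATE",
        ProvisioningArtifactParameters={
            "Name": "v1", "Type": "CLOUD_FORMATION_TEMPLATE",
            "Info": {"LoadTemplateFromURL": template_url}},
    )["ProductViewDetail"]["ProductViewSummary"]["ProductId"]
    # Step 1: the portfolio, then the product is assigned to it.
    portfolio_id = sc.create_portfolio(
        DisplayName="Standard Landscapes", ProviderName="Platform Team",
        Tags=[{"Key": "CostCenter", "Value": "4711"}],
    )["PortfolioDetail"]["Id"]
    sc.associate_product_with_portfolio(ProductId=product_id, PortfolioId=portfolio_id)
    # Step 4: a launch constraint makes Service Catalog build the stack with the
    # platform role, so end users need no EC2 permissions of their own; then the
    # end-user group is granted access to the portfolio.
    sc.create_constraint(PortfolioId=portfolio_id, ProductId=product_id, Type="LAUNCH",
                         Parameters=json.dumps({"RoleArn": launch_role_arn}))
    sc.associate_principal_with_portfolio(PortfolioId=portfolio_id,
                                          PrincipalARN=end_user_arn, PrincipalType="IAM")
    return {"product_id": product_id, "portfolio_id": portfolio_id}

if __name__ == "__main__":
    client = RecordingClient()
    print(publish_product(client, PRODUCT_TEMPLATE,
                          "https://s3.amazonaws.com/my-templates/web.json",
                          "arn:aws:iam::123456789012:role/ServiceCatalogLaunchRole",
                          "arn:aws:iam::123456789012:group/Developers"))
    for api, kwargs in client.calls:
        print(api, sorted(kwargs))
```

The launch constraint is the security-relevant step: without it the stack is created with the end user's own credentials, so every user would need the permissions of the whole template, and the "Empty Role, no policy" users of slide 26 could provision nothing. With it, the launch role holds those permissions and the user only needs servicecatalog:ProvisionProduct.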
32. Agility and Control
Opportunities to strengthen the handshake between Administrator and Products:
• User generated products to foster innovation
• Back-end micro-services acting on the stacks
39. AWS Service Catalog
Announcing today
• End User APIs are Generally Available with SDK and CLI support
• CloudTrail support for End User actions in the UI and API
• Product version default limit raised to 50 per product