SlideShare a Scribd company logo

Build on AWS: Building & Modernizing

Amazon Web Services
Amazon Web Services

Danny Mak, Partner Solutions Architect, APAC shares how to modernize with containers and build using DevOps on AWS during the AWS ASEAN Partner Techshift.

1 of 34
Build on AWS: Building & Modernizing Danny Mak Partner Solutions Architect, APAC
Be Agile: SaaS Reference Architecture Landscape
Modernizing your applications • Go service oriented architecture (and to microservices and beyond!) • Modernize with containers! • Build with DevOps! • Offload security considerations!
UI Shipping Service UIShipping UI Shipping Service Order UI User UI Order Service Service Order UI Order UI User UI Order ServiceOrder Service Service Service Service ServiceUser Service Scaling on monolithic vs SOA applications
Characteristics of Service Oriented Architectures Do one thing wellIndependent Decentralized Black box Polyglot You build it, you run it
Containers are Natural for SOA • Simple to model • Any app, any language • Image is the version • Test & deploy same artifact • Stateless servers decrease change risk
Amazon ECS • Fully managed, elastic service – you don’t need to run anything, and the service scales as your microservices architecture grows • Shared state optimistic scheduling • Integration with Amazon CloudWatch for monitoring and logging • Integration with AWS DevOps services for continuous integration and delivery (CI/CD)
Deploying Containers on ECS – Choose a Scheduler Batch Jobs (Monthly reporting, consolidated shipping) ECS task scheduler Run tasks once Batch jobs RunTask (random) StartTask (placed) Long-Running Apps (CRM web interface, content management module) ECS service scheduler Health management Scale-up and scale-down AZ aware Grouped containers
Example Architecture on ECS Amazon ECR Amazon RDS Application Load Balancer ECS Cluster ECS Cluster IAM Amazon API Gateway* Amazon Route 53 Amazon CloudWatch
Automatic Service Scaling Publish metrics Auto Scaling ECS service Availability Zone A Availability Zone B Order Module Add/Remove ECS tasks Order Module ReportingScaling Policies Amazon CloudWatch Amazon ECS Application Load Balancer
Blue-Green Deployments TaskTask Route 53 record set with weighted routing policy 0% 100%
Service Discovery with Route 53 and Application Load Balancers Application Load Balancer i-aaa i-bbb i-ccc i-aaa i-bbb i-ccc oAuth Target Group 8080 8081 Portal Target Group Reporting Target Group 8090 8001 8002 8080 Amazon Route 53 ECS Cluster PandaCRM.com PandaCRM.com PandaCRM.com/report PandaCRM.com/order
What about DevOps?
The DevOps Stack Continuous Deployment Delivery Pipelines Deployment Automation Continuous Integration Automated Testing Configuration Management Agile Communication
DevOps Practices • Infrastructure as code • Application and Infrastructure version management • Continuous Integration • Test Automation • Continuous Deployment • Monitoring and logging
Release processes levels Source Build Test Production Continuous integration Continuous delivery Continuous deployment
DevOps Stack on AWS 17 MonitorProvisionDeployTestBuildCode AWS Elastic Beanstalk CloudWatchCloudFormationCodeDeploy CodeCommit CodePipeline AWS Opsworks AWS Elastic Container Service CodeBuild
Where do I go from here? • Collect Metrics. Graph anything that moves • Log everything, Centralize logging, Log Analytics • Infrastructure as Code • Automated configuration management • One click environment creation • CI-CD pipelines • Automated testing
We have a strong partner list, and it’s growing Source Build Test Deploy *beta
Continuous Deployment AWS CodeCommit AWS CodePipeline AWS CodeBuild Amazon ECR Amazon ECS instance Spot Instance AWS CloudFormation 1. Commit Code 2. Trigger Pipeline 3.Build Artifact 5.Update Stack 6. Update Service 4. Push Image
Don’t forget security Don’t forget security
Beyond the Front Door Injecting Tenant Context Security & Isolation Tenant Access Roles Tenant Provisioning
First, We Need A Tenant New Tenant On-Boarding Tenant Identity Broker Identity Provider Tenant Management Billing • User: bob@test.com • TenantID: 491048735 • TenantID: 491048735 • Domain: abc.com • Tier: Platinum • Status: Active Domain Provisioning SSL Certificate IAM Policy
Key Tenant Provisioning Considerations • Find a seamless model for binding tenant to identities • Consider fault tolerance for 3rd Party integrations • Need to factor in tenant lifecycle management • Allow for tenant level variation in identity policies • Let identity providers do the heavy lifting • Lean on automation and repeatability
Identity & Isolation: Many Levels, One Goal Full Stack Isolation Web Tier App Tier Tenant 1 Web Tier App Tier Tenant 2 Resource-Level Isolation Tenant 1 Tenant 2 Tenant 1 Tenant 2 Tenant 1 Tenant 2 Application-Level Isolation Tenant1 Tenant2 Tenant1 Tenant2 Tenant1 Tenant3 Key
IAM Policies Scope Tenant Access Web Tier App Tier Tenant1 Access Policy CustomerTable Tenant2 Access Policy T1-Bucket T2-Bucket
Binding Policies to Tenants Web Application Tenant Identity Broker Identity Provider AWS cloud • Identity resolved to AWS Security Token Services (STS) • Acquire token with tenant-scoped access • Leverage a temporary token • No need for separate AWS identity
Key Security & Isolation Considerations • Applying isolation may require a hybrid of AWS and application strategies • Avoid having separate IAM users for each tenant • Automate testing of isolation policies/strategy • Consider the scale, management, and automation impacts of managing access policies • Let IAM enforce your tenant level scoping
Applying Tenant Context Tenant Access Control Homepage Access Control Catalog Service Access Control Cart Service TenantContext { UserID: “bob@abc.com” Role: “Admin”, TenantID: “93194942” } JWT Token Authorization: Bearer<JWT> Authorization: Bearer<JWT> Authorization: Bearer<JWT> Access Control Auth ServiceTenant Service
SaaS Identity Flow Web Application Tenant Identity Broker Identity Provider Multi-Factor Authentication AWS cloud IAM Policy UserID: bob@abc.com TenantID: “93194942” Role: “Admin”
SaaS Identity Considerations • SaaS identity is bigger than authentication • Use identity broker pattern to decouple from identity providers • Leave the heavy lifting, risk, and innovation to someone else • Automate role and policy provisioning/management • Add tenant context to identity token to limit bottlenecks
Recap: Be Agile Elastic Container Services has modernize applications in SOA. With DevOps and offloading identity, AWS services provides the agility needed in the SaaS world.
Takeaways • Modernize the app with SOA on ECS • DevOps with AWS Code* services for agility • Offload SaaS identity and focus on app innovation
Build on AWS: Building & Modernizing

Recommended

Building Serverless Websites with Lambda@Edge - AWS Online Tech Talks
Building Serverless Websites with Lambda@Edge - AWS Online Tech TalksBuilding Serverless Websites with Lambda@Edge - AWS Online Tech Talks
Building Serverless Websites with Lambda@Edge - AWS Online Tech TalksAmazon Web Services
 
Automating Amazon Inspector Assessments and Findings Remediation
Automating Amazon Inspector Assessments and Findings RemediationAutomating Amazon Inspector Assessments and Findings Remediation
Automating Amazon Inspector Assessments and Findings RemediationAmazon Web Services
 
Build on AWS: Delivering and Modernizing.
Build on AWS: Delivering and Modernizing. Build on AWS: Delivering and Modernizing.
Build on AWS: Delivering and Modernizing. Amazon Web Services
 
Getting Started with Amazon EC2 Container Service
Getting Started with Amazon EC2 Container ServiceGetting Started with Amazon EC2 Container Service
Getting Started with Amazon EC2 Container ServiceAmazon Web Services
 
Using AWS CloudTrail and AWS Config to Enhance the Governance and Compliance ...
Using AWS CloudTrail and AWS Config to Enhance the Governance and Compliance ...Using AWS CloudTrail and AWS Config to Enhance the Governance and Compliance ...
Using AWS CloudTrail and AWS Config to Enhance the Governance and Compliance ...Amazon Web Services
 
Introduction to Microsoft Workloads on AWS - AWS Online Tech Talks
Introduction to Microsoft Workloads on AWS - AWS Online Tech TalksIntroduction to Microsoft Workloads on AWS - AWS Online Tech Talks
Introduction to Microsoft Workloads on AWS - AWS Online Tech TalksAmazon Web Services
 
Edge Services as a Critical AWS Infrastructure Component - August 2017 AWS On...
Edge Services as a Critical AWS Infrastructure Component - August 2017 AWS On...Edge Services as a Critical AWS Infrastructure Component - August 2017 AWS On...
Edge Services as a Critical AWS Infrastructure Component - August 2017 AWS On...Amazon Web Services
 
WIN401_Migrating Microsoft Applications to AWS
WIN401_Migrating Microsoft Applications to AWSWIN401_Migrating Microsoft Applications to AWS
WIN401_Migrating Microsoft Applications to AWSAmazon Web Services
 

Recommended

Building Serverless Websites with Lambda@Edge - AWS Online Tech Talks
Building Serverless Websites with Lambda@Edge - AWS Online Tech TalksBuilding Serverless Websites with Lambda@Edge - AWS Online Tech Talks
Building Serverless Websites with Lambda@Edge - AWS Online Tech TalksAmazon Web Services
 
Automating Amazon Inspector Assessments and Findings Remediation
Automating Amazon Inspector Assessments and Findings RemediationAutomating Amazon Inspector Assessments and Findings Remediation
Automating Amazon Inspector Assessments and Findings RemediationAmazon Web Services
 
Build on AWS: Delivering and Modernizing.
Build on AWS: Delivering and Modernizing. Build on AWS: Delivering and Modernizing.
Build on AWS: Delivering and Modernizing. Amazon Web Services
 
Getting Started with Amazon EC2 Container Service
Getting Started with Amazon EC2 Container ServiceGetting Started with Amazon EC2 Container Service
Getting Started with Amazon EC2 Container ServiceAmazon Web Services
 
Using AWS CloudTrail and AWS Config to Enhance the Governance and Compliance ...
Using AWS CloudTrail and AWS Config to Enhance the Governance and Compliance ...Using AWS CloudTrail and AWS Config to Enhance the Governance and Compliance ...
Using AWS CloudTrail and AWS Config to Enhance the Governance and Compliance ...Amazon Web Services
 
Introduction to Microsoft Workloads on AWS - AWS Online Tech Talks
Introduction to Microsoft Workloads on AWS - AWS Online Tech TalksIntroduction to Microsoft Workloads on AWS - AWS Online Tech Talks
Introduction to Microsoft Workloads on AWS - AWS Online Tech TalksAmazon Web Services
 
Edge Services as a Critical AWS Infrastructure Component - August 2017 AWS On...
Edge Services as a Critical AWS Infrastructure Component - August 2017 AWS On...Edge Services as a Critical AWS Infrastructure Component - August 2017 AWS On...
Edge Services as a Critical AWS Infrastructure Component - August 2017 AWS On...Amazon Web Services
 
WIN401_Migrating Microsoft Applications to AWS
WIN401_Migrating Microsoft Applications to AWSWIN401_Migrating Microsoft Applications to AWS
WIN401_Migrating Microsoft Applications to AWSAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...Amazon Web Services
 
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...Amazon Web Services
 
Advanced Techniques for Federation of the AWS Management Console and Command ...
Advanced Techniques for Federation of the AWS Management Console and Command ...Advanced Techniques for Federation of the AWS Management Console and Command ...
Advanced Techniques for Federation of the AWS Management Console and Command ...Amazon Web Services
 
Detective Controls: Gain Visibility and Record Change
Detective Controls: Gain Visibility and Record ChangeDetective Controls: Gain Visibility and Record Change
Detective Controls: Gain Visibility and Record ChangeAmazon Web Services
 
Serverless DevOps to the Rescue - SRV330 - re:Invent 2017
Serverless DevOps to the Rescue - SRV330 - re:Invent 2017Serverless DevOps to the Rescue - SRV330 - re:Invent 2017
Serverless DevOps to the Rescue - SRV330 - re:Invent 2017Amazon Web Services
 
Secure and Integrated - Using IAM with Amazon MSK | Mitchell Henderson, AWS
Secure and Integrated - Using IAM with Amazon MSK | Mitchell Henderson, AWSSecure and Integrated - Using IAM with Amazon MSK | Mitchell Henderson, AWS
Secure and Integrated - Using IAM with Amazon MSK | Mitchell Henderson, AWSHostedbyConfluent
 
STG301_Deep Dive on Amazon S3 and Glacier Architecture
STG301_Deep Dive on Amazon S3 and Glacier ArchitectureSTG301_Deep Dive on Amazon S3 and Glacier Architecture
STG301_Deep Dive on Amazon S3 and Glacier ArchitectureAmazon Web Services
 
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWSAmazon Web Services
 
Introduction to Serverless Computing and AWS Lambda - AWS IL Meetup
Introduction to Serverless Computing and AWS Lambda - AWS IL MeetupIntroduction to Serverless Computing and AWS Lambda - AWS IL Meetup
Introduction to Serverless Computing and AWS Lambda - AWS IL MeetupBoaz Ziniman
 
AWS Lambda support for AWS X-Ray
AWS Lambda support for AWS X-RayAWS Lambda support for AWS X-Ray
AWS Lambda support for AWS X-RayEitan Sela
 
Hands-on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3
Hands-on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3Hands-on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3
Hands-on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3Amazon Web Services
 
Serverless - State Of the Union
Serverless - State Of the UnionServerless - State Of the Union
Serverless - State Of the UnionAmazon Web Services
 
Preparing for AWS Certification/ Advanced Security Training
Preparing for AWS Certification/ Advanced Security TrainingPreparing for AWS Certification/ Advanced Security Training
Preparing for AWS Certification/ Advanced Security TrainingAmazon Web Services
 
Microservices and Serverless for Mega Startups - DevOps IL Meetup
Microservices and Serverless for Mega Startups - DevOps IL MeetupMicroservices and Serverless for Mega Startups - DevOps IL Meetup
Microservices and Serverless for Mega Startups - DevOps IL MeetupBoaz Ziniman
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWSAmazon Web Services
 
IAM Federation - Pop-up Loft TLV 2017
IAM Federation - Pop-up Loft TLV 2017IAM Federation - Pop-up Loft TLV 2017
IAM Federation - Pop-up Loft TLV 2017Amazon Web Services
 
Serverless Architectural Patterns
Serverless Architectural PatternsServerless Architectural Patterns
Serverless Architectural PatternsAmazon Web Services
 
SRV411 Deep Dive on Mobile Application Development with AWS
SRV411 Deep Dive on Mobile Application Development with AWSSRV411 Deep Dive on Mobile Application Development with AWS
SRV411 Deep Dive on Mobile Application Development with AWSAmazon Web Services
 
How to Achieve PCI DSS Compliance on AWS
How to Achieve PCI DSS Compliance on AWS How to Achieve PCI DSS Compliance on AWS
How to Achieve PCI DSS Compliance on AWSAmazon Web Services
 
Managing Your Application Lifecycle on AWS: Continuous Integration and Deploy...
Managing Your Application Lifecycle on AWS: Continuous Integration and Deploy...Managing Your Application Lifecycle on AWS: Continuous Integration and Deploy...
Managing Your Application Lifecycle on AWS: Continuous Integration and Deploy...Amazon Web Services
 
Continuous delivery and deployment on AWS
Continuous delivery and deployment on AWSContinuous delivery and deployment on AWS
Continuous delivery and deployment on AWSShiva Narayanaswamy
 

More Related Content

What's hot

Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...Amazon Web Services
 
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...Amazon Web Services
 
Advanced Techniques for Federation of the AWS Management Console and Command ...
Advanced Techniques for Federation of the AWS Management Console and Command ...Advanced Techniques for Federation of the AWS Management Console and Command ...
Advanced Techniques for Federation of the AWS Management Console and Command ...Amazon Web Services
 
Detective Controls: Gain Visibility and Record Change
Detective Controls: Gain Visibility and Record ChangeDetective Controls: Gain Visibility and Record Change
Detective Controls: Gain Visibility and Record ChangeAmazon Web Services
 
Serverless DevOps to the Rescue - SRV330 - re:Invent 2017
Serverless DevOps to the Rescue - SRV330 - re:Invent 2017Serverless DevOps to the Rescue - SRV330 - re:Invent 2017
Serverless DevOps to the Rescue - SRV330 - re:Invent 2017Amazon Web Services
 
Secure and Integrated - Using IAM with Amazon MSK | Mitchell Henderson, AWS
Secure and Integrated - Using IAM with Amazon MSK | Mitchell Henderson, AWSSecure and Integrated - Using IAM with Amazon MSK | Mitchell Henderson, AWS
Secure and Integrated - Using IAM with Amazon MSK | Mitchell Henderson, AWSHostedbyConfluent
 
STG301_Deep Dive on Amazon S3 and Glacier Architecture
STG301_Deep Dive on Amazon S3 and Glacier ArchitectureSTG301_Deep Dive on Amazon S3 and Glacier Architecture
STG301_Deep Dive on Amazon S3 and Glacier ArchitectureAmazon Web Services
 
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWSAmazon Web Services
 
Introduction to Serverless Computing and AWS Lambda - AWS IL Meetup
Introduction to Serverless Computing and AWS Lambda - AWS IL MeetupIntroduction to Serverless Computing and AWS Lambda - AWS IL Meetup
Introduction to Serverless Computing and AWS Lambda - AWS IL MeetupBoaz Ziniman
 
AWS Lambda support for AWS X-Ray
AWS Lambda support for AWS X-RayAWS Lambda support for AWS X-Ray
AWS Lambda support for AWS X-RayEitan Sela
 
Hands-on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3
Hands-on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3Hands-on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3
Hands-on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3Amazon Web Services
 
Preparing for AWS Certification/ Advanced Security Training
Preparing for AWS Certification/ Advanced Security TrainingPreparing for AWS Certification/ Advanced Security Training
Preparing for AWS Certification/ Advanced Security TrainingAmazon Web Services
 
Microservices and Serverless for Mega Startups - DevOps IL Meetup
Microservices and Serverless for Mega Startups - DevOps IL MeetupMicroservices and Serverless for Mega Startups - DevOps IL Meetup
Microservices and Serverless for Mega Startups - DevOps IL MeetupBoaz Ziniman
 
IAM Federation - Pop-up Loft TLV 2017
IAM Federation - Pop-up Loft TLV 2017IAM Federation - Pop-up Loft TLV 2017
IAM Federation - Pop-up Loft TLV 2017Amazon Web Services
 
Serverless Architectural Patterns
Serverless Architectural PatternsServerless Architectural Patterns
Serverless Architectural PatternsAmazon Web Services
 
SRV411 Deep Dive on Mobile Application Development with AWS
SRV411 Deep Dive on Mobile Application Development with AWSSRV411 Deep Dive on Mobile Application Development with AWS
SRV411 Deep Dive on Mobile Application Development with AWSAmazon Web Services
 
How to Achieve PCI DSS Compliance on AWS
How to Achieve PCI DSS Compliance on AWS How to Achieve PCI DSS Compliance on AWS
How to Achieve PCI DSS Compliance on AWSAmazon Web Services
 

What's hot (20)

Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
 
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
GPSTEC323-SaaS and OpenID Connect The Secret Sauce Multi-Tenant Identity and ...
 
Advanced Techniques for Federation of the AWS Management Console and Command ...
Advanced Techniques for Federation of the AWS Management Console and Command ...Advanced Techniques for Federation of the AWS Management Console and Command ...
Advanced Techniques for Federation of the AWS Management Console and Command ...
 
Detective Controls: Gain Visibility and Record Change
Detective Controls: Gain Visibility and Record ChangeDetective Controls: Gain Visibility and Record Change
Detective Controls: Gain Visibility and Record Change
 
Serverless DevOps to the Rescue - SRV330 - re:Invent 2017
Serverless DevOps to the Rescue - SRV330 - re:Invent 2017Serverless DevOps to the Rescue - SRV330 - re:Invent 2017
Serverless DevOps to the Rescue - SRV330 - re:Invent 2017
 
Secure and Integrated - Using IAM with Amazon MSK | Mitchell Henderson, AWS
Secure and Integrated - Using IAM with Amazon MSK | Mitchell Henderson, AWSSecure and Integrated - Using IAM with Amazon MSK | Mitchell Henderson, AWS
Secure and Integrated - Using IAM with Amazon MSK | Mitchell Henderson, AWS
 
STG301_Deep Dive on Amazon S3 and Glacier Architecture
STG301_Deep Dive on Amazon S3 and Glacier ArchitectureSTG301_Deep Dive on Amazon S3 and Glacier Architecture
STG301_Deep Dive on Amazon S3 and Glacier Architecture
 
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS
 
Introduction to Serverless Computing and AWS Lambda - AWS IL Meetup
Introduction to Serverless Computing and AWS Lambda - AWS IL MeetupIntroduction to Serverless Computing and AWS Lambda - AWS IL Meetup
Introduction to Serverless Computing and AWS Lambda - AWS IL Meetup
 
AWS Lambda support for AWS X-Ray
AWS Lambda support for AWS X-RayAWS Lambda support for AWS X-Ray
AWS Lambda support for AWS X-Ray
 
Hands-on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3
Hands-on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3Hands-on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3
Hands-on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3
 
Serverless - State Of the Union
Serverless - State Of the UnionServerless - State Of the Union
Serverless - State Of the Union
 
Preparing for AWS Certification/ Advanced Security Training
Preparing for AWS Certification/ Advanced Security TrainingPreparing for AWS Certification/ Advanced Security Training
Preparing for AWS Certification/ Advanced Security Training
 
Microservices and Serverless for Mega Startups - DevOps IL Meetup
Microservices and Serverless for Mega Startups - DevOps IL MeetupMicroservices and Serverless for Mega Startups - DevOps IL Meetup
Microservices and Serverless for Mega Startups - DevOps IL Meetup
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWS
 
IAM Federation - Pop-up Loft TLV 2017
IAM Federation - Pop-up Loft TLV 2017IAM Federation - Pop-up Loft TLV 2017
IAM Federation - Pop-up Loft TLV 2017
 
Serverless Architectural Patterns
Serverless Architectural PatternsServerless Architectural Patterns
Serverless Architectural Patterns
 
SRV411 Deep Dive on Mobile Application Development with AWS
SRV411 Deep Dive on Mobile Application Development with AWSSRV411 Deep Dive on Mobile Application Development with AWS
SRV411 Deep Dive on Mobile Application Development with AWS
 
How to Achieve PCI DSS Compliance on AWS
How to Achieve PCI DSS Compliance on AWS How to Achieve PCI DSS Compliance on AWS
How to Achieve PCI DSS Compliance on AWS
 

Similar to Build on AWS: Building & Modernizing

Managing Your Application Lifecycle on AWS: Continuous Integration and Deploy...
Managing Your Application Lifecycle on AWS: Continuous Integration and Deploy...Managing Your Application Lifecycle on AWS: Continuous Integration and Deploy...
Managing Your Application Lifecycle on AWS: Continuous Integration and Deploy...Amazon Web Services
 
Continuous delivery and deployment on AWS
Continuous delivery and deployment on AWSContinuous delivery and deployment on AWS
Continuous delivery and deployment on AWSShiva Narayanaswamy
 
AWS re:Invent 2016: Running Microservices on Amazon ECS (CON309)
AWS re:Invent 2016: Running Microservices on Amazon ECS (CON309)AWS re:Invent 2016: Running Microservices on Amazon ECS (CON309)
AWS re:Invent 2016: Running Microservices on Amazon ECS (CON309)Amazon Web Services
 
HSBC and AWS Day - Microservices and Serverless
HSBC and AWS Day - Microservices and ServerlessHSBC and AWS Day - Microservices and Serverless
HSBC and AWS Day - Microservices and ServerlessAmazon Web Services
 
Running Microsoft Workloads on AWS | AWS Public Sector Summit 2016
Running Microsoft Workloads on AWS | AWS Public Sector Summit 2016Running Microsoft Workloads on AWS | AWS Public Sector Summit 2016
Running Microsoft Workloads on AWS | AWS Public Sector Summit 2016Amazon Web Services
 
AWS Summit Singapore - More Containers, Less Operations
AWS Summit Singapore - More Containers, Less OperationsAWS Summit Singapore - More Containers, Less Operations
AWS Summit Singapore - More Containers, Less OperationsAmazon Web Services
 
Introduction to DevOps and the AWS Code Services
Introduction to DevOps and the AWS Code ServicesIntroduction to DevOps and the AWS Code Services
Introduction to DevOps and the AWS Code ServicesAmazon Web Services
 
Microservices: Architecting for Innovation - Level 300
Microservices: Architecting for Innovation - Level 300Microservices: Architecting for Innovation - Level 300
Microservices: Architecting for Innovation - Level 300Amazon Web Services
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneAmazon Web Services
 
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017Amazon Web Services
 
AWS Summit Singapore Webinar Edition | More Containers, Less Operations & Mig...
AWS Summit Singapore Webinar Edition | More Containers, Less Operations & Mig...AWS Summit Singapore Webinar Edition | More Containers, Less Operations & Mig...
AWS Summit Singapore Webinar Edition | More Containers, Less Operations & Mig...Amazon Web Services
 
Getting Started With AWS Security
Getting Started With AWS SecurityGetting Started With AWS Security
Getting Started With AWS SecurityAmazon Web Services
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationAmazon Web Services
 
Pragmatic Container Security (Sponsored by Trend Micro) - AWS Summit Sydney
Pragmatic Container Security (Sponsored by Trend Micro) - AWS Summit SydneyPragmatic Container Security (Sponsored by Trend Micro) - AWS Summit Sydney
Pragmatic Container Security (Sponsored by Trend Micro) - AWS Summit SydneyAmazon Web Services
 
Breaking the Monolith Road to Containers
Breaking the Monolith Road to ContainersBreaking the Monolith Road to Containers
Breaking the Monolith Road to ContainersAmazon Web Services
 
DevOps on AWS - Accelerating Software Delivery
DevOps on AWS - Accelerating Software DeliveryDevOps on AWS - Accelerating Software Delivery
DevOps on AWS - Accelerating Software DeliveryAmazon Web Services
 
Build an App on AWS for Your First 10 Million Users
Build an App on AWS for Your First 10 Million UsersBuild an App on AWS for Your First 10 Million Users
Build an App on AWS for Your First 10 Million UsersAmazon Web Services
 
Continuous Integration and Deployment Best Practices on AWS
Continuous Integration and Deployment Best Practices on AWSContinuous Integration and Deployment Best Practices on AWS
Continuous Integration and Deployment Best Practices on AWSAmazon Web Services
 

Similar to Build on AWS: Building & Modernizing (20)

Managing Your Application Lifecycle on AWS: Continuous Integration and Deploy...
Managing Your Application Lifecycle on AWS: Continuous Integration and Deploy...Managing Your Application Lifecycle on AWS: Continuous Integration and Deploy...
Managing Your Application Lifecycle on AWS: Continuous Integration and Deploy...
 
Continuous delivery and deployment on AWS
Continuous delivery and deployment on AWSContinuous delivery and deployment on AWS
Continuous delivery and deployment on AWS
 
AWS re:Invent 2016: Running Microservices on Amazon ECS (CON309)
AWS re:Invent 2016: Running Microservices on Amazon ECS (CON309)AWS re:Invent 2016: Running Microservices on Amazon ECS (CON309)
AWS re:Invent 2016: Running Microservices on Amazon ECS (CON309)
 
HSBC and AWS Day - Microservices and Serverless
HSBC and AWS Day - Microservices and ServerlessHSBC and AWS Day - Microservices and Serverless
HSBC and AWS Day - Microservices and Serverless
 
Running Microsoft Workloads on AWS | AWS Public Sector Summit 2016
Running Microsoft Workloads on AWS | AWS Public Sector Summit 2016Running Microsoft Workloads on AWS | AWS Public Sector Summit 2016
Running Microsoft Workloads on AWS | AWS Public Sector Summit 2016
 
AWS Summit Singapore - More Containers, Less Operations
AWS Summit Singapore - More Containers, Less OperationsAWS Summit Singapore - More Containers, Less Operations
AWS Summit Singapore - More Containers, Less Operations
 
Introduction to DevOps and the AWS Code Services
Introduction to DevOps and the AWS Code ServicesIntroduction to DevOps and the AWS Code Services
Introduction to DevOps and the AWS Code Services
 
Microservices: Architecting for Innovation - Level 300
Microservices: Architecting for Innovation - Level 300Microservices: Architecting for Innovation - Level 300
Microservices: Architecting for Innovation - Level 300
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing Zone
 
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
 
Managing Your Cloud Assets
Managing Your Cloud AssetsManaging Your Cloud Assets
Managing Your Cloud Assets
 
AWS Summit Singapore Webinar Edition | More Containers, Less Operations & Mig...
AWS Summit Singapore Webinar Edition | More Containers, Less Operations & Mig...AWS Summit Singapore Webinar Edition | More Containers, Less Operations & Mig...
AWS Summit Singapore Webinar Edition | More Containers, Less Operations & Mig...
 
Getting Started With AWS Security
Getting Started With AWS SecurityGetting Started With AWS Security
Getting Started With AWS Security
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through Automation
 
Benefits of Cloud Computing
Benefits of Cloud ComputingBenefits of Cloud Computing
Benefits of Cloud Computing
 
Pragmatic Container Security (Sponsored by Trend Micro) - AWS Summit Sydney
Pragmatic Container Security (Sponsored by Trend Micro) - AWS Summit SydneyPragmatic Container Security (Sponsored by Trend Micro) - AWS Summit Sydney
Pragmatic Container Security (Sponsored by Trend Micro) - AWS Summit Sydney
 
Breaking the Monolith Road to Containers
Breaking the Monolith Road to ContainersBreaking the Monolith Road to Containers
Breaking the Monolith Road to Containers
 
DevOps on AWS - Accelerating Software Delivery
DevOps on AWS - Accelerating Software DeliveryDevOps on AWS - Accelerating Software Delivery
DevOps on AWS - Accelerating Software Delivery
 
Build an App on AWS for Your First 10 Million Users
Build an App on AWS for Your First 10 Million UsersBuild an App on AWS for Your First 10 Million Users
Build an App on AWS for Your First 10 Million Users
 
Continuous Integration and Deployment Best Practices on AWS
Continuous Integration and Deployment Best Practices on AWSContinuous Integration and Deployment Best Practices on AWS
Continuous Integration and Deployment Best Practices on AWS
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Build on AWS: Building & Modernizing

  • 1. Build on AWS: Building & Modernizing Danny Mak Partner Solutions Architect, APAC
  • 2. Be Agile: SaaS Reference Architecture Landscape
  • 3. Modernizing your applications • Go service oriented architecture (and to microservices and beyond!) • Modernize with containers! • Build with DevOps! • Offload security considerations!
  • 4. UI Shipping Service UIShipping UI Shipping Service Order UI User UI Order Service Service Order UI Order UI User UI Order ServiceOrder Service Service Service Service ServiceUser Service Scaling on monolithic vs SOA applications
  • 5. Characteristics of Service Oriented Architectures Do one thing wellIndependent Decentralized Black box Polyglot You build it, you run it
  • 6. Containers are Natural for SOA • Simple to model • Any app, any language • Image is the version • Test & deploy same artifact • Stateless servers decrease change risk
  • 7. Amazon ECS • Fully managed, elastic service – you don’t need to run anything, and the service scales as your microservices architecture grows • Shared state optimistic scheduling • Integration with Amazon CloudWatch for monitoring and logging • Integration with AWS DevOps services for continuous integration and delivery (CI/CD)
  • 8. Deploying Containers on ECS – Choose a Scheduler Batch Jobs (Monthly reporting, consolidated shipping) ECS task scheduler Run tasks once Batch jobs RunTask (random) StartTask (placed) Long-Running Apps (CRM web interface, content management module) ECS service scheduler Health management Scale-up and scale-down AZ aware Grouped containers
  • 9. Example Architecture on ECS Amazon ECR Amazon RDS Application Load Balancer ECS Cluster ECS Cluster IAM Amazon API Gateway* Amazon Route 53 Amazon CloudWatch
  • 10. Automatic Service Scaling Publish metrics Auto Scaling ECS service Availability Zone A Availability Zone B Order Module Add/Remove ECS tasks Order Module ReportingScaling Policies Amazon CloudWatch Amazon ECS Application Load Balancer
  • 11. Blue-Green Deployments TaskTask Route 53 record set with weighted routing policy 0% 100%
  • 12. Service Discovery with Route 53 and Application Load Balancers Application Load Balancer i-aaa i-bbb i-ccc i-aaa i-bbb i-ccc oAuth Target Group 8080 8081 Portal Target Group Reporting Target Group 8090 8001 8002 8080 Amazon Route 53 ECS Cluster PandaCRM.com PandaCRM.com PandaCRM.com/report PandaCRM.com/order
  • 14. The DevOps Stack Continuous Deployment Delivery Pipelines Deployment Automation Continuous Integration Automated Testing Configuration Management Agile Communication
  • 15. DevOps Practices • Infrastructure as code • Application and Infrastructure version management • Continuous Integration • Test Automation • Continuous Deployment • Monitoring and logging
  • 16. Release processes levels Source Build Test Production Continuous integration Continuous delivery Continuous deployment
  • 17. DevOps Stack on AWS 17 MonitorProvisionDeployTestBuildCode AWS Elastic Beanstalk CloudWatchCloudFormationCodeDeploy CodeCommit CodePipeline AWS Opsworks AWS Elastic Container Service CodeBuild
  • 18. Where do I go from here? • Collect Metrics. Graph anything that moves • Log everything, Centralize logging, Log Analytics • Infrastructure as Code • Automated configuration management • One click environment creation • CI-CD pipelines • Automated testing
  • 19. We have a strong partner list, and it’s growing Source Build Test Deploy *beta
  • 20. Continuous Deployment AWS CodeCommit AWS CodePipeline AWS CodeBuild Amazon ECR Amazon ECS instance Spot Instance AWS CloudFormation 1. Commit Code 2. Trigger Pipeline 3.Build Artifact 5.Update Stack 6. Update Service 4. Push Image
  • 22. Beyond the Front Door Injecting Tenant Context Security & Isolation Tenant Access Roles Tenant Provisioning
  • 23. First, We Need A Tenant New Tenant On-Boarding Tenant Identity Broker Identity Provider Tenant Management Billing • User: bob@test.com • TenantID: 491048735 • TenantID: 491048735 • Domain: abc.com • Tier: Platinum • Status: Active Domain Provisioning SSL Certificate IAM Policy
  • 24. Key Tenant Provisioning Considerations • Find a seamless model for binding tenant to identities • Consider fault tolerance for 3rd Party integrations • Need to factor in tenant lifecycle management • Allow for tenant level variation in identity policies • Let identity providers do the heavy lifting • Lean on automation and repeatability
  • 25. Identity & Isolation: Many Levels, One Goal Full Stack Isolation Web Tier App Tier Tenant 1 Web Tier App Tier Tenant 2 Resource-Level Isolation Tenant 1 Tenant 2 Tenant 1 Tenant 2 Tenant 1 Tenant 2 Application-Level Isolation Tenant1 Tenant2 Tenant1 Tenant2 Tenant1 Tenant3 Key
  • 26. IAM Policies Scope Tenant Access Web Tier App Tier Tenant1 Access Policy CustomerTable Tenant2 Access Policy T1-Bucket T2-Bucket
  • 27. Binding Policies to Tenants Web Application Tenant Identity Broker Identity Provider AWS cloud • Identity resolved to AWS Security Token Services (STS) • Acquire token with tenant-scoped access • Leverage a temporary token • No need for separate AWS identity
  • 28. Key Security & Isolation Considerations • Applying isolation may require a hybrid of AWS and application strategies • Avoid having separate IAM users for each tenant • Automate testing of isolation policies/strategy • Consider the scale, management, and automation impacts of managing access policies • Let IAM enforce your tenant level scoping
  • 29. Applying Tenant Context Tenant Access Control Homepage Access Control Catalog Service Access Control Cart Service TenantContext { UserID: “bob@abc.com” Role: “Admin”, TenantID: “93194942” } JWT Token Authorization: Bearer<JWT> Authorization: Bearer<JWT> Authorization: Bearer<JWT> Access Control Auth ServiceTenant Service
  • 30. SaaS Identity Flow Web Application Tenant Identity Broker Identity Provider Multi-Factor Authentication AWS cloud IAM Policy UserID: bob@abc.com TenantID: “93194942” Role: “Admin”
  • 31. SaaS Identity Considerations • SaaS identity is bigger than authentication • Use identity broker pattern to decouple from identity providers • Leave the heavy lifting, risk, and innovation to someone else • Automate role and policy provisioning/management • Add tenant context to identity token to limit bottlenecks
  • 32. Recap: Be Agile Elastic Container Services has modernize applications in SOA. With DevOps and offloading identity, AWS services provides the agility needed in the SaaS world.
  • 33. Takeaways • Modernize the app with SOA on ECS • DevOps with AWS Code* services for agility • Offload SaaS identity and focus on app innovation