Pre-launch Checklist for Going Production on AWS

Pre-Launch Checklist
What to do Before Going Production on AWS
Sami Zuhuruddin

Pre-Launch Checklist
01. Security
02. Accounts
03. Support
04. Cost
05. MFA
06. CloudTrail
07. IAM
08. Network
09. Tag
10. Automate

01. Security
• Gather internal feedback
– Compliance and regulatory requirements
– Data classification implications
• Involve security owners from the start
– Environment validation and testing

01. Security
Customer Data
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Client-side Data Encryption &
Data Integrity Authentication
Server-side Encryption
(File System and/or Data)
Foundation Services
Network Traffic Protection
(Encryption/Integrity/Identity)
Compute Storage Database Network
Availability
AWS Global
Zones
Infrastructure Regions
Edge Locations
Shared Security Model
Amazon Customer
Customers are
responsible for
their security IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

01. Security
• Understand Platform Capabilities
– MFA
– Encryption
– CloudHSM
– Network Controls
Amazon Redshift
AWS CloudHSM
AWS CloudHSM

02. Accounts
• Master Account – Email Alias
– what happens when joe.user@yourcompany.com leaves?
– make it something meaningful like
‘aws-dev-projectx@yourcompany.com’
– make sure relevant owners are in that alias
• i.e. department director, finance owner
– secure it with MFA
– this account is ‘root’
• don’t use it & don’t generate API credentials

02. Accounts
Consolidated Billing
• Receive a single bill for all
charges incurred across all
linked accounts
• Share RI discounts
• Combine tiering benefits
• Facilitates a company wide
strategy for accounts
• No resources under the
payer account
Account Payer Bill
1
Accounts Regular Bill
1-4
Account 3
Regular Bill
Account 2
Regular Bill
Account 4
Regular Bill
Share RI Discounts Combine Tiering

02. Accounts
• Invoicing
– Major convenience – no more credit cards
– make sure you setup AWS as a vendor BEFORE switching to
invoicing (hint hint - check with accounting first)
• Get in touch
– Your account manager and solution architect are here to help
– not a must if you’re self-sufficient, but if you’re planning on doing
something and want a second pair of eyes or understand best
practices, please get in touch

03. Support
Four Levels of support

03. Support
• Opt-In Model
– But that doesn’t mean you should go without it
• When should you add support?
– Development - not getting the expected results or simply want to
get help with a problem
– Production - extremely / highly recommended if you have a
service where people might complain if it’s down (most of us do)

03. Support
Infrastructure Audits
Saves money
Improves availability
Closes security gaps
Increases performance
Recent Performance
1,700,000+ recommendations
$300M+ in annualized savings
Trusted Advisor

04. Cost
• Model your costs
– http://calculator.s3.amazonaws.com/index.html
Share estimates via link
and revise as needed

04. Cost
• Billing Insight
– Invoices via email
– Billing Alerts
– Billing Reports
– Cost Allocation
Reports

04. Cost
• Reserved Instances
– Significant discount on the hourly rate
– Low, one-time upfront fee
– Available in one or three year reservations
– Implement as soon as usage can be trended
– Choose optimal reservation type based on
expected usage:
• Light: between 11% - 19%
• Medium: between 19% - 35%
• Heavy: running > 35% of the time
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

04. Cost
• Spot Market
– Bid on unused EC2 Capacity
– Great option for resumable workloads
– Checkpoint often (to S3 or external db)
– Test and then test again
– Instances can be taken back anytime
(when bid is exceeded)
– Savings over on-demand can be very
compelling

05. Multi-Factor Authentication
• Supplements user name and
password to require a one-time
code for authentication
• Two types: physical and virtual
• Enable for master account
• Also enable for all privileged
users … no reason not to

05. Multi-Factor Authentication
• Can be used for more
than just logging in:
– Protecting objects or
buckets in S3 from
accidental deletion
– Changing rules in a
Security Group
– Adding users in IAM
– Terminating a
CloudFormation stack
– Almost anything…
{
"Statement":[{
"Effect":"Deny",
"Action":["ec2:TerminateInstances"],
"Resource":["*"],
"Condition":{
"Null":{"aws:MultiFactorAuthAge":"true"}
}}]}

06. CloudTrail
• Records API calls in your account and
delivers a log file to your S3 bucket.
• Typically, delivers an event within 15
minutes of the API call.
• Log files are delivered approximately
every 5 minutes.
• Multiple partners offer integrated
solutions to analyze log files.
Image Source: Jeff Barr

06. CloudTrail
• Who made the API call?
• When was the API call made?
• What was the API call?
• What were the resources that
were acted up on in the API call?
• Where was the API call made
from?
Image Source: Jeff Barr
{
"eventVersion": "1.01",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAJDPLRKLG7UEXAMPLE",
"arn": "arn:aws:iam::123456789012:Alice",
"accountId": "123456789012"
},
"eventTime": "2014-07-08T17:36:04Z",
"eventSource": "signin.amazonaws.com",
"eventName": "ConsoleLogin",
"awsRegion": "us-east-1",
"sourceIPAddress": "10.0.0.1",
"userAgent": "AWS Console Access",
"requestParameters": null,
"responseElements": {
"ConsoleLogin": "Success"
},
"additionalEventData": {
"MobileVersion": "No",
"LoginTo":
"https://console.aws.amazon.com/sns",
"MFAUsed": "Yes"
},
"eventID": "example-even-tide-xamp-123456789012"
}

06. CloudTrail
Partner Solutions
…in addition to Amazon CloudWatch

07. IAM
• Grant Least Privilege Policies
– Use policy templates
– Avoid assigning *:* policy
– Easier to relax than to tighten up
– Less chance of people making mistakes
– Use conditions where feasible
– Test your policies in the Policy Simulator

07. IAM
• Use Roles for EC2 instances
– No more hard-coded credentials
– Automatic credential rotation
– Simply launch instance with role
– Rule of least privilege still applies
– Fully integrated with AWS SDKs

07. IAM
• SSO Federation
– Support SAML 2.0
– AWS Management Console login
– Pre-packaged samples:
• Windows Active Directory
• Shibboleth
– Enterprise controlled onboarding
and offboarding of AWS users
– Makes use of IAM roles
– Can be leveraged across several
AWS accounts

08. Network
• Planning is everything
– VPCs will represent data centers in
your environment
– Choose an RFC1918 scheme that
fits in your enterprise and can scale
across many VPCs
– Connectivity options:
• VPN
• AWS Direct Connect
• None (Bastion Host)
Internet

08. Network
Traffic Filtering – what does what?
Network ACLs Security Groups
• Applied to Subnets (1 per)
• Stateless inspection
• Create allow & deny rules
• Are processed in order
• Applied at the instance ENI
level (5 per)
• Stateful Inspection
• Create ‘allow’ rules
• Are evaluated as a whole
• Can reference other Security
Groups in the same VPC

08. Network
• VPC Peering
– Connect two VPCs in the
same Region
– Non-overlapping IP space
– Bridged by routing table
entries (both sides of peering
relationship)
– Offer & Accept model
– Can be used for ‘shared
services VPC’
10.1.0.0/16
10.0.0.0/16
Peer
Request
Peer
Accept

09. Tagging
• Tag Everything
– User-defined metadata
– 10 tags per resource
– Create tags relevant to you:
• Department
• Owner
• Cost Center
• Expiration Date
• Data Sensitivity

09. Tagging
Carried through to billing reports…
Cost Allocation
Report
– Monthly granularity
– Product, tag key aggregation
Detailed Billing
Report w/ Resources
and Tags
– Hourly granularity
– Grouped by resource
– Has tags
– Lots and lots of data!
What is my cost
by department? How do I do
charge-backs?

10. Automate
API Driven Infrastructure
Command Line Interface (CLI)
Windows Powershell and Python
on Linux
Software Development Kits
(SDK)
REST API
AWS Console (GUI)
API

10. Automate
Rich set of APIs for your programming platform or language
Android iOS Java nodeJS .NET PHP Python Ruby
and specialized cloud tools integrated in your development environment
Eclipse Visual Studio CLI Powershell

10. Automate
Higher-level services Do it yourself
Elastic Beanstalk OpsWorks CloudFormation EC2
Convenience Control

Pre-launch Checklist for Going Production on AWS

Pre-launch Checklist for Going Production on AWS

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Pre-launch Checklist for Going Production on AWS

Similar to Pre-launch Checklist for Going Production on AWS (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Pre-launch Checklist for Going Production on AWS

Editor's Notes