Post on 14-Apr-2017
AWS Account Best Practices
Steven Bryen
Manager, Solutions Architecture, AWS
@steven_bryen
sbryen@amazon.com
AGENDA
• Account Management & Billing
• Network Infrastructure & Connectivity
• Security & Compliance
• Optimising for Cost
• Managing & Auditing Access
ACCOUNT MANAGEMENT & BILLING
AWS ACCOUNTS
Accounts are the main billing entity for AWS resources.
They are also a security boundary between environments, applications and organisational units: a principal in one account has no access to another account's resources unless it is explicitly granted.
BILLING
Different billing options are available including invoicing
Consolidated billing: Let one account pick up the bill for multiple ‘sub accounts’
Set up billing alerts, AWS Budgets and automated bill reporting for better insight.
Utilise tagging for better cost allocation.
AWS Budgets & Cost Management Tools
Fully Centralized Model
Diagram: a single Master Account (aws.invoices@mycompany.com) owns everything.
• Centrally managed business and IT
• Centralised governance

Autonomous Model
Diagram: each division has its own Master Account (Division A: division.a.invoices@mycompany.com, Division B: division.b.invoices@mycompany.com) and its own bill.
• Autonomous business and IT functions (geographic, departmental, project)
• Independent business and IT governance

Single Master Hierarchical Model
Diagram: one Master Account (aws.invoices@mycompany.com) receives consolidated billing information from the Division A (division.a@mycompany.com) and Division B (division.b@mycompany.com) accounts beneath it.
• Central governance
• Devolved IT function

Multi-Master Hierarchical Model
Diagram: several Master Accounts, each receiving consolidated billing information from its own Division A and Division B accounts.
• Multiple autonomous governance bodies
• Multiple IT functions
Resource Tagging
Diagram: resources in the Division A and Division B accounts carry tags such as Proj=x, Proj=y and Proj=z; the Master Account's consolidated billing information can then be broken down by tag as well as by account.
Billing Alerts & Programmatic Access
Diagram: the Master Account's consolidated, tag-annotated billing data is exported as a CSV report to an S3 bucket, from where it can be consumed programmatically.
What can I share between Accounts?

EC2 AMIs (EC2 virtual machine templates)
Pre-configured, templated Amazon Machine Images can be used to package together the operating system, application code and configuration.

S3 Buckets
Amazon Simple Storage Service is organised into buckets. You control access to S3 buckets using bucket policies.
Bucket policies can also integrate with IAM to give access to all users in different accounts, or a subset of users.

EBS Snapshots (block file system snapshots)
As with a traditional SAN storage infrastructure, EBS volumes can be snapshotted and the snapshot shared with other accounts.
EBS volumes and snapshots support a wide range of file systems, e.g. NTFS, EXT2/3/4.

Share AMIs and snapshots with explicit account IDs rather than making them public, and remember that an encrypted snapshot is only usable by the other account if the KMS key is shared as well.
Sign up for AWS Accounts
• Sign up with a real, monitored email address (a shared mailbox or distribution list rather than one person's inbox)
• Create accounts with the same domain
• Populate the alternate contacts for billing, operations and security
• AWS accounts and Amazon retail accounts are linked, so do not sign up with a personal shopping login
• Leverage consolidated billing to simplify payments and make use of volume discounts
• Move to invoicing payment
• Enable support
• Enable billing alerts
VPCs
A VPC is a private, isolated section of the AWS cloud where YOU define the networking within it. A VPC spans all AZs in a region.
VPC Peering allows you to peer multiple VPCs across AWS accounts within a single region.
Diagram: VPC components: Route Table, Elastic Network Interface, Amazon VPC Router, Internet Gateway, Subnet, Virtual Private Gateway, VPN Connection and Customer Gateway.
Connectivity Options
Direct Connect is a physical connection to AWS public services and/or your Amazon VPC, providing dedicated bandwidth between your site and AWS.
Configure redundant, secure VPN connections between your VPC and your site.
Alternatively you can connect directly to your VPC over the internet using an encrypted channel (SSH, RDP etc.); restrict the permitted source addresses with security groups rather than exposing those ports to 0.0.0.0/0.
Basic VPC
Diagram: VPC 10.1.0.0/16 with one subnet per Availability Zone: Subnet 10.1.1.0/24 in Availability Zone A and Subnet 10.1.2.0/24 in Availability Zone B.
Private & Public Subnets
Diagram: VPC 10.1.0.0/16 with Public Subnets (10.1.1.0/24, 10.1.2.0/24) and Private Subnets (10.1.3.0/24, 10.1.4.0/24) spread across Availability Zones A and B.
Segregate Environments into VPCs
Diagram: three separate VPCs, each with public and private subnets across two Availability Zones: Test/Dev (10.0.0.0/16), Staging (10.1.0.0/16) and Production (10.2.0.0/16).
Shared Services Model
Diagram: within 10.0.0.0/16, a Shared Services VPC (10.0.0.0/18) is VPC-peered with an Application A VPC (10.0.64.0/20) and an Application B VPC (10.0.80.0/20); each VPC has public and private subnets across two Availability Zones. The three ranges do not overlap, which is what makes the peering possible.
Putting it all together
Diagram: a Master Account (aws.invoices@mycompany.com) holds the consolidated billing information for a Production Account and a Dev/Test Account. Each of those accounts contains the shared-services layout above: a Shared Services VPC (10.0.0.0/18) peered with Application A (10.0.64.0/20) and Application B (10.0.80.0/20) VPCs, each with public and private subnets across two Availability Zones.
Consider using CloudFormation to manage VPCs (fragment of a template's Resources section; Zones and SubnetConfig are Mappings defined elsewhere in the same template):

"Public2Subnet" : {
  "Type" : "AWS::EC2::Subnet",
  "Properties" : {
    "VpcId" : { "Ref" : "VPC" },
    "AvailabilityZone" : { "Fn::FindInMap" : [ "Zones", { "Ref" : "AWS::Region" }, "2" ] },
    "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Public2", "CIDR" ] },
    "Tags" : [
      { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
      { "Key" : "Name", "Value" : "Public2Subnet" }
    ]
  }
},
"Private1Subnet" : {
  "Type" : "AWS::EC2::Subnet",
  "Properties" : {
    "VpcId" : { "Ref" : "VPC" },
    "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Private1", "CIDR" ] },
    "AvailabilityZone" : { "Fn::FindInMap" : [ "Zones", { "Ref" : "AWS::Region" }, "1" ] },
    "Tags" : [
      { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
      { "Key" : "Name", "Value" : "Private1Subnet" }
    ]
  }
},
Template your Environments
• Version control your datacenter with CloudFormation!
• One-click deployments
• Reproduce anywhere in the globe in minutes
• Segregation of duties between infrastructure and application owners
Plan your VPC IP space before creating it
• Consider future AWS region expansion
• Consider how data will need to flow between VPCs
• Consider future connectivity to corporate networks
• A VPC CIDR can be anything from /16 down to /28
• The primary CIDR cannot be modified once the VPC is created
• Overlapping IP spaces = future headache: overlapping VPCs cannot be peered, and an on-premises range that collides with a VPC cannot be routed over a VPN without address translation
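The planning checks above, as an added example that is not part of the original deck. It uses only the Python standard library; the environment CIDRs (10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16) and the shared-services layout (10.0.0.0/18, 10.0.64.0/20, 10.0.80.0/20) are the ones from the slides, while the corporate range 10.1.0.0/24 and the tier/AZ naming are constructed for illustration.

```python
"""VPC address planning with the standard library (added example, not from the deck).

Environment and shared-services CIDRs are taken from the slides; the
corporate range 10.1.0.0/24 and the tier/AZ names are constructed.
"""
import ipaddress
from itertools import combinations

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # AWS accepts a VPC CIDR between /16 and /28


def is_valid_vpc_cidr(cidr: str) -> bool:
    """True only for a network address (no host bits set) between /16 and /28."""
    try:
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError:
        return False
    return VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX


def carve_subnets(vpc_cidr: str, tiers: list, azs: list, prefix: int = 24) -> dict:
    """Hand out one subnet per (tier, AZ) from the front of the VPC block.

    Everything after the last handed-out block stays free for tiers that do
    not exist yet, which is why the VPC should be sized generously up front.
    """
    if not is_valid_vpc_cidr(vpc_cidr):
        raise ValueError(f"{vpc_cidr} is not a valid VPC CIDR")
    blocks = ipaddress.IPv4Network(vpc_cidr).subnets(new_prefix=prefix)
    return {f"{tier}-{az}": str(next(blocks)) for tier in tiers for az in azs}


def find_overlaps(named_cidrs: dict) -> list:
    """Every pair of networks that overlap, as sorted (name, name) tuples.

    Overlapping VPCs cannot be peered, and an on-premises range that overlaps
    a VPC cannot be routed over a VPN or Direct Connect without translation.
    """
    nets = {name: ipaddress.IPv4Network(c) for name, c in named_cidrs.items()}
    return sorted(
        (a, b)
        for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
        if na.overlaps(nb)
    )


if __name__ == "__main__":
    environments = {"test-dev": "10.0.0.0/16", "staging": "10.1.0.0/16", "production": "10.2.0.0/16"}
    print("environment overlaps:", find_overlaps(environments))     # []
    shared = {"shared-services": "10.0.0.0/18", "app-a": "10.0.64.0/20", "app-b": "10.0.80.0/20"}
    print("shared-services overlaps:", find_overlaps(shared))      # []
    # The headache: a corporate range that collides with Staging the day a VPN is added
    print("with corporate DC:", find_overlaps({**environments, "corp-dc": "10.1.0.0/24"}))
    for name, cidr in carve_subnets("10.1.0.0/16", ["public", "private"], ["a", "b"]).items():
        print(f"  {name:<10} {cidr}")
```

Run the overlap check against every range you expect to connect to, including corporate networks and partner VPCs, before the VPC is created; the primary CIDR is the one thing in the design you cannot change afterwards.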
SECURITY & COMPLIANCE
Shared Responsibility Model
Amazon is responsible for security OF the cloud:
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Availability Zones, Regions, Edge Locations
You are responsible for security IN the cloud:
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption/Integrity/Identity)
Security Tools & Techniques

Security Groups
Granular network filtering: "This instance can only receive HTTP traffic on port 80"
• Applied to the instance's ENI (up to 5 per ENI)
• Stateful
• Allow only (whitelist)
• Rules evaluated as a whole
• SGs can reference other SGs in the same VPC

S3 Bucket Policies
Control access to S3 buckets: "Allow read access to all, but put access only from a restricted list of IP addresses"
• Bucket policies can also integrate with IAM to give access to all users in different accounts, or a subset of users

Network ACLs
Enforcing a baseline security policy: "No TFTP, NetBIOS or SMTP shall egress this subnet"
• Applied to subnets (1 per subnet)
• Stateless
• Allow & Deny (blacklist)
• Rules processed in order (lowest rule number first, first match wins)
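The difference between the two evaluation models matters in practice, so here is an added example (not from the deck) that models both: a security group as an allow-only list evaluated as a whole, and a network ACL as an ordered allow/deny list, first match wins, with no connection tracking. The rule sets and test addresses are constructed; the two NACL variants carry the same rules in different order to show why the rule number matters.

```python
"""Security group vs network ACL evaluation (added example, not from the deck).

A security group is allow-only, evaluated as a whole and stateful. A network
ACL is an ordered list of allow and deny rules, evaluated lowest rule number
first, first match wins, and stateless. Rule sets below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"; security groups only ever have "allow"
    protocol: str          # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str
    number: int = 0        # network ACL rule number; ignored for security groups


def _matches(rule: Rule, protocol: str, port: int, ip: str) -> bool:
    proto_ok = rule.protocol in ("all", protocol)
    port_ok = rule.protocol in ("all", "icmp") or rule.port_from <= port <= rule.port_to
    ip_ok = ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)
    return proto_ok and port_ok and ip_ok


def security_group_allows(rules, protocol: str, port: int, ip: str) -> bool:
    """Allowed if ANY rule matches. Order is irrelevant and there is no deny;
    being stateful, the reply to a permitted flow needs no rule of its own."""
    return any(_matches(r, protocol, port, ip) for r in rules if r.action == "allow")


def nacl_allows(rules, protocol: str, port: int, ip: str) -> bool:
    """Walk rules by ascending number; the first match decides. Nothing matching
    falls through to the implicit '*' deny that ends every network ACL."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, ip):
            return rule.action == "allow"
    return False


# "This instance can only receive HTTP traffic on port 80"
WEB_SG = [Rule("allow", "tcp", 80, 80, "0.0.0.0/0")]

# "No TFTP, NetBIOS or SMTP shall egress this subnet" as an outbound network ACL
EGRESS_NACL = [
    Rule("deny", "udp", 69, 69, "0.0.0.0/0", number=100),       # TFTP
    Rule("deny", "tcp", 137, 139, "0.0.0.0/0", number=110),     # NetBIOS
    Rule("deny", "udp", 137, 139, "0.0.0.0/0", number=111),
    Rule("deny", "tcp", 25, 25, "0.0.0.0/0", number=120),       # SMTP
    Rule("allow", "all", 0, 65535, "0.0.0.0/0", number=200),    # everything else
]

# Inbound network ACLs with the same SSH rules in opposite order. Rule 200 in the
# first one is the ephemeral-port rule a stateless ACL needs for return traffic.
SSH_FROM_CORP_FIRST = [
    Rule("allow", "tcp", 22, 22, "10.0.0.0/8", number=90),
    Rule("deny", "tcp", 22, 22, "0.0.0.0/0", number=100),
    Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0", number=200),
]
DENY_SSH_FIRST = [
    Rule("deny", "tcp", 22, 22, "0.0.0.0/0", number=90),
    Rule("allow", "tcp", 22, 22, "10.0.0.0/8", number=100),     # never reached
]

if __name__ == "__main__":
    print("SG  http from internet :", security_group_allows(WEB_SG, "tcp", 80, "198.51.100.7"))
    print("SG  ssh  from internet :", security_group_allows(WEB_SG, "tcp", 22, "198.51.100.7"))
    print("ACL tftp egress        :", nacl_allows(EGRESS_NACL, "udp", 69, "198.51.100.7"))
    print("ACL https egress       :", nacl_allows(EGRESS_NACL, "tcp", 443, "198.51.100.7"))
    print("ACL ssh from corp (90) :", nacl_allows(SSH_FROM_CORP_FIRST, "tcp", 22, "10.20.30.40"))
    print("ACL ssh from corp (100):", nacl_allows(DENY_SSH_FIRST, "tcp", 22, "10.20.30.40"))
```

The last two lines are the point of "rules processed in order": identical rules, opposite outcome. The ephemeral-port rule is the cost of "stateless": without it, the replies to connections the instance itself opens are dropped on the way back in, which is why the deck recommends keeping ACLs sparse and doing fine-grained filtering in security groups.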
Security Tools & Techniques cont.

AWS Config
Notification on changes to resources: "Tell me when changes are made to my AWS resources"
• Integration with 3rd party tools
• Notification via SNS
• Config Rules allow you to take action based on rules, e.g. if instances are not tagged with an 'owner', notify me

Amazon Inspector
Automated security assessment: "Can I assess my application in AWS for known vulnerabilities or best practices?"
• Pre-built assessments for known compliance programmes
• Agent based, API driven and delivered as a service
• Enforce security standards for your AWS applications

AWS CloudTrail
Auditing of AWS account usage: "Who did what in my account at a specific time?"
• Captures logs of all AWS API invocations
• Logs are delivered to S3 and, optionally, to CloudWatch Logs
• Integration with 3rd party tools
Security Best Practices
• Use network ACLs sparingly and keep them simple
• Utilise security groups for fine-grained control
• Utilise security groups to manage access to instances that have similar functions and security requirements
• Read: http://media.amazonwebservices.com/AWS_Security_Best_Practices.
• Follow the CIS AWS Foundations Benchmark
OPTIMISING FOR COST
Many pricing options are available:
• Free Tier: get started on AWS with free usage and no commitment. For POCs and getting started.
• On-Demand: pay for compute capacity by the hour with no long-term commitments. For spiky workloads, or to define needs.
• Reserved: make a low, one-time payment and receive a significant discount on the hourly charge. For committed utilisation.
• Spot: bid for unused capacity, charged at a Spot Price which fluctuates based on supply and demand. For time-insensitive or transient workloads.
• Dedicated: launch instances within Amazon VPC that run on hardware dedicated to a single customer. For highly sensitive or compliance-related workloads.
Run the right instances at the right time
• Stop or terminate instances when they're not required
• Utilise CloudFormation to tear down and recreate whole environments on demand
• Use CloudWatch to monitor instance load and scale vertically and/or horizontally to maximise instance utilisation
• Utilise Reserved Instances to lower TCO
MANAGING & AUDITING ACCESS
Identity & Access Management
Diagram: within an account, users (Bob, Jim, Brad, Mark, Susan) are placed in IAM Groups such as Administrators and Developers, while applications (Tomcat, Reporting, Console) use IAM Roles; IAM Policies are attached to the groups and roles rather than to individuals.
Policy Driven
• Declarative definition of rights for groups
• Policies control access to AWS APIs

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:*",
        "ec2:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "cloudwatch:*",
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
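To make the evaluation rules behind these policies concrete, here is an added example, not from the deck: a minimal evaluator implementing implicit deny, Allow, and the explicit Deny that wins over any Allow, with "*" wildcards and the aws:SourceIp condition key. It runs the deck's policy above against a constructed guardrail Deny (the "even the superuser group should have some explicit denies" advice from the next slide) and also the bucket policy described in the Security section, "allow read to all, put only from a restricted list of IP addresses". Principal is not checked, only this one condition key is modelled, and the bucket name, account ID and IP ranges are constructed.

```python
"""Minimal IAM policy evaluator (added example, not from the deck).

Decision rules: denied by default; any matching Allow grants; an explicit
Deny in any policy wins over every Allow. Action/Resource accept the '*'
and '?' wildcards. Only the aws:SourceIp condition key is modelled and
Principal is ignored. ADMIN_POLICY is the deck's policy; GUARDRAIL_POLICY,
BUCKET_POLICY, the bucket name, account ID and IP ranges are constructed.
"""
import fnmatch
import ipaddress

ALLOW, DENY = "Allow", "Deny"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_match(patterns, action: str) -> bool:
    # IAM action names are case-insensitive
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_match(patterns, resource: str) -> bool:
    # ARNs are matched as written
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Only IpAddress / NotIpAddress on aws:SourceIp are understood. Any other
    key or operator makes the statement not apply; a real evaluator has to
    model every key it meets, or a Deny could silently be skipped."""
    for operator, pairs in condition.items():
        for key, cidrs in pairs.items():
            if key != "aws:SourceIp" or operator not in ("IpAddress", "NotIpAddress"):
                return False
            if "aws:SourceIp" not in ctx:
                return False
            ip = ipaddress.ip_address(ctx["aws:SourceIp"])
            in_range = any(ip in ipaddress.ip_network(c) for c in _as_list(cidrs))
            if in_range != (operator == "IpAddress"):
                return False
    return True


def evaluate(policies, action: str, resource: str, ctx: dict = None) -> str:
    ctx = ctx or {}
    decision = DENY                          # implicit deny until an Allow matches
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_match(stmt["Action"], action):
                continue
            if not _resource_match(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == DENY:
                return DENY                  # explicit deny: nothing can override it
            decision = ALLOW
    return decision


# The deck's policy: broad allows on Resource "*"
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                              "autoscaling:*", "cloudwatch:*", "s3:*"]}],
}

# Constructed guardrail: keep the audit-log bucket out of reach of the people it audits
LOG_BUCKET = "arn:aws:s3:::cloudtrail-logs-111122223333"
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny",
                   "Action": ["s3:DeleteBucket", "s3:PutBucketPolicy", "s3:DeleteObject"],
                   "Resource": [LOG_BUCKET, LOG_BUCKET + "/*"]}],
}

# Constructed bucket policy: anyone may read, puts only from the office range
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
    ],
}
```

Two things the deck's policy alone does not show: "s3:*" on "*" lets any member of the group delete the bucket that holds the evidence of what they did, and a single Deny statement fixes that no matter how many Allow policies are attached, because the evaluator stops at the first matching Deny.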
Audit User Actions
AWS CloudTrail is a web service that records AWS API calls
for your account and delivers log files to you.
With CloudTrail, you can get a history of AWS API calls for
your account, including API calls made via:
• AWS Management Console
• AWS SDKs
• Command line tools
• Higher-level AWS services (such as CloudFormation).
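Turning the delivered log files into the "who did what, when" answer from the Security section, and into alerts, as an added example that is not part of the deck. CloudTrail delivers gzipped JSON files to S3, each holding a {"Records": [...]} envelope; the records below are constructed to match that shape (account ID, user names and IP addresses are documentation values). The flagging rules are the kind the CIS AWS Foundations Benchmark asks you to alert on: root account use, console sign-in without MFA, changes to CloudTrail itself, and unauthorised API calls.

```python
"""Who did what, when, from CloudTrail records (added example, not from the deck).

SAMPLE_DELIVERY is a constructed {"Records": [...]} envelope in the shape
CloudTrail writes to S3 (after gunzip). Account ID 111122223333 and the
addresses are documentation values; "bob" is the user from the IAM slide.
"""
import json
from typing import Iterable

SAMPLE_DELIVERY = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2017-04-14T09:02:11Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.05", "eventTime": "2017-04-14T09:05:40Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventVersion": "1.05", "eventTime": "2017-04-14T11:47:03Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"name": "main-trail"}},
    {"eventVersion": "1.05", "eventTime": "2017-04-14T12:30:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.1.4.25",
     "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:assumed-role/tomcat-role/i-0abc123"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:CreateUser"},
]})


def load_records(delivery_json: str) -> list:
    return json.loads(delivery_json)["Records"]


def actor(record: dict) -> str:
    """Human-readable principal: IAM user name, otherwise the ARN, or 'root'."""
    ident = record["userIdentity"]
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def who_did_what(records: Iterable[dict]) -> list:
    """(time, actor, service:event, source IP, outcome) sorted by time."""
    rows = []
    for r in records:
        service = r["eventSource"].split(".")[0]
        outcome = r.get("errorCode", "Success")
        rows.append((r["eventTime"], actor(r), f"{service}:{r['eventName']}",
                     r["sourceIPAddress"], outcome))
    return sorted(rows)


TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def flag(records: Iterable[dict]) -> list:
    """(eventTime, reason) for records a security team would want paged on."""
    findings = []
    for r in records:
        t, name = r["eventTime"], r["eventName"]
        if r["userIdentity"].get("type") == "Root":
            findings.append((t, "root account used"))
        if (name == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append((t, f"console login without MFA by {actor(r)}"))
        if r["eventSource"] == "cloudtrail.amazonaws.com" and name in TRAIL_CHANGES:
            findings.append((t, f"CloudTrail configuration changed: {name}"))
        if r.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            findings.append((t, f"unauthorised call {name} by {actor(r)}"))
    return sorted(findings)


if __name__ == "__main__":
    records = load_records(SAMPLE_DELIVERY)
    for row in who_did_what(records):
        print(*row)
    for when, reason in flag(records):
        print("ALERT", when, reason)
```

In production the same logic runs over the objects CloudTrail drops into the S3 bucket (or as CloudWatch Logs metric filters); the StopLogging record is why the IAM example's guardrail protects the log bucket, since an attacker who can stop the trail or delete its bucket removes exactly the evidence this script reads.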
Control access through fine-grained policies
• Use multi-factor authentication for console access
• Use groups to define access levels and assign IAM policies to groups, not to individual users
• Even the superuser group should have some explicit denies
• Utilise IAM roles so that no long-lived API credentials are placed onto EC2 instances
• Utilise tagging to define fine-grained control over resources
• Consider federating IAM with Active Directory to simplify user management
Thank You
awsloft.london
closing.party && startup.showcase
28 April :: 18:00 >> 22:00