View
811
Download
0
Category
Preview:
Citation preview
1© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
DublinAviva Stadium | Thursday, June 9 2016
Technical EssentialsGeorge Whiffen & Ryan Little
2© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Module Layout
Ø Module 1: AWS Introduction and History
Ø Module 2: AWS Infrastructure : Compute (EC2), Storage (S3, EBS), Networking (VPC)
Ø Module 3: Security, Identity, and Access Management: IAM
Ø Module 4: Databases: Amazon DynamoDB and Amazon RDS
Ø Module 5: AWS Elasticity and Management Tools: Auto Scaling, Elastic Load Balancing, Amazon CloudWatch, and AWS Trusted Advisor
3© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Module 1AWS Introduction and History
4© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon History
1994: Jeff Bezos Incorporated the
Company
1995: Amazon.com
Launched Online
Bookstore
2005: Amazon
Publishing Launched
2006: Amazon
Web Services (AWS)
Launched
2007: Kindle
Launched
2011: Amazon Fresh
Launched
2012: Amazon Game Studios
Launched
2013: Amazon
Art Launched
2014: Amazon Prime Now
Launched
2015: Amazon Home
Services & Amazon
Echo Launched
5© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Web Services (AWS)
ComputeMessaging
Mobile
App ServicesDatabaseNetworking
Development and Management Tools
Payments
VPCOn-Demand Workforce
Analytics Content Delivery
StorageEnable businesses and developers to use web services to build scalable, sophisticated applications.
6© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Six Advantages & Benefits of AWS Cloud Computing
Trade capital expense for variable expense.
Benefit from massive economies of scale.
Stop guessing capacity.
Go global in minutes.
Increase speed and agility.
Stop spending money on running and maintaining data centers.
7© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Core Infrastructure and Services
AWS Technical Essentials 3.8 ILT
Security
Network
Security
Network
Security Groups NACLs Access Mgmt
VPCVPCEC2 “Classic”
“Public”
ELBOn-DemandProvision
Traditional Infrastructure Amazon Web Services
ServersAMI Amazon EC2 InstancesOn-Premises Servers
SecuritySecurity Groups NACLs AWS IAMFirewalls ACLs Administrators
NetworkingVPCELBRouter Network Pipeline Switch
Storageand
DatabaseRDBMSDAS SAN NAS Amazon
EBSAmazon
EFSAmazon
S3Amazon
RDS
8© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. Infrastructure Regions Edge LocationsAvailability Zones
FoundationServices
Compute(Virtual, Auto-scaling and Load Balancing)
Networking
Applications Virtual Desktops
Collaboration and Sharing
PlatformServices
Caching
Relational
No SQL
Cluster Computing
Real-time
Data Workflows
Data Warehouse
Queuing
Orchestration
App Streaming
Transcoding
Search
Containers
Dev/ops Tools
Resource Templates
Usage Tracking
Monitoring and Logs
Identity
Sync
Mobile Analytics
Notifications
AWS Cloud Computing
Databases Analytics App Services Deployment and Management
Mobile Services
Storage(Object, Block and Archive)
9© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Compute Network Storage Security & Identity Applications
AWS Foundation Services
Amazon EC2
AWS Lambda
Amazon EC2 Container Service
AWS Elastic Beanstalk
Elastic Load Balancing
Amazon VPC
AWS Direct
Connect
Amazon Route 53 Amazon S3
AmazonCloudFront
Amazon Elastic File
System
Amazon Glacier
AWS Storage Gateway
AWS Import/Export
Snowball
AWS Identity andAccess Management
AWS Directory Service
AWS Cloud HSM
AWS KMS
AWS WAF
Amazon WorkDocs
Amazon WorkSpaces
Auto Scaling
Amazon WorkMail
10© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Global Infrastructure
RegionsGeographic locationsConsists of at least two Availability Zones(AZs)
Availability ZonesClusters of data centersIsolated from failures in other Availability Zones
11© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Global Infrastructure
12© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Achieving High Availability Using Multi-AZ
Availability Zone - A
Availability Zone - B
Availability Zone - C
Region
13© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Global Infrastructure
50+ AWS Edge Locations:Local points-of-presence commonly supporting AWS services like:Ø Amazon Route 53Ø Amazon CloudFront
14© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Management Console Demonstration
15© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Knowledge Check
Q: What is the AWS term for physically distinct groups of data centers within a region?
True or False: There are more regions than Edge locations.
True or False: AWS owns and maintains the infrastructure required for application services and you provision and use them as needed.
Q: How do AZs in the same region differ?
Availability Zone (AZ).
False.
True.
Each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links.
16© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Module 2AWS Infrastructure
17© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Elastic Compute Cloud (EC2)
18© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Elastic Compute Cloud (EC2)
Resizable compute capacityComplete control of your computing resourcesReduces the time required to obtain and boot new server instances to minutesAmazon
EC2
19© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EC2 Facts
Scale capacity as your computing requirements changePay only for capacity that you actually useChoose Linux or WindowsDeploy across AWS Regions and Availability Zones for reliability
20© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Launching an Amazon EC2 Instance via the Web Console1. Determine the AWS Region in which you want to launch the
Amazon EC2 instance.2. Launch an Amazon EC2 instance from a pre-configured
Amazon Machine Image (AMI). 3. Choose an instance type based on CPU, memory, storage,
and network requirements.4. Configure network, IP address, security groups, storage
volume, tags, and key pair.
21© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AMI Details
An AMI includes the following:A template for the root volume for the instance (for example, an operating system, an application server, and applications).Launch permissions that control which AWS accounts can use the AMI to launch instances.A block device mapping that specifies the volumes to attach to the instance when it's launched.
22© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Instances and AMIs
Select an AMI based on:RegionOperating systemArchitecture (32-bit or 64-bit)Launch permissionsStorage for the root device
AMI
Instances
Instance
Launch instances of any
type
Host computer
Host computer
23© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EC2 Instances
OS, Applications, & Configuration
AMI
Running or Stopped VM
Instances
AZ
VPC
Region
EBS
S3
EBS Snapshots S3 Buckets
EBS EBS EBS EBS EBS
AZ
Instances Instances
24© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS vs. Amazon EC2 Instance Store
Amazon EBSØ Data stored on an Amazon EBS volume can persist
independently of the life of the instance.Ø Storage is persistent.
Amazon EC2 Instance StoreØ Data stored on a local instance store persists only as long as the
instance is alive.Ø Storage is ephemeral.
25© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Marketplace – IT Software Optimized for the CloudAWS Marketplace:
Is an online store to discover, purchase, and deploy IT software on top of the AWS infrastructure.
Ø Catalog of 2300+ IT software solutions• Including Paid, BYOL, Open Source, SaaS, & free to try options
Ø Pre-configured to operate on AWS• Software checked by AWS for security and operability
Ø Deploys to AWS environment in minutesØ Flexible, usage-based billing modelsØ Software charges billed to AWS account
Includes AWS Test Drive.https://aws.amazon.com/marketplace
26© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Choosing the Right Amazon EC2 Instance
EC2 instance types are optimized for different use cases and come in multiple sizes. This allows you to optimally scale resources to your workload requirements.AWS uses Intel® Xeon® processors for EC2 instances, providing customers with high performance and value.Consider the following when choosing your instances: Core count, memory size, storage size and type, network performance, and CPU technologies.Hurry Up and Go Idle - A larger compute instance can save you time and money, therefore paying more per hour for a shorter amount of time can be less expensive.
27© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Intel® Processor Technologies
Intel® AVX – Get dramatically better performance for highly parallel HPC workloads such as life science engineering, data mining, financial analysis, or other technical computing applications. AVX also enhances image, video, and audio processing.Intel® AES-NI – Enhance your security with these new encryption instructions that reduce the performance penalty associated with encrypting/decrypting data. Intel® Turbo Boost Technology – Get more computing power when you need it with performance that adapts to spikes in your workload with Intel® Turbo Boost Technology 2.0
28© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Current Generation Instances
Instance Family Some Use Cases
General purpose (t2, m4, m3) • Low-traffic websites and web applications• Small databases and mid-size databases
Compute optimized (c4, c3) • High performance front-end fleets• Video-encoding
Memory optimized (r3) • High performance databases• Distributed memory caches
Storage optimized (i2, d2) • Data warehousing• Log or data-processing applications
GPU instances (g2) • 3D application streaming• Machine learning
29© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Instance Metadata & User Data
Instance Metadata:Is data about your instance.Can be used to configure or manage a running instance.
Instance User Data:Can be passed to the instance at launch.Can be used to perform common automated configuration tasks.Runs scripts after the instance starts.
30© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EC2 Purchasing Options
On-Demand Instances
Pay by the hour.
Reserved Instances
Purchase at significant discount.
Instances are always available.
1-year to 3-year terms.
Scheduled Instances
Purchase a 1-year RI for a
recurring period of time.
Spot Instances
Highest bidder uses instance at a
significant discount.
Spot blocks supported.
Dedicated Hosts
Physical host is fully dedicated to
run your instances. Bring your per-socket, per-core, or per-
VM software licenses to reduce
cost.
31© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Storage Services
Amazon S3 and Amazon EBS
32© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Simple Storage Service (S3)
Amazon S3
Storage for the Internet Natively online, HTTP accessStore and retrieve any amount of data, any time, from anywhere on the webHighly scalable, reliable, fast and durable
33© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3 Facts
Able to store an unlimited number of objects in a bucketObjects up to 5 TB; no bucket size limitDesigned for 99.999999999% durability and 99.99% availability of objects over a given year HTTP/S endpoint to store and retrieve any amount of data, at any time, from anywhere on the webHighly scalable, reliable, fast, and inexpensiveOptional server-side encryption using AWS or customer-managed provided client-side encryption Access logs for auditingProvides standards-based REST and SOAP interfaces
34© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Common Use Scenarios
Storage and Backup Application File HostingMedia HostingSoftware DeliveryStore AMIs and Snapshots
35© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3 Pricing
Pay only for what you useNo minimum feePrices based on location of your Amazon S3 bucketEstimate monthly bill using the AWS Simple Monthly CalculatorPricing is available as:Ø Storage PricingØ Request PricingØ Data Transfer Pricing: data transferred out of Amazon S3
36© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3 Concepts
Amazon S3 stores data as objects within bucketsAn object is composed of a file and optionally any metadata that describes that fileYou can have up to 100 buckets in each accountYou can control access to the bucket and its objects
Amazon S3
Bucket with
Objects
Bucket
Object
37© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Object Keys
An object key is the unique identifier for an object in a bucket.
http://doc.s3.amazonaws.com/2006-03-01/AmazonS3.html
Bucket Object/Key
38© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3 Security
You can control access to buckets and objects with:Ø Access Control Lists (ACLs)Ø Bucket policiesØ Identity and Access Management (IAM) policies
You can upload or download data to Amazon S3 via SSL encrypted endpoints. You can encrypt data using AWS SDKs.
39© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3 Versioning
Protects from accidental overwrites and deletes with no performance penalty.Generates a new version with every upload.Allows easily retrieval of deleted objects or roll back to previous versions.Three states of an Amazon S3 bucketØ Un-versioned (default)Ø Versioning-enabledØ Versioning-suspended
Versioning Enabled
Key: photo.gifID: 121212Key: photo.gifID: 111111
40© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3 Storage Classes
Storage Class Durability Availability Other ConsiderationsAmazon S3 Standard
99.999999999% 99.99% None
Amazon S3 Standard -InfrequentAccess (IA)
99.999999999% 99.99% • Retrieval fee associated with objects
• Most suitable for infrequently accessed data
Glacier 99.999999999% 99.99% (after you restore objects)
• Not available for real-time access
• Must restore objects before you can access them
41© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3 Object Lifecycle
Lifecycle management defines how Amazon S3 manages objects during their lifetime. Some objects that you store in an Amazon S3 bucket might have a well-defined lifecycle:
Log filesArchive documentsDigital media archivesFinancial and healthcare recordsRaw genomics sequence dataLong-term database backupsData that must be retained for regulatory compliance
42© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Glacier
Long term low-cost archiving serviceOptimal for infrequently accessed dataDesigned for 99.999999999% durability3-5 hours retrieval timeLess than $0.01 per GB / month (depending on region)
43© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
SoundCloud Case Study
SoundCloud:Operates worldwide.Enables users to upload 12 hours of audio material to its platform every minute.Ø Each audio file must be transcoded and stored in multiple formats.Ø Logs and analyzes billions of events.
The AWS Solution:SoundCloud uses a storage solution comprised of:Ø Amazon S3Ø Amazon Glacier
The audio files are:Ø Placed in Amazon S3.Ø Distributed from Amazon S3 via the SoundCloud website. Ø Copied to Amazon Glacier.
The company currently stores 2.5 PB of data on Amazon Glacier.
Amazon Glacier
AmazonS3
44© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Instructor Demo
Amazon S3
45© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Elastic Block Store (EBS)
Persistent block level storage volumes offering consistent and low-latency performanceAutomatically replicated within its Availability ZoneSnapshots stored durably in Amazon S3
Amazon EBS
46© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS Lifecycle
Vast amounts of unused space Create
Call CreateVolume1 GB to 16 TB
AttachCall AttachVolume to affiliate with one Amazon EC2 instance
Attached and
In Use
• Format from Amazon EC2 instance OS
• Mount formatted drive
CreateSnapshotSnapshot to
Amazon S3Detach
Call DetachVolume
Deleted
Call DeleteVolume
47© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS Facts
You can create:Ø EBS Magnetic volumes from 1 GiB to 1 TiB in size.Ø EBS General Purpose (SSD) and Provisioned IOPS (SSD)
volumes up to 16 TiB in size.You can use encrypted EBS volumes to meet a wide range of data at-rest encryption requirements for regulated/audited data and applications.You can create point-in-time snapshots of EBS volumes, which are persisted to Amazon S3.
48© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS Pricing
* Check Amazon EBS Pricing page for current pricing for all regions.
Pay for what you provision:Pricing based on regionAWS GovCloud (US) Pricing pageReview Pricing Calculator onlinePricing is available as:ØStorageØIOPS
49© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EBS and Amazon S3
Amazon EBS Amazon S3
Paradigm Block storage with file system Object store
Performance Very fast FastRedundancy Across multiple servers in an
Availability ZoneAcross multiple facilities in a Region
Security EBS Encryption – Data volumes and Snapshots
Encryption
Access from the Internet?
No (1) Yes (2)
Typical use case It is a disk drive Online storage
(1) Accessible from the Internet if mounted to server and set up as FTP, etc.(2) Only with proper credentials, unless ACLs are world-readable
50© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EC2 Instance Storage
Local, complimentary direct attached block storage resource.Availability, number of disks, and size is based on EC2 instance type.Storage optimized instances for up to 365,000 Read IOPS and 315,000 First Write IOPS.SSD or magnetic.No persistence.All data is automatically deleted when an EC2 instance stops, fails or is terminated.
51© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Reboot vs. Stop vs. Terminate
Characteristic Reboot Stop/Start (EBS-backed instances only)
Terminate
Host computer The instance stays on the same host computer.
The instance runs on a new host computer.
N/A
Private and public IP addresses
Stay the same. Instance keeps its private IP address and gets a new public IP address.
N/A
Elastic IP addresses (EIP)
EIP remains associated with the instance.
EIP remains associated with the instance.
The EIP is disassociated from the instance.
Instance store volumes
The data is preserved. The data is erased. The data is erased.
EBS volume The volume is preserved. The volume is preserved. The volume is deleted by default.
Billing Instance billing hour doesn’t change.
You stop incurring charges as soon as state is changed to stopping.
You stop incurring charges as soon as state is changed to shutting-down.
52© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Networking
Amazon VPC
53© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Virtual Private Cloud (VPC)
Provision a private, isolated virtual network on the AWS cloud.Have complete control over your virtual networking environment.
AmazonVPC
54© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPCs and Subnets
A subnet defines a range of IP addresses in your VPC.You can launch AWS resources into a subnet that you select.A private subnet should be used for resources that won’t be accessible over the Internet.A public subnet should be used for resources that will be accessed over the Internet.Each subnet must reside entirely within one Availability Zone and cannot span zones.
55© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon VPC Example
Availability Zone A
Virtual Private Cloud
AWS Cloud
Public Subnet
Internet
Virtual Private Cloud
Availability Zone B
Private Subnet
Availability Zone C
VPN Only Subnet
DB Server DB Server
App Server
DB Server DB Server
DB Server
Web Server Web Server
NAT
Customer Network
R
56© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security in Your VPC
Security groupsNetwork access control lists (ACLs) Subnet
10.0.0.0/24Subnet
10.0.1.0/24
Internet GatewayVPN Gateway
VPC Router10.0.0.0/16
Security Group Security Group
Security Group
Network ACL Network ACL
Routing Table Routing Table
instance instance instance instance
57© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Knowledge Check Answers
Q: What AWS service would help support your web application to offload serving static assets and store user uploaded images and video off-instance?
Q: How would you find out the private and public IP addresses for an EC2 instance?
Q: What acts as an additional layer of security at the subnet level in a VPC?
True or False: S3 Provides unlimited storage.True
Retrieve the instance metadata. http://169.254.169.254/latest/meta-data/
Amazon S3
Network ACLs
58© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Module 3Security, Identity, and Access
Management
59© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Shared Responsibility – AWSAW
S
Client-side Data Encryption and Data Integrity
AuthenticationServer-side Encryption
(File System and/or Data)Network Traffic Protection
(Encryption/Integrity/Identity)
Platform, Applications, Identity and Access ManagementOperating System, Network and Firewall Configuration
Customer DataCu
stom
er
Foundation ServicesCompute Storage Database Network
AWS Global Infrastructure Regions
Availability Zones Edge Locations
60© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Physical Security
24/7 trained security staffAWS data centers in nondescript and undisclosed facilitiesTwo-factor authentication for authorized staffAuthorization for data center access
61© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Hardware, Software, and Network
Automated change-control processBastion servers that record all access attemptsFirewall and other boundary devicesAWS monitoring tools
62© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Certifications and Accreditations
ISO 9001, ISO 27001, ISO 27017, ISO 27018, IRAP (Australia), MLPS Level 3 (China), MTCS Tier 3 Certification (Singapore) and more …
63© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
SSL Endpoints
VPC
Secure Transmission
Establish secure communication
sessions (HTTPS) using SSL/TLS.
Instance Firewalls
Configure firewall rules for instances
using Security Groups.
SSL Endpoints Security Groups
Network Control
In your Virtual Private Cloud, create low-level networking
constraints for resource access. Public and private subnets, NAT and
VPN support.
SSL Endpoints
64© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Groups
SSL Endpoints Security Groups
Instance Firewalls
Configure firewall rules for instances
using Security Groups.
VPC
Secure Transmission
Establish secure communication
sessions (HTTPS) using SSL/TLS.
Network Control
In your Virtual Private Cloud, create low-level networking
constraints for resource access. Public and private subnets, NAT and
VPN support.
65© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Multi-Tier Security Groups
HTTP
SSH/RDP
Ports 80 and 443 only open to the Internet
Engineering staff have SSH/RDP access to Bastion Host
All other internet ports blocked by default
Bastion
66© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Virtual Private Cloud (VPC)
VPCSSL Endpoints Security Groups
Network Control
In your Virtual Private Cloud, create low-level networking
constraints for resource access. Public and private subnets, NAT and
VPN support.
Instance Firewalls
Configure firewall rules for instances
using Security Groups.
Secure Transmission
Establish secure communication
sessions (HTTPS) using SSL/TLS.
67© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Identity and Access Management (IAM)
AWS IAM
3
Manage federated users and their permissions
2
Manage AWS IAM roles and their permissions
1
Manage AWS IAM users and their access
68© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM Authentication
AuthenticationAWS Management ConsoleØ User Name and Password IAM User
69© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM Authentication
Access Key ID: AKIAIOSFODNN7EXAMPLESecret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Java Python .NET
AWS SDK & APIAWS CLI
AuthenticationAWS CLI or SDK APIØ Access Key and Secret Key IAM User
70© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM User Management - Groups
User D
DevOps Group
User C
AWS Account
TestDev Group
User BUser A
71© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM Authorization
AuthorizationPolicies:Ø Are JSON documents to
describe permissions.Ø Are assigned to Users,
Groups or Roles.
IAM User IAM Group
IAM Roles
72© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM Roles - Instance Profiles
Amazon EC2
App & EC2 MetaData Servicehttp://169.254.169.254/latest/meta-data/iam/security-credentials/rolename
Amazon S31
2
3
4
Create Instance
Sele
ct IA
M R
ole
Application interacts with S3
73© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM Authentication and Authorization
AuthenticationØ AWS Management Console
• User Name and PasswordØ AWS CLI or SDK API
• Access Key and Secret Key
AuthorizationØ Policies
IAM User IAM Group
IAM Roles
74© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM Best Practices
Delete AWS account (root) access keys.Create individual IAM users.Use groups to assign permissions to IAM users.Grant least privilege.Configure a strong password policy.Enable MFA for privileged users.
75© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM Best Practices (cont.)
Use roles for applications that run on Amazon EC2 instances.Delegate by using roles instead of by sharing credentials.Rotate credentials regularly.Remove unnecessary users and credentials.Use policy conditions for extra security.Monitor activity in your AWS account.
76© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Resource-Based Policies
Are an alternative to IAM and supported by some services.Grant cross-account access to your resources.Use a principal to uniquely identify account in the policy.Supported AWS services include :Ø Amazon S3 Bucket PolicyØ Amazon SNS Topic PolicyØ Amazon SQS Queue PolicyØ Amazon Glacier Vault PolicyØ AWS OpsWorks Stack PolicyØ AWS Lambda Function Policy
77© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Knowledge Check Answer
Q: Your web application needs to read/write an Amazon DynamoDB table and an Amazon S3 bucket. This operation requires AWS credentials and authorization to use AWS services. What service would you use? AWS IAM Role
78© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Module 4Databases
79© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data Storage Considerations
No one size fits all.Analyze your data requirements by considering:Ø Data formatsØ Data sizeØ Query frequencyØ Data access speedØ Data retention period
80© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Managed Database Services
Compute Storage
AWS Global Infrastructure
Database
App Services
Deployment and Administration
Networking
Amazon DynamoDB
Amazon ElastiCache
Amazon RDS
Amazon Redshift
AWS Database Migration Service
81© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Relational Database Service (RDS)
Cost-efficient and resizable capacityManages time-consuming database administration tasksAccess to the full capabilities of Amazon Aurora, MySQL, MariaDB, Microsoft SQL Server, Oracle, and PostgreSQL databases
Amazon RDS
82© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon RDS Use Case
We were able to go from concept to delivered product in about six months with just
a handful of engineers.Greg Scallan
Chief Architect, Flipboard
”
“ Flipboard is an online magazine with millions of users and billions of “flips” per month.Flipboard is one of the world’s first social media magazines.Flipboard uses Amazon RDS and its Multi-AZ capabilities to store mission critical user data.
83© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon RDS
Simple and fast to deployManages common database administrative tasksCompatible with your applicationsFast, predictable performanceSimple and fast to scaleSecureCost-effective
84© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
How Amazon RDS Backups Work
Automatic Backups:Ø Restore your database to a
point in time.Ø Are enabled by default.Ø Let you choose a retention
period up to 35 days.
Manual Snapshots:Ø Let you build a new
database instance from a snapshot.
Ø Are initiated by the user.Ø Persist until the user deletes
them.Ø Are stored in Amazon S3.
85© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cross-Region Snapshots
Are a copy of a database snapshot stored in a different AWS Region.Provide a backup for disaster recovery.Can be used as a base for migration to a different region.
86© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon RDS Security
Run your DB instance in an Amazon VPC.Use IAM policies to grant access to Amazon RDS resources.Use security groups.Use Secure Socket Layer (SSL) connections with DB instances (Amazon Aurora, Oracle, MySQL, MariaDB, PostgreSQL, Microsoft SQL Server).Use Amazon RDS encryption to secure your RDS instances and snapshots at rest.Use network encryption and transparent data encryption (TDE) with Oracle DB and Microsoft SQL Server instances.Use the security features of your DB engine to control access to your DB instance.
87© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
A Resilient, Durable Application Architecture
Amazon RDS database instances:Master and Multi-AZ standby
Application, in Amazon EC2 instances
Elastic Load Balancing load balancer instance
DB snapshots in Amazon S3
88© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon RDS Best Practices
Monitor your memory, CPU, and storage usage.Use Multi-AZ deployments to automatically provision and maintain a synchronous standby in a different Availability Zone.Enable automatic backups.Set the backup window to occur during the daily low in WriteIOPS.To increase the I/O capacity of a DB instance:Ø Migrate to a DB instance class with high I/O capacity.Ø Convert from standard storage to provisioned IOPS storage and use a DB
instance class optimized for provisioned IOPS.Ø Provision additional throughput capacity (if using provisioned IOPS storage).
If your client application is caching the DNS data of your DB instances, set a TTL of less than 30 seconds.Test failover for your DB instance.
89© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon DynamoDB
Store any amount of data with no limitsFast, predictable performance using SSDsEasily provision and change the request capacity needed for each tableFully managed, NoSQL database serviceAmazon
DynamoDB
90© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
DynamoDB Use Case
AdRoll, an online advertising platform, serves 50 billion impressions a day worldwide with its
global retargeting platforms.
We spend more on snacks than we do on Amazon
DynamoDB.
Valentino VolonghiCTO, Adroll
”
“ Adroll Uses AWS to grow by more than 15,000% in a yearNeeded high-performance, flexibleplatform to swiftly sync data for worldwide audience Processes 50 TB of data a dayServes 50 billion impressions a dayStores 1.5 PB of dataWorldwide deployment minimizes latency
91© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
DynamoDB Data Model
Table:Music Items
Attributes (name-value pairs)
Artist Song Title
Album Title
Year Genre
92© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Primary Keys
Partition Key
Sort Key
Table: MusicPartition Key: ArtistSort Key: Song Title
(DynamoDB maintains a sorted index for both keys)
Table:Music
Artist Song Title
Album Title
Year Genre
93© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Provisioned Throughput
You specify how much provisioned throughput capacity you need for reads and writes.Amazon DynamoDB allocates the necessary machine resources to meet your needs.Read capacity unit: Ø One strongly consistent read per second for items as large
as 4 KB. Ø Two eventually consistent reads per second for items as
large as 4 KB.Write capacity unit:Ø One write per second for items as large as 1 KB.
94© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon RDS and Amazon DynamoDBFactors Relational (Amazon RDS) NoSQL (Amazon DynamoDB)
Application Type
• Existing database apps• Business process–centric apps
• New web-scale applications• Large number of small writes and
reads
Application Characteristics
• Relational data models, transactions
• Complex queries, joins, and updates
• Simple data models, transactions• Range queries, simple updates
Scaling Application or DBA–architected (clustering, partitions, sharding)
Seamless, on-demand scaling based on application requirements
QoS
• Performance–depends on data model, indexing, query, and storage optimization
• Reliability and availability• Durability
• Performance–Automatically optimized by the system
• Reliability and availability• Durability
95© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Database ConsiderationsIf You Need Consider Using
A relational database service with minimal administration
Amazon RDS • Choice of Amazon Aurora, MySQL, MariaDB, Microsoft
SQL Server, Oracle, or PostgreSQL database engines• Scale compute and storage• Multi-AZ availability
A fast, highly scalable NoSQL database service
Amazon DynamoDB• Extremely fast performance• Seamless scalability and reliability• Low cost
A database you can manage on your own
Your choice of AMIs on Amazon EC2 and Amazon EBS that provide scale compute and storage, complete control over instances, and more.
96© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Module 5AWS Elasticity and Management Tools
97© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Auto Scaling
Scale your Amazon EC2 capacity automaticallyWell-suited for applications that experience variability in usageAvailable at no additional charge Auto
Scaling
98© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Trio of Services
Latency
Utilization
CloudWatchAuto Scaling
Elastic Load Balancing
Auto Scaling group
Execute AS Policy
99© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Auto Scaling Benefits
Better Cost Management
Better Availability
Better Fault Tolerance
100© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Launch Configurations
A launch configuration is a template that an Auto Scaling group uses to launch EC2 instances.When you create a launch configuration, you can specify:Ø AMI IDØ Instance typeØ Key pairØ Security groupsØ Block device mappingØ User data
101© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Auto Scaling Groups
Contain a collection of EC2 instances that share similar characteristics.Instances in an Auto Scaling group are treated as a logical grouping for the purpose of instance scaling and management. Auto Scaling group
Minimum size
Desired capacityMaximum size
Scale out as needed
102© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Dynamic Scaling
You can create a scaling policy that uses CloudWatch alarms to determine:Ø When your Auto Scaling group should scale out.Ø When your Auto Scaling group should scale in.
You can use alarms to monitor:Ø Any of the metrics that AWS services send to Amazon
CloudWatch.Ø Your own custom metrics.
103© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Auto Scaling Basic Lifecycle
instances
Auto Scaling group
Scale Out
Amazon CloudWatchScheduled Event
Scale In
Amazon CloudWatchScheduled Event
Launch Instance
Terminate Instance X
Attach to Group
Detach from Group
104© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Elastic Load Balancing
Distributes traffic across multiple instancesSupports health checks to detect unhealthy Amazon EC2 instancesSupports the routing and load balancing of HTTP, HTTPS, and TCP traffic to Amazon EC2 instances
Elastic Load Balancing
105© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Elastic Load Balancing Example
106© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Back-end Instances for Your Load Balancer
Health ChecksSecurity GroupsSubnetsRegisterDe-Register Instances
107© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon CloudWatch
A monitoring service for AWS cloud resources and the applications you run on AWSVisibility into resource utilization, operational performance, and overall demand patternsCustom application-specific metrics of your ownAccessible via AWS Management Console, APIs, SDK, or CLI
Amazon CloudWatch
108© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon CloudWatch Architecture
AWS resources that support CloudWatch
Amazon CloudWatch
Amazon CloudWatch
Alarm
SNS Email Notification
Auto Scaling
Available Statistics
Statistics Consumer
AWS Management Console
CloudWatch Metrics
CPUUtilization
StatusCheckFailed
Custom Application-
Specific Metrics
PageViewCount
109© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Supported AWS Services
Auto Scaling
Amazon CloudFront
Amazon CloudWatch
Amazon CloudSearch
Amazon DynamoDB
Amazon EC2
Amazon ElastiCache
Amazon EBS
Elastic LoadBalancing
Amazon EMR
Amazon Kinesis Amazon EC2 Container Service
AWS OpsWorks
Amazon Redshift
Amazon RDS
Amazon Route 53
Amazon SNS
Amazon SQS
Amazon SWF
Amazon S3AWS Storage Gateway
Amazon WorkSpaces
Amazon Machine Learning
AWS Lambda AWS WAF
110© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Trusted Advisor
Best practice and recommendation engine.Provides AWS customers with performance and security recommendations in four categories: cost optimization, security, fault tolerance, and performance improvement.
AWS Trusted Advisor
111© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cost Optimization
Amazon EC2 Reserved Instance OptimizationLow Utilization Amazon EC2 InstancesIdle Load BalancersUnderutilized Amazon EBS VolumesUnassociated Elastic IP AddressesAmazon RDS Idle DB Instances
112© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security
Security GroupsAWS IAM UseAmazon S3 Bucket PermissionsMFA on Root AccountAWS IAM Password PolicyAmazon RDS Security Group Access Risk
113© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fault Tolerance
Amazon EBS SnapshotsLoad Balancer OptimizationAuto Scaling Group ResourcesAmazon RDS Multi-AZAmazon Route 53 Name Server DelegationsELB Connection Draining
114© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Performance Improvement
High Utilization Amazon EC2 InstancesService LimitsLarge Number of Rules in EC2 Security GroupOver Utilized Amazon EBS Magnetic VolumesAmazon EC2 to EBS Throughput OptimizationAmazon CloudFront Alternate Domain Names
115© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial
copying, lending, or selling is prohibited.
Errors or corrections? Email us at aws-course-feedback@amazon.com. For all other questions, contact us at:
https://aws.amazon.com/contact-us/aws-training/.
All trademarks are the property of their owners.
Recommended