SERVICE GUIDE
MANAGED SERVICES FOR AWS

TABLE OF CONTENTS
Disclaimer
Overview
  Guidance with Authority
Managed AWS Service Levels
  Advisory
  Fully Managed
  Mixing Service Levels
Service Level Comparison
  Support
  Service Delivery
  Tooling & Automation
  Add-on Services
AWS Accounts
  Account Management
  Transferring AWS Accounts to Media Temple
    Advisory
    Fully Managed
  Account and Data Ownership
Response Time SLAs
  Emergency
  Urgent
  Standard
Service and Support
  Your Journey, Our Team
  Ready
    AWS Cloud Consultant
    AWS Solutions Architect
  Set
    Onboarding Manager (OM)
    Deployment Team
  Go
    Service Delivery Manager (SDM)
    24/7/365 Support Team
  Communication
    Tickets
    Phone
    Slack
    AWS Escalations
Service Operations
  Monitoring
  Customer Runbooks
  Incident Management
    1) Communication
    2) Incident Response (IR)
    3) Resolution
    4) Analysis
    A Note on Complex Changes
  Change Management
    Change Management Process
  Ongoing Management
    Operating System Security Patching
    Rollback
    Backups
    Restores
  Account Reviews
  Cloud Optimization
Security
  Enhanced Security
    SSH IP Allow List
    Bastion Instance
    VPN Instance
    Site Malware Scanning
  Audit Logging
Professional Services
  Application Load Testing
  DevOps Services
  Database Tuning
  DevOps Maturity & Strategic Planning
Appendix A: RACI matrix (customer vs. MT responsibility)
Appendix B: Process for support requests and incident management
Appendix C: Supported AWS Services
  Compute
    EC2
  Storage & Content Delivery
  Database
    RDS
  Networking & Content Delivery
  Developer Tools
  Management Tools
  Security, Identity, & Compliance
  Analytics
  Artificial Intelligence
  Mobile Services
  Application Services
  Messaging
  Business Productivity
  Desktop & Application Streaming
  Internet of Things
  Contact Center
  Game Development
Appendix D: Default monitoring
Appendix E: Default alarms
  Emergency
  Urgent
DISCLAIMER
Since we’ll add new features and you may add new applications and software to your cloud, it’s important that we
inform you up front what Media Temple’s support entails and what it doesn’t. While this guide doesn’t constitute
a binding agreement by you or Media Temple, it does outline the guidelines of your Media Temple service to help
ensure we’re both operating off the same expectations. That said, this guide is subject to change at any time at the
sole discretion of Media Temple without notice to you. For complete terms governing the services described herein,
please refer to the Managed Services Agreement: x.co/mtawstos.
OVERVIEW
As businesses increasingly commit to the cloud, it’s essential to have expertise devoted to harnessing its intricacies
and potential.
Maybe you want to focus on the core competencies of your business or maybe you simply don’t have cloud expertise
in house: Either way, Media Temple helps you get the most out of your cloud investment, reducing the burden on
your team and creating a custom solution for your business.
With Media Temple’s Managed Services for AWS, we leverage our human expertise and automation to provide
architecture, optimization, security, and 24/7/365 live support for your cloud.
Media Temple empowers you to utilize the cloud more effectively and with the assurance that experts are
on your side.
GUIDANCE WITH AUTHORITY
Our support for digital agencies and enterprises extends over two decades in web hosting, providing a foundation
of experience and culture suited to transitioning your business to the cloud. In this new era, our AWS certifications
reach across our team and our long adherence to DevOps methods gives us an edge over those just picking up on the
latest buzzword.
Most importantly, we’re dedicated to applying this expertise specifically toward your business objectives. Our
guidance comes with refined knowledge of the particulars of AWS: Utilizing its best practices, we work to build
well-architected, secure solutions to accommodate your unique requirements. We understand the challenges you’ll face
and the opportunities you have. So, in getting you to proven solutions, our guidance is both clear and decisive.
MANAGED AWS SERVICE LEVELS
Based on the degree of support you need from Media Temple, we offer two service levels.
ADVISORY
With our Advisory service level, you get access to our tooling and guidance
while you manage your AWS cloud on your own. Whether you have existing AWS
proficiency or are building it, the Advisory service level gives you full control, with
our specialized expertise available when you get stuck.
Hands-on device management and services like monitoring and patching aren’t
included. If you want Media Temple to provide hands-on management of your cloud
and its infrastructure, you can move to our Fully Managed service level at any time.
FULLY MANAGED
Our Fully Managed service level takes the nitty-gritty work of managing your
AWS cloud off your hands and puts it into the care of Media Temple’s experts.
We’ll handle architecture, deployment, security, and optimization, while delivering
24/7/365 operational support.
You can trust that we’ll have a close eye on your infrastructure, with a goal of
catching, communicating, and fixing issues before you even notice them. The Fully
Managed service level gives you the most direct application of our decades of
support experience and AWS expertise.
MIXING SERVICE LEVELS
In case areas of your business have distinct needs, you can have a mix of Advisory and Fully Managed
accounts. However, individual AWS resources can’t be split between accounts. We’ll help figure out the
best way to structure your accounts during onboarding.
SERVICE LEVEL COMPARISON
SUPPORT
| | ADVISORY | FULLY MANAGED |
|---|---|---|
| Onboarding Manager: Personal contact, providing onboarding assistance and project management as you get up and running on AWS | Yes, onboarding call only, to gather business and technical requirements | Yes |
| Service Delivery Manager: Personal contact for ongoing account and billing management, including technical and business assistance | Yes, Service Delivery team | Yes, dedicated point of contact; regular account reviews |
| AWS account and escalation management | Yes | Yes |
SERVICE DELIVERY
| | ADVISORY | FULLY MANAGED |
|---|---|---|
| Support for AWS services: Support from AWS-certified engineers for AWS-related issues | Yes; assistance with AWS console | Yes; see Appendix C: Supported AWS Services |
| Initial response time SLAs | Standard: 8 hours | Emergency: 15 minutes; Urgent: 2 hours; Standard: 8 hours |
| Solution architecture: AWS & Media Temple best practices and guidance | Ongoing consultation | Ongoing consultation; custom code tailored to your specific use case |
| Monitoring | N/A | CloudWatch alarms; Panopta (uptime); additional 24/7 monitoring |
| EC2 operating system management (AMZ, RHEL, Ubuntu LTS) | N/A | Deployment; configuration; management; optimization; patching |
TOOLING & AUTOMATION
| | ADVISORY | FULLY MANAGED |
|---|---|---|
| Customer portal | Yes | Yes |
| Infrastructure-as-code templates | Curated CloudFormation templates; CodeDeploy templates | Curated CloudFormation templates; CodeDeploy templates; custom templates |
| Automatic support tickets from Emergency and Urgent alarms | N/A | Yes |
| Patch management | N/A | Yes |
| Migration assistance: Guidance, tooling, onboarding, project management | Yes | Yes |
ADD-ON SERVICES
Our service levels focus on your AWS infrastructure. However, some application-side services are available at an
additional cost.
| | ADVISORY | FULLY MANAGED |
|---|---|---|
| Migration services | N/A | Add-on |
| DevOps strategy & services: Application optimization, DevOps best practices, CI/CD | N/A | Add-on |
| Application load testing | Add-on | Add-on |
| Custom professional services | Add-on | Add-on |
AWS ACCOUNTS
ACCOUNT MANAGEMENT
Once you’re a Media Temple customer, an AWS account will be created for you. This member account belongs to you,
and you can delink the account from Media Temple at any time if you no longer need our support.
We will be your liaison with AWS for all your needs, so we’ll escalate any and all AWS support issues on your behalf.
You’ll also receive access to our account management dashboard and tools.
TRANSFERRING AWS ACCOUNTS TO MEDIA TEMPLE
ADVISORY
Your existing AWS account will be consolidated as a member account under Media Temple. You’ll have full access to
the AWS console with the exception of Billing and AWS Support. Everything else remains the same.
FULLY MANAGED
If you already have a running AWS environment, we’ll work with you to re-architect and migrate your existing
platform to one built to Media Temple’s best practices. This allows us to actively manage and optimize it.
ACCOUNT AND DATA OWNERSHIP
If you leave, you will retain ownership of all your data plus the AWS architecture and configuration.
RESPONSE TIME SLAs
EMERGENCY (Fully Managed only)
Initial response time: <15 minutes
If an AWS infrastructure issue halts your business operations (e.g. your site is no longer accessible to customers), we’ll
be notified by automated alerts and guarantee an initial response in under fifteen minutes.
URGENT (Fully Managed only)
Initial response time: <2 hours
If your AWS services are degraded or have exceeded their defined thresholds, an Urgent ticket will be created and we
guarantee an initial response in under two hours.
STANDARD (Advisory and Fully Managed)
Initial response time: <8 hours
For any assistance you might need, whether it’s configuration, a non-immediate task, or just information, you can
raise a Standard ticket and we guarantee an initial response in under 8 hours. All tickets for the Advisory service level
fall under this SLA.
SERVICE AND SUPPORT
YOUR JOURNEY, OUR TEAM
A successful journey in the cloud calls for an array of tasks, from planning and assessment to management and
optimization. There’s a lot to be done, but Media Temple makes it a smooth, transparent experience. Our goal is for
your journey to be as simple as: Ready. Set. Go.
READY
Your day-one decisions can influence the options you have on day one hundred. So, at this stage we prepare you for
the shift and plan your new cloud.
AWS Cloud Consultant
With a strong understanding of the cloud, you’ll get more from it. Your AWS Cloud Consultant explains
how your environment will work and ensures you’re comfortable with any new concepts.
AWS Solutions Architect
Your AWS Solutions Architect custom designs infrastructure based on your application. By collaborating
with you in establishing requirements and goals, your architect maps out how your cloud will achieve
scale, security, and performance.
SET
Rest easy knowing Media Temple works through the details in transitioning you to your new cloud. In this stage, we
deploy your AWS cloud and help ensure our relationship is set for success over the long term.
Onboarding Manager (OM)
Your Onboarding Manager is your primary point of contact. As your guide during the transition from an
idea to infrastructure, your Onboarding Manager will lead an onboarding call, work with you to create
runbooks, and provide project management.
Deployment Team
Media Temple’s AWS Deployment Team builds the environment your Solutions Architect has designed for
you. The team’s DevOps engineers will work to solve the technical challenges of getting your cloud into
production.
GO
With your application live in the cloud, our team continues to manage and optimize your environment. As new
technologies become available and new challenges are revealed, we’ll work with you to make your cloud even better.
Service Delivery Manager (SDM)
Once onboarding is complete, your Service Delivery Manager takes over as your point of contact.
Performing regular account reviews with you, they’ll build a deep understanding of your business
objectives and guide any optimizations.
24/7/365 Support Team
Your cloud is in good hands every minute of every day: Our AWS support engineers are available
24/7/365. If issues arise, you can be confident our team will be here to help solve them.
COMMUNICATION
TICKETS
Our ticketing system is our primary means of communication, plus it acts as a repository of information
about your account. Each ticket represents a problem to be addressed or decision that’s been made.
PHONE
Our AWS support engineers are available for phone support 24/7/365.
SLACK
There may be stages through the life of your account where increased communication is important. For
those stages, we provide a dedicated Slack channel for fluid messaging.
AWS ESCALATION
Incidents and escalations will be managed by us directly with Amazon Web Services.
SERVICE OPERATIONS
MONITORING
Media Temple uses New Relic, Panopta, CloudWatch, and other industry-leading platforms to monitor and maintain
your application’s infrastructure. In addition to our default monitoring and metrics configuration, your OM and SDM
will work with you on your specific monitoring requirements while adhering to best practices.
CUSTOMER RUNBOOKS
As part of our onboarding process, Media Temple will work with you to tailor the incident management process to
meet your business and technical requirements. As part of your ongoing service delivery, we will audit these runbooks
during regular account reviews.
INCIDENT MANAGEMENT
Media Temple prioritizes our customers’ uptime. We’ve built a streamlined incident-management process that
ensures you receive a rapid and consistent response.
1) COMMUNICATION
When an incident arises, the Media Temple team raises a ticket. This contains all relevant information and is updated
regularly to ensure you remain informed.
2) INCIDENT RESPONSE (IR)
We respond to each incident in accordance with the SLAs outlined earlier. Using your runbooks, we work to resolve
the issue based on your organizational and technical guidelines, including:
• Who should be informed
• What information is important
• Which sites/applications take priority
When problems need to be escalated, we follow a clear procedure to pull in resources and remediate service
disruptions quickly.
3) RESOLUTION
Once the service disruption has been remediated and your infrastructure is reporting normally, we’ll let you know if
any steps are needed at the application layer. The ticket remains open until you give your approval that the incident
has been resolved to your satisfaction.
4) ANALYSIS
Once an incident is closed, our support team will work with you to analyze the root cause. For example:
• What happened?
• Why did it happen?
• What resolved the issue?
• How can the issue be prevented in the future?
A NOTE ON COMPLEX CHANGES
In some cases resolution and prevention can involve complex changes to your cloud infrastructure
and/or recommendations to optimize your application. In these cases, Media Temple will use our
change-management process to minimize the impact on your business.
CHANGE MANAGEMENT
As AWS evolves, we’ll find opportunities to innovate and optimize your cloud. Our Managed Services for AWS
solution helps you manage changes with minimal impact to business.
Your SDM is your main technical consultant and will work with you to define the objective, evaluate options,
coordinate resources, and oversee the process.
For clarity and organization, each change to your AWS infrastructure will generally be tracked and documented in its
own ticket.
CHANGE MANAGEMENT PROCESS
[Flowchart. Lanes: Customer, SDM, Support. Stages: Request; Plan + Assess + Design; Approval; Implementation;
Confirmation & Documentation. Box labels: Customer change requested; Change/request confirmed; Ticket created;
Reviewed by Solution Architect; Deployment & rollback documented; Approved; Change scheduled; Change implemented;
Success; Rollback; Ticket updated, account record updated; Change cancelled; Change completed & documented.]
ONGOING MANAGEMENT
OPERATING SYSTEM SECURITY PATCHING
Media Temple’s scope of support for patching is limited to updates for server OS and core services (e.g., Apache, PHP).
We categorize each update by the severity of the security issue – as defined by AWS – and by its impact.
EXPECTED IMPACT OF UPDATE (TO UPTIME)
| IMPACT | EXPECTED OUTAGE |
|---|---|
| High | Outage greater than 20 minutes |
| Medium | Outage of 1 to 20 minutes (e.g., update to NFS) |
| Low | Outage of less than 15 seconds (e.g., update to RDS) |
| Very Low | No outage expected (e.g., update to instances in an Auto Scaling Group) |
If a security alert is applicable to your infrastructure, Media Temple will handle the change based on the guidelines
stated in the following table, which is organized by impact and, within each impact level, by severity
(Critical, Important, Medium/Low).
IMPACT: HIGH
Severity: Critical
• Media Temple will attempt to notify customer at least 24 hours in advance, unless we deem it’s an immediate threat, at which point we will attempt to patch it as soon as possible.
• Customer is not able to delay update.
• Update will generally be applied during the next maintenance window.
• Media Temple will attempt to notify the customer that the update is complete.
Severity: Important
• Media Temple will attempt to notify customer at least 24 hours in advance.
• Customer is able to delay update for up to one month.
• Update will generally be applied during the next maintenance window.
• Media Temple will attempt to notify the customer that the update is complete.
Severity: Medium/Low
• Update will generally be applied during subsequent build or quarterly review.
IMPACT: MEDIUM
Severity: Critical
• Media Temple will attempt to notify customer at least 24 hours in advance.
• Customer is not able to delay update.
• Update will generally be applied during the next maintenance window.
• Media Temple will attempt to notify the customer that the update is complete.
Severity: Important
• Media Temple will attempt to notify customer at least 24 hours in advance.
• Customer is able to delay update for up to one month.
• Update will generally be applied during the next maintenance window.
• Media Temple will attempt to notify the customer that the update is complete.
Severity: Medium/Low
• Update will generally be applied during subsequent build or quarterly review.
IMPACT: LOW
Severity: Critical
• Customer is not able to delay update.
• Update will generally be applied during the next maintenance window.
Severity: Important
• Update will generally be applied during the next maintenance window.
Severity: Medium/Low
• Update will generally be applied during subsequent build or quarterly review.
IMPACT: VERY LOW
Severity: Critical
• Customer is not able to delay update.
• Update will generally be applied during Media Temple’s regular business hours.
Severity: Important
• Update will generally be applied during Media Temple’s regular business hours.
Severity: Medium/Low
• Update will generally be applied during subsequent build or quarterly review.
Your scheduled maintenance window will occur weekly during a two-hour time period you’ve chosen (by default, this
will be 1am to 3am in your timezone).
Because AWS can add and remove instances from an Auto Scaling Group, Very Low impact updates can be performed
without interruption to your site or application. However, you can request that Very Low impact updates be done
during the assigned maintenance window.
ROLLBACK
In the event that an update fails, Media Temple will switch back to an earlier Amazon Machine Image (AMI)
or revert the configuration to an earlier working state. In this event, we’ll let you know why the rollback
happened and what was done to restore functionality.
BACKUPS
By default, instances are backed up using the following methods:
| SERVICE | DEFAULT BACKUP METHOD |
|---|---|
| Elastic Block Storage (EBS) | Daily snapshots stored to S3 bucket with 7-day retention. |
| Amazon Relational Database (RDS) | Continuous backups and daily snapshots (allowing restore from any point in time) with 7-day retention. |
| Elastic File System (EFS) | Daily duplication to a secondary EFS volume with 7-day retention. |
Backups can be tailored to your technical and organizational needs, but custom methods might be subject to an
additional cost.
RESTORES
You can request restores via our ticketing system by including specific instructions on which backup should be
restored and where it should be placed.
ACCOUNT REVIEWS
To ensure we’re meeting your requirements and maximizing the return on your cloud investment, we’ll conduct
regular account reviews with you.
These sessions are an opportunity for you and your SDM to review the following data:
• Optimization for cost, performance, and availability
• Support tickets
• Monitoring alerts
• Change management
• Infrastructure performance
• Application performance
• New AWS products and services
• AWS best practices
• Product roadmap
These account reviews are key touchpoints to measure Media Temple’s progress in helping you meet the business
objectives you’ve defined. We call it Continuously Improving Service Delivery.
CLOUD OPTIMIZATION
We’ll use all available data to take a holistic look at your application and infrastructure, suggesting ways to:
• Lower costs
• Improve performance
• Increase uptime
We handle changes to your infrastructure, while providing guidance to your development team to maximize the
return on your cloud investment. For example, offloading compute tasks to Lambda could be found to reduce
complexity and cost.
SECURITY
The safety of your data and code is essential. To protect it, AWS has developed an extensive set of security guidelines.
All advice and architecture you receive from Media Temple adheres to those guidelines and our own best practices.
Some examples of our practices:
• All resources (e.g. RDS instances) that do not need to be accessed from the public Internet are placed in private
subnets, eliminating the possibility of unauthorized access.
• IAM permissions are granted at a granular level so that each resource that needs access is given the least possible
permission to accomplish its tasks.
• All logs are sent from individual instances to CloudWatch Logs, allowing for analysis.
• CloudTrail logging is enabled on every account, so every API call is logged and available for auditing and analysis.
ENHANCED SECURITY
There are a number of modifications that can be made to your AWS infrastructure at your request that will enhance
security.
SSH IP ALLOW LIST
By default, web instances are configured to accept SSH connections from the public Internet. All instances are
configured with Fail2ban brute-force-detection software, which blocks IPs that repeatedly fail to authenticate.
An additional level of protection can be achieved by configuring a set of IPs that are allowed to connect, thereby
blocking all unauthorized access.
BASTION INSTANCE
A further level of protection can be achieved by using a bastion instance. With this, all SSH access goes through a
dedicated instance – which may also have an IP whitelist – and all access to web instances is blocked from the public
Internet.
VPN INSTANCE
Similar to how a bastion instance allows for concentrated access to your infrastructure, a VPN allows your local
desktop to access all services (SSH, web, database) directly over an encrypted connection. With this in place, the only
port open to the public internet is the VPN port, and an IP whitelist can be applied for even more protection.
SITE MALWARE SCANNING
For malware and exploit protection, we can set up services to scan your application code regularly and clean up any
issues found.
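The SSH postures described above (open to the public Internet, restricted to an IP allow list, reachable only through a bastion) can be verified from an account's security groups. The following is an added example, not part of the original guide or Media Temple's tooling: it classifies each group from JSON in the shape of `aws ec2 describe-security-groups` output. The sample groups, IDs, addresses, posture names and the "broad range" thresholds are constructed assumptions.

```python
import ipaddress
import json

SSH_PORT = 22
# Allow-list entries wider than these prefix lengths are reported as "broad".
# The thresholds are assumptions for this example, not values from the guide.
MIN_PREFIX = {4: 16, 6: 32}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs, names and addresses are invented (documentation ranges).
SAMPLE = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0001", "GroupName": "web-default", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0002", "GroupName": "web-allow-list", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "198.51.100.0/28"}, {"CidrIp": "203.0.113.7/32"}]}]},
 {"GroupId": "sg-0003", "GroupName": "web-behind-bastion", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "UserIdGroupPairs": [{"GroupId": "sg-0004"}]}]},
 {"GroupId": "sg-0004", "GroupName": "bastion", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
 {"GroupId": "sg-0005", "GroupName": "legacy-all-traffic", "IpPermissions": [
   {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0006", "GroupName": "wide-range", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
    "IpRanges": [{"CidrIp": "192.0.2.0/24"}, {"CidrIp": "100.0.0.0/6"}]}]},
 {"GroupId": "sg-0007", "GroupName": "database", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "UserIdGroupPairs": [{"GroupId": "sg-0003"}]}]}
]}
""")


def covers_ssh(perm):
    """True if an ingress rule applies to TCP port 22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= SSH_PORT <= hi


def ssh_sources(group):
    """Collect every source that may reach port 22 in this group."""
    cidrs, peers, prefix_lists = [], [], 0
    for perm in group.get("IpPermissions", []):
        if not covers_ssh(perm):
            continue
        for r in perm.get("IpRanges", []):
            cidrs.append(ipaddress.ip_network(r["CidrIp"], strict=False))
        for r in perm.get("Ipv6Ranges", []):
            cidrs.append(ipaddress.ip_network(r["CidrIpv6"], strict=False))
        peers += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        prefix_lists += len(perm.get("PrefixListIds", []))
    return cidrs, peers, prefix_lists


def classify(group):
    """Map a group to one SSH posture and list suspiciously wide ranges."""
    cidrs, peers, prefix_lists = ssh_sources(group)
    if any(n.prefixlen == 0 for n in cidrs):
        posture = "public"           # the default described in the guide
    elif cidrs or prefix_lists:
        posture = "allow-list"       # SSH IP allow list
    elif peers:
        posture = "peer-group-only"  # e.g. reachable only from a bastion's group
    else:
        posture = "closed"           # no rule reaches port 22
    broad = sorted(str(n) for n in cidrs
                   if 0 < n.prefixlen < MIN_PREFIX[n.version])
    return {"posture": posture, "broad": broad, "peers": sorted(set(peers))}


def audit(doc):
    """Return {GroupId: classification} for a describe-security-groups document."""
    return {g["GroupId"]: classify(g) for g in doc.get("SecurityGroups", [])}


if __name__ == "__main__":
    for group_id, result in audit(SAMPLE).items():
        print(group_id, result)
```

A group that still reports `public` after an allow list or bastion has been requested, or an allow list with entries under `broad`, is worth raising in a ticket.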
AUDIT LOGGING
By default, CloudTrail is enabled on every account. This service logs detailed information about every action taken
via the web console, command line, and API, no matter if the action was initiated by a human or an AWS service. This
allows for near-real-time monitoring of the activity in your account as well as examination of past activity in the event
of an outage or unauthorized access.
CloudTrail logs are saved to an S3 bucket and are available when needed.
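As an added example of the examination of past activity that these logs allow (not part of the original guide or Media Temple's tooling), the following Python scans CloudTrail records for three events a reviewer would want surfaced: a security group change that opens SSH to the whole Internet, a change to the trail itself, and repeated failed console logins from one address. The records are constructed and carry only the fields the code reads; the rule names and the failure threshold are assumptions.

```python
import json
from collections import Counter

TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed CloudTrail records (account ID, users and addresses are invented).
SAMPLE_LOG = json.loads("""
{"Records": [
 {"eventTime": "2024-01-01T01:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"groupId": "sg-0001", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2024-01-01T01:02:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"groupId": "sg-0002", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "203.0.113.7/32"}]}}]}}},
 {"eventTime": "2024-01-01T01:03:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.20",
  "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"groupId": "sg-0003", "ipPermissions": {"items": [
    {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2024-01-01T01:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "198.51.100.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
 {"eventTime": "2024-01-01T02:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.50",
  "userIdentity": {"userName": "carol"}, "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventTime": "2024-01-01T02:00:10Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.50",
  "userIdentity": {"userName": "carol"}, "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventTime": "2024-01-01T02:00:20Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.50",
  "userIdentity": {"userName": "carol"}, "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventTime": "2024-01-01T02:30:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "responseElements": {"ConsoleLogin": "Success"}}
]}
""")


def actor(rec):
    """Best available identity for the caller of a record."""
    ident = rec.get("userIdentity") or {}
    return ident.get("arn") or ident.get("userName") or "unknown"


def _items(container, key):
    """EC2 list parameters appear in CloudTrail wrapped as {"items": [...]}."""
    return ((container or {}).get(key) or {}).get("items") or []


def opens_ssh_to_world(rec):
    """True for a successful ingress change exposing port 22 to any address."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress" or rec.get("errorCode"):
        return False  # denied or failed calls changed nothing
    for perm in _items(rec.get("requestParameters"), "ipPermissions"):
        proto = str(perm.get("ipProtocol"))
        hits_22 = proto == "-1" or (
            proto in ("tcp", "6")
            and perm.get("fromPort", 0) <= 22 <= perm.get("toPort", 65535))
        sources = {r.get("cidrIp") for r in _items(perm, "ipRanges")}
        sources |= {r.get("cidrIpv6") for r in _items(perm, "ipv6Ranges")}
        if hits_22 and sources & WORLD:
            return True
    return False


def findings(log, max_failed_logins=3):
    """Return (rule, time, who, detail) tuples in record order."""
    out, failed = [], Counter()
    for rec in log.get("Records", []):
        when, who = rec.get("eventTime"), actor(rec)
        if opens_ssh_to_world(rec):
            out.append(("ssh-opened-to-world", when, who,
                        rec["requestParameters"].get("groupId")))
        elif (rec.get("eventSource") == "cloudtrail.amazonaws.com"
              and rec.get("eventName") in TRAIL_CHANGES
              and not rec.get("errorCode")):
            out.append(("trail-changed", when, who, rec["eventName"]))
        elif (rec.get("eventName") == "ConsoleLogin"
              and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Failure"):
            failed[rec.get("sourceIPAddress")] += 1
    for ip, count in sorted(failed.items()):
        if count >= max_failed_logins:
            out.append(("repeated-console-login-failure", None, ip, count))
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE_LOG):
        print(finding)
```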
PROFESSIONAL SERVICES
These services are available at an additional cost.
APPLICATION LOAD TESTING
Using the parameters you give us, we can provide Load Testing and a report of the results. Most tests will focus on
these questions:
• How many concurrent requests can the base (unscaled) infrastructure support?
• Will the infrastructure support x number of requests?
If required, we’re able to script and test complex operations such as cart checkout or search/form submission.
The tool we use to perform the test depends on the request parameters.
DEVOPS SERVICES
Media Temple can provide guidance and configuration on custom DevOps services utilizing AWS services, including:
• CodeDeploy
• CodeCommit
• CodePipeline
• CodeBuild
Which services you choose depends on your goals. Simple configurations generally include only CodeDeploy – for
deploying applications from S3 or a Git repository (CodeCommit, GitHub, BitBucket, etc) – but more complex
configurations can use a complete pipeline with all services.
DATABASE TUNING
If your database is routinely running out of capacity or unable to handle the load of your application, we can provide
best-effort advice on how to enhance, tune, or modify database-related resources to improve performance.
Modifications may include moving to a different database engine or instance size, query modification, query
splitting, index tuning, and database-parameter tuning.
• The time spent investigating and providing advice will be billed hourly and doesn’t guarantee
any specific outcome.
• If we feel we’re unable to provide any meaningful advice after our investigation, we’ll notify you
and stop the work.
• If Media Temple can’t provide a satisfactory outcome, we can recommend third-party vendors that
may be able to help further.
DEVOPS MATURITY & STRATEGIC PLANNING
Media Temple’s team is comprised of first-class developers and DevOps engineers. If you’re looking to reach your
own maturity as a DevOps culture, we can help with:
• Information about principles, benefits, and tooling
• Analysis of your existing DevOps practices
• Development of a roadmap to reach your DevOps goals
• Guidance as you work to reach those goals
APPENDIX A
RACI MATRIX: CUSTOMER VS. MEDIA TEMPLE RESPONSIBILITY
R = Responsible, A = Accountable, C = Consulted, I = Informed
FULLY MANAGED SERVICE LEVEL ACTIVITIES MEDIA TEMPLE CUSTOMER
Assessment & Discovery
Understanding business objectives
Understanding current challenges
Scheduling and conducting a discovery call
Design & Architecture
Define architecture options to be considered (e.g. EC2 vs. S3, etc.)
Decide on presented architecture from Media Temple
Generate logical diagrams for proposed architecture
Generate detailed code to deploy infrastructure
Author detailed environment documentation
Infrastructure Build
Create, test and deploy infrastructure (See Appendix C – Supported AWS Services)
Infrastructure and configuration validation based on customer requirements
Configure & test WAN connectivity (site-to-site VPN)
Configure alarms and monitors for AWS instances
Configure application runtimes
Configure resource tagging for infrastructure
DNS configurations
Network And Access Security Implementation
Create, test, and apply IAM roles and policies
Create, test, and apply security groups and NACLs
Operating system user management
C
C
C
R A I
R A I
R A
R A
I
CR A I
CR A I
CR A I
CR A I
CR A I
CR A I
CR A I
CR A I
CR A I
CR A I
CR A I
CR A I
R A CR I
CR IR A
C I
Network And Access Security Implementation
Malware detection & removal (Sucuri)
Antivirus
Application Implementation
Creation of golden AMIs
Configure bootstrapping of supported OS using CloudFormation
Arrange extended scope application engagement (Pro Services, service add-ons, etc.)
Migration of application data
Database schema creation, migration, and import
Development and deployment of configuration management artifacts (Chef, Salt, Ansible, etc.)
Creation and management of continuous integration and continuous deployment pipelines
Monitoring
Configuration of OS monitoring (CloudWatch, Panopta)
Configuration of AWS service monitoring (CloudWatch) incl. VPC, EC2, RDS, SQS, ElastiCache, DynamoDB
Configuration of base app monitoring (e.g. Apache, NGINX, SQL)
Configuration and management of log aggregation (e.g. Splunk, CloudWatch, Syslogs)
Configuration of application performance monitoring (e.g. New Relic, AppDynamics, etc.)
Patching
OS patching
3rd-party patching system
(Supported) Application patching
R CA I
CR A I
CR A I
CR A I
CR A I
CCR A I
R A
R A
R A
C I
R AC I
R AC I
R AC I
C I
CR A I
CR A I
CR A II
CR A II
CR A II
CR I
Support Operations
24/7/365 support
Definitions of alarm triggers, thresholds, and remediation
Configuration of standard alarms
Configuration of custom alarms
SNS configuration (for standard CloudWatch alarms)
CloudWatch logs configuration & management
Response to alerts to meet SLAs
Backups & Replication **
EBS snapshot backup management
EBS snapshot restores
File-level backup and retrieval
S3 lifecycle policy creation and optimization
DynamoDB cross-region replication
RDS database backups & replication
Service Delivery
Provide named Service Delivery Manager resource
Conduct periodic account reviews
Identify opportunities for cost and performance optimization
Consolidate billing across AWS accounts
Consolidate AWS Console user management across AWS accounts
Provide escalation management to AWS if needed
CR A I
CR A I
CR A I
CR A I
CR A I
CR A I
C
C
C
R
R
R
A I
R A
A
C
C
C R
R
I
I
A C I
A C I
I
R A CC R II
R A CC R II
C I
CR A I
CR A I
CR A I
C CR A I
C CR A I
C CR A I
**Customer is accountable for validating work Media Temple is performing around backups and replication activities. Media Temple is not liable for ensuring integrity of customer data. Regular testing and validation of backed up data should be a part of a customer’s ongoing Disaster Recovery and Business Continuity Planning.
APPENDIX B
PROCESS FOR SUPPORT REQUESTS AND INCIDENT MANAGEMENT
[Flowchart. Box labels: Customer initiates; Media Temple initiates; Create ticket; Runbook exists; Follow runbook;
Follow standard support guidelines; Escalation required; Escalate to engineers; Issue resolved; Inform customer;
Customer confirms issue resolved; Update ticket; Issue documented. Branch labels: Yes / No.]
APPENDIX C
SUPPORTED AWS SERVICES
Comprehensive support: Media Temple has significant support expertise and has developed specific support tooling and services.
Best-effort: Best-effort activities will be made to resolve issues but with no guarantee of resolution, and with
escalation management to Amazon where required. Over time, best-effort features may transition into
comprehensive support.
CATEGORY COMPREHENSIVE SUPPORT BEST-EFFORT SUPPORT
Compute
EC2
Instances (individual)
AMIs
EBS Volumes
Security Groups
Load Balancers
Auto Scaling Groups
EC2 Container Service
Lightsail
Elastic Beanstalk
Lambda
Batch
Storage & Content Delivery
S3
Glacier
EFS
Storage Gateway
Snowball
Snowball Edge
Snowmobile
Database
RDS
MySQL/MariaDB
PostgreSQL
Aurora
Oracle
SQL Server
DynamoDB
ElastiCache
RedShift
Networking & Content Delivery
VPC
Direct Connect
Route 53
CloudFront
Developer Tools
CodeCommit
CodeDeploy
CodePipeline
CodeBuild
CodeStar
X-Ray
AWS CLI Tool
Management Tools
CloudWatch
CloudFormation
CloudTrail
Config
OpsWorks
Service Catalog
Trusted Advisor
Personal Health Dashboard
Security, Identity, and Compliance
Cloud Directory
IAM
Inspector
Macie
Certificate Manager
CloudHSM
Directory Service
KMS
Organizations
Shield
WAF
Analytics
Athena
EMR
CloudSearch
ElasticSearch
Kinesis
Redshift
Quicksight
Data Pipeline
Glue
Artificial Intelligence
Lex
Polly
Rekognition
Machine Learning
Apache MXNet
TensorFlow
Mobile Services
Mobile Hub
Cognito
Pinpoint
Device Farm
Mobile SDK
Application Services
Step Functions
API Gateway
Elastic Transcoder
Messaging
SQS
SNS
SES
Business Productivity
Chime
WorkDocs
WorkMail
Desktop & Application Streaming
Workspaces
AppStream
Internet of Things
IoT Platform
Greengrass
IoT Button
Contact Center
Connect
Game Development
GameLift
Lumberyard
APPENDIX D
DEFAULT MONITORING
| METRIC | DESCRIPTION |
|---|---|
| Instance CPU Utilization | CPU utilization of a single EC2 instance |
| Instance Memory Utilization | Memory utilization of a single EC2 instance |
| Instance Disk Space Utilization | Percentage of disk space in use |
| Instance Credit Usage | How many CPU credits the node is using |
| Auto Scaling Group CPU | Aggregate average CPU across an entire ASG |
| Auto Scaling Group Size | Number of instances in an ASG |
| Relational Database Service CPU | CPU utilization of a single RDS instance |
| Relational Database Service Memory | Memory utilization of a single RDS instance |
| DB Cache Request Count | Stats on the number of requests sent to cache |
| DB Cache Hits/Miss Ratio | Cache hit/miss ratio to show cache use |
| Elastic Load Balancing Healthy Host Count | Monitors the number of healthy instances registered with your load balancer |
| Network In/Out | Amount of ingress and egress traffic |
| CloudFront Traffic | Total amount of traffic being served from CloudFront |
| CloudFront Hit/Miss Ratio | Analysis of CloudFront caching effectiveness |
| Forecasted Cost | Projected cost |
Additional health checks can be added based on your objectives. Please discuss these requirements with your
Solutions Architect or Service Delivery Manager (SDM).
APPENDIX E
DEFAULT ALARMS
These alarms are grouped by the response time SLAs associated with them.
EMERGENCY
| ALARM | DESCRIPTION |
|---|---|
| Site unreachable for 5 minutes | External monitoring via Panopta, checked every 60 seconds |
URGENT
| ALARM | DESCRIPTION |
|---|---|
| RDS CPU > 90% for 5 minutes | RDS instance average CPU utilization greater than 90% |
| RDS Disk < 5G for 5 minutes | RDS instance free disk space below 5G |
| ASG instances < 2 from limit for > 30 minutes | Count of instances in an ASG is approaching the limit (i.e. would alert when there are 8 instances in an ASG with an upper limit of 10) |
| EBS Snapshots > 1 day old | EBS snapshots are done on a daily basis. If one is missed, this alarm fires |
© MEDIA TEMPLE INC. | PRIVATE AND CONFIDENTIAL: FOR AWS CLIENT ONLY