Healthcare and Life Sciences Days, Chicago, IL
Mark Johnston, Director of Global Business Development, Healthcare and Life Sciences
June 28, 2016
Agenda
1. 01:00 PM – 01:30 PM  Introduction and Opening Remarks
2. 01:30 PM – 02:30 PM  Embracing DevOps with Improving Compliance and Security Agility and Posture
   02:30 PM – 02:45 PM  Break
3. 02:45 PM – 03:30 PM  Healthcare Analytics and Prediction using Amazon Machine Learning
4. 03:30 PM – 04:15 PM  Cognizant: Managing Cloud Infrastructure at Scale
5. 04:15 PM – 05:00 PM  Leveraging Amazon Echo and AWS to build IoT Applications
6. 05:00 PM – 06:30 PM  Closing Remarks, Q&A and Networking
AWS global infrastructure (as of 1 Feb 2016): 12 Regions, 33 Availability Zones, 54 Edge Locations.
Coming soon: 5 Regions, 11 Availability Zones.
AWS Rapid Pace of Innovation
[Chart: number of new features and services launched per year, 2009–2015]
AWS has been continually expanding its services to support virtually any cloud workload and now has more than 50 services, ranging across compute, storage, networking, database, analytics, application services, deployment, management and mobile. AWS has launched 776 new features and/or services, for a total of 1,950 new features and/or services since its inception in 2006.
[Diagram: AWS platform overview – Enterprise Apps (virtual desktops, sharing & collaboration, corporate backup); Development & Operations (DevOps resource management, application lifecycle management, containers, triggers, resource templates, one-click app deployment); Mobile Services (identity, sync, push notifications, mobile analytics, single integrated console); App Services (queuing & notifications, workflow, search, transcoding, API gateway); Analytics (data warehousing, Hadoop/Spark, streaming data collection and analysis, machine learning, Elasticsearch, business intelligence); IoT (rules engine, device shadows, device SDKs, registry, device gateway); Technical & Business Support (account management, support, professional services, training & certification, security & pricing reports, partner ecosystem, solutions architects); Marketplace (business apps, business intelligence, databases, DevOps tools, networking, security, storage); Hybrid Architecture (data backups, integrated app deployments, Direct Connect, identity federation, integrated resource management, integrated networking); Core Services – Compute (VMs, auto-scaling & load balancing), Storage (object, blocks, archival, import/export), Databases (relational, NoSQL, caching, migration), Networking (VPC, DX, DNS, CDN); Security & Compliance (access control, identity management, key management & storage, monitoring & logs, assessment and reporting, resource & usage auditing, configuration compliance, web application firewall); Infrastructure (regions, availability zones, points of presence)]
Alex Dickinson, SVP, Strategic Initiatives: "Working with AWS lets us focus on what we're good at, which is doing sequencing."
William H. Morris, Associate CIO: "The cloud can lower the operating cost, and actually allow us to focus on what we do well, which is taking care of patients."
David Bennett, EVP of Healthier Populations: "The market acceptance of healthcare running on AWS is pretty exciting to us."
New technologies are emerging throughout the industry
• Data exchange throughout your healthcare network
• New innovations in care delivery
• Consumer applications and personalized medicine
Use Case: AWS for Precision Medicine
• All the compute you need to deal with large, complex data sets
• Easily deploy to physicians throughout your network
• Cost-effective short-term and long-term storage
Jason Gillman, Director of Precision Genomics: "We wanted to provide information to the oncologist as quickly as we can. These new services …. powered by AWS, help provide that."
Innovation in medication adherence
• Medication adherence for depression and schizophrenia
• Therapeutic has an ingestible sensor linked to a wearable patch
• Patch talks to the application
• Patient data (or lack of) is communicated to care managers and/or physicians
Innovation in chronic care management
• Sensor attaches to existing inhaler
• Tracks therapeutic utilization
• Application allows environmental condition capture
• Patient gets feedback regarding their condition – Asthma and COPD
Jeroen Tas, CEO, Healthcare Informatics Solutions and Services: "We combine data to make it actionable…. We're doing that together with Amazon, because there is only one company that we can do this with which gives us the reliability, scale, and performance we need."
Healthcare IoT – Philips HSDP
Torsten Kablitz, Vice President, IT Business Services: "[Just one] of our customers….. 500,000 transactions a day…. AWS allows us to bring up and bring down servers just as we need them."
Security is foundational at AWS
Architected to be one of the most flexible and secure cloud computing environments available today.
Security: A Shared Responsibility
AWS secures the infrastructure....
• Environment built for the most security sensitive organizations
• AWS manages 1800+ security controls so you don't have to
• Certified and regularly audited
....so you, the customer, can secure your patient data
• You retain ownership of your IP and content – AWS does not have access
• You control where your data is stored
• Enabling end-to-end compliance
In the Cloud, Infrastructure Security is Code
• Templates determine what infrastructure is deployed and how it is deployed
• Built-in tools to monitor your environment
• Automatic logging for audit support
The AWS Cloud Improves your Compliance Posture: controllable infrastructure, repeatable testing, automatic traceability.
AWS and Validated Systems
• Major companies run GxP on AWS today
• We have GxP resources available to help you migrate GxP systems to the AWS Cloud, developed with input from Lachman Consultants
• Multiple partners with solutions available: Sparta, TraceLink, Waters, Medidata, etc.
Enabling Compliance
• Build HIPAA-compliant applications that store, process and transmit PHI
• Business Associate Agreement (BAA) addendum available
• HIPAA-eligible services for a broad range of applications: compute, storage, database, managed big data, archiving, data warehousing, networking
Lee Kim, Director, Privacy and Security, HIMSS North America: "Most healthcare institutions don't have the time and resources to devote to cybersecurity that an established cloud provider might have."
Embracing DevSecOps while improving your compliance and security agility and posture
Scott Paddock, Security Solutions Architect
Gerry Miller, Founder & CTO, Cloudticity
Agenda
• DevOps to DevSecOps Primer
• Observed industry cloud techniques with AWS
• Tools, processes and frameworks to assist
• Example Compliance Workflows
DevOps Toolchain
• Plan – Define and plan; business value, application requirements and metrics
• Create – Building, coding and configuration
• Verify – Ensuring quality; acceptance, regression testing
• Preprod – Approval/certification, triggered releases, release staging and holding
• Release – Release coordination, promotion, scheduling, rollback and recovery
• Configure – Infrastructure and application
• Monitor – Process, application and infrastructure
DevOps Principles
• Collaborate with all stakeholders
• Codify everything
• Test everything
• Automate everything
• Measure and monitor everything
• Deliver business value with continual feedback
Manual Hacking
Drivers for DevSecOps
Embedding Security into DevOps was not successful because…
• Compliance checklists didn’t take us far before we stopped scaling…
• We couldn’t keep up with deployments without automation…
• Standard Security Operations did not work…
• And we needed far more data than we expected to help the business make decisions…
DevSecOps: Security as Code
Establishing these principles…
• Customer focused mindset
• Scale, scale, scale
• Objective criteria
• Proactive hunting
• Continuous detection and response
DevSecOps Toolchain
• Plan – Define and plan; business value, application requirements, security, compliance and metrics
• Create – Build, code and configuration
• Verify – Ensuring quality; acceptance, regression, security and compliance testing
• Preprod – Approval/certification, triggered releases, release staging and holding
• Release – Release coordination, promotion, scheduling, rollback and recovery
• Configure – Infrastructure and application
• Monitor – Process, application, infrastructure, security and compliance
AWS HIPAA Eligible Services (as of 4/21): Amazon EC2, Amazon EMR, Amazon Glacier, Amazon S3, Amazon DynamoDB, Amazon RDS (MySQL and Oracle), Amazon Redshift, Amazon EBS, Elastic Load Balancing
AWS Non-HIPAA Eligible Services: Amazon ECS, AWS Elastic Beanstalk, AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, SQS, SNS, AWS Config, AWS Device Farm
Consult with compliance and security organizations before implementing.
Actual workflow (diagram)
Post-commit hook → Put to S3 bucket → Triggers Lambda → CloudFormation → Dynamic cf-init → SSM → Route53 ("Old" Stack / "New" Stack)
Post-commit hook:
• Build & test
• Notify if failure, or
• Package manifest on success: executables, required resources, any other necessary metadata
Dynamic cf-init:
• Install and configure any packages or roles
• OS configuration and updates
• Download any required static files
Coordination:
• CloudFormation wait conditions
• CloudWatch events (uses tags)
Traffic is shifted through Route53 from the "Old" stack to the "New" stack in stages: 90% / 10%, then 50% / 50%, then 0% / 100%.
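The staged 10% / 50% / 100% shift above can be driven by Route 53 weighted record sets. The following is an added example, not code from the talk; it assumes (as the slides only imply) that the two stacks sit behind weighted CNAME records, that `old.example.com.` and `new.example.com.` are the stacks' DNS names, and that a `healthy()` stage gate decides whether to advance or roll back:

```python
from typing import Callable, Dict, List, Tuple

# Rollout stages shown on the slides: the new stack receives 10%, then 50%, then 100%.
ROLLOUT_STAGES = (10, 50, 100)
ROLLBACK = 0


def weighted_record(name: str, set_id: str, target_dns: str, weight: int, ttl: int = 60) -> Dict:
    """One weighted CNAME record set. Route 53 accepts weights 0..255; weight 0 takes
    a stack out of rotation without deleting its record, which is how rollback works."""
    if not 0 <= weight <= 255:
        raise ValueError(f"Route 53 weight must be within 0..255, got {weight}")
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": name,
            "Type": "CNAME",
            "SetIdentifier": set_id,
            "Weight": weight,
            "TTL": ttl,  # short TTL so resolvers pick up a rollback quickly
            "ResourceRecords": [{"Value": target_dns}],
        },
    }


def shift_traffic_batch(name: str, old_dns: str, new_dns: str, new_percent: int) -> Dict:
    """ChangeBatch giving `new_percent` of traffic to the new stack and the rest to the
    old one. In production it would be passed to
    route53.change_resource_record_sets(HostedZoneId=..., ChangeBatch=batch)."""
    if not 0 <= new_percent <= 100:
        raise ValueError(f"percentage out of range: {new_percent}")
    return {
        "Comment": f"new stack {new_percent}%, old stack {100 - new_percent}%",
        "Changes": [
            weighted_record(name, "old-stack", old_dns, 100 - new_percent),
            weighted_record(name, "new-stack", new_dns, new_percent),
        ],
    }


def plan_rollout(name: str, old_dns: str, new_dns: str,
                 healthy: Callable[[int], bool],
                 stages=ROLLOUT_STAGES) -> Tuple[List[Dict], bool]:
    """Walk the stages; `healthy(percent)` is the stage gate (a CloudWatch alarm
    check or a human approval in Slack, as the talk suggests). Returns the batches
    that would be applied and whether the rollout completed; a failed gate appends
    a rollback batch that sends 0% to the new stack."""
    batches: List[Dict] = []
    for percent in stages:
        batches.append(shift_traffic_batch(name, old_dns, new_dns, percent))
        if not healthy(percent):
            batches.append(shift_traffic_batch(name, old_dns, new_dns, ROLLBACK))
            return batches, False
    return batches, True


def new_stack_weight(batch: Dict) -> int:
    """Inspection helper: the weight assigned to the new stack in a batch."""
    return next(change["ResourceRecordSet"]["Weight"] for change in batch["Changes"]
                if change["ResourceRecordSet"]["SetIdentifier"] == "new-stack")


if __name__ == "__main__":
    plan, completed = plan_rollout("app.example.com.", "old.example.com.", "new.example.com.",
                                   healthy=lambda pct: pct < 50)  # constructed: gate fails at 50%
    print("completed:", completed, "new-stack weights:", [new_stack_weight(b) for b in plan])
```

Because clients cache DNS answers up to the TTL, a weight change is not instantaneous; the gate should wait at least one TTL before judging the new stack.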
Variations on workflow
• Gitflow pull request approvals
• Stack per branch (variation: naming conventions)
• Stage gates (human intervention) using Slack
• Blue/green vs. destructive deployments
• Deployment dashboards
Consult internally before implementing
These slides have been practices we have used in industry – but security and compliance is determined by YOU, the customer. So please, please:
• Consult with your internal best practices
• Consult with your Cloud Center of Excellence
• Consult with your Information Security group
• Consult with your Compliance organization
• Do your due diligence
Advanced Analytics & Machine Learning on AWS
Ujjwal Ratan, Healthcare and Life Sciences Solutions Architect, Amazon Web Services
This Talk Will Cover
Analytics on AWS overview
Reference architectures
Amazon Machine Learning (AML) Overview
Application of AML to a real world problem - patient readmission
A look at the end user application
Q&A
A growing gap…
[Chart: data volume 1990–2020, generated data vs. data available for analysis; the gap widens over time. Sources: Gartner, User Survey Analysis: Key Trends Shaping the Future of Data Center Infrastructure Through 2011; IDC, Worldwide Business Analytics Software 2012–2016 Forecast and 2011 Vendor Shares]
Analytical pipeline on AWS
[Diagram: Collect → Process → Analyze → Answers. Data collection and storage: Amazon S3, Amazon Kinesis, Amazon DynamoDB, Amazon RDS (Aurora). Event and data processing: AWS Lambda, KCL apps, Amazon EMR. Data analysis: Amazon Redshift, Amazon Machine Learning.]
Let's rewind to the 90s…. Familiar with this?
https://en.wikipedia.org/wiki/Data_warehouse#/media/File:Data_warehouse_overview.JPG
Fast-forward to the present day – Data Lakes
[Diagram: application data, server logs, Internet APIs and custom apps land in Amazon S3; Amazon EMR and Amazon RDS feed a data mart in Amazon Redshift, which serves dashboards and Amazon Machine Learning.]
A reference architecture to build smart applications on AWS
[Diagram: Amazon S3 → Amazon EMR → Amazon Redshift → Amazon Machine Learning → Amazon EC2 → users (Internet, corporate data center); batch path: Amazon S3 → Amazon Machine Learning → Amazon RDS → Amazon QuickSight → users]
• S3 acts as a scalable object store for all forms of data (DB schemas, CSV files, unstructured files). It is used as a data lake.
• EMR processes unstructured/semi-structured data and stores it back as objects on S3.
• Redshift is used to enrich/transform the data set to make it suitable for acting as an ML data source.
• An ML model is created with Redshift as the data source.
• EC2 is used as a web server to host a website that acts as a frontend for the AML endpoint.
• A batch prediction can be generated using AML and the result file stored back in S3. An RDS schema acts as a source for Amazon QuickSight, which generates BI reports on the prediction data.
Real world problem – Hospital Readmissions
• Hospital Readmission Reduction Program (HRRP) is part of the Affordable Care Act.
• CMS is required to reduce payments to hospitals with excess readmissions.
• Not all readmissions can be prevented, as some of them are a part of an overall care plan for the patient.
• Facilities with high readmission rates had their Medicare payment cut by 1% in 2013, which rose to 2% in 2014.
Machine Learning
Wouldn't it be great to proactively predict a patient's risk of readmission based on some generic features?
Inputs: patient demographics, patient history, admission attributes, other features → Output: high risk, moderate risk or low risk patient
A machine learning application to predict readmissions
[Diagram, steps 1–5: CSV files → Amazon S3 → Amazon Redshift → Amazon Machine Learning; an S3 static website with Amazon Cognito serves users over the Internet]
The data set
The accuracy of ML models becomes better when more data is used to train them. This is a very limited dataset to build a comprehensive ML model, but the methodology can be replicated with larger data sets as well.
Public Data Set from UCI: https://archive.ics.uci.edu/ml/datasets/Diabetes+130-US+hospitals+for+years+1999-2008
• Consists of 101,766 rows and represents 10 years of clinical care records
• 130 US hospitals and integrated delivery networks
• Includes over 50 features (attributes) representing diabetes patient and hospital outcomes
Ingesting Data Into S3 - Staging
Table Name                    Table Type
admission_source.csv          Master
admission_type.csv            Master
discharge_disposition.csv     Master
Diabetic_data.csv             Transaction

$ aws s3 cp /tmp/foo/ s3://bucket/ --recursive

Schema In Redshift (fact table diabetes_data with dimensions admission_type, discharge_disposition and admission_source)
create table admission_type (
    admission_type_id INTEGER NOT NULL,
    description VARCHAR(100)
);
create table discharge_disposition (
    discharge_disposition_id INTEGER NOT NULL,
    description VARCHAR(500)
);
create table admission_source (
    admission_source_id INTEGER NOT NULL,
    description VARCHAR(500)
);
create table diabetes_data (
    -- ~50 attributes
);
Data Load and Standardization
Data Load
COPY <Redshift_Table_Name> FROM 's3://<file_path.csv>'
    CREDENTIALS 'aws_access_key_id=<>;aws_secret_access_key=<>'
    DELIMITER ',' IGNOREHEADER 1;
The slide embeds long-lived access keys in the COPY statement; Redshift also accepts IAM_ROLE '<role-arn>' in place of the CREDENTIALS clause, which avoids handling a secret key in SQL at all.
Data Standardization
• Update NULL values
• Change attribute values which do not comply with standard patterns. Ex: SSN = XXX-XX-XXXX
• Complete geographical data where possible
• Add timeline values if possible
• Group granular attributes in sets. Ex: Ages 0 to 20 as young, 20 to 40 as Adult, and so on.
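The standardization steps above, carried out in Python 3 over a few constructed rows shaped like the UCI staging file (missing values as '?', ages as "[lo-hi)" ranges). This is an added example rather than code from the talk; the ssn column and the age bands beyond the slide's "young" and "adult" are assumptions:

```python
import re
from typing import Dict, List, Optional

# Constructed rows in the shape of the UCI diabetes staging file. The ssn column
# is invented for this example; the dataset itself carries no SSNs.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"encounter_id": "1", "race": "Caucasian", "age": "[70-80)", "ssn": "123-45-6789"},
    {"encounter_id": "2", "race": "?", "age": "[10-20)", "ssn": "123456789"},
    {"encounter_id": "3", "race": "", "age": "[30-40)", "ssn": "1234-5678"},
]

NULL_MARKERS = {"", "?", "NULL", "null", "None", "NA", "N/A"}
SSN_PATTERN = re.compile(r"^\d{3}-\d{2}-\d{4}$")
AGE_RANGE = re.compile(r"^\[(\d+)-(\d+)\)$")

# The first two bands are the slide's example (0-20 young, 20-40 adult); the
# remaining bands are an assumption made for this example.
AGE_BANDS = [(0, 20, "young"), (20, 40, "adult"), (40, 65, "middle_aged"), (65, 200, "senior")]


def normalize_null(value: Optional[str]) -> Optional[str]:
    """Map the dataset's assorted missing-value markers to a real NULL (None)."""
    if value is None or value.strip() in NULL_MARKERS:
        return None
    return value.strip()


def standardize_ssn(value: Optional[str]) -> Optional[str]:
    """Return an SSN in XXX-XX-XXXX form. Nine bare digits are reformatted;
    anything else that does not match the pattern becomes NULL rather than
    being loaded as a non-compliant value."""
    value = normalize_null(value)
    if value is None or SSN_PATTERN.match(value):
        return value
    digits = re.sub(r"[-\s]", "", value)
    if digits.isdigit() and len(digits) == 9:
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
    return None


def age_group(value: Optional[str]) -> Optional[str]:
    """Collapse a granular "[lo-hi)" age range into one coarse band, or NULL
    when the range is malformed or straddles two bands (flag for review)."""
    value = normalize_null(value)
    match = AGE_RANGE.match(value) if value else None
    if not match:
        return None
    lo, hi = int(match.group(1)), int(match.group(2))
    for band_lo, band_hi, label in AGE_BANDS:
        if band_lo <= lo and hi <= band_hi:
            return label
    return None


def standardize_row(row: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Apply NULL normalization to every column, then the pattern and grouping rules."""
    out: Dict[str, Optional[str]] = {key: normalize_null(val) for key, val in row.items()}
    out["ssn"] = standardize_ssn(row.get("ssn"))
    out["age_group"] = age_group(row.get("age"))
    return out


def standardize_rows(rows: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    return [standardize_row(row) for row in rows]


if __name__ == "__main__":
    for row in standardize_rows(SAMPLE_ROWS):
        print(row)
```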
Introducing Amazon ML
• Easy to use, managed machine learning service built for developers
• Robust, powerful machine learning technology based on Amazon's internal systems
• Create models using your data already stored in the AWS cloud
• Deploy models to production in seconds
Real-time predictions
• Synchronous, low-latency, high-throughput prediction generation
• Request through the service API or the server or mobile SDKs
• Best for interactive applications that deal with individual data records
Real-time Predictions Using AML
Create a real-time endpoint using the console or the CreateRealtimeEndpoint API. Once enabled, the model can be queried in real time using the endpoint (boto 2 shown):
>>> import boto
>>> ml = boto.connect_machinelearning()
>>> ml.predict(
...     ml_model_id='my_model',
...     predict_endpoint='example_endpoint',
...     record={'key1': 'value1', 'key2': 'value2'})
{
    'Prediction': {
        'predictedValue': 13.284348,
        'details': {
            'Algorithm': 'SGD',
            'PredictiveModelType': 'REGRESSION'
        }
    }
}
Target Attribute for the Binary Classification Model: Readmission_Result
Application website hosted on S3
The application calls the Predict() API with the necessary parameters (AWS SDK for JavaScript):
var machinelearning = new AWS.MachineLearning({apiVersion: '2014-12-12'});
var params = {
    MLModelId: '<AML Model ID>',
    PredictEndpoint: '<AML Model Real Time End Point>',
    Record: <Selected Attributes record set>
};
var request = machinelearning.predict(params);
The website hosting feature of S3 allows us to host websites without any web servers and takes away the complexity of scaling hardware based on the traffic routed to your application.
Thank You.. Any Questions?
Before we end, here’s a look at the application
http://predictreadmission.s3-website-us-west-2.amazonaws.com
© 2016 Cognizant
June 28, 2016
Managing Cloud Infrastructure at Scale
Shashank Joshi, Principal Architect – Cognizant Cloud Services
AWS Certified Solution Architect - Professional
Agenda
Managing Cloud Infrastructure at Scale
• What is different at scale?
• Examples & Case studies
What is different at scale?
Provisioning & Orchestration
• Manual vs automated provisioning
• Provisioning entire application stacks
• Complex scenarios
Global Deployment
• Multi-geography requirements
• Hybrid scenarios
• Disaster Recovery & Business Continuity
User Access Management
• Number of users & roles
• Multiple accounts
• AD Federation
Monitoring & Tools Solution
• Integrated monitoring solution
• IT Service management
• Build vs Buy
Cloud Operations Service
• Manual vs automated activities
• Pricing models
• Skill development and management
Cost Management & Optimization
• Tracking & reporting
• Manual vs automated policy enforcement
Example 1 – DR Automation, Multi-region deployment
Background:
The application, GeoLocus, is a telematics solution including an in-car device option, smartphone apps, configurable scoring and user portals. The application is hosted in the AWS Cloud and contains the following:
• Application servers hosted on Amazon EC2
• MySQL server hosted using Amazon RDS
• PostgreSQL server hosted using Amazon RDS
Objective:
Automate steps in multi-region DR
Example 1 – AWS Products and Services Used
Amazon CloudWatch
• Monitor deployment logs
• Raise an event once a pre-specified keyword appears in the monitored log file
AWS Lambda
• Invoke Python scripts based on different events
AWS SDK for Python
• Perform automation activities such as AMI build, copy etc.
Amazon S3
• Store CloudFormation templates
• Amazon S3 Events are used to trigger Lambda functions once an action is completed
AWS CloudFormation
• Deployment Stack for the DR region, which can be triggered in case of a disaster
Example 1 – Bringing it all together (EU Frankfurt → EU Ireland)
[Diagram: Production server → CloudWatch Log Monitoring → Create Image Function → Production web server AMI; Pending-AMI-Id.txt → Pending AMI Event → Check AMI Status Function (re-triggered by the Pending AMI Event until the AMI is available) → Available AMI Event → Copy Image Function → Copied Production Image in EU Ireland; Pending-AMI-Id.txt / Available-AMI-Id.txt]
Example 1 – Bringing it all together (EU Frankfurt → EU Ireland), continued
[Diagram: Copy Image Function → Copied Production Image → CloudFormation JSON with copied AMI ID; Latest MySQL Snapshot → MySQL Snapshot Event → Copy RDS Snapshot Function → CloudFormation JSON with copied MySQL Snapshot ID; Latest PostgreSQL Snapshot → PostgreSQL Snapshot Event → Copy RDS Snapshot Function → CloudFormation JSON with copied PostgreSQL Snapshot ID]
Example 1 – Key Takeaways for Managing at Scale
Provisioning
• Custom AMIs
• AMI vs Dynamic configuration
Automation
• Event-based and scheduled tasks
• Region-dependent services
Cost optimization
• Pick the right DR model
• Design for the RPO/RTO
• Use serverless compute
Example 2 – Multi-region, multi-environment automated build & deployment
Background:
A multi-tenant SaaS solution deployed in three regions: US, EU & APAC. The US region consists of multiple lower environments. Microservices architecture with multiple applications and services consisting of the following:
• Multi-tier architecture
• AWS Elastic Beanstalk, Amazon EC2 Container Registry
• Amazon RDS PostgreSQL, Amazon DynamoDB
Objective:
Automated code deployment in multiple environments and regions, and other tasks
Example 2 – Products and Services Used
Amazon EC2 Container Registry
• Manage Docker images
• Managed private repository with IAM integration
AWS CodeCommit
• Store source code
AWS Elastic Beanstalk
• High availability, auto-scaling, health check, monitoring for the deployed environments
• Docker Support
Jenkins
• Continuous Integration, run various jobs
Docker
• Containerize the applications/services
Example 2 – Bringing it all together
[Diagram: Continuous Integration – Jenkins polls SCM (CodeCommit), builds the Docker image from the Dockerfile, exports the unit test result XML file from the container, tags the Docker image and pushes it to the repository (EC2 Container Registry). Continuous Deployment – Dockerrun.aws.json deploys the Docker image and runs containers in the EB Dev environment, EB testing/QA environment and EB Prod environment.]
Parameterized environment, region and application version for deploy jobs.
Example 2 – Key Takeaways for Managing at Scale
Provisioning
• Multi-region & multi-environment deployment
• AWS Elastic Beanstalk & AWS CloudFormation
• Rapid feature delivery with CI/CD pipeline
Automation
• Automated deployment, upgrade & operations
• IAM Roles
Cost optimization
• Optimal resource utilization with Docker
• Automated scaling with AWS Elastic Beanstalk
Example 3 – Cloud360 Policies
Background:
Cognizant Cloud360 is an Enterprise Cloud Management & Governance solution. It has core features such as provisioning & orchestration, policy-driven automation, metering & showback and analytics.
Objective:
Demonstrate use cases for policy-driven automation for cost optimization and compliance.
Example 3 – Cloud360 Policies
Monitoring Policy
• Automate monitoring and take immediate action on events
• Auto-healing policies can resolve events impacting application availability
Provisioning Policy
• Control provisioning-related tasks
• Define a set of conditions for managing provisioning tasks
Placement Policy
• Set rules that define the location where the Compute Instances will be created, to use the available resources in an efficient way
• Set rules to select these datacenters, hosts, and networks and to ensure their optimum allocation & usage
Compliance Policy
• Define policies to meet compliance requirements
• Notifications & approval workflow based on the rules defined
Example 3 – Cost Optimization Policy - Cloud360
If   LIST (Event ((Status = Open AND Severity = Critical AND Device = CPU), Instance ("Deployment Name" = production AND "Instance Group Name" = webserver)) > 70
Do   SCALEOUT("app profile.scaleout")
Performs scale out when more than 70% of VMs in a webserver resource pool of the production environment are in critical CPU state.

If   COUNT (Instance ("Deployment Name" != Production AND "Instance Group Name" = Webserver)) >= 20
     AND OPERATION (Instance ("Deployment Name" != Production AND "Instance Group Name" = Webserver), "Create Instance") = TRUE
Do   "Restrict the operation"
Restricts any user from creating or powering on webserver VMs in a non-production environment if the number of powered-on VMs is greater than 20.

If   LIST (EBSVolume ("Provider Name" = myAWS AND "Volume ID" = vol-12345 AND "Snapshot Count" > 10)) is NOT EMPTY
Do   "Retain EBS Snapshots" (latest 10)
Ensures retention of only the latest 10 snapshots of a specific volume in the AWS environment.

If   LIST (EBSSnapshot ("Creation Date" < -10d)) != EMPTY
Do   "Delete EBS Snapshots"
Deletes snapshots older than 10 days for any EBS volume.

If   Consumption metering ("Compute Date" > -24h AND Usage ("Compute Date" = -30d) > 50)
Do   Notify the Owner (Usage (Top 5)); Restrict any provisioning operation
If the consumption metering in the last 24 hours is 50% over the last 30-day average, notify the user and also the top 5 users with the highest burn rate.
Example 3 – Key Takeaways for Managing at Scale
Tools solution
• Build vs Integrate vs Buy
Automation
• Operational activities
• Policy enforcement
Cost optimization
• Analytics & reporting
• Implement cost optimization best practices
Summary – Tools & levers to manage at scale
Provisioning & Orchestration
• AMIs vs Dynamic configuration
• Docker, CloudFormation, OpsWorks
• 3rd party tools, Cloud360
Global Deployment
• Multi-region deployments
• Hybrid connectivity options
• Replication and reuse
User Access Management
• IAM strategies & best practices
• AD Federation
Monitoring & Tools Solution
• CloudWatch, CloudTrail, Config
• OS & Application monitoring
• ITSM Tool integration
Cloud Operations Service
• Org structure
• Managed Service Partners
Cost Management & Optimization
• Consolidated billing
• Cognizant Cloud360, 3rd Party tools
Thank You! Shashank Joshi
http://www.cognizant.com/cloud
http://www.aws-partner-directory.com/PartnerDirectory/PartnerDetail?Name=cognizant
Leveraging Amazon Echo and AWS to build IoT Applications
Chris McCurdy, AWS Healthcare and Life Sciences Specialist Solutions Architect
What is IoT?
The internet of things (IoT) is the network of physical objects—devices, vehicles, buildings and other items—embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data. (https://en.wikipedia.org/wiki/Internet_of_things)
Why AWS IoT?
AWS IoT can support billions of devices and trillions of messages, and can process and route those messages to AWS endpoints and to other devices reliably and securely. With AWS IoT, your applications can keep track of and communicate with all your devices, all the time, even when they aren't connected.
Use-Case: Medication Status
Scenario: a button is pressed by a technician to dispense medication.
Requirements:
• Simple example (one of many ways)
• Data stored in a queryable repository
• Notification via SMS if medication is not distributed for a day
• Accessible from Amazon Echo/Alexa
Medication Status architecture
[Diagram: Medication Status monitoring device (Node.js, IoT certificate) → IoT MQTT protocol → IoT topic → IoT rule → Amazon Kinesis → AWS Lambda → Amazon DynamoDB; AWS Lambda → Amazon SNS; Alexa → AWS Lambda (Medication Status Backend)]
Elephant in the room
[Diagram: the architecture's components – Amazon Kinesis, AWS Lambda, Amazon DynamoDB, Amazon SNS, Alexa, AWS IoT – sorted into HIPAA Eligible vs. Not HIPAA Eligible]
What does AWS IoT Consist of?
Device Gateway: the managed backbone of communication between connected devices and the cloud, which supports the pub/sub messaging pattern, enabling scalable, low-latency, and low-overhead communication.
IoT Rules Engine: enables continuous processing of inbound data from devices connected to the AWS IoT service in a SQL-like syntax.
What does AWS IoT Consist of? (Part 2)
Device Registry: allows you to organize and track devices using a logical handle.
Device Shadow: used to store and retrieve current state information for a thing, whether it is connected to the internet or not.
Supported Protocols: HTTPS, WebSockets and MQTTS (Secure MQTT)
What is MQTT?
A lightweight pub/sub protocol, designed to minimize network bandwidth and device resource requirements. MQTT supports TLS for encryption.
MQTTS vs HTTPS (source: http://stephendnicholas.com/archives/1217):
• 93x faster throughput
• 11.89x less battery to send
• 170.9x less battery to receive
• 50% less power to keep connected
• 8x less network overhead
Installing the SDKs
Install jsupm_grove and the AWS IoT device SDK:
$ npm install jsupm_grove
$ npm install aws-iot-device-sdk
Creating a certificate (option 1): AWS generates the key pair and the private key is returned over the API
$ aws iot create-keys-and-certificate --set-as-active \
    --certificate-pem-outfile certificate.pem \
    --public-key-outfile public_key.pem \
    --private-key-outfile private_key.pem
{
    "certificateArn": "arn:aws:iot:us-east-1:789539825478:cert/ddb2d5a5bad102db423cf8918465f1e1c5fb228f4955f6ecb060011695b2514f",
    "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
    "keyPair": {
        "PublicKey": "-----BEGIN PUBLIC KEY-----…SNIP…-----END PUBLIC KEY-----",
        "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----…SNIP…-----END RSA PRIVATE KEY-----"
    },
    "certificateId": "d7677b0…SNIP…026d9"
}
Certificate Signing Request
Dear Certificate Authority,
I’d really like a certificate for %NAME%, as identified by
the key pair with public key %PUB_KEY%. If you could sign
a certificate for me with those parameters, it’d be super
spiffy.
Signed (Cryptographically),
- The holder of the private key
Create a certificate from the CSR (option 2): the private key never leaves the device
$ aws iot create-certificate-from-csr \
    --certificate-signing-request file://Thing.csr \
    --set-as-active --certificate-pem-outfile certificate.pem
{
    "certificateArn": "arn:aws:iot:us-east-1:123456972007:cert/b5a396e…SNIP…400877b",
    "certificatePem": "-----BEGIN CERTIFICATE-----…SNIP…-----END CERTIFICATE-----",
    "certificateId": "b5a396e…SNIP…400877b"
}
Private Key Protection
Protect from Software Threats
• chroot
• Security Enhanced Linux (SELinux)
• One-Time Programmable (OTP) Fuses
Protect from Hardware Threats
• Trusted Platform Modules
• Smartcards
• Locks and Boxes
• FIPS-style hardware
Medication Status architecture (AWS side)
[Diagram: the same architecture as above, showing the AWS-side components: IoT certificate, IoT topic, IoT rule, Amazon Kinesis, AWS Lambda, Amazon DynamoDB, Amazon SNS, Alexa]
Creating Things
$ aws iot create-thing --thing-name medication_button_12016de3-794a-4c91-99ee-7b64851f4961
{
    "thingArn": "arn:aws:iot:us-east-1:789539825478:thing/medication_button_12016de3-794a-4c91-99ee-7b64851f4961",
    "thingName": "medication_button_12016de3-794a-4c91-99ee-7b64851f4961"
}
Create Policy
$ aws iot create-policy --policy-name medication_button_policy \
    --policy-document file://iot.policy.js
{
    …
}
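The slide does not show the contents of iot.policy.js. As an added example (not the talk's code), the check below audits an AWS IoT policy document for the least-privilege properties a device policy should have; the two sample documents are constructed, the account ID 123456789012 is a placeholder, and the scoped version uses the AWS IoT policy variable ${iot:Connection.Thing.ThingName} to bind a certificate to its own thing:

```python
import json
from typing import List

# Constructed stand-ins for iot.policy.js. The first lets any device holding the
# certificate do anything in AWS IoT; the second binds the device to its own
# client ID and one topic.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": "arn:aws:iot:us-east-1:123456789012:topic/medication/status/${iot:Connection.Thing.ThingName}"},
    ],
})

# Data-plane actions for which Resource "*" means any device with this policy can
# talk to (or as) any other device.
DATA_PLANE = {"iot:Publish", "iot:Subscribe", "iot:Receive", "iot:Connect",
              "iot:UpdateThingShadow", "iot:GetThingShadow"}


def _as_list(value):
    """IAM-style documents allow a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def audit_iot_policy(document: str) -> List[str]:
    """Return least-privilege findings for an AWS IoT policy document; an empty list
    means no finding. Checks: wildcard actions, data-plane actions on Resource "*",
    and iot:Connect not restricted to the connecting thing's own client ID."""
    findings: List[str] = []
    policy = json.loads(document)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_actions = [a for a in actions if a.endswith("*")]
        for action in wildcard_actions:
            findings.append(f"statement {idx}: wildcard action {action}")
        if "*" in resources and (wildcard_actions or DATA_PLANE & set(actions)):
            findings.append(f"statement {idx}: data-plane access allowed on Resource '*'")
        if "iot:Connect" in actions and not any(
                ":client/" in res and "${iot:" in res for res in resources):
            findings.append(f"statement {idx}: iot:Connect not restricted to the device's own client ID")
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_iot_policy(doc) or ["clean"])
```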
Attach Thing and Policy
$ aws iot attach-thing-principal \
    --thing-name medication_button_12016de3-794a-4c91-99ee-7b64851f4961 \
    --principal arn:aws:iot:us-east-1:789539825478:cert/ddb2d5a5bad102db423cf8918465f1e1c5fb228f4955f6ecb060011695b2514f
$ aws iot attach-principal-policy \
    --policy-name medication_button_policy \
    --principal arn:aws:iot:us-east-1:789539825478:cert/ddb2d5a5bad102db423cf8918465f1e1c5fb228f4955f6ecb060011695b2514f
The certificate is now the principal that links the IoT thing to the IoT policy.
Creating Kinesis Role and Stream
$ aws kinesis create-stream --stream-name medication_status_stream --shard-count 2
Amazon Kinesis:
• Streams are made of Shards
• Each Shard ingests data up to 1 MB/sec and up to 1000 TPS
• Each Shard emits up to 2 MB/sec
• All data is stored for 24 hours – 7 days
• Scale Kinesis streams by splitting or merging Shards
• Replay data inside of the 24 hr – 7 day window
Add IoT Kinesis Policy and Role
$ aws iam create-policy --policy-name lambda_medication_status_kinesis_policy \
    --policy-document file://kinesis.policy.js
{
    "Policy": {
        …
        "Arn": "arn:aws:iam::789539825478:policy/lambda_medication_status_kinesis_policy"
    }
}
$ aws iam create-role --role-name medication_status_kinesis_role \
    --assume-role-policy-document file://lambda_medication_iot_trust.policy.js
{
    "Role": {
        ...
        "Arn": "arn:aws:iam::789539825478:role/medication_status_kinesis_role"
    }
}
$ aws iam attach-role-policy --role-name medication_status_kinesis_role \
    --policy-arn arn:aws:iam::789539825478:policy/lambda_medication_status_kinesis_policy
Create IoT Rule
(Diagram: IoT topic → IoT rule → Amazon Kinesis)
$ aws iot create-topic-rule --rule-name medication_status_lambda_forwarder --topic-rule-payload file://iot.rule.js
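The contents of iot.policy.js and iot.rule.js are not reproduced on the slides. The following is an added example, not the deck's own files: a thing-scoped IoT policy (connect only as its own client id, publish only to its own status topic), the matching Kinesis topic-rule payload, and a small audit that flags wildcard statements. The topic layout medication/status/<thing-name>, the account and region, and the role name are assumptions taken from the slide text.

```python
"""Added example (not from the deck): build a thing-scoped AWS IoT policy and the
Kinesis topic-rule payload the slides load from iot.policy.js / iot.rule.js, then
audit a policy document for wildcards. Topic layout, account, region and role
name are assumptions for illustration."""
import json

ACCOUNT = "789539825478"          # account id as printed on the slides
REGION = "us-east-1"
ROLE_ARN = "arn:aws:iam::%s:role/medication_status_kinesis_role" % ACCOUNT


def iot_thing_policy(thing_name, account=ACCOUNT, region=REGION):
    """Least-privilege policy for one device: it may connect only with a client id
    equal to its thing name and may publish only to its own status topic
    (topic layout medication/status/<thing-name> is assumed)."""
    prefix = "arn:aws:iot:%s:%s" % (region, account)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": "%s:client/%s" % (prefix, thing_name)},
            {"Effect": "Allow", "Action": "iot:Publish",
             "Resource": "%s:topic/medication/status/%s" % (prefix, thing_name)},
        ],
    }


def kinesis_rule_payload(stream_name, role_arn=ROLE_ARN):
    """Topic-rule payload: forward every message under medication/status/ to the
    stream, using the thing name from the topic as partition key (assumed layout;
    topic(n) in the IoT SQL dialect is 1-based)."""
    return {
        "sql": "SELECT * FROM 'medication/status/+'",
        "ruleDisabled": False,
        "actions": [{"kinesis": {
            "roleArn": role_arn,
            "streamName": stream_name,
            "partitionKey": "${topic(3)}",
        }}],
    }


def audit_policy(policy):
    """Return human-readable findings for Allow statements that use wildcard
    actions (iot:*, *) or wildcard resources (*, .../*)."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append("statement %d: wildcard action %s" % (i, a))
        for r in resources:
            if r == "*" or r.endswith("/*"):
                findings.append("statement %d: wildcard resource %s" % (i, r))
    return findings


if __name__ == "__main__":
    thing = "medication_button_12016de3-794a-4c91-99ee-7b64851f4961"
    print(json.dumps(iot_thing_policy(thing), indent=2))
    print(json.dumps(kinesis_rule_payload("medication_status_stream"), indent=2))
    permissive = {"Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]}
    print(audit_policy(permissive))
```

Write the two documents out with json.dump and pass them as file://iot.policy.js and file://iot.rule.js to the create-policy and create-topic-rule commands above; run audit_policy over any policy before attaching it to a certificate, since a device that can publish to arbitrary topics can impersonate every other device in the fleet.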
Creating DynamoDB table
Sample rows (ClientID is the string hash key, LastSubmittedDate the numeric range key; the sample values read as YYYYMMDDHHMM):
ClientID (S, Hash)                      LastSubmittedDate (N, Range)
fa99489c-dae3-4a7a-b43c-ee696a883d28    201606261540
74dab686-e04c-4201-8c12-406af33dbdc2    201604051330
$ aws dynamodb create-table --table-name MedicationStatusTable \
    --attribute-definitions AttributeName=ClientID,AttributeType=S AttributeName=LastSubmittedDate,AttributeType=N \
    --key-schema AttributeName=ClientID,KeyType=HASH AttributeName=LastSubmittedDate,KeyType=RANGE \
    --provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=5
{
    "TableDescription": {
        "TableArn": "arn:aws:dynamodb:us-east-1:789539825478:table/MedicationStatusTable",
        ...
    }
}
Amazon DynamoDB throughput
• Provisioned at the table level
• Write capacity units (WCUs) are measured in 1 KB writes per second
• Read capacity units (RCUs) are measured in 4 KB reads per second
• RCUs are defined for strongly consistent reads
• Eventually consistent reads cost half as much as strongly consistent reads
• Read and write throughput limits are independent
• Increase as necessary, decrease at most 4 times per UTC day
Lambda Role Policies
(Diagram: Lambda role policy and Lambda role trust policy documents; Amazon Kinesis → AWS Lambda → Amazon DynamoDB)
Creating Lambda Role and Policies
$ aws iam create-policy --policy-name lambda_medication_status_policy \
    --policy-document file://lambda_medication.policy.js
{
    "Policy": {
        "PolicyName": "lambda_medication_status_policy",
        …
        "Arn": "arn:aws:iam::789539825478:policy/lambda_medication_status_policy",
    }
}
$ aws iam create-role --role-name medication_status_role \
    --assume-role-policy-document file://lambda_medication_status_trust.policy.js
{
    "Role": {
        ...
        "Arn": "arn:aws:iam::789539825478:role/medication_status_role"
    }
}
$ aws iam attach-role-policy --role-name medication_status_role \
    --policy-arn arn:aws:iam::789539825478:policy/lambda_medication_status_policy
The trust policy must allow the lambda.amazonaws.com service principal to assume the role. Note that this one role is reused below by all three functions (the Kinesis consumer, the SNS monitor and the Alexa handler), so each function runs with the union of their permissions; one role per function keeps each at least privilege.
(Diagram: Amazon Kinesis → AWS Lambda → Amazon DynamoDB)
Deploying the Medication Status Lambda
$ aws lambda create-function --function-name MedicationStatus --runtime python2.7 \
    --role arn:aws:iam::789539825478:role/medication_status_role \
    --handler medication_kinesis.lambda_handler --timeout 3 --memory-size 128 \
    --zip-file fileb://medication_kinesis_lambda.zip
{
    "FunctionArn": "arn:aws:lambda:us-east-1:789539825478:function:MedicationStatus",
    ...
}
(Diagram: Amazon Kinesis → AWS Lambda → Amazon DynamoDB)
Resource Sizing
• AWS Lambda offers 23 "power levels"
• Higher levels offer more memory and more CPU power
• 128MB, lowest CPU power
• 1.5GB, highest CPU power
• Compute price scales with the power level
• Duration ranging from 100ms to 5 minutes
Attaching Lambda to Kinesis
$ aws lambda create-event-source-mapping \
    --event-source-arn arn:aws:kinesis:us-east-1:789539825478:stream/medication_status_stream \
    --function-name MedicationStatus \
    --starting-position LATEST
Lambda polls the stream using the function's execution role, so medication_status_role must allow kinesis:DescribeStream, kinesis:GetShardIterator, kinesis:GetRecords and kinesis:ListStreams on that stream in addition to the DynamoDB write. With LATEST, records already in the stream when the mapping is created are not processed.
(Diagram: Amazon Kinesis → AWS Lambda)
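The handler in medication_kinesis_lambda.zip is not shown on the slides. Below is an added example of what a Kinesis-triggered consumer for this pipeline looks like; it is not the deck's medication_kinesis.lambda_handler. It decodes the base64 record payloads Lambda receives, validates the message, and writes one row per report with the table's (ClientID, LastSubmittedDate) key. The message fields client_id and dispensed_at, their formats, and the in-memory table stand-in are assumptions.

```python
"""Added example (not the deck's medication_kinesis.lambda_handler): consume the
Kinesis records the IoT rule forwards and store one row per report in
MedicationStatusTable. Message fields (client_id, dispensed_at) are assumed."""
import base64
import json
import re
from datetime import datetime

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def decode_record(record):
    """Kinesis hands Lambda base64-encoded bytes under Records[].kinesis.data;
    return the DynamoDB item or raise ValueError for anything that is not a
    well-formed report."""
    raw = base64.b64decode(record["kinesis"]["data"])
    msg = json.loads(raw.decode("utf-8"))
    client_id = msg.get("client_id", "")
    if not UUID_RE.match(client_id):
        raise ValueError("bad client_id")
    # device clock in ISO-8601 UTC, e.g. 2016-06-26T15:40:12Z (assumed format)
    ts = datetime.strptime(msg["dispensed_at"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ClientID": client_id,
            "LastSubmittedDate": int(ts.strftime("%Y%m%d%H%M"))}


def lambda_handler(event, context, table=None):
    """`table` is a boto3 Table-like object with put_item(Item=...); injecting it
    keeps the handler testable offline. Malformed records are counted and
    skipped rather than raised: raising makes Lambda retry the whole batch, and
    a single poison record would then block the shard indefinitely."""
    if table is None:  # real deployment: lazily open the DynamoDB table
        import boto3
        table = boto3.resource("dynamodb").Table("MedicationStatusTable")
    stored, rejected = 0, 0
    for record in event.get("Records", []):
        try:
            item = decode_record(record)
        except (KeyError, ValueError, TypeError, AttributeError, UnicodeDecodeError):
            rejected += 1
            continue
        # put_item on the same (ClientID, LastSubmittedDate) key is idempotent,
        # which is what at-least-once delivery from Kinesis requires.
        table.put_item(Item=item)
        stored += 1
    return {"stored": stored, "rejected": rejected}


class MemoryTable(object):
    """Stand-in for boto3.resource('dynamodb').Table('MedicationStatusTable')."""
    def __init__(self):
        self.items = {}

    def put_item(self, Item):
        self.items[(Item["ClientID"], Item["LastSubmittedDate"])] = Item


def make_event(payloads):
    """Wrap dicts (or raw strings) as a Kinesis Lambda event, base64 and all."""
    recs = []
    for p in payloads:
        data = p if isinstance(p, str) else json.dumps(p)
        recs.append({"kinesis": {
            "data": base64.b64encode(data.encode("utf-8")).decode("ascii")}})
    return {"Records": recs}


SAMPLE_EVENT = make_event([  # constructed sample input, including two bad records
    {"client_id": "fa99489c-dae3-4a7a-b43c-ee696a883d28", "dispensed_at": "2016-06-26T15:40:12Z"},
    {"client_id": "74dab686-e04c-4201-8c12-406af33dbdc2", "dispensed_at": "2016-04-05T13:30:00Z"},
    "not json at all",
    {"client_id": "'; DROP TABLE", "dispensed_at": "2016-06-26T15:40:12Z"},
])

if __name__ == "__main__":
    t = MemoryTable()
    print(lambda_handler(SAMPLE_EVENT, None, t), sorted(t.items))
```

In production the rejected count should go to a CloudWatch metric and the rejected payloads to a dead-letter queue; silently dropping them hides a misbehaving or spoofing device, while raising on them stalls every other device sharing the shard.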
Medication Status architecture (AWS side)
(Diagram: Medication Status monitoring device → AWS IoT over the MQTT protocol (IoT certificate, IoT topic, IoT rule) → Amazon Kinesis → AWS Lambda → Amazon DynamoDB; scheduled AWS Lambda → Amazon SNS; Alexa → AWS Lambda (Medication Status Backend, Node.js))
Adding SNS and Subscriptions
$ aws sns create-topic --name MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-9cd042cd9a78
{
    "TopicArn": "arn:aws:sns:us-east-1:789539825478:MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-9cd042cd9a78"
}
$ aws sns set-topic-attributes \
    --topic-arn arn:aws:sns:us-east-1:789539825478:MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-9cd042cd9a78 \
    --attribute-name DisplayName --attribute-value "Med Status"
$ aws sns subscribe \
    --topic-arn arn:aws:sns:us-east-1:789539825478:MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-9cd042cd9a78 \
    --protocol sms --notification-endpoint <phone number>
{
    "SubscriptionArn": "pending confirmation"
}
$ aws sns subscribe \
    --topic-arn arn:aws:sns:us-east-1:789539825478:MedicationStatusGroupContact-488dbe6f-0ce0-49f5-9e90-9cd042cd9a78 \
    --protocol email --notification-endpoint <email address>
{
    "SubscriptionArn": "pending confirmation"
}
The e-mail subscription delivers nothing until the recipient confirms it from the message SNS sends; check with list-subscriptions-by-topic that the SubscriptionArn is no longer "pending confirmation" before relying on the alert. SMS and e-mail are unencrypted channels, so messages published here should carry only a device identifier, not patient details.
(Diagram: Amazon SNS)
Deploying Medication Status Monitor Lambda
$ aws lambda create-function --function-name MedicationStatusMonitor --runtime python2.7 \
    --role arn:aws:iam::789539825478:role/medication_status_role \
    --handler medication_sns_lambda.lambda_handler --timeout 3 --memory-size 128 \
    --zip-file fileb://medication_sns_lambda.zip
{
    "FunctionName": "MedicationStatusMonitor",
    "MemorySize": 128,
    "FunctionArn": "arn:aws:lambda:us-east-1:789539825478:function:MedicationStatusMonitor",
    "Role": "arn:aws:iam::789539825478:role/medication_status_role",
    "Timeout": 3,
    "Handler": "medication_sns_lambda.lambda_handler",
    …
}
(Diagram: AWS Lambda)
Adding Polling Lambda Function
$ aws lambda add-permission --function-name MedicationStatusMonitor --statement-id adding_event_handler \
    --action 'lambda:InvokeFunction' --principal events.amazonaws.com \
    --source-arn arn:aws:events:us-east-1:789539825478:rule/scheduled_medication_status_check
{
    …
}
$ aws events put-rule --name scheduled_medication_status_check --schedule-expression 'rate(1 hour)'
{
    "RuleArn": "arn:aws:events:us-east-1:789539825478:rule/scheduled_medication_status_check"
}
$ aws events put-targets --rule scheduled_medication_status_check \
    --targets '{"Id" : "1", "Arn": "arn:aws:lambda:us-east-1:789539825478:function:MedicationStatusMonitor"}'
{
    …
}
The --source-arn on add-permission limits the grant to this one rule; without it any CloudWatch Events rule in the account could invoke the monitor.
(Diagram: AWS Lambda)
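The hourly monitor in medication_sns_lambda.zip is likewise not shown. The block below is an added example, not the deck's medication_sns_lambda.lambda_handler: it pages through a scan of MedicationStatusTable, keeps only the newest LastSubmittedDate per ClientID (the table stores one row per report), and publishes one SNS message per device that has been silent longer than a threshold. The 24-hour threshold, the message text, and the table and SNS stand-ins are assumptions.

```python
"""Added example (not the deck's medication_sns_lambda.lambda_handler): the hourly
check that finds devices whose latest report is too old and notifies the SNS
topic. The staleness window and message format are assumptions."""
from datetime import datetime, timedelta

MAX_GAP = timedelta(hours=24)   # assumed: one dose per day expected


def parse_submitted(value):
    """LastSubmittedDate is stored as the number YYYYMMDDHHMM (DynamoDB returns
    numbers as Decimal, which int() accepts)."""
    return datetime.strptime(str(int(value)), "%Y%m%d%H%M")


def latest_per_client(items):
    """The table holds one row per report (hash ClientID, range LastSubmittedDate),
    so a scan returns every report; keep only the newest row per client."""
    latest = {}
    for it in items:
        cid, ts = it["ClientID"], parse_submitted(it["LastSubmittedDate"])
        if cid not in latest or ts > latest[cid]:
            latest[cid] = ts
    return latest


def stale_clients(items, now, max_gap=MAX_GAP):
    """Return sorted [(client_id, last_seen)] for clients silent longer than max_gap."""
    return sorted((cid, ts) for cid, ts in latest_per_client(items).items()
                  if now - ts > max_gap)


def scan_all(table):
    """Page through a DynamoDB scan; a single scan() call returns at most 1 MB."""
    resp = table.scan()
    items = list(resp["Items"])
    while "LastEvaluatedKey" in resp:
        resp = table.scan(ExclusiveStartKey=resp["LastEvaluatedKey"])
        items.extend(resp["Items"])
    return items


def lambda_handler(event, context, table=None, sns=None, topic_arn=None, now=None):
    """Returns the list of client ids notified. table/sns/now are injectable so
    the function can be exercised offline."""
    if table is None or sns is None:  # real deployment
        import boto3
        table = table or boto3.resource("dynamodb").Table("MedicationStatusTable")
        sns = sns or boto3.client("sns")
    now = now or datetime.utcnow()
    stale = stale_clients(scan_all(table), now)
    for cid, ts in stale:
        # Delivered by SMS/e-mail: send only the device id and last report
        # time, never a patient name or other PHI.
        sns.publish(TopicArn=topic_arn, Subject="Med Status",
                    Message="device %s: no report since %s UTC"
                            % (cid, ts.strftime("%Y-%m-%d %H:%M")))
    return [cid for cid, _ in stale]


class PagedTable(object):
    """Stand-in for a boto3 Table whose scan() returns two items per page."""
    def __init__(self, items, page=2):
        self.items, self.page = items, page

    def scan(self, ExclusiveStartKey=0):
        chunk = self.items[ExclusiveStartKey:ExclusiveStartKey + self.page]
        resp = {"Items": chunk}
        if ExclusiveStartKey + self.page < len(self.items):
            resp["LastEvaluatedKey"] = ExclusiveStartKey + self.page
        return resp


class RecordingSns(object):
    """Stand-in for boto3.client('sns') that records publish() calls."""
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)


SAMPLE_ITEMS = [  # constructed rows in the slide's table layout
    {"ClientID": "fa99489c-dae3-4a7a-b43c-ee696a883d28", "LastSubmittedDate": 201606261540},
    {"ClientID": "fa99489c-dae3-4a7a-b43c-ee696a883d28", "LastSubmittedDate": 201606251530},
    {"ClientID": "74dab686-e04c-4201-8c12-406af33dbdc2", "LastSubmittedDate": 201604051330},
]
NOW = datetime(2016, 6, 26, 18, 0)

if __name__ == "__main__":
    sns = RecordingSns()
    print(lambda_handler({}, None, PagedTable(SAMPLE_ITEMS), sns, "arn:aws:sns:...", NOW))
    print(sns.published)
```

A full scan every hour is acceptable at demo scale but reads the whole table each run; at fleet scale, keep a separate "latest report" item per device (or a sparse index on it) and query that instead, which also keeps the monitor's read capacity predictable.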
Create Utterances and Intents
GetMedicationStatus has device {DeviceNumber} dispensed medication {Date}
GetMedicationStatus did device {DeviceNumber} dispense medication {Date}
GetMedicationStatus did device {DeviceNumber} deliver medication on {Date}
GetMedicationStatus if device {DeviceNumber} dispense medication on {Date}
(Diagram: Alexa utterances → intents)
Deploying Medication Status Alexa Lambda
$ aws lambda create-function --function-name MedicationStatusAlexa --runtime python2.7 \
    --role arn:aws:iam::789539825478:role/medication_status_role \
    --handler medication_alexa.lambda_handler --timeout 3 --memory-size 128 \
    --zip-file fileb://medication_alexa_lambda.zip
{
    "FunctionArn": "arn:aws:lambda:us-east-1:789539825478:function:MedicationStatusAlexa",
    …
}
$ aws lambda add-permission --function-name MedicationStatusAlexa --statement-id 1 \
    --action lambda:InvokeFunction --principal alexa-appkit.amazon.com --region us-east-1
{
    …
}
This grants the Alexa service principal invoke rights without tying them to one skill: any skill configured with this function's ARN can call it. The handler must therefore check the applicationId in each request against this skill's id before answering.
(Diagram: Alexa → AWS Lambda)
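The Alexa handler in medication_alexa_lambda.zip is not on the slides either. The following is an added example, not the deck's medication_alexa.lambda_handler: it rejects requests whose applicationId is not this skill's, handles the GetMedicationStatus intent with the DeviceNumber and Date slots from the utterances above, and answers in the Alexa response envelope. The skill id, the assumption that Date is an AMAZON.DATE slot (ISO 8601 value), and the injected lookup callback (the deck's DynamoDB query for a device number is not shown) are assumptions.

```python
"""Added example (not the deck's medication_alexa.lambda_handler): handle the
GetMedicationStatus intent. The skill application id, slot types and the lookup
callback are assumptions. `add-permission --principal alexa-appkit.amazon.com`
lets any Alexa skill invoke the function, so the handler checks the request
really came from this skill."""
from datetime import datetime

EXPECTED_APP_ID = "amzn1.ask.skill.00000000-0000-0000-0000-000000000000"  # placeholder


def speech(text, end_session=True):
    """Minimal Alexa custom-skill response envelope."""
    return {"version": "1.0",
            "response": {"outputSpeech": {"type": "PlainText", "text": text},
                         "shouldEndSession": end_session}}


def lambda_handler(event, context, lookup=None, expected_app_id=EXPECTED_APP_ID):
    """`lookup(device_number, yyyymmdd)` returns the LastSubmittedDate values
    (YYYYMMDDHHMM ints) recorded for that device on that day; it is injected
    so the handler can be tested without DynamoDB."""
    app_id = event.get("session", {}).get("application", {}).get("applicationId")
    if app_id != expected_app_id:
        # Reject rather than answer: another skill pointed at this ARN would
        # otherwise be able to query medication data.
        raise ValueError("request from unexpected application id")
    req = event["request"]
    if req["type"] == "LaunchRequest":
        return speech("Ask me whether a device dispensed medication on a date.", False)
    if req["type"] != "IntentRequest" or req["intent"]["name"] != "GetMedicationStatus":
        return speech("Sorry, I can't help with that.")
    slots = req["intent"].get("slots", {})
    device = slots.get("DeviceNumber", {}).get("value")
    date = slots.get("Date", {}).get("value")  # AMAZON.DATE gives ISO 8601, e.g. 2016-06-26
    if not device or not date:
        return speech("Which device and which date?", False)
    try:
        day = datetime.strptime(date, "%Y-%m-%d")
    except ValueError:  # AMAZON.DATE can also yield weeks (2016-W25) or months
        return speech("I need a specific day, not a week or month.", False)
    times = lookup(device, day.strftime("%Y%m%d"))
    when = day.strftime("%B %d")
    if times:
        last = datetime.strptime(str(max(times)), "%Y%m%d%H%M")
        return speech("Yes, device %s dispensed medication on %s at %s."
                      % (device, when, last.strftime("%H:%M")))
    return speech("No, device %s did not dispense medication on %s." % (device, when))


SAMPLE_RECORDS = {"12": [201606261540, 201606260800]}  # constructed: device -> report times


def sample_lookup(device, yyyymmdd):
    """Offline stand-in for the DynamoDB query: reports for a device on one day."""
    return [t for t in SAMPLE_RECORDS.get(device, []) if str(t).startswith(yyyymmdd)]


def make_request(app_id, device, date):
    """Build the parts of an Alexa IntentRequest the handler reads."""
    return {"session": {"application": {"applicationId": app_id}},
            "request": {"type": "IntentRequest",
                        "intent": {"name": "GetMedicationStatus",
                                   "slots": {"DeviceNumber": {"value": device},
                                             "Date": {"value": date}}}}}


if __name__ == "__main__":
    r = lambda_handler(make_request(EXPECTED_APP_ID, "12", "2016-06-26"), None, sample_lookup)
    print(r["response"]["outputSpeech"]["text"])
```

The applicationId check is the only thing standing between a stranger's skill and this data once the broad add-permission above is in place; keep the expected id in an environment variable or configuration rather than hard-coded, and treat the ValueError as an invocation error so it shows up in CloudWatch.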
Improvements
• CloudWatch monitoring and alarms on all resources
• IoT Device Shadow
• Viewing metrics with QuickSight / Elasticsearch + Kibana
• Flesh out the Alexa Medication Status Monitor Python code
Other Use Cases
• Light/Motion Monitor