Vodafone Hutchison Australia operates mobile networks serving over 7 million customers across various brands, and in the early 2000s pioneered live mobile TV streaming of shows like Big Brother, which drove immense traffic to their content portals. This early adoption of new technologies demonstrated how interactive live content on mobile networks can engage users and boost traffic to online services.

1. Your Future with Cloud Computing
Dr. Werner Vogels
CTO, Amazon.com

2. AWS Global Infrastructure
GovCloud US West US West US East South America EU Asia Pacific Asia
(US ITAR Region)(Northern California) (Oregon) (Northern Virginia) (Sao Paulo) (Ireland) (Singapore) Pacific
(Tokyo)
AWS Regions
AWS Edge Locations

3. Powering the Most Popular Internet Businesses

4. Trusted by Enterprises

5. And Government Agencies

6. Partner Ecosystem
System Integrators Independent Software Vendors

7. What Enterprises are Running on AWS
Business
Applications
Web
Applications
Big Data & High
Performance Computing
Disaster Recovery
& Archive

8. What Analysts are Saying about AWS
Infrastructure-as-a-Service Leader in 2011 Gartner IaaS Leader in 2011 Forrester
Market Share Leader Magic Quadrant Hadoop Wave

9. The Scale of AWS: Amazon S3 Growth
Peak Requests:
650,000+
per second
Total Number of Objects Stored in Amazon S3

10. The Scale of AWS: Amazon S3 Growth
Peak Requests:
650,000+ 762 Billion
per second
Total Number of Objects Stored in Amazon S3
262 Billion
102 Billion
14 Billion 40 Billion
2.9 Billion
Q4 2006 Q4 2007 Q4 2008 Q4 2009 Q4 2010 Q4 2011

11. The Scale of AWS: Amazon S3 Growth
905 Billion
Peak Requests:
650,000+ 762 Billion
per second
Total Number of Objects Stored in Amazon S3
262 Billion
102 Billion
14 Billion 40 Billion
2.9 Billion
Q4 2006 Q4 2007 Q4 2008 Q4 2009 Q4 2010 Q4 2011 Q1 2012

12. Our Price Reduction Philosophy
Scale & Innovation… … Drive Costs Down
Invest in
Capital
Attract More
Customers
Invest in
Technology
19 Price Reductions
Reduce Improve
Prices Efficiency

13. AWS Platform Overview
Deployment & Administration
App Services
Compute Storage Database
Networking
AWS Global Infrastructure

14. AWS Global Infrastructure
Secure, redundant Cloud infrastructure
for global companies and global apps
Regions
Deployment & Administration
Availability Zones
App Services
Compute Storage Database
Networking Edge Locations
AWS Global Infrastructure

15. AWS Networking Services
Extend your enterprise infrastructure to
the AWS Cloud
Amazon Virtual Private Cloud
VPN to Extend Your Network Topology to AWS
Deployment & Administration AWS Direct Connect
Private, Dedicated Connection to AWS
App Services
Compute Storage Database
Amazon Route 53
Networking Scalable Domain Name Service
AWS Global Infrastructure

16. Compute Services
Scalable Linux and Windows
compute services
Amazon EC2
Virtual Servers in the AWS Cloud
Deployment & Administration
Auto Scaling
App Services
Rule-driven scaling service for EC2
Compute Storage Database
Amazon Elastic Load Balancing
Networking
Virtual load balancers for EC2
AWS Global Infrastructure

17. Storage Services
Scalable and Durable High Performance Cloud Storage
Amazon S3
Redundant, High-Scale Object Store
Deployment & Administration
App Services Amazon Elastic Block Store
Persistent block storage for EC2
Compute Storage Database
Networking
AWS Storage Gateway
AWS Global Infrastructure
Seamless backup of enterprise data to S3

18. Database Services
Scalable and Durable High
Performance Cloud Storage
Amazon DynamoDB
High Performance NoSQL Database Service
Amazon RDS
Deployment & Administration
Managed Oracle & MySQL Database Service
App Services
Compute Storage Database
Amazon ElastiCache
Managed Memecached Service
Networking
AWS Global Infrastructure

19. AWS App Services
Highly abstracted services that
Amazon CloudFront
replace software for commonly Global Content Delivery Service
needed application functionality
Amazon CloudSearch
Managed Search Service that Automatically Scales
Amazon SWF
Deployment & Administration Simple Workflow Service
App Services
Amazon SNS
Simple Notification Service
Compute Storage Database
Amazon SQS
Networking Simple Queuing Service
AWS Global Infrastructure Amazon SES
Simple Transactional Email Service

20. Ecosystem App Services
3rd party highly abstracted services that
Security
replace software for commonly needed Services
application functionality
… and already run on AWS Log Analysis
Services
Deployment & Administration Developer
Services
App Services
BI Services
Compute Storage Database
Networking Test
Services
AWS Global Infrastructure

21. Deployment & Administration
3rd party managed services that
replace software for commonly AWS Ecosystem
needed application functionality … AWS Management Console
and already run on AWS Web-based management interface
Amazon Elastic MapReduce
Big Data Analytics Service
a
Deployment & Administration AWS IAM
Identity & Access Management
App Services
Amazon CloudWatch
Automated monitoring & alerts
Compute Storage Database
AWS CloudFormation
Networking Automated AWS resource provisioning
AWS Elastic Beanstalk
AWS Global Infrastructure Java & PHP App deployment & management

22. AWS Pace of Innovation… 82
Including:
61 AWS Oregon Region
Elastic Beanstalk (Beta)
Amazon SES (Beta)
Including:
AWS CloudFormation
Amazon SNS
Amazon RDS for Oracle
Amazon CloudFront
AWS Direct Connect
Amazon Route 53
48 S3 Bucket Policies
AWS GovCloud (US)
Amazon ElastiCache
Including: RDS Multi-AZ Support
VPC Virtual Networking
Amazon RDS RDS Reserved Databases
VPC Dedicated Instances
Amazon VPC AWS Import/Export
SMS Text Notification
Amazon EMR AWS IAM Beta
24 EC2 Auto Scaling AWS Singapore Region
CloudFront Live Streaming
AWS Tokyo Region
EC2 Reserved Instances Cluster Instances for EC2
Including:
SAP RDS on EC2
EC2 Elastic Load Balance Micro Instances for EC2
Amazon SimpleDB
9 Amazon Cloudfront AWS Import/Export Amazon Linux AMI
SAP BO on EC2
Win Srv 2008 R2 on EC2
AWS Mngmt Console Oracle Apps on EC2
Including: Amazon EBS
Win Srv 2003 VM Import
Win Srv 2008 on EC2 SUSE Linux on EC2
Amazon FPS EC2 Availability Zones
Amazon S3 SSE
IBM Apps on EC2 VM Import for EC2
Red Hat Enterprise on EC2 EC2 Elastic IP Addresses
2007 2008 2009 2010 2011

23. …Continuing in 2012
15
Amazon DynamoDB in Europe
Storage Gateway in South America
CloudFront Live Streaming
9
Route 53 Latency Based Routing
PHP and Git for Elastic Beanstalk
Live Smooth Streaming for Amazon
CloudFront Lowers Content Expiration CloudFront
7 RDS Increases Backup Retention Reserved Cache Nodes for Amazon
ElastiCache
6 IAM Password Management
AWS CloudSearch
Amazon DynamoDB IAM User Access to Account Billing
AWS Marketplace
AWS Storage Gateway Amazon Simple Workflow Service Amazon RDS Free Trial program
DynamoDB Announces BatchWriteItem
Amazon RDS on Amazon VPC Amazon DynamoDB in Japan Amazon EC2 Medium Instances Feature
AWS IAM Identity Federation ElastiCache in Oregon and Sao Paulo 64-bit AMI on Small & Medium AWS Elastic Beanstalk in Japan
Windows Free Usage Tier Amazon S3 Lower Prices EC2 Linux Login from Console DynamoDB in Three Regions
New Premium Support Features AWS CloudFormation for VPC Beanstalk Resource Permissions AWS CloudFormation in VPC
New AWS Direct Connect Locations New Osaka and Milan Edge Locations EC2, RDS, ElastiCache Lower Prices EC2 CC2 Instance in Amazon VPC
January February March April

26. AWS Direct Connect
Private secure connection to AWS
AWS Cloud
Bypass the public Internet
AWS Direct
Connect
High bandwidth and predictable
Internet latency
Corporate Data Center

27. AWS Storage Gateway
Easily backup on-premises data to AWS
Snapshots in
S3 Amazon S3
Store snapshots in Amazon S3 for backup
and disaster recovery
Simple software appliance - no changes
required to your on-premises architecture
AWS Storage
Gateway
Your Data Center

28. Amazon Simple Workflow Service
Run application workflows and business
processes on AWS
Amazon SWF
Manage processes across Cloud, mobile
and on-premises environments
Cloud Mobile On Premises Use any programming language for
workflow logic

29. Amazon DynamoDB
Non Relational (NoSQL) Database
Fast & predictable performance
Seamless Scalability
Zero administration

30. Oracle Multi-AZ
Replicates database updates across two
Availability Zones
Automatically fail over to the standby for
planned maintenance and unplanned
disruptions
Increased durability and availability
Availability Zone Availability Zone

31. PHP & Git Deployment for AWS Beanstalk
git push
Elastic Beanstalk
Run and manage existing PHP
applications with no changes to
application code
PHP
Your App Apache HTTP
Server Provides full control over the
Amazon Linux infrastructure and the software
Elastic Load
Balancer
yourApp.elasticbeanstalk.com

32. SQL Server & .NET Beanstalk
Fully managed Express,Web, Standard
and Enterprise Editions of SQL Server
2008 R2
.NET
SQL Server (Express Edition) covered
Text
under the free usage tier for a full year
Elastic Beanstalk leverages the Windows
SQL
Server 2008 R2 AMI and IIS 7.5
Server
Deploy using AWS Toolkit for Visual
Studio

33. Amazon CloudSearch
Fully managed search service
Up and running in less than an hour
Automatically scales for data and traffic
Starting at less than $100 / month

34. AWS Marketplace
Find, buy and run software running on
AWS
More than 250 listings at launch
Sell your software or SaaS app to our
hundreds of thousands of customers
aws.amazon.com/marketplace

35. VPC 2

36. News Limited
Craige Pendleton-Browne
Chief Technology Officer

37. Context
•News Ltd runs a single enterprise CMS platform
•Supporting 8 major web sites
•12 different critical systems
•Over 600m page impressions per month
•Approximately 2400 new assets created daily
34

38. The Challenge
•Complex technology stack – development = 46 servers
•All configuration and deployment manual
•56 days and 6 teams to build a new environment
•Impact
– slow project start up
– Only run one major project at a time
– Lack of innovation
The Challenge
go from 56 days to 1 day in the cloud
35

39. Current Status
•Virtual Private Cloud configured and working
•Configuration separated out and all systems packaged
•Semi automated build process implemented in EC2
•2 project environments up and running in EC2
•From 56 days to 3 days semi automated
36

40. Current Status
•Developers can run up or tear down environments
•Two new projects starting this month with poof of concepts in the cloud
•Ability to stand up 8 distinct environments quickly
•By the end of the month reduce time to 6 hours
37

41. Where to next
•An agreed corporate cloud governance model
•Seamlessly integrate cloud and physical environments
•Automated procedures for managing costs
•Move towards a devops model
•Move production to the cloud
38

42. The Seven Transformations of
Cloud Computing

43. A common misconception:
cloud computing is only about….
Saving money Doing things faster

44. Cloud Transforms what’s possible

45. Transformation 1:
Distributed Architectures Made Easy
High
Availability

46. Building Distributed Architectures

47. Cloud Computing Makes This Easier
Distributed Multi-AZ Building Blocks Loosely Coupled
Infrastructure Services Process Coordination
AWS
Regions S3
EC2 SWF
Instances
DynamoDB SNS
Availability
Zones
Elastic Load
SQS
RDS Balancer

48. Architecture Templates for Common Patterns
MICROSOFT SHAREPOINT
aws.amazon.com/architecture

50. … open source Simian Army
coming soon

51. Vodafone
Hutchison Australia
Easwaren Siva
General Manager
Technology Strategy & Product

52. Vodafone
Cricket LIVE
Australia
Behind the Scenes
Vodafone Hutchison Australia

53. Vodafone Australia
Vodafone Australia operated by Vodafone Hutchison Australia (VHA)
2009 merger, Vodafone Australia and Hutchison 3G Australia
Operates Vodafone, 3 Mobile and Crazy John’s brands
VHA mobile services to over 7.0 million customers
Shareholders operate Mobile Networks across the globe
50

54. Big Brother
Key Learning:
‘Big Brother’ 05
No Smartphones - No Apps
Environments
Early days of 3G – 3 Mobile 100% 3G
3 Mobile pioneered ‘Live’ Mobile TV with
‘Live’ interactive TV can drive immense
traffic towards your Portals and Content
0
200
400
600
800
16:44:23
16:45:23
16:46:23
16:47:23
16:48:23
16:49:23
16:50:23
16:51:23
16:52:23
16:53:23
16:54:23
16:55:23
16:56:23
16:57:23
16:58:23
16:59:23
17:00:23
17:01:23
17:02:23
17:03:23
17:04:23
17:05:23
17:06:23
17:07:23
17:08:23
17:09:23
17:10:23
17:11:23
17:12:23
17:13:23
17:14:23
17:15:23
17:16:23
17:17:23
17:18:23
17:19:23
17:20:23
17:21:23
17:22:23
17:23:23
17:24:23
17:25:23
17:26:23
17:27:23
17:28:23
17:29:23
17:30:23
17:31:23
17:32:23
17:33:23
17:34:23
17:35:23
17:36:23
17:37:23
17:38:23
17:39:23
17:40:23
17:41:23
17:42:23
17:43:23
17:44:23
17:45:23
17:46:23
17:47:23
17:48:23
17:49:23
17:50:23
17:51:23
17:52:23
17:53:23
17:54:23
17:55:23
17:56:23
17:57:23
17:58:23
17:59:23
18:00:23
18:01:23
18:02:23
18:03:23
18:04:23
18:05:23
18:06:23
18:07:23
18:08:23
18:09:23
18:10:23
18:11:23
18:12:23
18:13:23
18:14:23
18:15:23
18:16:23
18:17:23
18:18:23
18:19:23
18:20:23
18:21:23
18:22:23
18:23:23
18:24:23
18:25:23
18:26:23
18:27:23
18:28:23
18:29:23
18:30:23
18:31:23
18:32:23
18:33:23
18:34:23
18:35:23
18:36:23
18:37:23
18:38:23
18:39:23
18:40:23
18:41:23
18:42:23
18:43:23
18:44:23
18:45:23
18:46:23
18:47:23
18:48:23
18:49:23
18:50:23
18:51:23
18:52:23
18:53:23
18:54:23
18:55:23
18:56:23
18:57:23
18:58:23
18:59:23
19:00:23
19:01:23
19:02:23
19:03:23
19:04:23
19:05:23
19:06:23
19:07:23
19:08:23
19:09:23
19:10:23
19:11:23
19:12:23
19:13:23
19:14:23
19:15:23
19:16:23
19:17:23
19:18:23
19:19:23
19:20:23
19:21:23
19:22:23
19:23:23
19:24:23
19:25:23
19:26:23
19:27:23
19:28:23
19:29:23
19:30:23
19:31:23
19:32:23
19:33:23
19:34:23
19:35:23
19:36:23
19:37:23
19:38:23
19:39:23
19:40:23
19:41:23
19:42:23
19:43:23
19:44:23
19:45:23
19:46:23
19:47:23
19:48:23
19:49:23
19:50:23
19:51:23
19:52:23
19:53:23
19:54:23
19:55:23
19:56:23
19:57:23
19:58:23
19:59:23
20:00:23
20:01:23
20:02:23
20:03:23
20:04:23
20:05:23
20:06:23
20:07:23
20:08:23
20:09:23
20:10:23
20:11:23
20:12:23
20:13:23
20:14:23
20:15:23
20:16:23
20:17:23
20:18:23
20:19:23
20:20:23
20:21:23
20:22:23
20:23:23
20:24:23
20:25:23
20:26:23
20:27:23
20:28:23
20:29:23
20:30:23
20:31:23
20:32:23
20:33:23
20:34:23
20:35:23
20:36:23
20:37:23
20:38:23
20:39:23
20:40:23
20:41:23
20:42:23
20:43:23
20:44:23
20:45:23
20:46:23
20:47:23
20:48:23
20:49:23
20:50:23
20:51:23
20:52:23
20:53:23
20:54:23
20:55:23
20:56:23
20:57:23
20:58:23
20:59:23
21:00:23
21:01:23
21:02:23
21:03:23
21:04:23
Total Concurrent Conenctions (Sun 26th June - 16:45 -> 23:00)
21:05:23
21:06:23
21:07:23
21:08:23
21:09:23
21:10:23
21:11:23
21:12:23
21:13:23
21:14:23
21:15:23
21:16:23
21:17:23
21:18:23
21:19:23
21:20:23
21:21:23
21:22:23
21:23:23
21:24:23
21:25:23
21:26:23
21:27:23
21:28:23
21:29:23
21:30:23
21:31:23
21:32:23
21:33:23
21:34:23
21:35:23
21:36:23
21:37:23
21:38:23
21:39:23
21:40:23
21:41:23
21:42:23
21:43:23
21:44:23
21:45:23
21:46:23
21:47:23
21:48:23
21:49:23
21:50:23
21:51:23
21:52:23
21:53:23
21:54:23
21:55:23
21:56:23
21:57:23
21:58:23
21:59:23
22:00:23
22:01:23
22:02:23
22:03:23
22:04:23
22:05:23
22:06:23
22:07:23
22:08:23
22:09:23
22:10:23
22:11:23
22:12:23
22:13:23
22:14:23
22:15:23
22:16:23
22:17:23
22:18:23
22:19:23
22:20:23
22:21:23
22:22:23
22:23:23
22:24:23
22:25:23
22:26:23
22:27:23
22:28:23
22:29:23
22:30:23
22:31:23
22:32:23
22:33:23
22:34:23
22:35:23
22:36:23
51
22:37:23
22:38:23
22:39:23
22:40:23
22:41:23
22:42:23
22:43:23
22:44:23
22:45:23
22:46:23
22:47:23
22:48:23
22:49:23
22:50:23
22:51:23
22:52:23
22:53:23
22:54:23
22:55:23
22:56:23
22:57:23
22:58:23
22:59:23
23:00:23

55. 2011/12 Vodafone Cricket Live Australia
iPhone and iPad App
Android and Tablet App
Scores and Highlights
‘Live’ Cricket TV Streaming
Vodafone Viewers verdict

56. 2011/12 Vodafone Cricket Live Australia – Some Stats
Over 700K Apps downloaded
Approximately 4 Million visits
Over 500K streams
24.7TB iPhone streaming data for December
Peak 10K Simultaneous Streams
Live scores peaked at 1000 rps (Jan)

57. 2011/12 Vodafone Cricket Live Australia – Some Stats
Scores Data Requests
iPhone Streaming Traffic

58. Cricket App - Vodafone Viewers Verdict
Challenge - managing ‘peak’
load cost effectively 55

59. Vodafone Cricket Live Australia - Architecture
56

60. Vodafone Cricket Live Australia - Architecture
57

61. Vodafone Cricket Live Australia – Amazon Components
2 Elastic Load Balancers (ELB)
3 EC2 instances in idle configuration (2 large 1 small), auto expandable up to 9 (8 large 1 small)
under load
All EC2 instances are bootstrapped to load application after instantiation.
1 S3 bucket to store application itself
2 auto-scaling groups to protect from hardware failure and give expandability. Any failed server
will be automatically replaced
MySQL relational database service (RDS) instance to hold all data
Cloudwatch CPU usage alarms linked to auto-scaling groups for auto expand and auto shrink
Contracted ProQuest to build and optimise our AWS instances/environment

62. Key Learnings and Next Step
Key Learnings
Public Cloud Infrastructure - best cost option for Low Frequency but High
Demand services
Content Delivery Networks (CDN) and Cloud Computing provides an
optimal solution
Next Step in Progress
Unified Content Management System on Amazon to manage ‘peak
demands’ when new devices are released Online
Oracle Webcentre Sites / Fatwire 7.6 Content Management System in
Production

63. Transformation 2:
Embracing the security advantages of shared systems

65. Applications
Flexibility to Choose the Right Security
Model for Each Application
You
Infrastructure AWS Security Infrastructure
SOC 1/SSAE 16/ISAE 3402,
Every Customer Gets the Highest ISO 27001, PCI DSS, HIPAA, ITAR,
FISMA Moderate, FIPS 140-2
Level of Security

66. Kit, go
faster
Transformation 3:
From Scaling by
Architecture …
to Scaling By Command
Yes
Michael

67. Scaling by Architecture: NoSQL Database Cluster
Set up Config & Shard & Rinse &
more servers Tune Repartition Repeat

68. Scaling by Command with Amazon DynamoDB
Amazon DynamoDB
Data is automatically spread across
enough hardware to deliver single
digit millisecond latency.

70. Transformation 4:
A Supercomputer in the Hands of Every Developer

71. Supercomputers used to be Privileges of the Elite
Expensive
Rationed time
Only for the “highest value” jobs

72. Supercomputers by the Hour… for Everyone.
AWS built the 42 nd fastest supercomputer in the world
1,064 Amazon EC2 CC2 instances with17,024 cores
240 teraflops cluster (240 trillion calculations per second)
Less than $1,000 per hour

74. Develops leading computational

75. Instead of $20M in datacenter spend…
51,132 Cores…
3 Hours…
$4,828/ hour …

76. Transformation 5:
Experiment Often & Fail Quickly

77. Traditional Infrastructure Drives up the Cost of
Failure … Innovation Suffers
$1
2
How many big ticket 7 M
$
technology ideas can your $9
M
budget tolerate?

78. Experiment Often & Fail Quickly with AWS
 $1
00
 $2
K
 $5
00

Cost of failure falls dramatically
People are free to try out new ideas
 $7
5
$3
3
 $3
K
More risk taking, more innovation
 $2
34
 $5
00
 $6
92
 $1
K
 $9
6
 $1
2

79. REA Group
Richard Durnall
Head of Delivery

80. • Picture of view from my desk
77

81. A bit about us
• Picture of view from my desk
77

82. helped by

83. Distributed Agile
helped by

84. helped by

85. Continuous Delivery
helped by

86. helped by

87. Hack Days
helped by

89. helped by

90. Home Ideas
helped by

91. Transformation 6:
Big Data without Big Servers

92. Attacking Big Data Problems Shouldn’t Be This
Complicated
Storing Massive Data Investing In Expensive
Volumes Into A Huge Data Server Clusters To Process
Warehouse The Data

93. The Cloud Makes This a Lot Simpler
Hadoop Clusters
Amazon S3
Amazon DynamoDB Amazon EMR
Load Data in Organize & Visualize
the Cloud Analyze Data Results
1 2 3

94. Brandscreen
Seth Yates
Founder & CTO

95. It’s broken

96. Structurally, a
commodity
market

97. Low latency. High throughput. Huge
volume.

98. 1 petabyte
10% per month

101. 1.Experimen
t
2.Learn
3.Plan
All images sourced from
iStockPhoto.com

102. Transformation 7:
Mobile Ecosystem for a Mobile-First World

103. Building Mobile

105. Rich media experience
Location context aware
Real-time presence driven
Social graph based
User generated content
Recommendations
Integration w/ social networks
Virtual goods economy
Advertisement / premium support
Multi-device access

106. Cloud Mobile Ecosystem

108. PBS Video for iPad PBSKids Video for iPad
Launched Nov ‘10 Launched April ‘11

109. Fun With Numbers - February 2012
Total Video Mobile Video
Unique visitors: 30M/mo 115k unique visitors per day
Visits: 57M/mo 310k daily app opens
Page views: 367M / mo 27% of hours watched, 40%
of streams
Video streams: 145M/mo
Hours watched: 2.3M/mo

110. The AWS Mission
Enable businesses and developers to use web services
to build scalable, sophisticated applications.

111. Security and Privacy
in the Cloud
Stephen Schmidt
Vice President &
Chief Information Security Officer

112. AWS Security Model Overview
Certifications & Accreditations Shared Responsibility Model
Sarbanes-Oxley (SOX) compliance Customer/SI Partner/ISV controls guest
ISO 27001 Certification OS-level security, including patching and
PCI DSS Level I Certification maintenance
HIPAA compliant architecture Application level security, including
password and role based access
SAS 70(SOC 1) Type II Audit
Host-based firewalls, including Intrusion
FISMA Low & Moderate ATOs
Detection/Prevention Systems
DIACAP MAC III-Sensitive
Separation of Access
 Pursuing DIACAP MAC II–Sensitive
Physical Security VM Security Network Security
Multi-level, multi-factor controlled access Multi-factor access to Amazon Account Instance firewalls can be configured in
environment Instance Isolation security groups;
Controlled, need-based access for AWS • Customer-controlled firewall at the The traffic may be restricted by protocol,
employees (least privilege) hypervisor level by service port, as well as by source IP
Management Plane Administrative Access • Neighboring instances prevented access address (individual IP or Classless Inter-
Multi-factor, controlled, need-based Domain Routing (CIDR) block).
• Virtualized disk management layer
access to administrative host ensure only account owners can access Virtual Private Cloud (VPC) provides
All access logged, monitored, reviewed storage disks (EBS) IPSec VPN access from existing enterprise
AWS Administrators DO NOT have logical data center to a set of logically isolated
Support for SSL end point encryption for
access inside a customer’s VMs, including AWS resources
API calls
applications and data

113. Shared Responsibility Model
AWS Customer
•Facilities •Operating System
•Physical Security •Application
•Physical •Security Groups
Infrastructure •Network ACLs
•Network •Network
Infrastructure Configuration
•Account Management

114. AWS Security Resources
http://aws.amazon.com/security/
Security Whitepaper
Risk and Compliance Whitepaper
Latest Versions May 2011, January 2012
respectively
Regularly Updated
Feedback is welcome

115. AWS Certifications
Sarbanes-Oxley (SOX)
ISO 27001 Certification
Payment Card Industry Data Security
Standard (PCI DSS) Level 1 Compliant
SAS70(SOC 1) Type II Audit
FISMA A&As
• Multiple NIST Low Approvals to Operate (ATO)
• NIST Moderate, GSA issued ATO
• FedRAMP
DIACAP MAC III Sensitive ATO
Customers have deployed various compliant applications such as HIPAA
(healthcare)

116. SOC 1 Type II
Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 report
every six months and maintains a favorable unbiased and unqualified opinion from its
independent auditors. AWS identifies those controls relating to the operational performance
and security to safeguard customer data. The SOC 1 report audit attests that AWS’ control
objectives are appropriately designed and that the individual controls defined to safeguard
customer data are operating effectively. Our commitment to the SOC 1 report is on-going and we
plan to continue our process of periodic audits.
The audit for this report is conducted in accordance with the Statement on Standards for
Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance
Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can meet
a broad range of auditing requirements for U.S. and international auditing bodies. This audit is
the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report.

117. SOC 1
Control Objective 1: Security Organization
Control Objective 2: Amazon Employee Lifecycle
Control Objective 3: Logical Security
Control Objective 4: Secure Data Handling
Control Objective 5: Physical Security
Control Objective 6: Environmental Safeguards
Control Objective 7: Change Management
Control Objective 8: Data Integrity, Availability and Redundancy
Control Objective 9: Incident Handling

118. ISO 27001
AWS has achieved ISO 27001 certification of our
Information Security Management System (ISMS) covering
AWS infrastructure, data centers in all regions worldwide,
and services including Amazon Elastic Compute Cloud
(Amazon EC2), Amazon Simple Storage Service (Amazon
S3) and Amazon Virtual Private Cloud (Amazon VPC). We
have established a formal program to maintain the
certification.

119. Physical Security
Amazon has been building large-scale data centers for
many years
Important attributes:
•Non-descript facilities
•Robust perimeter controls
•Strictly controlled physical access
•2 or more levels of two-factor auth
Controlled, need-based access for
AWS employees (least privilege)
All access is logged and reviewed

120. GovCloud US West US West US East South America EU Asia Asia
(US ITAR (Northern (Oregon) (Northern (Sao Paulo) (Ireland) Pacific Pacific
Region) California) Virginia) (Singapore) (Tokyo)
AWS Regions
AWS Edge Locations

121. AWS Regions and Availability Zones
Customer Decides Where Applications and Data Reside

122. AWS Identity and Access Management
Enables a customer to create multiple Users
and manage the permissions for each of
these Users.
Secure by default; new Users have no access
to AWS until permissions are explicitly
granted. Us
AWS IAM enables customers to minimize the
use of their AWS Account credentials.
Instead all interactions with AWS Services
and resources should be with AWS IAM User
security credentials.er
Customers can enable MFA devices for their
AWS Account as well as for the Users they
have created under their AWS Account with
AWS IAM.

124. AWS MFA Benefits
Helps prevent anyone with unauthorized knowledge
of your e-mail address and password from
impersonating you
Requires a device in your physical possession to
gain access to secure pages on the AWS Portal or to
gain access to the AWS Management Console
Adds an extra layer of protection to sensitive
information, such as your AWS access identifiers
Extends protection to your AWS resources such as
Amazon EC2 instances and Amazon S3 data

125. Amazon EC2 Security
Host operating system
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited
Guest operating system
• Customer controlled at root level
• AWS admins cannot log in
• Customer-generated keypairs
Firewall
• Mandatory inbound instance firewall, default deny mode
• Outbound instance firewall available in VPC
• VPC subnet ACLs
Signed API calls
• Require X.509 certificate or customer’s secret AWS key

126. Amazon EC2 Instance Isolation
Customer 1 Customer 2 … Customer n
Hypervisor
Virtual Interfaces
Customer 1
Security Groups
Customer 2
Security Groups … Customer n
Security Groups
Firewall
Physical Interfaces

127. Virtual Memory & Local Disk
Amazon EC2
Instances
Encrypted
File System Amazon EC2
Instance
Encrypted
Swap File
•Proprietary Amazon disk management prevents one Instance
from reading the disk contents of another
•Local disk storage can also be encrypted by the customer for
an added layer of security

128. Network Security Considerations
DDoS (Distributed Denial of Service):
• Standard mitigation techniques in effect
MITM (Man in the Middle):
• All endpoints protected by SSL
• Fresh EC2 host keys generated at boot
IP Spoofing:
• Prohibited at host OS level
Unauthorized Port Scanning:
• Violation of AWS TOS
• Detected, stopped, and blocked
• Ineffective anyway since inbound ports
blocked by default
Packet Sniffing:
• Promiscuous mode is ineffective

129. Amazon Virtual Private Cloud (VPC)
Create a logically isolated environment in Amazon’s highly scalable infrastructure
Specify your private IP address range into one or more public or private subnets
Control inbound and outbound access to and from individual subnets using stateless
Network Access Control Lists
Protect your Instances with stateful filters for inbound and outbound traffic using
Security Groups
Attach an Elastic IP address to any instance in your VPC so it can be reached
directly from the Internet
Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted
VPN connection and/or AWS Direct Connect
Use a wizard to easily create your VPC in 4 different topologies

130. Amazon VPC Architecture
Customer’s isolated
AWS resources
Subnets
Router
VPN
Gateway
Secure VPN Amazon
Connection over the
Internet Web Services
AWS Direct Connect Cloud
– Dedicated Path/
Bandwidth
Customer’s
Network

131. Amazon VPC Architecture
Customer’s isolated
AWS resources
Subnets
Router
VPN
Gateway
Secure VPN Amazon
Connection over the
Internet Web Services
AWS Direct Connect Cloud
– Dedicated Path/
Bandwidth
Customer’s
Network

132. Amazon VPC Architecture
Customer’s isolated
AWS resources
Subnets
Internet Router
VPN
Gateway
Secure VPN Amazon
Connection over the
Internet Web Services
AWS Direct Connect Cloud
– Dedicated Path/
Bandwidth
Customer’s
Network

133. Amazon VPC Architecture
Customer’s isolated
AWS resources
Subnets
Internet Router
VPN
Gateway
Secure VPN Amazon
Connection over the
Internet Web Services
AWS Direct Connect Cloud
– Dedicated Path/
Bandwidth
Customer’s
Network

134. Amazon VPC Architecture
Customer’s isolated
AWS resources
Subnets
NAT
Internet Router
VPN
Gateway
Secure VPN Amazon
Connection over the
Internet Web Services
AWS Direct Connect Cloud
– Dedicated Path/
Bandwidth
Customer’s
Network

135. Amazon VPC Architecture
Customer’s isolated
AWS resources
Subnets
NAT
Internet Router
VPN
Gateway
Secure VPN Amazon
Connection over the
Internet Web Services
AWS Direct Connect Cloud
– Dedicated Path/
Bandwidth
Customer’s
Network

136. Amazon VPC Network Security Controls

137. Amazon VPC - Dedicated Instances
New option to ensure physical hosts are not shared with
other customers
$10/hr flat fee per Region + small hourly charge
Can identify specific Instances as dedicated
Optionally configure entire VPC as dedicated

138. AWS Deployment Models
Logical Server Granular Logical Physical Government Only ITAR Sample Workloads
and Application Information Network server Physical Network Compliant
Isolation Access Policy Isolation Isolation and Facility (US Persons
Isolation Only)
Commercial Cloud   Public facing apps. Web
sites, Dev test etc.
Virtual Private     Data Center extension,
Cloud (VPC) TIC environment, email,
FISMA low and Moderate
AWS GovCloud       US Persons Compliant
(US) and Government Specific
Apps.

139. Thanks!
Remember to visit
https://aws.amazon.com/security