7. Infrastructure Request
Current State: Typical Enterprise Situation
Governance & Service Management
Central IT
Lines of Business
Provisioning Characteristics
• Lead times ~days to weeks
• Service Catalogue of components
• Often process-heavy Service Management
8. Monitor & Respond
Landing Zone Templates
Policy & Best Practices
Landscape Management
Current State: Opportunity to achieve agility and control
Automation
Lines of Business
Central IT Opportunities
• Lead times in minutes
• Service Catalogue of landscapes
• Automated Service Management
11. Account Structure
• Don’t overdo on Day One
• Use separate accounts for Security and Compliance Isolation (production, non-prod, logging), Cost Allocation, and Resource Management and Ownership
14. Analyze your CloudTrail Logs
AWS CloudTrail
AWS Management Console, AWS CLI, SDK
Your Central Amazon S3 logging bucket
Analysis & Action
AWS Services
You make API calls to AWS Services; they are logged by CloudTrail and delivered to your S3 bucket.
19. Network
Direct Connect for connecting on-prem and AWS environment
Customer Gateway
VPN backup
Direct Connect Location
Virtual Interface #1
Virtual Interface #2
Secondary Direct Connect Location
Partner Network
20. Network
Central Services in a central VPC
Central common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
• Internet Proxy
Production Generic
Production Business Critical
Central Services
Non-production
22. You get to control who can do what in your AWS environment, when and from where
Fine-grained control of your AWS cloud with multi-factor authentication
Integrate with your existing LDAP / Active Directory using federation and single sign-on
You can use AWS managed policies or customer-generated policies, built with the policy generator and tested with the policy simulator
AWS account owner
Identity and Access Management
Control access and segregate duties everywhere
23. Identities and Access Control
Sample Access Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:::instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "Dev"
        }
      }
    }
  ]
}
Effect: Allow or Deny access to the resource
Action: Service calls allowed to be performed
Resource: object or objects that the statement covers
Condition: conditions to satisfy; here the EC2 resources must be tagged with “Dev”
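As an added example (not part of the deck), the small evaluator below applies simplified IAM semantics (explicit Deny wins, then Allow, otherwise implicit deny; only the StringEquals operator) to the sample policy above, so the effect of the Environment tag condition can be checked offline. The instance ARN and request contexts are constructed test values.

```python
import fnmatch
import json

# Sample policy from slide 23 (copied here; the curly quotes around the ARN
# are replaced by ASCII quotes so the JSON parses).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
    "Resource": "arn:aws:ec2:::instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Dev"}}
  }]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_met(condition, context):
    """Only StringEquals is modelled (the operator the slide uses); a key that is
    absent from the request context makes the condition fail, as in IAM."""
    for key, allowed in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(allowed):
            return False
    return True


def evaluate(policy, action, resource, context):
    """Simplified IAM decision for one request: explicit Deny wins, a matching
    Allow grants, anything else is an implicit deny. Actions are matched
    case-insensitively and resources case-sensitively, with '*'/'?' wildcards."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Calling `evaluate(POLICY, "ec2:StopInstances", "arn:aws:ec2:::instance/i-0123456789abcdef0", {"ec2:ResourceTag/Environment": "Prod"})` returns "ImplicitDeny", while the same call with the tag set to "Dev" returns "Allow"; an untagged instance (empty context) is also implicitly denied.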
24. Identities and Access Control
Example user types with corresponding access policies
Managers: IAM Master (create policies), IAM Manager (assign policies), Audit (read-only access)
Design: Architect (create landscapes), Storage (design and build), Network (design and build)
Application Owners: DevOps (API access), App Owner (landscape owner)
Support and Operations: Support (account policy), Empty Role (no policy)
Administrators (typical access policy): Administrator Landscape Mgt, Administrator Service Catalog
25. Corporate Data Center
Browser interface
Identity Store
Identity and Access Management
Federation with on-prem directory
AD Group: Identity and Authentication
Mapping to specific IAM Role with Access Policy
Access to AWS
27. Cloud Consumers
AWS Service Catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services. It enables users to quickly deploy approved IT services they need in a self-service manner.
Administrator Users
Control
Standardization
Governance
Agility
Self-service
Time to market
28. Product = Template
CloudFormation Running Stack
JSON formatted file
Parameter definition
Resource creation
Configuration actions
Configured AWS services
Comprehensive service support
Service event aware
Customisable
Framework
Stack creation
Stack updates
Error detection and rollback
Administrator Interaction
CloudFormation to create products
29. Administrator Interaction: Managing products
1 Creates portfolio and assigns product portfolio
2 Creates product
4 Adds constraints, grant access and add tags
Authors template
3 Landscape Architect
Administrator
ProductX Versions
Portfolio A, Portfolio B
• Users and Roles
• Constraints
• Tags
Service Catalog
30. Agility and Control
Opportunities to strengthen the handshake
User generated products to foster innovation
Back-end micro-services acting on the stacks
Administrator
Products
40. From Legacy to Cloud First
Legacy:
• “Break-Fix”
• SLA based managed services
• Unplanned business interruptions
• Complex supply chain, new demand
• Wide variety of versions
• Not Scalable
• Pay for capacity reserved
• Reporting “after the fact”
Cloud First:
• Design for “Always On”
• SLA based managed services
• Self Provisioning, consumer driven
• Standard market available services
• Scalable Resources
• Pay only for what you use
• “Real time” usage & performance
21 September 2016