This document discusses best practices for getting started with AWS. It recommends laying out foundations such as creating an account structure, setting up billing and access controls using IAM, and choosing initial use cases that are well-scoped such as development and testing. It also emphasizes building on AWS security features and designing systems to take advantage of AWS strengths like auto-scaling and cost-effective storage.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Brian Wagner
AWS Professional Services
Security Consultant
Sep 21st 2016
Starting your Journey in the Cloud

2. Getting Started with AWS: Agenda
Best practices you should focus on when getting started
Resources you can use to learn more
Getting Started with AWS

3. http://aws.amazon.com/getting-started/
Getting Started with AWS

4. Choose Your First
Use Case Well
1

5. Chose Your First Use Case Well
Make your first project a S.M.A.R.T one

6. Chose Your First Use Case Well
Dev & Test
Spin environments up
and down on demand
Decouple development
and test environments
from operations
constraints
Explore elasticity in a
sandboxed environment
Make your first project a S.M.A.R.T one

7. Chose Your First Use Case Well
Dev & Test
Spin environments up
and down on demand
Decouple development
and test environments
from operations
constraints
Explore elasticity in a
sandboxed environment
Backup & DR
Take part of your data or
business applications
step- by-step into non-
production DR use
Understand cloud
dynamics and test during
controlled failover
Make your first project a S.M.A.R.T one

8. Chose Your First Use Case Well
Dev & Test
Spin environments up
and down on demand
Decouple development
and test environments
from operations
constraints
Explore elasticity in a
sandboxed environment
Backup & DR
Take part of your data or
business applications
step- by-step into non-
production DR use
Understand cloud
dynamics and test during
controlled failover
Greenfield Project
Embody best practice of
cloud computing in
unconstrained greenfield
projects
Self contained web
projects, document
archiving etc
Make your first project a S.M.A.R.T one

9. Chose Your First Use Case Well
Dev & Test
Spin environments up
and down on demand
Decouple development
and test environments
from operations
constraints
Explore elasticity in a
sandboxed environment
Backup & DR
Take part of your data or
business applications
step- by-step into non-
production DR use
Understand cloud
dynamics and test during
controlled failover
Greenfield Project
Embody best practice of
cloud computing in
unconstrained greenfield
projects
Self contained web
projects, document
archiving etc
Pain point
Move specific service
aspects causing undue
cost or management
burden
Workflows, search
indexing, media
streaming, document
archiving, constrained
databases
Make your first project a S.M.A.R.T one

10. Plan Evolution and Set Goals
Understand services
Test performance
Architect for scale
Develop team capabilities
Implement monitoring
Change control and management
Security management
Scalability
Automate corrective actions
Auto-scaling
Zero downtime deployments
System backup and recovery
Proof of Concept Production Automation
SampleActivities

11. Lay Out Your
Foundations
2

12. Accounts
Create an account structure
that makes sense
Use accounts like environments
where you need separation and
control
e.g. Dev Sandboxes
Test Environments
Business Units
Products & Services
Lay Out Your Foundations

13. BillingAccounts
Create an account structure
that makes sense
Use accounts like environments
where you need separation and
control
e.g. Dev Sandboxes
Test Environments
Business Units
Products & Services
Control access to billing
information
Use IAM users to keep billing
information in the master account
Consolidate billing into a
single account
Let one account pick up the bill for
multiple ‘sub accounts’
Setup billing alerts and
automated bill reporting
Get CloudWatch notifications when
billing reaches a point and output
csv reports to S3 for analysis
Lay Out Your Foundations

14. Enable delivery of billing reports
with resources & tags
Billing preferences
Billing Settings

15. Billing
Master Account
aws.invoices@mycompany.com

16. Billing
Consolidated Billing Relationship
Master Account
aws.invoices@mycompany.com
Division B
admin@divisionB.com
User2
Dev2
Admin2
IAM

17. Billing
Consolidated Billing Relationship
Master Account
aws.invoices@mycompany.com
Division B
admin@divisionB.com
User2
Dev2
Admin2
IAM
Tags:
Own=Div
Proj=P
Tags:
Own=Div
Proj=Q
Tags:
Own=Div
Proj=R
Tags: (key-value)
e.g Own=Div
Proj=R

18. Billing
Consolidated Billing Relationships
Master Account
aws.invoices@mycompany.com
Business Unit C
admin@busUnitC.com
User3
Dev3
Admin3
IAM
Tags:
Own=BusC
Proj=X
Tags:
Own=BusC
Proj=Y
Tags:
Own=BusC
Proj=Z
Division B
admin@divisionB.com
User2
Dev2
Admin2
IAM
Tags:
Own=Div
Proj=P
Tags:
Own=Div
Proj=Q
Tags:
Own=Div
Proj=R
Operating Co. A
admin@opcoA.com
User1
Dev1
Admin1
IAM
Tags:
Own=OpCo
Proj=A
Tags:
Own=OpCo
Proj=B
Tags:
Own=OpCo
Proj=C

19. Billing
Consolidated Billing Relationships
Master Account
aws.invoices@mycompany.com
Business Unit C
admin@busUnitC.com
User3
Dev3
Admin3
IAM
Tags:
Own=BusC
Proj=X
Tags:
Own=BusC
Proj=Y
Tags:
Own=BusC
Proj=Z
Division B
admin@divisionB.com
User2
Dev2
Admin2
IAM
Tags:
Own=Div
Proj=P
Tags:
Own=Div
Proj=Q
Tags:
Own=Div
Proj=R
Operating Co. A
admin@opcoA.com
User1
Dev1
Admin1
IAM
Tags:
Own=OpCo
Proj=A
Tags:
Own=OpCo
Proj=B
Tags:
Own=OpCo
Proj=C

20. S3CSV
Billing
ANALYSIS
Programmatic Billing Access
Consolidated Billing Relationships
Master Account
aws.invoices@mycompany.com
Business Unit C
admin@busUnitC.com
User3
Dev3
Admin3
IAM
Tags:
Own=BusC
Proj=X
Tags:
Own=BusC
Proj=Y
Tags:
Own=BusC
Proj=Z
Division B
admin@divisionB.com
User2
Dev2
Admin2
IAM
Tags:
Own=Div
Proj=P
Tags:
Own=Div
Proj=Q
Tags:
Own=Div
Proj=R
Operating Co. A
admin@opcoA.com
User1
Dev1
Admin1
IAM
Tags:
Own=OpCo
Proj=A
Tags:
Own=OpCo
Proj=B
Tags:
Own=OpCo
Proj=C

21. S3CSV
Billing
ANALYSIS
Programmatic Billing Access
Consolidated Billing Relationships
Master Account
aws.invoices@mycompany.com
Business Unit C
admin@busUnitC.com
User3
Dev3
Admin3
IAM
Tags:
Own=BusC
Proj=X
Tags:
Own=BusC
Proj=Y
Tags:
Own=BusC
Proj=Z
Division B
admin@divisionB.com
User2
Dev2
Admin2
IAM
Tags:
Own=Div
Proj=P
Tags:
Own=Div
Proj=Q
Tags:
Own=Div
Proj=R
Operating Co. A
admin@opcoA.com
User1
Dev1
Admin1
IAM
Tags:
Own=OpCo
Proj=A
Tags:
Own=OpCo
Proj=B
Tags:
Own=OpCo
Proj=C

22. 3rd Party Cost Management Tools

23. Access KeysBillingAccounts
Create an account structure
that makes sense
Use accounts like environments
where you need separation and
control
e.g. Dev Sandboxes
Test Environments
Business Units
Products & Services
Control access to billing
information
Use IAM users to keep billing
information in the master account
Consolidate billing into a
single account
Let one account pick up the bill for
multiple ‘sub accounts’
Setup billing alerts and
automated bill reporting
Get CloudWatch notifications when
billing reaches a point and output
csv reports to S3 for analysis
Decide upon a key
management strategy
Control access to EC2 instances
via SSH and embedded public key:
e.g. EC2 Key Pair per group of
instances, EC2 Key Pair per
account
Consider SSH key rotation
& automation
Limit exposure to private key
compromise by rotating keys and
replacing authorized_keys listings
on running instances
Consider bootstrap automation to
grant developer access with
developer unique keypairs
Lay Out Your Foundations

24. Groups & RolesAccess KeysBillingAccounts
Create an account structure
that makes sense
Use accounts like environments
where you need separation and
control
e.g. Dev Sandboxes
Test Environments
Business Units
Products & Services
Control access to billing
information
Use IAM users to keep billing
information in the master account
Consolidate billing into a
single account
Let one account pick up the bill for
multiple ‘sub accounts’
Setup billing alerts and
automated bill reporting
Get CloudWatch notifications when
billing reaches a point and output
csv reports to S3 for analysis
Decide upon a key
management strategy
Control access to EC2 instances
via SSH and embedded public key:
e.g. EC2 Key Pair per group of
instances, EC2 Key Pair per
account
Consider SSH key rotation
& automation
Limit exposure to private key
compromise by rotating keys and
replacing authorized_keys listings
on running instances
Consider bootstrap automation to
grant developer access with
developer unique keypairs
Use IAM Groups to manage
console users and API
access
Provide developers with IAM user
login and unique API access
credentials
Control & restrict what IAM users
can do by placing them in groups
with associated policies
Assign EC2 Instances IAM
roles
Let AWS manage API access
credentials on running instances by
assigning a system entitlement to
an instance
e.g. instance can only read S3
bucket
Lay Out Your Foundations

25. Identity & Access Management - IAM
Account
ApplicationsAdministrators Developers

26. Identity & Access Management - IAM
Account
ApplicationsAdministrators Developers
Groups
Multi-factor
Authentication

27. Identity & Access Management - IAM
Account
ApplicationsAdministrators Developers
Groups Roles
Multi-factor
Authentication
AWS API
Credentials

28. IAM Policies
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:*",
"ec2:*",
"elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"s3:*",
"sns:*"
],
"Resource": "*"
}
]
}
Create a policy to assign permissions to a
user, group, role or resource.
Policies are created using JSON. A policy
consists of one or more statements, each of
which describes one set of permissions.
Policies control access to AWS APIs

29. Identity and Access Management - IAM
For more details on IAM, visit:
aws.amazon.com/iam

30. Think Security
3

31. Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Client-side Data Encryption & Data
Integrity Authentication
Server-side Encryption
(File System and/or Data)
Network Traffic Protection
(Encryption/Integrity/Identity)
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer Data
AmazonYou
Shared Security Responsibility

32. Understand your customer & determine your security stance
Leverage AWS Security
External
Audience
Regulatory
Audience
Internal
Audience
Architecture
Administration
IAM
Certifications
White Papers
QSA Process
Your Processes
Your Certifications Penetration Test Results

33. Understand your customer & determine your security stance
Engage with security assessors early in your adoption cycle
Leverage AWS Security
Don’t fear assessment – AWS meets high standards (PCI DSS, ISO27001)
Security assessments take time, so allow for this in your planning
Undertake architecture reviews early in your design/deployment process

34. Understand your customer & determine your security stance
Engage with security assessors early in your adoption cycle
Use comprehensive materials and certifications provided by AWS
Leverage AWS Security
For more details on AWS Security, visit:
aws.amazon.com/security
Risk and compliance white paper
AWS security processes white paper
CSA consensus assessments initiative questionnaire
(requires NDA)

35. Understand your customer & determine your security stance
Engage with security assessors early in your adoption cycle
Use comprehensive materials and certifications provided by AWS
Build upon the security features of AWS to implement ‘security by design’
Leverage AWS Security

36. Direct Connect & VPNVirtual Private CloudControl & AuditTiered Access
IAM
Control users and allow use IAM
Roles to provide API credentials
for instances to enable access to
AWS resources via APIs
APIs vs Instance
Provide developers with API
credentials with separately
controlled access to SSH
keys/administrative logins
Temporary Credentials
Provide temporary API credentials
for access to AWS resources
Instance firewalls
Firewall control on instances via
Security Groups
AWS CloudTrail
The AWS API call history recorded
by CloudTrail enables security
analysis, resource change
tracking, and compliance auditing
AWS Config
A fully managed service that
provides you with an AWS
resource inventory, configuration
history, and configuration change
notifications to enable security and
governance
Subnet control
Create low level networking
constraints for resource access,
such as public and private
subnets, internet gateways and
NATs
Bastion hosts
Only allow access for
management of production
resources from a bastion host.
Turn off when not needed and
restrict startup via MFA
VPC Peering
Connect privately to other VPCs-
Peer VPCs together to share
resources across multiple virtual
networks owned by your or other
AWS accounts.
Private connections to VPC
Secured access to resources in
AWS over software or hardware
VPN and dedicated network links
Because your VPC can be hosted
behind your corporate firewall, you
can seamlessly move your IT
resources into the cloud without
changing how your users access
these applications.
Build on AWS Security Features

37. Build on the Strengths
of the AWS Cloud
4

38. e.g. Application performance improvement by migration of static content to Amazon S3 & CloudFront
Review application architectures early – assess their fit for the cloud
Can cloud benefits be delivered with minimum effort & outlay?
e.g. variable capacity requirements, ‘standard’ technology stacks, reference architectures*
e.g. Faster development cycles for dev/test, reduced cap-ex for application environments
Will cloud yield top-line growth, cost savings or agility improvements?
e.g. fully scripted deployments, IAM & EC2 instance roles, rolling deployments
Can automation lead to a more robust, agile & secure services?
Build on the Strengths of the AWS Cloud
1
2
3
4

39. Disposable compute
Design systems that can tolerate
instance failures
Build on the Strengths of the AWS Cloud
✖ ✖
Dispose of compute when it is
not required
✖ ✖

40. Disposable compute
Flexible capacity
Design systems that can
dynamically scale from zero to
hundreds of instances
Build on the Strengths of the AWS Cloud
✖ ✖ ✖
Use Auto-scaling (events, schedules
etc) to drive capacity availability
✖ ✖ ✖

41. Disposable compute
Flexible capacity
Cost effective storage
Use Amazon S3 for durable &
cost effective storage
Build on the Strengths of the AWS Cloud
✖ ✖ ✖
Deploy & scale relational
databases with RDS & use
DynamoDB for high throughput
NoSQL tables
✖ ✖ ✖

42. Disposable compute
Flexible capacity
Cost effective storage
Automation and control
Automate everything from
deployment, to scaling, to
instance recovery from failure
Build on the Strengths of the AWS Cloud
✖ ✖ ✖

43. 1. Use multiple availability zones

44. 2. Use RDS with replicas and slaves

45. 3. Use auto-scaling groups

46. 4. Use Elastic Load Balancing

47. 5. Use Route53 to host DNS zones

48. Auto-ScalingRDSRoute 53Elastic Load Balancing
Use at regional level
Combined with autoscaling will
balance requests and resource
capacity across availability zones
Within VPC
Use to load balance between
application tiers within an
availability zone
Instance migrations
Easily move instances from dev
environments to test environments
by moving between ELBs
Leverage SLA
Improve application reliability with
Route 53’s SLA on requests
served
Weighted routing
Perform A/B analysis, and staged
application roll-outs by moving a
portion of traffic to new
infrastructure
Control TTLs and updates
Take absolute control of DNS
updates for more decisive system
updates
Scale databases without
admin overhead
Choose instance size for
databases and scale up over time
Add high availability from
management console
Create master-slave configurations
and read-replicas. AWS takes care
of the failover and recreation of a
new slave in event of master DB
loss
Dynamically scale
resources & control costs
Only provision the resources that
are required with scale up and cool
down policies that match demand
Build on the Strengths of the AWS Cloud
For more details, visit the AWS architecture center: aws.amazon.com/architecture

49. Services not Software
5

50. AWS Cloud
Infrastructure & Services
Your
Business
More Time to Focus on
Your Business
Configuring
Cloud Services
70%
30%70%
Self Managed Software
& Infrastructure
30%
Managing All of the
“Undifferentiated Heavy Lifting”
Services Not Software

51. Relational Database Service
Easy to set up, operate, and scale
Handles time-consuming database management tasks,
such as backups, patch management, and replication
Supports MySQL, Oracle, Microsoft SQL Server, and
PostgreSQL, with Amazon Aurora in preview
NoSQL Database Service
Fast, predictable performance
Supports document & key-value data models
Fully distributed, fault tolerant architecture
Amazon RDS
Amazon DynamoDB
Services Not Software

52. Amazon SQS
Processing
task/processing
trigger
Processing results
Simple Queue Service
Fast, reliable, scalable, fully managed
message queuing service
Transmit any volume of data, at any level
of throughput
Amazon SQS
Amazon EMR
Elastic MapReduce
Uses Hadoop, an open source
framework, to distribute your data and
processing across EC2 instances
Integrates with other AWS services, such
S3 & DynamoDB
Supports the broad Hadoop tools
ecosystem
Services Not Software

53. Optimise Your Costs
6

54. Use the Right Instance Types
Use Auto Scaling
Turn Off Unused Instances
Use Reserved Instances
1
2
3
4
Use Spot Instances5
Use Storage Classes6
Offload Your Architecture7
Use Services, Not Software8
Use Consolidated Billing9
Use Cost Management Tools10

55. G2
GPU
enabled
M3
General
purpose
Memory
optimized
R3
CR1M2
Storage and IO
optimized
C4
Compute
optimized
C1 CC2
I2
HI1
HS1
CG1M1 C3
Use the Right Instance Types

56. Use Tools &
Frameworks
7

57. Access everything via CLI, API or Console
Use one of 9 (soon to be 10) fully supported
SDKs to create or make use of existing AWS
resources within your own code
Leverage a broad ecosystem of open source,
free and commercially licensed tools to work
with AWS Services
Achieve the highest levels of automation to
support continuous deployment, define your
infrastructure-as-code or automate your
development, operations or DevOps processes
Find out more at: aws.amazon.com/developers/getting-started/
Everything is Programmable

58. Resources You Can Use to Learn More
aws.amazon.com/getting-started/
aws.amazon.com/premiumsupport
aws.amazon.com/architecture
aws.amazon.com/security
aws.amazon.com/campaigns/emea-getting-started

59. Certification
aws.amazon.com/certification
Self-Paced Labs
aws.amazon.com/training/
self-paced-labs
Try products, gain new
skills, and get hands-on
practice working with
AWS technologies
aws.amazon.com/training
Training
Validate your proven skills
and expertise with the
AWS platform
Build technical expertise
to design and operate
scalable, efficient
applications on AWS
AWS Training & Certification

60. Thank You!
Brian Wagner
AWS Professional Services
Security Consultant