Why AWS?
| The AWS Well-Architected Framework is based on five pillars — operational excellence, security, reliability, performance efficiency, and cost optimization. | |
| Pillar Name | Description |
| Operational Excellence | The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures |
| Security | The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. |
| Reliability | The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues. |
| Performance Efficiency | The ability to use computing resources efficiently to meet system requirements and to maintain that efficiency as demand changes and technologies evolve. |
| Cost Optimization | The ability to avoid or eliminate unneeded cost or suboptimal resources. |
Amazon Elastic Compute Cloud (EC2): is a web service that provides reliable compute capacity in cloud
Amazon Lambda: “zero-administration compute platform for back-end web developers that runs your code for you on the AWS Cloud and provides you with a fine-grained pricing structure.”
Auto Scaling: Auto Scaling allows organizations to scale Amazon EC2 capacity up or down automatically according to conditions defined for the particular workload
Amazon Elastic Load Balancing: automatically distributes incoming application traffic across multiple Amazon EC2 instances in the cloud.
AWS Elastic Beanstalk: AWS Elastic Beanstalk is the fastest and simplest way to get a web application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all the details, such as resource provisioning, load balancing, Auto Scaling, and monitoring.
Amazon Virtual Private Cloud (Amazon VPC): lets organizations provision a logically isolated section of the AWS Cloud where they can launch AWS resources in a virtual network that they define. Organizations have complete control over the virtual environment, including selection of the IP address range, creation of subnets, and configuration of route tables and network gateways.”
AWS Direct Connect: organizations to establish a dedicated network connection from their data center to AWS. Using AWS Direct Connect, organizations can establish private connectivity between AWS and their data center, office, or colocation environment, which in many cases can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based VPN connections.
Amazon Relational Database Service (Amazon RDS): provides a fully managed relational database with support for many popular open source and commercial database engines.
Amazon DynamoDB: is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale
Amazon Redshift: fully managed, petabyte-scale data warehouse service that makes it simple and cost effective to analyze structured data. Amazon Redshift provides a standard SQL interface that lets organizations use existing business intelligence tools The Amazon Redshift architecture allows organizations to automate most of the common administrative tasks associated with provisioning, configuring, and monitoring a cloud data warehouse.
Amazon ElastiCache; is a web service that simplifies deployment, operation, and scaling of an in-memory cache in the cloud. The service improves the performance of web applications by allowing organizations to retrieve information from fast, managed, in-memory caches, instead of relying entirely on slower, disk-based databases. As of this writing, Amazon ElastiCache supports Memcached and Redis cache engines.
Management Tools
Amazon CloudWatch is a monitoring service for AWS Cloud resources and the applications running on AWS. It allows organizations to collect and track metrics, collect and monitor log files, and set alarms. By leveraging Amazon CloudWatch, organizations can gain system-wide visibility into resource utilization, application performance, and operational health.
AWS CloudFormation gives developers and systems administrators an effective way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. AWS CloudFormation defines a JSON-based templating language that can be used to describe all the AWS resources that are necessary for a workload. Templates can be submitted to AWS CloudFormation and the service will take care of provisioning and configuring those resources in appropriate order”
AWS CloudTrail AWS CloudTrail is a web service that records AWS API calls for an account and delivers log files for audit and review. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the service.”
AWS Config “is a fully managed service that provides organizations with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, organizations can discover existing AWS resources, export an inventory of their AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting. ”
Application
Amazon API Gateway “is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. Organizations can create an API that acts as a “front door” for applications to access data, business logic, or functionality from back-end services, such as workloads running on Amazon EC2, code running on AWS Lambda, or any web application. Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.”
Amazon Elastic Transcoder is media transcoding in the cloud. It is designed to be a highly scalable and cost-effective way for evelopers and businesses to convert (or transcode) media files from their source formats into versions that will play back on devices like smartphones, tablets, and PCs.
Amazon Simple Notification Service (Amazon SNS) “is a web service that coordinates and manages the delivery or sending of messages to recipients. In Amazon SNS, there are two types of clients—publishers and subscribers—also referred to as producers and consumers. Publishers communicate asynchronously with subscribers by producing and sending a message to a topic, which is a logical access point and communication channel. Subscribers consume or receive the message or notification over one of the supported protocols when they are subscribed to the topic.”
Amazon Simple Email Service (Amazon SES) “is a cost-effective email service that organizations can use to send transactional email, marketing messages, or any other type of content to their customers.”
Amazon Simple Workflow Service (Amazon SWF) ” helps developers build, run, and scale background jobs that have parallel or sequential steps. Amazon SWF can be thought of as a fully managed state tracker and task coordinator on the cloud. In common architectural patterns, if your application’s steps take more than 500 milliseconds to complete, it is vitally important to track the state of processing and to provide the ability to recover or retry if a task fails.”
Amazon Simple Queue Service (Amazon SQS) Amazon Simple” “is a fast, reliable, scalable, fully managed message queuing service. Amazon SQS makes it simple and cost effective to decouple the components of a cloud application. With Amazon SQS, organizations can transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be always available.”
BEST PRACTICE:
| There are five best practice areas for security in the cloud: | |
| • Identity and Access Management | SEC 1: How are you protecting access to and use of the AWS account root user credentials? SEC 2: How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API? SEC 3: How are you limiting automated access to AWS resources (for example, applications, scripts, and/or third-party tools or services)? |
| • Detective Controls | SEC 4: How are you capturing and analyzing logs? |
| • Infrastructure Protection | SEC 5: How are you enforcing network and host-level boundary protection? SEC 6: How are you leveraging AWS service-level security features? SEC 7: How are you protecting the integrity of the operating system? |
| • Data Protection | SEC 8: How are you classifying your data? SEC 9: How are you encrypting and protecting your data at rest? SEC 10: How are you managing keys? SEC 11: How are you encrypting and protecting your data in transit? |
| • Incident Response | SEC 12: How do you ensure that you have the appropriate incident response? |
| There are five design principles for reliability in the cloud: |
| Test recovery procedures: |
| Automatically recover from failure: |
| Scale horizontally to increase aggregate system availability: |
| Stop guessing capacity: |
| Manage change in automation: |
| There are three best practice areas for reliability in the cloud: |
| • Foundations |
| • Change Management |
| • Failure Management |
| The following questions focus on foundations considerations for reliability. |
| REL 1: How are you managing AWS service limits for your accounts? REL 2: How are you planning your network topology on AWS? |
| The following questions focus on change management considerations for reliability. |
| REL 3: How does your system adapt to changes in demand? REL 4: How are you monitoring AWS resources? REL 5: How are you executing change? |
| The following questions focus on failure management considerations for reliability. |
| REL 6: How are you backing up your data? REL 7: How does your system withstand component failures? REL 8: How are you testing your resiliency? REL 9: How are you planning for disaster recovery? |
| There are five design principles for performance efficiency in the cloud: |
| Democratize advanced technologies |
| Go global in minutes |
| Use serverless architectures: |
| Experiment more often |
| Mechanical sympathy |
| There are four best practice areas for performance efficiency in the cloud: |
| • Selection |
| • Review |
| • Monitoring |
| • Tradeoffs |
Best practices for network security in the AWS cloud include the following:
Always use security groups: They provide stateful firewalls for Amazon EC2 instances at the hypervisor level. You can apply multiple security groups to a single instance, and to a single ENI.
Augment security groups with Network ACLs: They are stateless but they provide fast and efficient controls. Network ACLs are not instance- specific so they can provide another layer of control in addition to security groups. You can apply separation of duties to ACLs management and security group management.
Use IPSec or AWS Direct Connect for trusted connections to other sites. Use Virtual Gateway (VGW) where Amazon VPC-based resources require remote network connectivity
Protect data in transit to ensure the confidentiality and integrity of data, as well as the identities of the communicating parties.
For large-scale deployments, design network security in layers. Instead of creating a single layer of network security protection, apply network security at external, DMZ, and internal layers.
VPC Flow Logs provides further visibility as it enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
Centralized access control is essential for managing risk. The IAM service provides role-based identity and access management for AWS, but AWS does not provide end-user repositories like Active Directory, LDAP, or RADIUS for your operating systems and applications. Instead, you establish user identification and authentication systems, alongside Authentication Authorization Accounting (AAA) servers, or sometimes proprietary database tables. All identity and access management servers for the purposes of user platforms and applications are critical to security and require special attention.
