AWS Essentials, including Governance training– for Development Teams

What is AWS Governance?

In one sentence, ‘Leveraging the AWS API (public cloud API) to create automated templates around provisioning of resources’

All public cloud governance consists of these three broad categories

• Automation – Resource Provisioning Automation, Account Automation, Policy Automation
• Budget Enforcement and Cost Compliance
• Security Compliance
• Base Enablement – Tagging, Centralized Logging. This isn’t a separate category, but is required for enabling the other 3.

Automation – Includes Policy Automation, Account Automation, Identity Federation

Resource Provisioning

• AWS Service Catalog automate  – network architecture baselining. They replace manual processes, and facilitate the use of pre-defined, standardized system deployment templates.
• AWS Landing Zones and
• AWS Quick Starts

Account Automation

• Services such as AWS Organizations, AWS CloudFormation –  AWS account provisioning
• AWS Landing Zones

Policy Automation

• AWS guidance to achieve governance at scale automates the application of company policies, deploying accounts with standard specifications to ensure consistency across AWS accounts and resources. The policy engine is flexible to accommodate and enforce different types of security polices such as AWS Identity and Access Management (IAM), AWS CloudFormation, or custom scripts.

Identity Federation

• AWS governance solutions employ AWS Single Sign-On (SSO) through federated identity integration with external authentication providers such as OpenID, or Active Directory to centralize AWS account management and simplify user access to AWS accounts. When SSO is used in conjunction with AWS CloudTrail, user activity can be tracked across multiple AWS accounts.

Budget Enforcement

Enforcement of budget constraints is a key component of governance at scale. Each layer of the company defines spending limits within accounts and projects, monitors account spending in near real-time, and triggers warning notifications or enforcement actions. Automated actions include:

• Restricting the use of AWS resources to those that cost less than a specified price.
• Throttle new resource provisioning.
• Shut down, terminate, or de-provision AWS resources after archiving configurations and data for future use.

Security Compliance

• AWS services or Amazon Virtual Private Cloud (Amazon VPC) baseline configurations can be provisioned using standardized AWS configurations or AWS CloudFormation templates
• These templates align with the company’s security and compliance requirements and have been evaluated and approved by company’s risk decision makers.
• Well implemented security automation is responsive to security incidents. This includes processes to respond to policy violations by revoking IAM user access, preventing new resource allocation, terminating resources, or isolating existing cloud resources for forensic analysis.
• Automation can be accomplished by collecting and storing AWS logging data into centralized data lakes and performing analytics, or basing responses on the output of other analytics tools.
• At each level of the hierarchy the company can specify which AWS Services, features, and resources are approved for use on a per department, per user, or per project basis. This ensures self-service requests can’t provision unapproved items, as illustrated in the following diagram.

Base Enablement – Tagging and Logging

• Centralized logging
• Tagging Strategy and Enforcement

Governance Track (1 day) – AWS Governance Training

Day One – AWS Governance Training

• Multiple Account Management – Automated Account Provisioning
• Cost Enforcement – Actual Spend vs. Projection, Automation and Metering
• Automation of Compliance (Security, Data) — Security – Dynamic Policies — Data – PCI, PII, HIPAA
• Service Catalog Templated Approach vs. Manual, Flexible provisioning approach
• Tools for monitoring and enforcing compliance – Trusted Advisor, CloudCheckr, CloudHealth
• List of Best Practices , Tagging, AWS Native cost saving tips (EBS, Spot Instances, Volume discounts, RIs…)

Development Track (3 days)

Day 1 – AWS Developer Training

Identity, Accounts, Access Management

• Account Structure – Single Account vs Multiple Account Structure, Organizations
• IAM – Users, Groups, Roles, Policies

Networking
— Regions and Zones
— VPCs – default and custom
— Shared vs Dedicated Tenancy Models
— Subnets – public, private
— Route tables
— Security Groups and NACLs
— CloudFront and Route53 (Discussion Only)

Management and Governance
— CloudWatch, CloudTrail, VPC Flowlogs
— AWS Config – (create rules) for monitoring configuration changes to your resources
— Trusted Advisor

Day 2 – AWS Developer Training – EC2, S3 and RDS

— Compute Services, Storage Services, RDS Services
— Elastic IPs
— On-Demand vs. Reserved instances  – RIs – Standard RIs vs. Convertible RIs
— Instance Types
— Instance Tagging
— EBS Volumes – Volume Types
S3
— Naming conventions
— Versioning, Server Access Logging, Object Level Logging
— Public Access versus Restricted Access (e.g. restricting to single IP address)
— Bucket Access Policies (https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html)
— Bucket Lifecycle Policies, Cross Region Replication – Discussion Only
— Tools for syncing between desktops and S3 (CloudBerry..) – Discussion Only

RDS 

Day 3 – AWS Developer Training – VPN Setup, AD One way and 2 way trust setup, Security, Cost Optimization

— Customer Gateway
— VPGs
— Site to Site VPN = VPG  + Customer Gateway – Demo, Try Deleting Customer Gateway or VPG individually.

AD 2-Way Trust Setup – as part of Day 3, developer training AWS

— Configuring On Prem Piece
— Configuring AWS Piece
— Trial Sync of Directory Objects

Security , Cost Optimization – AWS Developer Training

— AWS GuardDuty, Inspector, DMZ subnets
— AWS WAF
— Trusted Advisor
— CloudHealth