
And you thought you knew EC2, GOT edition

Ben Whaley
November 28, 2017

Presented at AWS re:Invent 2017


Transcript

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
    And you thought you knew EC2… Ben Whaley, Director, Security and Operations, Kountable

2. Pertinent announcements since June 2017
    ▪ Docker Device and Init Flags in Container Task Definitions
    ▪ Amazon ECS Allows Containers to Directly Access Environmental Metadata
    ▪ Announcing New AWS Deep Learning AMI for Amazon EC2 P3 Instances
    ▪ Amazon EC2 Systems Manager Parameter Store Adds Versioning Support
    ▪ Amazon EC2 Systems Manager Now Integrates With GitHub
    ▪ Application Load Balancers Now Support Multiple TLS Certificates With Smart Selection Using SNI
    ▪ Introducing Amazon EC2 P3 Instances
    ▪ Introducing Lifecycle Policies for Amazon EC2 Container Registry
    ▪ Application Load Balancers now support multiple SSL certificates
    ▪ EC2 Per second billing
    ▪ ECS Adds Support for Adding or Dropping Linux Capabilities to Containers
    ▪ Network Load Balancer now supports load balancing to IP addresses as targets
    ▪ Amazon EC2 Spot Can Now Stop and Start Your Spot Instances
    ▪ Amazon EC2 Systems Manager Run Command Adds Tag-Based Permissions and Multi-Tag Support
    ▪ Auto Scaling Lifecycle Hooks Enhancements
    ▪ A new addition to the Amazon EC2 memory-optimized X1 Instance family – x1e.32xlarge
    ▪ Amazon EC2 Container Service Now Integrated with Network Load Balancer
    ▪ Application Load Balancer Adds Support for New RequestCountPerTarget CloudWatch Metric
    ▪ EC2 Systems Manager Now Supports Linux Patching
    ▪ Sync Amazon EC2 Systems Manager Inventory Data to Amazon S3 Buckets
    ▪ ECS RunTask and StartTask APIs now support additional override parameters
    ▪ EC2 Systems Manager Adds Hierarchy, Tagging, and Notification Support for Parameter Store
    ▪ Announcing Network Load Balancer for Elastic Load Balancing
    ▪ Announcing improved networking performance for Amazon EC2 instances
    ▪ Application Load Balancer now supports load balancing to IP addresses as targets
    ▪ Amazon EC2 Systems Manager Adds Configuration Compliance Reporting and Auto-Remediation
    ▪ Amazon ECS is now HIPAA Eligible
    ▪ Amazon EC2 Systems Manager now HIPAA eligible
    ▪ Tag Your Spot Fleet EC2 Instances
    ▪ Introducing Amazon EC2 G3 Instances, the next-generation of GPU-powered instances for graphics-intensive applications
    ▪ Support for LCU metrics on Classic Load Balancer
    ▪ Amazon EC2 Systems Manager Adds Cross-Platform and Multi-Step Document Support
    ▪ Amazon EC2 Systems Manager Adds Raspbian OS and Raspberry Pi Support
    ▪ Introducing Target Tracking Scaling Policies for Auto Scaling

3. EC2 Instance Types
    ▪ C5: Compute-optimized with 3.0GHz Intel Skylake
    ▪ P3: Next-gen GPU instances suitable for ML, HPC
    ▪ R4: Memory optimized (up to 488GiB)
    ▪ I3: High I/O with NVMe SSD, 10k-300k IOPS
    ▪ X1e: In-memory databases - up to 3.8TiB, 128vCPU
    ▪ D2: Up to 43TiB HDD

4. EBS Volume Types
    Type  Description               I/O      Throughput  Cost
    io1   Provisioned IOPS SSD      Highest  High        Highest
    gp2   General purpose SSD       High     Low(ish)    Medium
    st1   Throughput-optimized HDD  Low      Highest     Low
    sc1   Non-optimized HDD         Low      Medium      Lowest

5. Miscellaneous changes, features
    ▪ IPv6
    ▪ KVM hypervisor for new instance types
    ▪ Elastic Network Adapter - 25 Gbps
    ▪ Per second billing
    ▪ Elastic GPUs
    ▪ Target Tracking Scaling Policies for Auto Scaling
    ▪ New regions: 2016 - Ohio, Canada, London, Mumbai, Seoul; Soon - China (Ningxia), Paris, Stockholm, Hong Kong, Bahrain
    #awswishlist - Kenya

6. CloudWatch Integration: Scheduled tasks, Event handling, Metrics, Logs

7. CloudWatch Events
    ▪ Scheduled Events
    ▪ Instance state changes
    ▪ Systems manager
    ▪ Maintenance window
    ▪ ECS event stream
    ▪ EBS snapshots, encryption/decryption
    ▪ Cross-account event delivery

8. CloudWatch Telemetry
    ▪ High resolution (1s/3H) custom metrics
    ▪ High resolution alarms (10s)
    ▪ collectd CloudWatch plugin
    ▪ Dashboards (GUI, CLI)
    ▪ Percentile statistics (p50, p90, p99…)
    ▪ Logs
    ▪ Metric filters for log parsing and alarms

9. EC2 Container Service
    ▪ Elastic Container Registry
    ▪ Docker Device and Init Flags in Container Task Definitions
    ▪ CloudWatch metrics for CPU and memory utilization across the cluster
    ▪ IAM roles for ECS tasks
    ▪ github.com/blox/blox marching towards v1.0
    ▪ 3rd party tooling (Convox, Empire)
    ▪ Integration with Application Load Balancer
    ▪ Run tasks on a schedule
    ▪ Execute tasks in response to CloudWatch events

10. EC2 Systems Manager
    Superpowers for EC2 instances and on-premises systems.
    ▪ Remote command execution with Run Commands
    ▪ Controlled secrets and configuration data with the Parameter Store
    ▪ Periodic tasks with the State Manager and Maintenance Windows
    ▪ Stepwise Automation workflows for initializing nodes
    ▪ Collect and query Inventory and Patch status

11. Key Systems Manager Benefits
    ✓ All actions recorded in CloudTrail (i.e. an immutable audit trail)
    ✓ Trigger SNS, Lambda from Systems Manager events
    ✓ Store command history and output to S3
    ✓ Fine-grained access control to Run Commands
    ✓ Integration with Config to track changes over time

12. The SSM Agent
    ▪ Open source (Golang) executable for Linux and Windows
    ▪ Available for cloud and on-premises systems
    ▪ Assign IAM role with permissions to interface with SSM API
    ▪ Install at boot or on existing systems
    ▪ Polls for commands to execute

13. Systems Manager Documents
    {
      "schemaVersion": "2.0",
      "description": "Run a script",
      "parameters": {
        "commands": {
          "type": "String",
          "description": "Commands to run"
        }
      },
      "mainSteps": [
        {
          "action": "aws:runShellScript",
          "name": "runShellScript",
          "inputs": {
            "runCommand": "{{ commands }}"
          }
        }
      ]
    }

14. github.com/kountable/pssh: A shell for the EC2 Parameter Store

15. (Demo architecture diagram: CloudWatch Event, λ, pssh, EC2 Parameter Store, CloudWatch Metrics; titled "Game of Thrones Transfer of Power")

16. Scoring System
    -40  Illegitimate
    -30  Handicapped
    -20  Exile
      0  Deceased
     30  Distinction
     50  Noble
     50  Royalty
    100  Magical

17. Community Curated Pro Tips

18. Automated infrastructure is table stakes.

19. Ansible for provisioning and fleet control. Lambdas for glue. Packer for building images.

20. Single node ASGs for self-healing and resilience.

21. Use Config Rules to enforce compliance with tagging schemes, EBS snapshots, security group rules, or other site preferences.

22. Many EC2 IAM actions do not support resource-level permissions. Exercise caution.
    {
      "Statement": [
        {
          "Action": [
            "ec2:AllocateAddress",
            "ec2:AssociateAddress",
            "ec2:DescribeAddresses",
            "ec2:DisassociateAddress",
            "ec2:CreateKeyPair",
            "ec2:DeleteKeyPair"
          ],
          "Effect": "Allow",
          "Resource": ["*"]
        }
      ]
    }

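A small policy linter, added here as an example (it is not from the deck or the speaker's tooling): it lists every Allow statement that grants on Resource "*", so each wildcard grant can be reviewed for whether the action really forces it or whether a resource ARN or a Condition could narrow it. The sample policy is the one on the slide.

```python
import json

# Constructed sample: the policy from the slide.
SAMPLE_POLICY = json.loads("""
{
  "Statement": [
    {
      "Action": [
        "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:DescribeAddresses",
        "ec2:DisassociateAddress", "ec2:CreateKeyPair", "ec2:DeleteKeyPair"
      ],
      "Effect": "Allow",
      "Resource": ["*"]
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts either a string or a list for Action, NotAction and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_grants(policy):
    """Return (statement_index, action, has_condition) for every Allow on Resource "*".

    NotAction statements are reported as "NotAction:<name>": they allow
    everything except the listed actions, which is broader than a wildcard.
    Actions ending in "*" (e.g. "ec2:*") are reported as written.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        conditioned = bool(stmt.get("Condition"))
        for action in _as_list(stmt.get("Action")):
            findings.append((idx, action, conditioned))
        for action in _as_list(stmt.get("NotAction")):
            findings.append((idx, "NotAction:" + action, conditioned))
    return findings


if __name__ == "__main__":
    for idx, action, conditioned in wildcard_grants(SAMPLE_POLICY):
        note = "" if conditioned else " (no Condition narrows it)"
        print(f"statement {idx}: {action} on Resource *{note}")
```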
23. Use the BurstBalance CloudWatch metric to monitor I/O credit balance for gp2, st1, sc1 EBS volumes.

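As an added worked example (not from the deck), the gp2 credit model that BurstBalance reports on: baseline 3 IOPS per GiB (minimum 100, maximum 10,000 at the time of the talk), bursts up to 3,000 IOPS, and a bucket of 5,400,000 I/O credits that BurstBalance expresses as a percentage. The functions turn an observed IOPS rate and the current BurstBalance into time-to-exhaustion, which is what an alarm threshold should be derived from.

```python
CREDIT_BUCKET = 5_400_000   # I/O credits in a full gp2 bucket (BurstBalance = 100 %)
BURST_IOPS = 3_000          # ceiling while credits remain
MAX_BASELINE_IOPS = 10_000  # gp2 ceiling at the time of the talk


def gp2_baseline_iops(size_gib):
    """3 IOPS per GiB, floored at 100 and capped at the gp2 maximum."""
    return min(MAX_BASELINE_IOPS, max(100, 3 * size_gib))


def seconds_until_exhausted(size_gib, sustained_iops, burst_balance_pct=100.0):
    """Seconds until the credit bucket is empty at a sustained I/O rate.

    Credits refill at the baseline rate, so only I/O above baseline drains the
    bucket. Returns None when the load is at or below baseline (including every
    volume of 1,000 GiB or more, whose baseline already reaches 3,000 IOPS).
    """
    baseline = gp2_baseline_iops(size_gib)
    rate = min(sustained_iops, BURST_IOPS)  # cannot draw more than the burst ceiling
    if rate <= baseline:
        return None
    credits = CREDIT_BUCKET * burst_balance_pct / 100.0
    return credits / (rate - baseline)


def alarm_threshold_pct(size_gib, sustained_iops, lead_time_s):
    """BurstBalance percentage that gives at least lead_time_s of warning at that load.

    Returns None when the load never drains the bucket; 100.0 means even a full
    bucket lasts less than the requested lead time, so the alarm cannot help.
    """
    full = seconds_until_exhausted(size_gib, sustained_iops, 100.0)
    if full is None:
        return None
    return min(100.0, 100.0 * lead_time_s / full)


if __name__ == "__main__":
    # A 100 GiB gp2 (baseline 300 IOPS) driven at 3,000 IOPS drains a full
    # bucket in 5,400,000 / 2,700 = 2,000 s; a 10-minute warning needs a 30 % alarm.
    print(seconds_until_exhausted(100, 3000))
    print(alarm_threshold_pct(100, 3000, 600))
```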
24. Use the CPUCreditUsage and CPUCreditBalance metrics in CloudWatch to track CPU burst usage on T2 instance types.

25. github.com/awslabs/aws-shell: The real hero

26. Network throughput increases substantially with instance type. (Don't forget to enable enhanced networking.)

27. In CloudFormation, explicitly request SSD ephemeral disks or you may not get them.

28. Require MFA for SSH access and enable Fail2ban to block IPs with failed login attempts.

29. Improve your SSH experience with ControlPersist.

30. Use ssh -D and the SwitchyOmega Chrome extension for convenient access to services in a private network.

31. Running multiple apps per instance? Use AssumeRole to assign granular permissions to each app.

32. Protect the EC2 metadata and userdata.

33. Use the instance identity document to validate the authenticity of EC2 instances.

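An added example (not from the deck) of the validation a service should perform before trusting an instance identity document: verify the PKCS7 signature against the AWS public certificate, then check that the account, region and instance ID are the ones the caller is supposed to have. A good signature alone only proves the document came from some EC2 instance, possibly in somebody else's account. The certificate path and the sample document are placeholders constructed here.

```python
import json
import subprocess

# Placeholder: path to the AWS public certificate for your region, copied from
# the EC2 instance identity documentation (not embedded here).
AWS_CERT_PATH = "/etc/aws/instance-identity-cert.pem"

# Constructed sample document (no real account or instance).
SAMPLE_DOC = json.dumps({
    "accountId": "123456789012", "region": "us-west-2",
    "instanceId": "i-0123456789abcdef0", "pendingTime": "2017-11-28T12:00:00Z",
    "imageId": "ami-00000000", "architecture": "x86_64",
})


def verify_pkcs7(pkcs7_body, cert_path=AWS_CERT_PATH):
    """Return the signed document text if the PKCS7 signature checks out, else None.

    The metadata endpoint returns the PKCS7 block without PEM armour, so it is
    wrapped here. -certfile pins the AWS certificate, -nointern refuses any
    signer certificate carried inside the message itself, and -noverify skips
    chain building because the pinned certificate is self-signed.
    """
    pem = f"-----BEGIN PKCS7-----\n{pkcs7_body.strip()}\n-----END PKCS7-----\n"
    result = subprocess.run(
        ["openssl", "smime", "-verify", "-inform", "PEM",
         "-certfile", cert_path, "-nointern", "-noverify"],
        input=pem.encode(), capture_output=True)
    return result.stdout.decode() if result.returncode == 0 else None


def check_identity_document(doc_text, expected_account, expected_region,
                            expected_instance=None):
    """Return a list of problems with the (already signature-verified) document."""
    try:
        doc = json.loads(doc_text)
    except ValueError:
        return ["identity document is not valid JSON"]
    required = ("accountId", "region", "instanceId", "pendingTime")
    problems = [f"missing field {k}" for k in required if k not in doc]
    if doc.get("accountId") != expected_account:
        problems.append(f"accountId {doc.get('accountId')} is not our account")
    if doc.get("region") != expected_region:
        problems.append(f"region {doc.get('region')} is not the expected region")
    if expected_instance is not None and doc.get("instanceId") != expected_instance:
        problems.append("instanceId does not match the caller's claim")
    return problems
```

In practice the caller fetches `pkcs7` from the metadata service, passes it to `verify_pkcs7`, and only then hands the returned text to `check_identity_document`.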
34. Use Linux >= 4.4 for best results.

35. checkip.amazonaws.com is HTTP only, hence it cannot be trusted. Use icanhazip.com instead.

36. #!/bin/bash -x
    # Save userdata cmd output to a log
    exec > /var/log/userdata.log 2>&1
    # Initialize instance
    …

37. Pace yourself tonight. It's going to be a busy week.

38. Recently released!

39. Ben Whaley, Director, Security and Operations, Kountable