Top tips for developing and deploying on AWS

Craig Bruce
September 02, 2014

Presented at DjangoCon US 2014

Amazon Web Services (AWS) is the leader in cloud computing. The AWS service offering is vast and continually evolving. As AWS grows, so does the pace of innovation: there are hundreds of updates every year. Keeping up with the changes is not trivial. This talk will highlight top tips for both new and experienced users of AWS with a view to deploying a website, powered by Django naturally.

Transcript

  1. me • @craigbruce • Computational Chemistry & Cheminformatics • Scientific Software Developer – OpenEye Scientific Software, Inc. • Django since 2009 August 31, 2014 ©2014 OpenEye Scientific Software
  2. Open who? • Molecular modeling and cheminformatics • DSF Corporate Member • APN Technology Partner
  3. “AWS has five times more compute capacity than the rest of the top 14 cloud providers combined”
  4. Route 53 • DNS • Domain Name Registration (since 31 July 2014)
  5. TLS tangent • RDS • ELB • CloudFront • S3 • All AWS Endpoints

        DATABASES = {
            'default': {
                'ENGINE': 'django.db.backends.postgresql_psycopg2',
                # …
                'OPTIONS': {
                    # verify-full: validate the server certificate chain and its hostname
                    'sslmode': 'verify-full',
                    # CA certificate used to verify the RDS server certificate
                    'sslrootcert': '/tmp/rds-ssl-ca-cert.pem',
                },
            },
        }

  6. S3 • Simple Storage Service • 99.999999999% durability • A home for your static assets • Works best with…
  7. CloudFront • Your personal CDN • Use edge locations to speed up delivery • TLS available by default
  8. SES • Simple Email Service • pip install django-ses
  9. VPC • Virtual Private Cloud • Secure by default • Complicated (read the docs/white papers) • Excellent integration with on-premise resources
  10. Boto • Now supports Python 3! • Supports EC2 Roles • AWS CLI (written in Python) • pip install boto • pip install awscli
  11. Elastic Beanstalk • Build an application • Deploy by uploading to AWS with minimum configuration
  12. When EB is too restrictive • CloudFormation • Create a JSON template of every AWS resource you need • pip install troposphere
  14. Shared Security model • “AWS has secured the underlying infrastructure and you must secure anything you put on the infrastructure” • Source: http://aws.amazon.com/security/
  15. Security • Use IAM – Identity and Access Management • Slides from re:Invent 2013
  16. 1. Users • 1 AWS account, multiple users • Unique permissions • Unique credentials
  17. 2. Groups • All users belong to groups • Everyone gets the right permissions • User specific permissions will hurt you
  18. 3. Permissions • Grant least privilege • Easy to add more later
  19. 4. Passwords • Make them strong with a policy • Do users even need a password? • Password is for AWS Management Console • Useless for API users
  20. 5. MFA • A must for the root account • Strongly recommended for Power Users
  21. 6. Roles • For EC2 • Automatically rotating keys • No keys in your code (works with Boto)
  22. 7. Sharing • Roles can be used to share credentials between AWS accounts
  23. 8. Rotation • Easy with EC2 Roles • Otherwise by hand
  24. 9. Conditions • Enable permissions to require – MFA – TLS – Source IP
  25. 10. Root • Never use it • Only account with full IAM access • Physical MFA a must
  26. AWS Support • Email (next day) • Telephone & Chat (near instant) • Join AWS Partner Network (APN) • Get an account manager – Sign an NDA – Get on private betas
  27. Keep up • Blog (http://aws.amazon.com/blogs/aws/) – Other blogs with specific themes • Mailing list • @awscloud – Other accounts @AWSIdentity • AWS Summits • AWS re:Invent
  28. Conclusions • Easy to prototype with AWS services • Roll your own if you need more flexibility • Get your IAM settings right from day one • Always changing so you should keep up • New features, which get cheaper over time • Use the Free Tier
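
An added example, not code from the talk or from AWS: a static check of IAM policy documents for the points on slides 18 and 24, flagging wildcard grants and `Allow` statements that do not require MFA, TLS and a source IP. The sample policy, bucket name and CIDR are constructed; `aws:MultiFactorAuthPresent`, `aws:SecureTransport` and `aws:SourceIp` are IAM's global condition keys.

```python
import json

# Constructed sample policy (not from the talk); bucket name and CIDR are placeholders.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Sid": "ScopedUpload", "Effect": "Allow", "Action": ["s3:PutObject"],
   "Resource": "arn:aws:s3:::example-static-assets/*",
   "Condition": {
     "Bool": {"aws:MultiFactorAuthPresent": "true", "aws:SecureTransport": "true"},
     "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
 ]}
""")

# Slide 24's three conditions, expressed as IAM global condition keys.
REQUIRED_KEYS = ("aws:MultiFactorAuthPresent", "aws:SecureTransport", "aws:SourceIp")

def as_list(value):  # IAM accepts either a single string/object or a list
    return value if isinstance(value, list) else [value]

def condition_keys(statement):
    """Collect condition keys across all operators; key names are case-insensitive."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(key.lower() for key in operator_block)
    return keys

def audit_policy(policy, required=REQUIRED_KEYS):
    """Return (sid, problem) pairs for Allow statements that are too permissive."""
    findings = []
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access
        sid = stmt.get("Sid", "statement[%d]" % index)
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "wildcard action " + action))
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append((sid, "wildcard resource"))
        present = condition_keys(stmt)
        missing = [key for key in required if key.lower() not in present]
        if missing:
            findings.append((sid, "missing conditions: " + ", ".join(missing)))
    return findings

if __name__ == "__main__":
    for sid, problem in audit_policy(SAMPLE_POLICY):
        print(sid, "->", problem)
```

The check only looks at whether each condition key is present on a statement; it does not evaluate operators or values the way IAM does, so treat a clean result as a lint pass rather than proof of least privilege.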