Slide 1

Slide 1 text

Top tips for developing and deploying on AWS
Craig Bruce
DjangoCon US, 2nd Sept 2014

Slide 2

Slide 2 text

me
• @craigbruce
• Computational Chemistry & Cheminformatics
• Scientific Software Developer
  – OpenEye Scientific Software, Inc.
• Django since 2009

August 31, 2014 ©2014 OpenEye Scientific Software

Slide 3

Slide 3 text

Open who?
• Molecular modeling and cheminformatics
• DSF Corporate Member
• APN Technology Partner

Slide 4

Slide 4 text

OpenEye

Slide 5

Slide 5 text

OpenEye

Slide 6

Slide 6 text


Slide 7

Slide 7 text

Image credit: Amazon Web Services

Slide 8

Slide 8 text

“AWS has five times more compute capacity than the rest of the top 14 cloud providers combined”

Slide 9

Slide 9 text


Slide 10

Slide 10 text

Useful AWS products (there are many more)

Slide 11

Slide 11 text

Route 53
• DNS
• Domain Name Registration (since 31 July 2014)

Slide 12

Slide 12 text

ElastiCache

Slide 13

Slide 13 text

DynamoDB
• NoSQL
• pip install pynamodb

Slide 14

Slide 14 text

RDS
• Relational Database Service

Slide 15

Slide 15 text

TLS tangent
• RDS
• ELB
• CloudFront
• S3
• All AWS Endpoints

    DATABASES = {
        'default': {
            'ENGINE': 'django.db.backends.postgresql_psycopg2',
            # …
            'OPTIONS': {
                # verify-full checks the server certificate chain and hostname
                'sslmode': 'verify-full',
                'sslrootcert': '/tmp/rds-ssl-ca-cert.pem',
            },
        }
    }
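Added example (not from the talk): a check that could run before deployment to flag Django PostgreSQL entries whose libpq TLS options are weaker than the verify-full setting on this slide. The function name audit_db_tls and the sample hosts are constructed for illustration.

```python
# Added example: audit Django DATABASES entries for PostgreSQL TLS options.
# libpq sslmode values, weakest to strongest; only verify-full checks both the
# certificate chain and that the server hostname matches the certificate.
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]


def audit_db_tls(databases):
    """Return sorted (alias, problem) pairs for PostgreSQL entries with weak TLS."""
    findings = []
    for alias, cfg in databases.items():
        if "postgresql" not in cfg.get("ENGINE", ""):
            continue  # sslmode is a libpq option; other backends differ
        opts = cfg.get("OPTIONS", {})
        mode = opts.get("sslmode", "prefer")  # libpq default when unset
        if mode not in SSLMODES:
            findings.append((alias, "unknown sslmode %r" % mode))
        elif mode != "verify-full":
            findings.append((alias, "sslmode %r does not verify the server hostname" % mode))
        elif not opts.get("sslrootcert"):
            # Without an explicit CA bundle libpq looks in ~/.postgresql/root.crt
            findings.append((alias, "verify-full without an explicit sslrootcert"))
    return sorted(findings)


# Constructed sample settings (hypothetical hosts, not from the talk).
SAMPLE_DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.postgresql_psycopg2",
        "HOST": "db.example.internal",
        "OPTIONS": {"sslmode": "verify-full",
                    "sslrootcert": "/tmp/rds-ssl-ca-cert.pem"},
    },
    "reporting": {
        "ENGINE": "django.db.backends.postgresql_psycopg2",
        "HOST": "reports.example.internal",
        "OPTIONS": {"sslmode": "require"},
    },
    "legacy": {
        "ENGINE": "django.db.backends.postgresql_psycopg2",
        "HOST": "legacy.example.internal",
    },
    "cache": {"ENGINE": "django.db.backends.sqlite3", "NAME": ":memory:"},
}

if __name__ == "__main__":
    for alias, problem in audit_db_tls(SAMPLE_DATABASES):
        print("%s: %s" % (alias, problem))
```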

Slide 16

Slide 16 text

S3
• Simple Storage Service
• 99.999999999% durability
• A home for your static assets
• Works best with…

Slide 17

Slide 17 text

CloudFront
• Your personal CDN
• Use edge locations to speed up delivery
• TLS available by default

Slide 18

Slide 18 text

SES
• Simple Email Service
• pip install django-ses

Slide 19

Slide 19 text

VPC
• Virtual Private Cloud
• Secure by default
• Complicated (read the docs/white papers)
• Excellent integration with on-premise resources

Slide 20

Slide 20 text

Boto
• Now supports Python 3!
• Supports EC2 Roles
• AWS CLI (written in Python)
• pip install boto
• pip install awscli

Slide 21

Slide 21 text


Slide 22

Slide 22 text

Elastic Beanstalk
• Build an application
• Deploy by uploading to AWS with minimum configuration

Slide 23

Slide 23 text


Slide 24

Slide 24 text


Slide 25

Slide 25 text


Slide 26

Slide 26 text

When EB is too restrictive
• CloudFormation
• Create a JSON template of every AWS resource you need
• pip install troposphere

Slide 27

Slide 27 text


Slide 28

Slide 28 text

Shared Security model
“AWS has secured the underlying infrastructure and you must secure anything you put on the infrastructure”
Source: http://aws.amazon.com/security/

Slide 29

Slide 29 text

Security
• Use IAM
  – Identity and Access Management
Slides from re:Invent 2013

Slide 30

Slide 30 text

1. Users
• 1 AWS account, multiple users
• Unique permissions
• Unique credentials

Slide 31

Slide 31 text

2. Groups
• All users belong to groups
• Everyone gets the right permissions
• User-specific permissions will hurt you

Slide 32

Slide 32 text

3. Permissions
• Grant least privilege
• Easy to add more later

Slide 33

Slide 33 text

4. Passwords
• Make them strong with a policy
• Do users even need a password?
• Password is for AWS Management Console
• Useless for API users

Slide 34

Slide 34 text

5. MFA
• A must for the root account
• Strongly recommended for Power Users

Slide 35

Slide 35 text

6. Roles
• For EC2
• Automatically rotating keys
• No keys in your code (works with Boto)

Slide 36

Slide 36 text

7. Sharing
• Roles can be used to share credentials between AWS accounts

Slide 37

Slide 37 text

8. Rotation
• Easy with EC2 Roles
• Otherwise by hand

Slide 38

Slide 38 text

9. Conditions
• Enable permissions to require
  – MFA
  – TLS
  – Source IP
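Added example (not from the talk): an IAM policy statement that requires MFA, TLS and a source IP range, with a simplified evaluator that models only the Condition block (no action or resource matching, single-valued tests only). The action, the CIDR and the request contexts are constructed; the condition keys aws:MultiFactorAuthPresent, aws:SecureTransport and aws:SourceIp are real IAM global keys.

```python
# Added example: simplified model of how an IAM Condition block is evaluated.
import ipaddress

# Constructed policy; the action and the CIDR (a documentation range) are
# placeholders. Every test in the Condition block must pass (logical AND).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:TerminateInstances",
        "Resource": "*",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true",
                     "aws:SecureTransport": "true"},
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        },
    }],
}

OPERATORS = {
    "Bool": lambda want, got: str(got).lower() == want.lower(),
    "IpAddress": lambda cidr, got: ipaddress.ip_address(got) in ipaddress.ip_network(cidr),
}


def failed_conditions(statement, context):
    """Return the condition keys the request context does not satisfy."""
    failed = []
    for operator, tests in statement.get("Condition", {}).items():
        for key, expected in tests.items():
            # A key missing from the request never matches Bool or IpAddress.
            if key not in context or not OPERATORS[operator](expected, context[key]):
                failed.append(key)
    return sorted(failed)


def is_allowed(policy, context):
    """True if any Allow statement has all of its conditions satisfied."""
    return any(s["Effect"] == "Allow" and not failed_conditions(s, context)
               for s in policy["Statement"])


# Constructed request contexts. A request signed with a long-term access key
# carries no aws:MultiFactorAuthPresent key at all.
CONSOLE_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:SecureTransport": "true",
               "aws:SourceIp": "203.0.113.25"}
ACCESS_KEY_OFFSITE = {"aws:SecureTransport": "true", "aws:SourceIp": "198.51.100.7"}
```

The second context fails on two keys at once, which is the kind of result worth logging when debugging an unexpected AccessDenied.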

Slide 39

Slide 39 text

10. Root
• Never use it
• Only account with full IAM access
• Physical MFA a must

Slide 40

Slide 40 text

AWS Support
• Email (next day)
• Telephone & Chat (near instant)
• Join AWS Partner Network (APN)
• Get an account manager
  – Sign an NDA
  – Get on private betas

Slide 41

Slide 41 text

Keep up
• Blog (http://aws.amazon.com/blogs/aws/)
  – Other blogs with specific themes
• Mailing list
• @awscloud
  – Other accounts @AWSIdentity
• AWS Summits
• AWS re:Invent

Slide 42

Slide 42 text


Slide 43

Slide 43 text

Conclusions
• Easy to prototype with AWS services
• Roll your own if you need more flexibility
• Get your IAM settings right from day one
• Always changing so you should keep up
• New features, which get cheaper over time
• Use the Free Tier

Slide 44

Slide 44 text

Thanks for your attention
Questions?
• @craigbruce