AcademyCloudFoundations Module 09

Here are the key questions I would ask AnyCompany about their operational excellence:
Current state:
- AnyCompany determines priorities manually based on customer feedback and sales.
Future state:
- AnyCompany should implement a formal process to determine priorities based on business goals and metrics. This will help ensure resources are focused on the most important work.
Top improvement:
- AnyCompany should implement automated monitoring and logging of their systems to more quickly identify and respond to issues. This will help improve reliability and allow them to learn from operational events.

Uploaded by anmolgupta2468

AWS Academy Cloud Foundations

Module 9: Cloud Architecture

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module overview

Topics
• AWS Well-Architected Framework
• Reliability and high availability
• AWS Trusted Advisor

Activities
• AWS Well-Architected Framework Design Principles
• Interpret AWS Trusted Advisor Recommendations

Knowledge check
Module objectives

After completing this module, you should be able to:


• Describe the AWS Well-Architected Framework, including the five pillars
• Identify the design principles of the AWS Well-Architected Framework
• Explain the importance of reliability and high availability
• Identify how AWS Trusted Advisor helps customers
• Interpret AWS Trusted Advisor recommendations
Module 9: Cloud Architecture

Section 1: AWS Well-Architected Framework

Architecture: designing and building

Diagram labels: Architect; Customer (decision maker); Building crew (delivery team); Structure design; Completed structure.
What is the AWS Well-Architected Framework?

• A guide for designing infrastructures that are:
  • Secure
  • High-performing
  • Resilient
  • Efficient
• A consistent approach to evaluating and implementing cloud architectures
• A way to provide best practices that were developed through lessons learned by reviewing customer architectures
Pillars of the AWS Well-Architected Framework

• Operational excellence
• Security
• Reliability
• Performance efficiency
• Cost optimization
Pillar organization
Best practice area: Identity and Access Management
Question text: SEC 1: How do you manage credentials and authentication?
Question context: Credential and authentication mechanisms include passwords, tokens, and keys that grant access directly or indirectly in your workload. Protect credentials with appropriate mechanisms to help reduce the risk of accidental or malicious use.
Best practices:
• Define requirements for identity and access management
• Secure AWS account root user
• Enforce use of multi-factor authentication
• Automate enforcement of access controls
• Integrate with centralized federation provider
• Enforce password requirements
• Rotate credentials regularly
• Audit credentials periodically
Introduction to the AWS Well-Architected Framework Design Principles: Activity

Pillars: Operational excellence, Security, Reliability, Performance efficiency, Cost optimization
AnyCompany background

• AnyCompany Corporation: “Cityscapes you can stand over”
• Founded in 2008 by John Doe
• Sells 3D-printed cityscapes
• About to apply for investment
• Has asked you to perform a review of their platform as part of their due diligence
• Cloud native
AnyCompany background (continued)

AnyCompany architecture: Fly and Snap

AnyCompany architecture: Show and Sell
AnyCompany architecture: Make and Ship
Activity overview

• Break into small groups.
• You will learn about each of the pillars. At the end of each pillar, there is a set of questions from the AWS Well-Architected Framework for you to work through with your group. Use these Framework questions to guide your review of the AnyCompany architecture.
• For each Well-Architected Framework question, answer the following questions about the AnyCompany architecture:
  • What is the CURRENT STATE (what is AnyCompany doing now)?
  • What is the FUTURE STATE (what do you think AnyCompany should be doing)?
• Agree on the top improvement that AnyCompany should make to its architecture for each set of Well-Architected Framework questions.
• Hint: There are no right or wrong answers.
Operational Excellence pillar

Deliver business value.

• Focus
  • Run and monitor systems to deliver business value, and to continually improve supporting processes and procedures.
• Key topics
  • Automating changes
  • Responding to events
  • Defining standards to manage daily operations
Operational excellence design principles

• Perform operations as code
• Make frequent, small, reversible changes
• Refine operations procedures frequently
• Anticipate failure
• Learn from all operational events and failures
Operational excellence questions
Organization
• How do you determine what your priorities are?
• How do you structure your organization to support your business outcomes?
• How does your organizational culture support your business outcomes?

Prepare
• How do you design your workload so that you can understand its state?
• How do you reduce defects, ease remediation, and improve flow into production?
• How do you mitigate deployment risks?
• How do you know that you are ready to support a workload?

Operate
• How do you understand the health of your workload?
• How do you understand the health of your operations?
• How do you manage workload and operations events?

Evolve
• How do you evolve operations?
Activity breakout

Security pillar

Protect and monitor systems.

• Focus
  • Protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
• Key topics
  • Protecting confidentiality and integrity of data
  • Identifying and managing who can do what
  • Protecting systems
  • Establishing controls to detect security events
Security design principles

• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events
Security questions

Security
• How do you securely operate your workload?

Identity and access management
• How do you manage identities for people and machines?
• How do you manage permissions for people and machines?

Detection
• How do you detect and investigate security events?

Infrastructure protection
• How do you protect your network resources?
• How do you protect your compute resources?

Data protection
• How do you classify your data?
• How do you protect your data at rest?
• How do you protect your data in transit?

Incident response
• How do you anticipate, respond to, and recover from incidents?
Activity breakout

Reliability pillar

Recover from failure and mitigate disruption.

• Focus
  • Ensure a workload performs its intended function correctly and consistently when it’s expected to.
• Key topics
  • Designing distributed systems
  • Recovery planning
  • Handling change
Reliability design principles

• Automatically recover from failure
• Test recovery procedures
• Scale horizontally to increase aggregate workload availability
• Stop guessing capacity
• Manage change in automation
Reliability questions

Foundations
• How do you manage service quotas and constraints?
• How do you plan your network topology?

Workload architecture
• How do you design your workload service architecture?
• How do you design interactions in a distributed system to prevent failure?
• How do you design interactions in a distributed system to mitigate or withstand failures?

Change management
• How do you monitor workload resources?
• How do you design your workload to adapt to changes in demand?
• How do you implement change?

Failure management
• How do you back up data?
• How do you use fault isolation to protect your workload?
• How do you design your workload to withstand component failures?
• How do you test reliability?
• How do you plan for disaster recovery?
Activity breakout

Performance Efficiency pillar

Use resources sparingly.

• Focus
  • Use IT and computing resources efficiently to meet system requirements and to maintain that efficiency as demand changes and technologies evolve.
• Key topics
  • Selecting the right resource types and sizes based on workload requirements
  • Monitoring performance
  • Making informed decisions to maintain efficiency as business needs evolve
Performance efficiency design principles

• Democratize advanced technologies
• Go global in minutes
• Use serverless architectures
• Experiment more often
• Consider mechanical sympathy
Performance efficiency questions

Selection
• How do you select the best performing architecture?
• How do you select your compute solution?
• How do you select your storage solution?
• How do you select your database solution?
• How do you configure your networking solution?

Review
• How do you evolve your workload to take advantage of new releases?

Monitoring
• How do you monitor your resources to ensure they are performing?

Tradeoffs
• How do you use tradeoffs to improve performance?
Activity breakout

Cost Optimization pillar

Eliminate unneeded expense.

• Focus
  • Avoid unnecessary costs.
• Key topics
  • Understanding and controlling where money is being spent
  • Selecting the most appropriate and right number of resource types
  • Analyzing spend over time
  • Scaling to meet business needs without overspending
Cost optimization design principles

• Implement Cloud Financial Management
• Adopt a consumption model
• Measure overall efficiency
• Stop spending money on undifferentiated heavy lifting
• Analyze and attribute expenditure
Cost optimization questions

Practice cloud financial management
• How do you implement cloud financial management?

Expenditure and usage awareness
• How do you govern usage?
• How do you monitor usage and cost?
• How do you decommission resources?

Cost-effective resources
• How do you evaluate cost when you select services?
• How do you meet cost targets when you select resource type, size, and number?
• How do you use pricing models to reduce cost?
• How do you plan for data transfer changes?

Manage demand and supply resources
• How do you manage demand and supply resources?

Optimize over time
• How do you evaluate new services?
Activity breakout

The AWS Well-Architected Tool

• Helps you review the state of your workloads and compares them to the latest AWS architectural best practices
• Gives you access to knowledge and best practices used by AWS architects, whenever you need it
• Delivers an action plan with step-by-step guidance on how to build better workloads for the cloud
• Provides a consistent process for you to review and measure your cloud architectures
Section 1 key takeaways

• The AWS Well-Architected Framework provides a consistent approach to evaluate cloud architectures and guidance to help implement designs.
• The AWS Well-Architected Framework documents a set of foundational questions that enable you to understand if a specific architecture aligns well with cloud best practices.
• The AWS Well-Architected Framework is organized into five pillars.
• Each pillar includes a set of design principles and best practices.
Module 9: Cloud Architecture

Section 2: Reliability and availability

“Everything fails, all the time.”

Werner Vogels, CTO, Amazon.com
Reliability

• A measure of your system’s ability to provide functionality when desired by the user.
• System includes all system components: hardware, firmware, and software.
• Probability that your entire system will function as intended for a specified period.
• Mean time between failures (MTBF) = total time in service / number of failures

Diagram: a car as the system, with the brakes, ignition, and cooling system as system components.
Understanding reliability metrics

Timeline: the system is brought online (system available); Mean Time to Failure (MTTF) elapses until the system (component) fails; Mean Time to Repair (MTTR) elapses until the system (component) is repaired. Mean Time Between Failures: MTBF = MTTF + MTTR.
Availability

• Normal operation time / total time
• A percentage of uptime (for example, 99.9 percent) over time (for example, 1 year)
• Number of 9s: five 9s means 99.999 percent availability
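The MTBF, MTTF, MTTR and availability definitions from the last three slides, worked through in Python as an added example (my code, not part of the AWS deck). The series and parallel composition helpers go beyond the slides: they generalize the car-and-components picture to a system of independent components, which is this example's assumption, not a statement of the module.

```python
"""Reliability and availability arithmetic built on the deck's definitions.

Added worked example; it is not part of the AWS slide deck. It uses the
slide definitions directly: MTBF = total time in service / number of
failures, MTBF = MTTF + MTTR, availability = normal operation time / total
time. The series/parallel composition helpers are an added generalization
that assumes independent component failures.
"""
from datetime import datetime
from math import prod

HOURS_PER_YEAR = 365 * 24  # the deck's "for example, 1 year"; leap days ignored


def mtbf_hours(total_service_hours, failures):
    """MTBF = total time in service / number of failures (slide definition)."""
    if failures <= 0:
        raise ValueError("MTBF is undefined without at least one failure")
    return total_service_hours / failures


def availability(mttf_hours, mttr_hours):
    """Uptime over total time for one failure cycle: MTTF / (MTTF + MTTR) = MTTF / MTBF."""
    return mttf_hours / (mttf_hours + mttr_hours)


def downtime_budget_minutes(availability_percent, period_hours=HOURS_PER_YEAR):
    """Minutes of downtime that a target such as 99.999 percent allows per period.

    Five 9s over a 365-day year comes to about 5.26 minutes.
    """
    return (1.0 - availability_percent / 100.0) * period_hours * 60.0


def series_availability(component_availabilities):
    """System that needs every component up (the car needs brakes AND ignition
    AND cooling): availabilities multiply, so each added dependency lowers it.
    Assumes independent failures (added generalization)."""
    return prod(component_availabilities)


def parallel_availability(component_availabilities):
    """Redundant copies where any one being up is enough: the system is down
    only when every copy is down at once. Assumes independent failures."""
    return 1.0 - prod(1.0 - a for a in component_availabilities)


def metrics_from_outages(online, offline, outages):
    """Derive MTTF, MTTR, MTBF and availability from observed outage windows.

    `outages` is a non-empty list of (start, end) datetimes within [online, offline).
    """
    total_hours = (offline - online).total_seconds() / 3600.0
    downtime_hours = sum((end - start).total_seconds() / 3600.0 for start, end in outages)
    failures = len(outages)
    mtbf = mtbf_hours(total_hours, failures)
    mttr = downtime_hours / failures
    return {
        "mtbf_hours": mtbf,
        "mttr_hours": mttr,
        "mttf_hours": mtbf - mttr,  # MTBF = MTTF + MTTR
        "availability": (total_hours - downtime_hours) / total_hours,
    }


# Constructed sample: one year of service with two outages (not real data).
SAMPLE_ONLINE = datetime(2023, 1, 1)
SAMPLE_OFFLINE = datetime(2024, 1, 1)
SAMPLE_OUTAGES = [
    (datetime(2023, 3, 1, 0, 0), datetime(2023, 3, 1, 2, 0)),      # 2 hours
    (datetime(2023, 9, 10, 10, 0), datetime(2023, 9, 10, 11, 0)),  # 1 hour
]

if __name__ == "__main__":
    m = metrics_from_outages(SAMPLE_ONLINE, SAMPLE_OFFLINE, SAMPLE_OUTAGES)
    print(f"MTBF {m['mtbf_hours']:.1f} h, MTTR {m['mttr_hours']:.2f} h, "
          f"availability {m['availability'] * 100:.4f} %")
    print(f"Five 9s allow {downtime_budget_minutes(99.999):.2f} min/year of downtime")
    print(f"Three 99.9% components in series: {series_availability([0.999] * 3):.6f}")
```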

High availability

• System can withstand some measure of degradation while still remaining available.
• Downtime is minimized.
• Minimal human intervention is required.
Availability tiers

Factors that influence availability

Fault tolerance
• The built-in redundancy of an application's components and its ability to remain operational.

Scalability
• The ability of an application to accommodate increases in capacity needs without changing design.

Recoverability
• The process, policies, and procedures that are related to restoring service after a catastrophic event.
Section 2 key takeaways

• Reliability is a measure of your system’s ability to provide functionality when desired by the user, and it can be measured in terms of MTBF.
• Availability is the percentage of time that a system is operating normally or correctly performing the operations expected of it (or normal operation time over total time).
• Three factors that influence the availability of your applications are fault tolerance, scalability, and recoverability.
• You can design your workloads and applications to be highly available, but there is a cost tradeoff to consider.
Module 9: Cloud Architecture

Section 3: AWS Trusted Advisor

AWS Trusted Advisor

• Online tool that provides real-time guidance to help you provision your resources following AWS best practices.
• Looks at your entire AWS environment and gives you real-time recommendations in five categories: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits.

Screenshot: the AWS Trusted Advisor dashboard, including potential monthly savings.
Activity: Interpret AWS Trusted Advisor recommendations
Activity: Recommendation #1
MFA on Root Account
Description: Checks the root account and warns if multi-factor authentication (MFA) is not enabled. For
increased security, we recommend that you protect your account by using MFA, which requires a user to
enter a unique authentication code from their MFA hardware or virtual device when interacting with the
AWS console and associated websites.
Alert Criteria: MFA is not enabled on the root account.
Recommended Action: Log in to your root account and activate an MFA device.

Activity: Recommendation #2
IAM Password Policy
Description: Checks the password policy for your account and warns when a password policy is not
enabled, or if password content requirements have not been enabled. Password content requirements
increase the overall security of your AWS environment by enforcing the creation of strong user passwords.
When you create or change a password policy, the change is enforced immediately for new users but does
not require existing users to change their passwords.
Alert Criteria: A password policy is enabled, but at least one content requirement is not enabled.
Recommended Action: If some content requirements are not enabled, consider enabling them. If no
password policy is enabled, create and configure one. See Setting an Account Password Policy for IAM
Users.

Activity: Recommendation #3
Security Groups – Unrestricted Access

Description: Checks security groups for rules that allow unrestricted access to a resource. Unrestricted
access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data).

Alert Criteria: A security group rule has a source IP address with a /0 suffix for ports other than 25, 80, or 443.

Recommended Action: Restrict access to only those IP addresses that require it. To restrict access to a
specific IP address, set the suffix to /32 (for example, 192.0.2.10/32). Be sure to delete overly permissive
rules after creating rules that are more restrictive.
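The alert criterion above, re-implemented as an added example (my code, not Trusted Advisor's or AWS's). It evaluates constructed data in the shape of boto3's ec2.describe_security_groups() response, treats ::/0 as the IPv6 equivalent of a /0 source (an assumption beyond the slide), and attaches the slide's recommended action to each finding.

```python
"""Trusted Advisor-style check for security group rules open to the world.

Added example; not Trusted Advisor's own code. It re-implements the alert
criterion from the slide: flag any inbound rule whose source is a /0 CIDR
(0.0.0.0/0, and ::/0 as an assumed IPv6 equivalent) on ports other than
25, 80 or 443. Input follows the shape of boto3's
ec2.describe_security_groups() response, constructed inline below.
"""
from ipaddress import ip_network

EXEMPT_PORTS = {25, 80, 443}  # SMTP, HTTP, HTTPS: the ports the check tolerates


def is_world_open(cidr):
    """True for a /0 source, i.e. the whole IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_is_exempt(permission):
    """Only a single-port TCP/UDP rule on 25, 80 or 443 is tolerated.

    The exempt ports are not adjacent, so any range wider than one port
    necessarily exposes a non-exempt port; "-1" means all traffic.
    """
    if permission.get("IpProtocol") not in ("tcp", "udp"):
        return False
    from_port, to_port = permission.get("FromPort"), permission.get("ToPort")
    return from_port == to_port and from_port in EXEMPT_PORTS


def unrestricted_rules(security_groups):
    """Return one finding per /0 source on every non-exempt inbound rule."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if rule_is_exempt(perm):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if is_world_open(cidr):
                    findings.append({
                        "group_id": sg["GroupId"],
                        "protocol": perm.get("IpProtocol"),
                        "from_port": perm.get("FromPort"),
                        "to_port": perm.get("ToPort"),
                        "source": cidr,
                        # The slide's recommended action: narrow the source to
                        # the addresses that need access (a /32 per host) and
                        # delete the permissive rule afterwards.
                        "action": "restrict source to required addresses (/32) "
                                  "and delete this rule afterwards",
                    })
    return findings


# Constructed sample in the describe_security_groups() shape (not real groups).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa11112222bbbb3", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # exempt: HTTPS
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # flagged: port 22
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},       # not /0: passes
    ]},
    {"GroupId": "sg-0ccc33334444dddd5", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},             # flagged twice
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # flagged: range
    ]},
]

if __name__ == "__main__":
    for f in unrestricted_rules(SAMPLE_GROUPS):
        print(f"{f['group_id']}: {f['protocol']} {f['from_port']}-{f['to_port']} "
              f"from {f['source']} -> {f['action']}")
```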

Activity: Recommendation #4
Amazon EBS Snapshots

Description: Checks the age of the snapshots for your Amazon Elastic Block Store (Amazon EBS) volumes (available or in-use). Even though Amazon EBS volumes are replicated, failures can occur. Snapshots are persisted to Amazon Simple Storage Service (Amazon S3) for durable storage and point-in-time recovery.

Alert Criteria:
Yellow: The most recent volume snapshot is between 7 and 30 days old.
Red: The most recent volume snapshot is more than 30 days old.
Red: The volume does not have a snapshot.

Recommended Action: Create weekly or monthly snapshots of your volumes.
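The three alert criteria above applied to constructed volume and snapshot records, as an added example (my code, not Trusted Advisor's or AWS's). The records mimic the shape of boto3's ec2.describe_volumes() and ec2.describe_snapshots() responses; counting exactly 7 and exactly 30 days as Yellow, and ignoring snapshots that are not in the completed state, are this example's assumptions.

```python
"""Trusted Advisor-style check of Amazon EBS snapshot age.

Added example; this is not Trusted Advisor's own code. It applies the
slide's alert criteria to constructed data shaped like boto3's
ec2.describe_volumes() and ec2.describe_snapshots() responses: Yellow when
a volume's newest snapshot is 7 to 30 days old, Red when it is older than
30 days, Red when the volume has no snapshot at all. Treating exactly 7
and exactly 30 days as Yellow is this example's reading of "between".
"""
from datetime import datetime, timedelta, timezone

YELLOW_FROM_DAYS = 7
RED_AFTER_DAYS = 30


def newest_snapshot_per_volume(snapshots):
    """Map VolumeId -> StartTime of its most recent completed snapshot."""
    newest = {}
    for snap in snapshots:
        if snap.get("State") != "completed":
            continue  # a pending or failed snapshot is not a usable restore point
        vol = snap["VolumeId"]
        if vol not in newest or snap["StartTime"] > newest[vol]:
            newest[vol] = snap["StartTime"]
    return newest


def snapshot_status(volume_id, newest, now):
    """Return (colour, reason) for one volume per the slide's alert criteria."""
    last = newest.get(volume_id)
    if last is None:
        return "red", "volume has no snapshot"
    age_days = (now - last).days
    if age_days > RED_AFTER_DAYS:
        return "red", f"most recent snapshot is {age_days} days old"
    if age_days >= YELLOW_FROM_DAYS:
        return "yellow", f"most recent snapshot is {age_days} days old"
    return "green", f"most recent snapshot is {age_days} days old"


def check_snapshot_age(volumes, snapshots, now):
    """Evaluate every volume; a volume absent from `snapshots` comes out Red."""
    newest = newest_snapshot_per_volume(snapshots)
    return {v["VolumeId"]: snapshot_status(v["VolumeId"], newest, now)
            for v in volumes}


# Constructed sample data (not real resources); "now" is fixed so results are stable.
NOW = datetime(2024, 3, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_VOLUMES = [{"VolumeId": v} for v in
                  ("vol-0aaa0001", "vol-0bbb0002", "vol-0ccc0003", "vol-0ddd0004")]
SAMPLE_SNAPSHOTS = [
    {"VolumeId": "vol-0aaa0001", "State": "completed", "StartTime": NOW - timedelta(days=2)},
    {"VolumeId": "vol-0bbb0002", "State": "completed", "StartTime": NOW - timedelta(days=60)},
    {"VolumeId": "vol-0bbb0002", "State": "completed", "StartTime": NOW - timedelta(days=10)},
    {"VolumeId": "vol-0bbb0002", "State": "pending", "StartTime": NOW - timedelta(hours=3)},
    {"VolumeId": "vol-0ccc0003", "State": "completed", "StartTime": NOW - timedelta(days=45)},
    # vol-0ddd0004 deliberately has no snapshot at all.
]

if __name__ == "__main__":
    for vol, (colour, reason) in check_snapshot_age(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, NOW).items():
        print(f"{vol}: {colour.upper():6} {reason}")
```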

Activity: Recommendation #5
Amazon S3 Bucket Logging
Description: Checks the logging configuration of Amazon Simple Storage Service (Amazon S3) buckets.
When server access logging is enabled, detailed access logs are delivered hourly to a bucket that you
choose. An access log record contains details about each request, such as the request type, the resources
specified in the request, and the time and date the request was processed. By default, bucket logging is not
enabled; you should enable logging if you want to perform security audits or learn more about users and
usage patterns.
Alert Criteria:
Yellow: The bucket does not have server access logging enabled.
Yellow: The target bucket permissions do not include the owner account. Trusted Advisor cannot check it.
Recommended Action:
Enable bucket logging for most buckets.
If the target bucket permissions do not include the owner account and you want Trusted Advisor to check
the logging status, add the owner account as a grantee.

Section 3 key takeaways

• AWS Trusted Advisor is an online tool that provides real-time guidance to help you provision your resources by following AWS best practices.
• AWS Trusted Advisor looks at your entire AWS environment and gives you real-time recommendations in five categories.
• You can use AWS Trusted Advisor to help you optimize your AWS environment as soon as you start implementing your architecture designs.
Module 9: Cloud Architecture

Module wrap-up

Module summary

In summary, in this module you learned how to:

• Describe the AWS Well-Architected Framework, including the five pillars
• Identify the design principles of the AWS Well-Architected Framework
• Explain the importance of reliability and high availability
• Identify how AWS Trusted Advisor helps customers
• Interpret AWS Trusted Advisor recommendations
Complete the knowledge check

Sample exam question

A SysOps engineer working at a company wants to protect their data in transit and
at rest. What services could they use to protect their data?

A. Elastic Load Balancing
B. Amazon Elastic Block Store (Amazon EBS)
C. Amazon Simple Storage Service (Amazon S3)
D. All of the above
Additional resources

• AWS Well-Architected website
• AWS Well-Architected Framework whitepaper
• AWS Well-Architected Labs
• AWS Trusted Advisor Best Practice Checks
Thank You

© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. Corrections or feedback on the course, please email us at: aws-course-[email protected]. For all other questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.
