Amazon Web Services (AWS), the world’s most comprehensive and broadly adopted cloud platform, offers over 200 fully-featured services from data centres globally. With the mission to help customers of all sizes reap the full benefits of their services, AWS hosted Cost and Security Optimisation Clinics for Edtechs. The clinics garnered participation from EdTechs who wanted support for learning continuity on the cloud.
Startups gained insights on architectural best practices for designing a strong security posture of AWS infrastructure, while optimising costs. Here are the key takeaways:
Best practices for cost optimisation
AWS has developed the Well-Architected Framework to help cloud architects build secure, high-performing, resilient and cost-efficient infrastructure for their workloads. The framework rests on five pillars: operational excellence, security, reliability, performance efficiency and cost optimisation.
The cost optimisation clinics focused on how businesses can understand and control where money is being spent, analyse spends over time and scale to meet business needs, without overspending. Some of the best practices are as follows:
1) Prefer the current generation of Amazon EC2 instances over older generations, as they give better price-performance. Right-size storage as well: gp3 EBS volumes are priced about 20 percent lower per GB than gp2, and let you provision IOPS and throughput independently of volume size.
2) Choose deliberately between server-based and serverless architectures, and make sure that traffic between resources inside a VPC uses private IP addresses rather than public ones, so that it neither leaves the VPC nor incurs public data-transfer charges.
3) Use managed services to save upfront development and ongoing maintenance costs. With Amazon EKS you get a highly scalable, secured cluster deployed within 20-30 minutes, and many other managed services are available out of the box with usage-based pricing.
AWS Certificate Manager (ACM) also removes the cost and tedium of certificate management: public TLS certificates issued through ACM are free, and ACM renews them automatically for the AWS services they are attached to.
4) Match supply with demand by using Auto Scaling with smaller instances. EC2 Auto Scaling lets you react dynamically to changes in load, schedule capacity for regular workloads, optimise instance usage and reduce over-provisioning; warm pools keep pre-initialised instances ready so that scale-out is faster.
5) Practise cloud financial management: use AWS Organizations so that consolidated billing earns volume-based discounts across accounts, and AWS Budgets to set budgets, track actual spend against them and be alerted when they are exceeded.
AWS Instance Scheduler is another tool that provides custom start-and-stop schedules for Amazon EC2 and Amazon RDS instances; instances are selected by tag, can belong to multiple schedules, and schedules run at five-minute granularity.
6) Stay aware of usage and expenditure so that you do not pay for resources you do not need. AWS Cost Explorer, combined with cost allocation tags, gives different views of spend, and Cost Anomaly Detection surfaces unusual spend so that you can find the root cause of potential cost drivers.
7) Use AWS Compute Optimizer to keep optimising over time: it analyses usage patterns and flags under-utilised or idle instances. Customers with Business or Enterprise Support get the full set of AWS Trusted Advisor checks, which add further recommendations.
According to the AWS Solution Architects, businesses need to establish a cost optimisation function, whereby the architecture is constantly measured, monitored and improved to remain cost-effective.
Best practices for security optimisation
The security optimisation clinics highlighted the assessment approach to proactively monitor security posture on AWS.
At AWS, security is job zero, but in an organisation security is everyone's job. Under the AWS Shared Responsibility Model, responsibilities differ between the provider and the customer: security of the cloud (the physical infrastructure, host operating system and virtualisation layer) is AWS's responsibility, while security in the cloud (the guest operating system, applications, data, identity and network configuration) is the customer's.
Common security gaps that customers miss are misconfigured network and storage services, insufficient data classification procedures, and weak identity and access management.
AWS itself goes through independent third-party audits so that customers with highly sensitive workloads can rely on its controls; on the customer side, AWS helps with governance by providing best practices and tools.
1) Identity and access management – To set a strong identity foundation, make sure the root user is never used for day-to-day work, and consider AWS Organizations if you have multiple accounts. Set the account's security contacts and security questions, and centralise identities. Never store long-lived credentials in code or on instances; use IAM roles that issue temporary credentials instead. For an additional layer of security, enforce MFA (multi-factor authentication) everywhere, and audit identities and permissions periodically.
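As an added example (not code from the clinics or from AWS), here is the kind of periodic audit this point calls for, run over an IAM credential report, the CSV that `aws iam get-credential-report` returns. It flags an active root access key, root without MFA, recent root sign-ins, console users without MFA and access keys past a rotation age. The report below is constructed for the example with only the columns the check reads (a real report has more); the 90-day key age, the 30-day root quiet period and the fixed clock are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column format of `aws iam get-credential-report`
# (after base64 decoding); only the columns this audit reads are included.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-02T09:15:00+00:00,false,true,2020-01-01T00:00:00+00:00,2024-04-30T10:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,2021-03-03T00:00:00+00:00,true,2024-05-01T08:00:00+00:00,true,true,2024-03-01T00:00:00+00:00,2024-05-01T08:00:00+00:00
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-03-03T00:00:00+00:00,false,N/A,false,true,2022-06-01T00:00:00+00:00,2024-05-01T08:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2022-07-07T00:00:00+00:00,true,no_information,false,false,N/A,N/A
"""

# Assumed policy thresholds and a fixed "now" so the run is reproducible.
MAX_KEY_AGE = timedelta(days=90)
ROOT_QUIET_PERIOD = timedelta(days=30)
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)


def _ts(value):
    """The report marks missing dates as N/A, no_information or not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW):
    """Return (user, message) findings for the hygiene rules in this section."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key_active = row["access_key_1_active"] == "true"
        if user == "<root_account>":
            if key_active:
                findings.append((user, "root has an active access key; delete it"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA enabled"))
            last_login = _ts(row["password_last_used"])
            if last_login and now - last_login < ROOT_QUIET_PERIOD:
                findings.append((user, "root signed in recently; root should not be used day to day"))
            continue
        # Human users: a console password without MFA is the gap this point warns about.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Long-lived keys: the stored-credential pattern that roles should replace.
        if key_active:
            rotated = _ts(row["access_key_1_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key older than {MAX_KEY_AGE.days} days; rotate it or replace the user with a role"))
    return findings


if __name__ == "__main__":
    for user, message in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {message}")
```

Against a real account, fetch the report with `aws iam get-credential-report --query Content --output text | base64 -d` and pass the decoded text to `audit_credential_report`; the `<root_account>` row name and the `N/A`/`no_information`/`not_supported` placeholders are what the real report uses.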
2) Network security – Use AWS WAF together with Amazon CloudFront, Amazon VPC and security groups, and enforce service-level permissions. Apply security at all layers: harden operating systems, run anti-malware and intrusion detection, scan your infrastructure and code, and patch vulnerabilities.
Amazon Inspector complements this with findings that describe each vulnerability, the specific resources affected and the recommended remediation.
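Misconfigured security groups are one of the common gaps named above, and the check for them is simple enough to script. As an added example (not code from the clinics or from AWS), the block below walks a list in the shape of `aws ec2 describe-security-groups` output and reports rules that admit the whole internet (0.0.0.0/0 or ::/0) either to every port or to administrative and database ports. The groups are constructed for the example and the list of risky ports is an assumption; a real run would feed in the `SecurityGroups` array from the CLI or SDK.

```python
import ipaddress

# Assumed list of ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample in the shape of the SecurityGroups array returned by
# `aws ec2 describe-security-groups`, trimmed to the fields this check reads.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "legacy",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def is_world_open(cidr):
    """A /0 prefix (0.0.0.0/0 or ::/0) means any address on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposed_rules(groups, admin_ports=ADMIN_PORTS):
    """Return (group id, description) for rules reachable from anywhere on risky ports."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_world_open(c) for c in sources):
                continue  # sources are private ranges or other security groups
            proto = perm["IpProtocol"]
            if proto == "-1":  # all protocols and ports; there is no range to inspect
                findings.append((group["GroupId"], "all traffic open to the world"))
                continue
            if proto not in ("tcp", "udp"):
                continue  # e.g. icmp, which has no port semantics
            low, high = perm["FromPort"], perm["ToPort"]
            for port, name in admin_ports.items():
                if low <= port <= high:
                    findings.append((group["GroupId"], f"{name} ({port}/{proto}) open to the world"))
    return findings


if __name__ == "__main__":
    for group_id, description in find_exposed_rules(SAMPLE_GROUPS):
        print(f"{group_id}: {description}")
```

Note that the `web` group passes: 443 open to the world is expected for a public endpoint, which is why the check is port-aware rather than flagging every 0.0.0.0/0 rule. The fix for a hit is to restrict the rule to a known administrative CIDR or to a source security group, as the `db` group already does.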
3) Data protection – AWS experts suggest classifying data and enforcing encryption on classified data, verifying who can access it, and using AWS Certificate Manager (ACM) for TLS certificates, among other best practices.
Amazon Macie helps discover, classify and protect sensitive data in AWS. It continuously assesses your Amazon S3 environment, and once the information is classified you know what kind of encryption and access controls to apply.
4) Detective controls – These assess your environment and provide the traceability needed to work back to what caused an incident. Enable Amazon GuardDuty for threat detection, and configure application and infrastructure logging so that activity can be traced. You can also enable AWS Security Hub, which aggregates and prioritises findings from these sources, runs security checks against benchmarks and helps you take action.
5) Incident response – To prepare for unexpected events, define your infrastructure as templates with AWS CloudFormation or the AWS Serverless Application Model (SAM) so that it can be rebuilt reliably. Automate the build and test procedure, check AWS Config rules, and automate the response to non-compliance and to security events.
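Infrastructure logging on AWS centres on CloudTrail, the record of API and console activity, and the traceability this point describes comes from running rules over those records. As an added example (not code from the clinics or from AWS, and not a substitute for GuardDuty), the block below applies three detections a practitioner would want on day one: any root-user activity, a successful console login without MFA, and calls that stop or alter CloudTrail itself. The records are constructed for the example and written one JSON object per line; the field names follow the CloudTrail record format, but the events are made up.

```python
import json

# Constructed CloudTrail records, one JSON object per line. Real trail files
# wrap records in {"Records": [...]}; the field names here match that format.
SAMPLE_EVENTS = """\
{"eventTime":"2024-05-02T09:15:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2024-05-02T09:20:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2024-05-02T09:31:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob","userName":"bob"},"sourceIPAddress":"198.51.100.9","requestParameters":{"name":"management-trail"}}
{"eventTime":"2024-05-02T09:40:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ReadOnly/ci"},"sourceIPAddress":"10.0.1.5"}
{"eventTime":"2024-05-02T09:45:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob","userName":"bob"},"sourceIPAddress":"198.51.100.9","responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}
"""

# CloudTrail API calls that reduce or redirect logging; an attacker's first move.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def rule_root_activity(event):
    """Any action by the root user; root should never be used day to day."""
    return event.get("userIdentity", {}).get("type") == "Root"


def rule_console_login_without_mfa(event):
    """A successful console sign-in where no MFA factor was presented."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No")


def rule_trail_tampering(event):
    """Someone switching off or re-pointing the audit log itself."""
    return (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in TRAIL_TAMPERING)


RULES = {
    "root_activity": rule_root_activity,
    "console_login_without_mfa": rule_console_login_without_mfa,
    "cloudtrail_tampering": rule_trail_tampering,
}


def detect(events_jsonl, rules=RULES):
    """Run every rule over every record; return one alert per (record, rule) match."""
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for name, rule in rules.items():
            if rule(event):
                alerts.append({
                    "rule": name,
                    "time": event["eventTime"],
                    "event": event["eventName"],
                    "actor": event["userIdentity"]["arn"],
                    "source_ip": event.get("sourceIPAddress"),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['rule']}: {alert['event']} by {alert['actor']} from {alert['source_ip']}")
```

The root login in the sample trips two rules at once, which is the point: the actor, the missing factor and the source address are all in the record, so the alert carries enough context to start the investigation. The failed login by bob is deliberately not alerted; a rule that fires on failures needs a count over time, which is a different detection.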
It’s important to proactively assess your AWS environment for security and compliance. You can leverage AWS’s security tools and security automation to decrease the burden on your security teams.