Podcasts about aws accounts

  • 9 podcasts
  • 16 episodes
  • 27m average duration
  • Infrequent episodes
  • Latest episode: Mar 15, 2024

Best podcasts about aws accounts

Latest podcast episodes about aws accounts

AWS Bites
118. The landing zone: Managing multiple AWS accounts

Mar 15, 2024 · 25:48


In this episode, we provide an introductory overview of AWS's best practices for managing infrastructure using multiple accounts under an organization. We discuss the advantages of this approach and how to get started creating your own multi-account environment, or "landing zone".

ASecuritySite Podcast
Bill Buchanan - A Bluffer's Guide To Encryption In The Cloud: Top 100

Aug 21, 2023 · 20:55


In cybersecurity, the teaching of Cloud security is often weak. So, here are my Top 100 things about encryption in the Cloud. I've focused on AWS, but Azure is likely to also be applicable.

  • Keys are created in the AWS KMS (Key Management Store). In Azure, this is named KeyVault.
  • The cost of using a key in KMS is around $1/month (prorated hourly). When a key is disabled, it is not charged.
  • With AWS KMS, we use a shared customer HSM (Hardware Security Module), and with AWS CloudHSM it is dedicated to one customer.
  • For data at rest, with file storage, we can integrate encryption with Amazon EBS (Elastic Block Storage) and Amazon S3.
  • Amazon EBS drives are encrypted with AES-256 with XTS mode.
  • For AWS-managed keys, a unique key is used for every object within S3 buckets.
  • Amazon S3 uses server-side encryption to store encrypted data.
  • The customer can use client-side encryption to encrypt data before it is stored in the AWS infrastructure.
  • AWS uses 256-bit Advanced Encryption Standard Galois/Counter Mode (AES-GCM) for its symmetric key encryption.
  • In AWS S3, by default, all the objects are encrypted.
  • A customer can use client-side encryption to encrypt data before it goes into the AWS infrastructure.
  • For data at rest, for databases, we can integrate encryption with Amazon RDS (AWS's relational database service) and Amazon Redshift (AWS's data warehousing).
  • For data at rest, we can integrate encryption into ElastiCache (AWS's content caching service), AWS Lambda (AWS's serverless computing service), and Amazon SageMaker (AWS's machine learning service).
  • Keys are tokenized and have an ARN (Amazon Resource Names) and alias. An example ARN for a key is arn:aws:kms:us-east-1:103269750866:key/de30e8e6-c753-4a2c-881a-53c761242644, and an example alias is “Bill's Key”. Both of these should be unique in the user's account.
  • To define a KMS key, we can either use its key ID, its key ARN, its alias name, or alias ARN.
  • You can link keys to other AWS Accounts. For this, we specify in the form of “arn:aws:iam::[AWS ID]:root”, and where AWS ID is the ID of the other AWS account.
  • To enhance security, we can use AWS CloudHSM (Hardware Security Module). For simpler and less costly solutions, we typically use AWS KMS (Key Management Solution).
  • For CloudHSM, we pay per hour, but for KMS, we just pay for the usage of the keys.
  • The application of the keys is restricted to defined services.
  • Key identifiers and policies are defined with a JSON key-value pair for data objects.
  • Each key should have a unique GUID, such as “de30e8e6-c753-4a2c-881a-53c761242644”.
  • Users are identified and roles are identified with an ARN, such as: “arn:aws:iam::222222:root”.
  • With the usage of keys we have Key Administrative Permission and Key Usage policies.
  • There is an explicit denial on a policy if there is not a specific allow defined in a policy.
  • For key permissions, we have fields of “Sid” (the descriptive name of the policy), “Effect” (typically “Allow”), “Principal” (the ARN of the user/group), “Action” (such as Create, Disable and Delete) and “Resource”.
  • A wildcard (“*”) allows or disallows all.
  • To enable a user of “root” access to everything with a key would be:
      {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::22222222:root"}, "Action": "kms:*", "Resource": "*"}
  • The main operations within the KMS are to encrypt/decrypt data, sign/verify signatures, export data keys, and generate/verify MACs (Message Authentication Codes).
  • Keys are either AWS managed (such as for the Lambda service) or customer managed (these are created and managed by the customer). Custom key stores are where the customer has complete control over the keys.
  • The main uses of keys are for EC2 (Compute), EBS (Elastic Block Storage) and S3 (Storage).
  • AES symmetric keys or an RSA key pair are used to encrypt and decrypt.
  • RSA uses 2K, 3K or 4K keys, and with either “RSA PKCS1 v1.5” or “RSA PSS” padding.
  • RSA PKCS1 v1.5 padding is susceptible to Bleichenbacher's attack, so it should only be used for legacy applications, and for all others, we should use RSA PSS.
  • For RSA, we can use a hashing method of SHA-256, SHA-384 or SHA-512.
  • In RSA, we encrypt with the public key and decrypt with the private key.
  • For signatures, we can use either RSA or ECC signing.
  • For RSA, we have 2K, 3K, or 4K keys, whereas ECC signing uses NIST P256, NIST P384, NIST P521, and SECG P256k1 (as used in Bitcoin and Ethereum).
  • For MACs (Message Authentication Codes), Bob and Alice have the same shared secret key and can authenticate the hash version of a message.
  • In the KMS, we can have HMAC-224, HMAC-256, HMAC-384 and HMAC-512.
  • KMS uses hardware security modules (HSMs) with FIPS 140-2 and which cannot be accessed by AWS employees (or any other customer).
  • Keys will never appear in an AWS disk or backup, and only exist in the memory of the HSM. They are only loaded when used.
  • Encryption keys can be restricted to one region of the world (unless defined by the user).
  • With symmetric keys, the key never appears outside the HSM, and for asymmetric keys (public key encryption), the private key stays inside the HSM, and only the public key is exported outside.
  • AWS CloudWatch shows how and when the encryption keys are being used.
  • The minimum time that can be set for a key to be deleted is seven days (and up to 30 days maximum).
  • An organisation can also create its own HSM with the CloudHSM cluster. When a key is then created in KMS, it is then stored in the cluster.
  • The usage of encryption keys should be limited to a minimal set of service requirements.
  • If possible, separate key managers and key users.
  • With a key management (KEY_ADMINISTRATOR) role, we typically have the rights to create, revoke, put, get, list and disable keys.
  • The key management role will typically not be able to encrypt and decrypt.
  • For a key user (KEY_WORKER) role, we cannot create or delete keys and typically focus on tasks such as encrypting and decrypting.
  • Have a rule of minimum access rights, and simplify user access by defining key administration and usage roles. Users are then added to these roles.
  • Avoid manual updates to keys and use key rotation.
  • The system keeps track of keys that are rotated and can use previously defined ones.
  • The default time to rotate keys is once every year.
  • Key rotation shows up in the CloudWatch and CloudTrail logs.
  • KMS complies with PCI DSS Level 1, FIPS 140-2, FedRAMP, and HIPAA.
  • AWS KMS is matched to FIPS 140-2 Level 2.
  • AWS CloudHSM complies with FIPS 140-2 Level 3 validated HSMs.
  • AWS CloudHSM costs around $1.45 per hour to run, and the costs end when it is disabled or deleted.
  • The CloudHSM is backed-up every 24 hours, and where we can cluster the HSMs into a single logical HSM.
  • CloudHSM can be replicated in AWS regions.
  • AWS KMS is limited to the popular encryption methods, whereas the CloudHSM can implement a wider range of methods.
  • The CloudHSM can support methods such as 3DES with AWS Payment Cryptography. This complies with payment card industry (PCI) standards, such as PCI PIN, PCI P2PE, and PCI DSS.
  • In the CloudHSM for payments, we can generate CVV, CVV2 and ARQC values, and where sensitive details never exist outside the HSM in an unprotected form.
  • With the CloudHSM, we have a command line interface where we can issue commands, and is named CloudHSM CLI.
  • Within the CloudHSM CLI, we can use the genSymKey command to generate a symmetric key within the HSM, such as where -t is a key type (31 is AES), -s is a key size (32 bytes) and -l is the label:
      genSymKey -t 31 -s 32 -l aes256
  • With genSymKey the key types are: 16 (Generic Secret), 18 (RC4), 21 (Triple DES), and 31 (AES).
  • Within the CloudHSM CLI, we can use the genRSAKeyPair command to generate an RSA key pair, such as where -m is the modulus and -e is the public exponent:
      genRSAKeyPair -m 2048 -e 65537 -l mykey
  • AWS CloudHSM is integrated with AWS CloudTrail, and where we can track user, role, or an AWS service within AWS CloudHSM.
  • With AWS Payments Cryptography, the 2KEY TDES is Two-key Triple DES and has a 112-bit equivalent key size.
  • The Pin Encryption Key (PEK) is used to encrypt PIN values and uses a KEY TDES key. This can store PINs in a secure way, and then decrypt them when required.
  • S3 buckets can be encrypted either with Amazon S3-managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) keys.
  • There is no cost to use SSE keys.
  • For symmetric key encryption, AWS uses envelope encryption, and where a random key is used to encrypt data, and then the key is encrypted with the user's key.
  • AWS should not be able to access the key used for the encryption.
  • The default in creating an encryption key is for it only to be used in a single region, but this can be changed to multi-region, and where the key will be replicated across more than one region.
  • In AWS, a region is a geographical area, and which is split into isolated locations.
  • US-East-1 (N. Virginia) and US-East-2 (Ohio) are different regions, while us-east-1a, us-east-1b and us-east-1c are in the same region.
  • A single region key in the US-East-1 region would replicate across eu-east-1a, eu-east-1b and eu-east-1c, and not to eu-east-2a, eu-east-2b and eu-east-2c.
  • When creating a key, you can either create in the KMS, import a key (BYOK — bring your own key), create in the AWS CloudHSM, or create in an external key store (HYOK — hold your own key).
  • For keys stored on-premise we can use an external key store (XKS) — this can be defined as Hold Your Own Keys (HYOKs), and where no entity in AWS will be able to read any of the encrypted data.
  • You can BYOK (bring your own key) with KMS, and import keys. KMS will keep a copy of this key.
  • With XKS, we need a proxy URI endpoint, with the proxy credentials of an access key ID, and secret access key.
  • To export keys from AWS CloudHSM, we can encrypt them with an AES key.
  • This is known as key wrapping, as defined in RFC 5648 (for padding with zeros) or RFC 3394 (without padding).
  • A strong password should always be used for key wrapping.
  • AWS encryption operations can either be conducted from the command line or within API, such as with Python, Node.js or Golang.
  • With KMS, the maximum data size is 4,096 bytes for a symmetric key, 190 bytes for RSA 2048 OAEP SHA-256, 318 bytes for RSA 3072 OAEP SHA-256, and 446 bytes for RSA 4096 OAEP SHA-256.
  • An example command to encrypt a file for 1.txt with symmetric key encryption is:
      aws kms encrypt --key-id alias/MySymKey --plaintext fileb://1.txt --query CiphertextBlob --output text > 1.out
  • To decrypt a file with symmetric key encryption, an example with 1.enc is:
      aws kms decrypt --key-id alias/BillsNewKey --output text --query Plaintext --ciphertext-blob fileb://1.enc > 2.out
  • In Python, to integrate with KMS, we use the Boto3 library.
  • The standard output of encrypted content is in byte format. If we need to have a text version of ciphertext, we typically use Base64 format.
  • The base64 command can be used to convert byte format in Base64, such as with:
      base64 -i 1.out --decode > 1.enc
  • The xxd command in the command line allows the cipher text to be dumped to a hex output and can then be edited. We can then convert it back to a binary output with:
  • An example piece of Python code for encrypting a plaintext message with the symmetric key in Python is:
      ciphertext = kms_client.encrypt(KeyId=alias, Plaintext=bytes(secret, encoding='utf8'))
  • An example piece of Python code to decrypt some cipher text (in Base64 format) is:
      plain_text = kms_client.decrypt(KeyId=alias, CiphertextBlob=bytes(base64.b64decode(ciphertext)))
  • To generate an HMAC signature for a message in the command line, we have the form of:
      aws kms generate-mac --key-id alias/MyHMACKey --message fileb://1.txt --mac-algorithm HMAC_SHA_256 --query Mac > 4.out
  • To verify an HMAC signature for a message in the command line, we have the form of:
      aws kms verify-mac --key-id alias/MyHMACKey --message fileb://1.txt --mac-algorithm HMAC_SHA_256 --mac fileb://4.mac
  • To create an ECDSA signature in the command line, we have the form of:
      aws kms sign --key-id alias/MyPublicKeyForSigning --message fileb://1.txt --signing-algorithm ECDSA_SHA_256 --query Signature > 1.out
  • To verify an ECDSA signature in the command line, we have the form of:
      aws kms verify --key-id alias/MyPublicKeyForSigning --message fileb://1.txt --signature fileb://1.sig --signing-algorithm ECDSA_SHA_256
  • To encrypt data using RSA in the command line, we have the form of:
      aws kms encrypt --key-id alias/PublicKeyForDemo --plaintext fileb://1.txt --query CiphertextBlob --output text --encryption-algorithm RSAES_OAEP_SHA_1 > 1.out
  • To decrypt data using RSA in the command line, we have the form of:
      aws kms decrypt --key-id alias/PublicKeyForDemo --output text --query Plaintext --ciphertext-blob fileb://1.enc --encryption-algorithm RSAES_OAEP_SHA_1 > 2.out
  • To sign data using RSA in the command line, we have the form of:
      aws kms sign --key-id alias/MyRSAKey --message fileb://1.txt --signing-algorithm RSASSA_PSS_SHA_256 --query Signature --output text > 1.out
  • To verify data using RSA in the command line, we have the form of:
      aws kms verify --key-id alias/MyRSAKey --message fileb://1.txt --signature fileb://1.sig --signing-algorithm RSASSA_PSS_SHA_256
  • You cannot encrypt data with Elliptic Curve keys. Only RSA and AES can do that. Elliptic Curve keys are used to sign data.
  • If you delete an encryption key, you will not be able to decrypt any ciphertext that uses it.
  • We can store our secrets, such as application passwords, in the secrets manager.
  • An example of a secret name of “my-secret-passphrase” and a secret string of “Qwery123” we can have:
      aws secretsmanager create-secret --name my-secret-passphrase --secret-string Qwerty123
  • In China regions, along with RSA and ECDSA, you can use SM2 KMS signing keys.
  • In China Regions, we can use SM2PKE to encrypt data with asymmetric key encryption.

Find out more here: https://asecuritysite.com/aws

AWS Morning Brief
Immortal AWS Accounts, the Methuselah Pattern

Jul 18, 2022 · 7:14


AWS Morning Brief for the week of July 18th, 2022 with Corey Quinn.

AWS Bites
27. How do you organize AWS Accounts?

Mar 11, 2022 · 24:03


Eoin and Luciano try to answer the question of what AWS accounts do you need for your team and how to organize them. In this episode of AWS bites we discuss common ways to organize AWS accounts and environments from the perspective of a company running production workloads. We try to answer questions like “how many accounts and how many environments?”. We also discuss how you and your team can be more productive by effectively managing AWS accounts and environments. Finally we explore some common security and cost-related tradeoffs that are common when it comes to organizing AWS accounts. Thanks to David Lynam for suggesting this awesome topic!

In this episode, we mentioned the following resources:
- AWS Account vending machines: https://aws.amazon.com/solutions/implementations/aws-landing-zone/
- Org Formation: https://github.com/org-formation/org-formation-cli
- Terraform for accounts and organizations: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account

This episode is also available on YouTube: https://www.youtube.com/AWSBites

You can listen to AWS Bites wherever you get your podcasts:
- Apple Podcasts: https://podcasts.apple.com/us/podcast/aws-bites/id1585489017
- Spotify: https://open.spotify.com/show/3Lh7PzqBFV6yt5WsTAmO5q
- Google: https://podcasts.google.com/feed/aHR0cHM6Ly9hbmNob3IuZm0vcy82YTMzMTJhMC9wb2RjYXN0L3Jzcw==
- Breaker: https://www.breaker.audio/aws-bites
- RSS: https://anchor.fm/s/6a3312a0/podcast/rss

Do you have any AWS questions you would like us to address? Leave a comment here or connect with us on Twitter:
- https://twitter.com/eoins
- https://twitter.com/loige

Der AWS-Podcast auf Deutsch
11 - AWS accounts, user accounts, root accounts, management accounts, oh my!

Feb 8, 2021 · 13:13


The official German-language podcast about Amazon Web Services (AWS), for the curious, cloud beginners and AWS experts, produced by Dennis Traub, Developer Advocate at AWS. For questions, suggestions and feedback, feel free to contact Dennis directly on Twitter (@dtraub) or by e-mail at traubd@amazon.com.

In this episode, Dennis untangles a few terms that come up again and again in connection with AWS and regularly cause confusion in conversations with customers or in questions on StackOverflow.

For more information, tips and tricks about AWS and the cloud, follow Dennis on:
- Twitter - https://twitter.com/dtraub
- Twitch - https://www.twitch.tv/dennis_at_work
- YouTube - https://www.youtube.com/dennistraub

Der AWS-Podcast auf Deutsch
3 - Service profile: AWS Trusted Advisor

Jan 6, 2021 · 4:05


The official German-language podcast about Amazon Web Services (AWS), for the curious, cloud beginners and AWS experts, produced by Dennis Traub, Developer Advocate at AWS. For questions, suggestions and feedback, feel free to contact Dennis directly on Twitter (@dtraub) or by e-mail at traubd@amazon.com.

In this episode, Dennis introduces AWS Trusted Advisor, a free online tool that helps you keep an eye on the most important security characteristics of your AWS account, increase performance and reduce overall costs.

Links for Trusted Advisor:
- Information on AWS Trusted Advisor - https://aws.amazon.com/premiumsupport/technology/trusted-advisor
- Directly to the dashboard in your AWS account - https://console.aws.amazon.com/trustedadvisor/home

For more information, tips and tricks about AWS and the cloud, follow Dennis on:
- Twitter - https://twitter.com/dtraub
- Twitch - https://www.twitch.tv/dennis_at_work
- YouTube - https://www.youtube.com/dennistraub

Der AWS-Podcast auf Deutsch
2 - Cost optimization tips: AWS Budgets and Budget Actions

Jan 3, 2021 · 8:45


The official German-language podcast about Amazon Web Services (AWS), for the curious, cloud beginners and AWS experts, produced by Dennis Traub, Developer Advocate at AWS. For questions, suggestions and feedback, feel free to contact Dennis directly on Twitter (@dtraub) or by e-mail at traubd@amazon.com.

In this episode, Dennis introduces AWS Budgets and AWS Budget Actions, a feature that helps you keep an eye on the costs of your AWS accounts. No matter whether you are just getting started with AWS and want to spend at most one or two dollars a month, or whether you already run large enterprise workloads and need the corresponding cost transparency.

Links for AWS Budgets:
- More information - https://aws.amazon.com/aws-cost-management/aws-budgets
- User Guide: How to create a budget - https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/budgets-create.html
- AWS Cost Management Blog: How to set up AWS Budget Actions - https://aws.amazon.com/blogs/aws-cost-management/get-started-with-aws-budgets-actions

For more information, tips and tricks about AWS and the cloud, follow Dennis on:
- Twitter - https://twitter.com/dtraub
- Twitch - https://www.twitch.tv/dennis_at_work
- YouTube - https://www.youtube.com/dennistraub

Modern Digital Applications with Lee Atchison
How to maintain availability with multiple AWS accounts

Apr 1, 2020 · 12:50


In this episode, we know that using multiple availability zones helps increase your application availability and resiliency by distributing our application across multiple dispersed data centers. But did you know that availability zones don’t necessarily give you the separation you expect? In fact, it is entirely possible to have two instances of a service running in two distinct availability zones, but actually have them running in the same data center, in the same physical rack, and possibly even on the same physical server! How can this be? And even more importantly, how can we avoid it? The answer involves understanding how availability zones work and how they are structured. And then, one of the oddest cloud services created is also one of the first cloud services. Before AI and before machine learning, humans actually powered a part of the cloud. This is, Life with Multiple AWS Accounts.

Links and More Information

The following are links mentioned in this episode, and links to related information:
- How to maintain availability when using multiple AWS accounts (https://www.infoworld.com/article/3444860/5-pain-points-of-modern-software-development-and-how-to-overcome-them.html)
- Modern Digital Applications Website (https://mdacast.com)
- Lee Atchison Articles and Presentations (https://leeatchison.com)
- Architecting for Scale, published by O’Reilly Media (https://architectingforscale.com)

Distributing Your Application

When building a modern, high-performant application at scale, it’s important to make sure the individual application instances are distributed across a variety of data centers in such a way that if any given data center goes offline, the application can continue to function relatively normally. This is an industry-wide best practice, and an important characteristic to architect into your applications in order to make them sufficiently resilient to data center problems.

The same philosophy occurs when you build your application in the cloud. Except, when you build a cloud-based application, you typically do not have visibility into which data center a particular server or cloud resource is located. This is part of the abstraction that gives the cloud its value. Not having visibility into which data centers your application is operating in makes it difficult to build multi data center resiliency into your applications.

To solve this problem, AWS created a cloud abstraction of the data center that allows you to build on this level of resiliency without being exposed to the details of data center location. The abstraction is the availability zone.

AWS availability zones

An AWS availability zone is an isolated set of cloud resources that allows specifying a certain level of isolation into your applications. Resources within a single availability zone may be physically or virtually near each other, to the extent that they can be dependent on each other and share subcomponents with each other. For example, two EC2 servers that are in the same availability zone may be in the same data center, in the same rack, or even on the same physical server.

However, cloud resources that are in different availability zones are guaranteed to be separated into distinct data centers. They cannot be in the same data center, they cannot be in the same rack, and they cannot be using the same physical servers. They are distinct and independent from each other.

Hence the solution to the resiliency problem: you can build your application to live in multiple availability zones. If you construct your application so instances of your application are distributed across multiple availability zones, you can isolate yourself from hardware failures such as server failures, rack failures, and even entire data center failures....

AWS Podcast
#317: June 2019 Update Show

Jun 16, 2019 · 23:53


Simon shares a huge selection of updates and new things!

Chapter Marks:
00:00:19 Satellites
00:01:12 Storage
00:03:01 Compute
00:05:35 Databases
00:09:17 Developer Tools
00:10:32 Analytics
00:12:28 IoT
00:14:06 End User Computing
00:15:03 Machine Learning
00:16:22 Robotics
00:16:46 Application Integration
00:17:42 Management and Governance
00:20:49 Customer Engagement
00:21:24 Security
00:22:10 Training and Certification
00:22:36 Quick Starts
00:23:04 AWS Marketplace

Shownotes

Topic || Satellite
- Announcing General Availability of AWS Ground Station | https://aws.amazon.com/about-aws/whats-new/2019/05/announcing-general-availability-of-aws-ground-station-/

Topic || Storage
- You can now encrypt new EBS volumes in your account in a region with a single setting | https://aws.amazon.com/about-aws/whats-new/2019/05/with-a-single-setting-you-can-encrypt-all-new-amazon-ebs-volumes/
- AWS Backup Now Supports AWS CloudFormation | https://aws.amazon.com/about-aws/whats-new/2019/05/aws-backup-now-supports-aws-cloudformation/
- AWS DataSync Now Supports EFS-to-EFS Transfer | https://aws.amazon.com/about-aws/whats-new/2019/05/aws-datasync-now-supports-efs-to-efs-transfer/
- AWS DataSync adds filtering for data transfers – Amazon Web Services | https://aws.amazon.com/about-aws/whats-new/2019/05/aws-datasync-adds-filtering-for-data-transfers/
- AWS DataSync is now SOC compliant | https://aws.amazon.com/about-aws/whats-new/2019/06/aws-datasync-is-now-soc-compliant/

Topic || Compute
- Amazon EC2 announces Host Recovery | https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-ec2-announces-host-recovery/
- Enable EC2 Hibernation Without Specifying Encryption Intent at Every Instance Launch | https://aws.amazon.com/about-aws/whats-new/2019/05/enable-ec2-hibernation-without-specifying-encryption-intent/
- AWS Step Functions Adds Support for Callback Patterns in Workflows | https://aws.amazon.com/about-aws/whats-new/2019/05/aws-step-functions-support-callback-patterns/
- Amazon ECS Support for Windows Server 2019 Containers is Generally Available | https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-ecs-support-windows-server-2019-containers-generally-available/
- Amazon ECS Improves ENI Density Limits for awsvpc Networking Mode | https://aws.amazon.com/about-aws/whats-new/2019/06/Amazon-ECS-Improves-ENI-Density-Limits-for-awsvpc-Networking-Mode/
- Serverless Image Handler Now Leverages Sharp and Provides Smart Cropping with Amazon Rekognition | https://aws.amazon.com/about-aws/whats-new/2019/06/serverless-image-handler-now-leverages-sharp-and-provides-smart-cropping-with-amazon-rekognition/

Topic || Databases
- Amazon Aurora Serverless MySQL 5.6 Now Supports Data API | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon_aurora_serverless_mysql_5_6_now_supportsdataapi/
- Amazon RDS Recommendations Provide Best Practice Guidance for Amazon Aurora | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-rds-recommendations-provide-best-practice-guidance-for-amazon-aurora/
- Amazon Aurora with PostgreSQL Compatibility Supports PostgreSQL 10.7 | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-aurora-with-postgresql-compatibility-supports-postgresql-107/
- Amazon Aurora with PostgreSQL Compatibility Supports Database Activity Streams For Real-time Monitoring | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-aurora-with-postgresql-compatibility-supports-database-activity-streams/
- Amazon RDS for SQL Server Increases the Database Limit Per Database Instance up to 100 | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon_rds_for_sql_server_increases/
- Amazon RDS for SQL Server Now Supports Always On Availability Groups for SQL Server 2017 | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-rds-for-sql-server-now-supports-always-on-availability-groups-for-sql-server-2017/
- Amazon RDS for SQL Server now Supports Multi-File Native Restores | https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-rds-for-sql-server-now-supports-multi-file-native-restores/
- Amazon DocumentDB (with MongoDB compatibility) is now SOC 1, 2, and 3 compliant | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-documentdb-now-soc-1-2-3-compliant/
- Amazon DynamoDB adaptive capacity is now instant | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-dynamodb-adaptive-capacity-is-now-instant/
- Amazon ElastiCache for Redis improves cluster availability during planned maintenance | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon_elasticache_for_redis_improves_cluster_availability/
- Amazon ElastiCache for Redis launches self-service updates | https://aws.amazon.com/about-aws/whats-new/2019/06/elasticache-self-service-updates/

Topic || Developer Tools
- Amplify Framework Adds Support for AWS Lambda Functions and Amazon DynamoDB Custom Indexes in GraphQL Schemas | https://aws.amazon.com/about-aws/whats-new/2019/05/amplify-framework-adds-support-for-aws-lambda-as-a-data-source-and-custom-indexes-for-amazon-dynamodb-in-graphql-schema/
- AWS CodeCommit Now Supports Including Application Code When Creating a Repository with AWS CloudFormation | https://aws.amazon.com/about-aws/whats-new/2019/05/aws-codecommit-now-supports-the-ability-to-make-an-initial-commit/

Topic || Analytics
- Amazon Managed Streaming for Apache Kafka (Amazon MSK) is now Generally Available | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon_managed_streaming_for_apache_kafka_amazon_msk_is_now_generally_available/
- Amazon Elasticsearch Service Is Now SOC Compliant | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-elasticsearch-service-now-soc-compliant/
- Amazon Elasticsearch Service announces support for Elasticsearch 6.7 | https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-elasticsearch-service-announces-support-for-elasticsearch-67/
- AWS Glue now provides an VPC interface endpoint | https://aws.amazon.com/about-aws/whats-new/2019/06/aws_glue_now_provides_vpc_interface_endpoint/
- AWS Glue supports scripts that are compatible with Python 3.6 in Python shell jobs | https://aws.amazon.com/about-aws/whats-new/2019/06/aws_glue_supportscripts/

Topic || IoT
- AWS IoT Things Graph Now Generally Available | https://aws.amazon.com/about-aws/whats-new/2019/05/aws-iot-things-graph-now-generally-available/
- AWS IoT Events is now generally available | https://aws.amazon.com/about-aws/whats-new/2019/05/aws-iot-events-now-generally-available/
- AWS IoT Device Tester v1.2 is Now Available for Amazon FreeRTOS v1.4.8 | https://aws.amazon.com/about-aws/whats-new/2019/05/aws-iot-device-tester-v120-now-available-amazon-freertos-v148/
- AWS IoT Analytics Now Supports Channel and Data Stores in Your Own Amazon S3 Buckets | https://aws.amazon.com/about-aws/whats-new/2019/05/aws-iot-analytics-now-supports-channel-and-data-stores-in-your-o/

Topic || End User Computing
- Announcing Amazon WorkLink support for Additional Website Authorization Providers | https://aws.amazon.com/about-aws/whats-new/2019/05/announcing-amazon-workLink-support-for-additional-website-authorization-providers/
- Amazon AppStream 2.0 launches three self-guided workshops to build online trials and SaaS solutions – Amazon Web Services | https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-appstream2-launches-three-self-guided-workshops-to-build-online-trials-and-saas-solutions/
- Amazon Chime Voice Connector now supports United States Toll-Free Numbers | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-chime-voice-connector-now-supports-us-toll-free-numbers/

Topic || Machine Learning
- Introducing Fraud Detection Using Machine Learning | https://aws.amazon.com/about-aws/whats-new/2019/05/introducing-fraud-detection-using-machine-learning/
- Amazon Textract - Now Generally Available | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-textract-now-generally-available/
- Amazon Transcribe now supports speech-to-text in Modern Standard Arabic | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-transcribe-now-supports-speech-to-text-in-modern-standard-arabic/

Topic || Robotics
- AWS RoboMaker now supports over-the-air deployment job cancellation | https://aws.amazon.com/about-aws/whats-new/2019/05/aws-robomaker-supports-over-the-air-deployment-job-cancellation/

Topic || Application Integration
- Amazon API Gateway Now Supports Tag-Based Access Control and Tags on Additional Resources | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-api-gateway-now-supports-tag-based-access-control-tags-additional-resources/
- Amazon API Gateway Now Supports VPC Endpoint Policies | https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-api-gateway-supports-vpc-endpoint-policies/

Topic || Management and Governance
- Introducing AWS Systems Manager OpsCenter to enable faster issue resolution | https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-aws-systems-manager-opscenter-to-enable-faster-issue-resolution/
- AWS Budgets now Supports Variable Budget Targets for Monthly and Quarterly Cost and Usage Budgets | https://aws.amazon.com/about-aws/whats-new/2019/05/aws-budgets-support-for-variable-budget-targets-for-cost-and-usage-budgets/
- CloudWatch Logs adds support for percentiles in metric filters | https://aws.amazon.com/about-aws/whats-new/2019/05/cloudwatch-logs-adds-support-for-percentiles-in-metric-filters/
- Announcing Tag-Based Access Control for AWS CloudFormation | https://aws.amazon.com/about-aws/whats-new/2019/05/announcing-tag-based-access-control-for-aws-cloudformation/
- AWS Organizations Now Supports Tagging and Untagging of AWS Accounts | https://aws.amazon.com/about-aws/whats-new/2019/06/aws-organizations-now-supports-tagging-and-untagging-of-aws-acco/
- AWS Well-Architected Tool Now Supports 8x More Text in the Notes Field | https://aws.amazon.com/about-aws/whats-new/2019/06/aws-well-architected-tool-now-supports-8x-more-text-in-notes-field/

Topic || Customer Engagement
- Amazon Pinpoint now includes support for AWS CloudFormation | https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-pinpoint-now-includes-support-for-aws-cloudformation/
- Amazon Connect Adds Additional Telephony Metadata | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-connect-adds-additional-telephony-metadata/
- Amazon Connect Decreases US Telephony Pricing by 26% in the US East (N. Virginia) and US West (Oregon) regions | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-connect-decreases-US-telephony-pricing-by-26-percent-in-the-US-east-N-Virginia-and-US-West-Oregon-regions/

Topic || Security
- Amazon GuardDuty is Now SOC Compliant | https://aws.amazon.com/about-aws/whats-new/2019/05/amazon-guardduty-now-soc-compliant/
- AWS Encryption SDK for C is now available | https://aws.amazon.com/about-aws/whats-new/2019/05/aws-encryption-sdk-for-c-now-available/
- Amazon Inspector adds CIS Benchmark support for Amazon Linux 2 | https://aws.amazon.com/about-aws/whats-new/2019/06/amazon-inspector-adds-cis-benchmark-support-for-amazon-linux-2/

Topic || Training and Certification
- Announcing New and Updated Exam Readiness Courses for AWS Certifications | https://aws.amazon.com/about-aws/whats-new/2019/05/announcing-new-and-updated-exam-readiness-courses-for-aws-certifications/

Topic || Quick Starts
- New Quick Start deploys a modular architecture for Amazon Aurora PostgreSQL | https://aws.amazon.com/about-aws/whats-new/2019/05/new-quick-start-deploys-modular-aurora-postgresql-architecture-on-aws/

Topic || AWS Marketplace
- AWS Marketplace enables long term contracts for AMI products | https://aws.amazon.com/about-aws/whats-new/2019/05/aws-marketplace-enables-long-term-contracts-for-ami-products/

AWS TechChat
Episode 49 - AWS RAM and CDK Deep Dive

Jun 14, 2019 39:21


In this episode of AWS TechChat, Shane and Pete take it up a notch in a thought-provoking episode. They discuss some key AWS feature releases that are fundamentally changing how customers wire up more complex AWS account structures, and talk to you about some modern approaches that more mature customers are adopting. We started the show with AWS RAM (Resource Access Manager), which is a simple and secure way to share resources across AWS accounts and is worth a look if you use VPC Peering or hybrid DNS resolvers today. They then pivoted to AWS CDK (Cloud Development Kit), which is a software development framework, with the artifact being AWS CloudFormation, yet another tool to help you move to No-Ops and focus on improving developer productivity. AWS CDK offers a higher-level object-oriented abstraction to define AWS resources imperatively. And lastly, out with the old and in with the new (and it’s not Pete). Node.js 6 is EOL (End-of-Life) for AWS Lambda, and we announce the arrival of Node.js 10, touting significant performance and functionality improvements.

AWS Podcast
#286: December 2018 Update Show

Dec 30, 2018 32:35


Simon takes you through the December updates to finish up 2018!

Shownotes:

Topic || Customer Engagement 0:23
Amazon Pinpoint Announces Event-Based Campaigns, Driving Personalization and Engagement | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-pinpoint-announces-event-based-campaigns-driving-personalization-and-engagement/
Amazon Pinpoint Announces a New Email Deliverability Dashboard to Help Customers Reach their Users' Inboxes | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-pinpoint-announces-a-new-email-deliverability-dashboard-to-help-customers-reach-their-users-inboxes/
Amazon Connect Adds New Contact API to Get Contact Attributes | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-connect-adds-new-contact-api-to-get-contact-attributes/

Topic || Storage 2:05
Amazon S3 Inventory adds Apache Parquet output format | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-s3-announces-parquet-output-format-for-inventory/
AWS Storage Gateway Increases File Gateway Performance - Amazon Web Services | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-storage-gateway-announces-increased-throughput-and-adds-new-/

Topic || Networking & Content Delivery 3:32
Amazon Virtual Private Clouds can now be shared with other AWS Accounts | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-virtual-private-clouds-can-now-be-shared-with-other-aws-accounts/
Introducing AWS Client VPN to Securely Access AWS and On-Premises Resources | https://aws.amazon.com/about-aws/whats-new/2018/12/introducing-aws-client-vpn-to-securely-access-aws-and-on-premises-resources/
New AWS Direct Connect locations in Silicon Valley and Stockholm | https://aws.amazon.com/about-aws/whats-new/2018/12/new-aws-direct-connect-locations-silicon-valley-stockholm/
Amazon CloudFront announces ten new Edge locations in North America, Europe, and Asia | https://aws.amazon.com/about-aws/whats-new/2018/12/cloudfront-dec2018-10-edge-locations/
Amazon API Gateway Simplifies Building Real-Time Two-Way Communication Applications with WebSocket APIs | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-api-gateway-launches-support-for-websocket-apis/
Amazon Route 53 Adds Alias Record Support For API Gateway and VPC Endpoints | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-route-53-adds-alias-record-support-for-api-gateway-and-vpc-endpoints/

Topic || Database 7:41
Introducing Workload Qualification Framework to Project Plan Your Database Migrations to AWS | https://aws.amazon.com/about-aws/whats-new/2018/12/introducing-workload-qualification-framework-to-plan-your-database-migration-projects/
AWS Database Migration Service Adds Support for Parallel Full Load and Enhanced LOB Migration | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-database-migration-service-adds-support-for-parallel-full-load/
Amazon RDS Enhances Automatic Minor Version Upgrades | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-rds-enhances-auto-minor-version-upgrades/
Amazon RDS for PostgreSQL Now Supports R5 Instance Types | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-rds-postgresql-now-supports-r5-instance-types/
Amazon RDS Supports Publishing PostgreSQL Log Files to Amazon CloudWatch Logs | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-rds-supports-postgresql-logfiles-publish-to-amazon-cloudwatch-logs/
Amazon RDS Performance Insights Supports Counter Metrics for Aurora PostgreSQL | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-rds-performance-insights-supports-counter-metrics-for-aurora-postgresql/
Amazon RDS for PostgreSQL Supports New Minor Versions 10.6, 9.6.11, 9.5.15, and 9.4.20 | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-rds-postgresql-supports-minor-version-106/
Amazon Aurora with PostgreSQL Compatibility Supports PostgreSQL 10.5 | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-aurora-postgresql-supports-postgresql-105/
Amazon Aurora with PostgreSQL Compatibility Adds Query Plan Management | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-aurora-postgresql-compatibility-adds-query-plan-management/
Announcing the New Amazon DynamoDB Key Diagnostics Library | https://aws.amazon.com/about-aws/whats-new/2018/12/announcing-the-new-amazon-dynamodb-key-diagnostics-library/
Amazon DynamoDB Increases the Number of Global Secondary Indexes and Projected Index Attributes You Can Create Per Table | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-dynamodb-increases-the-number-of-global-secondary-indexes-and-projected-index-attributes-you-can-create-per-table/
Amazon DynamoDB Accelerator (DAX) Adds Support for DynamoDB Transactions | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-dynamodb-accelerator-adds-support-for-dynamodb-transactions/
Amazon MQ Now Supports ActiveMQ Minor Version 5.15.8 | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-mq-now-supports-activemq-minor-version5-15-8/

Topic || Compute 14:13
Amazon ECR Console Version 2 | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-ecr-console-version-2/
Amazon ECR now allows Repository Tagging | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-ecr-now-allows-repository-tagging/
Amazon EC2 Introduces Partition Placement Groups | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-ec2-ntroduces-partition-placement-groups/
AWS Auto Scaling is Now Available in 8 more Regions Worldwide and Offers Predictive Scaling for Amazon EC2 | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-auto-scaling-is-now-available-in-8-more-regions-worldwide/
Amazon EC2 C5d, M5d, and R5d Instances are Now Available in Additional AWS Regions | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-ec2-c5d-m5d-and-r5d-instances-are-now-available-in-additional-aws-regions/
AWS Fargate Platform Version 1.3 Adds Secrets Support | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-fargate-platform-version-1-3-adds-secrets-support/
Amazon EKS Adds Managed Cluster Updates and Support for Kubernetes Version 1.11 | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-eks-adds-managed-cluster-updates-and-support-for-kubernetes/
AWS Server Migration Service Adds Support for Multi-Server Migration | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-server-migration-service-adds-support-for-multi-server-migration/
AWS Batch now supports Amazon EC2 C5n Instances Featuring 100 Gbps of Network Bandwidth | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-batch-now-supports-amazon-ec2-c5n-instances-featuring-100-gbps-of-network-bandwidth/
AWS Batch Now Supports Amazon EC2 P3dn Instances | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-batch-now-supports-amazon-ec2-p3dn-instances/
New AWS ParallelCluster Features | https://aws.amazon.com/about-aws/whats-new/2018/12/new-aws-parallelcluster-features/
New SAM PUBLISH Command Simplifies Publishing Applications to the AWS Serverless Application Repository | https://aws.amazon.com/about-aws/whats-new/2018/12/sam-publish-command-simplifies-publishing-apps-to-serverless-application-repository/
AWS Elastic Beanstalk Adds Tag-Based Permissions | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-elastic-beanstalk-adds-tag-based-permissions/

Topic || Developer Tools 20:39
AWS X-Ray Adds the Ability to Group Traces by Root Cause | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-xray-adds-the-ability-to-group-traces-by-root-cause/
AWS CodePipeline Supports VPC Endpoints | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-codepipeline-supports-vpc-endpoints/
AWS CloudFormation macros can now be used in templates with nested stacks | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-cloudformation-macros-can-now-be-used-in-templates-with-nest/
Quickly Create, Build, and Deploy Amazon Alexa Skills from AWS | https://aws.amazon.com/about-aws/whats-new/2018/12/quickly-create-build-and-deploy-amazon-alexa-skills-from-aws/

Topic || Machine Learning 22:07
Amazon Transcribe now supports speech-to-text in French, Italian, and Brazilian Portuguese | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-transcribe-now-supports-speech-to-text-in-french-italian-and-brazilian-portuguese/

Topic || Security, Identity and Compliance 22:27
AWS IAM Console Now Available In German, Portuguese, Spanish, Italian, and Traditional Chinese | https://aws.amazon.com/about-aws/whats-new/2018/12/iam-console-available-in-new-languages/
Automate AWS IAM Permissions Analysis Using the New IAM Access Advisor APIs | https://aws.amazon.com/about-aws/whats-new/2018/12/iam_access_advisor_apis/
Introducing Notifications for New Amazon GuardDuty Finding Types and Feature Releases | https://aws.amazon.com/about-aws/whats-new/2018/12/Introducing-Notifications-for-New-Amazon-GuardDuty-Finding-Types-and-Feature-Releases/
AWS Organizations Supports AWS License Manager Cross Account Sharing Capabilities | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-organizations-supports-aws-license-manager/
AWS Shield Adds Advanced DDoS Protection for AWS Global Accelerator | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-shield-adds-advanced-ddos-protection-for-aws-global-accelerator/
AWS Systems Manager Automation Now Supports at Scale Action | https://aws.amazon.com/about-aws/whats-new/2018/12/AWS-Systems-Manager-Automation-Now-Supports-at-Scale-Actions/
AWS Service Catalog – Integration with AWS Organizations | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-service-catalog-announces-integration-with-aws-organizations/
The AWS WAF Security Automations solution now includes a monitoring dashboard | https://aws.amazon.com/about-aws/whats-new/2018/12/the-aws-waf-security-automations-solution-now-includes-a-monitoring-dashboard/
Announcing rule group exception for Managed Rules for AWS WAF | https://aws.amazon.com/about-aws/whats-new/2018/12/announcing-rule-group-exception-for-managed-rules-for-aws-waf/
AWS Firewall Manager Available in Four Additional Regions | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-firewall-manager-now-available-in-four-more-regions/

Topic || Application Integration 26:59
Amazon SQS now Supports Amazon VPC Endpoints using AWS PrivateLink - Amazon Web Services | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-sqs-vpc-endpoints-aws-privatelink/
Amazon MQ Introduces Network of Brokers Feature | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-mq-introduces-network-of-brokers-feature/

Topic || Desktop & App Streaming 27:27
AppStream 2.0 introduces APIs to simplify app entitlements and enable delivery of virtualized apps | https://aws.amazon.com/about-aws/whats-new/2018/12/appstream-2-0-introduces-apis-to-simplify-app-entitlements-and-e/

Topic || Analytics 28:10
Support for Spark 2.4.0, and Hue 4.3.0 on Amazon EMR release 5.20.0 | https://aws.amazon.com/about-aws/whats-new/2018/12/support-for-spark-240-hue-430-on-amazon-emr-release-5200/
Amazon Redshift now runs VACUUM DELETE automatically | https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-redshift-automatic-vacuum/

Topic || Internet of Things 29:41
Introducing AWS CloudFormation Template Support for AWS IoT Analytics | https://aws.amazon.com/about-aws/whats-new/2018/12/introducing-aws-cloudformation-template-support-for-aws-iot-analytics/
AWS IoT Device Defender Adds Support for Two New Security Metrics | https://aws.amazon.com/about-aws/whats-new/2018/12/aws-iot-device-defender-adds-support-for-two-new-security-metrics/
MediaTek MT7697H System on Chip is Qualified for Amazon FreeRTOS | https://aws.amazon.com/about-aws/whats-new/2018/12/mediatek-mt7697h-system-on-chip-qualified-amazon-freertos/

Topic || Other 30:35
Announcing Programmatic Access to AWS Pricing Information in China via the AWS Price List API | https://aws.amazon.com/about-aws/whats-new/2018/12/announcing-aws-price-list-api-availability-in-china/
Introducing the Media Services Application Mapper | https://aws.amazon.com/about-aws/whats-new/2018/12/introducing-the-media-services-application-mapper/
New Quick Start Deploys Varnish Cache Plus (VCP) on the AWS Cloud | https://aws.amazon.com/about-aws/whats-new/2018/12/new-quick-start-deploys-varnish-on-aws/
Announcing 15 Free Digital Training Courses on New AWS Services Launched at re:Invent 2018 | https://aws.amazon.com/about-aws/whats-new/2018/12/announcing-15-free-digital-training-courses-on-new-aws-services-launched-at-re-invent-2018/

AWS re:Invent 2017
SID202: Deep Dive on How Capital One Automates the Delivery of Directory Services across AWS Accounts

Nov 30, 2017 33:12


Traditional solutions for using Microsoft Active Directory across on-premises and AWS Cloud Windows workloads can require complex networking or synching identities across multiple systems. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed AD, offers you actual Microsoft Active Directory on the AWS Cloud as a managed service. In this session, you learn how Capital One uses AWS Managed AD to provide highly available authentication and authorization services for its Windows workloads, such as Amazon RDS for SQL Server. We detail how Capital One uses Lambda, Python, and PowerShell with cross-account AWS Identity and Access Management (IAM) roles to automate directory deployment across AWS accounts. We also cover best practices for integrating AWS Managed AD with your on-premises domain securely, and show you how to automate the joining of AWS resources to your managed domain.

AWS re:Invent 2017
SID321: How Capital One Applies AWS Organizations Best Practices to Manage Multiple AWS Accounts

Nov 30, 2017 53:41


In this session, we review best practices for managing multiple AWS accounts using AWS Organizations. We cover how to think about the master account and your account strategy, as well as how to roll out changes. You learn how Capital One applies these best practices to manage its AWS accounts, which number over 160, and PCI workloads.

AWS re:Invent 2016
ENT206: Lift and Evolve – Saving Money in the Cloud is Easy, Making Money Takes Help

Dec 24, 2016 47:00


Every enterprise knows by now that it can save money by simply lifting and shifting workloads to the cloud, but many are missing the larger opportunity to also make money by moving. While quick cost savings are good for the bottom line, they do little to move the top-line numbers. To achieve both savings and earnings, corporate thinking about technologies must change in order to enable faster processes leveraged enterprise-wide. In this session we will explore multiple customer success stories where the customers have evolved from leveraging basic compute and storage products (EC2 and S3) to integrating new services into operations by leveraging Lambda, DynamoDB, CodeDeploy, etc. Once this is achieved, enterprises are enabled to manage and deploy code rapidly in a programmatic and elastic secure network, ensuring governance and security standards across the globe. We will look at the migration process trusted by hundreds of clients as well as how to cope with the process and people components that are so important to enable agility, while focusing heavily on the technology. The Coca-Cola Company (TCCC) and 2nd Watch story will dive deep into the technology that allows TCCC to manage hundreds of AWS accounts, hundreds of workloads, thousands of instances, and hundreds of business partners around the globe. TCCC’s Configuration Management System has Puppet at the core and relies on over a dozen core and emerging AWS products across accounts, availability zones and regions. This complex and globally available system ensures all of TCCC’s workloads in AWS meet corporate policies but also allows for rapid scale of both consumer and enterprise workloads.

AWS re:Invent 2016
SAC323: NEW SERVICE: Centrally Manage Multiple AWS Accounts with AWS Organizations

Dec 24, 2016 42:00


AWS Organizations is a new administrative capability, which allows you to control multiple AWS accounts centrally. With Organizations, you can hierarchically organize and manage your AWS accounts and apply organizational controls across these accounts to meet your business needs. In this session, we cover the capabilities of AWS Organizations and discuss best practices when managing multiple AWS accounts.

AWS re:Invent 2016
SEC304: Reduce Your Blast Radius by Using Multiple AWS Accounts Per Region and Service

Dec 24, 2016 54:00


This session shows you how to reduce your blast radius by using multiple AWS accounts per region and service, which helps limit the impact of a critical event such as a security breach. Using multiple accounts helps you define boundaries and provides blast-radius isolation. Though managing multiple accounts can be difficult, we will present an upcoming AWS solution that will help automate the process for controlling cross-account access by managing roles across multiple accounts.