Security
Infrastructure protection and network security best practices
Well Architected Compute
Applying the AWS Well-Architected Framework Principles to Compute
Section titled “Applying the AWS Well-Architected Framework Principles to Compute”AWS Well-Architected Pillars
Section titled “AWS Well-Architected Pillars”The AWS Well-Architected Framework has six pillars, each including best practices and questions to consider when architecting cloud solutions. This section highlights best practices most relevant to compute resources:
Performance Efficiency
Compute and hardware optimization guidance
Cost Optimization
Cost effective resourcing strategies
Sustainability
Hardware and services environmental impact considerations
Security Pillar: Infrastructure Protection
Section titled “Security Pillar: Infrastructure Protection”Protecting Compute
Section titled “Protecting Compute”Best Practice Automate compute protection
Question: How do you protect your compute resources?
Compute resources require multiple layers of defense to protect from external and internal threats. Automate protective compute mechanisms including vulnerability management, reduction in attack surface, and management of resources.
EC2 Features Supporting This Practice:
- EC2 Image Builder: Reduces exposure to security vulnerabilities
- User data scripts: Automate commands when launching instances
- Silver (mutable) AMIs and Golden (immutable) AMIs: Lock down security configurations in instances
Protecting Networks
Section titled “Protecting Networks”Best Practice Control traffic at all layers
Question: How do you securely operate your workload?
Apply overarching security best practices to every area of connectivity. Examine connectivity requirements of each component and apply multiple controls with defense in depth approach.
EC2 Features Supporting This Practice:
- Security groups: Stateful inspection firewall that defines which ports network traffic is permitted on
- VPC network topology: Configure based on workload connectivity needs
Performance Efficiency Pillar: Compute and Hardware
Section titled “Performance Efficiency Pillar: Compute and Hardware”Best Practices for Compute Optimization
Section titled “Best Practices for Compute Optimization”Best Practice Scale the best compute options for your workload
Selecting the most appropriate compute option improves performance, reduces unnecessary infrastructure costs, and lowers operational efforts. Benefits include making workloads more resource efficient by identifying compute requirements and evaluating against available options.
Best Practice Configure and right-size compute resources
Configure and right-size compute resources to match workload performance requirements and avoid under or over-utilized resources. Properly sizing typically results in better performance, enhanced customer experience, and lower cost.
EC2 Features Supporting These Practices:
- AMIs: Pre-configured with required software and support usage of root storage type
- Instance type and size: Choose for computing workloads based on requirements
- Storage type and size: Select Amazon EBS or Instance store for root volumes and data volumes based on needs
Cost Optimization Pillar: Cost Effective Resourcing
Section titled “Cost Optimization Pillar: Cost Effective Resourcing”Best Practices for Cost Optimization
Section titled “Best Practices for Cost Optimization”Select Correct Resources
Best Practice Select the correct resource type, size, and number
By selecting the best resource type, size, and number of resources, you meet technical requirements with the lowest cost resource. Right-sizing takes into account all resources, attributes, and effort involved in the operation.
Select Best Pricing
Best Practice Select the best pricing model
Consider requirements of workload components and understand potential pricing models. AWS has multiple pricing models that let you pay for resources in the most cost-effective way for your organization’s needs.
EC2 Features Supporting These Practices:
- Right sizing: Instance type and storage size optimization for computing workloads saves money
- Purchasing models: Choose model that best fits workload’s use case:
- On-Demand instances
- Reserved instances
- Amazon EC2 Spot instances
- Savings Plans
- Reserved/Dedicated capacity models:
- On-Demand Capacity Reservations
- Amazon EC2 Capacity Blocks for ML
- Dedicated Host
Sustainability Pillar: Hardware and Services
Section titled “Sustainability Pillar: Hardware and Services”Best Practices for Environmental Impact
Section titled “Best Practices for Environmental Impact”Best Practice Use the minimum amount of hardware to meet your needs
Use minimum amount of hardware for workload to efficiently meet business needs. Right-sizing cloud resources helps reduce workload environmental impact, save money, and maintain performance benchmarks. AWS Cloud provides flexibility to modify computing resources dynamically.
Best Practice Use instance types with the least impact
Continually monitor and use new instance types to take advantage of energy efficiency improvements. Using efficient instances is crucial for lower resource usage and cost-effectiveness, including those designed for specific workloads like machine learning and video transcoding.
Best Practice Use managed services
Use managed services to operate more efficiently in the cloud. Shifts responsibility to AWS for maintaining high utilization and sustainability optimization of deployed hardware. AWS insights across millions of customers drive new innovations and efficiencies.
EC2 Features Supporting These Practices:
Storage Options Based on Requirements:
Section titled “Storage Options Based on Requirements:”- Instance store volumes: Use if you don’t need persistent storage and need faster computing time
- Amazon EBS: Use if you need persistent storage
AMI Options:
Section titled “AMI Options:”- Base AMIs: OS-only configuration
- Pre-configured AMIs: Available from AWS
- Custom AMIs: Customize and save to launch instances
Instance Types for Specific Use Cases:
Section titled “Instance Types for Specific Use Cases:”- General purpose: Balanced compute, memory, networking
- Compute optimized: High-performance processors
- Storage optimized: High sequential read/write access
- Memory optimized: Fast performance for large datasets in memory
- Accelerated computing: Hardware accelerators for specialized functions
- HPC optimized: High performance computing workloads
Managed Compute Services:
Section titled “Managed Compute Services:”AWS offers variety of compute services including managed services like AWS Batch and AWS Outposts, reducing operational overhead and improving efficiency.
The AWS Well-Architected Framework provides guidance for compute resources across multiple pillars. Key takeaways include: automate compute protection, scale the best compute options for your workload, configure and right-size compute resources, select the correct resource type and pricing model, and use minimum hardware with least environmental impact while leveraging managed services when possible.