Now, let's review optimizing usage with AWS Trusted Advisor.

So, AWS Trusted Advisor is an automated tool that regularly and automatically analyzes your environment and compares what you're doing and the state of your infrastructure to best practices. And then it can advise you based on those best practice recommendations. It can advise you on ways that you can improve cost optimization. It will recommend ways to save money, recommend ways to improve performance. It can recommend ways to improve security, and also recommend ways to improve fault tolerance.

So, for example, it might look to see that you have certain Security Group ports open that are known to be insecure, and it might recommend that you close those ports. It might see that you've been running a particular EC2 Instance using the On-Demand Billing Model for an extended period of time, and it might recommend that you could save money by switching to or purchasing a Reserved Instance. It might see that you are running, let's say, one EC2 Instance behind a Load Balancer, in which case you don't have any fault tolerance. It might notice that you're running an RDS Instance in a Single-AZ rather than a Multi-AZ Deployment, which could improve fault tolerance.

And so everyone, no matter what level of support you are paying for, gains access to seven core checks. And those core checks are, one, looking at your S3 Bucket Permissions. This is an area, in particular, where over the years a number of organizations have gotten themselves in trouble by making sensitive information available to the public. And I think, in those cases, it's just a matter of a combination of a lack of education and a lack of communication. And so one of the things that the Trusted Advisor can do is take a look at your S3 Bucket Permissions and inform you that certain buckets may be making certain data publicly available.

Another thing that the Trusted Advisor will do is, like I mentioned earlier, look at your security groups and take note of certain ports that are left unrestricted. For example, it would probably be a security issue if you were opening Port 22 to everywhere, right? Ideally, to have more security around that, you would probably want to open Port 22 from a small, trusted range of IP addresses, like a VPN connection, for example.

Another one of the checks would be your use of IAM. It can look through the policies that you are giving to your users, to your groups and roles, and tell you that, perhaps, you are giving more permissions than are necessary for that particular use case.

It will also look to see if you have enabled Multi-Factor Authentication on the Root Account. Remember that if you are logging into the console with an email address, then you are logging into the Root Account, and we call it the Root Account because it has essentially root permissions, or administrative permissions, and you cannot limit those. So, if someone were to gain access to those Root Credentials, they could really do some damage. In fact, companies have gone out of business. So, it's really important that we take every measure we can to protect those Root Account Credentials, including configuring MFA for the Root Account. And again, one of those checks of the Trusted Advisor is to inform you as to whether or not you have done that.

Trusted Advisor can also look at your EBS Volumes, and look at the Snapshots that you've created, and inform you whether or not you have made any of those publicly available. Right, so very similar to S3, it's relatively trivial to make EBS Snapshots publicly available to anyone. And so that is something that we certainly would not want to do if that Snapshot contained any kind of sensitive data. And the same thing applies to RDS Snapshots. We could make RDS Snapshots publicly available, but only if they didn't include sensitive data. So, that's one of the seven core checks.

It will also take a look at service limits. So, remember, we've mentioned this a number of times before throughout the course: AWS does impose service limits; there are hard limits and soft limits. For example, one of those soft limits, the initial default limit for EC2 Instances, is 20 Instances. Now, in order to go above that, you would have to submit a ticket to Amazon Support asking for an increase. And there are a number of soft limits like that that can be increased. And so one of the things that Trusted Advisor will do here is look through your account and inform you that you are getting close to that limit. If you have, let's say, a limit of 20 EC2 Instances, and now you are at, let's say, 15 or 16 Instances or so, then the Trusted Advisor can warn you that you are approaching that limit, so you can increase that limit before you have the need. And I've been there before. It's not a fun position to be in when you need more than what you're allowed to create, but you're stuck waiting on Amazon to answer your Support Ticket. So, those are the kinds of things that you want to get out ahead of.

Now, all of these seven core checks are available to everyone. If you are paying for Business-level or Enterprise-level Support, then you gain the full benefits of Trusted Advisor, which includes more than 40 different checks across many different resources and many different types of things going on in your Amazon environment, again all of it categorized according to cost savings, security, performance, and fault tolerance. So, then, you also get the ability to receive notifications. As the Trusted Advisor finds things, it can notify you. And you gain programmatic access to the Trusted Advisor. These two things, the full set of 40+ checks and notifications and programmatic access, are only available to those of us who are paying for Business-level or Enterprise-level Support. If you have Basic Support, which is included, or you're paying for Developer Support, then you only gain access to those seven core checks.

So, the Trusted Advisor, again, is an automated tool that regularly scans your environment and recommends things that you can do to improve that environment. It's a good idea when you're using AWS to regularly check with the Trusted Advisor, every so often, every day, or every other day at least. Go to the Trusted Advisor and see what it has to say. If you see something new, listen to it. Take its word, and go and explore ways to mitigate that issue that it is showing you.
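As an added example (not from the lecture and not AWS's own code), the Python script below runs the same logic as the core checks described above over a small constructed inventory of account resources: sensitive ports such as 22 open to any address in a security group, S3 bucket ACLs granting access to the public groups, MFA missing on the root account, EBS or RDS snapshots shared publicly, and usage approaching a soft service limit. The inventory, resource names and the `SENSITIVE_PORTS` list are constructed for the example; the 80% warning ratio is the point at which Trusted Advisor's service-limit check turns yellow, and everything else is an assumption. Real programmatic access to Trusted Advisor goes through the AWS Support API, which, as the lecture says, needs Business or Enterprise Support; this script is a stand-alone approximation you can run offline to see what each check is looking for.

```python
"""Local approximation of the Trusted Advisor core checks from the lecture.

Added example, not AWS code. Evaluates a constructed inventory with the
logic described above and returns findings grouped by check category.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Ports worth flagging when reachable from anywhere (constructed list; the
# lecture's example is SSH on port 22).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL"}
# The two S3 ACL grantee groups that make a bucket readable by the public
# or by any AWS account holder.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
LIMIT_WARN_RATIO = 0.80  # Trusted Advisor's service-limit check goes yellow at 80 % usage


@dataclass
class Finding:
    category: str   # "security" or "service_limits"
    resource: str
    detail: str


def open_to_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix of length zero."""
    return ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(groups):
    """Flag inbound rules that expose a sensitive port to any source address."""
    findings = []
    for sg in groups:
        for rule in sg["inbound"]:
            if not open_to_world(rule["cidr"]):
                continue  # restricted source range, like the VPN example in the lecture
            for port, name in SENSITIVE_PORTS.items():
                if rule["from_port"] <= port <= rule["to_port"]:
                    findings.append(Finding("security", sg["id"],
                                            f"{name} port {port} open to {rule['cidr']}"))
    return findings


def check_s3_buckets(buckets):
    """Flag buckets whose ACL grants access to a public group."""
    return [Finding("security", b["name"], f"ACL grants access to {g.rsplit('/', 1)[-1]}")
            for b in buckets for g in b["acl_grantees"] if g in PUBLIC_GRANTEES]


def check_root_mfa(account):
    if account["root_mfa_enabled"]:
        return []
    return [Finding("security", "root", "MFA is not enabled on the root account")]


def check_snapshots(snapshots):
    """EBS and RDS snapshots become public when shared with the 'all' group."""
    return [Finding("security", s["id"], f"{s['type'].upper()} snapshot is publicly restorable")
            for s in snapshots if "all" in s["shared_with"]]


def check_service_limits(limits):
    """Warn once usage reaches LIMIT_WARN_RATIO of a soft limit."""
    findings = []
    for item in limits:
        ratio = item["usage"] / item["limit"]
        if ratio >= LIMIT_WARN_RATIO:
            findings.append(Finding("service_limits", item["service"],
                                    f"{item['usage']} of {item['limit']} used ({ratio:.0%})"))
    return findings


def run_core_checks(inventory):
    """Run every check and group the findings by category."""
    findings = (check_security_groups(inventory["security_groups"])
                + check_s3_buckets(inventory["buckets"])
                + check_root_mfa(inventory["account"])
                + check_snapshots(inventory["snapshots"])
                + check_service_limits(inventory["service_limits"]))
    report = {}
    for f in findings:
        report.setdefault(f.category, []).append(f)
    return report


# Constructed sample inventory (hypothetical ids; 203.0.113.0/24 is a documentation range).
SAMPLE_INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "inbound": [
            {"from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
            {"from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"}]},
        {"id": "sg-admin", "inbound": [
            {"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
            {"from_port": 3389, "to_port": 3389, "cidr": "::/0"}]},
    ],
    "buckets": [
        {"name": "finance-reports", "acl_grantees": [
            "owner-canonical-id", "http://acs.amazonaws.com/groups/global/AllUsers"]},
        {"name": "app-logs", "acl_grantees": ["owner-canonical-id"]},
    ],
    "account": {"root_mfa_enabled": False},
    "snapshots": [
        {"id": "snap-0ebs", "type": "ebs", "shared_with": ["all"]},
        {"id": "rds:prod-db-final", "type": "rds", "shared_with": []},
    ],
    "service_limits": [
        {"service": "EC2 On-Demand instances", "limit": 20, "usage": 16},
        {"service": "VPCs", "limit": 5, "usage": 2},
    ],
}

if __name__ == "__main__":
    for category, items in run_core_checks(SAMPLE_INVENTORY).items():
        print(f"[{category}]")
        for f in items:
            print(f"  {f.resource}: {f.detail}")
```

With the sample inventory the script reports five security findings (SSH and RDP open to the world on `sg-admin`, the public ACL on `finance-reports`, missing root MFA, and the public EBS snapshot) and one service-limit warning: 16 of 20 instances is exactly 80%, so it is flagged, while the lecture's other figure of 15 would not be.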