Graduate Program KB

Account Management, Billing & Support

  • AWS Organizations is a global service, allowing you to manage multiple AWS accounts

    • The main account is the master account
    • Cost benefits:
      • Consolidated billing across all accounts (single payment method)
      • Pricing benefits from aggregated usage (volume discount for EC2, S3, etc.)
      • Pooling of reserved EC2 instances for optimal savings
    • There is an API available for automating AWS account creation
    • Ability to restrict account privileges using Service Control Policies (SCP)
  • Multi account strategies

    • Create accounts per department, per cost centre, or per dev / test / prod environment, and enforce regulatory restrictions using SCPs
      • Better resource isolation
      • Separate per-account service limits
      • Isolated accounts for logging
    • Multi-account vs. one account with multiple VPCs
    • For billing purposes, use tagging standards
    • Enable CloudTrail for all accounts, sending logs to an S3 bucket in a central logging account
    • Send CloudWatch Logs to a central logging account

Service Control Policies (SCP)

  • A type of organisational policy to manage permissions in your organisation

  • Whitelist / blacklist IAM actions

  • Applied at the OU or Account level

    • OU level takes precedence over Account level for conflicting SCP
  • SCPs don't apply to the master (management) account, even if an SCP is attached to it

  • SCP is applied to all the users and roles of the account, including the root user

  • The SCP doesn't affect service-linked roles

    • Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs
  • SCP must have an explicit Allow (doesn't allow anything by default)

  • Use cases:

    • Restrict access to certain services (ex. EMR)
    • Enforce PCI compliance by explicitly disabling services
  • Example of Blacklist SCP

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowsAllActions",
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
            },
            {
                "Sid": "DenyDynamoDB",
                "Effect": "Deny",
                "Action": "dynamodb:*",
                "Resource": "*"
            }
        ]
    }
    
  • Example of Whitelist SCP

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:*",
                    "cloudwatch:*"
                ],
                "Resource": "*"
            }
        ]
    }
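
A small evaluator for the SCP rules in these notes (nothing allowed by default, an explicit Allow is required, an explicit Deny wins, every level between the root and the account must allow the action, and the management account and service-linked roles are exempt), added here as an illustration and not AWS's own evaluation engine. It assumes one SCP per level on the path and glob-style matching of "Action", and it ignores "Resource" and conditions.

```python
# Added example: toy evaluator for the SCP semantics described in these notes.
# Not AWS code. Simplifications (assumptions): one SCP per level on the path
# from the root OU down to the account, glob-style matching of "Action", and
# "Resource" / conditions are ignored (SCPs in practice are almost always "*").
from fnmatch import fnmatchcase

# Constructed sample policies, mirroring the blacklist and whitelist SCPs above.
BLACKLIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowsAllActions", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyDynamoDB", "Effect": "Deny", "Action": "dynamodb:*", "Resource": "*"},
]}
WHITELIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "cloudwatch:*"], "Resource": "*"},
]}


def _actions(stmt):
    """Normalise "Action" to a list (IAM accepts a string or a list)."""
    action = stmt["Action"]
    return [action] if isinstance(action, str) else list(action)


def scp_allows(policy, action):
    """Verdict of a single SCP: any matching Deny wins, otherwise the action
    needs at least one matching Allow (nothing is allowed by default)."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(fnmatchcase(action, pattern) for pattern in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allow(action, scps_on_path, is_management_account=False,
                    is_service_linked_role=False):
    """An action survives only if every SCP between the root and the account
    allows it (a Deny or a missing Allow at any level blocks it). SCPs never
    restrict the management account or service-linked roles. The identity's
    own IAM policy must still grant the action; that is not modelled here."""
    if is_management_account or is_service_linked_role:
        return True
    return all(scp_allows(scp, action) for scp in scps_on_path)


if __name__ == "__main__":
    path = [BLACKLIST_SCP, WHITELIST_SCP]   # root OU: blacklist, account: whitelist
    for act in ("ec2:RunInstances", "s3:GetObject", "dynamodb:Query"):
        print(act, "->", "allowed" if effective_allow(act, path) else "blocked")
```

With the blacklist at the root and the whitelist on the account, `s3:GetObject` is blocked even though the root allows it, which is the intersection behaviour to keep in mind when layering SCPs.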
    

Consolidated Billing for AWS Organization

  • When enabled, provides:
    • Combined usage across all AWS accounts in the AWS Organization to share the volume pricing, Reserved Instances and Savings Plans discounts
    • A single bill for all AWS accounts in the AWS Organization
  • The management account can turn off Reserved Instances discount sharing for any account in the AWS Organization, including itself

AWS Control Tower

  • Provides an easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices
  • Benefits:
    • Automates the setup of your environment quickly
    • Automate ongoing policy management using guardrails
    • Detect policy violations and remediate them
    • Monitor compliance through an interactive dashboard
  • AWS Control Tower runs on top of AWS Organizations
    • Automatically sets up AWS Organizations to organise accounts and implement SCPs

AWS Resource Access Manager (AWS RAM)

  • Enables you to share AWS resources that you own with other AWS accounts or accounts within your organisation
  • Avoids duplicating resources
  • Some supported resources include:
    • Aurora
    • VPC Subnets
    • Transit Gateway
    • Route 53
    • EC2 Dedicated Hosts
    • License Manager Configurations

AWS Service Catalog

  • New users of AWS have too many options and may create stacks that aren't compliant with the rest of the organisation
    • Some users just want a quick self-service portal to launch a set of authorised products pre-defined by admins
      • Includes VMs, databases, storage options, servers, etc.
    • AWS Service Catalog resolves this issue by enabling organisations to create and manage catalogs of IT services approved for AWS

Pricing Models in AWS

  • Pay as you go: Pay for what you use

    • Remain agile, responsive and meet scale demands
  • Save when you reserve: Minimise risks, predictably manage budgets and comply with long-term requirements

    • Reservations are available for EC2 Reserved Instances, DynamoDB Reserved Capacity, ElastiCache Reserved Nodes, RDS Reserved Instances and Redshift Reserved Nodes
  • Pay less by using more: Volume-based discounts

  • Pay less as AWS grows

  • Free services & free tier in AWS

    • IAM
    • VPC
    • Auto Scaling Groups
    • Pay for resources created:
      • Consolidated Billing
      • Elastic Beanstalk
      • CloudFormation
    • Free tier

EC2 Compute Pricing

  • Only charged for what you use

  • Number of instances

  • Instance configuration:

    • Physical capacity
    • Region
    • OS and software
    • Instance type and size
  • ELB running time and amount of data processed

  • Detailed monitoring

  • On-demand instances

    • Minimum of 60s
    • Pay per second (Linux / Windows) or per hour (other)
  • Reserved instances

    • Up to 75% discount compared to On-demand on hourly rate
    • 1 or 3 years commitment
    • Can pay upfront, partially or no upfront (pay at end of month)
  • Spot instances

    • Up to 90% discount compared to On-demand on hourly rate
    • Bid for unused capacity
  • Dedicated Host

    • On-demand
    • Reservation for 1 or 3 years commitment
  • Savings plans as an alternative to save on sustained usage

Lambda & ECS Compute Pricing

  • Lambda
    • Pay per call and duration
  • ECS
    • EC2 Launch Type Model: No additional fees; pay for the AWS resources created and used by your application
  • Fargate
    • Fargate Launch Type Model: Pay for virtual CPU and memory resources allocated to your applications in your containers

S3 Storage Pricing

  • Storage class: S3 Standard, S3 Infrequent Access, S3 One-Zone IA, S3 Intelligent Tiering, S3 Glacier and S3 Glacier Deep Archive
  • Number and size of objects
    • Price can be tiered based on volume
  • Number and type of requests
  • Data transfer OUT of the S3 region
  • S3 Transfer Acceleration
  • Lifecycle transitions
  • Similar to the EFS service (pay per use, has infrequent access & lifecycle rules)

EBS Storage Pricing

  • Volume type (based on performance)
  • Storage volume in GB per month provisioned
  • IOPS
    • General purpose SSD: Included
    • Provisioned IOPS SSD: Provisioned amount in IOPS
    • Magnetic: Number of requests
  • Snapshots
    • Added data cost per GB per month
  • Data transfer
    • Outbound data transfers are tiered for volume discounts
    • Inbound is free

RDS Database Pricing

  • Per hour billing
  • Database characteristics
    • Engine
    • Size
    • Memory class
  • Purchase type
    • On-demand
    • Reserved instances (1 or 3 years) with required upfront payment
  • Backup storage
    • There is no additional charge for backup storage up to 100% of your total database storage for a region
  • Additional storage (per GB per month)
  • Number of input and output requests per month
  • Deployment type (affects storage and I/O pricing)
    • Single or multiple AZ
  • Data transfer
    • Outbound data transfers are tiered for volume discounts
    • Inbound is free

Content Delivery for CloudFront

  • Pricing is different across geographic regions
  • Aggregated for each edge location, then applied to your bill
  • Data Transfer Out (volume discount)
  • Number of HTTP / HTTPS requests

Network costs in AWS per GB

  • Use private IP instead of public IP for better savings and network performance
  • Use the same AZ for maximum savings (at the cost of high availability, though)

Savings Plan

  • Commit to a certain spend per hour for 1 or 3 years

  • Easiest way to set up long-term commitments on AWS

  • EC2 Savings Plan

    • Up to 72% discount compared to On-demand
    • Commit to usage of individual instance families in a region (ex. C5 or M5)
    • Regardless of AZ, size, OS or tenancy
    • Can pay upfront, partially or no upfront (pay at end of month)
  • Compute Savings Plan

    • Up to 66% discount compared to On-demand
    • Regardless of family, region, size, OS, tenancy and compute options
    • Compute options include EC2, Fargate and Lambda
  • Machine Learning Savings Plan

    • SageMaker
  • Set up from the AWS Cost Explorer console

  • Estimated pricing

AWS Compute Optimizer

  • A service that analyses your AWS resources' configurations and metrics to recommend optimal resources for your workloads
    • Reduce costs and improve performance
    • Choose optimal configurations and right-size your workloads (over / under provisioned)
  • Uses ML to analyse your resources' configurations and their utilisation CloudWatch metrics
  • Supported resources
    • EC2 instances
    • EC2 Auto Scaling Groups
    • EBS volumes
    • Lambda functions
  • Lower your costs by up to 25%
  • Recommendations can be exported to S3

Billing and Costing Tools

  • Estimating costs in the cloud

  • Tracking costs in the cloud

    • AWS Billing Dashboard
    • Cost allocation tags for tracking details
      • AWS-generated tags are automatically applied to the resources you create (they start with the prefix aws:, e.g. aws:createdBy)
      • User-defined tags are prefixed with user:
    • AWS Cost and Usage Reports
      • Contains a comprehensive set of AWS cost and usage data available, includes metadata about services, pricing and reservations
      • List usage for each service category used by an account and its IAM users in hourly / daily line items and any tags activated for cost allocation purposes
      • Can be integrated with Athena, Redshift or QuickSight
    • AWS Cost Explorer
      • Visualise, understand and manage AWS costs and usage over time
      • Create custom reports and analyse cost and usage data across all accounts at a monthly, hourly or resource level granularity
      • Choose an optimal Savings Plan, forecasting usage up to 12 months based on previous usage
  • Monitoring costs against plans

    • Billing alarms
      • Billing metric data is stored in CloudWatch in the us-east-1 region
      • Billing data covers overall worldwide AWS costs (actual costs, not projected costs)
    • AWS Budgets
      • Create a budget and send alarms when costs exceed the budget
      • 4 types of budgets: Usage, Cost, Reservation, Savings Plans
      • For Reserved Instances:
        • Track utilisation
        • Supports EC2, ElastiCache, RDS, Redshift
      • Up to 5 SNS notifications per budget
      • Filterable by Service, Linked Account, Tag, Purchase Option, Instance Type, Region, Availability Zone, API Operation, etc.
      • Same options as AWS Cost Explorer
      • 2 budgets are free, after that it's $0.02 per day per budget
  • Tags are used for organising resources

    • EC2 instances, images, load balancers, security groups, etc.
    • RDS, VPC resources, Route 53, IAM users, etc.
    • Resources created by CloudFormation are all tagged similarly
  • Tag names are free-form; common tags include Name, Environment and Team

  • Tags can be used to create Resource Groups

    • Used to create, maintain and view a collection of resources that share common tags
    • Tags can be managed using the Tag Editor

AWS Cost Anomaly Detection

  • Continuously monitor cost and usage using ML to detect spending anomalies
  • Learns your unique, historic spending patterns to detect one-time cost spikes and continuous cost increases
  • Monitor AWS services, member accounts, cost allocation tags or cost categories
  • Sends you an anomaly detection report with root-cause analysis
  • Get notified with individual alerts or daily / weekly summary using SNS

AWS Service Quotas

  • Notifies you when you're close to a service quota threshold
  • Create CloudWatch Alarms from the Service Quotas console
  • Request a quota increase from AWS Service Quotas, or shut down resources before the limit is reached

Trusted Advisor

  • Nothing to install; provides a high-level AWS account assessment
  • Analyses AWS accounts and provides recommendations in 6 categories
    • Cost optimisation
    • Performance
    • Security
    • Fault tolerance
    • Service limits
    • Operational excellence
  • Business & Enterprise Support plan
    • Full set of checks
    • Programmatic access using AWS Support API

AWS Support Plans Pricing

  • Basic Support Plan

    • Free
    • Customer Service & Communities: 24/7 access to customer service, documentation, whitepapers and support forums
    • AWS Trusted Advisor: Access to the 7 core Trusted Advisor checks and guidance to provision your resources following best practices
      • Increased performance and improved security
    • AWS Personal Health Dashboard: Personalised view of the health of AWS services, alerts when your resources are impacted
  • Developer Support Plan

    • Has all functionality of Basic Support Plan
    • Business hours email access to Cloud Support Associates
    • Unlimited cases / one primary contact
    • Case severity / response times
      • General guidance: Less than 24 business hours
      • System impaired: Less than 12 business hours
  • Business Support Plan (24/7)

    • Used for production workloads
    • Trusted Advisor: Full set of checks and API access
    • 24/7 phone, email and chat access to Cloud Support Engineers
    • Unlimited cases / unlimited contacts
    • Access to Infrastructure Event Management for an additional fee
    • Case severity / response times
      • General guidance: Less than 24 business hours
      • System impaired: Less than 12 business hours
      • Production system impaired: Less than 4 hours
      • Production system down: Less than 1 hour
  • Enterprise On-Ramp Support Plan

    • Has all functionality of Business Support Plan
    • Used for production or business critical workloads
    • Access to a pool of Technical Account Managers (TAM)
    • Concierge Support Team for billing and account best practices
    • Infrastructure Event Management, Well-Architected & Operations Reviews
    • Case severity / response times
      • General guidance: Less than 24 business hours
      • System impaired: Less than 12 business hours
      • Production system impaired: Less than 4 hours
      • Production system down: Less than 1 hour
      • Business-critical system down: Less than 30 minutes
  • Enterprise Support Plan (24/7)

    • Has all functionality of Business Support Plan
    • Used for mission critical workloads
    • Access to a designated Technical Account Manager (TAM)
    • Concierge Support Team for billing and account best practices
    • Infrastructure Event Management, Well-Architected & Operations Reviews
    • Case severity / response times
      • General guidance: Less than 24 business hours
      • System impaired: Less than 12 business hours
      • Production system impaired: Less than 4 hours
      • Production system down: Less than 1 hour
      • Business-critical system down: Less than 15 minutes