Every IT project accrues technical debt. Even the best engineering teams sometimes take shortcuts, resulting in waste and complexity.
As the end of the year looms, it’s a perfect time to pause and evaluate your Amazon Web Services (AWS) cloud account. Cloud cost management can be challenging — are you spending too much? Are migrations taking longer than you expected? Maintaining cloud compliance is often overlooked – are you confident that you can meet your audit requirements in 2019?
Here’s the story of how a financial services institution reviewed its AWS account at the end of last year — and how they used this evaluation to fuel a rebuild of their entire AWS account.
Are we meeting basic AWS best practices?
A prominent mortgage bank initially started running on AWS with one or two small projects. Now several years later, the bank spends tens of thousands of dollars on AWS — but since the account grew haphazardly in fits and starts by different cloud engineers with different requirements, they have little confidence that their account meets basic AWS best practices.
Their environment consisted of hundreds of instances, both Spot and On-Demand, which supported two core applications that needed to maintain Gramm-Leach-Bliley Act (GLBA) and Payment Card Industry (PCI-DSS 3.0) compliance. However, only some projects had sufficient access controls and backups, and their testing and code deployment processes were completely disorganized.
All of this complexity meant that they had a 4-hour SLA and frequent application outages. When something went wrong, there were so many interdependent services that their IT team had to rebuild entire portions of their environment from backups.
The company knew that large portions of their environment had also “fallen out” of compliance. This isn’t unusual; a recent study found that nearly 45% of companies fall out of PCI-DSS compliance within 9 months of certification.
As a result of this waste and mismanagement, they had not expanded their AWS cloud usage by moving other applications to AWS. They understood that these architectural deficiencies were due to an AWS skills gap, rather than gaps in the AWS services themselves.
AWS Well-Architected Review
The company decided to seek out an AWS cloud expert to remediate their AWS account in accordance with AWS Well-Architected and Well-Operated Frameworks and take over long-term management.
The Well-Architected Framework is a set of cloud best practices published by AWS, based on its experience reviewing customer architectures at scale. It is organized into five “pillars”:
- Operational Excellence
- Security
- Reliability
- Performance Efficiency
- Cost Optimization
Why is this framework important? As AWS writes:
“This framework provides a consistent approach for customers and AWS Partner Network (APN) Partners to evaluate architectures, and provides guidance to implement designs that scale with your application needs over time.”
In other words, the Well-Architected Framework provides a single source of cloud architecture best practices for your team, so that each environment is maintained in a secure, efficient manner. It’s the principle that AWS uses to evaluate architectures — and the system that AWS uses to train and audit Logicworks to conduct reviews.
The mortgage bank approached Logicworks and quickly identified us as their desired managed services provider due to our staff of AWS certified and tenured engineers, pedigree in Financial Services, and flexible service tiers. The company wanted to rebuild their existing AWS environments in accordance with AWS best practices and PCI-DSS compliance standards, and supplement their internal AWS resources with a focus on operational support, DevOps automation, and cloud cost management.
Review and Rebuild
Within weeks, Logicworks’ Certified AWS Engineers conducted a comprehensive review of the organization’s existing AWS environment. This involved a series of interviews with the company’s engineers, a hands-on evaluation of their account, and a review of available documentation and team processes.
As a result of this review, Logicworks produced a report that outlined the company’s current state in terms of meeting the five pillars of the AWS Well-Architected Framework, and specific technical recommendations for improving their environment. The gaps in their current environment were so extensive that the company decided to completely rebuild their AWS environment (while keeping their current AWS environment active), and conduct the cloud migration to the new AWS environment once complete.
This resulted in a new architecture design produced in just 2 weeks according to AWS best practices, including specific technical features such as:
- Hub-spoke AWS VPC architecture
- CIS hardened AWS EC2 AMIs
- Mature, easily replicated/destroyed code testing and deployment environments
- Multi-factor authentication (MFA) on Bastion, AWS Console
- AWS Key Management Service (KMS) for encryption of RDS, EBS, S3, etc.
- Regular patching timetable and process
- AWS API activity logging via CloudTrail
- Trend Micro anti-virus for Linux, Windows Defender for Windows Server 2016
- AWS CloudWatch Detailed Monitoring with best practice thresholds
- Active Directory (AD) configuration and maintenance
- AWS Elastic Beanstalk for application delivery
- MS SQL on EC2 with License Mobility through Software Assurance
All architectures are deployed using AWS CloudFormation templates for easy repeatability, and the Management VPC hosts Logicworks’ proprietary Central Automation Platform, whose “bots” and scanners enforce security configurations and best practices (built on AWS EC2 Systems Manager, Lambda, Inspector, Config, Puppet, and Jenkins). After build-out in CloudFormation, every instance receives its configuration (including 3rd-party security tools, packages, log configuration, etc.) from Puppet, which ensures that configurations are consistently implemented and maintained. This has a significant impact on the bank’s compliance goals: they can now demonstrate to auditors that every instance continually checks in against a central manifest, so any drift from the approved configuration is detected and corrected, and the fleet can be shown to be in a “known good” state.
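To make the “bots and scanners” idea concrete, here is an added example (not Logicworks’ Central Automation Platform and not code from the original post) of a configuration-compliance check of the kind an AWS Config custom rule runs. It evaluates simplified configuration items against several of the controls listed above: KMS encryption for EBS and S3, MFA for console users, and a multi-region CloudTrail with log-file validation. The item layout, field names, resource IDs, key ARN and account number are all constructed assumptions loosely modelled on AWS Config’s resourceType/configuration shape, and the `put_evaluations` call a deployed rule would make is deliberately left out so the example runs offline.

```python
"""
Compliance scanner in the style of the "bots" described above: it takes
AWS Config-style configuration items and reports COMPLIANT / NON_COMPLIANT
against the controls the rebuilt environment relies on (KMS encryption for
EBS and S3, MFA for console users, a multi-region CloudTrail with log-file
validation). Added example code, not Logicworks' Central Automation Platform.
The item shape is a simplified assumption loosely modelled on AWS Config's
resourceType/configuration layout; IDs, ARNs and account numbers are made up.
"""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def check_ebs_volume(cfg):
    # Volumes must be encrypted, and with a KMS key ARN on record.
    if not cfg.get("encrypted"):
        return NON_COMPLIANT, "volume is not encrypted"
    if not str(cfg.get("kmsKeyId", "")).startswith("arn:aws:kms:"):
        return NON_COMPLIANT, "volume has no KMS key ARN"
    return COMPLIANT, "volume encrypted with KMS"


def check_s3_bucket(cfg):
    # Buckets must default to SSE-KMS, not SSE-S3 and not nothing.
    algo = (cfg.get("serverSideEncryption") or {}).get("sseAlgorithm")
    if algo != "aws:kms":
        return NON_COMPLIANT, f"bucket default encryption is {algo!r}, not aws:kms"
    return COMPLIANT, "bucket defaults to SSE-KMS"


def check_iam_user(cfg):
    # Any user with a console password must have at least one MFA device.
    if not cfg.get("loginProfile"):
        return NOT_APPLICABLE, "user has no console password"
    if not cfg.get("mfaDevices"):
        return NON_COMPLIANT, "console user has no MFA device"
    return COMPLIANT, "console user has MFA"


def check_cloudtrail(cfg):
    # The trail must cover every region and sign its log files.
    if not cfg.get("isMultiRegionTrail"):
        return NON_COMPLIANT, "trail is single-region"
    if not cfg.get("logFileValidationEnabled"):
        return NON_COMPLIANT, "log file validation is off"
    return COMPLIANT, "multi-region trail with log validation"


CHECKS = {
    "AWS::EC2::Volume": check_ebs_volume,
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::IAM::User": check_iam_user,
    "AWS::CloudTrail::Trail": check_cloudtrail,
}


def evaluate_item(item):
    """Evaluate one configuration item; unknown resource types are NOT_APPLICABLE."""
    check = CHECKS.get(item["resourceType"])
    status, reason = (check(item.get("configuration") or {}) if check
                      else (NOT_APPLICABLE, "no rule for this resource type"))
    return {"resourceType": item["resourceType"], "resourceId": item["resourceId"],
            "complianceType": status, "annotation": reason}


def handler(event, context=None):
    """Lambda entry point in the shape an AWS Config custom rule receives: the
    configuration item arrives JSON-encoded in event['invokingEvent']. A deployed
    rule would pass the result to config.put_evaluations(); omitted to stay offline."""
    return evaluate_item(json.loads(event["invokingEvent"])["configurationItem"])


def scan(items):
    """Run a whole inventory and return only the non-compliant findings."""
    return [r for r in map(evaluate_item, items) if r["complianceType"] == NON_COMPLIANT]


# Constructed inventory: three of these resources violate the controls above.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60001",
     "configuration": {"encrypted": True,
                       "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60002",
     "configuration": {"encrypted": False}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-app-logs",
     "configuration": {"serverSideEncryption": {"sseAlgorithm": "aws:kms"}}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-app-uploads",
     "configuration": {}},
    {"resourceType": "AWS::IAM::User", "resourceId": "console-user-example",
     "configuration": {"loginProfile": True, "mfaDevices": []}},
    {"resourceType": "AWS::IAM::User", "resourceId": "deploy-user-example",
     "configuration": {"loginProfile": False}},
    {"resourceType": "AWS::CloudTrail::Trail", "resourceId": "org-trail-example",
     "configuration": {"isMultiRegionTrail": True, "logFileValidationEnabled": True}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ITEMS):
        print(f"{f['complianceType']}: {f['resourceType']} {f['resourceId']} ({f['annotation']})")
```

Run stand-alone it prints the three findings (the unencrypted volume, the bucket without default encryption, and the console user without MFA). The design point is that each check returns a machine-readable status plus a human-readable reason: the status is what a remediation bot keys on, and the reason is what ends up in the evidence an auditor sees. Note that a check like this proves configuration, not behaviour; it tells you a volume is encrypted, not that the key policy is sane, so it complements rather than replaces the Inspector and CloudTrail evidence also listed above.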
After build-out, Logicworks and the mortgage bank collaborated on extensive cloud reliability and cloud security testing. The platform launched in production in July 2017, just 60 days after the initial design phase, and Logicworks now offers 24×7 cloud monitoring, ticket support, patching, updates, and select benefits of AWS Enterprise Support.
As a result of working with Logicworks, the mortgage company is confident in their AWS Cloud architecture — and ready to move more workloads to AWS in 2019.
Ready for your Well-Architected Review?
The end of the year is the perfect time to review and re-architect your cloud environment — especially if you need to meet a particular requirement such as PCI or HIPAA cloud compliance.
Until the end of 2018, Logicworks is providing extra funding help to any company that wants to conduct an AWS Well-Architected Review. Contact us to learn more.