Questions

Question 1

I’ve heard some rumors that the cloud is more expensive so i’d like to learn how this will affect our bottom line — TCO team

Answer 1

I need to better understand the workloads in discussion, perhaps we can have a session around a particular workload and business needs to perform a Total Cost of Ownership analysis.

There may be areas to further cost-optimize workloads for cloud hosting.

Question 2

If we enter an enterprise relationship with AWS, what discount structures can we expect?

Answer 2

I can give a broad overview of pricing for various services, but to get into a more detailed discussion, including specific discounts, we should have a followup conversation with your Account Manager as well.

Question 3

On-demand pricing seems to be a good option, but I need to know how much I need to allocate expenses up-front for budget estimation.

On-demand pricing won’t work for us

Answer 3

We also offer saving with our Reserved Capacity (Reserved Instances for example) pricing, where you can fix-priced the cost with 1 or 3 year engagement.

Question 4

We just bought lots of new hardware and software licenses, do I need to throw them away to move to AWS?

Answer 4

You don’t need to throw away your current investment, many of our customers use AWS to extend their current datacenters and applications, without more large up-front expenses.

Question 5

How do we prevent costs going out of control?

It’s great that this can enable our developers to be more agile, but what’s to stop them from spinning up a lot of expensive services?

Answer 5

AWS provides robust billing reporting features. One best-practices is to tag resources, which can help break down costs consumed by application area or business unit, etc.

You can create budgets in your AWS account tied to tags and/or services. By setting a threshold, you can configure alerts to be notified when costs start to approach a level you’re not comfortable with.

Budget alerts can also be tied to functions you can create using our Lambda service to take action on the alert.

Using our Identity and Access Management service, you can also define policies which limit the services certain groups of users can interact with. One could be to ensure only smaller computer instances are available to developers in their account.

Question 6

If we go over a defined budget, are you going to terminate and delete our instances and data?

Answer 6

AWS won’t terminate or delete your data. We provide tools allowing you to define the actions to take based on alerts, but those are for you to define and manage.

Question 7

Do you support AIX?

Answer 7

AIX isn’t a supported OS, but what are you looking to migrate?

I’d like to go into more detail on that workload. While the OS itself may not be supported, we can go over architectures to support the workload in AWS.

Question 8

We can’t have competitors on the same hosts as our workloads. Can AWS guarantee we won’t be sharing hardware?

Answer 8

I’m curious what your concerns are?

AWS fully isolates instances from each other, but we do offer Dedicated Hosts which dedicates the underlying host soley for your account’s use.

Question 9

We’ve invested heavily in X and its licensed per processor ID, so we can’t use cloud virtualization can we?

Answer 9

If you have licensing requirements tied to hardware IDs, AWS offers Bare Metal instances where you have access to the hardware for use cases like this.

Question 10

What hypervisor do you run?

How do you guarantee isolation between guests?

Answer 10

AWS historically leveraged the Xen hypervisor. Starting in 2018 AWS launched its own hypervisor named Nitro which uses less resources than traditional hypervisors making performance nearly indistinguishable from bare-metal systems. Hypervisor runs in Ring0
VMs run in Ring3/Ring4 and discuss from there.
Isolation between EC2 and EBS - Understanding the communication.

Question 11

So, EC2 is basically the same as VMware?

Answer 11

While similar to VMware in terms of being virtualized operating systems, EC2 is compute on demand and there are a lot of options to enable your developers and engineers to create resilient applications with AWS managing the underling infrastructure.

VMware is also a partner and it is possible to run VMware on top of EC2 and to integrate with your on-premises VMWare infrastructure.]

Question 12

You mentioned encryption at rest and in transit, but that’s a heavy hit to compute power. How much overhead is there when enabling encryption?

Answer 12

That depends on where we’re discussing encryption. For example: encrypted EBS volumes you can expect the same IOPs with minimal impact on latency. For SSL between EC2 instances, you can expect similar performance overhead to hosting on-premises.

Where are you most concerned about performance impact? I can dig deeper into this and get back to you with more details.

Question 13

How do you guarantee we don’t get impacted by “noisy neighbors”?

How do you guarantee the CPU and memory we’ve requested is actually allocated to us and not stolen by another VM?

Answer 13

As we get into architectural discussions with your teams, we have a Well Architected Framework and whitepapers we can leverage for resiliancy designs. With CloudWatch monitoring, actions can be automated for recovering from impacted components.

AWS also offers Dedicated Hosts, which dedicates the underlying host solely for your account’s use, but I would like to look at the requirements in more detail before making a recommendation.

Question 14

Microsoft offers instances with 64TB of memory. What’s your largest?

What’s the largest machine we can get in terms of memory?

If you can’t offer 64TB, why would we choose you over Azure?

Answer 14

We’re constantly release new instance types so I’ll need to look it up to be sure [pull up https://aws.amazon.com/ec2/instance-types/ if possible]

What are you looking to run on this instance type?

Question 15

Our app needs sub milisecond response times between components, so we locate VMs in the same rack in our datacenter. Running these in multiple AZs or even across the datacenter from each other is too slow. Can you guarantee they’ll be hosted physically together?

What are placement groups?

Answer 15

I’d like to dive a little deeper in the architecture at some point, but if there are workloads that require specific placement requirements, you can use Placement Groups to define several scenarios:

• Clusters: logical grouping of instances within a single Availability Zone where all nodes can communicate at the full line rate of 10 Gpbs with very low latency
• Partitions: logical groupings of instances, where contained instances do not share the same underlying hardware across different partitions
• Spread: group of instances that are each placed on distinct underlying hardware

Question 16

Can I bring my Windows Server licenses to AWS?

Answer 16

AWS supports BYOL for Windows and SQL Server, but you will need to check with your enterprise agreement terms as to whether you’re able to leverage this feature.

Question 17

Do you support Windows Server 2003?

Answer 17

Windows 2003 R2 is available as an AMI, but we can also discuss steps to migrate your workloads to a newer Windows version since Microsoft ended support in 2015.

Question 18

How often do you patch Amazon Linux and Windows AMIs? What about other OSs?

Answer 18

Amazon Linux is a rolling-release distribution where the latest package versions are available on first boot. The major releases are packaged every 6 months.

Amazon also releases updated Windows AMIs monthly.

For each AMI release, there’s a changelog of included fixes, but once instances are launched from the AMIs, patching is the responsibility of the customer.

Question 19

You said we can instantly scale, but realistically how long does it take?

Answer 19

This depends on your workload and services and how you choose to configure the instances.

For services like DynamoDB, when you adjust the throughput capacity, the capacity is available as soon as the configuration change is applied.

For an EC2 instance, you’ll want to do some test runs to determine the average OS bootup time and any post-boot configuration management runs to understand how long from initiating an launch to application availability.

Question 20

Hardware fails and if we’re running thousands of instances, what do you do to guarnatee we’re not losing VMs when your servers crash or fail?

Answer 20

As we get into architectural discussions with your teams, we have a Well Architected Framework and whitepapers we can leverage for resiliancy designs. At a high level, using multiple Availability Zones, Autoscaling Groups, and Eleastic Load Balancers are some best practices around ensuring high availability.

Is there a particular workload you have in mind?

Question 21

What type of hardware is this going to run on? We are very particular on what we want.

Answer 21

AWS custom designs most of the hardware in our datacenters in order to meet our capacity, resiliency, and maintenance standards. We don’t purchase off-the-shelf hardware. If you want specifics, I can look into getting more details.

Can you share any examples of your particular requirements?

Question 22

What is a hypervisor ?

Answer 22

A hypervisor is software that runs on a physical machine to support the EC2 instances on that machine. It is a layer that AWS is responsible for and not something that you would have visibiity of. In the Shared Responsibility Model it is an AWS responsibility to secure that layer.

Question 23

We’re heavily invested in Oracle RAC. Do you support that?

Answer 23

AWS doesn’t natively support Oracle RAC, but there may be partner solutions [FlashGrid?] to leverage if RAC is a requirement. I’d love to sit down and go over this in more detail. There may be other services like Aurora that can provide the high availability and speed you need.

Question 24

Do you support TDE? (Transparent Data Encryption)

Answer 24

AWS supports encryption at rest and in transit via a variety of methods. Using server-side encryption, you can provide a key or generate one and using the Key Management Service, configure policies for access. Client-side keys are also supported.

Is there a particular use case you have in mind?

Question 25

We just went through a major purchase of Oracle database licenses. What do I do with them if we use RDS?

Answer 25

Depending on your licensing agreement with Oracle, you may be able to use the same licenses with Oracle on RDS.

Question 26

Why should we switch away from MongoDB?

Answer 26

AWS allows the flexibility to run almost any workload, including MongoDB. You can continue to use and manage MongoDB like you currently do by running it on EC2. AWS offers DocumentDB with MongoDB compatibility if you'd like to shift the infrastructure manangement to AWS, but there's no requirement to do so.

Question 27

What’s our RTO if there is a failure? do you support point-in-time restores?

Answer 27

If you are using Multi-AZ RDS, a failure of one node generally recovers within a minute by switching to the standby instance with the only availability impact being the time it takes for the DNS pointer to update. For a single-AZ RDS instance, the RTO of an outage where the data isn't impacted, just the EC2 instance, the availability impact would be the length of time it takes for the underlying EC2 instance to recover, which could take several minutes plus the time to replay any transaction logs. If the impact is due to losing the storage volume, a point-in-time restore can be performed from a snapshot.

Question 28

Redshift: How is it different from Green Plum data warehouse that we use?

Answer 28

AWS Redshift is Large scale data warehouse service for use with business intelligence tools while Pivotal GreenPlum is a Analytic Database platform built on PostgresSQL. Can you kindly elaborate on the particular use case to deep dive at later point of time

Question 29

Redshift and EMR kind of the same thing, no?

Answer 29

Use Redshift when... Traditional data warehouse When you need the data relatively hot for analytics such as BI when there is no data engineering team When you require joins When u need a cluster 24X7. **Use EMR (SparkSQL, Presto, hive) when** When you dont need a cluster 24X7 When elasticity is important (auto scaling on tasks) When cost is important: spots Until a few hundred TB’s, In some cases PB’s will work. When you want to separate compute and storage (external table + task node + auto scaling)

Question 30

If Elasticache is compatible with redis/memcached, you're saying its not actually them? Is it Amazon’s own? We don’t want to do a whole re-engineering effort and get locked into your solution.

Answer 30

Both Elasticache for Redis and for Memcached are fully compatible services that don't require code changes. You can point your existing applications and clients to Elasticache to begin using the service.

Question 31

Elastic Beanstalk and OpsWorks sound really similar. How are they different?

Answer 31

Both Beanstalk and OpsWorks are means of managing your infrastructure, but they target different use cases. For Beanstalk, you can simply upload your code and Elastic Beanstalk and define its requirements and the service handles the infrastructure, deployment, load-balancing, scaling, and monitoring. OpsWorks is a configuration management service that provides managed instances of Chef and Puppet that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed.

Question 32

Is this similar to salesforce cloud or icloud?

Answer 32

Those services are cloud-hosted. AWS provides all the I.T. resources necessary to host an application, such as these, in the cloud. Those applications are higher-level offerings built on top of I.T. resources provided by cloud providers, like AWS.

Question 33

How does AWS operate under Amazon.com? Since you're part of Amazon, are we just getting excess capacity they're not using? Are we going to be treated like second-class citizens? As a retailer, we're competitors with Amazon, so why should we work with AWS?

Answer 33

AWS and Amazon.com are separate entities and Amazon.com is a customer of AWS with their own account manager and team, just like anyone else. Amazon.com doesn't get priority or special access and their utilization and growth plans are taken into account during AWS's capacity planning, just like with any other customer.

Question 34

If we spin down an environment on Friday, but need it on Monday, will AWS guarantee that they the capacity be available? If we're anticipating a huge spike and need 1000 instances, will AWS guarantee the capacity?

Answer 34

One of the reserved instance types offered are "Availability Zone" RIs, which would ensure the capacity purchased in that specific Availability Zone is reserved for use. There are design considerations and strategies we can go over to help ensure application resiliency should a specific instance type not be available in a specific Availability Zone. If you're anticipating a need for a sudden increase in resources, like 1000 new instances, your Solution Architects and Account Manager would work with you to understand the use case and guide you meeting that demand. AWS also has a process for special events. By working with your account team, we can open an Infrastructure Events Management ticket that helps you plan for large-scale events such as product or application launches, infrastructure migrations, and marketing events. This includes capacity planning support.

Question 35

What's a region? What's an Availability Zone?

Answer 35

Regions are separete geographic areas completely independent from each other. Each region has multiple isolate fault tolerant domains called Availability Zones connected to each other by low latency links. Availability Zones contain one or more datacenters.

Question 36

Azure has x # of Regions but you have only Y?

Answer 36

I'm not sure how other providers configure their offerings, but AWS has 81 Availability Zones within 25 geographic regions around the world, with announced plans for XX more Availability Zones and 3 more AWS Regions. (XX- confirm the latest numbers on global infrastructure site) AWS also has XX Points of Presence (XX Edge Locations and X Regional Edge Caches) in XX cities across XX countries. What global capabilities are you looking for?

Question 37

We have requirements for datacenter distances. How far apart are the datacenters in an Availability Zone? Where are your datacenters? How far apart are two AZs? How many Availability Zones are in a region?

Answer 37

For the security of all customers, we don't publish the locations or details of the specific datacenters. We can provide you with the third-party audit reports and dive deeper into our certifications if you'd like. For high availability, best practices are to ensure a workload spans multiple Availability Zones, which are designed to be fault-isolated from each other. Every region has at least two Availability Zones, but for a particular region, we publish the AZ counts by region online. I'd be happy to get the latest info for you. What is the business driver for specified distances?

Question 38

I see that some regions only have 2 AZ's listed. That means S3 Standard isn't supported there, correct?

Answer 38

While we design regions with at least two publicly Availability Zones, we ensure the capacity exists to meet service committments. S3-standard is supported and the replication occurs to a private area within that Region, but that area isn't made publically available for workload placement.

Question 39

What kind of connectivity to AWS can we expect from our datacenters?

Answer 39

[Ask questions about connectivity requirements] Aside from general Internet access, we have a several connectivity options. With VPN Gateways, you can establish a secure connection between your datacenter and your cloud environment. We also have Direct Connect, which would be a crossover from your datacenter directly to AWS's network.

Question 40

Can you create a new region where I need it?

Answer 40

AWS is also looking for where demand exists for establishing or expanding our points of presence. What are the requirements for why you'd need AWS to build you a datacenter?

Question 41

Can I use the GovCloud region?

Answer 41

GovCloud has a set of requirements for who can access it, but you are able to apply for access if you have an existing AWS account. What are you looking to use GovCloud for?

Question 42

What's the latency b/w two AZs?

Answer 42

Availibility Zones are connected by high speed, low latency links, typically in a single digit millisecond range. If you want to measure the latency of a particular set of AZs, you can use the same tools you normally would to test connectivity between instances.

Question 43

What is the unit of failure? Can AWS guarantee 99.999% availability?

Answer 43

For most of our services the unit of failure is at the AZ level. We also have regional services (S3) and global services (IAM). We recommed to spread your workloads with autoscaling configurations across multiple AZs and multiple Regions. What are your requirements for high availability?

Question 44

Can you talk about your plans to open new locations? Like India?

Answer 44

AWS is constantly looking for upgrading their region/AZ/datacenter footprints globally based on customer needs. We also publish our Global map of presence along with upcoming/planned AZ/region. What is the specific usecase

Question 45

Do you own all of the regions and AZs?

Answer 45

Amazon owns and operates many of its data centers, while others are housed in collocation spaces that are offered by various reputable companies under contract to Amazon. Is there any specific concern that I can help you address?

Question 46

How do I cutover across regions if one is unavailable?

Answer 46

Can you please help me to understand the use case ? We can do a deep dive using AWS Well Architected Framework and work on this concern/requirements of availability/fault toleranc

Question 47

You only have X POPs? Akamai has YY so why would we use CloudFront?

Answer 47

I am not sure about our competitors capabilities. To deliver content to end users with lower latency, Amazon services like CloudFront uses a global network of 230 Points of Presence (218 Edge Locations and 12 Regional Edge Caches) in 84 cities across 42 countries and growing. We can do a deep dive

Question 48

Our F5 upgrades are going to run over a $1M. How much would it cost me to use load balancing on AWS?

Answer 48

I can help do a cost analysis, but we'll need to review the architecture further to help determine projections.

Question 49

What is the big difference between F5 and ELB on AWS? How does it scale if we have one IP and it goes everywhere?

Answer 49

Elastic Load Balancers are designed to be highly available and scalable for balancing traffic for nodes within and across Availability Zones within a region using features like host-based and/or path-based routing, connection draining, stickiness and cookies, etc.. When you say "one IP and it goes everywhere" what do you mean? Are there particular features you're looking for on the ELBs?

Question 50

Can I get a static IP with an ELB?

Answer 50

Network Load Balancers support a static IP. I can look into if we'll support this at the Application Load Balancer level, but what are you looking to use a static IP for?

Question 51

Can I use an ELB for my on-prem servers too?

Answer 51

If your on-premise environment is routable from within your VPC, such as via a VPN connection or Direct Connect, an ELB can direct traffic to it via IP.

Question 52

We have to use multicast, do you support it?

Answer 52

Not presently, but what are you using multicast for?

Question 53

Can you provide an SLA for latency over Direct Connect? Can you provide an SLA for latency over Direct Connect? Can you provide an SLA on your leg, your segment?

Answer 53

[I'm sure the answer is no, SLAs exist for availability, and latency has many factors outside AWS control to even offer, but I'm not sure of the best reply]

Question 54

How are you going to let us know and ask for our permission when you make a change to your network? We need to vet your changes.

Answer 54

AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources.

Question 55

You said that there is no SPoF but there is only one router here on your Overview of VPC diagram

Answer 55

I'm showing the logical concept of a router on the diagram, the networking layer behind this contains no single points of failure and is designed to be highly available.

Question 56

We use F5 load balancing - can we keep it? Would you support?

Answer 56

F5 is a partner and makes Big-IP available on the AWS Marketplace that you can deploy into your AWS account and continue to use. Support for the product itself would be between you and the vendor, but AWS support will cover any AWS infrastructure resources in your account.

Question 57

Can we import our F5 iRules into your ELB?

Answer 57

With the AWS CLI or API, an ELB configuration can be managed programmatically allowing for the scripted creation of ELB rules. I'm not aware of any specific importers from other products, but I can look into that further.

Question 58

I wanna make sure I have more than 10Gbps between two machines. Can I do that? Do you even have 10gbps NIC machines?

Answer 58

AWS offers instances with networking up to 100Gbps. The amount of bandwith depends on the instance type chosen. What type of workload do you have in mind for this requirement?

Question 59

Can we bring our own class C IP / public IP addresses? For email sending for example. We have our own range that's very clean and we don't want to get rejected.

Answer 59

Yes, AWS supports bringing IP ranges you own to your account. For email sending, I'd like to understand that use case further. AWS provides the Simple Email Service with agressive management of remaining a trusted sender to avoid rejections. One thing to mention is port 25 is throttled by default for all EC2 instances, but this can be removed for an specific instance if needed.

Question 60

private ips and public access

Answer 60

A private subnet is configured within your VPC as a subnet without a route to the Internet Gateway and where instances do not have public IP addresses. If you have data on-premise that cannot leave, AWS supports VPN endpoints and Direct Connect to allow your VPC to securely access your datacenter, allowing you to keep certain data on-prem but allow for processing and other workloads to run in AWS.

Question 61

Can we use Route 53 without CloudFront?

Answer 61

Yes, Route53 is a separate service that integrates with, but doesn't require CloudFront.

Question 62

Can we use CloudFront with our datacenter instances?

Answer 62

Yes, you can define a custom HTTP origin in CloudFront for your on-prem hosts.

Question 63

What kind of access do we have to routers and switches?

Answer 63

What kind of access are you referring to? What are you looking to do? AWS doesn't provide access to the infrastructure layer. The route tables within your VPC are fully managed by you, and you also control the network ACLs for your VPC subnets, through the AWS console or CLI/API calls.

Question 64

Do you use Juniper or Cisco switches?

Answer 64

AWS uses custom hardware for the networking layer.

Question 65

Can SNMP traps provide information to feed into CloudWatch? If yes, how?

Answer 65

CloudWatch allows you to send custom metrics to fit your workload's monitoring requirements. SNMP isn't natively supported, but between third party solutions from AWS partners or custom scripts, the data can be sent into CloudWatch. If you have an example in mind, I can look a more specific way to accomplish this or perhaps provide a script that would show how.

Question 66

We are happy with Akamai, why would we choose your CDN over them?

Answer 66

you get the benefit of several native integrations with other AWS services for easier management of your infrastructure. significant cost advantage when your origins are in AWS. Data Transfer costs (egress) from an AWS Origin (S3, ELB, EC2, etc.) to CloudFront is completely free advanced security features through integration with ACM, Amazon GuardDuty, Shield Advanced for DDoS protection, and Layer 7 protection with AWS WAF With CloudFront triggers for Lambda@Edge, you can implement advanced custom logic at the edge, closer to your viewers to get increased cacheability, more customized, and personalized content delivery to your viewers.

Question 67

We can't have our internal data on the Internet. Can we provision an S3 bucket in our VPC?

Answer 67

AWS supports VPC endpoints for services like S3, so you can certainly configure your account to ensure this traffic remains inside AWS network.

Question 68

If I buy through the AWS Marketplace, who do I call for support? You, or them?

Answer 68

Support for Marketplace software is based on your agreement with the vendor of that product, but the resources provisioned run within your AWS account and you can leverage your AWS support contract for assistance with the infrastructure, if needed.

Question 69

You said the AWS Marketplace helps with licensing, but how? Is it cheaper? What if I already have a license?

Answer 69

With AWS Marketplace, licensing is included as a per-hour charge, so you pay normal AWS costs for the infrastructure plus the vendor's licensing fee. You can use a product without paying a large up-front agreement. Depending on your licensing agreement and the vendor's Marketplace offering, you may be able to use your existing licenses, but that's a discussion to have with the vendor. Is there a particular workload you're looking for from the Marketplace?

Question 70

Can I get private pricing through the Marketplace?

Answer 70

I reach out to our partnership team to look into that further. Is there a particular product you're interested in?

Question 71

We have an existing auditor that comes in and inventories our systems and performs detailed tests. How do we get our audit team in to validate the environment and applications if they're in your datacenter?

Answer 71

Security in the cloud is a shared responsibility model. For infrastructure compliance, AWS have certifications based on third-party audits and we can provide you that documentation to aid in your audit requirements. Additionally, you have full visibility into the logical infrastructure via API calls, so your auditors can get information on items like security group (firewall) rules or RDS configuration via API calls, or account access information through our API auditing service, CloudTrail. I can also get you more information on auditing in the cloud, perhaps even sit down with your internal audit team and AWS's specialists in the field to better understand how to meet your needs.

Question 72

Can you view my data? if we're running on your hardware in your datacenters, i can't imagine you guys don't have root controls to log into the machines. If we have to store an encryption key with you, you can theoretically still get access, right?

Answer 72

Security is our top concern and we have a robust separation of duties. The datacenter operations personnel do not have access to or knowledge of the logical layer, meaning that even when troubleshooting a system, they don't know which customer or workload is running on that instance. Conversely, those with logical access don't know the physical systems involved. For physical system access, those events are tracked and audited. We have many certifications and regularly have third-parties audit us and those documents can be made available to you. Access to your account is under your control. Even the Solutions Architects assigned to you can't access your account or systems unless you create an IAM account for them. There are also many options for encrypting data at rest and in transit, including using client-side encryption if you want to retain full control over the keys.

Question 73

If you get a court order to deliver our data to the government, would you do that?

Answer 73

We operate within the jurisdictions and have to comply with local laws. However, AWS is committed to protecting our customers. If we get a court order, we will fight it on your behalf and, wherever permissible by law, we'll also notify you.

Question 74

We own our datacenter, so internal traffic isn't encrypted, but we're not comfortable having unencrypted traffic on a public cloud. Does AWS encrypt the traffic between our instances? Do you encrypt traffic between AZs?

Answer 74

Within the AWS network, you'll be hosting in a Virtual Private Cloud (VPC) and all traffic between your instances stay within your VPC. Other customers cannot see your traffic. Configuring inter-instance traffic encryption would be the same as on-premises.

Question 75

Does AWS provide DDoS protection?

Answer 75

AWS Shield Standard and AWS Shield advanced. AWS Shield standard is automically provided to all AWS customers. AWS Shield Advanced service can be bought for additional fetaures

Question 76

How does IDS/IPS works on AWS? If we need a network tap, can we do so? If AWS is blocking attacks, that means you're reading our traffic, right?

Answer 76

To reiterate the shared security responsibility , security *of* the cloud is AWS while security in the cloud is customer's responsibility. Intrusion Detection and Prevention can be achieved in number of ways. There are tools/services like Guard Duty, 3rd party solution (AWS marketplace) as well architecture best practices which we can go through using our well architected framework. Let's setup a follow up with our specialists on this topic. Amazon VPC traffic mirroring is a “virtual fiber tap” that gives you direct access to the network packets flowing through your VPC. I respectfully disagree to to 3rd statement. Let's have a follow up on what are specific concerns

Question 77

Could we bring our own appliance? Where do I ship our servers for migration?

Answer 77

AWS provides and manages all equipment in the datacenter. What are you looking to move?

Question 78

Are there granular resource-level permission for SQS?

Answer 78

In what way, what are you looking to do? Access policies can be defined at the queue level or at the user level (using IAM policies) that can grant rights to perform queue-based actions like get/put/list.

Question 79

Could you talk about how you would provide us with HIPAA compliance. How much would it be? We need to be SOC1 compliant, will you certify our workload? We do business with gov and have to be FISMA compliant and end-point must have FIPS encryption. Do you provide this? If we don’t have access to these [infrastructure components] how will we make sure that we are compliant?

Answer 79

AWS doesn't certify your workloads. We will provide you with the accredation documentation covering the infrastructure and hosting operations that you can send to your auditors with your own workload information. We are [accredation] certified.

Question 80

We have to do regular intrusion / penetration testing and vulnerability scans. Are we allowed?

Answer 80

Yes, you can perform intrusion and penetration testing against your own workloads on AWS. Depending on the type of test, you may need to submit a request beforehand. You're not allowed to perform such tests against AWS services or APIs, however. I can get the AWS policy details around this if you'd like.

Question 81

We have a lot of business units with different policies so we don't want everyone in the same account. Should we have an account for each? How can we maintain cost controls, access policies, and security with a bunch of accounts?

Answer 81

There's a lot of flexibility in setting up an organization structure in AWS and creating centrally managed guardrails around security, access, compliance etc.. It might be a good idea go over your needs in more detail. We can help design a structure using AWS Landing Zones, which are our best practices around account management.

Question 82

If IAM is how we define policies, do we need to create accounts for everyone? Can we leverage our existing directory?

Answer 82

IAM can integrate with your existing directory where you can map IAM groups to directory group membership.

Question 83

EBS volumes are stored in S3, right? How is S3 different than EBS?

Answer 83

EBS snapshots are stored in S3, but they're not objects you can access via the S3 console. EBS volumes are not stored on S3, it is a separate storage service. EBS and S3 are different technologies. EBS is a block storage service to provide harddrives mounted to instances. S3 is an object store for API-based access to data. Think of EBS as just hard drives, mounted filesystems you access via normal file operations. S3 isn't mounted and is designed for API-based access.

Question 84

Can I mount S3 on multiple instances?@

Answer 84

Ask about use case as this likely means not understanding what S3 is. For shared storage, mention EFS, but let's dive into the use case further to see if that is the best fit.

Question 85

We have petabytes of data. Can we just dump it into S3 or do we need to notify you first to ensure capacity?

Answer 85

S3 is designed for to be effectively limitless. You're not required to notify AWS, but if you want to give your account team a heads up, we can help with the best methods for transferring that data. In addition to just copying to S3, we also offer services like SnowBall where we ship you an appliance to copy data to which we can load for you. These may be faster or more efficient.

Question 86

Can I use S3 for all my storage needs, or are there cases where its not appropriate?

Answer 86

S3 is great for high speed object storage. Great use cases are to store static assets like images and javascript files to offload serving that content from the web tier. Any use case that require file I/O isn't a fit for S3, such as a database or any operations require file locks or file appends. In S3, reads are GET operations and writes are PUT, which uploads the entire object again.

Question 87

What's the difference between S3 and Glacier?

Answer 87

S3 is designed for fast access to frequently used data whereas Glacier is an archival system. Glacier has lower per-gig storage costs, but higher retrieval times. Glacier is also designed for meeting compliance requirements around long term data retention. Think of Glacier as like a tape library.

Question 88

How is S3 replicated and backed up? What is the S3 durability?

Answer 88

DRAFT: Region protection: Cross-region Replicaton Same region: Versioning 11-9s of durability for most storage options

Question 89

Can I host dynamic content on S3?

Answer 89

S3 is widely used for hosting static content. It doesn't process files read, so it cannot host dynamic content. S3 can be used to augment other options for dynamic hosting, like Elastic Beanstalk or EC2 instances running Apache or Nginx, by offloading the static content to S3. [If asked how to offload static:] Elastic Load Balancers and CloudFront can do path-based routing, so your /images/ URI can be configured to serve from S3

Question 90

What are S3 and EBS SLAs?

Answer 90

The SLA for S3 Standard is 99.99% and EBS is covered under the EC2 SLA with availability at 99.99%

Question 91

How much PIOPS storage (GB) do I need to provision in order to realize 20,000 IOPS?

Answer 91

I believe the ratio for maximum IOPs to storage is 50:1, which would mean 400G or more for 20k IOPs, but I can confirm that after our meeting if you'd like. I'm curious what sort of workload you have in mind, could you share more information?

Question 92

How do I move objects from S3 to Glacier? What if I need the S3 object back from Glacier?

Answer 92

.With S3's Lifecycle Policies you can define when and to what storage tier objects move. When objects are moved to Glacier, they remain as S3 objects that you can manage, but to retrieve the contents you have to request a temporary copy to be restored and it will become available in S3 for only the time period specified in the restore request.

Question 93

Does S3, Glacier or Storage Gateway de-dup data?

Answer 93

No, objects are mapped 1-1, there is no deduplication performed.

Question 94

How is AWS different from running my Private Cloud? We have OpenShift on-premises today, it already gives us the agility you're talking about.

Answer 94

I'd be curious to hear more about your use of your private cloud. What sort of workloads to you currently run? With a private cloud, you are still taking on the capital expense of acquiring and maintaining hardware and real estate. With AWS, that portion is handled by us, allowing you to focus on the business value of your applications instead of server maintenance, racking and stacking, etc.. You also gain benefits from AWS's economies of scale and our fast pace of innovation. With 90% of our feature roadmaps driven by customer feedback, we're continually launching more services and enhancements.

Question 95

You said we'll move to a variable expense model, but we are used to / like the CapEx model we have. Can we remain CapEx in AWS? Can we amortize our spend? How do we expense our AWS costs?

Answer 95

While AWS is a pay-as-you-go model for the consumption of resources, we do offer the ability to pay upfront for usage committments with our Reserved Instances. Several options there are full or partial upfront payment for 1 to 3 years of specified utilization for compute shapes. Whether or not you can amortize or consider this as CapEx is more of a finance discussion. I can set up a meeting with your Account Manager and your finance team to dive a bit deeper into this, if you'd like.

Question 96

You have a lot of services like DynamoDB or Kinesis which look designed to lock us into you as a vendor if we adopt them. Why would we want to choose being locked into AWS? Why should I use higher level services? Why can't I do things the old way with core services like EC2?

Answer 96

90% of the features and services AWS releases are based directly on customer feedback. Some services are based on what has worked well internally or created to address a gap in th market. We will never push you to use any particular service. They are available if you think they'll bring value. AWS was designed to be highly flexible. You can choose to run many of your existing workloads on our compute service, EC2. For example, while DocumentDB is a MongoDB API compliant service we offer, you can set up a MongoDB cluster on EC2 instances. The same is true for Kinesis, if you'd prefer to use Kafka or another product. Your Solutions Architects are here to help guide and support your decision.