How AWS Helps MSPs Deliver Well-Designed Clouds

Taylor Gaffney
Today’s cloud infrastructure isn’t like yesterday’s or even last month’s cloud. AWS is releasing new features and services every week. The speed at which you can set up and deploy a new environment in the cloud is mind-boggling: minutes, compared with the old way of weeks of time spent on hardware procurement and installation. Of course, you must know what you’re doing.
MSPs looking to move clients to the public cloud need regular refreshers on skills and knowledge to ensure cost and performance optimization as well as strong security. Partners play an important role in giving customers visibility into their own cloud infrastructure. IT professionals who have been running traditional, on-premises environments typically lack skills in the specific public cloud platforms, as well as in the tenets of hyperscale computing.
Creating a well-architected cloud environment in AWS means applying best practices spanning security, cost and performance. AWS publishes guidance (its Well-Architected Framework) to get you started. Here’s how we break this down:
Security: More than 90% of the issues our customers face when moving to the cloud relate to the security pillar. Companies often aren’t aware of security weaknesses in their cloud environment until we do a thorough review. The challenge is that in most traditional environments, security teams focus primarily on protecting the edge of the network, using technologies such as firewalls, intrusion detection systems, data loss prevention and access control. In AWS, the provider secures the underlying infrastructure, but everything inside the account is the customer’s responsibility, so the environment must be secured at every layer: identities and their permissions, subnets and security groups, instances, load balancers, operating systems and applications.
The top best practices include:
- Multifactor authentication: Ensure customers have MFA enabled on the root user and on every IAM user who can sign in to the console. Roughly 80% of the companies we work with don’t have this turned on, and it is an easy, effective second factor on top of the password. For programmatic and role-based access, an IAM policy condition on the aws:MultiFactorAuthPresent key can deny sensitive actions to sessions that did not authenticate with MFA, and CloudTrail records whether MFA was used on every console login, so the gap is easy to audit.
- Control access: Advise the customer to grant authorized AWS users the minimum permissions they need to start, adding privileges only as the role requires, and to prune permissions that go unused (IAM’s service last-accessed information shows which services a user or role has never touched).
- Encryption: AWS supports encryption of data at rest and in transit. AWS Key Management Service (KMS) lets you create and manage encryption keys, encrypt data with them directly or through integrated services such as S3, EBS and RDS, and control who may use each key through key policies combined with identity and access management (IAM) policies. For data in transit, require TLS; for example, an S3 bucket policy can deny requests whose aws:SecureTransport condition is false.
- Automation: A general principle is to minimize manual changes to the AWS environment and instead use the cloud services that automate configuration and workload management, for example defining the infrastructure as code with CloudFormation so that every change is reviewed, repeatable and reversible. This prevents errors and lowers the customer’s overall risk.
- Visibility: Enable traceability and monitor alerts in real time, because on-demand infrastructure changes constantly. AWS CloudTrail is the fundamental tool here: it records the API calls made in your AWS account (which principal called what, from where and when), so you can see exactly what happened when investigating an issue; keep it enabled in every region and protect the log bucket from tampering. AWS Landing Zone is another: it builds a multi-account environment from a standard baseline, so every new account is created with the same secure configuration matching the customer’s requirements. That is more secure because the configuration is automated and consistent, and it dramatically reduces the time needed to create new accounts. Amazon GuardDuty, a managed threat detection service; AWS Config, which records resource configuration history and evaluates it against rules; and Amazon CloudWatch, for metrics, logs and alarms, are other valuable monitoring and management services to consider. There are also plenty of sophisticated AWS partner solutions, such as OpsRamp, that serve similar purposes.
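As an added example (not from the original article or from any AWS tool), the following Python script applies the Multifactor authentication and Visibility points above to CloudTrail records: it flags successful console logins made without MFA, any activity by the root user, and API calls that stop logging, disable or delete KMS keys, or remove MFA devices. The records it runs on are constructed sample data with placeholder account IDs, names and addresses; the field names follow CloudTrail’s record format, but the set of API calls treated as risky is an assumption to tune per customer.

```python
"""Triage CloudTrail records for the security signals discussed above.

Added example, not code from the article. Runs offline on constructed
records; nothing here calls AWS. Field names follow the CloudTrail record
format (eventSource, eventName, userIdentity, additionalEventData,
responseElements); the RISKY_API_CALLS table is an assumption to tune.
"""
import json

# eventSource -> {eventName: reason}. Management calls that weaken the
# controls in the checklist (visibility, encryption, MFA). Assumed list.
RISKY_API_CALLS = {
    "cloudtrail.amazonaws.com": {
        "StopLogging": "CloudTrail logging stopped",
        "DeleteTrail": "CloudTrail trail deleted",
        "UpdateTrail": "CloudTrail trail configuration changed",
    },
    "kms.amazonaws.com": {
        "DisableKey": "KMS key disabled",
        "ScheduleKeyDeletion": "KMS key scheduled for deletion",
    },
    "iam.amazonaws.com": {
        "DeactivateMFADevice": "MFA device deactivated",
        "DeleteVirtualMFADevice": "virtual MFA device deleted",
    },
    "guardduty.amazonaws.com": {"DeleteDetector": "GuardDuty detector deleted"},
}

# Constructed sample log body, in the {"Records": [...]} shape CloudTrail
# delivers to S3. Account ID, names and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-03-04T08:12:31Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-03-04T08:15:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-03-04T09:01:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2019-03-04T09:30:10Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/carol"}},
    {"eventTime": "2019-03-04T09:31:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "dave"}},
    {"eventTime": "2019-03-04T10:02:19Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def load_cloudtrail(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of records."""
    return json.loads(text)["Records"]


def principal_of(record):
    """Human-readable principal: root, an IAM user, or an assumed-role session name."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type", "Unknown")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return "user/" + ident.get("userName", "?")
    if kind == "AssumedRole":
        # Session ARN ends with role-name/session-name; keep the session name.
        return "role-session/" + ident.get("arn", "?").rsplit("/", 1)[-1]
    return kind


def triage_record(record):
    """Return (severity, reason) findings for one record; empty list if benign."""
    findings = []
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    # 1. Successful console sign-in without MFA. CloudTrail reports the factor
    #    in additionalEventData.MFAUsed for ConsoleLogin events.
    if source == "signin.amazonaws.com" and name == "ConsoleLogin":
        success = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa_used = record.get("additionalEventData", {}).get("MFAUsed")
        if success and mfa_used != "Yes":
            findings.append(("HIGH", "successful console login without MFA"))
    # 2. Any root activity: day-to-day work should use IAM identities.
    if record.get("userIdentity", {}).get("type") == "Root":
        findings.append(("HIGH", "root user activity: " + name))
    # 3. Calls that reduce visibility or weaken encryption and MFA controls.
    reason = RISKY_API_CALLS.get(source, {}).get(name)
    if reason:
        findings.append(("CRITICAL", reason))
    return findings


def triage(records):
    """Flatten findings to (eventTime, principal, severity, reason) tuples, in log order."""
    return [(rec.get("eventTime", ""), principal_of(rec), sev, why)
            for rec in records for sev, why in triage_record(rec)]


if __name__ == "__main__":
    for finding in triage(load_cloudtrail(SAMPLE_LOG)):
        print("%s  %-22s %-8s %s" % finding)
```

In practice you would feed this the objects CloudTrail writes to its S3 bucket (or wire the same checks into CloudWatch Events or GuardDuty), and the root and StopLogging findings are exactly the kind of event that should page someone rather than wait for a weekly review.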
Cost: A common issue with cost containment is …