Partner SA Roundup – January 2017
Last year, we hosted a wealth of content from our Partner SAs (read all about our Partner SA guest posts), including a couple of posts recapping innovative ISV solutions on AWS. This year our SAs are back at it, and we’re going to kick off 2017 with Ian Scofield and Mike Kalberer, two Partner SAs who work closely with a number of APN Partners, who discuss solutions from CloudHealth Technologies, Saviynt, and Turbot.
By Ian Scofield
Optimizing your cloud infrastructure for cost is a core component of the AWS Well-Architected Framework. To save money, AWS customers can purchase Reserved Instances (RIs) at deeply discounted rates compared to On-Demand pricing. AWS recently released Convertible and Regional Benefits for RIs, which provide improved purchasing flexibility. To provide additional insight into these features from their perspective, APN Partner CloudHealth Technologies recently wrote a two-part blog series explaining the benefits of Convertible RIs and when to choose them over Standard RIs, as well as when to consider leveraging the Regional scope option.
CloudHealth not only helps you identify areas where leveraging RIs can save you money, but also allows you to automatically modify RIs whenever there is an opportunity for cost savings. Beyond RI management, CloudHealth provides visibility into your cloud infrastructure and analyzes current usage to identify optimizations focusing on cost, usage, performance, and security. CloudHealth users can also define governance policies to help automate basic operational tasks, such as identifying untagged resources and terminating them after giving owners a specified time to comply. CloudHealth can also provide security benefits, such as identifying overly permissive security groups and recommending steps to remediate them.
By Mike Kalberer
It’s important to be able to provision access to AWS resources across a single or multiple accounts seamlessly. The workflow needs to be able to identify and manage the risks of granting that access, while also providing ease of use to users.
APN Partner Saviynt recently added privileged access management (PAM) to its existing AWS security offering. Granting least privilege via roles in order to complete a required task is considered best practice. This new feature gives customers visibility into which users have access to these privileged roles, and helps limit privilege creep or egregious permissions. PAM also provides an audit trail of the actions performed by users in these roles to give a complete picture of who had access and which actions they performed with that access.
Common tasks are usually associated with permissions that are typical and essential for performing those individual tasks; for example, a user does not need access to Amazon RDS if they’re only working with Amazon EC2. The PAM module includes self-service functionality against pre-defined, highly privileged roles. This allows users to request access to these highly privileged roles with multi-stage approvals. Auto-provisioning can be configured for single or multiple AWS accounts, with additional controls like time-bound expiration.
Once the access has expired, PAM can automatically de-provision access from the AWS account(s) and pull audit trail information from AWS CloudTrail for automated review or certification. Since the user sessions are created using temporary credentials, PAM is able to associate these credentials with users to ensure that the audit trails are correctly correlated.
Saviynt’s security management solution integrates with various AWS services, including IAM, AWS CloudTrail, Amazon EC2, Amazon S3, and Amazon RDS. Saviynt’s Security Manager is available with a 30-day free trial on AWS Marketplace. For more information regarding the new PAM feature, see the Saviynt blog.
By Ian Scofield
Managing policies and access across multiple, even hundreds of, AWS accounts can require additional work to integrate with your existing workflow. Ensuring that policies are applied identically across all accounts and detecting when configuration drift has occurred is very important. This is where APN Partners like Turbot, which is also an AWS Life Sciences Competency Partner, can help by providing you with the tooling to automate these tasks, and additional confidence that your AWS infrastructure will remain exactly how you’ve configured it.
Turbot provides users with centralized access to all of their AWS accounts and resources. By leveraging single sign-on, it allows users to use the AWS console they’re familiar with for their application, with the benefit of additional control guardrails in place. Turbot provides other features like LDAP integration with predefined policies, predefined security group rules across accounts, and automatic encryption and backup rotation.
Turbot is also quick to react to various AWS feature and Region releases; for instance, they already support the recently launched London and Canada Regions, as well as the AWS Server Migration Service, AWS Shield, AWS Step Functions, and AWS X-Ray. For more information regarding this product and its features, check out the Turbot website. To schedule a demo, reach out to Turbot directly at firstname.lastname@example.org.