AWS re:Invent 2022 - Data protection and governance on AWS (STG207)

The world’s most valuable resource is data. Data protection and data governance help fuel business success and regulatory compliance and proactively prevent inadvertent issues or data loss. Join this session to dive deep on how AWS managed data protection services offer organizations defense in depth to help mitigate risks around their sensitive application data at rest and in transit.



Content

6.451 -> - Hello and welcome everyone to AWS re:Invent.
10.65 -> My name is Palak and I'm joined today here
15.87 -> with Marcos, who's our senior solutions architect,
19.74 -> and Matthews, who's our customer representation
22.14 -> from Asurion.
23.73 -> So let's get started.
26.16 -> Did you know that from the beginning of humanity 'til 2003,
31.26 -> the data growth was about half a zettabyte?
34.47 -> Now, in 2013 alone, just in two days
39.24 -> that much amount of data was recreated.
42.51 -> The data has been growing steadily and exponentially,
45.18 -> and in 2018, that number reached an estimated worth
49.53 -> of 33 zettabytes.
51.72 -> IDC expects that the data will keep on growing
55.02 -> at a rate of 5.3 times,
56.91 -> and by 2025, we expect the data to become 181 zettabytes.
63.96 -> Now, just to give you a little bit of a perspective,
67.2 -> one zettabyte equals to a trillion gigabytes.
70.62 -> That's a lot of data.
72.355 -> And that's, while it's exciting,
74.61 -> it poses interesting challenges for customers of all sizes,
78.12 -> for our CIOs, our storage administrators,
80.73 -> on how to protect and safeguard that data.
84.36 -> So let me start by talking about, you know,
87.3 -> what is data protection in the context of this presentation?
91.44 -> Data protection refers to strategies that one puts in place
95.016 -> to safeguard critical important data
98.64 -> from loss, compromise, and corruption,
101.76 -> and recover that data to an operational state
104.52 -> to ensure business continuity.
107.04 -> Our customers require a simple, cost efficient,
111.75 -> and a centralized management system
114.06 -> to be able to protect their data.
120.3 -> All right, now the AWS native services
123.63 -> have data protection inbuilt
125.19 -> based on the microservices architecture.
128.76 -> However, the management of the data protection policies
132 -> is all one off based on the service type.
135.03 -> Customers often use ProServe or Professional Services
138.78 -> to write scripts to create data protection policies
142.38 -> for the individual services.
144.09 -> Now, this results in a sprawl of tech tools
147.66 -> and additional hands required to manage those scripts
151.83 -> and the policies associated with the services.
155.07 -> This just results in siloed solutions per service.
158.907 -> Moreover, when we talk to our customers,
161.82 -> it is very clear that compliance is a key requirement.
165.96 -> Majority of our customers not only use one type of resource.
169.41 -> So for example, if they're protecting EFS,
172.41 -> mostly they would be also working
174.18 -> with EBS, Azure, Aurora, RDS, and other resources.
181.08 -> So now to maintain compliance and report on the compliance
184.35 -> of those data protection policies, it is very cumbersome
187.23 -> to audit the logs manually through scripts
190.38 -> and report on the compliance.
192.09 -> Moreover, that approach is error prone,
194.34 -> and can result in the customer being non-compliant.
198.09 -> This siloed approach results in costly operations
200.88 -> for the end customer.
202.35 -> As a result of this, you know, we listen to our customers.
204.87 -> We always work backward from our customer requirements,
207.36 -> and we decided to create AWS Backup solution.
212.13 -> Talking to our customers, typically, they fall
214.59 -> into one of the three categories or topologies
216.93 -> as described here.
218.97 -> The first topology is where customers
220.92 -> are running their applications
222.78 -> on premises in their own data centers,
224.88 -> and they're using software from backup vendors
227.85 -> or media servers or backup appliances
230.147 -> to backup or protect their data.
233.58 -> The second topology is, you know, mostly due
236.4 -> to the onset of Cloud.
237.57 -> Customers have started using applications on premises,
240.96 -> but are using a target Cloud to protect their DA data
245.16 -> using, say for example, a storage gateway.
248.19 -> And the third topology is more Cloud-native topology,
251.82 -> where customers want to go ahead
253.62 -> and run their applications on the Cloud,
255.685 -> and they also want to natively protect those applications
258.555 -> within the same Cloud.
260.4 -> They want to be able to monitor, audit, and report
263.88 -> on the compliance of your data protection policies natively
267.3 -> from the Cloud.
268.47 -> We listen to our customers and we worked backwards,
271.08 -> and as a result of which, AWS Backup is available to solve
274.595 -> for the hybrid and Cloud-native use cases.
277.74 -> This is what our customers wanted from us.
282.18 -> With this brief introduction, I would like
284.52 -> to invite Marcos here to talk through the solution
288.93 -> and the architecture of AWS Backup.
290.627 -> Marcos. - Thank you, Palak.
292.65 -> Good afternoon, y'all. My name is Marcos Perez.
294.72 -> I'm a storage specialist SA, part of AWS Backup team.
300.12 -> Let's go over how AWS Backup works,
303.39 -> but even before that, can you show hands
305.842 -> who is using AWS Backup currently right now?
310.62 -> Okay, I see quite half of the audience. Thank you.
315.54 -> So AWS Backup, as Palak mentioned,
318.51 -> was created to simplify, to automate,
321.93 -> to centralize the data protection,
325.83 -> both for Cloud and for on premises.
330.42 -> It's a managed service.
331.8 -> So for those who are familiar with managed services,
335.13 -> basically we are taking out of the undifferentiated,
339.364 -> heavy lifting of managing, provisioning, servers, licensing,
344.64 -> infrastructure, network, everything that you need
347.07 -> to put together in order to put a solution together.
351.9 -> With AWS Backup, you just opt in
354.09 -> and you start using the service.
355.53 -> That's the first step.
357.24 -> The second step's quite important,
358.95 -> because most of the time we spend
360.57 -> there creating your data protection strategy
363.78 -> is the backup plan.
365.34 -> So for those that are using already familiar
367.74 -> with the dashboard or using scripting
369.483 -> or using the CLI or SDK,
371.76 -> you can create your backup plan.
373.65 -> The backup plan encapsulates things like the frequencies of
377.683 -> the backups, the rotation, where the backups will be saved,
385.32 -> any type of transition to cold storage,
388.92 -> lifecycle management policies, and so on.
392.07 -> Once you define the backup plan, the frequencies,
395.01 -> the retention and all the policies,
396.477 -> and then you start assigning resource,
399.09 -> you can assign resource to a backup plan in two ways.
402.75 -> You can do that pointing directly to the services
406.47 -> or the resources that you want to protect
408.99 -> or which is more common.
410.31 -> Customers are using tagging systems.
412.08 -> So you, you just tag your resource,
414.27 -> you select certain tags that you put on your backup plans,
418.2 -> and then after you start tagging the resource
421.059 -> and the multiple services you're protecting,
423.209 -> you are able to activate the protection for those resources.
427.979 -> You can further extend AWS Backup functionality
431.94 -> with external components, external primitive components
435.06 -> from AWS, for example, notification, log,
439.14 -> audit trail, automation, so things like CloudTrail, CloudWatch,
444.347 -> SNS, EventBridge, all you can go at that EventBridge
448.5 -> to learn the function that you generate reports on S3
451.65 -> and I start inventing a few, a few new,
454.92 -> new solutions right now,
456.09 -> and Matt will share his experience later creating
460.153 -> those components, connecting those dots
462.33 -> to generate a data protection strategy.
465.78 -> Still talking about integration,
468.48 -> AWS Backup integrates with AWS organizations.
472.71 -> For those that are not familiar with organizations,
475.24 -> you can manage multiple accounts and define policies
479.55 -> and define controls for your accounts
481.56 -> in a centralized fashion.
483.99 -> So you go to your organizations, define the backup policies,
488.062 -> what is integrated with backup, and then you deploy
491.34 -> all those policies and backup plans to the child accounts.
494.79 -> You even can organize those policies in organization units
498.75 -> or group of accounts.
501.63 -> Every single backup that's created by AWS Backup is saved to
507.42 -> a repository called backup vault.
510.12 -> The backup vault's not a physical repository,
512.46 -> it's not physical storage.
514.32 -> More of a logical construct,
516.22 -> an abstraction layer that we created for two reasons.
519.868 -> First reason, we want to make sure
522.51 -> that AWS Backup is simple enough so you
525.15 -> can organize your backups,
526.56 -> organize your recovery points in any fashion you want
529.95 -> by SLA, by business unit, by region, by account,
534.57 -> so you, you can create the vaults the way you need
537.963 -> to organize your backups.
539.25 -> The second aspect, and also quite important is security.
543.69 -> We are providing a protection layer or separation
546.329 -> from the vault where the recovery points will be saved
550.23 -> to the storage underneath.
551.97 -> We are not exposing any APIs on that storage.
554.97 -> So creating that separation will allow protection
558.21 -> against intentional or unintentional destruction
561.96 -> of the data, access to the data or to the account.
564.96 -> Once we have that separated and not exposed.
570.12 -> The backup vault is still the security aspect.
572.94 -> You can define IAM or identity access management policies
578.19 -> to allow and deny access to the vaults.
581.01 -> So that's a second line of defense to your backup vaults
586.74 -> that you can customize according
588.63 -> to your business requirements.
590.52 -> Finally, the last point about backup vault
593.483 -> is the Vault Lock.
595.11 -> So as you can see the red lock over there,
597.33 -> we have the option to activate the Vault Lock
598.163 -> in any AWS Backup vault and transform that repository
603.949 -> into an immutable backup repository
608.25 -> or a write once read many backup appliance.
612.973 -> This way, the data that's on a vault that's locked,
616.89 -> cannot be changed, cannot be deleted until the end
620.43 -> of the expiration no matter what user, even a root user,
624.21 -> for example, will not be able to delete or change
626.844 -> or tamper in any way with the data that's inside
630.36 -> a vault that's locked.
632.7 -> Finally, protecting backups, restore is important,
637.32 -> but in some cases, and Palak mentioned some
639.72 -> of those use cases, you need to prove
641.259 -> that you are protecting the data.
643.65 -> You need to show proof of backup,
645.27 -> you need to show auditors reports showing
648.69 -> if our backups are compliant with the regulations
651.017 -> and the controls that we predefined.
653.227 -> And if they are not, we can take actions to remedy that.
658.23 -> We'll talk about Backup Audit Manager
660.21 -> and you see that we have part of AWS Backup,
663 -> we'll be able to take care of that.
667.5 -> Today I want to share with you three main use cases
670.921 -> around data protection.
672.316 -> I know there are several more possible actualizations
676.22 -> for backup, but I want to focus on these three today
679.95 -> and Matt will share a little bit about their journey
682.795 -> towards that compliance protection.
686.76 -> The first use case is, as Palak mentioned, the Cloud-native.
692.7 -> So we have customers that have the applications being born
696.99 -> or being constructed from bottom up on the Cloud,
700.32 -> taking advantage of the resiliency,
702.54 -> the flexibility of the Cloud
703.605 -> to create applications and solutions.
709.71 -> With that myriad of components and services
713.7 -> that we have available also comes complexity comes
716.85 -> the challenges that we have
718.32 -> to manage multiple services, protect them.
721.013 -> So each one of those services we have are not a mechanism
725.55 -> which is to take a snapshots or to take backups or sometimes
729.48 -> is different mechanisms on the same product.
732.54 -> So how do I face this challenge?
734.918 -> Having a central, a central solution
738.72 -> that will protect resource across the board.
741.99 -> I'll talk a little bit more about this use case.
744.66 -> Then the second use case that I want to share with you is
746.76 -> the compliance one.
747.72 -> So customers looking to follow regulations
755.509 -> and industry requirements,
757.079 -> they need to not just prove their,
760.023 -> their adherence to those rules,
762.933 -> but they also have to enforce some of them.
766.02 -> So how we can provide that enforcement
769.8 -> and how you can monitor our compliance posture.
775.5 -> Finally, disaster recovery, quite common use case.
778.53 -> I bet most of the audience here has some type of need around
783.955 -> disaster recovery, creating a secondary response
787.86 -> to any disaster happening to my first environment.
791.37 -> So I'm assuming that most of the audience here
794.28 -> is using one, two or the three of those use cases
797.34 -> or planning to do so.
799.26 -> So let's talk about some architecture,
801.72 -> some use cases from customers that we are working on,
805.35 -> those use cases.
806.43 -> And then Matt will talk about Asurion example.
813.42 -> So here on the Cloud data environment.
815.844 -> So you can see that all my applications are running
819.923 -> within AWS services.
822.03 -> So I'm protecting components like EBS volumes,
825.333 -> EC2 instances, RDS databases, S3 buckets,
831.3 -> just to name a few. Right now AWS Backup supports all storage
836.58 -> services available on AWS from file, object to block.
841.08 -> We are supporting right now six
843.023 -> different database services,
845.43 -> just one recent launch Redshift, and now we have this,
852.9 -> this immense list of services
855.72 -> and products that I'm using at the same time.
859.14 -> Instead of having to go each one of those services
862.05 -> and creating scripting, creating automation manual
865.23 -> on those resources, AWS Backup
868.8 -> is in the center of that architecture,
871.631 -> providing the protection,
873.51 -> providing the creation of the backups
875.187 -> and the recovery points.
876.36 -> So you can go back in time,
878.1 -> any point that you want with the integration
884.28 -> with organizations, you can even make it
886.715 -> even simpler because you can do that in a central fashion.
892.26 -> You create the policies, you deploy the policies
895.5 -> to all the shared accounts.
898.26 -> You see again that we have the vault
899.97 -> and the option to Vault Lock and then you can restore
902.67 -> that in a different availability zone.
905.34 -> We have customers like major software in company here
910.29 -> in the US that were struggling in the beginning
913.11 -> of the journey on the Cloud, on protecting their resource.
916.47 -> So they have these different services running.
919.83 -> They had scripts creating their life cycle.
923.463 -> So protecting data is important.
927.6 -> Guaranteeing that you're not extending the retention beyond
930.39 -> the points you want is important.
932.16 -> You also guarantee that you are deleting those recovery
935.52 -> points and creating that lifecycle management is important.
938.978 -> AWS Backup will take care of that automation and
941.46 -> that lifecycle management as well.
944.37 -> Just giving an example on the Vault Lock,
947.43 -> we have customers on the financial industry here in North
950.88 -> America and in Europe that are adopting the Vault Lock as an
954.804 -> additional layer to the ransomware protection strategy.
958.77 -> So basically you're not just creating the backups
961.408 -> in a central fashion.
963.03 -> So you have a central bunker account
964.98 -> where you send all your backups
967.38 -> to that central account, but you're also locking
969.81 -> that account in a way that those recovery points
972.788 -> will not be exposed.
976.14 -> Finally, as you can see, you have a line connection,
978.66 -> the two regions over there, AWS Backup.
980.946 -> We are allowing when you creating the backup plan to define
983.88 -> a secondary region so you can copy your backups to
986.578 -> the secondary region to provide the separation
989.34 -> from production and offsite backup in another region.
993.84 -> This copy can be in a same account or it can even be created
997.95 -> like an air gap, a logical air gap scenario,
1001.94 -> sending that data to another account on the same,
1005.42 -> on a different region.
1006.77 -> When you provide that copy to a separate account,
1009.47 -> you will create this air gap, this logical air gap.
1014.54 -> The next use case is the Audit Manager.
1017 -> So using Backup Audit Manager to provide response
1021.89 -> to compliance challenges,
1024.159 -> so AWS Backup Audit Manager,
1027.167 -> part of AWS Backup, is available on the side
1031.024 -> of the dashboard and you can create their reports.
1035.57 -> First of all, AWS Backup Audit Manager
1037.82 -> will continually track every single activity
1040.58 -> on your backup environment.
1042.26 -> So all backups, creation, all restores, all copies.
1046.7 -> They are being monitored by this resource.
1049.1 -> When you create a backup plan,
1050.9 -> it'll also monitor and check the compliance controls
1057.05 -> for each one of those services.
1059.376 -> And once you have anything that's drifting off that posture,
1066.05 -> then you have alerts on your dashboard.
1068.03 -> You can activate additional logging connectivity to another
1073.49 -> other services on a AWS to provide you, for example,
1075.92 -> SNS EventBridge provide you more information.
1080.9 -> Also, part of Backup Audit Manager
1083.12 -> is the creation of custom controls.
1084.89 -> So you can define some controls to your backup policies
1089.54 -> where you say, for example, I would make sure
1092.75 -> that my backups are there for at least seven years
1096.103 -> for certain types of resource.
1098.99 -> So you are able to go on the framework creation
1102.23 -> when you are using AWS Backup Audit Manager
1104.896 -> and define those controls,
1106.67 -> and define those parameters.
1108.23 -> You have to do that the first time.
1109.7 -> So you make sure that you have a framework
1112.4 -> that is representing the requirements of your industry.
1116.33 -> And after you do that, all you have to do is check
1119.03 -> the dashboard and also reports available on Audit Manager.
1123.23 -> So you have periodic reports.
1124.97 -> We have on demand reports,
1126.71 -> and those reports will show which resources are protected
1130.487 -> by those different controls.
1136.37 -> The last use case is about disaster recovery and more than
1140.45 -> disaster recovery, disaster recovery
1142.394 -> on a hybrid scenario when the scenario I have
1145.445 -> on premises and Cloud at the same time.
1149.57 -> So let's start with the left hand side here,
1153.35 -> talking about backups.
1156.17 -> Backups will provide a disaster recovery solution for your data
1160.01 -> with the RPO
1162.407 -> and RTO of a few minutes to hours is a solution
1166.19 -> that will give you the option
1167.66 -> to restore different points in time.
1169.91 -> So you can go back in time and select which points you have,
1172.91 -> you want to restore for ransomware protection,
1176.27 -> for example, multiple customers need that type
1179.57 -> of historic of data to go back in time.
1184.43 -> When we have that scenario of backup
1187.1 -> on a hybrid environment,
1188.492 -> we have a traditional data center
1190.717 -> using traditional infrastructure, traditional software,
1194.81 -> backup software, backup appliances.
1196.863 -> But the difference is we point that backup appliance
1200.78 -> or that backup software towards target on the Cloud.
1205.76 -> We can do that in multiple ways.
1207.23 -> As you can see here, one of them is using AWS
1210.29 -> Storage Gateway to replicate data at
1213.05 -> the volume level or the file level
1215.69 -> from your infrastructure all the way up
1218.15 -> to the Cloud.
1219.41 -> The second option is through the storage gateway family, is
1222.835 -> the storage gateway, VTL, or virtual tape library,
1226.725 -> which will emulate a tape library to
1228.92 -> the traditional backup softwares.
1230.533 -> But every, every time you send data to that VTL,
1234.5 -> it'll be pushed to AWS on an S3 bucket.
1239.03 -> We also have options available
1240.025 -> from partners, different solutions available
1244.67 -> on marketplace that you can use as target for your backups.
1248.09 -> And finally, AWS Backup gateway,
1250.76 -> which is part of AWS Backup solution,
1253.25 -> was a gateway created
1255.02 -> to protect specifically VMware virtual machine workloads.
1260.48 -> So with a AWS Backup gateway right now,
1263.3 -> you can deploy appliance on your ESX cluster
1267.157 -> and start protecting that cluster.
1270.11 -> All the virtual machines available on that ESX
1272.78 -> will be listed on AWS Backup dashboard and you were able
1277.4 -> to tag them and protect them the same way you protect all
1280.91 -> the other services on the Cloud.
1285.02 -> The second scenario is when you are looking for RTO and RPO
1289.64 -> closer to zero or sub millisecond RTO RPO.
1293.39 -> So for that case, we have, as part
1296.06 -> of AWS Data Protection Solutions, Elastic DRS.
1299.99 -> Elastic DRS will provide a continuous replication
1302.496 -> from your infrastructure running on premises
1305.244 -> using an agent that will talk to your application to take,
1308.634 -> to create copies of your data continuously to the Cloud.
1314.906 -> The way that the solution is architected,
1320.017 -> you will copy that data to a lightweight server on the Cloud
1324.47 -> and a low cost storage, creating a pilot light style
1328.944 -> of disaster recovery, which means that you don't need to,
1332.24 -> you will not be charged for the full capacity
1335.06 -> and the full performance that you're looking
1336.68 -> on on the Cloud until you have to activate
1339.29 -> that disaster recovery environment.
1341.33 -> So that's what AWS Elastic DRS can provide.
1345.92 -> With that said, and after talking
1347.78 -> about those three use case scenarios,
1349.664 -> I would like to invite here to stage Matt Valentine
1354.29 -> from Asurion, who will share his journey
1356.66 -> around AWS Backup Manager.
1359.72 -> A round of applause for Matt Valentine.
1366.86 -> - Thank you, Marcos.
1368.99 -> I must say this is probably the prettiest place I've ever
1371.09 -> talked about data protection.
1376.043 -> So my name is Matt Valentine,
1377.93 -> I'm a solutions architect for Asurion.
1382.58 -> Asurion is a global tech care company
1385.97 -> that provides insurance, installation, repair, replacements,
1390.86 -> and 24/7 support for a wide range of technology
1395.12 -> from cell phones and laptops to household appliances.
1399.11 -> Our 12,000 experts are available online, on the phone,
1403.52 -> in store, or will even come to you.
1407.122 -> Asurion eliminates the fears
1409.49 -> and frustrations associated with technology
1412.345 -> and ensures our 300 million customers get the most out
1416.84 -> of their devices and connections.
1421.402 -> So our two biggest challenges concerning data protection
1426.56 -> in AWS were one, ensuring
1430.94 -> that our data protection plans
1432.788 -> that are created in AWS adhere
1436.01 -> to our global protection standards that we have
1439.22 -> in other platforms.
1440.99 -> So if I take an application from on-prem and migrate it
1446 -> into AWS, I need to make sure that my backup schedules
1451.608 -> and my retention follow.
1453.92 -> The second is going to be preventing data sprawl due
1458.87 -> to non-compliant retention policies and orphan backups.
1463.73 -> So I am sure some of you have had to write scripts
1468.44 -> to find those orphaned EBS snapshots that have been sitting
1471.68 -> out there for a couple years.
1475.28 -> So our key goals when investigating a solution
1479.66 -> to resolve these challenges were the following,
1483.92 -> the need to report on compliance per backup status
1489.02 -> and adoption with the ability to extract or access that data
1494.45 -> for centralized reporting.
1496.79 -> And this goal right here is what started the whole
1501.03 -> investigation into a backup solution for AWS.
1506.45 -> You know, we're going through an internal audit
1509.236 -> and we start looking through our backup application
1513.92 -> that we have at the time and
1515.969 -> we start to realize, well wait,
1519.17 -> the host that was here is now over here,
1523.07 -> so now I've got two different locations of trying
1525.65 -> to find out if I am compliant or not on my backups.
1530.84 -> So that was a really big one for us.
1533.57 -> The next is the ability to create a true air gap
1537.223 -> between production and backup data.
1540.71 -> The bad guys are not getting nice or nicer or better,
1545.54 -> whichever, they're not good.
1547.58 -> So we need to make sure
1549.74 -> that our backup data totally separated
1553.478 -> from our production data.
1557.09 -> Deployment, adoption, and management of the solution
1560.859 -> should be automated, non-intrusive to the resource
1565.242 -> and easy to understand.
1567.788 -> No agents, none whatsoever.
1571.723 -> And then finally, and one that was kind of important
1575.18 -> for me is we have years
1578.15 -> of backup experience from the operations teams
1582.23 -> that I would love to combine with software and engineering.
1586.22 -> So those were our key goals.
1589.449 -> So now to the fun stuff. So how did we do it?
1593.63 -> So with AWS Backup, Asurion was able to deliver
1597.29 -> a standardized data protection framework across 200 accounts
1602.87 -> in five regions.
1604.79 -> So as we can see in the diagram,
1607.49 -> I've got it broken out into three sections.
1610.1 -> Each section represents an account in our environment.
1614.96 -> So if we look at the left, that first account,
1618.17 -> that's just a typical account that has resources
1621.14 -> that need protection.
1622.79 -> In the middle, we've got our organization's account
1625.34 -> for centralized management.
1627.38 -> And at the very end we have, I call it a bit bunker,
1631.513 -> but you also refer to it as a data bunker.
1634.73 -> So that's my isolated air gap copy account.
1638.96 -> So starting in the account for the protected resources,
1643.67 -> we've got a CloudFormation stack that goes out and deploys
1648.59 -> an IAM role to manage the backups.
1652.61 -> We have an SNS topic that's deployed
1655.46 -> for immediate notifications of backup failures.
1659.21 -> We have a KMS key that's created,
1661.85 -> and then we're also creating a backup vault
1665.21 -> that has compliance lock applied.
1668.87 -> So moving over to our payer accounts
1671.9 -> or our organization's accounts,
1673.61 -> this is where we're managing our backup policies globally.
1677.03 -> So this is where we're creating our policies
1679.46 -> and attaching accounts where the protection is needed.
1683.54 -> In the middle, and one of the biggest pieces
1686.3 -> is the reporting.
1687.83 -> So in partnership with our Cloud governance team,
1690.708 -> we were able to create a Lambda that runs periodically
1694.85 -> throughout the day and scrapes the backup job status
1699.71 -> from all of the accounts and inserts that into an RDS table.
1704.6 -> So with that RDS table, in a combination
1708.26 -> of multiple other RDS tables,
1710.378 -> we were able to create a centralized dashboard
1714.77 -> that shows our backup status and our adoption rates
1719.6 -> for resources that are supported by AWS Backup.
1724.073 -> And, and then on top of that,
1726.2 -> we go down to our compliance.
1728.99 -> So leveraging that same RDS table, we have a weekly
1733.73 -> Lambda that runs and it's looking for resources
1738.83 -> that have failed more than two times in seven days.
1744.158 -> So if a resource or a backup failure meets that criteria,
1748.64 -> what it's actually going to do is open up a ServiceNow
1751.61 -> incident for compliance tracking.
1754.82 -> Hey, we've had multiple failures.
1756.715 -> Whenever auditors come in,
1758.78 -> they wanna see how did you fix that?
1761.21 -> And this is, this is how we track that.
1764.48 -> And then finally, in our bit bunker account,
1768.65 -> you'll see that we've got a workflow that communicates with
1771.59 -> that SNS topic in the other account.
1774.08 -> So that SNS topic is subscribed to that,
1778.16 -> to our SQS queue in that bit bunker account
1781.64 -> that then takes that message,
1784.07 -> kicks off a Lambda that immediately posts to Slack
1787.46 -> or Teams for instant notifications of say,
1790.91 -> tier one applications that may have a backup failure
1794.18 -> or a copy failure, et cetera.
1797.84 -> And then finally, in that bit bunker account,
1800.06 -> we've got two locks.
1801.92 -> So this is how we're managing our air gap from production.
1806.51 -> So we've got one vault that has compliance lock applied,
1811.88 -> and this is part of our daily backup schedules.
1814.79 -> So this is where we're taking copies of backups that are,
1818.69 -> are part of our tier one applications and moving them
1822.47 -> into this account
1826.22 -> and ensuring that hey, nobody else can touch 'em.
1829.13 -> And then the other vault is a vault that's used
1833 -> for long term retention, our final backup for resources.
1838.25 -> So with this, this vault, we apply governance lock.
1842.51 -> So if any requirements change for retention,
1845.78 -> we're able to quickly go in and adjust those where needed.
1851 -> - [Marcos] So Matt, I have a, I have a question
1852.847 -> around what you just mentioned and the air gap solution.
1857.495 -> - Yes.
1858.328 -> - I bet a lot of customers here thinking the same. I mean,
1862.16 -> this is a requirement for some industries
1864.5 -> for ransomware protection.
1865.953 -> - Uh huh.
1866.786 -> - How did you implement that air gap solution,
1872.63 -> and what were the challenges that you faced from that?
1875.96 -> - Yes,
1876.793 -> so I cover a little bit in my lessons learned because it was
1881 -> a massive lesson learned.
1882.822 -> Whenever we first started to roll out
1887.09 -> our backup framework, probably the, you know, the mid 2019s,
1893.42 -> I didn't know any better and I used the default KMS key
1898.49 -> for my vaults.
1900.53 -> So happy go lucky, everything's working great
1903.95 -> until we get to the ability to do Cross-account copies
1906.884 -> with vaults, I go to implement and I'm unable to do it.
1912.59 -> So what we had to do then was redeploy all of our stacks
1917.63 -> with a creation of a key that has a policy attached
1921.41 -> that allows for that cross copy for the air gap.
1926.6 -> - [Marcos] Makes sense, makes sense.
1929.398 -> And I'm assuming it was a huge learning curve for your team
1932.63 -> to implement that.
1933.68 -> How, how was that adoption and how,
1936.11 -> how was the learning curve?
1937.91 -> - Yes.
1938.916 -> So my background is in infrastructure.
1942.11 -> I've worked for storage for probably 20 plus years.
1947.099 -> So whenever we were initially going through this,
1950.172 -> I took in my development accounts, all right, so I,
1955.01 -> I've got my vault created, I've got my backup plans created,
1959.76 -> you know, I've got my SNS topic for notifications,
1962.93 -> my IAM role, and they go, alright,
1966.916 -> now I've gotta do this 199 more times in other accounts,
1971.54 -> I had to learn CloudFormation.
1973.34 -> That was the only way that I could do it at scale.
1977.27 -> - Awesome.
1978.103 -> So infrastructure as code was the, was the,
1979.91 -> was the way to do it.
1981.347 -> And one thing that I love about your,
1983.33 -> your bunker account is the way that you are integrated
1986.06 -> with so many different services and different primitives
1989.21 -> and taking advantage of the lambda to hear or your, your,
1992.889 -> your events to, to,
1994.91 -> to trigger them based on the backups and the,
1997.43 -> and the activities on your backup strategy.
1999.945 -> And then bringing that data somewhere else to use
2003.61 -> for different purposes.
2005.26 -> That's really the type of thing that I mentioned before,
2007.9 -> how AWS Backup can integrate and create a full solution
2012.94 -> using additional primitive services from AWS.
2016.75 -> - You know, it's, it's the more you go down
2019.87 -> the rabbit hole of how everything integrates,
2023.59 -> the brighter the light bulb gets.
2025.54 -> Hey, I can now do this or I can now do that.
2028.75 -> And that's why you see I've got SNS topics that are doing
2032.41 -> Cross-account notification subscriptions into SQS queues
2036.79 -> kicking off Lambdas, posting to teams, posting to Slack.
2040.69 -> - Perfect.
2041.523 -> - I'm trying to use everything available
2043.69 -> to be more efficient with our backups.
2046.33 -> - Perfect.
2048.73 -> - Yeah, to, to sum it all up, you know, lessons learned,
2051.964 -> Marcos, you and I just talked about a couple
2053.98 -> of those CloudFormation
2056.461 -> or an IaC solution, not specifically, you know,
2059.92 -> it doesn't have to be CloudFormation,
2061.99 -> but this was the only way that you could deploy at scale
2066.91 -> and make changes at scale.
2068.14 -> This was a big piece for us.
2071.41 -> Another one is easy to understand backup policy naming.
2078.43 -> So this was something that, that's alright.
2080.59 -> So we're starting to work on our backup plans.
2083.14 -> We have backup plans that may be doing a daily backup
2087.61 -> with only a seven day retention.
2089.4 -> We may have others that now
2091.27 -> are including cross copy accounts,
2093.31 -> Cross-Region accounts, et cetera.
2095.62 -> How do we make it easy for everybody to understand
2097.912 -> which backup plan does what?
2100.84 -> So what we did is we implemented
2102.404 -> the precious metals naming convention.
2105.76 -> So I've got bronze, I've got silver, I've got gold,
2110.08 -> and I've got platinum.
2111.7 -> And each one increases its retention requirements,
2115.84 -> maybe its frequency on the,
2118.357 -> the backups and provides additional copies
2122.201 -> to either Cross-account or Cross-Region.
2126.82 -> So that was, that was very important.
2129.7 -> Marcos, we just co-, you know, we just covered KMS keys.
2134.079 -> I will tell you like CloudFormation KMS takes some time
2139.81 -> to learn.
2141.331 -> I can't tell you how many times that we try to not only do
2146.62 -> the copy into the bit bunker, bit bunker account,
2151.66 -> but then do the copy back into the production account and
2155.35 -> then there's always one action that's missing.
2157.75 -> So it's like, okay, let me go back and figure out which one.
2160.927 -> No, my Cloud gov team will not let me use Star.
2165.19 -> So that, that was a challenge.
2166.93 -> And I highly recommend, hey, taking
2168.37 -> the time to really understand,
2170.14 -> because I think with KMS,
2172.343 -> that is what's going to define your true air gap.
2176.05 -> So if I've got a production resource,
2178.99 -> it's using its own custom key in a production account
2182.744 -> and now that I want to move it into or copy a backup
2187.72 -> into that bit bunker account,
2189.95 -> not only am I moving it into an isolated account
2193.39 -> for that air gap, but now I'm using a separate KMS key.
2197.452 -> So even if that production KMS key gets compromised,
2200.14 -> I'm still able to recover the data over here.
2202.99 -> That was really big for us.
2205.72 -> Next is implementation of cost allocation tags
2210.165 -> on recovery points.
2212.528 -> You would be, may or may not,
2215.92 -> but whenever doing engagements with applications teams
2219.4 -> to drive adoption of AWS Backup,
2222.302 -> one of the first things that comes up
2224.74 -> is how much is this gonna cost me?
2228.37 -> So what we did is we applied cost allocation tags
2233.95 -> to each one of the recovery points.
2236.26 -> So now what we do is we leverage Cost Explorer that pulls
2240.91 -> that data out and adds it to that dashboard
2243.94 -> we were talking about.
2246.25 -> So now in that dashboard,
2248.207 -> we're tracking job runs, our job status.
2252.19 -> We're tracking adoption rates across all of our resources
2256.18 -> as well as spend.
2258.37 -> And not only has it really been beneficial just
2261.55 -> to track spend, but it also
2264.61 -> the ability to immediately see the impact of a change.
2268.36 -> So say I need to increase the frequency
2271.21 -> of a backup schedule, or I need to extend
2274.51 -> the retention period.
2276.43 -> I can then see what that impact was financially.
2279.4 -> So that was really important to us.
2283.09 -> And then AWS Backup is just a part
2286.87 -> of your recovery strategy.
2288.22 -> So take the time to learn your RTOs and RPOs
2292.24 -> for your applications.
2294.04 -> Likely AWS Backup is just going
2295.737 -> to be a piece.
2297.76 -> We leverage DRS for EC2.
2300.85 -> We leverage Global DB for,
2303.843 -> I think it's Aurora, global tables for DynamoDB, et cetera.
2309.52 -> So take the time to understand, hey,
2311.86 -> what are my SLAs for recovery?
2314.47 -> And where does AWS Backup fit?
2316.48 -> AWS Backup is not going to be your solution for, say, an SLA
2323.47 -> of under an hour, but it's probably maybe a fit
2326.44 -> for 24 hours plus.
2327.906 -> So it's kind of, you know, give and take
2330.67 -> on which best protection solution meets your
2335.56 -> first year recovery requirements.
2338.17 -> And then lastly also your retention requirements.
2342.55 -> And then something I don't have up here,
2344.44 -> which was really important to me is this engagement gave me
2349.27 -> the opportunity to build relationships with a lot of teams.
2352.51 -> I probably wouldn't have had the chance to.
2354.94 -> And you know, whenever I'm building this relation,
2357.7 -> these relationships, you know,
2358.9 -> I'm working with our data governance team,
2361.48 -> I'm tied at the hip with our Cloud governance team,
2364.424 -> our DBAs are our biggest customers.
2367.84 -> So whenever I'm working with these teams,
2370.75 -> not only am I helping them protecting their data,
2374.2 -> but it's also opening up other opportunities to, hey,
2378.04 -> let me help you with your high availability,
2381.49 -> let me help you with your cost savings.
2383.71 -> It just opens the door for more opportunities
2386.2 -> to spread AWS knowledge across all regions.
2391.523 -> So thank you.
2393.85 -> I greatly appreciate the opportunity to speak and Palak,
2397.48 -> I guess I'll turn it back over to you.
2398.71 -> - [Marcos] Yeah, Palak will do some announcements
2400.54 -> around AWS Backup.
2401.95 -> And I'll ask Matt, just sit a little bit,
2403.3 -> because we have some time for some Q&A
2405.55 -> at the end of the session.
2407.282 -> Thanks so much, Matt.
2408.85 -> - All right, thank you.
2409.99 -> Thank you Matt. It's a great story.
2415.03 -> So this week we have a bunch of announcements,
2418.03 -> bunch of launches that have come out.
2420.04 -> We have launched Amazon S3, backup for S3,
2422.74 -> Cross-Region Cross-account backups.
2424.81 -> We've also launched Amazon FSx on NetApp, on ONTAP backups,
2431.361 -> and Amazon FSx for OpenZFS.
2432.91 -> I'm not gonna read through the entire slide,
2434.59 -> but the point here is with all these launches,
2436.672 -> we have now covered a hundred percent of our storage
2439.96 -> services in AWS natively.
2442.09 -> We can now protect a hundred percent of our storage services
2444.7 -> natively on AWS.
2446.345 -> Like Matthew mentioned,
2448.18 -> compliance is a key requirement for many of our customers.
2451.57 -> And we hear you loud and clear.
2453.46 -> And as a result, working backwards
2455.65 -> from customer requirements, we have announced more controls
2460.21 -> on AWS Backup Audit Manager.
2462.7 -> We've also announced new retention modes,
2465.58 -> for AWS Backup Vault Lock.
2471.438 -> AWS Backup has helped customers protect
2473.73 -> over an exabyte of data natively in AWS.
2477.73 -> And with the support of application
2479.8 -> of our support for CloudFormation,
2481.54 -> we are extending our support for modern applications.
2485.05 -> Through the application of our support
2486.062 -> for CloudFormation and infrastructure
2488.17 -> as code, customers can now protect, fail over
2491.8 -> and recover their entire applications.
2494.2 -> Moreover, we have also extended support
2496.24 -> for databases through Amazon supporting Amazon Redshift,
2499.78 -> which is a data warehouse solution that allows customers
2503.35 -> to analyze an exabyte of data and run complex analytical,
2506.383 -> analytical queries on top of that data.
2509.29 -> And a preview for SAP HANA on EC2.
2513.01 -> Also, you know, as you scale the rules
2515.41 -> around handling data this week we are
2517.96 -> also launching support for delegated administrators
2520.438 -> at the AWS organization level that allows customers
2524.82 -> to push the responsibilities and permissions of managing
2530.89 -> and recovering data closer to the personas,
2533.29 -> to the persons closer to the applications without the need
2537.01 -> of member accounts accessing the management account.
2544.66 -> Like Matthews mentioned, compliance is key.
2547.54 -> So last year we had launched AWS Backup Audit Manager.
2551.892 -> This year we are launching three new capabilities.
2555.757 -> One is Cross-Region,
2557.44 -> Cross-account support for organization wide monitoring,
2560.23 -> which allows customers to now monitor global organizations
2563.612 -> across regions and across accounts, right?
2567.76 -> This is exactly the same use case that Matthews had,
2570.37 -> is to be able to monitor and report on the compliance
2574 -> of your data protection policies globally.
2577.15 -> Moreover, moreover, we have also introduced legal hold
2578.02 -> that prevents deletion
2578.853 -> of data from your vaults.
2584.02 -> Even though the lifecycle policies around
2584.893 -> that data has expired,
2588.07 -> you can only go ahead and delete
2588.903 -> that data once that legal hold has been removed
2589.736 -> from that vault.
2593.383 -> Moreover, AWS Backup Vault Lock has been certified
2594.354 -> by Cohasset Cert Associates
2600.173 -> to be used in environments subject to SEC 17a, FINRA
2606.949 -> and CFTC regulations.
2608.44 -> This is what our customers in the banking,
2610.81 -> in the financial industries and the brokerage funds
2613.18 -> have been asking of us.
2614.29 -> And we have worked backwards from those requirements
2616.09 -> and that certification is now done, right?
2621.419 -> So simplicity is one of the key tenets
2624.22 -> of the AWS Backup architecture, right?
2627.13 -> And it's super simple to get started
2628.63 -> with the product.
2630.04 -> So all you have to do is first start
2632.02 -> by defining what your backup plan is
2633.76 -> and your backup policies are within that plan.
2636.01 -> Like Marcos mentioned,
2637.54 -> you start with your backup plans,
2639.22 -> define your retention policies within those backup plans.
2641.646 -> The second step is you go ahead and assign a resource.
2644.82 -> So for example, if you want to protect S3,
2646.91 -> you go ahead and assign S3 resource to that backup plan.
2650.636 -> If you already have a backup plan that you want to reuse,
2654.276 -> then you can skip step one and just go ahead and assign
2657.31 -> that resource to that backup plan.
2659.23 -> And that's it. You're done.
2660.563 -> AWS Backup will now start managing your data based
2664.102 -> on the policies that you have defined
2666.4 -> for that particular resource.
2668.5 -> Moreover, step three is an important one
2670.542 -> where you can go ahead and
2672.64 -> manage and monitor, monitor, audit,
2675.25 -> and report on the compliance of data protection policies
2678.34 -> through AWS Backup Audit Manager.
2683.2 -> There are plenty of resources that are available to you
2685.72 -> to learn more about AWS Backup.
2687.46 -> Please do leverage them.
2689.2 -> And also, you know, if you are an AWS Backup customer
2692.35 -> and you want to come up here next year on stage
2694.041 -> and share your story with us,
2696.61 -> we'll be very glad to have you on stage.
2698.95 -> So please connect with your account teams.
2703 -> Thank you. And I'm gonna open it up for questions.
2705.22 -> There are two mics up in front on the left and right,
2709.75 -> so if there are any questions, we'll take them now.

Source: https://www.youtube.com/watch?v=IueibThMeD0