-
Operational Excellence
-
- Resources have identified owners
- Processes and procedures have identified owners
- Operations activities have identified owners responsible for their performance
- Team members know what they are responsible for
- Mechanisms exist to identify responsibility and ownership
- Mechanisms exist to request additions, changes, and exceptions
- Responsibilities between teams are predefined or negotiated
-
- Executive Sponsorship
- Team members are empowered to take action when outcomes are at risk
- Escalation is encouraged
- Communications are timely, clear, and actionable
- Experimentation is encouraged
- Team members are encouraged to maintain and grow their skill sets
- Resource teams appropriately
- Diverse opinions are encouraged and sought within and across teams
-
- Use version control
- Test and validate changes
- Use configuration management systems
- Use build and deployment management systems
- Perform patch management
- Implement practices to improve code quality
- Share design standards
- Use multiple environments
- Make frequent, small, reversible changes
- Fully automate integration and deployment
-
- Have a process for continuous improvement
- Perform post-incident analysis
- Implement feedback loops
- Perform knowledge management
- Define drivers for improvement
- Validate insights
- Perform operations metrics reviews
- Document and share lessons learned
- Allocate time to make improvements
- Perform post-incident analysis
-
Security
-
- Separate workloads using accounts
- Secure account root user and properties
- Identify and validate control objectives
- Keep up-to-date with security recommendations
- Keep up-to-date with security threats
- Identify and prioritize risks using a threat model
- Automate testing and validation of security controls in pipelines
- Evaluate and implement new security services and features regularly
-
- Define access requirements
- Grant least privilege access
- Define permission guardrails for your organization
- Manage access based on life cycle
- Establish emergency access process
- Share resources securely within your organization
- Reduce permissions continuously
- Share resources securely with a third party
- Analyze public and cross-account access
-
- Perform regular penetration testing
- Deploy software programmatically
- Regularly assess security properties of the pipelines
- Train for Application Security
- Automate testing throughout the development and release lifecycle
- Manual Code Reviews
- Centralize services for packages and dependencies
- Build a program that embeds security ownership in workload teams
-
-
Reliability
-
- Be aware of service quotas and constraints in Cloud Services
- Manage service quotas across accounts and Regions
- Accommodate fixed service quotas and constraints through architecture
- Monitor and manage quotas
- Automate quota management
- Ensure sufficient gap between quotas and usage to accommodate failover
-
- Use highly available network connectivity for your workload public endpoints
- Provision Redundant Connectivity Between Private Networks in the Cloud and On-Premises Environments
- Ensure IP subnet allocation accounts for expansion and availability
- Prefer hub-and-spoke topologies over many-to-many mesh
- Enforce non-overlapping private IP address ranges in all private address spaces where they are connected
-
- Monitor end-to-end tracing of requests through your system
- Conduct reviews regularly
- Analytics
- Automate responses (Real-time processing and alarming)
- Send notifications (Real-time processing and alarming)
- Define and calculate metrics (Aggregation)
- Monitor End-to-End Tracing of Requests Through Your System
- Define and calculate metrics
- Send notifications
- Automate responses
-
- Monitor all components of the workload to detect failures
- Fail over to healthy resources
- Automate healing on all layers
- Rely on the data plane and not the control plane during recovery
- Use static stability to prevent bimodal behavior
- Send notifications when events impact availability
- Architect your product to meet availability targets and uptime service level agreements (SLAs)
-
-
Cost Optimization
-
- Establish ownership of cost optimization
- Establish a partnership between finance and technology
- Establish cloud budgets and forecasts
- Implement cost awareness in your organizational processes
- Monitor cost proactively
- Keep up-to-date with new service releases
- Quantify business value from cost optimization
- Report and notify on cost optimization
- Create a cost-aware culture
-
- Perform cost analysis for different usage over time
- Analyze all components of this workload
- Perform a thorough analysis of each component
- Select components of this workload to optimize cost in line with organization priorities
- Perform cost analysis for different usage over time
- Select software with cost effective licensing
-
-
Performance
-
- Learn about and understand available cloud services and features
- Evaluate how trade-offs impact customers and architecture efficiency
- Use guidance from your cloud provider or an appropriate partner to learn about architecture patterns and best practices
- Factor cost into architectural decisions
- Use policies and reference architectures
- Use benchmarking to drive architectural decisions
- Use a data-driven approach for architectural choices
-
- Use purpose-built data store that best support your data access and storage requirements
- Collect and record data store performance metrics
- Evaluate available configuration options for data store
- Implement Strategies to Improve Query Performance in Data Store
- Implement data access patterns that utilize caching
-
- Understand how networking impacts performance
- Evaluate available networking features
- Choose appropriate dedicated connectivity or VPN for your workload
- Use load balancing to distribute traffic across multiple resources
- Choose network protocols to improve performance
- Choose your workload's location based on network requirements
- Optimize network configuration based on metrics
-
- Establish key performance indicators (KPIs) to measure workload health and performance
- Use monitoring solutions to understand the areas where performance is most critical
- Define a process to improve workload performance
- Review metrics at regular intervals
- Load test your workload
- Use automation to proactively remediate performance-related issues
- Keep your workload and services up-to-date
-
-
Sustainability
-
- Scale workload infrastructure dynamically
- Align SLAs with sustainability goals
- Optimize geographic placement of workloads based on their networking requirements
- Stop the creation and maintenance of unused assets
- Optimize team member resources for activities performed
- Implement buffering or throttling to flatten the demand curve
-
- Optimize software and architecture for asynchronous and scheduled jobs
- Remove or refactor workload components with low or no use
- Optimize areas of code that consume the most time or resources
- Optimize impact on devices and equipment
- Use software patterns and architectures that best support data access and storage patterns
- Remove unneeded or redundant data
- Use technologies that support data access and storage patterns
- Use policies to manage the lifecycle of your datasets
- Use shared file systems or storage to access common data
- Back up data only when difficult to recreate
- Use elasticity and automation to expand block storage or file system
- Minimize data movement across networks
- Implement a data classification policy
- Remove unneeded or redundant data
-
- Articles coming soon
Perform patch management
Performing Patch Management for Compliance and Stability
Patch management is critical for keeping systems secure, gaining access to new features, addressing vulnerabilities, and ensuring compliance with governance requirements. By automating patch management, organizations can reduce the errors caused by manual patching, improve scalability, and decrease the effort required to keep systems up-to-date.
Automate Patch Management
Automate the process of patching operating systems, applications, and other components to ensure consistent and timely updates. Automation helps reduce manual errors, speeds up the patching process, and ensures that all systems are patched according to schedule. This reduces the risk of vulnerabilities being exploited due to missed or delayed patches.
Remain Compliant with Governance Requirements
Maintain compliance with industry standards and internal governance requirements by keeping systems up-to-date with the latest patches. Patch management helps organizations comply with security regulations and ensure that known vulnerabilities are addressed in a timely manner. Automated compliance reports can provide evidence of patch status during audits.
Gain Features and Address Issues
Regular patching ensures that software and systems benefit from the latest features and bug fixes provided by vendors. Patches often include performance improvements and new functionality that can enhance system performance and usability. Additionally, patching helps address known issues that may affect system stability.
Scale Patching Across Multiple Environments
Automate the scaling of patch management to cover multiple environments, such as development, testing, and production. Automated patching ensures consistency across environments, helping avoid discrepancies that can lead to issues during deployment. Scaling patch management also ensures that new systems are automatically brought into compliance with existing patch standards.
Schedule Patches to Minimize Impact
Schedule patch deployment to minimize the impact on operations. Automated scheduling allows patches to be applied during maintenance windows when the risk of disruption is low. This helps maintain system availability while ensuring that critical patches are applied promptly.
Supporting Questions
- How is patch management automated to reduce manual effort and errors?
- How does patch management ensure compliance with governance and security standards?
- How are patches scheduled to minimize impact on production systems?
Roles and Responsibilities
Patch Manager
Responsibilities:
- Automate the patch management process to ensure that all systems are updated consistently and on time.
- Monitor the status of patches and ensure that critical patches are applied promptly.
System Administrator
Responsibilities:
- Validate that automated patching processes are functioning correctly and troubleshoot any patch-related issues.
- Ensure that patches are tested in staging environments before deployment to production.
Compliance Officer
Responsibilities:
- Verify that patch management processes align with governance and compliance requirements.
- Generate compliance reports detailing the patch status of all systems for auditing purposes.
Artifacts
- Patch Management Policy: A policy document outlining patch management practices, including automation, scheduling, and compliance requirements.
- Patch Status Report: A report summarizing the patch status of all systems, including pending patches, successful patches, and any failed attempts.
- Maintenance Schedule: A schedule specifying maintenance windows for applying patches to minimize the impact on production systems.
Relevant AWS Tools
Patch Management Tools
- AWS Systems Manager Patch Manager: Automates the process of patching managed instances, ensuring that operating systems and applications are kept up-to-date and compliant.
- AWS Systems Manager Automation: Helps automate custom patching workflows to further streamline the patch management process.
Monitoring and Compliance Tools
- AWS Config: Tracks and records configuration changes, including patch status, ensuring compliance with governance policies.
- AWS Security Hub: Provides a centralized view of security findings, including patch compliance across your AWS environment, making it easier to identify systems that need attention.
Scheduling Tools
Amazon CloudWatch Events: Schedules patch automation workflows, ensuring that patches are applied according to a consistent and reliable timeline.
AWS Systems Manager Maintenance Windows: Allows for scheduling of patching activities during predefined windows, helping minimize the impact on production environments.