AWS Well-Architected Review

AppZen

AppZen ensures its AWS environment is well-architected

AppZen, an Artificial Intelligence platform for modern finance teams, partners with Zuggand to ensure it is following AWS best practices by doing an AWS Well-Architected Review.

Customer

Leveraging patented AI technology, AppZen uses computer vision, deep learning, and natural language processing to automatically read and audit expense reports, receipts, invoices and contracts while cross-checking that information against hundreds of online data sources. This enables Accounts Payable and T&E teams to detect fraud, compliance issues, and pricing violations within minutes of an expense report or invoice submission.  The company was founded in 2012 and today works with more than 25 Fortune 1000 companies.

Problem Statement

AppZen’s auditing platform is currently hosted in AWS.  AppZen had a need to optimize their AWS Cloud environment focused on security, performance efficiency and cost. In addition, AppZen was using a bastion host to connect to resources in AWS and wanted a simpler and manageable solution to connect to AWS.  And finally, AppZen wanted experts to review their existing AWS resource utilization and recommended opportunities to right size them, as well as change the pricing model to lower their overall AWS costs.

 

High Level Requirements:

  • Determine and implement opportunities for cost savings.
  • Establish a secure way for Appzen staff to connect and Manage AWS resources.
  • Review current security controls and decrease the blast radius where possible.
  • Optimize storage costs for Database storage, object storage, block storage, and file storage.
  • Perform Price Modeling to find the optimal purchasing option, on-demand, reserved or spot instances.
  • Collect and monitor, logs and metrics from various AWS services.

Proposed Solution & Architecture

We proposed that Zuggand perform an AWS Well-Architected Review of AppZen’s existing workloads in AWS. This was extremely helpful with regards to understanding AppZen’s current infrastructure, their network and security architecture and specific challenges that needed to be remediated. The AWS Framework provides consistent approach to evaluate architectures, and implement designs that will scale over time. It also includes strategies to help compare the workload against AWS’ best practices and obtain guidance to produce stable and efficient systems.

Once the Well-Architected Review was performed, Zuggand presented their findings in a technical report and a plan for remediation. The remediation plan was broken out into three phases:

  • Short Term Goals: This included critical Items that needed immediate attention and could be remediated in a span of one to five days.
  • Medium Term Goals: This was a list of high- and medium-priority items that could be remediated within the next three months.
  • Long Term Goals: This was be a list of long-term goals that needed to be remediated within the next six months.

One of the requirements was to setup a VPN tunnel so that AppZen staff could securely access resources in AWS. The Aviatrix VPN solution was chosen as the solution to setup a user VPN with integration to Google IdP as the user store.

AppZen Architecture Diagram

List of AWS Services Used

The following AWS Services were implemented as part of the solution:

  • AWS VPN: An AWS Virtual Private Network (AWS VPN) lets you establish a secure and private tunnel from your network or device to the AWS global network. AWS VPN is comprised of two services: AWS Site-to-Site VPN and AWS Client VPN. AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN enables you to securely connect users to AWS or on-premises networks.
  • Amazon CloudWatch: Amazon CloudWatch is a monitoring and management service that collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications and services that run on AWS, and on-premises servers.
  • Amazon S3: Amazon Simple Storage Service (Amazon S3) is the largest and most performant, secure, and feature-rich object storage service.
  • AWS Config: WS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
  • AWS Trusted Advisor: AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices.
  • AWS Systems Manager: AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. Systems Manager was used for automated maintenance and deployment tasks on EC2 Instances.
  • AWS Key Management Service (KMS): AWS Key Management Service (KMS) makes it easy for you to create and manage keys and control the use of encryption across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect your keys.
  • Amazon RDS: A managed relational database service that provides six familiar database engines to choose from, including Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL.
  • AWS Lambda: AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume – there is no charge when your code is not running. Lambda was used for provisioning AWS accounts along with Landing Zone.
  • AWS CloudFormation: AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.
  • AWS Certificate Manager: AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
  • AWS WAF: A web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.

List of Third Party Services Used

Third Party Services that were implemented as part of the solution

  • Avatrix VPN: A service for securely connecting on-premise client machines to AWS resources.

Results

Appzen was able to align their AWS cloud environment more closely to the Well Architected Framework and best practices recommended by AWS. In the process they also improves security, reliability, performance efficiency and operational excellence while optimizing costs

The User VPN setup using Aviatrix provides a secure and reliable method for their onsite staff to connect and manage resources in AWS.

 

Remedation Highlights:

  • Tightened up firewall rules in AWS environment.
  • Set up CloudTrail to collect logs and protect the S3 bucket where the logs are saved.
  • Implemented best practices to secure the root account.
  • Encrypted data at rest and in transit.
  • Enabled logging of VPC traffic, Elastic Load Balancers and S3 bucket access.
  • Optimized EC2 costs by leveraging Reserved Instance Pricing and the AWS EDP (Enterprise Discount Program).

Alignment to Well Architected Framework (WAF)

By optimizing the architecture around the five (5) WAF pillars, AppZen was able to gain the benefits of a well-architected design in the Cloud:

Cost Optimization:

  • Perform pricing model analysis and utilize Reserved Instances.
  • Match supply of resources with demand by provisioning resources dynamically and maximizing utilization.
  • Leverage S3 lifecycle policies to move less frequently used objects out of the standard tier into S3 IA or Glacier.
  • Optimize costs by using Managed services like RDS, Lambda, Route 53, Certificate Manager etc.
  • Monitor AWS Spend using billing alarms.
  • Right size instances by using recommendations from Trusted Advisor for optimizing resources, instance types and sizes.

Performance Efficiency:

  • Made architectural choices based on cost/budget, business needs and benchmarking.
  • Selection of compute resources, instance family, type and size based on characteristics, cost and business needs.
  • Selection of storage solution bases on access patterns, characteristics and requirements.
  • Proactively record and monitor performance related metrics and generate alarm based notifications.

Operational Excellence:

  • Determine priorities by extensively evaluating customer and compliance needs.
  • Implement application and user activity telemetry that feed live dashboards as well as trigger notifications when anomalies are detected.
  • Ensure operational readiness by training personnel to support production workloads.
  • Identify key performance indicators and define workload metrics.
  • Monitor the performance of resources through metrics collected in CloudWatch.

Security:

  • Control human access by granting least privileges.
  • Tighten firewall rules to protect compute resources by reducing the blast radius.
  • Regularly scan for vulnerabilities and patching using AWS Systems Manager.
  • Protect all data at rest using KMS keys for encrypting EBS volumes, Snapshots and S3 buckets.
  • Protect all data in transit by enforcing SSL encryption and managing SSL Certificates inside AWS Certificate Manager.

Reliability:

  • Regularly monitor and manage service limits with AWS Trusted Advisor.
  • Procure compute resources dynamically by provisioning using Auto Scaling Groups.
  • Perform data backups automatically and encrypt it using KMS keys.
  • Define recovery objectives for downtime and data loss use recovery strategies to meet the recovery objectives.

Lessons Learned / Outcomes

AppZen had been a consumer of AWS for some time.  However, it was not taking full advantage of new features, services and capabilities that AWS is continuously releasing.  This is one of the major advantages of an AWS Well-Architected Review – by continuously assessing your AWS environment, you can ensure you are controlling and optimizing costs, as well as keeping at pace with AWS innovation.

Periodic reviews of your AWS architecture is important to the ongoing cost controls, enhanced security, and performance of your critical applications.  As a result of their architecture review, AppZen was able to meet all their objectives and can now focus more on adding business value through innovation.