Thank you. So yeah, it's my first time at this meetup, so I'm kind of new to everyone. Today I'm just going to talk about how GovTech does AWS. I'm not as technical as the rest of them because, you know, I'm supposed to be vendor-agnostic, but I'm going to share with you guys how we do AWS.

But first I'm just going to do a little bit of promotion, for those who do not know GovTech. This is the long name: Government Technology Agency of Singapore. If you shorten it to GTA it's a totally different acronym, so we don't want that. That's why it's GovTech, and our logo is moving, because we're bold. Formerly known as IDA, for those who know IDA; we do a lot of things. Now it's split, and GovTech is the branch that actually does a lot of the engineering, software development, hardware stuff. So right on top, we are awesome and happy and we try to bring that culture to everyone. We're hands-on; we do software development and all that. So a job con is by one of our directors, all that good stuff.

I know I don't have a lot of time, so I'm just going to blast through. Hey, this is me. I was giving a workshop at Hive; he was there. This is my office actually, very open, like a software-startup kind of environment. And we also have an autonomous wheelchair, so maybe Amazon can help with that. So I never get around... Yes, a use case would be in the hospital, when nurses are actually nursing the victim, sorry, the patient. They don't want to spend the time to actually push from point A to point B, because the hospital might be a little bit big, so you just set it on the map for them on the wheelchair, or the girl with the package, like magic, all in her phone. And our building is in Hive at Sandcrawler, same as Lucasfilm and Disney, so we can actually see them. I don't know why Marvel is there, but apparently they invaded Disney. So yeah. Well, if you are interested in me, just a little bit of background about me.
I went to SMU, born and raised in Singapore, but I went to CMU for my master's degree and kind of stayed there for a while because I liked it. Then I came back to serve the nation. So right now I wear many hats. Today I'm wearing my AWS accounts engineer hat, where I talk to you from the point of view of how we use AWS and other good stuff. Also, I do martial arts and self-defense; if you hire me you get digital and physical defense. I was a medic in the SAF. Yeah, so there you go.

Disclaimer: anything I say here doesn't actually represent my organization. Singapore is a fine country, right? I can be fined for actually standing here and talking nonsense. So yeah, humor is necessary. I like to be candid and casual, as you can see; this is how I dress to go to work.

All right, let's get down to business. Traditionally we used data centers, right? Everything is tight. You want to deploy something, you have to buy a rack or hardware, then you get engineers to do the software part. So we all know why moving to the cloud is good, and we also have a shift in mindset: the government is trying to be as agile as the industry. We were using private cloud at first; we built our own cloud, and that was kind of cost-inefficient, or slow, so now we are exploring public cloud, keeping up with industry, and it is actually happening, right? That's where we are at Hive. Other factors for moving to public cloud: because everyone's using the same compute resources, it's cheap. You want to be prudent because we're using taxpayers' money. It's very efficient, it's very scalable-ish; some things aren't. And sometimes security; we have to consider that and balance it depending on how much risk the organization can accept, right? And there are really cloudy requirements when it comes to choosing a cloud provider, because different providers provide different stuff.
I really hope you know what it means, because Azure is another competitor and Google Cloud is yet another cloud competitor. So, right, this slide actually gives you an idea of how many humans we have: three to five engineers doing the administration of AWS, the creation and deletion, the management, so actually just managing accounts. But above that we have tens of other engineers who don't actually get so hands-on with the management. So that's my role, right? I used to do more of the actual development, on Lambda, EC2, S3; by now I try to do more of the engineering, so consulting on the accounts, security, monitoring how they use it, how we should use it, how we do use it. It's governed by cloud policies, because we are in the government, which includes a lot of security, compliance and operations requirements, like tens of thousands of pages. I don't want to bore you with that, so I've summarized it all, and this is exactly the key point if you think about it: data classification. Because everyone's data is stored with us, sensitive or not, we have classified or unclassified. Right now we can only process unclassified, like population and traffic data, things that are kind of public. Those we use the cloud for a lot. Other than that, like your personal IC number, etc., we don't do it in AWS; we still do it the traditional way in our own data center. So we are looking into more ways to tokenize. You guys have heard of tokenization? Just trying to anonymize data so it becomes more public rather than identifiable.
Yeah, all right. Anyway. Okay, so we use all these. Did anyone catch the line right on top? We use all these services, those that are available in Singapore, obviously, right? We don't always get the services at first launch, because (you're laughing at something) us-east and us-west always get it first, right? And today I was supposed to talk about AWS Batch. I did play around with it, but I didn't have too much time to go into the technical details; maybe next time. I found it pretty interesting. So have you seen the truck, the Snowmobile? Yeah, we don't use it; it's not available here. I don't know, you actually have to submit a form to do that. But the top three are EC2, S3 and RDS, which is really common because we are still pretty early in our deployment and usage of AWS, right? So the rest basically plays a support role, but is kind of the backbone. Let's talk about the top three.

Like all software shops, we use software on top of AWS, and those are the common ones. We use the Atlassian suite; everything sits on it. We gain speed and agility, everybody knows that, right? I don't have to go into too much detail. The good thing is this line is kind of blurred now, so I sit right in the middle: DevOps. You manage development as well as ops, all in one. That's kind of where we are moving to. This is also kind of our CI/CD pipeline. Nothing special; you have probably seen it at a lot of DevOps conferences. You put the code in on one side, you pipe it through. We use Telegram, so it's open source, it has bots; it actually tells us,
hey, your build has failed or your build is successful. It comes out from the other end, right? Also, it does our security scans and all that stuff, integrated with our CI tools. How do we actually deploy it? So the CD part is kind of tough because we operate in a hybrid mode. We can actually get pretty quick at the CI part, we can do all the builds, but then at the end you actually need humans who have clearance to go into the deployment center to deploy it and push it in. But it's no longer entirely in the agf environment; right now it's kind of in a hybrid mode. So this is kind of the overall picture.

So I'm a security guy, so I use CloudTrail a lot, which is like the first thing I turn on when I give somebody an account. From there you actually pipe it through S3, set up all the CloudWatch good stuff, you set your rules, alerting. So whenever somebody is doing something that triggers the rules I set, I get to know what they did and kind of tell them, hey... From an education point of view, you know, we try not to enforce, because that actually breaks our openness culture, right, if you're enforcing, if you kind of lock down and tie it to a policy. But we're in the government; there are some audits that we have to adhere to, things like that. So we can kind of just educate them, say hey, don't open your security group, port 0 to 65535, to /0, because that's bad, and don't attach it to all instances. Things like that.

All right, Kibana dashboard. The AWS link, this is by AWS themselves; I found it really useful. What you need to do is put the CloudFormation stack into your CloudFormation, and I think it basically pipes CloudTrail all the way to a Kibana dashboard. But like you said, you know, the memory application thing, that was interesting. Once you get to this one,
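The rule the speaker says he teaches people (don't open port 0 to 65535 to /0), written as detection logic over CloudTrail records. This is an added example, not code from the talk or from GovTech; the records below are constructed for the example in the shape CloudTrail writes to S3 (a `{"Records": [...]}` JSON object per file), and the account ID, user name and security-group IDs are placeholders.

```python
"""Scan CloudTrail records for AuthorizeSecurityGroupIngress calls that expose
ports to the whole internet.  Added example, not code from the talk.  The
records below are constructed; in production they would come from the gzipped
{"Records": [...]} files CloudTrail writes to S3, or from the CloudWatch Logs
stream that alerting rules run against."""
from dataclasses import dataclass

WORLD = {"0.0.0.0/0", "::/0"}


@dataclass
class Finding:
    event_time: str
    actor: str
    group_id: str
    proto: str       # "tcp", "udp", "icmp" or "-1" (all traffic)
    from_port: int   # -1 when proto is "-1"
    to_port: int
    cidr: str


def _items(block):
    """CloudTrail nests EC2 lists as {"items": [...]}; tolerate an absent block."""
    return (block or {}).get("items", [])


def world_reachable_rules(record):
    """Yield (proto, from_port, to_port, cidr) for every ingress rule in the
    request whose source is 0.0.0.0/0 or ::/0."""
    params = record.get("requestParameters") or {}
    for perm in _items(params.get("ipPermissions")):
        proto = str(perm.get("ipProtocol", "-1"))
        lo = -1 if proto == "-1" else int(perm.get("fromPort", 0))
        hi = -1 if proto == "-1" else int(perm.get("toPort", 0))
        for r in _items(perm.get("ipRanges")) + _items(perm.get("ipv6Ranges")):
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr in WORLD:
                yield proto, lo, hi, cidr


def scan(records):
    """Return one Finding per world-reachable rule that was actually applied."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        if rec.get("errorCode"):  # a denied or failed call changed nothing
            continue
        actor = (rec.get("userIdentity") or {}).get("arn", "?")
        gid = (rec.get("requestParameters") or {}).get("groupId", "?")
        for proto, lo, hi, cidr in world_reachable_rules(rec):
            findings.append(Finding(rec["eventTime"], actor, gid, proto, lo, hi, cidr))
    return findings


def is_all_ports(f):
    """The talk's '0 to 65535 to /0' case, plus the 'all traffic' protocol."""
    return f.proto == "-1" or (f.from_port == 0 and f.to_port == 65535)


def _event(name, params, error=None, time="2017-06-01T09:00:00Z"):
    rec = {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},  # placeholder
           "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


def _ingress(gid, proto, lo, hi, cidr):
    return {"groupId": gid, "ipPermissions": {"items": [
        {"ipProtocol": proto, "fromPort": lo, "toPort": hi,
         "ipRanges": {"items": [{"cidrIp": cidr}]}, "ipv6Ranges": {}}]}}


# Constructed sample: one wide-open rule, one HTTPS-to-world rule, one internal
# SSH rule, one denied attempt, and an unrelated API call.
SAMPLE_RECORDS = [
    _event("AuthorizeSecurityGroupIngress", _ingress("sg-0bad", "tcp", 0, 65535, "0.0.0.0/0")),
    _event("AuthorizeSecurityGroupIngress", _ingress("sg-0web", "tcp", 443, 443, "0.0.0.0/0")),
    _event("AuthorizeSecurityGroupIngress", _ingress("sg-0web", "tcp", 22, 22, "10.0.0.0/8")),
    _event("AuthorizeSecurityGroupIngress", _ingress("sg-0db", "-1", 0, 0, "0.0.0.0/0"),
           error="Client.UnauthorizedOperation"),
    _event("RunInstances", {"instanceType": "t2.micro"}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        flag = "ALL PORTS" if is_all_ports(f) else "ports %d-%d" % (f.from_port, f.to_port)
        print(f"{f.event_time} {f.actor} opened {f.group_id} {f.proto} {flag} from {f.cidr}")
```

Two details matter in practice: a record with an `errorCode` was a rejected call and did not change the security group, so it is noise for this rule (though a useful signal for a separate "who is trying" alert), and protocol `-1` carries no port range at all, which is why the check treats it as all ports rather than reading `fromPort`.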
yes, I am... yeah, so I'm still kind of figuring it out. Okay. At least it makes my job easier rather than digging through CloudTrail. So it's really nice; it's all native to AWS and you don't need to spend a whole lot of money on your SIEM, right? Like Splunk costs you a lot of money.

Also, asset management. One thing I use Lambda for is to query all my assets within the account and write it to a flat file in S3, in CSV, telling me how many EC2 instances I have at this moment, what ports are open, what the security groups are, and then I can find out what the ports are, blah blah blah, and how long they have been up. They've been up and running for three years without patching? Oh, okay, I need to take a look at things like that. And then it sends an email to me notifying me that it has done the job. So that's asset management for you, AWS 101.

And this guy, if you have time, look at the link that I provided: he actually hacked Lambda with misconfigured permissions. It's kind of cool. He managed to retrieve data from RDS all the way to his console. I don't have time to talk more, but just be very careful about the permissions that you put on your Lambda function; not star-star. I will share the slides so you guys can read it.

And one more thing, something that I actually proposed, is using a control plane pattern, if you guys have heard of it. These rectangles are actually one AWS account each. Projects A, B and C are at the bottom and the control account is at the top. There's nothing in the control account except for IAM users. So I log in as an IAM user, I get temporary credentials in project A and I'm an admin, but in projects B and C I'm a different role. So I get temporary credentials. Why? One use case that I think of is: in project A, things get compromised. What do you do? I don't know, if your root access key gets compromised, this whole account is gone, right?
I have to wipe it. So that's our way of mitigating our risk, containing our risk, instead of having one account and many VPCs, where the root access key can still access all your VPCs. That's why we have the creation and deletion of accounts; that way we can manage those.

How much time do I have? Okay, so this is data.gov.sg, our public one-stop government public data. This is a blog post and this is a YouTube video. Palani, my co-worker, went to the 2016 AWS Summit and presented. This was from his slide, not my credit, all his. He is the architect of all this, so he actually made this a development environment so they can rapidly test their code and deploy to data.gov.sg. This is purely and highly hosted on AWS, nothing of the hybrid stuff, because everything is public. Yeah, it's kind of cool.

Cloud is a long run. We are designing for scale and flexibility, trying to be vendor-agnostic because we are the public sector, right? Experimenting with new cloud services is always exciting, but one thing that I would like to happen more is making people come for more DevOps meetups and education, and also actually hands-on. This is just another funny slide that I have; you guys get my humor. Future uses: these are things that I want to implement in my organization, just to save money, manage secrets, and automation and all that good stuff. Oh, AWS, I really want this, so you can help me with my... yes, control plane stuff. So one
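The asset-management Lambda the speaker describes earlier (instances, security groups, open ports, uptime, CSV to S3), as an added example that is not the speaker's code. The two API responses are constructed here in the shape boto3 returns them; the real function would fill them from `ec2.describe_instances()` and `ec2.describe_security_groups()` and write the result with `s3.put_object(Bucket=..., Key=..., Body=...)`. The instance and group IDs are placeholders, and `STALE_DAYS` is an assumed threshold, not a figure from the talk.

```python
"""Point-in-time inventory of one account: running EC2 instances, their
security groups, which ports are reachable from anywhere, and how long each
instance has been up.  Added example, not the speaker's Lambda.  The two
responses below are constructed in the shape boto3 returns; the real function
would fill them from ec2.describe_instances() / ec2.describe_security_groups()
and then s3.put_object(Bucket=..., Key=..., Body=to_csv(rows))."""
import csv
import io
from datetime import datetime, timezone

WORLD = {"0.0.0.0/0", "::/0"}
STALE_DAYS = 90  # assumption: a box up this long has probably missed patches


def world_open_ports(sg):
    """Port ranges of one security group whose source is the whole internet."""
    out = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if not WORLD.intersection(cidrs):
            continue
        if perm.get("IpProtocol") == "-1":
            out.append("all")
        else:
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            out.append(str(lo) if lo == hi else f"{lo}-{hi}")
    return out


def inventory(instances_resp, sgs_resp, now):
    """One dict per running instance; stopped instances are skipped."""
    sgs = {g["GroupId"]: g for g in sgs_resp["SecurityGroups"]}
    rows = []
    for reservation in instances_resp["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running":
                continue
            launch = inst["LaunchTime"]          # tz-aware datetime from boto3
            up_days = (now - launch).days
            gids = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
            ports = sorted({p for gid in gids for p in world_open_ports(sgs.get(gid, {}))})
            rows.append({
                "instance_id": inst["InstanceId"],
                "launched": launch.isoformat(),
                "uptime_days": up_days,
                "security_groups": " ".join(gids),
                "world_open_ports": " ".join(ports) or "-",
                "stale": up_days > STALE_DAYS,
            })
    return rows


FIELDS = ["instance_id", "launched", "uptime_days", "security_groups",
          "world_open_ports", "stale"]


def to_csv(rows):
    """Render the inventory as the flat CSV text that goes to S3."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def _inst(iid, launch, state, *gids):
    return {"InstanceId": iid, "LaunchTime": launch, "State": {"Name": state},
            "SecurityGroups": [{"GroupId": g} for g in gids]}


def _rule(proto, lo, hi, cidr):
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": cidr}], "Ipv6Ranges": []}


UTC = timezone.utc
NOW = datetime(2017, 6, 1, tzinfo=UTC)
# Constructed sample: a fresh web box, a three-year-old box with every port
# open, and a stopped box that should not appear in the report.
INSTANCES = {"Reservations": [{"Instances": [
    _inst("i-0web", datetime(2017, 5, 1, tzinfo=UTC), "running", "sg-0web"),
    _inst("i-0old", datetime(2014, 6, 1, tzinfo=UTC), "running", "sg-0bad", "sg-0web"),
    _inst("i-0off", datetime(2016, 1, 1, tzinfo=UTC), "stopped", "sg-0web"),
]}]}
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0web", "IpPermissions": [_rule("tcp", 443, 443, "0.0.0.0/0"),
                                              _rule("tcp", 22, 22, "10.0.0.0/8")]},
    {"GroupId": "sg-0bad", "IpPermissions": [_rule("tcp", 0, 65535, "0.0.0.0/0")]},
]}

if __name__ == "__main__":
    print(to_csv(inventory(INSTANCES, SECURITY_GROUPS, NOW)), end="")
```

Uptime is computed from `LaunchTime`, which is the best the API gives you; it says nothing about whether the box was patched in place, so the `stale` column is a prompt to go and check, not a verdict. In a real Lambda, `describe_instances` is paginated, so iterate `ec2.get_paginator("describe_instances").paginate()` rather than a single call.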
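The control plane pattern from the talk (a control account holding only IAM users, temporary credentials into each project account, admin in one project and a different role in the others) comes down to two IAM policies plus an AssumeRole call. The following is an added example of those pieces, not the speaker's actual setup; every account ID, role name and credential value is a placeholder invented for the example, and the MFA condition is this example's addition, not something the talk states.

```python
"""The IAM side of the 'control account + project accounts' pattern: the trust
policy each project role carries, the policy a control-account user carries
listing the roles they may assume, and turning the AssumeRole response into a
session.  Added example, not the speaker's actual setup; all account IDs, role
names and credential values are placeholders."""
from datetime import datetime, timezone

CONTROL_ACCOUNT = "111111111111"                                        # placeholder
PROJECTS = {"project-a": "222222222222", "project-b": "333333333333"}  # placeholders


def project_role_trust_policy(control_account, require_mfa=True):
    """Goes on the role inside a PROJECT account.  Trusting the control
    account's :root principal delegates the who-may-assume decision to that
    account's own IAM policies; the MFA condition means a stolen long-lived
    user key is not enough on its own to reach the project."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{control_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def user_assume_policy(grants):
    """Goes on the IAM user or group in the CONTROL account: an explicit list of
    (project account, role) pairs, e.g. admin in A but read-only in B."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [f"arn:aws:iam::{acct}:role/{role}" for acct, role in grants],
    }]}


def env_from_assume_role(resp):
    """Map an sts.assume_role() response to the variables the CLI and SDKs read."""
    c = resp["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": c["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": c["SecretAccessKey"],
        "AWS_SESSION_TOKEN": c["SessionToken"],
    }


def seconds_left(resp, now):
    """Temporary credentials expire; refuse to reuse a session past this point."""
    return int((resp["Credentials"]["Expiration"] - now).total_seconds())


# Constructed sample response in the shape boto3 returns from assume_role().
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",          # placeholder
        "SecretAccessKey": "examplesecretkey",       # placeholder
        "SessionToken": "exampletoken",              # placeholder
        "Expiration": datetime(2017, 6, 1, 10, 0, tzinfo=timezone.utc),
    },
    "AssumedRoleUser": {"Arn": "arn:aws:sts::222222222222:assumed-role/ProjectAdmin/alice"},
}
SAMPLE_NOW = datetime(2017, 6, 1, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    import json
    print(json.dumps(project_role_trust_policy(CONTROL_ACCOUNT), indent=2))
    print(json.dumps(user_assume_policy([(PROJECTS["project-a"], "ProjectAdmin"),
                                         (PROJECTS["project-b"], "ReadOnly")]), indent=2))
    print(env_from_assume_role(SAMPLE_RESPONSE))
```

The two policies are deliberately split: the project account only says "anyone the control account vouches for, with MFA", and the control account says exactly which roles a given person may take. That split is what lets a compromised project be torn down and recreated without touching anyone's login, and it keeps the project accounts free of long-lived user keys.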