Thank you for making it to the end of the day. It's been a long day already, but a lot of fun. Hopefully, those of you who use Amazon will enjoy this talk. So a little bit about myself: my background is in computational chemistry and cheminformatics, which probably doesn't resonate with any of you. And nor should it. It's very specialist. There's a lot of fun; using chemistry to help design new drugs is the main part. I've been using Django for nearly five years now, which is slightly scary. But I picked up a few tips along the way and, most recently, how to apply them on Amazon.

So you've heard about my employer, OpenEye. But you probably have no idea what we do. We do molecular modeling and cheminformatics. Just more of the jargon words to keep throwing at you. But two interesting or important things are: after attending a talk from Russell at the previous DjangoCon, OpenEye is now a Django Software Foundation corporate member. We're very proud to sponsor the Django foundation. And in keeping, we also are a technology partner with Amazon.

So what does this OpenEye thing do? So here's one of our pieces of software. It's a 3D visualizer. That pretty picture in the middle shows you a protein and a drug and how they bind together. I'm not going to go into how we do all that, but that's the science that we look at doing at OpenEye. So this is more the molecular modeling. And then we can use cheminformatics to take the information, which is notionally 3D, and we project it onto 2D images. So the image on the lower right is how we show a protein binding site in a flat way with a key and a legend and then the drug. If you want to talk about the science, grab me afterwards at the receptions or any time during the conference; I'll happily go through that with you. But I'm going to stick more to the IT for the rest of the talk.

My previous employer before OpenEye was a pharmaceutical company known as AstraZeneca. Some of you may take some of the medications.
If you ever doubt Django is used in enterprise, don't worry. AstraZeneca have revenues of $20 billion a year, and they use Django for some of their discovery projects. So you can rest assured it's being used for really good stuff. So on the left, you can see some of the chemists at work. This is from AstraZeneca's own library of images. It's not entirely true. Maybe you can read a real-life chemist, but it's not far off. And although this talk is about the cloud, more traditional enterprises prefer their own hardware. So the big box on the right is an IBM BladeCenter. And that's one of the pieces of hardware that we actually deployed Django on when I was at AstraZeneca.

So who here is a user or knows about AWS? Pretty much at least half of you have used it, I'd say. So it's something that keeps coming up time and time again. Cloud's one of those big buzzwords, can't avoid it. So at OpenEye, we've really embraced Amazon. And one of the reasons is its crazy, crazy size. So this was a quote from a year ago from the head of AWS. It's probably still true, to be honest. The amount of capacity they have is five times more than all 14 major competitors, which we think about as just a huge amount of resource.

And when you look at what Amazon has been doing for the last six years, I've pinched one of their corporate slides, but you can see this is the number of features released every year. And as the years go along, the numbers go up and up. And the last column is this year. So we're not even halfway through the year and already they will mismatch the number of releases for last year. So how would you keep up with 280 release updates a year? That is a lot of changes to their services. And each of the bold services is a brand new product. So they introduced a lot of seven new products last year. It's a very rapid pace. So I'm gonna just highlight some of the most useful products from their range. Some of them you may have heard of, some of them you won't.
Apologies if that's all that you already know. But thinking specifically about making a website, the first thing is how do you get there? You need a DNS entry. You need someone to register your domain name. Route 53 is their service for this. Traditionally just DNS, but as of last month, you can now register your domains with Amazon as well. Technically it's not Amazon doing it. They've got a contract with another company. But this way you can have your DNS and registry in one place so you can see when it expires. You don't lose your domain, which would be quite embarrassing, I feel. And the DNS is incredibly handy because you control it through the API. Which, when you're deploying new software, is really handy to change things over programmatically.

Already you've heard about Redis and Memcache in other talks as useful tools for deploying your website. One click on Amazon, you can have a Redis server. Another click, a Memcache server. They're maybe not that hard to install, but you don't have to maintain another server in addition to your web servers and your application servers, your databases. ElastiCache is the Amazon product that gives you easy access to these very popular technologies.

Maybe you fancy a bit of NoSQL. Amazon offer a service called DynamoDB. So this isn't NoSQL in the same way as, like, MongoDB; it's slightly different. But it's very powerful and incredibly fast. And if you want to use it with Python, you definitely want to check out one of my co-workers' libraries, which is PynamoDB, for a really easy way to access it, both in Python and using Django.

Databases, talk of the day. Django 1.7 is now out. Those migrations are ready to roll, but you're gonna need a database to throw them at. So while I'm sure, of the four database servers there, you all have your own personal preferences, I'm pretty sure no one wants to actually install a database service; no matter which one you pick, they're not easy. All of these, again, one click, running.
So maybe you prefer to develop on MySQL, but your client has to run Oracle. We don't have the licenses. Amazon gives you a really nice way just to go and fire up an Oracle database, test it, and when you're done with it, close it down. Nice and easy.

So I'm gonna take a quick tangent away from the services after talking to people at lunch about TLS. So you want to have your communication going securely between the different services you use within Amazon. RDS just comes as default, actually, now. I think I remember doing a few weeks ago. Once you've fired up your Postgres database, let's say, everything can be done through SSL/TLS communications. You just need to make a small change to your settings.py, in the OPTIONS section, to tell it to do a full verification of the SSL certificate on the path and provide a location to the certificate that Amazon provide. This is the public key that you can easily download. You can then also use TLS on ELBs, their load balancers. It comes from CloudFront as S3 and on every endpoint. So it's really easy to ensure you're sending encrypted communications without having to go out of your way.

So perhaps the most well-known service Amazon has is S3, the Simple Storage Service, where storage really is unlimited. It's quite crazy how much capacity they add on a daily basis to S3. It also has 11 nines of durability. So once it's in there, it's pretty much staying. This is a great place for your static assets. You've already heard from other talks today that people like to use S3 to throw the assets in there. It works ever so well. And it works even better if you couple it with CloudFront, which essentially gives you your own CDN. So Netflix pay crazy amounts of money, I'm sure, and so do Yahoo and everyone else. But you can get your own CDN for a really very small amount. You can use edge locations provided for you. So when your customers go to your website, they get the assets from the closest geographical location.
And as I alluded to, TLS is available by default. The first time we were testing TLS for our own websites, we found the bar was not green, it was still yellow. It's like, well, why is it still yellow? It turns out the images weren't coming from an SSL source, which is why you don't get the green. You have to have everything from a TLS provider. So one change to CloudFront, and that's done.

Email, or SES, the Simple Email Service. As the name says, Amazon send out email for you, very easy, and it's even easier with the Django SES module: one line in your Python settings, well, two lines, install the app, add one line in the settings, and voila, your emails from Django are being sent through Amazon's email provider.

And the last one is VPCs, Virtual Private Clouds. This is part of EC2, so EC2 being the compute component. Virtual Private Clouds let you carve out part of Amazon's network to enable you to have much more fine-grained control, which is great; it's also much more secure by default. There's no public-facing IPs as standard. However, it is fiendishly complicated. I recommend you read the docs, you read the white papers, read them again, and again, and then you might understand what's going on. Part of the reason it's so complicated is because it can integrate with your on-premise computers. So we have a VPN connection from our OpenEye offices directly into Amazon. This is really handy, but it's not easy to set up. So you might need to find your network administrator to give you a hand with that. But once it's up and running, it's so, so much better. And it's something that enterprise really, really likes. They're like carrying their data, their machines, things carved away in a safe, secure place.

So that's just a highlight of some of the services, but how do you get access to them? I'm sure you've all heard of Boto. Boto itself had a big announcement a few weeks ago that they're now moving on to Python 3 support, which is great.
That was one of the sort of the top 10 blockers of biggest powerful packages that didn't have Python 3 support. It also supports EC2 roles, which I'll cover in a few slides. The other thing Amazon has released, I think late last year, was the AWS CLI. So just a command line interface to access Amazon, which is great when you don't need an API. What you may not realize is it's also written in Python. So once again, Python is being key to Amazon's deliverables, and two easy pip install commands and, hey presto, you've got it.

So if we think about a Django website, we need a database, we need some application servers, load balancers, CloudFront, all sorts of things. So it might look something like this. These are little pieces which I borrowed from Amazon to put together a well-performing website that's scalable through scaling groups, has load balancers, a fail-over database. So how long do you think that takes to set up? You have to install all these pieces by hand. So a lot of work, a lot of effort, then to maintain all of it. Amazon have some quick easy ways to serve this whole stack for you, as they call it. But it's a lot of work.

So maybe you're more developer inclined than you are DevOps inclined. In which case, there is another product from Amazon called Elastic Beanstalk, which might be very handy for you. So this is sort of comparable to Heroku, if any of you have used that; it's much more about taking an app and deploying it. And you can do it in literally three easy steps. So step one, go to the page, press launch. It's not too hard. Wait for five minutes. And this page will load up, show you a running instance. So you get a temporary sort of URI; it's the one at the top right, it's a little bit small. This has created a database for you, an EC2 instance for you, it's put in a scaling group, it's put in a load balancer. You've not asked for any of these things; it's done all of it for you.
And you can click through and you will see a nice sample project they've given you. And if you wanna put your own Django application on there, it is as easy as just clicking in the middle where you have running version, upload and deploy. Upload your own files and away it goes. It redeploys and just throws your code out. And there's a small extension you can add, like a git push, as well to it. So when you push your code, it sends a copy to Amazon, they put it in S3, surprise, surprise, and then upload it and redeploy. So we looked at this; it's very handy for small applications. But it's only sort of one particular way of doing it. You have to have RDS, you have to have this and that. There's no way to do Redis easily and things like that.

So if you need the rest of Amazon's services, then you probably need to use CloudFormation. Well, you have to write a JSON template to say I want an EC2 instance, I want a database of Oracle, I want ElastiCache, I want this, all these things. But how many of you write JSON by hand? It's not much fun. I had a quick look; we have one of them which is 2,000 lines long. I am so glad we did not have to write this. There's another Python package called troposphere which lets you write Python and it will output the JSON for you, which is hugely, hugely preferable since it is just so awful. So one of the reasons you want to do this is because here is another architecture that Amazon talk about. This uses a few other services such as Hadoop and DynamoDB; this one's for sort of online gaming, and CloudFormation can be used to very easily fire up all these different pieces in minutes, as opposed to you having to, say, install one machine, install the software, fire up another machine, install the software again. Makes it really powerful. If you got it wrong, it doesn't matter, just destroy it and start again.

So I'm going to shift gears a little bit to security. So Amazon have a shared model, so they will look after everything for under the hardware.
Make sure it's secure, attackers can't get in, everything's patched. But once you're on the machine, specifically EC2, it's your responsibility. If you open every port on the firewall and wonder why you're being attacked, you know, tough, it's your fault. You've got to be careful and make conscious and correct decisions.

Likewise, they have another product which is called IAM, which is Identity and Access Management. And there's an excellent slide show they gave last year at their conference that covers the top 10 things you should really do with IAM. I'm going to run through them very quickly. A lot of them you're going to think this is so obvious, because it really is that easy and it makes your life much easier as well. We didn't do them all at first, but I soon came around and have activated all 10 of these much easier to use hints.

So the first one is just making users. So if you use Amazon, you know you get an API key, a user ID and a key essentially, but you can have more than one per account. By account, I mean something with a credit card attached to it. So at OpenEye, we have one account, one credit card, but like 30 users. Everyone has their own credentials. Everyone can see different permissions and they don't overlap. So that makes it far easier than having 30 bills appear at the end of the month.

Everyone belongs to a group. This way, once you've got your permissions right, you can make sure everyone gets them and everyone has the same ones. We had a few cases where users had sort of custom permissions over some they could or couldn't do things and it wasn't clear why they couldn't do this. So just get rid of those, get everything into a group.

Amazon follow the least privilege rule in terms of security. So if you don't need access to it, you don't get it. A lot of their templates are quite restrictive as well in terms of security and that really does work far better. No one's ever come to me and said, oh Craig, you give me too much permission.
Please, can you revoke it? I mean, it's always the other way around. I'm not sure if they ask for extra access. Then I give up an accident and they inadvertently delete every website that we have running because I'm not gonna be happy and nor will they.

So you do get passwords as well and you can set a really strong password policy, a symbol with length, things like that. But you don't actually need a password for the API. The password is purely for the management console. So if your users aren't allowed on the console, then don't give them a password. The best security policy is where there is nothing to break.

MFA, multi-factor authentication: it's being around the news of ways of even MFA's can be broken around. But you definitely want to try and use MFA. So the root account is the account that you get when you first create an account with AWS; that's the one with the credit card on. That has to have an MFA, a real MFA. That's the best policy that you can possibly think of. And then after that, power users, those that can do a lot in your account. So for example, myself, I can do anything more or less in my account. So I have an MFA as well, but I use my phone. So it's much easier than having a physical token. And if other users we decide or deem them as being power users, we make sure they have MFA as well.

Roles is something which attaches to EC2. So once your code starts to run, using Boto or Django, you need your credentials to do anything. So all of a sudden you put Amazon credentials into your code on GitHub in plain text. This does not sound good. Not to mention you need to change it as often anyway. So how do you go about doing that? A role basically injects a credential onto the instance locally. So you never need to actually type any passwords in. When you boot up the instance, you tell it it has a role. That role has certain permissions. It can then access S3 or do whatever it needs to do. And Amazon automatically rotate them three times a day.
So this is really a really good way to ensure your keys are public and they get changed all the time.

Sharing is a great technique to share credentials between accounts. So if you have two accounts, let's say the business group and your marketing group, and you just want to share access to S3 with the developers to marketing, you can do so using roles as well.

Rotating keys is really important. So the roles is automatic. But with users, whatever policy you have for changing passwords, you should also do for API keys. So every so often you should go through and reassign your users new API access keys. You can have multiple ones at once. So there's like a nice seamless transition.

You can add conditions to your permissions as well. So there's really sensitive things like terminating EC2 instances. You might want to say you can only do that if your username is Craig and you have an MFA and you're using a secure TLS API endpoint and you're on a particular IP address. For example, your office IP. So you can do quite granular restrictions as well.

And the root account, the first one you get, the general rule is just don't use it. It's too dangerous. So by default, Amazon now don't give you API keys with it; they've taken them away because it's such a security risk. You can look in the news: people have had their root credentials hacked and all of a sudden they're held up for ransom because you can do anything with those credentials. You can delete the data, you can terminate instances. It's just too bad. Just don't have them, then you can't lose them. Definitely have the physical MFA as well.

So AWS support is a paid extra. Something that gives you email in 24 hours, although I find it's normally a lot less, and you get access to telephone and chat, which is pretty much instant. It's been really useful for us. Amazon release a lot of new features and very often they update the API and the website.
But as I've talked about using CloudFormation, they don't add CloudFormation always straight on to a new feature. So an example is the ELBs have a timeout which you can now configure, but only manually. So I wrote in an email and said, you know, this is super but we really need it in CloudFormation, as a feature request. And Amazon are really customer driven. So you do have to be very proactive when you're saying, you know, this is important to us, and they do get around to slowly changing it.

If you are serious about using Amazon, I'd recommend joining the partner network as well. It costs $2,000 a year, but they give you $2,000 credit. So it works out, you know, an easy win. Get access to some training and things like that too. And if you're really serious, get an account manager. They've been hiring like crazy. Get an NDA signed and then they'll tell you things down the road map as well as getting access to private betas. So some of the products you see today we had access to early, which is really good to test them out, give feedback, and finding out about road map features is very handy because it can go wrong where you might make a large order of new network hardware and then find out the next day that that feature is now part of Amazon and your life was hard way to deal with. So it's good to be in the know.

So as I said, keeping up is the tough part, but there's quite a few ways that I found that seem to be relatively successful. So there's the main Amazon blog that's worth following. They have a few other blogs as well, which are like specific on topics like security, Java, big data. There's a mailing list. Once you've joined, they'll soon find you. So they'll start mailing you anyway. Their Twitter account is very useful. And like the blog, there's some sub accounts for IAM for their top tips. They do summits around the world. It's like one day conferences in Tokyo, Singapore, London, San Francisco, places like that.
And then re:Invent is the annual customer conference. So that's also worth going out for; three days, much like DjangoCon. It's a lot of information thrown at you.

So when was the last new feature for Amazon? Well, this morning, obviously. So I checked on Twitter this morning: Jeff Barr, their senior evangelist, has blogged about and shared a quick tweet about a slight change to the interface for EC2 and how you can filter instances. It's only a small incremental change, but one day you might come in and find the feature you've been waiting for for months is now there.

So just to conclude, Amazon is really easy to prototype with. The services, they're not exactly for you. Maybe you want Postgres in a slightly different flavor than they offer. But just to get going with it, it's so easy just to fire it up and use it. And then when you're ready to roll your own, if that's suitable for our EC2 and whatever you like. Get your IAM settings right from day one. It's really easy. There's top 10 tips you can do in an afternoon, and you will be grateful. Things do change. So what, 280 changes last year? We're already well on the way to taking that over already this year. So you're going to have to keep up. And just as they release new features, there's also price drops. So there's been over 45 price drops so far. So you'll get new features, and your bill overall is always going down. So it really is worthwhile. And if you're new to Amazon, there's a free tier, which lasts for a year, includes lots of storage and all sorts of things. So it's worth trying that too.

So just before I finish up, I'm going to do a shameless plug for another OpenEye presentation tomorrow. One of my co-workers is talking about OAuth 2. I think we've found it very important for us at OpenEye. I'm going to thank you for your attention at the end of the day. If you've got any questions, feel free to ping me on Twitter. If not, I'll be reached at 10 now.
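
The conditions the talk lists for a sensitive action such as terminating EC2 instances (user name, MFA, TLS endpoint, office IP), as an added example that is not part of the talk or the speaker's code: a small Python check that reports which of those guards an IAM policy's Allow statements leave out. The policies, the user name and the CIDR range are constructed placeholders, and the helper names are hypothetical.

```python
import fnmatch

# Guard name -> (condition key, operators that really enforce it in an Allow).
# BoolIfExists is left out on purpose: in an Allow statement it passes when the
# key is absent, which is the case for requests signed with long-term keys.
GUARDS = {
    "username": ("aws:username", {"StringEquals", "StringEqualsIgnoreCase"}),
    "mfa": ("aws:MultiFactorAuthPresent", {"Bool"}),
    "tls": ("aws:SecureTransport", {"Bool"}),
    "source_ip": ("aws:SourceIp", {"IpAddress"}),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_guards(statement):
    """Return the guards from GUARDS that this statement does not enforce."""
    present = set()
    for operator, pairs in statement.get("Condition", {}).items():
        for key, value in pairs.items():
            for name, (wanted, operators) in GUARDS.items():
                if key.lower() != wanted.lower() or operator not in operators:
                    continue
                values = [str(v).lower() for v in _as_list(value)]
                if name in ("mfa", "tls") and values != ["true"]:
                    continue  # e.g. Bool ... "false" does not require the guard
                present.add(name)
    return sorted(set(GUARDS) - present)

def audit(policy, action="ec2:TerminateInstances"):
    """List (statement id, missing guards) for Allow statements covering action."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))  # NotAction is not handled
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        missing = missing_guards(stmt)
        if missing:
            findings.append((stmt.get("Sid", f"statement[{index}]"), missing))
    return findings

# Constructed sample policies; the user name and CIDR are placeholders.
GUARDED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TerminateFromOffice", "Effect": "Allow",
        "Action": "ec2:TerminateInstances", "Resource": "*",
        "Condition": {
            "StringEquals": {"aws:username": "craig"},
            "Bool": {"aws:MultiFactorAuthPresent": "true", "aws:SecureTransport": "true"},
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        },
    }],
}
WEAK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEc2", "Effect": "Allow",
        "Action": "ec2:*", "Resource": "*",
        "Condition": {
            "BoolIfExists": {"aws:MultiFactorAuthPresent": "true"},
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        },
    }],
}

if __name__ == "__main__":
    print(audit(GUARDED), audit(WEAK))
```

The second policy is flagged even though it mentions MFA, because the wildcard action covers termination and `BoolIfExists` does not force MFA for access-key requests.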