All right, so we're rounding up governance today. In the past sessions, the past two sessions I believe, we have basically been looking at governance and how you can use governance and its tools to implement a secure and compliant multi-account environment that follows AWS best practices. So the first thing that I want to ask you guys is this: visualize yourself as someone that... let's just say you got a job today and you've been pulled into a project as a consultant to help a customer who wants to, who needs to, set up their landing zone. Assume that this is a completely greenfield customer. They have no experience on AWS, or we can say that they have a little experience on AWS; maybe they just have an S3 bucket on AWS that they're backing up their data into, and they want to move beyond that level. They want to do more on AWS besides using it as a disaster recovery environment; they want to actually move their workloads into AWS. The customer brings you in to help them get started on AWS, and they're bringing you in because they want you to help them do it the right way. So assume that you find yourself in an environment like this. Let's have one or two people just tell us how they would approach a customer like this to get them started. Anybody? Misso, you want to try?

I can try.

Yeah. I'll get to you, Victor. Let's hear from one or two people and then we hear from Victor. Since Victor put his hand up first, I want somebody whose hand was not first up to try, please.

Can you come again with the question?

Sure. So I was saying that you have been newly hired by AWS to help Netflix set up their AWS environment. Over the past years Netflix has just been using AWS to back up their databases and their EBS, their storage, on AWS. They haven't really migrated workloads; they don't have any applications running on AWS, they don't have any real infrastructure, EC2 instances and all of those, on AWS, and they're looking to expand to AWS. So AWS hired you as a consultant and placed you on the Netflix project to help Netflix set up that environment. How would you approach Netflix in this case?

Let me try this. This is just similar to the project we have. First we have to do research to know what Netflix has in their data center that they want to move to AWS. Then the next thing will be to know what, as I just mentioned, they want to bring, and also to know how much they are willing to spend, because first of all cost will be part of what they are looking into. Then we'll start to plan the migration. I'm sorry, I'm just blabbing because I'm not very ready for it.

Okay, all right, that's fine. Okay, sounds good, thank you. Let's take Rofi, and then... Ado, sorry, which one is your first name, is it Ado or Rofi? Okay, all right, you go, and then after that Victor will go.

Yeah, for me I think one of the most important things is communication. You need to communicate with the customer and let them know the importance of the services you are going to use. And since Netflix is a service that has many more people on it, you let them know: okay, in AWS we have something we call Auto Scaling. I believe the night has a rush hour, because when people are at work you can't expect them to use Netflix. So you let them know the security features of AWS, and you also let them know the backups that AWS has and the backup plans that they provide. So I believe the most important thing is to communicate: okay, what do you want? This is how things are in AWS. And okay, maybe we want like four or five servers, and we want to scale them; we want five servers as our main servers and we want to auto scale in case of rush hour to seven, or it should not be more than seven in case of a rush. So you communicate with them and you get to know their own point of view and what they need. Okay, we need a backup. And you tell them the security features AWS offers, and you tell them about the edge locations too, and how they can get low latency to their customers, because I believe for a company like Netflix they want their customers to be able to access their products very fast and easily. So you tell them about those features, and from there you start building up an image of what to do.

Awesome. All right, thank you, Ado. You made a good point there on communication, so we're going to talk about that. But let's take Mara, and then after that Anita, and then Victor. Mara, go ahead.

Thank you very much, Prof. First of all, yeah, I believe communication is very, very important. So going in with my team, a team of consultants, to sort of understand the company infrastructure, and also to emphasize and break down the different services that we can offer them when they come to AWS. I mean, Netflix is a very big organization, and since they're already using us for AWS backup, I'll make recommendations on how we can improve on those particular services, and also it could be that we can run a section of their services on AWS. Maybe, yeah. Thank you.

Okay, thank you.

Yeah, for me I will start with the discovery steps, to really understand what is going on with the company, where they are having challenges, the issues they are facing. Then after going through that it will be like a workshop, I think. Then after that I can use it to design what I'm going to implement, the AWS services I'm going to introduce to them, and I'll try as much as possible to give them like two options of AWS services. Then after that we will take it from there and do the testing, I think. Thank you.

Awesome, thank you. Victor, you want to go ahead?

Yes. I don't know if my microphone is on, can you hear me?

Yeah.

Okay, so basically, yeah, Netflix, I mean it's hypothetical. Because Netflix already is a streaming company... I mean their workflows are definitely high intensity and they have a lot of streaming servers. But the first thing we would do is just have a sit-down with the stakeholders, talk about exactly where they want to go, how much they want to spend, so a budget would have to be talked about first of all. We'll also have to do an analysis of what the current state of their data centers is, do a discovery; there are very specific tools that AWS uses for those things. So we create a business case first of all: okay, are you sure that moving to the cloud, or to AWS, will solve your problems, and what are those problems you want us to solve? Is it a workflow you want to optimize? Do you want to secure it, do you want to make it more performance oriented? So those are the kind of questions you ask. You talk about those workshops that Anita talked about; you speak to the database administrator, you speak to the CTO, you see where they want to go with this move. And then you set some key performance indicators, basically just to find out what exactly the milestones are that you will reach, so that you know when you reach them. And then you plan the migration. Planning the migration basically involves you thinking about how the actual structure of this new environment will look, how you are going to secure it, because that is really key, how you are going to optimize bandwidth to make sure that things are accessible, because Netflix is global. So you're thinking: okay, how many accounts are you going to set up, how many subnets, how many regions, are you going to have CloudFront, just to make sure that people are able to access their videos quickly without having to traverse the internet. So you study all this and then you begin to make the push for the migration.

So now the migration becomes the point where: who's going to do the migration? That will probably be my team of consultants. We'll go in there, start off with probably Control Tower, set up the various subnets, the dev... get a landing zone, just like you taught us, and then we begin to put the AWS infrastructure in place. So we're talking database: what kind of database are they going to use, what's the sizing, what's the cost, how do we optimize cost such that when we deploy anything in AWS it's going to be cost optimal. Then we're talking latency. Then we're also talking about how much data we are going to move from this existing place into AWS, what kind of pipes we build, are we going to use Direct Connect, are we going to use VPNs, what are the disadvantages of using one over the other, how much is it going to cost. So you have this ongoing conversation; it might take you two, three, four weeks to even have this conversation before you actually start. Then you talk about compliance, things like licensing, geographical licensing of those movies: some of them cannot traverse geographical space, like they cannot traverse from one continent to the other or from one country to the other. You put all those things into the space, and then you figure out what skills they actually have to do this particular migration, and if there's training going to be involved you make sure you put that in perspective as well. Now the other thing is, if you're going to migrate, is it going to be a live migration, or is it going to be shut it down and then move it? But clearly you cannot get Netflix to go out of business just because they want to move databases or data centers. And then you decide: if it's a live migration then you do the lift and shift, or you do the lift and refactor, depending on the decisions you made in the earlier stages, how you're going to make those workflows work in the new environment. Then you talk about post-migration: how are you going to optimize, how are you going to monitor, how are you going to make sure it's secure, maintenance of the various environments that you've put in place. And then you make it interesting, because I don't think that Netflix will ask you to sever their connections from the existing database to AWS; you might actually have a hybrid, you might still have some servers on premises and then you have the others on AWS, and again there are considerations regarding that. And there are a few other things that you need to do to fine tune performance, fine tune cost, fine tune latency, making sure all the data is accessible from different countries and different geographical areas. And then you can evaluate the KPIs that you set up in the beginning and see whether you hit those marks or not. I'll stop here.

All right, awesome, awesome. See, just from what Victor said, it shows that he's been doing a lot of work on the project that you guys are working on. Clearly he has seen the whole picture of how you move from a service to building a whole solution on AWS. So that is really amazing, and if all of you can look at things from that standpoint and understand exactly... say if you find yourself in an environment where the customer knows nothing and they bring you in to help them, to show them the way, because you're the one who holds the mantle, you're the one who holds the flashlight to show them the way, and you know exactly how to guide them, then you are all right for working in any environment and you're not going to find yourself lost or confused or overwhelmed in any environment. So that was excellent, and good job to everybody as well. You all touched on really good points.

Researching your client's business case is also important: understanding what your client is doing in terms of their business, so that when you're doing anything from the infrastructure side you can relate it to their business case. Understanding their current infrastructure, what they currently have in their data center, is also important, because you have to be able to mimic what they have so that the change is not going to be huge as they are moving to the AWS side. And then communication; I think somebody mentioned communication. Communication is huge too, because if you don't have these clear communications with your customer, they might be asking you for A and you're preparing B to give them, and then at the end of the day what you present to them or what you demo to them is completely opposite from what they asked you for. So clear communications, and making sure that before you do anything it is signed off, all of those things are really important. We're going to talk more about that when we get into migration.

But yes, so it all starts with this discovery, because whatever project you're working on starts with these discovery calls, where you sit with the customer in so many meetings, because you don't want to make the meetings too long; you don't want to go above an hour or above 90 minutes, but again there's so much to know about that environment because you've never been there, and you want to understand the environment. So you go through all of these discovery calls, you can spread them out in the space of one or two weeks, and sit with different teams and try to understand exactly what their daily life looks like, what challenges they are facing. And that's why in the Service Solutions project that we gave you, it started with a conversation that was happening between two people. In most projects it's not just going to be a conversation between two people; it's going to be a conversation with so many different people, where they're telling you their pain points for you to understand. So it starts from there, and then you can start coming up with a proof of concept. And the proof of concept covers different streams, and one of the important streams, which relates to what we're talking about, is setting up governance and the landing zone, because like we said last week, the landing zone is one of those things that it's always good to start with, so that you can give yourself that solid baseline.

And in most projects, before you even get into having these migration workshops to understand what they have in their environment, to understand what kind of operating systems the applications are using, to understand the dependencies of these operating systems, to understand what kind of tools they're using, and the kind of migration strategy you want to use for them, the first thing is to basically make sure that they are able to implement some sort of governance in their AWS environment. And Control Tower is something that you would want to talk to them about. You can be the one to talk to them about Control Tower, or you can bring in the Control Tower team to come and do a whole Control Tower conversation with them. But let's assume that you've been brought in to come and talk to them about Control Tower, because right now you guys already know Control Tower and you can have that conversation with them. So you're going to start with what we call a kickoff call. During this kickoff call you want to go over everything that the project is all about, to make sure that everybody is aligned, and like I said, communication is very important.

In my experience I've seen cases where, when you're in a consulting engagement (now this is mostly for consulting engagements, because you're in an environment that's new; if you're a direct hire, let's say Netflix hired you, you would stay over time and understand the Netflix environment, and it would be easy for you to deliver, but if you're working for a different company and you're just brought into Netflix to deliver within the space of three, four months and go, you need some time to understand and get up to speed on what that environment is all about, and that's what the kickoff call and those workshops are all about). So in the kickoff call the first thing is to make sure that all stakeholders are on that call. All the stakeholders have to introduce themselves and say their job titles, so that you know that the right people are on the call; you don't want to have that call with the wrong audience. Now, when you have all of those stakeholders, the first thing in that kickoff call is to go over the scope of the deliverables, because you want to make sure that you know what the client or the customer is expecting from you at the end of that project. If they are expecting that at the end of the project the application should be functioning on AWS, you set that as a deliverable and itemize it. If they're expecting that at the end of the project they should have a landing zone set up and working and all of their accounts fully enrolled and registered into Control Tower, you should list that as a deliverable. Everybody has to be aligned, so that if you have 10 deliverables at the end... because if you don't have these measurable deliverables, at the end of the project you'll not be able to gauge if you met the expectations or not. So that's what that kickoff call is for, for everybody to sit there, and then probably the engagement manager or scrum master would be sharing their screen, and then you guys are having that technical deliverable scope conversation, to talk about the scope of the project, to make sure that it's aligned in terms of the timeline, in terms of the work that needs to be done, in terms of the resources that you have, in terms of what they're expecting at the end of the engagement.

And then, if the focus of that engagement or the focus of that project is on governance, you want to start with a few things on governance, to gauge exactly what your audience knows about governance on AWS. So if we're talking about Control Tower, you can ask them in that call to find out exactly how much they know about the Control Tower service, how much they know about the AWS Organizations service, how much they know about landing zones as a whole, and then just try to gauge where they are. Because one of the things is, you don't want to start talking about things that they already know; it's good to know what they know, because some people on the call might have heard about Control Tower but don't know much about it, some people may have never heard about Control Tower, some people may have heard about it, implemented it, but they just don't have the time to do it and they're bringing you in to come do it for them. So it's good to get the temperature of the room, to know exactly where they are so that you know exactly where you want to come in, because that will make you more valuable. You don't want to be on the call with a 20-slide presentation while people are dozing off because they already know what you're saying; you see that you're not adding value to them. You want to be very clear on exactly where they are in terms of their knowledge of the AWS services.

And then, assuming that in that conversation they don't know so much about Control Tower, you can give them a quick rundown of what Control Tower is and tell them why it's important for an organization that is just new on AWS, and highlight the things that Control Tower would bring to them. We talked about those last week: we said that Control Tower would set up their landing zone, Control Tower would centralize identity and access management, Control Tower would establish some guardrails for them, and all of those things. So you dive into all of those and talk about these components of Control Tower. We talked about those last week; we said one of the components is that it sets up your landing zone, it establishes guardrails, it centralizes your identity and access management, and then it automates... what, you guys are following? Last week? Account provisioning? Exactly, compliant account provisioning. So these are the four things that you want to highlight in that kickoff call, so that you get them to understand exactly where you're going. You don't necessarily have to dive very deep into it, because that kickoff call is just a one-hour call. In my experience most meetings beyond 90 minutes get... unless you're in a working session where someone is sharing their screen and both of you are troubleshooting something on that person's screen, then you can go for four or five hours because you take breaks in between and everybody will still be sharp on the call. But when it has to do with a presentation or anything where one person keeps talking, you want to keep it short; if you don't keep it short, beyond 90 minutes somebody will be on the meeting but the person will be doing something else on the side. So you don't want this talk on Control Tower to be long; you just want to highlight to them the four things that Control Tower gives them, and then you talk to them about next steps.

So the three main things that you cover in the kickoff call: you cover the scope of the engagement, you give them an intro of what Control Tower is, and then you talk to them about what the next steps will be. For next steps you tell them that, okay, we're going to split all of this into different work streams, and then we have workshops on these work streams. And this is just about governance; we're not talking about migration. Migration is a whole different ball game. We're talking about how you implement governance in the environment before they start migrating. So in those next steps you talk about the workshops that you want to have with them in the different areas, to understand exactly where they are and where they would like to be at the end of that project. That is the main thing: to understand where they are and where they would like to be.

There are four main workshops that you want to hold with the customer when it comes to implementing governance. The first workshop is to talk about account structure. In the account structure workshop you want to dive deep into AWS Organizations, what AWS Organizations is and how you can use AWS Organizations to set up your account structure. And in that call you make it in the form of a workshop, because typically account structure conversations, depending on how large the organization is, can go up to an hour or so. But in that conversation you have to come up with your draw.io, and all of you brainstorm and talk about how they want their account structure to be. So you tell them, okay, if we're implementing Control Tower, we have a management account, and then Control Tower will give us a Security OU, and in that Security OU we're going to have a Log Archive account and an Audit account. And then it depends on you how you want the rest of your structure to be, and they can ask you: what do you recommend? You can say, okay, in my experience, in past projects that I've worked on, I've seen customers have a separate organizational unit they call a shared organizational unit, where they put their shared services inside. Then they'll ask you, what do you mean by shared services? You can say, okay, for example we can have a network account that is specific to our networking tools, for example Transit Gateway. You don't want to take Transit Gateway and put it in one of the dev or DevOps accounts, because Transit Gateway is a networking tool. Direct Connect: you want to create your Direct Connect gateway in your networking account. DNS servers: you want to put all of those in your networking account. Focus all of your networking tools in one account. It keeps things clean; you can give access to that account just to the networking team, and then people that don't need access to Transit Gateway will not have access to Transit Gateway. It makes things in the organization completely clean. And then inside the shared services you can also have a DevOps account. Your DevOps account is the account that will start hosting things like your Jenkins pipeline, all of your CI/CD tools; whatever you're using for DevOps, you can install those tools and have them in the DevOps account. That's where the DevOps team will go in and be able to run all of their different pipelines, and then it makes sense that it's in the Shared OU. Shared OU means that that organizational unit is shared by multiple teams; it has tools that are used by multiple teams, like for example Transit Gateway. Transit Gateway is a networking tool that is basically there to connect all of the different networks, so it's used by multiple teams, and that's why it's in the Shared OU.

And then you can have another OU and call it your Dev OU. Your Dev OU is where you put all of your development tools, all of your development accounts. So we have five developers, and all of those five developers have five accounts; you create those accounts and you put them in the Dev OU so that they can use them as their playground. When they are done with the account you terminate it, and if you have a new developer you create a new one and you just put it in the Dev OU. It's also clean, it's also good, because when you have an SCP and you apply that SCP at the level of the organizational unit, once you create an account and you put that account in that organizational unit, that SCP gets applied to that account automatically. So it keeps things easy for you; you don't have to define individual policies for individual accounts, because you're already applying the policies at the OU level. And then you can start having other environments: maybe a Test OU, maybe a PreProd OU, maybe a Production OU. But it is in this account structure call that you sit with them and dive deep into this. You need to, because you guys have specific deliverables that you have to give at the end of the project; you don't want that at the end of the project they say, I don't even know what Anita did here for the past six months. And sometimes it's not because you don't know what you needed to do; you were just focused on what they didn't need you to focus on. So being clear on those deliverables and handling those deliverables precisely is what is important.

And after each of these calls, what you need to do is send them an email and give a summary: this is what we covered, this is what we implemented, this is what the next steps will be, so that everybody on that call is aligned. In my experience, especially when you're on a consulting project, when you don't do this, so many people will be misaligned on the project and they will say: I thought this person said this, I thought we agreed that we were going to do this, I thought this was going to happen, I thought we didn't say that we're going to have a Shared OU, and all of those. But when you have all of this evidence and you put it all in an email and you send it over to them, everybody will be on the same page. So that's one of the key things that you want to cover in that account structure workshop: you want to cover AWS Organizations, you want to cover all of the organizational units that they will incorporate in their new environment, you want to cover how many accounts they would want, you want to cover how many applications they would want. Another important thing is to cover the email addresses that will be used to create these accounts. They should give you the email addresses that will be used to create those accounts; if they don't give them to you, then you can say, okay, next steps: John is going to send the email addresses to create all of the 10 different accounts that we said we were going to create. Any questions? Obi?

Yeah, just... so correct me if I'm wrong, what I see us drawing out here feels like an architecture. Who's going to implement this? Who's going to go out there to help them set up the management account and these OUs and all of that? Would it still be the solutions architect or somebody else? Implementation comes way after, right?

If it's a long project, if this project is like a three, four, five months project, then you will probably be the one that will implement. Most of the time the person that does the design will be the one that implements, because you are the one who is involved in those conversations, you are the one who understands exactly what the customer wants, and you are the one who will be better placed to implement it, if you have the skills. If you don't have the skills, then they'll probably look for somebody who has the skills to do the implementation. But yes, in most cases, like I told you guys last time, there's a gray line between architecture and implementation. There was one time that I had an interview, and in that interview I said, okay, I'm good with architecture, coming up with designs, and I remember that hiring manager said, okay, we don't want someone that will just come and do designs and technical documentation and leave it; we want someone that will take it end to end. We want someone that will come in, be there in the discovery, be there in the design, and then go all the way to the implementation and testing. So that's why I tell you guys: don't just focus on being an architect, but get into the other components of the entire stream, the other streams that are involved. Any other question?

Yes, so, Prof, it's usually at this stage, after you've figured out exactly how they operate, that you know which pieces of their operations you can even begin to do some decoupling on. I mean, you have to talk some DevOps here too; we're talking maybe Terraform, microservices, those types of things. This is where the conversation actually starts, right?

Not necessarily. That conversation will start when you are going deep into migration costs; we're going to talk about those migration costs tomorrow. This one is mainly to set up governance. So what I've seen: we worked with... what's this company's name? It's a huge airline company, I can't remember the name. I just want to give you guys a real-life scenario, something that really happened, I think two years back. They had been existing on premises for over 30 years, and then the CEO just told the company, the CTO, that by May next year we want to be operating on AWS. So the CTO came in and contracted AWS, and we went in there and we had to help them migrate. We got in there knowing that it was a migration project, but during the discovery we realized that, okay, a lot of things have to happen; we have to go through governance setup so that they understand governance on AWS first, because it's a very huge environment, and we know that if they don't have that governance set up first, it will be difficult for them to really optimize and efficiently use AWS. So because we were there for something else, what we did is we brought in the Control Tower and governance team to help them get up to speed on the Control Tower side, and this is how the team approached it: you start with all of these different workshops, set up the account structure, cover their networking requirements, cover their operations, cover all of those different things; these different workshops cover those different components. Make sense?

Yeah, but Prof, when you say you called in the Control Tower and governance team, that's AWS, right, or not from inside your consultancy?

No, these are AWS folks, from AWS.

Okay, yes. I have another follow-up question, if that's okay. Just back to the first slide. This is probably a technical question that has confused me since last week: is there intra-OU communication? In other words, can a dev account, the way you have it in the Dev OU, access or push anything to, say, the Shared OU? Is there any sort of intra-OU communication? Or is this a setup to literally isolate these different accounts, and that's it, and the only inter-communication has to go through the management account?

So, how this is set up, actually no communication goes through the management account. This account can talk with this account seamlessly once you've configured it to do so, and all you need to do is create those cross-account roles. You don't have to go through the management account to communicate.

Okay, we can create cross-account roles. That's something I was missing.

You guys saw the cross-account role for Organizations, right?

I think so. I forgot.

Okay. The second request would be, as we're going through this governance and all of that, maybe towards the end, if we can take Custom Tread, the project that we're working on, and just work through this using Custom Tread as an example. If we're going to do this in Custom Tread, which is some sort of migration, thinking about it now, if we can use that as an example I think it would help us a lot to figure out how to make sense out of some of this.

Sorry, what did you say we use? I didn't get the last part.

Custom Tread, the project that we're working on. The company is called Custom Tread, right? Or not Custom Tread, they bought Custom Tread... but you know what I mean.

Yeah, yep, yep, got it. Okay.

Thank you.

You're welcome. Any other question? All right, so account structure is one of those workshops that you would definitely want to dive into. It's part of your migration plan, but it's also something that you can outsource as a particular work stream and give to the account structure team, because most of the time when you're brought into a migration project you're focused on the applications that need to be migrated; you're not focused on the governance and all of those things. You have a different work stream that is just focused on governance.

The second workshop that is still covered by the governance team is networking. Networking is covered by the governance team because you want to get an understanding of which network will be talking to which network, so that you can better align how the account structure is going to be laid out, and you can also be aligned on the tools that will be implemented in that networking workshop. So the goal of that networking workshop is to talk about things around network connectivity, network routing, IP address management. Do you have a hybrid environment, or are you looking into having all of your workloads on AWS? Are you dealing with other networks or just AWS? Are you dealing with other cloud platforms or just AWS? If they have a hybrid environment, are they looking for those two environments to talk to each other, or are they going to be siloed? If they have to talk to each other, which networking tools are you looking to use: do you want to use VPN, do you want to use Direct Connect, do you want to use other tools? So it's in this network connectivity workshop that you dive into those things. And most of these workshops always start with the client giving you a background of what they're currently doing right now, what their current processes are: we have four networks, we're using these IP address ranges, we're using SolarWinds to manage our IP addresses, we're using Infoblox to manage our IP addresses, this is how it's been done right now. And then from there you know exactly where to come in, you know exactly how to optimize what they're currently doing, based on those networks that they have on premises and how it relates to AWS. If they don't know exactly how networking is done in AWS, this workshop is an
opportunity to give them a rundown of what the VPC is rown of what a subnet is just say VPC on the AWS side is just a net a whole network side block like what you have on premise give them a rundown of what how IP addresses are routed subnets route tables all of those things internet gateway so that they can match what they currently know on premise to what is on the AWS side making sure that everybody is in line most of the time these workshops are just educational workshops that you're helping them to understand or to connect their AWS services to their un Prem services to so that when they go there they will not be completely lost when they get there you talk about things like how VPC is set up you talk about things like VPC and points you talk about things like Ingress and egress routes so Ingress and ESS routing we talk about things like security groups and knackles say VPC setup VPC end points Ingress and ESS you talk about security groups you talk about IP address management if they are currently using something like info blogs you want to talk to them about AWS ipam AWS has a service that's called ipam ipam means IP address management so I ipam just works easily like info blocks which is mostly used in most on premis environment but the beautiful thing about ipam is it's integrated with AWS tools Cloud watch cloud trail all of those things so it it is already integrated with those tools which makes monitoring of those of the service really really seamless so some customers will say okay what what's the what's the point rather than using info blocks we just move into ipam but even if they don't have to or they don't want to move there this is the workshop for you to make that determination for them because in this Workshop you know exactly the things that you need to do if they tell you that okay we want to move into from from info blocks to ipam then you check that as one of the things that you need to migrate if they tell you that okay we want to use VPC 
endpoints for this service for this service for this service then you look into how the VPC endpoint is going to fit into the network architecture if they tell you that okay we're not using security groups I actually came I actually work with a customer one time that was not using security groups and the reason why they did not want to use security groups was because they had just two people in their networking team and they had a huge environment and they did not want to manage firewall rules at the level of Security Group it's just a lot of admin overhead for them they're not using security groups they're not using Knuckles but they want to use a third party tool that's called Palo at so they wanted to apply their firewall rules at the level of Palo Alto and then which means that every service within VPC will be able to just be talking to each other it wasn't the best scenario it wasn't really best practice but it's something that they would prefer at the moment where they they they get to hire somebody else or bring somebody else on the team so it is in these calls that you really dive deep into those minor minor things that you not know in a kickoff call that's why these workshops are important you need to be especially if you are the one owning the project or you're the one driving that that that engagement you need to be fully into it so that you know exactly where they are lying my recommendation is record these calls okay record the calls because you may not hear everything by the time that you're listening somebody might just ping you on slack and you get distracted and you don't really get what the person said or your phone might ring or something might happen so when recording the calls you can come back and then it's just like our class recording when you listen to our recording the second time you understand it better than when you listen to it in class okay so I always recommend that record these calls if you are in an environment where they don't 
record their calls because some of some when you get on a project that's in a in a government environment in a secured environment will tell you that no we're not recording these calls for um NDA you know and all of those things then find a way to just get your own personal recording after that you deleted you're not you're not you're not you're not recording it because for anything you're recording it because you want to help want you want to help your s to deliver on the project better okay so record the call and oh whenever I I always tell us when you start a job a very new job record every call every call because a lot of the things that will be talking in those calls will be technical Jons that you don't understand but now when you record it you can go now and then you Google it after and you try to understand okay this person was saying this this person said this this person said this and then the the subsequent course you you be able to know how to come in and also be more interactive in the course too okay Victor yeah I have two questions one is regarding this last thing you just said but let me ask the first one first so in those particular Workshop conversations that you're having with with the folks that are on site you're going to run into some people who do not want to depart from their you know structured ways of of doing things in other words they're trying to secure their job uh positions now as a consultant how do you address gently you know and benevolently that you know this particular direction that has been kind of mandated by by uh the CTO and CIO to go is the way to go and uh you know because it's it's it's kind of delicate because they might put stumbling blocks in your way just so you don't get too far into this project to keep their own jobs have you run into something like that absolutely absolutely honestly that project I'm talking about we had a whole lot of negative energy from the team you know when you're in a call and nobody's 
standing on the video and you're asking questions and nobody's as answering the question and you're like we have we have a job to do but the team on the ground is not just ready to even let us do their job and that's just because the team the old school they've been one person who has been on the company for 15 years is not willing to learn know AWS they they know what they've been doing they can do it in their sleep so they're not ready to learn new stuff they're not ready to to start learning and and they know that okay this if I don't want to learn it means that I'm in the process of losing my job and all of those it make the engagement was really uncomfortable it was a long engagement and I was pregnant at at that time so it was really it was one of my most difficult engagement to go through that for like 8 months or so so um you always come across things like that especially in Consulting you always come across things like that they'll bring you in in an environment where you just see everybody is just negative but you also come across areas where people are excited to learn new stuff especially when you're dealing with more Dynamic folks they're excited to learn new stuff and and it's always it helps when you the Consulting team you're a bunch of you you can sit back in your internal calls and then you just digest what happened in that call but it's very frustrating when you the only one in that project because you can come across the project where they place you on a client side and you're the only one there okay you're struggling on your own so if you if you are a couple of you there it's easy for you guys to digest but if you're the only one there can be challenging but my recommend my recommendation is be professional keep a positive attitude think of ways to just light up the room okay think of ways to light up light up the room in that engagement there was one guy who who just like he was so vocal on how he felt on the on the customer side he was very 
vocal and the another guy on our side was not willing to welcome that and some sometimes the calls get really heated but um always just wear a positive attitude okay that that's that's my recommendation because you definitely face it as a consultant yeah okay I think I can't remember the second question this was the the first one it was the last last thing you said was what I was going to talk about but I don't remember it now yeah the last thing I said I was talking about recording your um yes right yes record Rec in now recording do you surreptitiously do it say I have my cell phone and I just press the record button and just carry on with the meeting without letting anybody know that I'm recording it um is that legal to do or do I have to inform you know overtly tell people okay I would like to take a recording of this meeting so that I can make sure we don't miss anything in our review of of the of the meeting how how do you handle that I I tell I tell everybody that I want to record it okay so if I am not the owner of the meeting I because this is this is a meeting that you are navigating and it's meant to help you do your job well okay they will never say no to you recording it because they want you to help they want you to do do your job well right so just tell them that okay we're going to record this but it's not going to be shared it's just for me to be able to come back to anything that I missed I don't want to miss anything that you that we're talking about on this call and typically they'll never say no they'll never say no okay but the calls that I'm saying that you record is typically when you get into because like you guys right when you get a new job and you get into environment the first thing that you get hired a lot of conversation you be you be drawn into meetings that you probably don't understand what is being said in those meetings you don't want to be lost right you want to help yourself get up to speed in those cas I would say take your 
phone record listen to it after that you delete it because you're just helping yourself get up to speed if not because it's your new job it's the first time and and you're hearing a lot of technical drons that you've never heard before or that is very new or that's very specific to that environment and you need a second you need to listen to it sometimes a second time that's what happened to me though and and and it helped me a lot when you get into those calls and you you just listen to it maybe you sleep and get up in the night one spend one hour and just go over it again you can easily get up to speed okay thank you Emma uh yeah my question was actually on on recording I wanted to know how uh we could do that you just explained that you can always ask them to record that uh call if it's if they can do that and if if they can't um you can do the recording yourself and the other thing is recording is it this will be like when we're remote working remote from home and um I guess that's what you mean then that way we can actually record on our phone but what if you're hybrid and you're in the office what do you do if you're hybrid in the office then it's it's much easier because somebody who said something that you did not understand after the meeting you can walk up to that person's cubicle and meet that person and say okay I know that you mentioned this can you walk me through what you meant by this and stuff like that it's way easier when you have that when when you when you're meeting them physically to have that conversation with trust me and one of the reasons why I always say it's recorded you record is because sometimes you may not understand what people say in a car because of maybe like um how they say it how they explain it and so it just helps you to also get yourself up to speed on those things but if it's hybrid it's way easier because now you get that get you get to meet them physically and talk with them yeah I remember when I when I started in AWS 
AWS was not hybrid it was like five days a week in the office and and uh it was it was it was good but it was I think that was the most traumatizing experience I had ever working in the corporate War because when I started I started in January of 2020 and I was I relocated to to Dallas because of that job and then when I started AWS has something they put you on a probation I don't know if I talked to you guys about this they put you on a probation for six weeks so within those six weeks they expect you to achieve a lot of things okay they give you a whole project to deliver not a real life project give you a whole scenario and then your co-workers or your managers or a bunch of people about seven eight of them will make form part of the client team and then you'll be expect to you'll be expected to go through the workshops with them you'll be expected to go through the proof of concept with them you'll be expected to go through the implementation with them everything that you need is given to you everything okay and then you just need to go through that and when you go through the workshops they give their feedback if you didn't do well you repeat it and all of those things so it was really it was really tensed but it's just one of those things that you learn really fast you have to because you don't have a choice right unless you want to you want to you want to lose your job and then because it was not hybrid or because it was not remote I had the chance to meet with other people who have actually went through what I was going going through and they succeeded so they they were in a position to say okay I know where you are I know how you feel I and they can give you real point pointers but sometimes when it's removed it's really hard to get somebody to really like open up to you because you ping the person and then the person is going to respond back to you at their own time and then you get on a call since it's virtual you know it's I think that the connection 
with virtual calls are not really as as close as the connection when you when you meet physically so yeah I think I think when you're when you're in the office it helps it really helps a lot and you get the opportunity to learn much faster okay any other question all right so that's the second Workshop that you want to dive into as far as setting up or implementing governance is concern then the third Workshop would be focused on things like on identity and access management okay identity and access management this is a workshop where you cover because identity and access management is one of the things that gets implemented with control tower so this is the workshop where you cover what they are currently using as their SSO tool are they using Microsoft active directory are they using Octor are they using any other third part tool that you they need to have that tool to manage a environment or to use it as an authentication into the AWS environment so if they they're using something like Octor they're using something like OCTA then you have to start having conversation about how they are going to integrate OCTA with IDC IDC means AWS identity Center because AWS has its own single sign on tool that's called identity Center and that single sign on tool is meant to manage authentication and authorization into all the different accounts within the a environment so when we if they want that if they don't want to use two tools if if they don't want to use Octor and they use IDC for AWS you can integrate Octor with identity Center they can integrate OCTA with identity Center and once that integration happens they would be able to use their oor to authenticate into an AWS environment okay they'll be able to use Octor to authenticate into the AWS environment and that's actually what we'll be doing tonight so tonight we're going to work work on integrating OCTA with identity Center and it's just for you guys to see how that works other environments use different tools but 
the process is the same the process is pretty much the same and AWS how is it documented on how you can integrate this most most organizations that are moving to AWS already have a single sign on to they already have some sort of an active directory that's being used to help Authentication into slack authentication into Outlook authentication into into Microsoft teams authentication into Salesforce authentication into all of the different tools that they're using now they just need to bring in AWS to come and join that tool so in helping understanding how that integration Works would also help okay in this two in this Workshop too you want to cover things like I am roles and policies I am roll and policies I am roll and polies cross account access which account needs to talk to which account which account needs to be able to authenticate and get into which account so you need to Define all of those in the IM am Workshop where you talk about cross account access you want to talk about groups ident active directory groups or ad groups and account access how many groups do we want to have we want to have a devops group we want to have a security group we want to have a networking group and then in those groups now you define exactly which accounts those group will be having accesses to okay and then you cover all of those things those are the key things that you want to cover in the IM Workshop now the the length of the workshop would would depend on the knowledge of the team if they're not very familiar with AWS then it it may go longer if they're familiar with AWS it may go sh shter and then in this Workshop you also want to cover guard rails all of the guard rails that control tower brings you want to highlight some AWS tools tools for data data response I mean data protection incident response tools for um detective control tools for security all of the different security tools you just want to highlight them so that they know that on the a of platform you have 
those tools present even if they're not implementing it but they can get to know know get to use it when they need to for them to understand that those tools are present okay and then the last Workshop the last Workshop is focused on operations and shared services the last Workshop is focused on operations and share services the last Workshop is focus on operations and self shared services any questions on security Workshop quick question quick question Prof I was going to ask are there any limitations when it comes to integrating some of these IM tools with um with AWS because there are so many out there are there some that are comptible or there some that are not compatible pretty much most of them are compatible right if they're not compatible it means a has documented that okay these are the mostly wide most widely used tools that are not compatible but the frequently used one AWS already has documentation on how you you do that implementation because what AWS does is AWS works with these the owners of these tools as partners right and then they come and come up with a process on how you you get those two tools integrated if they need to create like a connector between the two tools you need to install something on this side and then go install the other thing on this side so they can talk to each other then then that's what needs to to be done so in my experience I've not really seen any challenge with this integration with any of the integration because most most customers have either been using um Octor or um Point tail point tailo or um Microsoft active directory so if if there is a challenge on implementing it then what the customer does is they will say okay we're just going to manage ident we're just going to use identity Center for our AWS platform and then we use the the the other tool two authentication tools but if it can be seamlessly integrated then it helps them to make their life easy okay sounds good thank you Victor uh sorry I don't have my 
hands up but I just wanted to know that the this Federation thing that Abdullah just pointed out this is the same thing that extends towards um federating all the authentication with things like oh well Google and so on and so forth do they use those in corporate uh environment not not not really you you can use it for applications right applications that are hosted in corporate environment but if it's for employees to authenticate into an environment you not use like Google your Google Gmail to authenticate into it you can use Google Authenticator which is just like the MFA that we use to to to as a second level of authentication for for MFA you have Google Authenticator you have micros of authenticator you have different companies now are coming up with their own authenticator apps that you can use but that's different that's for MFA okay that's MFA all right thanks but but I understand what you mean by using Google to authenticate like for example you want to log into an application and then you will use your Gmail or your Google to authenticate into that application right yeah because why I bring it up is that we were doing one of the demos um the work um workbook the Run books the other day and some of us were having difficulty actually authenticating to uh AWS accounts but there was a third option there that said authenticate with the your the signin pin of your computer and some of us did that and we able to get in so I'm not sure whether there is a relationship with that and having a corporate uh feder Federated the account using OCTA and AD and all that so um I don't know I was just speculating that that might be something that some some some companies use yeah so in in most corporate environments they would always have your user created in their ad tool and then you use those credentials from there because those credentials need to be managed it needs to be rotated maybe it expires every 30 days and you need to change it they want it to have some special 
character requirements maybe special characters um uh special counts number of digits and all of those things so they want to set that passport policy they want to be the one to manage that password policy and not have a service like Google or Amazon to manage it for you okay y any other question all right the last Workshop is focused on operations right operations is where you want to focus on the operations tools on AWS you want to start this Workshop I always start this workshop with tagging with tagging we haven't really talked about tagging much on the AWS platform but tagging is one of the thing things that are really important because most of the times organizations don't know the importance of tagging until when they like halfway or some miles into expanding their Footprints and then they were like okay we didn't tag as well we should have done this or we should have done this to make our life easier today but tagging is it's it's in this operations Workshop that you you bringing to talk to them what tagging is tagging on the on the a BL on a BL has to do with key value so you have a key and then you put a value to that key so for example it's just a way it's just a way that you you you give your resources some meta data so that you can identify them and push whatever changes that you want to them so you can have a key and say okay call center key and then you have a value of your C Center you can have a key of owner and then you have a value of the owner you can have a key of date and then you have the value of the date you can have a key of Department you have a value of the department this helps a lot because when when when you want to first when you want to push automations it help to say okay I just want to push all of these changes to the death cost center or to cost center 100 or to cost center 200 you can use the tax if your resources are tagged properly you can use those taxs to push the automation to those resources or if you want to allocate cost 
if you say I want to see how much the finance department spent this month on AWS resources you can go into the billing console you export your your billing report and then you filter by tax so I just want to filter by finance department tax and then you see how much finance department spent you see how much accounting department spent so it really it's really important and it really helps a lot but it's just one of those things that they would not know until you until they get to know AWS better and it's your place to talk to them about it in this Workshop okay this is where you define it for them into some kind of formalized format right yes in this Workshop you can Define it for them but in my experience sometimes they'll tell you that okay we don't even know what we're going to do we need to sit back and think about what we want to apply as tax and then we'll get back to you so you put that as an action item yeah but in my experience most of the time they would not know what they want or they will not know what they want to mandate because another thing with tax is you don't want to have so many tax you don't want to mandate I don't want you to I don't want to say okay every time you create an S3 bucket give that S3 bucket 15 tags no I want to just highlight three four five tags that are really important maybe it's C Center maybe it's owner maybe it's Department something like that just three or four that that we know that whenever somebody is creating this resource you have to put their stats and those sometimes those decisions are not made in that call but they brought up for further conversations in that in that that Workshop make sense all righto um in this process that you just explained is there a way I know we did something similar to that is it possible to make it mandatory to to be that whenever you create a resources like S3 if you don't give it a tag you can't complete the equation of that uh res yep yep that's where service control policy comes in 
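As an added example that is not from the lecture or any customer engagement, this is the shape of a service control policy that mandates the three-to-five tags the instructor recommends (here CostCenter and Owner): it denies EC2 instance and volume creation when a mandated tag is absent from the request, and denies removing those tags afterwards. The tag keys are a constructed choice, and the exempted role name is a placeholder for the pipeline role that would otherwise break.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEc2CreateWithoutCostCenter",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances", "ec2:CreateVolume"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/CostCenter": "true" },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/PLACEHOLDER-cicd-deploy-role"
        }
      }
    },
    {
      "Sid": "DenyEc2CreateWithoutOwner",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances", "ec2:CreateVolume"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": { "aws:RequestTag/Owner": "true" },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/PLACEHOLDER-cicd-deploy-role"
        }
      }
    },
    {
      "Sid": "DenyRemovingMandatedTags",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["CostCenter", "Owner"]
        }
      }
    }
  ]
}
```

Each mandated tag gets its own statement because multiple keys under one Null operator are ANDed, which would only deny when every tag is missing; and because RunInstances also creates the root volume, a launch must carry TagSpecifications for both the instance and the volume resource types or the volume statement will deny it.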
You can use service control policy to mandate it, and this is the perfect time to implement that SCP, because the organization is still new; they don't have any existing resources. But if you go into an environment that already has some existing resources on AWS, it may be hard to implement preventive tagging strategies like SCPs, because they can easily break things that are already in place. Say maybe they have a CI/CD pipeline that is creating resources, and then you have an SCP that prevents resources from being created if they're not tagged properly; then that CI/CD pipeline is always going to fail, because when the CI/CD pipeline or the Lambda function goes to create an EC2 instance and the EC2 instance is not tagged properly, the SCP is going to block it, and then you keep having issues with that, and then the development team will be angry at you because you came and broke that process. So sometimes it's very tricky when you have to deal with preventive controls. If you go into an environment that already has resources in place, my recommendation is use AWS Config, because AWS Config would not stop the resources from being created, but it will detect that you have this number of resources that have not been tagged properly. So you use AWS Config to come up with your detective strategy, and then you clean it up, before you can now say, okay, yes, you can use SCPs going forward. Make sense? Any other question?

All right, so tagging is one of the things that you talk about in that call. The second thing that you want to talk about is patching, okay, because sometimes they would be concerned about how they would get their operating systems up to date on AWS. So that's when you tell them that, okay, Patch Manager can help them do that, or they can still implement their on-premises process on the AWS platform, and you walk them through it. It's also in this call that you want to talk to them about logging.
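Returning to the tagging discussion above: the detective alternative the instructor recommends for an environment that already has resources, as an added CloudFormation example that is not from the lecture. The AWS-managed REQUIRED_TAGS rule marks resources missing the chosen tags NON_COMPLIANT without blocking anything, which is what lets you clean up before turning on a preventive SCP. It assumes an AWS Config recorder is already enabled in the account; the tag keys and the rule name are constructed choices.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Detective tagging control (added example): report resources missing mandated tags",
  "Resources": {
    "RequiredTagsRule": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "required-tags-costcenter-owner",
        "Description": "NON_COMPLIANT when CostCenter or Owner is missing; nothing is blocked",
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "REQUIRED_TAGS"
        },
        "InputParameters": {
          "tag1Key": "CostCenter",
          "tag2Key": "Owner"
        },
        "Scope": {
          "ComplianceResourceTypes": [
            "AWS::EC2::Instance",
            "AWS::EC2::Volume",
            "AWS::S3::Bucket"
          ]
        }
      }
    }
  }
}
```

The NON_COMPLIANT list this rule produces is the inventory of what the CI/CD pipeline and other automation must be fixed to tag before an SCP is attached; S3 buckets are in scope here because bucket tags are applied after creation and so cannot be enforced by an SCP on the create call.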
logging how do they want to implement logging do they want to have um um are they using a third party tool like Splunk or do they have other ways that they want to implement logging this is where you talk about that with them backups you going talk about their backup strategy their Disaster Recovery strategy okay so we we said we talked about tags tagging strategy talk about patching for instances and databases we talk about Dr strategy using AWS backups and then we talk about logs okay talk about logs it's also in this Workshop that you can also bring up things like what Victor talk about infrastructure as code tools I tools what I tools are they using are they going to be a terraform shop or are they going to be um um cloud formation one devops too for cicd as they use it you can also bring it up in this call okay now when you're done with this workshops all of these workshops you need to put everything together and be able to share it with them you can share with them as a PowerPoint presentation you can share with them in an email you go through that s where you make said okay in our Workshop this is the structure that we decided in our operations Workshop this is a stagging strategy this is the patching tool this is devop stud this this is the infrastructure as scod to in our security Workshop this is what we covered this is what we decided this is what we decided and so on and so forth you our networking Workshop this is what we covered this is what we decided on make sure that everybody on that call is aligned and then you can move into implementation and then you can move into implementation okay so it's really sorry to inter so how aggressively and this is just soft skills so you have a room full of people and you're you know you're you know you're like an AWS um protagonist if you will for want of a better word um and you are basically trying to tell them that there is this that will make their life a lot easier to do but they're not buying what you're 
selling. So how aggressively or how forcefully do you actually try to push them to adopt some of these tools? Because there are many tools, and they may not even be familiar with any of them.

So you don't have to be aggressive, you just have to give them a reason to. Okay, you just have to give them a reason to. They tell you that, okay, we're using this tool, we're using this, but we're not using this. You just need to tell them why the AWS tool you're proposing for them is easier. You can come from a cost standpoint, you can come from a performance standpoint, you can come from a simplicity standpoint, you can come from a security standpoint, and all of those things, and then also give them reasons why AWS is better. Most of the time they don't know the benefit of the tools. All they know is that, okay, operating in the cloud is going to save us some money, but they don't know all the different features that the tool offers to make their life easy. That's why when you come in as a subject matter expert you should really learn some of these tools and know exactly what you're presenting to them. You present it to them, and if you don't know it, you tell them, okay, let me dive into this and then I'll come back and let you know. Okay?

For example, I was in a call two days ago, and in that call the client was moving from Azure to AWS and we were actually talking about tagging, and they had about 14 or 15 tags that they wanted to implement as SCPs. One of the tags that they had was like a date, and then I said, okay, this is a lot; it's going to make your life really difficult down the road, because when your engineers have to create one resource and they have to tag it with 15 tags, it's a lot of work for them to go ahead and tag it. So my recommendation is: choose three, four or five of those and mandate them, and then put the other ones as optional. And then they pointed to some, and then somebody was saying that they needed the date tag, and then they asked me, is there a way in AWS that AWS can just automatically put the date tag on every resource that's been created? I know in my experience I've never seen any automation on AWS that does that, and then I was like, okay, I cannot tell you for sure no, because AWS comes up with new features, but let me look into that and get back to you. Okay? So that when you're coming back to them and telling them that, okay, no, there's no feature, you're really sure that there's no feature. So some of those things. The point I'm trying to make is, sometimes in this call where you're not very sure, don't say certain things that you don't know. It's okay to tell them, okay, I cannot really remember; the last time I checked, this is what was done, but maybe things have changed, let me check on that and get back to you. And then you put it as an action item and come back to them. Okay?

But yes, overall it's more about giving them a reason to. You don't have to be aggressive, you don't have to force them, okay, you just need to give them a reason to, give them the benefits, point out to them that, okay, doing this will make your life easy, doing this would benefit you in this way, you save money, it brings you simplicity, and all of those things. Okay? Sometimes some of these customers that are pushing back on change at the beginning of a session become your best friends at the end of the project, because through that process you've been patient, you've been kind, you've always been trying to be jovial and bring some light into the room. They end up, and some of them will be honest and say, at first I really didn't like this, but I think I like where this is going, I'm enjoying the change, and all of those things. Okay? Any other question?

All right, so a question before you proceed. So in this case, does it depend on what kind of consultancy you are doing? So I know there are some where you are just providing advisory service to them, where you are coming in, looking at their current infrastructure. So for example, if you're looking at their security posture, you look at it, and if it's not, you know, up to standard or not the best, then you would provide it for them and say, hey, this might cost you money, but from my point of view, not only because you're selling AWS products, right, but you're also there to provide them the best products out there. So does it really depend on if you're providing advisory service, or if you're just providing consulting, taking what they want and putting it into AWS?

So in both cases, right, even when you're providing advisory service, when you're providing advisory service it means they're looking to your recommendation to tell them what to do, right? So you may not necessarily be aggressive, because they brought you in to come and help them, to advise them on the best course of action to take. But in both cases it will be more around you giving them a reason to move in the direction that you're recommending to them. If you're just an advisory consultant, you can tell them, okay, I see right now that you guys are using a Classic Load Balancer, but I think that you can move to an Application Load Balancer for so-and-so reason. I see that on premises you're using an F5 load balancer, but I think that when you move to AWS you should use an Application Load Balancer for so-and-so reason. I see that in the on-premises environment you're having challenges with scaling, and that's why you're experiencing all of these latency issues, so I think that when you move to AWS you have to incorporate an Auto Scaling group for so-and-so reason. Okay? So when you highlight to them the reason why you want them to make that change and the benefits, unless they have a specific reason why not, then they should, because you've given them those reasons, or those things that will benefit them.
Okay, got it, thank you. You're welcome. Any other question?

All right, so for our session this afternoon, or this evening, we will be diving into integrating Okta with Identity Center. And again, like I mentioned, it's just for you guys to have a feel for how that integration works. Now, when you get into an environment and they're saying, okay, help with our integration, you cannot just say... you don't need to freak out and say, okay, I've never used this tool. You should know that most of these things are really easy processes; you just need to give yourself some time, some leeway, and then get up to speed on those things. Okay? And unless you really have to, my recommendation is never say no, especially when you have a learning mindset. Never say no to any challenge that comes your way, even on a project, unless, okay, you're being given a choice. Never say no, because you always have something to learn in the process of that. Okay? So let's take our break, and when we come back in 15 we'll do the Okta integration with Identity Center, and that will end our governance, and then tomorrow we'll look into migration.

Quickly, before we go on break: if you integrate Identity Center with Okta, will Okta logs be captured in CloudTrail?

No, not at all. You will not have Okta... so the Okta logs will go to whatever tool that you have, maybe whatever SIEM tool that you have, maybe Splunk or any other third-party tool that you're using, but your IDC logs would be captured in CloudTrail.

Got it, okay.

All right, so let's take 15. We'll come back at five minutes after the hour and then we'll do our hands-on. It should be pretty quick, straightforward, so after like an hour of doing the hands-on we should be done, and then tomorrow we'll dive into our next step. And how are your small groups going? Are you guys working, or getting busy at the small group level?

Yes.

Please keep it up, okay. That's the key to it, you know. Now it's more about you articulating these things and then getting yourself ready to start crushing interviews, okay? So keep it up at the small group level. You see that you don't really have the opportunity to articulate more in class because we're trying to give you the knowledge, but in a small group, when you sit together, try as much as possible to articulate it. Okay? All right.

Before you go, you had said you were going to give us the runbook for Macie last time.

Oh, okay, let me... I'll put that in Slack right now. It skipped my mind. Let me put that in Slack. I have it in Google Drive. Macie, Macie, okay, security. I think somebody sent me a message on that. I saw a message and I was like, okay, I'm going to do that, and then again there are just so many things going on.

And what's your... I don't know if you've used Medium before. So there's this platform, it's called Medium, and a lot of people do different projects, it could be, you know, AWS, it could be DevOps projects, and there's a ton of AWS projects on there that integrate different services. Do you think it would be a good sort of source to go off and do many, many projects?

You say Medium?

Yeah, it's called Medium. I'll put it in the chat. Yeah, I put it in the chat there.

There are so many tools out there. I've never really used it. It's a good resource to the extent that, you know, these are people who are putting those things in there, so in other words it's not the de facto AWS thing, but they're really very good, because you have a chance to see a variety of people's own experiences and interpretations of particular scenarios and projects that they've handled. So many of them, it's an open kind of forum, if you will.

Yeah, I'm not used to it, I've never interacted with it. So many different... I try to stick with AWS documentation and, you know, the Bibles, if you will, from AWS as far as it goes, but those other things are useful too.

Yeah, I agree, especially when you're looking for best practices. I go with AWS because AWS has lots of tools, but also you can find different scenarios and different use cases on some of these open source platforms that can also help to make things easy. But yeah, hang on, is Medium focused on other things, not just AWS?

What I've found on there of late is people bringing real job scenarios, challenges that they face, and how they've used AWS to actually resolve that. So they might have an architecture they think is impossible, right, and then somebody comes and says, oh, this is how you would build it, and this is how you integrate this AWS service to work with these other AWS services, and at the end it would have a whole... it's like a blog. They will have a whole blog, not just writing about it but showing you how to actually execute that project, and at each step some of them go even to putting images of what to click and all that. So I find it very, very interesting.

Can you filter out the areas that you don't want?

Yeah, you can just search AWS and then it will bring you a ton of projects.

Oh, okay, I see. This week in the community: creating DynamoDB using Python. Okay, right, so projects like that. Oh, that's nice.

Yeah, and these are real people too.

Of course these are real, and honestly there's no problem that you would meet in today's industry that somebody else hasn't met, that same problem, right? So knowing how to navigate this open-source community and just get answers to your questions is the best way to deliver on your projects much faster.

I agree. Yeah, I'll take a look at this. Thank you for mentioning that.

Sometimes we get too busy that we just forget the easiest resources that are out there at your
fingertips, for free.

For free, yeah. And you can use all of these for your interviews too, like you can see they're already talking about Amazon Bedrock here. You can use most of this and come up with scenarios for your interviews.

True. So when are we coming back, 8:00?

Yeah, 8:05.

8:05, thank you. All right, talk to you guys soon.

Yes, if you remember last time when we were doing Control Tower, we were using the default Identity Center credentials to access our Control Tower portal and assigning permission sets to the users created in Control Tower. But the issue is, let's say that you are called upon to set up Control Tower in an environment and that company already has some IdP, some user management... give me a minute, there's an echo... some sort of identity management. So you want to set up Control Tower, but you do not want the users, their workforce, to be managing multiple credentials. So I would not like to have one credential for accessing other tools in the company and a separate credential just to access AWS. So the goal for today is to be able to integrate Control Tower, not just Control Tower, Identity Center as a whole, because if you remember we said that Control Tower is a service that is built upon different AWS services, and Identity Center is one of them, and from its name, Identity Center is just a service that is used to manage identities. So we want to be able to integrate Identity Center with an external IdP, identity provider, so that whatever users are inside the external identity provider can be mapped and used with our AWS resources. Makes sense?

Yes, yes indeed.

Any question? Good. So the provider we are going to use for today is called Okta. Okta is one of the IdPs; quite a few companies do use it. So we're going to integrate Okta today with our Control Tower, with our Identity Center, and be able to access the Control Tower portal using users that are in Okta. And for today, we hope you still have your Control Tower set up there, we will be needing that, and you want to create a free Okta account. I will share the link in the chat and we will sign up for Okta in one or two minutes, then we can do the integration. Good?

So where is everybody? So what's that? Hey, this is the link I shared.

Which of them are we doing, is it the free one?

So you're going to go for the free Developer Edition, access to the Developer Edition. Okay, so you just continue with Gmail. You can click on "I'm not a robot," you continue with Gmail. For those that have, how do you call it, GitHub, then you can set up access using your GitHub credentials.

Leonard, you're sharing, so go a little bit slow so that others can follow. Are we good? Is there somebody already having issues?

So are we logging in or creating an account?

Yes, you're creating an account in Okta.

Okay, it is asking me for a password. It's not saying create account.

Please go back, Leonard, and start all over again.

It says a business email is required.

Good, so scroll down, you would see the option for sign up for a free Developer Edition.

Still log in with GitHub or...?

Yeah, so you have to take the free Developer Edition option. Okay, are we all here, we good? So you select this option and click on sign up for free Developer Edition. Leonard, go ahead. Good, so on the sign-up page you have to check that I'm not a robot. Once you check that, it's asking for a work email. A work email would work, but since most guys might not have a work email, let's continue with Google, or you continue with GitHub. Okay, please, Leonard, most people don't have GitHub already, try Google please. Go up and let me see where it says work. You don't have to type in the name and all that, no, your Google credentials would all already be integrated once you do that. The region side, it doesn't matter.

What do you mean by region side?

Prof, mine says forbidden, 403.

Okay, yeah, I got the same thing too.

Email: it doesn't give me that, there's no drop-down, I need to type.

You say continue with Google account, you need to continue with Google account. Continue with Google.

Picture... I'll be back.

Okay, thanks. Hopefully he doesn't face this issue. The 403 you're talking about is something I faced, so I know what you mean.

Did somebody succeed? Which state did you use? Looks like Leonard actually succeeded. No, 403. So go back to the home page. So let's try GitHub. Can you try GitHub?

Yeah, let's try GitHub. Just use any region in the US, it doesn't matter. Yes, yes, you have to authorize. Looks like you already have a GitHub account.

Yeah, I already have one.

Okay. So this is strange. I don't know why this happens with Okta, because at times it works, at times it doesn't work. So probably, most likely, for the call we're going to have to... did we have anybody succeed?

Yeah, mine says access forbidden, you don't have permission to access the page.

So 403 is a permission issue from the server side. Anybody succeeded in creating the free account? I guess silence means no. Then for the session we might need to have somebody use a known GitHub...

No, no, Prof, the regular account without the Developer Edition works for me.

Yeah, but I want the Developer Edition.

You want the one with the Developer Edition?

Yeah, I want the Developer Edition.

The regular account with... yeah, it also says developer though, it says development there. Sorry, development account.

No, the regular... so when you click on... you know we have three options.

We have three options here, yeah, the first one.

Yeah, for developer, that works. Customer Cloud, yes. But we wanted to try this with the Workforce Identity Cloud. I did not go through this, how do you call it, portal, so I don't want to start figuring that out in this call; we have barely one and a half hours to do that. Can we try this, while we're sharing, Leonard, can you try the free Developer Edition with a non-Gmail account? You have a company email? We could use a company email, any email apart from Gmail.

Let me see. Like a school email?

A school email would probably work, yeah.

Yeah, I think I have a school one. You guys just give me some minutes, let me just post and check on it. I'm going to put a pause on this recording for now.

Like you noticed, you were not able to set your password somewhere, so you have to keep this browser window open, or each time you close that browser you have to come back here. But the problem is, after a couple of tries the set password is going to stop working. It says the link is valid for seven days, yes, but actually after some time it can throw you an error. So I can just create my account.

So once we have our developer account, please can you also log in, in a new tab, with your Control Tower. You can log into the Control Tower portal. I want to be done with this because I don't want to push it to tomorrow; we have something else, starting migration, tomorrow, so I want to get it over with. Good?

So we want to be able to change our identity source, because by default Control Tower set up our identity source using the default Identity Center directory. So we will go to Identity Center. So just click on it and open a new tab; I want these tabs open, so duplicate your tab, your AWS tab, and you go to the Identity Center service. So scroll down, you should see IAM Identity Center setup. Down, yes, right here. And you confirm identity source. So let's click on confirm identity source, because we want to change the identity source. Yes, once you click on confirm identity source, scroll down, you will see... click on Actions. Actions, where's my pen. Those that had the Okta account, please follow up. Click on Actions, and here you should see Change identity source. Just hold. Are we all together, for those that are following up?

Yes.
Good, so you click on Change identity source. Once you click on Change identity source, you see this: Identity Center directory. This is the default Identity Center directory that Control Tower set up for us, but we want to move it to Active Directory or to an external identity provider. So we go to External identity provider. There is the Active Directory option, a little bit different from external identity provider, because AWS, I think in 2022, actually integrated this with Azure Active Directory. So if you're using Azure Active Directory, which is what my company uses, the integration, where's my pen, the integration has been set up and is managed by the two companies. Good, so once we have our external identity provider, click on Next. Then we are here now on this page. We're going to need this information in Okta, so you can leave this tab open and we go back to Okta.

So once in Okta, we want to be able to integrate Okta with our IAM Identity Center. So in the Okta dashboard, in the Okta console, sorry, you click on Applications. So scroll down, just right below Directory: Applications, and Applications again. So what we're doing here is we're trying to integrate Okta and our IAM Identity Center, and Okta, being an IdP, has these built-in plugins to integrate with different tools, and in Okta it's referred to as an application. Okay? So after clicking on Applications, we want to browse the application catalog, so the different applications that are already known to the Okta plugin. So Browse App Catalog, then we search for Identity Center. So there's a search box there, just type "IAM" for Identity Center, you should be able to see it. So these are the different applications that can be integrated with, what's it called, Office 365, Workday, Salesforce, Identity Guard, and all the stuff. Are we here, Francesca?

Yes, we're here.

I know you do have the Okta thing, are you here, Francesca?

I'm waiting, Prof. Yes, I am, sorry.

So once we find the AWS IAM Identity Center in the Okta catalog, then we click on it and we add the integration. So here you can customize the integration name, so you can see a familiar name. So if you want to call it JJ Tech IAM integration, or JJ Tech demo, or whatever, you can customize the integration name right here. And the application visibility: you can check the box "Do not display application icon to users." This will ensure that when the users are trying to log in, it doesn't ask them to set up MFA or something like that using Okta Verify, because Okta has its own MFA tool. So just like Google Authenticator, or, how is it called, Microsoft Authenticator, Okta has Okta Verify, which you need to use to set up MFA. So we want to check that; if you don't check it, then you have to set that up at some point. So I think I said that was optional, but let's check it, for simplicity. Are we good?

So checking that box means you're not letting it do what it normally would with MFA?

Yes, it means that for the different users it will not force them to set up MFA.

Okay.

So with Okta Verify, but they will be able to use their credentials to log in. Okay, so are we good, for those following up?

Yes sir.

If you do have a problem, please scream. Once you have that, then we can click on Done to set up our JJ Tech... Once we create the application, we should be able to see the application name as one of the applications now in Okta. So if you go to Applications, you should be able to see our new application. So click on Applications again. So if you remember, before, AWS IAM Identity Center was not part of the applications; now we have it. Good.

So this is where the fun begins. We want to integrate. So this was just trying to activate Identity Center in Okta; now we want to integrate both. So we click on the application, so we can go to the application and settings. Here you already have it, JJ Tech IAM Identity, so just click on it. Then you have different tabs: you have General, you have Sign On, you have Provisioning, Import, Assignments and Push Groups. We want to go to Sign On. So once you click on Sign On, you have the option to pass in some details from IAM Identity Center. So we select Edit. Once we click on Edit, you scroll down; we want to be able to pass in some information from IAM Identity Center. Also, Okta dynamically generates the set of instructions for you, so if you click on "View SAML setup instructions" it should open these instructions to do this setup in a new tab. So the steps we are following are actually from this documentation that it generates for each and every one that's trying to set up the integration. So let's go back to our Okta console. So we want to scroll down to the Advanced Sign-on Settings, and we copy the ACS URL and the Identity Center issuer URL from our Identity Center. Do you see what I mean? Scroll up. Yeah, so we have an SSO ACS URL and our issuer URL. So if you remember the dashboard when we activated the external identity provider, we had the three links which I said we're going to need in Okta. We need that information here. So the second, the ACS URL, here, and the third will be the...

You're too fast.

So we will need both URLs apart from the portal. Are we all together? Maybe I'm the one that's too slow. So let's copy the...

Francesca says she's lost.

Did I say something? I didn't say anything.

You need help, speak up, my friend. Francesca, you good?

Well, I'm okay.

No, no, if you have an issue, please stop us. Our runbook is not that complicated, so I think... continue please. Good.

All right, so we need to copy the ACS URL into the different fields in Okta. Please, I would really appreciate it if, when we are going through and you're facing an issue, rather than staying back, and especially, for example, now that you do have access to the console, rather than staying back, you stop us. It's always good you stop us immediately you're lost, so we can bring you back onto the moving train. So we need to paste in the SSO ACS URL here, and we also need the SSO issuer URL from Identity Center. Yes. Are we together?

Yes sir.

Abdalah, are you the other person following up? Any other person apart from Abdalah?

I'm following.

Good, following up, good, I'm glad to hear that. So once we paste in the information here, we want to update, so scroll down and update so that those settings are saved. We'll save, yeah. So the integration is both ways. Now we've passed the issuer and access URL from Identity Center here; we also want to be able to send the signing certificates, or the signing keys, from Okta to Identity Center, so that Identity Center is going to be able to trust Okta as an IdP. Does it make sense? That's why we are doing this. Does it make sense?

Yes.

Good, so let's scroll down. Yeah, question?

Please say it again, just so I...

What we are trying to do is to build the trust between the two applications. Okay? So now Okta has its signing certificates; we want to copy the signing certificates and pass them into Identity Center so that Identity Center will be able to trust Okta as an IdP. Okay? So with this communication they can trust each other and they can use identities that are in the Okta IdP.

Okay, okay.

Scroll down. So in the SAML Signing Certificates you click on Actions, so View IdP metadata. Good, so it's going to give you this XML document. We have to copy this XML document and save it on our local, because we need this information in Identity Center.

So you're copying the file, or the content of the file?

We're copying the content. This is not a file; it just opens the XML thing in your browser, so we want it on our local.

Okay, wait, are you copying below the line, or are we copying below the line?

Yes. If you copy only the information inside, it's going to throw you an error, so copy everything in
the XML, the XML content. So the first one is just information, right, telling you something.

We good? Hello? Oh, we're good. Abdalah, we good? Do we have this on our local?

Yes, we do.

So I think I'll give it an example name, so like the Okta IdP XML document. Once we have it saved, we need to go back to Identity Center and put this information into Identity Center, so Identity Center can trust Okta, as we said. So you scroll down to the identity provider metadata. In the identity provider metadata, AWS requires this metadata, provided by Okta, to establish trust, you see. So we can choose... so there's the option there to pass in the document you saved to the local. I need this document in .xml. The extension has to be XML, right, XML, not txt, right?

XML. I think it's a .xml file, I don't know. It should be an XML.

Prof, are you still there? You froze a little bit.

Yeah, he's frozen.

Has Prof paused, or is he frozen? Frozen, I know.

Yeah, I think it's very cold in Germany.

So I'm thinking you need to save that thing as an XML, right? Or you did already?

Yeah, I changed it already.

Did he use Notepad++, or just the regular txt?

Regular, then save it.

Okay, I'm just... sometimes I run into problems with that, it still saves it as a txt.

Oh, you can use VS Code. What you have to do is that once you save it, just edit it and then take out the txt and put XML.

Which application, though?

Whatever application you use. The easiest one is to use VS Code, it's going to... you know.

No, what? Yeah, you right click. I think if you just right click, or just rename it, and then you remove the txt and put XML, it will just do it.

Yeah, as long as it's "All Files." The one on the right is "All Files," so you see the type, it is XML. Yeah, so that's right.

So did you people get what I said before I was kicked out, at all, or do I have to repeat everything again?

No, I was talking about the txt thing to XML, so I can see he's already making the change.

Yeah, but we want to hear your version, sir.

No, it's actually the same thing. I don't know if somebody figured out in the call that it was a txt file, because I'm not so sure that doesn't throw us an error once we try to test the connection.

Yeah, it would have, but he's fixed it.

Good. My network seems great, I don't know, Zoom just stopped working. So once we have the XML file uploaded into our Identity Center, then you click on Next. Then you have to accept this; review the information, Next. Scroll down. Yes, click on Next, if we're all here. Scroll down, you review and you create. So different things are going to happen. So AWS is going to... you're basically going to switch from the identities which you had before to now using identities in Okta, so there are different things that are going to happen there. Okay, so you can review, then you click on Accept to accept all the changes that will be made in Identity Center, then you click on Create... Change identity source, click on Change identity source. Thank you.

So once we change the identity source, we want to be able to enable auto provisioning. So auto provisioning basically would ensure that once we create users or groups in Okta, those users and groups are automatically provisioned and pushed to Identity Center. So we're going to create our users in Okta, we're going to create some groups in Okta, and those users and groups should also be displayed in our Identity Center console. Are we together? So to enable auto provisioning, still on the Identity Center console, you scroll down on the settings, then you should see Enable automatic provisioning. So he already clicked on that, yeah. Are we together? We already did it, yes. So once you enable auto provisioning, an API token is created for you, and just like all these tokens, you need to copy it from the console before you close it. Once you close it you cannot see it again, but you can regenerate another token. So we need the token and the endpoint URL in Okta. Are we together?

Which of these should I save for the future?

Which of what you mentioned?

The token, that I need to...

Yeah, you go to Actions. You already closed it, so you don't have the token again. Go to Manage provisioning. So this is the token, which is gone. You can click on generate, or you disable. So others see what I was just saying, go back to disable, because here you can generate another token, but click on disable to disable automatic provisioning and do it all over again. So good, so this is where you manage the auto provisioning. So this is what you will see if you've not enabled it before. So you click on Enable, then it should generate all the keys that I'm talking about. So here you have the endpoint and you also have the token. So you need to click on Show token, then AWS will display the token to you. Click on access token. So this is a learning session; by default, in real sessions, you will not be leaving all these things open, right? Okay.

What's the token used for?

It's used in Okta to enable the auto provisioning. We will need the token in Okta because the automatic provisioning is both ways. Okay?

So you save that to a kind of text file or something?

You can save it, or you can just leave it on the console and we go back to Okta. Okay, so let's go back to Okta and we also enable auto provisioning. So scroll back, go up in our application, the Identity Center application which we integrated. Here, after Sign On, you can see the next tab says Provisioning. So we want to enable provisioning. You click on Configure API Integration, then we enable API integration, and this should now give you where to put in the information from Identity Center. So you put the API token here and we'll put the endpoint here.

So Prof, you said that at any time when we don't have the token, sorry, when we don't have the token you can always generate a new token?

You can generate a new token, yeah.

So if that's the case, we can always come in here to change the token, right?

Yes, in that case you can always come in here to change the token. Okay, so basically, if you do not have the old token... but once you set this up and it's working then there's no need to be changing tokens, right? But yeah.

I was going to say, the base URL, where did you get that from?

From Identity Center. So if you go back... Mao, just show them where the base URL is coming from. So the base URL: where you have the token, it also gives you a URL, that's the endpoint.

Yep, yep, yep. I just missed when Mao copied both. I was like, how did he fill those two fields simultaneously like that?

So let's go back to Okta and we test the credentials, make sure the integration is good. So Test API Credentials. Good, so our credentials are great. Once we have that, then we can click on Save. Then you see our Okta to AWS provisioning is displayed to us. So we need to change some settings for the auto provisioning. So you go to To App, the provisioning to the app; it's already highlighted by default as you create it, and we click on Edit. So we enable Create Users, we enable Update User Attributes, and we enable Deactivate Users, so that the changes that we are making in Okta are also replicated into Identity Center. Once we enable those different attributes or different properties, features, then we can Save. Does anybody have any issues with authenticating, testing API credentials?

Yes, I do. It says error authenticating, unauthorized, and I thought I copied the base URL correctly.

Can you... let me see if your... did you disable? Give me a minute, please. Mao, save your changes. OB, I think you're the one.

Yes.

Go back to Identity Center, go back to Manage provisioning, delete the provisioning, recreate the credentials. Okay, so right here under Identity source, come to Manage provisioning. Can you see his screen?

Yes. Wait a second, yes.

Actions, Manage provisioning, yep. Disable provisioning. That will clean up all the old credentials you already have. Then you re-enable it again; it would create you new credentials, and you do the copy and paste as I said.

All okay. Okay, and then we would... and so by the way, the base URL is this SCIM endpoint?

Yes, the SCIM endpoint.

Okay, Enable. Okay, so let's test this one more time. And then Show token, and then the API token. So SCIM basically stands for, what is it again, System for... yeah, I think Cross-domain Identity Management. Is this the API token, what I just copied?

Yes, that's the... no, this is the token ID. You need the token. When you create the provisioning, the token is there; you need to click on Show token, then it's...

Okay, yes, I'm good now, I'm good. That was why I was making a mistake, I was using this access token ID instead of the actual token. This is a token ID; this is not actually the token itself. Okay, got it, now it's working.

Yeah, good, good. So once you have that, then on your left you should have the application which the provisioning created, because we enabled this. You need to change the settings to enable provisioning: Create Users, Update User Attributes and Deactivate Users, so that once these changes are made to users and groups in Okta, those changes are replicated directly into Identity Center. We good together?

Yes. Check all the three buttons, right, the Create and Deactivate Users?

Okay, got it, thank you.

I have an issue.

Yes?

All my stuff is just showing red. Everything is red. I thought you said everything is straightforward, L. Everything is red.

Are you following up? Yeah, everything is red from the beginning. Can you share for two seconds and let's see what, because the information you're giving me, I can't make sense of it.

No, no, no, okay, okay, I'm good. I just found out... are you good, L?

Yes, I'm good, I'm good. I just found out what the issue was, my system froze.

Oh, okay. Yeah, so we want to push groups. So if you see, we've already
created our um integration but identi Center doesn't know any groups yet in our uh how do you call it OCTA so if you have groups we have users in Octa I Center doesn't know it yet so we need to be a we need to configure OCTA to push all the groups and users that are in octal into our identity Center so still on the application console you scroll up after sign on ADD um provisioning there is also a tab called push groups so click on push groups and we want to configure the push groups so you click on push groups again the option push groups where's my pen so there are different ways you want to you can push groups right so you can put find groups by names so this means that you find if you know the group name in Octa then you can find the group and that specific group we can push it into identity Center you can also use a little bit of intelligence by creating a rule and um say we want to find groups that have a certain string or begin with a certain string or end with a certain string or stuff like that so let's find groups by roomle now Prof what are these groups are they like um all those different accounts or it's just like I am groups you remember you talked about I am groups in I am yeah these are also group groups of users in octal we do not have groups yet we just want to set set up the rule so once we create groups that matches the rule then those groups will be automatically pushed to our identity Center okay make sense M good so we want to uh find groups by by rule so you can give the group the rule a name and a name so here I call it AWS groups so group name you can see the group name starts with so click on the drop down menu excuse me so you can see um this are the different intelligence you can use you can create groups that begin with a second string ends with a certain string contains a certain string or stuff like that so let's just go with the first starts with ram AWS so click on start with ram AWS can you use realm AWS because we're going to 
create a group that has this name Ram AWS r e a l m is there anybody in the yeah is there anybody in the call that used to KY CL okay um I think the somebody said it was a developer I think it's also an IDP identity identity um an I am tool so if you've used kickl then you should you'll be familiar with the the word Ram because kickl actually groups everything in different reals so Ram AWS forgot about that Ram AWS or Ram again it should work Pi but um if you're putting this string realm AWS it means that it has to match this string in the different groups for it to push them into identi Center I hope you understand what the rule here does so you can play with it as you wish you can keep it does it matter if you have a space on I think it matters should do you the space on that no space as it is in the in um um right here so group starts with ram AWS is it Cas sensitive yes it should be Cas sensitive because it's going to match this rule remember we are saying that OCT this group this group is going to push this rule is going to push groups that starts with a specific string so we are seeing that any group that we create in octar that has this string called Ram AWS at the beginning of the group name octal is going to push it to our identity Center if you say contain it means that whatever the group name is if in the group name there is a string there's a some characters that match this that contains REM AWS is going to push down into identity Center okay I was expecting a COR answer yes yes yes yes sir good that's not a corus so we can leave the description empty so that it matches everything then um you click on immediately push groups found by this rule so each time this rule runs and in the background and it finds a group that matches our criteria then it pushes up it pushes that group to um um I am identity Center then we can click on create group create roomle okay so um the application which we created in OCT how we need to pass that application or give give 
it that application to some groups to be able to use it right or to some users to be able to use that application so let's go back to octar and click on create groups so you go to octal in the dashboard you go to a directory I think on the directory you should see create groups and groups and people so we want to create a group okay so is it because we already integrated with AWS when we click on groups uh it shows a lot of the groups yes at this um uh group groups that are probably in your AWS stuff okay so we want to create a group called um AWS users so we see how groups are created and um how uh the applications are assigned to groups so you click on ADD group you call the group AWS users or whatever so this is just we could also just create our other group immediately so C on AWS users give it a description it's optional you click on save so you see give me a sec give me a um um if you remember when you were creating the rule there was an option for for description so if you wanted the rule to also match the descriptions in the group then you will need to put past that but we left it empty yeah it's making sense so um refresh you should be able to see the group you just created so why you you have this group um the do we all have the group we just created so the group is still but we need to able to assign the different applications in octav for the users in this group to to specific applications in oown so you can either assign um the application ex um in this case our am Iden application that we created in Octa to the group or you can assign it directly to some users so let's assign it to the group so you click on the AWS users Group which you just created and uh go to Applications assign application so this is how you assign applications to a group okay so scroll down save and go back then click on done so here you can see that the group if you go to this adous groups if you go to the groups just click on groups itself you can see that the group which we 
just created it doesn't have any user but we've been able to assign applications to this group so this means that if subsequently we create any users and we add those users to the AWS users then those users would automatically have um um this able to use the identity Center application or which we which we which we we integr created here so you can either assign the application directly to the group or you can assign it to to users directly okay okay so what you're saying is when we create IM users in AWS it's no we're not talking about IM am users we're talking about users in octal so this is an octar so we we're saying that when once we create users here then those users are pushed to AWS okay yeah pushed and so this is for like uh when you're having like a migration and they already have OCTA and you're trying to move to AWS no this is when you're setting up AWS access but your they customize already using OCTA to manage users using St so we want to be able to integrate their ID identity provider with um AWS so that you do not have to have for example in your company you're using other tools and you guys already have single sign on in your company most companies are using active directory and stuff so you do not have to manage have credentials for AWS separate from credentials in other tools in your company so we are trying to integrate this so that the user that you already have in your identity provider can be gred and they can be used um in AWS does it make sense that's the whole thing we're trying to achieve today yep it's good this is very important because um if every tool or every application comes with its own um access management then I guess you have to have a one note somewhere just for credentials which makes no sense so life is easier if you can integrate those different things and and use one credential all over so each time you go to a s in the background it makes an API call to octal to authenticate that user then it comes back to um to to AWS 
this is actually what happens in most websites you go and you go there they say sign in with Google this is actually what they are doing because Google has already made that integration in the background or that application has already made that integration in the background when you say sign in with Google that application is actually calling Google Google stored your credentials your username your password somewhere so it's making that API call Google in the background you don't see that but those are things that are happening in the background Google authenticates that us that oh I know this user I know this this um um um what is it called this password I know this credentials you can trust trust this so that tool that you're using online is now able to trust the identity Source in Google because Google is also an idtp provider for most applications on the website now so it Tres that um uh uh IDP store that identity store from Google then it can let you in that's actually what happens when you go your website you're doing that stuff we're trying to do the same integration here so now when we go to AWS AWS is since you do not have AWS credential ad is going to make that call back to octar and say octar do you know this guy yes octar says I know then you are then able to access your environment from octar uh Prof Mak sense Prof yes there's a question that that kind of now sounds a little bit um important so because you've done this integration where is the login taking place is it in AWS or is it in OCT in Octa once you you will see that at the end once we go to AWS AWS is going to redirect use back to OCTA to lock in no I meant the say you were trying to track something with uh something that may have happened with the Authentication will the log files be resident in Octa or will they be resident in AWS I think your question will be answered Why by by the end of the demo because once we we s finish with this integration each time you want to access AWS now AWS 
because it doesn't know you it doesn't trust you it doesn't know you but you've already configured a an identity source for it to trust it's going to make that API call in the background to OCTA then you have to loog into to OCTA to tell OCTA that who I am who I say I am then octar is going to say oh I know this guy it let this person in then it let you in okay I think I got it Prof is it um is it safe to say that think of OCTA like your phone your phone has so many applications but before you get to those applications you need to put in your let's say your credentials your password once you get in then you see all these applications that you can easily go to without requiring your put in a password that's a simple nice analogy yeah if it so basically that is it single sign on because you're signing in somewhere then it lets you into everybody so that's the thing with with OCTA now all other things can can can can talk to Octor for example I am using active directory in my company we are using active directory to sign in to GitHub because we set up that that that into big bucket because we've set up that integration into confence into J into all everything into AWS because our active directory we've already built all this SSO SSO stands for single sign on in the name single sign on I sign on once and I can access everything once I go to this new application because we already made this integration it makes that API call in the background you don't see anywh that's what happens in the API level it makes those calls it establish that trust and it lets you in if it goes back to OCTA and OCTA says you put in wrong credentials in Octa it's going to tell a is going to tell that sorry there's a problem I can't lock you in because OCT noten toate you there was something so this is this is for authentication AWS now will now give you the the authorization we are going to do authorization using permission sets again so yes I guess I can take a quick question then we go ahead 
yeah this is basically there was something we did when we were setting it up I'm just doing this from memory there was a checkbox you did that said don't do MFA right yeah and my concern is if if it lets you if it gives you access to the kingdom without further authentication like MFA um isn't that a security risk it is like I said we did that for Simplicity so we don't complicate our demo but it's basically MFA once you do that OCTA verify it's a MFA just like Google Authenticator OCTA has his own MFA app they call it OCTA veryify so once you do that every obviously if you're setting up this up in a company you will ensure that every body uses multiple um authentication okay multiple authentication steps okay okay thanks multiactor authenticator that's the right way to put it so you're authenticating with your username and password you're also authenticating with your MFA and in Octa MFA they also have another authentication because you can say yes I I have the app but I need to authenticate that I am it's not just by typing in the credentials for my phone that I have access to OCTA verifier I need to also ensure that okay um in Octa verify it has face identification the app itself so you can say that once you still have access to my phone you still need to access to my face to be able to see octa's um um the MFA cod in Octa does that make sense yes or Biometrics as the case may yes so they have they they have different layers defense layers so you can you can set that up so for Simplicity the goal here is just so we see how we can integrate this and makees sense Franchesca Emma Kenna I have a feeling today is a very quiet class maybe it's because so many people did not get the O account yeah that's why but Prof I just have a a question since we're doing this on two separate uh systems um what how do you do like a login um like cloud trail cloud trail would Trail will log or record all these um API calls uh for user access and all that in AWS right how so cloud 
cloud trail is AWS remember there's a difference between authenticate and author um you authenticate and authorization so there's a difference between authentication and authorization OCTA OCT authenticates you but it doesn't authorize you in AWS in AWS you need permission set to be able to do whatever you want to do in AWS we're going to get to that so octar need to first of all say I know this person this person is who they say they are then awss says yes now you can have access to this account whatever you are doing in that account you need authorization so you've authenticated using OCTA you need authorization in AWS to make those AWS API cost and it there are those API call that cloud TR is loging okay so what if you have your user house login issues which where it will be from OCTA you it would be from OCTA you need to go fix that in Octa okay so it's octo expensive this is the the the fre tier version we are trying to use obviously I think the paid version I've not used it but you can also check okay okay let's go ahead we can take the questions at the end okay where did we stop good so we created um rule that said we should push users that have um string called a ram AWS in here to to to to AWS to Identity Center so let's create a group with that with that match that meets those criteria so if you go back to go to just like we created the AWS users let's create let's go to add groups and we want to call the group real AWS fups users for example so Financial guys this is the group they going to use then we you can give it a um descriptions called cross account Financial operations so this is how you actually group things in your environmental the things look easier but in the context of why working it makes sense because if you remember we were using anyway let's talk about this in the book and the after the after the so we'll put in the description then we click on save so we'll create a group called REM AWS finops users if you refresh you should be able 
whatever description cross account Financial operation users this is what we have here it's in the it's in the run you can just copy and paste I could also put it in the chat if you want so most descriptions are op unated you're describing it in a way that when you see it you know where is my chat window you know what we're talking about you click on save so if you refresh you should be able to see the the the group we just created I expect you now to go back to um uh if you go to push groups if you go to push group so if you go to application the application which we integrated so go back to application and the AWS application so push groups go to push group we should be able to see the group here because of the matching strings go to push groups you're under assignments go to push groups where's my pen push groups so now you can see that a group The REM AWS SP UPS is here and it is active because it matches the rule which we created does it make sense yeah it's an Octor in both of them so this group now should also be in identity Center so if you go to Identity Center in the groups in identity Center in I am in I am identi Center you should see a group there called fups something something yeah this is so that is what this is what this is what happens it is right there I already saw it right there good yeah so now so sir the the realm that you are pending before the the name of the groups is that in this case it makes makes it's just um a name it doesn't the REM here doesn't doesn't have any technical significance significance that's why I asked if somebody has used key clo because this word REM in KY clo means something else key clo spell that please key cloak c l o a k so that's also another IDP too okay okay I have a custo couple of customers using that okay and key cloak is good because you can deploy key cloak with microservices that's why I've worked with it a lot because most you can deploy key cloak using containers and putting yours clust and stuff like 
that but forget about that let's go ahead so now we have our group in in in AWS so we want to create permission sets so that users in this group will be able to after authentication have the necessary AWS permissions to do whatever they need to do in in AWS so we go to permission sets just like we did last week create permission sets I will send you guys um another copy of this run book immediately after the chat I noticed that there are some things which so create permission set so we let's use the predefined permission set and we take take the a manage perm policy billing so create permission set we did this last week right ma W class yes good so we want to scroll down and select billing next next then we click on create so these are the different PR permission sets that was set up when we set up our Landing zone so you can also create custom permission sets I think we we tried that last week so once we create our permission set we have to assign the permission set to groups or to users and to an account so you go to the a account so under multi account permissions go to accounts where is my pen so um in an organization where is our bills where our bill is going to be management pardon management account good so let's select the management account because if you remember we saying that those guys should have access to billing so we have to take the management account so if you want to give them access to specific account to any other account you will go into the organization and you select the account that they should have access to so for this case our management account you click go to groups so assign users or groups top right let's check the group that we want them to have access to this so the group that is coming from OCTA look for it Ram AWS something you check that is it right there so check next next then you submit wait wait wait next we don't have to you have to you have to check check the billing exactly you have to check billing so that the billing 
permission set is passed to that account because you have to tie a permission set to a specific account so creating the permission set is one thing telling tying that permission set because it's just like I am policy you create the IM am policy then you can then attach the IM am policies to different users does it make sense the analogy so we creating a permission set for control tower Iden Center you're creating a permission set then you need to tell that you need to tie that permission set to a specific account so that those that access that account and have those permission sets can use them in those accounts so you check billing you click on next and uh yes the users and groups REM AWS fops yes the permission said billing and you click on submit so now we've created a group in octal created the authorization for that group in the AWS so now there should be authentication and authorization no authentication and authoriz link authentication and authorization setup so now now we need to create a user because after everything is just a group we need to put users in the group so let's go back to octar and create a user that would aate that would authenticate into AWS and use a permissions from the permission set we just created so you go back to the octar portal go back to people add persons this this looks different I hope I sent you guys the updated run book so we need um a user email so you can use one of your Gmail's Gmail account so um what is it Mao Gmail you can use a dynamic uh thing okay so only Ma at only ma plus plus something at gmail.com only Ma plus OCTA or whatever at gmail.com and groups we need to put this user in the phobs group so just search for phobs or Ram AWS I think is how we called it so we'll put the user in the finops group select the group yes and we want to activate now and we want to also set a password so check the set password set our set password so you give the password and name so this is the password that this user so in this case 
you're adding a user to your octal then you want that user to be able to lock in so you give it the password for the user but you're also telling the user that user will change the password in the first login that's what that check mark does then we save so quick question yes that email was that how that that email was it just is that a fictitious email or a real email no it's a real email remember this are the dyamic email so it's going to push um whatever notification to the yes oh yes oh yes you remember yes certainly yes good the reason I was saying I was wondering who the de or was that just another name that you picked up from the from the group oh yes yes one of us okay that's fine thanks what do you mean boy I'm not seeing what you're talking about about the user oh okay that's his username and um uh first name and last name this is going to be displayed in Octa and in AWS okay yes I recognize that name so I want to know it from good so um let's see aome good once we save we want to be able to assign the application again to this user remember we the first time was to the uh group so let's go back to those people so click on the person which we just created so that is it right here the new person you just created I hopefully I pronounced that right then we assign applications assign applications you select the application which we integrated in Octa scroll down if everything is default you can check the different features that are there save and go back then you click onone and this user should be able to have the application and also belong to a group so just click on people so we see that everything looks good select the select the user itself click on the user good so now we can test yes you said that the user will be assigned to a group which group is it the finance group or yes the fin UPS group right here we already assigned it to the real AWS fups Group which we created okay M so go back to Iden Center and let's see I expect to see this group which 
this user which you created in your users yeah is there good so this is what happen so now when everybody joins your company they just put them in their main IDP if we want that user to be talking to AWS then we just put the user in the AWS Related Group and that user is also duplicated in uh identity Center then that user can lock into AWS because in the fin UPS group that was created in AWS we also attach a permission set to it and attach it to an account then that user can talk to that account using that permission set does it make sense does the flow make sense yes great so now we are able one that's not clear is where you now have to attach an application where does that come coming you said that was the last thing we did I know user into two groups and then of course uh uh the application part what does that sign what does that do so that the user can actually be able to loog in and use Iden Center you need to always put um attach the user to this Iden Center remember we said that you can attach applications at the level of group and at the level of users you remember the first we created a group called AWS users and they I was showing you how to attach to assign those applications to the other level of the group but if you remember when we created the finops we did not assign the application to the finops group but we have assigned it to the finops user oh you can do that at different levels does it make sense yeah that's why I got a little confused all right so now let's log into the AWS portal using the our octal user so go back to Identity Center in dashboard you should be able to see your Port down go to dashboard no go to dashboards and um access portter URL so this is your where is my pen good yes you access portter URL n Go back to go to incognito because in this browser you already lock in as um uh so go to inconito what what are you using Windows yeah okay I don't know the command yeah click yeah click on that three yeah right yeah that's it one 
incog to window put in the portal then we need to log in as our octar user hopefully we did everything right so you see here it's redirecting you to OCTA did you see that a it was saying it there redirecting redirecting you to the identity provider so now it has taken you to OCTA now you need to log in as the user in Octa and if everything is good then you send back to AWS username is um what the user you created the email Mao plus something something that's the user whe you created the password you're creating that user and you check checked the box for the user to change the password so here it's going to tell you that that password is not working you need to set a new password so it's email address to sign bu you is set up on authenticator set up your auen so you set up your new password yeah so now you need to set up authenticator so set up octav verify so just go back go to your Google or to your Android and look for the app called octav verify so um Prof yes so it's asking us for verify even though we we kind of didn't check the box yeah I think uh some of the user this user that you're creating some of the default settings override I don't um need to check okay but just set up the OCTA verify then you should be able to lock us in so this will be using Google Authenticator right not opy no OCTA verify there is an application called OCTA verify in your Play Store look for it that download OCTA verified then you add um this account to it not not Google Authenticator OCTA uses his own MFA app okay are we good could we have used QR code sir could we have used that QR code in our pH yes you use you use the QR code because just like Google Authenticator you have the option to scan the ql so that everything is added to the U right OCTA verify also has that and if you're using OCTA verify you also see that there's an option for you to set set up face ID so if you want that at some point if you want to get your MFA code person needs to not just know your password to 
your phone but also have your face sometimes if you if you have makeup so now you can see that we have access to the account because this the only account that if you remember when we setting the permission sets we added that permission set to this account so we and we Al see the permission set which we had here so billing so the person would also will have access to our billing so you can click in and you now lock into our management account and you can see billing information you should not be able to see do anything in ec2 because the permission s did not say anything about ec2 so click on billing then they should lock you into the account interesting so you're authenticated and authorized so now this is the authorization the o o thing at the end that was the what is it authentication MH so now the billing is the authorization so you can see some information here so we're good I think that's the end of the demo I one it's good pardon no I was just actually acknowledging that it was uh the end of the the class good so um this is really important I would strongly encourage you all to to do this and master it and have it like a story in your setup because trust me most environments I would say 80 90 environments that are using when anyway that in my experience that are using AWS they are not very good with governance they are not they don't have controls they don't have control tow set up they don't have security Hub set up they don't have all those guard rid set up and if you're selling yourself to an environment and you tell them that oh when I come in I can security is a big deal right you've been able to set set up set up this governance in place you set up set up this config rules in place and all this alerting tells you when something is going wrong whoever is doing something wrong you've been able to kill because if you have this and you go into an environment and they have this and I've actually seen a customer that is having that had this and also have I 
am users so once you go this you clean up you set this you integrate this to whatever IDP they using then you can remove all those IM am users AWS right now now recommends using identity Center users than I am users wow so you can you can clean clean up and so that you can manage all this thing and I think that's a big plus if people know that they can I hire this guy can hit the ground running and imp uh improve our security posture can I ask for can I ask for a favor sir sure can you give us a run book for um active directory as well so that that in our priv I will I will prepare that thank you good