Finally, let's cover the two most distinctive pillars, cost optimization and security.

The cost optimization pillar is the ability to run systems cost efficiently, as you might imagine. This is an important part of AWS and greater Amazon culture where one of our 16 leadership principles is frugality. This is the reason we usually do not develop luxury items like Apple. Instead, we focus on building services that anyone from a one-person startup to a college student to the 10 largest companies in the world can use. And we build those services in such a way that all of those customer personas can still save money using our services compared to building a separate version by themselves. This cost optimization pillar has five design principles.

One, implement Cloud Financial Management. Cloud Financial Management is the combination of AWS services, programs, resources, and processes that allow you to become cost efficient. As we covered in the previous course, AWS cost management services include the AWS Pricing Calculator, Cost Explorer, and Cost and Usage Reports [and Budgets!].

Two, adopt a consumption model. This is one of the six benefits of cloud computing. A consumption model is the same thing as "pay as you go" or "pay for what you need" pricing. When you stop consuming resources by stopping or terminating AWS instances, you no longer get billed. This is the opposite of the forecasted model. In the forecasted model, you're trying to predict future usage needs based on past usage, and to use those predictions to build out your datacenter and buy software licenses.

Three, measure overall efficiency. This is the same thing as having key performance indicators, abbreviated KPIs, for your business. KPIs measure your business's overall performance. You should measure your cloud spend against your KPIs to make cost decisions in the context of your business value.
Otherwise you'd be making those cost decisions in a vacuum by looking at your AWS bill and randomly thinking whether your spending today is too much or too little. Instead, you should look at how your cloud spending changes are affecting how well your business performs. So, some increases in cloud spend are acceptable if they create much larger increases to your KPIs.

Four, stop spending money on undifferentiated heavy lifting. This is another one of the six benefits of cloud computing and the focus of our Airbnb case study and our literature review. If you and your business are maintaining on-premises data centers, you should use AWS because you are spending money on maintaining your own data centers instead of growing your business. Meanwhile, competitors on AWS will be more agile than you.

Five, analyze and attribute expenditure. Using AWS cost management tools and particularly AWS Cost Explorer tags, you can tag different resources "finance department," "marketing department," and so on. These tags allow you to attribute cost to the people and departments creating those costs on AWS. If those costs are unusual, you can follow up with the right people. This visibility and accountability help create a feedback loop that you need to perfect your cost optimization strategies.

The security pillar encompasses the ability to use cloud technologies to improve your security. The security pillar has seven design principles.

One, implement a strong identity foundation. This means you grant least privilege, enforce separation of duties, centralize identity management, and require multi-factor authentication. For example, if you run a startup, you don't want one guy with access to everything because he might take everything down or steal it. Always think about how the AWS Shared Responsibility Model relates to your team and business.

Two, enable traceability. This means you monitor, alert, and audit actions and changes to your environment in real time.
You can use AWS governance services like CloudWatch, CloudTrail, and Config along with AWS security services to do all of these things.

Three, apply security at all layers. This means you apply a defense in depth approach to your network. Examples include using NACLs on your subnets and using security groups for every instance of your AWS services. You also want to make sure you're current on patching your applications and operating systems.

Four, automate security best practices. Again, you can use many AWS security and governance services rather than trying to ensure the security of your data on AWS by yourself.

Five, protect data in transit and at rest. You can use Macie to automatically classify your data into sensitivity levels, then apply mechanisms such as encryption and access control so that only authorized people are able to view the sensitive data.

Six, keep people away from data. Generally, you don't want to leave your laptop open and unattended in a public place. You should carry that same sensibility with you to resources on the cloud. Make sure that your users and customers have access to only the data that they need.

Finally, seven, prepare for security events. One of the best practices here is to stage a mock IT incident on a Friday night. Pretend that your servers went down due to ransomware and they're now encrypted. How long does it take to restore from your backups? Who do you need to call and page from your organization's leadership and its various teams to perform this work? Does your company's lawyer know who to call in law enforcement and what to say to them? What about the regulators? Does your company's public relations leader know what statement to issue and what to say in response to the press? In an exercise like this, you typically work into the weekend with experienced consultants observing your work. On Sunday, all of you will conduct a debrief with lessons learned.
The more that you and your IT colleagues can prepare other leaders in your organization for an incident like this, the more you demonstrate your value to your overall organization and the more you improve its security.