Design an automated deployment pipeline for deploying ECS microservices for a multi-tenant platform. The services are built using Java, Python and NodeJS.

The following pipeline represents a simple web application deployment process.

• User pushes the code or commits a change to GitHub.

• Jenkins checks for any new changes on GitHub.
• If Jenkins finds changes, it will fetch the code from Github and will map with the job enabled for a specific task. DevOps can also trigger the respective Job manually in Jenkins.
• Jenkins clones all the files from the GitHub repository to the Jenkins server workspace directory.

• Build using Maven and create a Docker Image.

• Publish to a DockerHub repository.

• Once, image is successfully pushed to DockerHub, Jenkins will then stop the equivalent ECS task in AWS.
• As a result, the existing task will be stopped, resulting in spinning up of a new task.
• The New ECS task will pull a fresh image from DockerHub and deploy it in ECS Fargate.

• We can check the Target Group health checks to verify if the service deployment is successful or not.

Customer based in India wanted to conduct a cost optimization exercise for their Cloud deployments

• Complicated and multifaceted pricing structures
• High costs
• Continuous modifications to cloud offerings
• Excessive alternative architectures
• Lack of coherence across cloud platforms

• Evaluation: Go with a perfect cloud strategy for efficient cost evaluation
• Billing model: Compare, assess and determine vendors by region and service-specific costs
• Monitoring: Continuous monitoring is key to understanding infrastructure usage

Identify resources that are idle, orphaned and overprovisioned, along with reserved instances. These can be unused machine images, load balancers, unassociated IPs, unused data volumes, among others

• Identify resources
• Make resources visible
• Whitelist resources
• Schedule repeating instances
• Storage management
• Plan budgets
• Plan region-wise pricing

Implement infrastructure and application monitoring for India based customer on running systems on AWS

We made a checklist of all the Infra components and applications that need to be monitored. For each, we recommended the most appropriate and cost effective tool for monitoring the specific services. We finally used multiple tools.

We are using Cloudwatch for all the basic logging and monitoring for the AWS cloud. CloudWatch is good for gaining a quick overview of the status of AWS workloads. But it’s rarely sufficient for a complete log analytics and cloud monitoring strategy. To achieve the latter, we use Cloudwatch as the datasource for other tools (listed below) that offer features like multi cloud support, sophisticated alert configuration, storage flexibility and more.

We used it to monitor AWS lambda & debug Lambda timeouts.

Grafana Cloud is a cloud-based app for Grafana. We use this to monitor a wide range of AWS services such as EC2, ECS, Lambda, S3 etc.

It's a time-series database. InfluxData helps to get a wide range of data (metrics, events, and time series). InfluxDB can then be used as a datasource for tools like grafana for visual representation of all the metrics. We created Grafana Dashboards with InfluxDB.

With the growth in technology, there is always a threat to security breaches. These include components such as:

• Network, infra & security structure
• Storage & servers
• User & role management
• Business applications
• Operating systems
• Databases
• Compliance with the Information Security Policy
• Configuration of various other components, SSL, backups, patching etc.

We are using Google Workspace for email/chat communication, business applications, storages and SSO integration with AWS. It makes working together a lot easier.

• Add users, manage devices, and configure security and settings.

• The centralized administration makes setup and management fast and easy. We have used 2-step verification for security.

• We have used endpoint management to distribute apps on mobile devices, check usage, manage security settings and limit access on any endpoint.

Windows Active Directory is also used for local infra/servers user management, set up of group user and device policies.

We are following below options to manage users within Active Directory:

• Account Disabling: To disable a user account we set the 'AccountDisabled' property to 'True' in the User Management interface.
• Account Expiration: We set the account 'Expiration Date' property to the desired date value to set an expiration date to an account.
• Account Lockout: An account lockout is set if the number of failed logon attempts exceeds.
• User Cannot Change Password: Administrator decides if they will allow the user to have the ability to change their own password.

We are using Google Storage and S3 for backups. We keep scripts in place for daily and weekly backups. Lifecycle policies are also in place.

When there is a violation of the security policy. Example:

• Violation of a documented procedure by an associate
• Virus attack
• Loss of service

All such security incidents are logged into the Services Tracker. These will be escalated to the Security Team who will assign appropriate resources to do a Root Cause Analysis and take remedial action as needed. A security incident can lead to disciplinary action against an employee in which case the HR team will be informed.

Regular internal audits are carried out by the security team at a bi-annual frequency. Purpose of the audit is to Monitor all security measures to ensure conformance with organization policies.