Category: Case Studies

CloudWatch Alarms for BCCI Account
• To enhance infrastructure monitoring and ensure proactive management of the BCCI account, we have implemented a comprehensive set of CloudWatch alarms. These alarms are designed to alert the team to critical changes in various metrics, helping to maintain optimal performance and quickly address any issues.

Instance Health and Performance:
• For CPU utilization, alarms were configured with thresholds at different levels for various servers: one alarm was set to trigger at greater than 90%, another at greater than 80%, and a third at 50%. This tiered approach allows for proactive management of server load and helps prevent potential performance degradation.
• Memory utilization alarms were established with thresholds at greater than 90% and greater than 80%. These alarms enable timely identification and resolution of memory-related issues, ensuring smooth operation of applications and services.
• To monitor disk space, root disk utilization alarms were set with thresholds at greater than 90% and greater than 80%. This ensures that disk usage is kept in check, preventing storage-related disruptions.
• Additionally, alarms for HTTP errors were configured to monitor the health of web services. An alarm was set for 4XX errors with a threshold of 50 errors, and another for 5XX errors with a threshold of 10 errors. These alarms help quickly identify and address client-side and server-side issues, respectively, maintaining a high level of service availability and user satisfaction.
• Email notifications for IN10 Media BCCI’s pipeline actions and stages, ensuring that all critical events are promptly communicated via AWS SNS (Simple Notification Service) by email. The notifications cover various aspects of pipeline execution, including: Succeeded, Failed, canceled, Approved etc. These notifications ensure that IN10 Media BCCI’s team stays informed about the status of their CI/CD pipelines, enabling them to take prompt action when necessary to maintain seamless and efficient operations.
• We have developed a series of CloudWatch dashboards specifically designed for our customer, BCCI, to enhance their infrastructure monitoring capabilities. These dashboards provide comprehensive insights into various aspects of their system, enabling them to maintain optimal performance and quickly address any issues that arise. Below is a summary of the dashboards we have created for BCCI:

• BCCI-PreProd-Dashboard: Monitors the pre-production environment, providing visibility into the system’s health and performance before any changes are deployed to the production environment.
• BCCI-PROD: Focuses on the production environment, offering real-time monitoring and alerting to ensure the live system runs smoothly.
• BCCI-Prod-Dashboard: Another key dashboard for the production environment, providing detailed metrics and visualization to help in analyzing the production system’s performance.
• EC2-Uptime: Tracks the uptime and availability of EC2 instances, ensuring that the virtual servers are operational and performing as expected.
• IN10Media-Cloudwatch-Dashboard: Custom dashboard tailored for the IN10Media service, offering monitoring and insights relevant to its specific infrastructure needs.
• IPL-CloudWatch-Dashboard: Designed for the IPL infrastructure, this dashboard helps in monitoring the various components and services associated with the IPL operations.
• IPL-POLLS: Provides monitoring for polling services related to IPL, offering insights into their performance and reliability.
• IPL-PROD: Focuses on the IPL production environment, ensuring that all live services are running smoothly and providing real-time performance metrics.
• IPL-PreProd-Dashboard: Monitors the IPL pre-production environment, giving visibility into system performance and stability before changes are rolled out to production.

These dashboards are accessible via the shared link: CloudWatch Dashboards for BCCI, where you can view and interact with them to gain detailed insights into the performance and health of AWS infrastructure.

1.IAM Role Configuration

• Galaxy used AWS Identity and Access Management (IAM) to create granular roles and policies, specifying who could access the CodeCommit repositories and what actions they were authorized to perform. This included:

• Least Privilege Principle: Each role was configured to have the minimum necessary permissions, reducing potential security risks.

• Role-Based Access Control (RBAC): Roles were assigned based on team function, ensuring developers, testers, and admins had appropriate access levels.

2.Encryption at Rest and in Transit

To protect the code from unauthorized access, Galaxy implemented:

•Encryption at Rest: Utilizing AWS Key Management Service (KMS), all data stored in CodeCommit was encrypted using customer-managed keys, providing an additional layer of security and control.

•Encryption in Transit: All data transmitted to and from AWS CodeCommit was encrypted using TLS (Transport Layer Security), safeguarding data as it moved across networks.

•Multi-Factor Authentication (MFA): Galaxy enforced Multi-Factor Authentication for all users accessing the CodeCommit repositories. This practice added an extra verification step to prevent unauthorized access, particularly important when dealing with sensitive or critical project data.

3.Regular Audits and Monitoring

•CloudTrail Integration: AWS CloudTrail was enabled to log all activity in CodeCommit, including detailed information about API calls. This allowed for continuous monitoring and auditing of repository access and changes.

•Real-Time Alerts: Using Amazon CloudWatch and Zabbix , Galaxy set up alerts for any unusual or unauthorized access patterns, such as access at odd hours or rapid changes in repository contents.

• Data Volume: Initial audits showed 20 TB of data, predominantly consisting of large media files and application data.
• Performance Requirements: The existing system experienced access delays (15-20 minutes for large data batches), which needed significant improvement.
• Cost Structure: Ongoing maintenance and hardware costs were escalating, necessitating a more cost-efficient solution.
• EFS Configuration: Chose the General Purpose performance mode and the bursting throughput mode to optimize for the company’s workload, which involves frequent access to media files.
• Network Design: Established a secure AWS Site-to-Site VPN connection between the on-premises data center and AWS to ensure secure data transfer.
• VPN Setup: Configured the AWS Site-to-Site VPN for a secure and reliable connection to facilitate the data transfer.
• Secure Access: Use Systems Manager Session Manager for secure, encrypted shell access to EC2 instances, eliminating the need for managing SSH keys.
• Data Integrity Checks: Conducted comprehensive tests to ensure data integrity and completeness post-migration.

• Galaxy Team conducted a thorough assessment of EXFO’s IT environment, storage requirements, and performance needs.
• Based on the findings, Galaxy Team proposed a migration plan to move EXFO’s critical data and applications to EBS volumes, optimized for their specific workload demands.
• Galaxy Team experienced engineers seamlessly migrated EXFO’s data to EBS, minimizing downtime and disruption to their operations.