- Overview
- How to Use Terraform
- How to use AWS without Terraform
- Deployment Plan
- Miscellaneous Information
- Questions and Concerns
- How can we improve on this?
Overview
The Guix project maintains an Amazon Web Services (AWS) account to provide a Content Distribution Network (CDN) for the berlin build farm. Our CDN is built using Amazon CloudFront.
We practice "Infrastructure as Code". Nearly all aspects of our AWS account are managed via Terraform. The "terraform" directory contains the Terraform configuration files that define our CDN's infrastructure. The few aspects of our AWS account which were not configured via Terraform are called out clearly either here in this README.org file or in the Terraform configuration files.
If you're new to Terraform, consider reading Terraform's official "Getting Started" guide first to get the basic idea. After that, read the "How to Use Terraform" section below to see how we use Terraform in practice. Once you're familiar with Terraform, hopefully you'll be able to understand the terraform/main.tf file. This file is the starting point of our infrastructure configuration. It's well documented. Try reading it and following the links if you need more information.
If you're new to AWS, that's not a problem. There's a ton of information available about AWS and its web services, so the best way to learn about them is to look up information as you need it. If you try to understand all of AWS up front - even just the services that Guix uses to build its CDN - it might be frustrating and unproductive.
By practicing Infrastructure as Code using Terraform and AWS, anyone can easily create a similar CDN in their own AWS account by following the instructions here. If you are doing that, you will probably need to customize a few things (e.g., you will probably have a different list of administrators), but it should be far easier to set things up by re-using this configuration than by starting from nothing.
How to Use Terraform
Prerequisites
To get started with managing Guix's AWS infrastructure using Terraform, you first need to do the following:
- Have a Guix project administrator create an IAM user for you and provide you with (1) the user's access keys for programmatic access to AWS and (2) the user's login password if you need to log into the AWS Management Console.
- Store the access keys in ~/.aws/credentials (or somewhere else if you prefer a non-default location). See the comments in terraform/main.tf for details about this, including an example.
- Install Terraform. Currently, it isn't packaged by Guix, but you can download a pre-built, stand-alone release binary from the Terraform website, or you can build it yourself manually.
Once you've done all those things, you can try running Terraform.
Running Terraform
Generally speaking, you always run the terraform command from the directory containing the terraform configuration (e.g., main.tf). You also need to set the AWS_PROFILE environment variable (see the comments in main.tf for details). In the commands below, we've omitted the AWS_PROFILE environment variable for brevity.
First, you must perform this initial one-time setup:
- "terraform init": to set things up and install the AWS provider if you don't have it already.
After that, the most common commands you will run will be:
- "terraform plan": to show the actions Terraform would take, without storing a new state in the backend.
- "terraform apply": to show the actions Terraform will take, and then take them if you say "yes" at the prompt. Stores a new state in the backend when you say "yes".
- "terraform show": to display information about the state. In particular, this prints out information such as the output from the last run, which can be useful.
A "backend" is the place where Terraform stores its state, which describes the current state of the infrastructure under management. We use the S3 backend with locking enabled, so that multiple project administrators can simultaneously manage the infrastructure from multiple computers without stepping on each other's toes. See the next section, titled "Notes about Terraform's S3 Backend," for more information.
You may notice that when creating or updating a CloudFront distribution, "terraform apply" will finish quickly. However, it seems this is an asynchronous operation, so the distribution may not return to the "Deployed" state for many minutes. To check on its progress, you can simply run "terraform apply" repeatedly (maybe saying "no" at the prompt if it doesn't exit immediately with a message saying there are no proposed changes), and eventually the distribution should arrive at the desired end state.
Examples for Specific Use Cases
Add an administrator
Suppose you want to give Alice administrative access to Guix's AWS Account. Here is the recommended way to do that:
- Obtain a copy of Alice's public PGP key. This will be used to encrypt her credentials so that you can send them to her securely.
- Optionally, strip the signatures from the PGP key, as described in the section "How to import keys without all the signatures" farther down in this document. This just makes it smaller.
- Add a new entry for Alice's PGP key to terraform/variables.tf, of the same form as the others.
- Add a new IAM user for Alice to terraform/iam.tf. You can just copy and modify the "resource" and "output" blocks from an existing administrator user.
- Add Alice's IAM user to the "administrators" IAM group by adding an entry for the user in the "administrators-membership" resource (also in terraform/iam.tf).
- Run "AWS_PROFILE=guix terraform apply" to see what will change.
- To actually make the changes, enter "yes" at the Terraform prompt. You will see output like the following:
alice-access-key-1-id = AKIA...
alice-access-key-1-secret = wcBM...
alice-name = alice
alice-password = wcBMA...
- Send that output to Alice. Explain to her that the "id" is her IAM user's AWS Access Key ID, the "secret" is her IAM user's AWS Secret Access Key, the "name" is her IAM user's username, and the "password" is the password that she will use when logging into the AWS Management Console as her IAM user. The secret and the password are encrypted with her PGP key and base64 encoded, so to use them she must first decrypt them - for example, like this:
echo "$the_secret" | base64 --decode | gpg --decrypt
Once Alice has obtained her access key, she can use Terraform, the AWS CLI, and any other normal mechanism for interacting with AWS. She can also log into the AWS Management Console with her password (see the section titled "IAM Login URL" elsewhere in this document).
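The configuration that the steps above describe, as an added example written for this README in Terraform 0.11 syntax (it is not the project's own iam.tf or variables.tf): the variable name pgp_keys, the managed-policy attachment and the user name "alice" are assumptions.

```hcl
# Assumed: variables.tf holds base64-encoded PGP public keys in a map keyed
# by user name (the project's real variable name is not shown on this page).
variable "pgp_keys" {
  type = "map"

  default = {
    # Constructed placeholder; paste the output of strip_sigs here.
    alice = "REPLACE_WITH_BASE64_PGP_PUBLIC_KEY"
  }
}

resource "aws_iam_group" "administrators" {
  name = "administrators"
}

# Administrators may do anything in the account.
resource "aws_iam_group_policy_attachment" "administrators" {
  group      = "${aws_iam_group.administrators.name}"
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_user" "alice" {
  name = "alice"
}

# With pgp_key set, the secret access key only ever leaves AWS encrypted to
# Alice's key: the Terraform state and the apply output hold the ciphertext
# (encrypted_secret), never the plaintext secret.
resource "aws_iam_access_key" "alice" {
  user    = "${aws_iam_user.alice.name}"
  pgp_key = "${var.pgp_keys["alice"]}"
}

# Same idea for the console password; Alice must change it on first login.
resource "aws_iam_user_login_profile" "alice" {
  user                    = "${aws_iam_user.alice.name}"
  pgp_key                 = "${var.pgp_keys["alice"]}"
  password_reset_required = true
}

# Adding a user to this list grants access; removing it (or deleting the
# user's resources above) revokes it on the next "terraform apply".
resource "aws_iam_group_membership" "administrators-membership" {
  name  = "administrators-membership"
  group = "${aws_iam_group.administrators.name}"
  users = ["${aws_iam_user.alice.name}"]
}

# These outputs are what "terraform apply" prints at the end of the run.
# The two encrypted values are base64 of OpenPGP ciphertext, hence
# "base64 --decode | gpg --decrypt" on Alice's side.
output "alice-name" {
  value = "${aws_iam_user.alice.name}"
}

output "alice-access-key-1-id" {
  value = "${aws_iam_access_key.alice.id}"
}

output "alice-access-key-1-secret" {
  value = "${aws_iam_access_key.alice.encrypted_secret}"
}

output "alice-password" {
  value = "${aws_iam_user_login_profile.alice.encrypted_password}"
}
```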
Remove an administrator
To revoke Alice's access by deleting her IAM user, just delete the configuration for her user that you added above, and then run "AWS_PROFILE=guix terraform apply". When you say "yes" to the prompt, it will delete Alice's IAM user, and Alice will no longer be able to use her access key or password.
Update the CloudFront distribution
Make a change to the configuration in terraform/cloudfront.tf. Then run "AWS_PROFILE=guix terraform apply" and say "yes" at the prompt. Terraform will make the changes.
It might take a while (minutes) for the update to actually complete, even though the terraform command might exit quickly. In this case, you can run "terraform apply" or "terraform plan" multiple times to check on the distribution's status.
Subscribe to receive billing alerts
In AWS, usually an alarm works like this. When a CloudWatch metric, such as "total estimated charges for the month", exceeds an alarm threshold, CloudWatch will send a message to a Simple Notification Service (SNS) topic. To receive the message, you must be subscribed to the topic.
Terraform doesn't manage email subscriptions to SNS topics. Therefore, if you want to receive an alert via email, you must manually subscribe to the topic. The simplest way to do that is via the AWS Management Console, but it is probably possible to do it with the AWS CLI, also. Read here for details:
https://www.terraform.io/docs/providers/aws/r/sns_topic_subscription.html
https://docs.aws.amazon.com/sns/latest/dg/sns-getting-started.html#SubscribeTopic
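An alarm and topic of the kind described above, as an added example in Terraform 0.11 syntax (not the project's own configuration): the resource names and the threshold variable are assumptions.

```hcl
# The AWS/Billing metrics exist only in us-east-1, and only after "Receive
# Billing Alerts" has been switched on in the account's billing preferences
# (a one-time step done in the console, outside Terraform).
provider "aws" {
  region = "us-east-1"
}

# Constructed default; pick whatever monthly amount should trigger an alert.
variable "billing_alarm_threshold_usd" {
  default = 10
}

resource "aws_sns_topic" "billing-alerts" {
  name = "billing-alerts"
}

# Fires when the month-to-date estimated bill crosses the threshold. AWS
# updates EstimatedCharges roughly every six hours, so the period is 21600
# seconds with a single evaluation period, matching get_estimated_charges.
resource "aws_cloudwatch_metric_alarm" "estimated-charges" {
  alarm_name          = "estimated-charges-over-threshold"
  namespace           = "AWS/Billing"
  metric_name         = "EstimatedCharges"
  statistic           = "Maximum"
  period              = 21600
  evaluation_periods  = 1
  comparison_operator = "GreaterThanThreshold"
  threshold           = "${var.billing_alarm_threshold_usd}"

  # A fresh account has no datapoints yet; do not alarm on that.
  treat_missing_data = "notBreaching"

  dimensions = {
    Currency = "USD"
  }

  alarm_actions = ["${aws_sns_topic.billing-alerts.arn}"]
  ok_actions    = ["${aws_sns_topic.billing-alerts.arn}"]
}

# Needed by whoever subscribes by hand (see the note above).
output "billing-alerts-topic-arn" {
  value = "${aws_sns_topic.billing-alerts.arn}"
}
```

The provider's aws_sns_topic_subscription resource does not support the email protocol (it needs a confirmation click), so after "terraform apply" subscribe with `aws sns subscribe --topic-arn "$(terraform output billing-alerts-topic-arn)" --protocol email --notification-endpoint you@example.org` and confirm the message AWS sends.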
Evict objects from CloudFront's cache
Sometimes, you might want to evict cached responses from the CloudFront distribution. CloudFront refers to this process as "invalidation". For details, see here:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Invalidation.html
Note that invalidation costs an additional amount of money, but it is negligible if you are only doing a few invalidation requests. Notably, "the charge to submit an invalidation path is the same regardless of the number of files you're invalidating" - this means you can invalidate everything if you want, and it will cost basically nothing:
https://aws.amazon.com/cloudfront/pricing/
Here is an example that invalidates all cached objects for a distribution with ID E2LCS83UL0PPNA (change the ID and paths as needed):
[0] marusich@garuda.local:~ $ AWS_DEFAULT_REGION=us-east-1 AWS_PROFILE=guix aws cloudfront create-invalidation --distribution-id E2LCS83UL0PPNA --paths '/*'
{
    "Location": "https://cloudfront.amazonaws.com/2017-03-25/distribution/E2LCS83UL0PPNA/invalidation/I2PCH5JZ52HUX7",
    "Invalidation": {
        "Id": "I2PCH5JZ52HUX7",
        "Status": "InProgress",
        "CreateTime": "2018-12-28T02:43:51.326Z",
        "InvalidationBatch": {
            "Paths": {
                "Quantity": 1,
                "Items": [
                    "/*"
                ]
            },
            "CallerReference": "cli-1545965030-886799"
        }
    }
}
[0] marusich@garuda.local:~ $
You can also check on the invalidation status like so:
[0] marusich@garuda.local:~ $ AWS_DEFAULT_REGION=us-east-1 AWS_PROFILE=guix aws cloudfront get-invalidation --id I2PCH5JZ52HUX7 --distribution-id E2LCS83UL0PPNA
{
    "Invalidation": {
        "Id": "I2PCH5JZ52HUX7",
        "Status": "Completed",
        "CreateTime": "2018-12-28T02:43:51.326Z",
        "InvalidationBatch": {
            "Paths": {
                "Quantity": 1,
                "Items": [
                    "/*"
                ]
            },
            "CallerReference": "cli-1545965030-886799"
        }
    }
}
[0] marusich@garuda.local:~ $
See the following for details:
https://docs.aws.amazon.com/cli/latest/reference/cloudfront/create-invalidation.html
https://docs.aws.amazon.com/cli/latest/reference/cloudfront/get-invalidation.html
View estimated charges without using the AWS Management Console
Define a function like this:
# This metric is only available in the us-east-1 region. We use the
# "--iso-8601=seconds" option because that format is always suitable
# for input to the "-d" option. But note that the AWS CLI seems to
# expect a "Z" at the end of its timestamps. To see more data, try
# changing "$now - 6 hours" to something else, like "$now - 3 days".
get_estimated_charges() {
    local now="$(date -u --iso-8601=seconds)"
    AWS_DEFAULT_REGION=us-east-1 aws cloudwatch get-metric-statistics \
        --namespace AWS/Billing \
        --metric-name EstimatedCharges \
        --statistics Maximum \
        --dimensions Name=Currency,Value=USD \
        --unit None \
        --period 21600 \
        --start-time "$(date -u -d "$now - 6 hours" '+%FT%TZ')" \
        --end-time "$(date -u -d "$now" '+%FT%TZ')"
}
Run it like this (assuming you're using a non-default AWS_PROFILE):
AWS_PROFILE=guix get_estimated_charges
Example output:
$ AWS_PROFILE=guix get_estimated_charges
{
    "Label": "EstimatedCharges",
    "Datapoints": [
        {
            "Timestamp": "2019-01-11T23:15:00Z",
            "Maximum": 0.0,
            "Unit": "None"
        }
    ]
}
How to use AWS without Terraform
Sometimes, it's useful to verify the result of Terraform's activities without using Terraform. There are at least two convenient ways to do that:
- Use the AWS CLI.
- Use the AWS Management Console.
When you need to check something without using Terraform, you should prefer to use the AWS CLI if possible because it's definitely free software. The AWS Management Console might contain some non-free JavaScript - I haven't looked closely enough at it to know for sure.
Using the AWS CLI
The AWS CLI is packaged in Guix. It's called "awscli". This tool lets you interact with the AWS services from your shell. Here's some documentation:
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html
https://docs.aws.amazon.com/cli/latest/index.html
It understands many (perhaps all?) of the same environment variables that the Terraform AWS provider understands.
Invoke it like this (customize the environment variables as needed):
[0] marusich@garuda.local:~ $ AWS_DEFAULT_REGION=us-east-1 AWS_PROFILE=guix aws iam list-users
{
    "Users": [
        {
            "Path": "/",
            "UserName": "civodul",
            "UserId": "AIDAJXYCBKCDPUFEJVA3K",
            "Arn": "arn:aws:iam::354378008360:user/civodul",
            "CreateDate": "2018-12-27T07:37:19Z"
        },
        {
            "Path": "/",
            "UserName": "marusich",
            "UserId": "AIDAJCXVTZTTRDUOTBAL2",
            "Arn": "arn:aws:iam::354378008360:user/marusich",
            "CreateDate": "2018-12-27T07:30:53Z",
            "PasswordLastUsed": "2018-12-28T01:36:32Z"
        },
        {
            "Path": "/",
            "UserName": "rekado",
            "UserId": "AIDAIZK2BC4U6R53UVING",
            "Arn": "arn:aws:iam::354378008360:user/rekado",
            "CreateDate": "2018-12-27T07:37:19Z"
        }
    ]
}
[0] marusich@garuda.local:~ $
IAM Login URL
Log into this URL with your IAM user name and password:
https://354378008360.signin.aws.amazon.com/console
Alternatively, you can use this friendlier URL:
Deployment Plan
DNS
For information about how Guix has configured its DNS, please contact one of the system administrators or guix-sysadmin@gnu.org.
For now, we plan to use ci.guix.info as the entry point into the CDN. Currently, ci.guix.info points to the berlin build farm. To integrate ci.guix.info with the CDN, we must change ci.guix.info to be a CNAME that points to the CloudFront distribution.
HTTPS (TLS)
Because ci.guix.info and berlin.guixsd.org currently allow both HTTP and HTTPS (i.e., HTTP over TLS), we will do the same for the CloudFront distribution. However, in the future, to protect the confidentiality of connections between clients and our build farm (or the CDN), we should stop serving requests over HTTP.
In addition, because we want to support HTTPS, we will need to arrange for a TLS certificate for ci.guix.info to be used with the CloudFront distribution. For details on how this is done with CloudFront, see:
As of 2019-01-08, we have provisioned the certificate, and it is being used by the CloudFront distribution.
Currently, the server behind berlin.guixsd.org (which currently, like ci.guix.info, is a single A record pointing to 141.80.181.40) returns a Let's Encrypt certificate with the following two Subject Alternative Names:
- berlin.guixsd.org
- ci.guix.info
You can see this by running:
echo -n | openssl s_client -connect ci.guix.info:443 -servername ci.guix.info | openssl x509 -noout -text
We are not going to re-use this certificate. Instead, we are going to provision a new certificate using Amazon Certificate Manager (ACM). We will do this because if we use an ACM certificate, we gain the following benefits:
- ACM will automatically rotate our certificate.
- The ACM CA, like many CAs, is already trusted by Guix's client software and so requires no additional action for clients to use.
- By using ACM, we do not have to trust Amazon with the berlin.guixsd.org server's private key.
- Using ACM is a purely additive operation, so rollback is easy.
- This use of ACM incurs zero additional cost.
On the contrary, if we re-use berlin.guixsd.org's certificate, we must accept the following downsides:
- Certificate rotation must be done manually, or via a cron job of some kind that we would have to implement and maintain. Even if Let's Encrypt makes it easy to rotate the certificate, importing that certificate into AWS and using it with the CloudFront distribution will require additional steps.
- We must share the berlin.guixsd.org server's private key with AWS. If rolling back also means eliminating the risk introduced by sharing the private key, then rollback will also become more complicated.
We could provision a new Let's Encrypt certificate to make rollback easier, but we would still have to import it into Amazon ourselves and rotate it manually. It just makes more sense to use Amazon Certificate Manager for this test. Perhaps in the future, if we decide to stick with CloudFront for a long time, we will implement our own automatic rotation mechanism so that we can provision and manage our own certificate.
Finally, note that provisioning a certificate with ACM requires access to both the AWS account and the DNS provider account. This is because, as part of the certificate provisioning process, ACM requires us to demonstrate domain ownership. This can be done via email verification (in which ACM emails a bunch of admin addresses associated with the domain) or DNS record verification (in which we create a nonce DNS record, specified by ACM, to demonstrate ownership).
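One way to express the ACM certificate and the CloudFront HTTPS settings discussed above, as an added example in Terraform 0.11 syntax (not the project's own cloudfront.tf): the resource names, the origin settings and the TLS policy values are assumptions, and the DNS validation record is created by hand because DNS is not managed by Terraform here.

```hcl
# CloudFront only accepts ACM certificates issued in us-east-1, so the
# certificate resources use a provider alias pinned to that region.
provider "aws" {
  alias  = "us-east-1"
  region = "us-east-1"
}

# ACM generates the key pair itself, so berlin's private key is never
# shared with Amazon, and ACM renews the certificate automatically.
resource "aws_acm_certificate" "ci" {
  provider          = "aws.us-east-1"
  domain_name       = "ci.guix.info"
  validation_method = "DNS"
}

# DNS is not managed by Terraform, so the validation CNAME that ACM asks
# for must be created by hand at the DNS provider; this output shows the
# record name, type and value to create.
output "ci-certificate-validation-records" {
  value = "${aws_acm_certificate.ci.domain_validation_options}"
}

# Blocks "terraform apply" until ACM has seen the record and issued the
# certificate, so the distribution below never references an unissued one.
resource "aws_acm_certificate_validation" "ci" {
  provider        = "aws.us-east-1"
  certificate_arn = "${aws_acm_certificate.ci.arn}"
}

resource "aws_cloudfront_distribution" "ci" {
  enabled = true
  aliases = ["ci.guix.info"]

  # The origin must be berlin's own name, not ci.guix.info: once
  # ci.guix.info is a CNAME to CloudFront, pointing the origin at it
  # would loop back into the distribution.
  origin {
    origin_id   = "berlin"
    domain_name = "berlin.guixsd.org"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id = "berlin"
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]

    # "allow-all" mirrors berlin's current HTTP+HTTPS behaviour; change
    # to "redirect-to-https" when plain HTTP is dropped as planned above.
    viewer_protocol_policy = "allow-all"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = "${aws_acm_certificate_validation.ci.certificate_arn}"
    ssl_support_method       = "sni-only"      # no dedicated IP, so no extra cost
    minimum_protocol_version = "TLSv1.2_2018"
  }
}

# The value ci.guix.info's CNAME should point at once validation passes.
output "ci-distribution-domain-name" {
  value = "${aws_cloudfront_distribution.ci.domain_name}"
}
```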
Concrete Steps
Summary of deployment, validation, and rollback plan.
Pre-Deployment
Before deploying, make sure the following has been done:
- Fully prepare a working CloudFront distribution using Terraform.
- Run the validation steps successfully against the CloudFront distribution (i.e., via the "abcd1234.cloudfront.net" hostname instead of ci.guix.info).
- Additionally, add an entry to /etc/hosts for ci.guix.info that points to one of the distribution's addresses. Confirm that (1) you can successfully establish a TLS session to ci.guix.info and (2) when you do that, it is using the CloudFront IP address. This validates that the ACM certificate is working properly.
Deployment
Deploy as follows:
- Send an email to guix-sysadmin@gnu.org and info-guix@gnu.org, and notify the #guix chat room on Freenode, to let people know you are beginning.
- Update DNS so ci.guix.info is a CNAME pointing to the CloudFront distribution's DNS name.
Validation
Once you observe that ci.guix.info starts to resolve to the new value, perform the following validation activities:
- Using "guix download", download a substitute. Confirm it succeeds.
- Using "guix weather", check the weather of ci.guix.info. Confirm it succeeds and has more than 0% substitutes available.
- Using "guix build", build something using substitutes. Confirm that Guix successfully updates substitute information and downloads substitutes.
- After 24 hours, check the cache hit rate using the AWS Management Console and confirm that it is greater than 0%.
Rollback
Rollback as follows:
- Restore the original DNS record for ci.guix.info.
- Once you observe that ci.guix.info starts to resolve to the original address, repeat validation activities for ci.guix.info.
- After that, once at least 2x the TTL for ci.guix.info has passed since the DNS flip occurred, disable the CloudFront distribution. This step is only necessary if runaway charges are a concern.
- Send an email to guix-sysadmin@gnu.org and info-guix@gnu.org, and notify the #guix chat room on Freenode, to let people know you have rolled back.
Miscellaneous Information
Avoiding "Service as a Software Substitute"
Dave made an awesome Guile module for using CloudFormation:
https://lists.gnu.org/archive/html/guix-devel/2018-12/msg00102.html
https://gist.github.com/davexunit/db4b9d3e67902216fbdbc66cd9c6413e
We could have used Dave's module. However, Terraform…
- is mature software - it has been around for years.
- has a vibrant ecosystem surrounding it already
- is popular and is used by lots of people
- avoids vendor lock-in by supporting many different providers
Finally, and most importantly: Terraform is free software that you can run on your own computer. On the other hand, CloudFormation is essentially a "service as a software substitute" (SaaSS) that solves the same problem by offloading the work to a service. There is no good reason to use CloudFormation when we can use or make free software like Terraform to do the job for us just as well - maybe even better:
https://www.terraform.io/intro/vs/cloudformation.html
https://www.gnu.org/philosophy/who-does-that-server-really-serve.html
Primarily because CloudFormation is SaaSS, and secondarily because Terraform is mature and widely used, I chose to use Terraform.
But if that's the case, then why are we using CloudFront, IAM, etc.? Aren't those services, too? Well, yes. They are. But they are not SaaSS. I will try to explain why.
CloudFront is a CDN, and you cannot do what a CDN does by running a program on your computer. To do what a CDN does would require a huge investment of capital and people power to build and operate an international network of computers. In this way, a CDN is not SaaSS.
IAM is also a service. But again, you cannot replace what it does by running software on your computer. IAM is Amazon's way of knowing who should be allowed to do what with the Amazon web services that you choose to use. For example, creating an IAM group for administrators, and an IAM policy saying they can do anything they want, and adding an IAM user to that group named "Chris Marusich", is analogous to calling up your electric company and saying, "Please let Chris Marusich do whatever he needs to do with this account." They record the information in their own system, and then when Chris calls asking them to change a billing address, they do some verification and determine that he's allowed to do that. IAM is the same. It doesn't replace software that you could have run on your own computer; it's an integral part of using the Amazon web services, and it has no function outside of that. Therefore, IAM is also not SaaSS.
Generally speaking, although SaaSS is bad because it takes freedom away from the computer user, services that are not SaaSS may be bad or good depending on the context. Services are different from software, so they must be treated differently. We shouldn't be afraid to use a service if (1) it isn't SaaSS and (2) it makes sense to use that particular service in that particular context.
Notes about Terraform's S3 Backend
Terraform stores state. Since this AWS Account is administered by more than one person using more than one computer, it makes sense to share state. The most sensible way to do this in Terraform is to use a so-called "backend" that enables everyone to coordinate even when using different computers. For details, see:
https://www.terraform.io/docs/state/index.html
https://www.terraform.io/docs/state/remote.html
https://www.terraform.io/docs/backends/config.html
Depending on the backend, it can also provide locking. The docs say this:
https://www.terraform.io/docs/state/locking.html
"If supported by your backend, Terraform will lock your state for all operations that could write state. This prevents others from acquiring the lock and potentially corrupting your state."
Presumably, this also means that the locking will prevent two people from mutating resources (e.g., IAM group membership) at the same time.
We use the S3 backend:
https://www.terraform.io/docs/backends/types/s3.html
For details on how it's configured, see main.tf.
S3 is an appropriate storage location since using it in this way is not SaaSS (it's only storing and publishing data), and we don't already have an installation of something else that can do the job (e.g., Consul). To support locking, we also use DynamoDB, which again is not SaaSS in this case (it's only storing and publishing data).
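A backend block together with the bucket and lock table it needs, as an added example in Terraform 0.11 syntax (not the project's own main.tf): the bucket and table names are constructed placeholders.

```hcl
# Bootstrap note: the bucket and the table must exist before "terraform
# init" can use this backend. Create them first with local state, then add
# the backend block and run "terraform init" again; it offers to copy the
# local state into S3.
terraform {
  backend "s3" {
    bucket         = "example-guix-cdn-terraform-state"   # constructed placeholder
    key            = "cdn/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                                  # SSE for the state object
    dynamodb_table = "terraform-locks"
  }
}

# State can contain sensitive attribute values, so the bucket is private,
# encrypted at rest and versioned (versioning also lets a corrupted or
# clobbered state be rolled back to an earlier object version).
resource "aws_s3_bucket" "terraform-state" {
  bucket = "example-guix-cdn-terraform-state"   # constructed placeholder
  acl    = "private"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

# The S3 backend's lock table must have a string hash key named "LockID".
# One read and one write capacity unit is plenty and stays in the free tier.
resource "aws_dynamodb_table" "terraform-locks" {
  name           = "terraform-locks"
  hash_key       = "LockID"
  read_capacity  = 1
  write_capacity = 1

  attribute {
    name = "LockID"
    type = "S"
  }
}
```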
How to import keys without all the signatures
The file terraform/variables.tf contains some PGP public keys. Those keys are often very large, due to signatures. This section describes how to strip the signatures, which are not necessary when using the keys with Terraform.
In most cases, a person's public PGP key has many signatures. These aren't necessary for encrypting the AWS Access Key and password mentioned above. All we need is the public key, not the signatures. The presence of the signatures makes the variables.tf file very large. We can prune down the exported public key for someone by doing this, for example for someone named "marusich":
Use this function:
strip_sigs() {
    local owner="$1"
    local temphome="$(mktemp -d)"
    # Import the key into a throwaway keyring. In that empty keyring none
    # of the third-party signatures are usable, so "import-clean" drops
    # them, leaving just the key material and its self-signatures.
    gpg --export "$owner" | GNUPGHOME="$temphome" gpg --import --import-options='import-clean'
    # Export the slimmed-down key, base64 encoded for variables.tf.
    GNUPGHOME="$temphome" gpg --export "$owner" | base64
    rm -rf "$temphome"
}
Use it like this:
strip_sigs cmmarusich@gmail.com
You can then copy the output into a new entry in the variables.tf file. It will be significantly smaller than if we hadn't cleaned up all the signatures.
Initial Set-Up
This section describes how the AWS account was initially set up - all the steps that had to be done outside of Terraform to set it up in the first place. You only need to read it if you're interested in reproducing that work, or if you're just curious.
Software Environment
The following software versions were used, on a GuixSD system:
Guix: f5d4c46c2c0ccd62f5c5b44a486af4511d395f8f (Also known as "v0.16.0-177-gf5d4c46c2" by "git describe")
IceCat: 60.3.0-gnu1 (/gnu/store/4p6nn4sbv1qw196wp55v5sgbhd4cpams-icecat-60.3.0-gnu1)
IceCat plugins installed:
- HTTPS Everywhere 2018.10.31
- NoScript 10.2.1
- Privacy Badger 2018.10.3.1
- GNU LibreJS 7.18.1
IceCat plugins explicitly disabled for the purpose of interacting with the AWS website, which breaks when they are enabled:
- NoScript
- GNU LibreJS
KeePassXC: 2.3.4
Some possibly relevant IceCat about:config details:
network.http.referer.spoofSource;false
privacy.resistFingerprinting;false
Terraform version (not managed by Guix): v0.11.11
Terraform AWS Provider version (not managed by Guix): 1.54.0
Create an AWS Account
Website: https://aws.amazon.com/
Click on the "Sign Up" button.
Store the credentials in KeePass.
The website doesn't work when NoScript and LibreJS are enabled. There might be a way to selectively enable a minimal set of scripts to allow the website to do its job, but I don't know what that set is. Instead, I temporarily disabled NoScript and LibreJS for this website so that I could get this portion of the job done.
Click the box next to the sentence: "Check here to indicate that you have read and agree to the terms of the AWS Customer Agreement" - the link goes here:
https://aws.amazon.com/agreement/
A telephone number is required to complete the default sign-up process. It may be possible to sign up without a phone, but I did not try that. AWS displays a number on the website, an automated system calls the phone number you provide, you enter the displayed number, and then the process is complete.
Free Tier
For the first 12 months (from 2018-12-26), this AWS account will have access to the "free tier", which gives discounts on some services:
Notable parts:
Data Transfer
15 GB of data transfer out and 1GB of regional data transfer aggregated across all AWS services*
Amazon CloudFront
50 GB Data Transfer Out, 2,000,000 HTTP and HTTPS Requests of Amazon CloudFront*
User Agreement
Here is a copy of the above agreement in full as it appeared on 2018-12-26:
*If your address is in India, please review the AISPL Customer Agreement, which governs your access to and use of the Service Offerings.
*Please note that as of July 1, 2018, customers located in Europe, the Middle East, or Africa contract with our European based AWS Contracting Party, as provided in Section 14. See the AWS Europe FAQ for more information.
AWS Customer Agreement
Last Updated: November 1, 2018
This AWS Customer Agreement (this “Agreement”) contains the terms and conditions that govern your access to and use of the Service Offerings (as defined below) and is an agreement between the applicable AWS Contracting Party specified in Section 14 below (also referred to as “AWS,” “we,” “us,” or “our”) and you or the entity you represent (“you” or “your”). This Agreement takes effect when you click an “I Accept” button or check box presented with these terms or, if earlier, when you use any of the Service Offerings (the “Effective Date”). You represent to us that you are lawfully able to enter into contracts (e.g., you are not a minor). If you are entering into this Agreement for an entity, such as the company you work for, you represent to us that you have legal authority to bind that entity. Please see Section 14 for definitions of certain capitalized terms used in this Agreement.
1. Use of the Service Offerings.
1.1 Generally. You may access and use the Service Offerings in accordance with this Agreement. Service Level Agreements and Service Terms apply to certain Service Offerings. You will comply with the terms of this Agreement and all laws, rules and regulations applicable to your use of the Service Offerings.
1.2 Your Account. To access the Services, you must have an AWS account associated with a valid email address and a valid form of payment. Unless explicitly permitted by the Service Terms, you will only create one account per email address.
1.3 Third-Party Content. Third-Party Content may be used by you at your election. Third-Party Content is governed by this Agreement and, if applicable, separate terms and conditions accompanying such Third-Party Content, which terms and conditions may include separate fees and charges.
2. Changes.
2.1 To the Service Offerings. We may change or discontinue any or all of the Service Offerings or change or remove functionality of any or all of the Service Offerings from time to time. We will notify you of any material change to or discontinuation of the Service Offerings.
2.2 To the APIs. We may change or discontinue any APIs for the Services from time to time. For any discontinuation of or material change to an API for a Service, we will use commercially reasonable efforts to continue supporting the previous version of such API for 12 months after the change or discontinuation (except if doing so (a) would pose a security or intellectual property issue, (b) is economically or technically burdensome, or (c) would cause us to violate the law or requests of governmental entities).
2.3 To the Service Level Agreements. We may change, discontinue or add Service Level Agreements from time to time in accordance with Section 12.
3. Security and Data Privacy.
3.1 AWS Security. Without limiting Section 10 or your obligations under Section 4.2, we will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure.
3.2 Data Privacy. You may specify the AWS regions in which Your Content will be stored. You consent to the storage of Your Content in, and transfer of Your Content into, the AWS regions you select. We will not access or use Your Content except as necessary to maintain or provide the Service Offerings, or as necessary to comply with the law or a binding order of a governmental body. We will not (a) disclose Your Content to any government or third party or (b) subject to Section 3.3, move Your Content from the AWS regions selected by you; except in each case as necessary to comply with the law or a binding order of a governmental body. Unless it would violate the law or a binding order of a governmental body, we will give you notice of any legal requirement or order referred to in this Section 3.2. We will only use your Account Information in accordance with the Privacy Policy, and you consent to such usage. The Privacy Policy does not apply to Your Content.
3.3 Service Attributes. To provide billing and administration services, we may process Service Attributes in the AWS region(s) where you use the Service Offerings and the AWS regions in the United States. To provide you with support services initiated by you and investigate fraud, abuse or violations of this Agreement, we may process Service Attributes where we maintain our support and investigation personnel.
4. Your Responsibilities.
4.1 Your Accounts. Except to the extent caused by our breach of this Agreement, (a) you are responsible for all activities that occur under your account, regardless of whether the activities are authorized by you or undertaken by you, your employees or a third party (including your contractors, agents or End Users), and (b) we and our affiliates are not responsible for unauthorized access to your account.
4.2 Your Content. You will ensure that Your Content and your and End Users’ use of Your Content or the Service Offerings will not violate any of the Policies or any applicable law. You are solely responsible for the development, content, operation, maintenance, and use of Your Content.
4.3 Your Security and Backup. You are responsible for properly configuring and using the Service Offerings and otherwise taking appropriate action to secure, protect and backup your accounts and Your Content in a manner that will provide appropriate security and protection, which might include use of encryption to protect Your Content from unauthorized access and routinely archiving Your Content.
4.4 Log-In Credentials and Account Keys. AWS log-in credentials and private keys generated by the Services are for your internal use only and you will not sell, transfer or sublicense them to any other entity or person, except that you may disclose your private key to your agents and subcontractors performing work on your behalf.
4.5 End Users. You will be deemed to have taken any action that you permit, assist or facilitate any person or entity to take related to this Agreement, Your Content or use of the Service Offerings. You are responsible for End Users’ use of Your Content and the Service Offerings. You will ensure that all End Users comply with your obligations under this Agreement and that the terms of your agreement with each End User are consistent with this Agreement. If you become aware of any violation of your obligations under this Agreement caused by an End User, you will immediately suspend access to Your Content and the Service Offerings by such End User. We do not provide any support or services to End Users unless we have a separate agreement with you or an End User obligating us to provide such support or services.
- Fees and Payment.
5.1 Service Fees. We calculate and bill fees and charges monthly. We may bill you more frequently for fees accrued if we suspect that your account is fraudulent or at risk of non-payment. You will pay us the applicable fees and charges for use of the Service Offerings as described on the AWS Site using one of the payment methods we support. All amounts payable by you under this Agreement will be paid to us without setoff or counterclaim, and without any deduction or withholding. Fees and charges for any new Service or new feature of a Service will be effective when we post updated fees and charges on the AWS Site, unless we expressly state otherwise in a notice. We may increase or add new fees and charges for any existing Services you are using by giving you at least 30 days’ prior notice. We may elect to charge you interest at the rate of 1.5% per month (or the highest rate permitted by law, if less) on all late payments.
5.2 Taxes. Each party will be responsible, as required under applicable law, for identifying and paying all taxes and other governmental fees and charges (and any penalties, interest, and other additions thereto) that are imposed on that party upon or with respect to the transactions and payments under this Agreement. All fees payable by you are exclusive of Indirect Taxes. We may charge and you will pay applicable Indirect Taxes that we are legally obligated or authorized to collect from you. You will provide such information to us as reasonably required to determine whether we are obligated to collect Indirect Taxes from you. We will not collect, and you will not pay, any Indirect Tax for which you furnish us a properly completed exemption certificate or a direct payment permit certificate for which we may claim an available exemption from such Indirect Tax. All payments made by you to us under this Agreement will be made free and clear of any deduction or withholding, as may be required by law. If any such deduction or withholding (including but not limited to cross-border withholding taxes) is required on any payment, you will pay such additional amounts as are necessary so that the net amount received by us is equal to the amount then due and payable under this Agreement. We will provide you with such tax forms as are reasonably requested in order to reduce or eliminate the amount of any withholding or deduction for taxes in respect of payments made under this Agreement.
- Temporary Suspension.
6.1 Generally. We may suspend your or any End User’s right to access or use any portion or all of the Service Offerings immediately upon notice to you if we determine:
(a) your or an End User’s use of the Service Offerings (i) poses a security risk to the Service Offerings or any third party, (ii) could adversely impact our systems, the Service Offerings or the systems or Content of any other AWS customer, (iii) could subject us, our affiliates, or any third party to liability, or (iv) could be fraudulent;
(b) you are, or any End User is, in breach of this Agreement;
(c) you are in breach of your payment obligations under Section 5; or
(d) you have ceased to operate in the ordinary course, made an assignment for the benefit of creditors or similar disposition of your assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution or similar proceeding.
6.2 Effect of Suspension. If we suspend your right to access or use any portion or all of the Service Offerings:
(a) you remain responsible for all fees and charges you incur during the period of suspension; and
(b) you will not be entitled to any service credits under the Service Level Agreements for any period of suspension.
- Term; Termination.
7.1 Term. The term of this Agreement will commence on the Effective Date and will remain in effect until terminated under this Section 7. Any notice of termination of this Agreement by either party to the other must include a Termination Date that complies with the notice periods in Section 7.2.
7.2 Termination.
(a) Termination for Convenience. You may terminate this Agreement for any reason by providing us notice and closing your account for all Services for which we provide an account closing mechanism. We may terminate this Agreement for any reason by providing you at least 30 days’ advance notice.
(b) Termination for Cause.
(i) By Either Party. Either party may terminate this Agreement for cause if the other party is in material breach of this Agreement and the material breach remains uncured for a period of 30 days from receipt of notice by the other party. No later than the Termination Date, you will close your account.
(ii) By Us. We may also terminate this Agreement immediately upon notice to you (A) for cause if we have the right to suspend under Section 6, (B) if our relationship with a third-party partner who provides software or other technology we use to provide the Service Offerings expires, terminates or requires us to change the way we provide the software or other technology as part of the Services, or (C) in order to comply with the law or requests of governmental entities.
7.3 Effect of Termination.
(a) Generally. Upon the Termination Date:
(i) except as provided in Section 7.3(b), all your rights under this Agreement immediately terminate;
(ii) you remain responsible for all fees and charges you have incurred through the Termination Date and are responsible for any fees and charges you incur during the post-termination period described in Section 7.3(b);
(iii) you will immediately return or, if instructed by us, destroy all AWS Content in your possession; and
(iv) Sections 4.1, 5, 7.3, 8 (except the license granted to you in Section 8.3), 9, 10, 11, 13 and 14 will continue to apply in accordance with their terms.
(b) Post-Termination. Unless we terminate your use of the Service Offerings pursuant to Section 7.2(b), during the 30 days following the Termination Date:
(i) we will not take action to remove from the AWS systems any of Your Content as a result of the termination; and
(ii) we will allow you to retrieve Your Content from the Services only if you have paid all amounts due under this Agreement.
For any use of the Services after the Termination Date, the terms of this Agreement will apply and you will pay the applicable fees at the rates under Section 5.
- Proprietary Rights.
8.1 Your Content. Except as provided in this Section 8, we obtain no rights under this Agreement from you (or your licensors) to Your Content. You consent to our use of Your Content to provide the Service Offerings to you and any End Users.
8.2 Adequate Rights. You represent and warrant to us that: (a) you or your licensors own all right, title, and interest in and to Your Content and Suggestions; (b) you have all rights in Your Content and Suggestions necessary to grant the rights contemplated by this Agreement; and (c) none of Your Content or End Users’ use of Your Content or the Service Offerings will violate the Acceptable Use Policy.
8.3 Service Offerings License. We or our licensors own all right, title, and interest in and to the Service Offerings, and all related technology and intellectual property rights. Subject to the terms of this Agreement, we grant you a limited, revocable, non-exclusive, non-sublicensable, non-transferrable license to do the following: (a) access and use the Services solely in accordance with this Agreement; and (b) copy and use the AWS Content solely in connection with your permitted use of the Services. Except as provided in this Section 8.3, you obtain no rights under this Agreement from us, our affiliates or our licensors to the Service Offerings, including any related intellectual property rights. Some AWS Content and Third-Party Content may be provided to you under a separate license, such as the Apache License, Version 2.0, or other open source license. In the event of a conflict between this Agreement and any separate license, the separate license will prevail with respect to the AWS Content or Third-Party Content that is the subject of such separate license.
8.4 License Restrictions. Neither you nor any End User will use the Service Offerings in any manner or for any purpose other than as expressly permitted by this Agreement. Neither you nor any End User will, or will attempt to (a) modify, distribute, alter, tamper with, repair, or otherwise create derivative works of any Content included in the Service Offerings (except to the extent Content included in the Service Offerings is provided to you under a separate license that expressly permits the creation of derivative works), (b) reverse engineer, disassemble, or decompile the Service Offerings or apply any other process or procedure to derive the source code of any software included in the Service Offerings (except to the extent applicable law doesn’t allow this restriction), (c) access or use the Service Offerings in a way intended to avoid incurring fees or exceeding usage limits or quotas, or (d) resell or sublicense the Service Offerings. You may only use the AWS Marks in accordance with the Trademark Use Guidelines. You will not misrepresent or embellish the relationship between us and you (including by expressing or implying that we support, sponsor, endorse, or contribute to you or your business endeavors). You will not imply any relationship or affiliation between us and you except as expressly permitted by this Agreement.
8.5 Suggestions. If you provide any Suggestions to us or our affiliates, we and our affiliates will be entitled to use the Suggestions without restriction. You hereby irrevocably assign to us all right, title, and interest in and to the Suggestions and agree to provide us any assistance we require to document, perfect, and maintain our rights in the Suggestions.
- Indemnification.
9.1 General. You will defend, indemnify, and hold harmless us, our affiliates and licensors, and each of their respective employees, officers, directors, and representatives from and against any Losses arising out of or relating to any third-party claim concerning: (a) your or any End Users’ use of the Service Offerings (including any activities under your AWS account and use by your employees and personnel); (b) breach of this Agreement or violation of applicable law by you, End Users or Your Content; or (c) a dispute between you and any End User. You will reimburse us for reasonable attorneys’ fees, as well as our employees’ and contractors’ time and materials spent responding to any third party subpoena or other compulsory legal order or process associated with third party claims described in (a) through (c) above at our then-current hourly rates.
9.2 Intellectual Property.
(a) Subject to the limitations in this Section 9, AWS will defend you and your employees, officers, and directors against any third-party claim alleging that the Services infringe or misappropriate that third party’s intellectual property rights, and will pay the amount of any adverse final judgment or settlement.
(b) Subject to the limitations in this Section 9, you will defend AWS, its affiliates, and their respective employees, officers, and directors against any third-party claim alleging that any of Your Content infringes or misappropriates that third party’s intellectual property rights, and will pay the amount of any adverse final judgment or settlement.
(c) Neither party will have obligations or liability under this Section 9.2 arising from infringement by combinations of the Services or Your Content, as applicable, with any other product, service, software, data, content or method. In addition, AWS will have no obligations or liability arising from your or any End User’s use of the Services after AWS has notified you to discontinue such use. The remedies provided in this Section 9.2 are the sole and exclusive remedies for any third-party claims of infringement or misappropriation of intellectual property rights by the Services or by Your Content.
(d) For any claim covered by Section 9.2(a), AWS will, at its election, either: (i) procure the rights to use that portion of the Services alleged to be infringing; (ii) replace the alleged infringing portion of the Services with a non-infringing alternative; (iii) modify the alleged infringing portion of the Services to make it non-infringing; or (iv) terminate the allegedly infringing portion of the Services or this Agreement.
9.3 Process. The obligations under this Section 9 will apply only if the party seeking defense or indemnity: (a) gives the other party prompt written notice of the claim; (b) permits the other party to control the defense and settlement of the claim; and (c) reasonably cooperates with the other party (at the other party’s expense) in the defense and settlement of the claim. In no event will a party agree to any settlement of any claim that involves any commitment, other than the payment of money, without the written consent of the other party.
- Disclaimers.
THE SERVICE OFFERINGS ARE PROVIDED “AS IS.” EXCEPT TO THE EXTENT PROHIBITED BY LAW, OR TO THE EXTENT ANY STATUTORY RIGHTS APPLY THAT CANNOT BE EXCLUDED, LIMITED OR WAIVED, WE AND OUR AFFILIATES AND LICENSORS (A) MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE REGARDING THE SERVICE OFFERINGS OR THE THIRD-PARTY CONTENT, AND (B) DISCLAIM ALL WARRANTIES, INCLUDING ANY IMPLIED OR EXPRESS WARRANTIES (I) OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR QUIET ENJOYMENT, (II) ARISING OUT OF ANY COURSE OF DEALING OR USAGE OF TRADE, (III) THAT THE SERVICE OFFERINGS OR THIRD-PARTY CONTENT WILL BE UNINTERRUPTED, ERROR FREE OR FREE OF HARMFUL COMPONENTS, AND (IV) THAT ANY CONTENT WILL BE SECURE OR NOT OTHERWISE LOST OR ALTERED.
- Limitations of Liability.
WE AND OUR AFFILIATES AND LICENSORS WILL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, REVENUES, CUSTOMERS, OPPORTUNITIES, GOODWILL, USE, OR DATA), EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHER, NEITHER WE NOR ANY OF OUR AFFILIATES OR LICENSORS WILL BE RESPONSIBLE FOR ANY COMPENSATION, REIMBURSEMENT, OR DAMAGES ARISING IN CONNECTION WITH: (A) YOUR INABILITY TO USE THE SERVICES, INCLUDING AS A RESULT OF ANY (I) TERMINATION OR SUSPENSION OF THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS, (II) OUR DISCONTINUATION OF ANY OR ALL OF THE SERVICE OFFERINGS, OR, (III) WITHOUT LIMITING ANY OBLIGATIONS UNDER THE SERVICE LEVEL AGREEMENTS, ANY UNANTICIPATED OR UNSCHEDULED DOWNTIME OF ALL OR A PORTION OF THE SERVICES FOR ANY REASON; (B) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; (C) ANY INVESTMENTS, EXPENDITURES, OR COMMITMENTS BY YOU IN CONNECTION WITH THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS; OR (D) ANY UNAUTHORIZED ACCESS TO, ALTERATION OF, OR THE DELETION, DESTRUCTION, DAMAGE, LOSS OR FAILURE TO STORE ANY OF YOUR CONTENT OR OTHER DATA. IN ANY CASE, EXCEPT FOR PAYMENT OBLIGATIONS UNDER SECTION 9.2, OUR AND OUR AFFILIATES’ AND LICENSORS’ AGGREGATE LIABILITY UNDER THIS AGREEMENT WILL NOT EXCEED THE AMOUNT YOU ACTUALLY PAY US UNDER THIS AGREEMENT FOR THE SERVICE THAT GAVE RISE TO THE CLAIM DURING THE 12 MONTHS BEFORE THE LIABILITY AROSE. THE LIMITATIONS IN THIS SECTION 11 APPLY ONLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.
- Modifications to the Agreement.
We may modify this Agreement (including any Policies) at any time by posting a revised version on the AWS Site or by otherwise notifying you in accordance with Section 13.10; provided, however, that we will provide at least 90 days’ advance notice in accordance with Section 13.10 for adverse changes to any Service Level Agreement. Subject to the 90 day advance notice requirement with respect to adverse changes to Service Level Agreements, the modified terms will become effective upon posting or, if we notify you by email, as stated in the email message. By continuing to use the Service Offerings after the effective date of any modifications to this Agreement, you agree to be bound by the modified terms. It is your responsibility to check the AWS Site regularly for modifications to this Agreement. We last modified this Agreement on the date listed at the end of this Agreement.
- Miscellaneous.
13.1 Assignment. You will not assign or otherwise transfer this Agreement or any of your rights and obligations under this Agreement, without our prior written consent. Any assignment or transfer in violation of this Section 13.1 will be void. We may assign this Agreement without your consent (a) in connection with a merger, acquisition or sale of all or substantially all of our assets, or (b) to any Affiliate or as part of a corporate reorganization; and effective upon such assignment, the assignee is deemed substituted for AWS as a party to this Agreement and AWS is fully released from all of its obligations and duties to perform under this Agreement. Subject to the foregoing, this Agreement will be binding upon, and inure to the benefit of the parties and their respective permitted successors and assigns.
13.2 Entire Agreement. This Agreement incorporates the Policies by reference and is the entire agreement between you and us regarding the subject matter of this Agreement. This Agreement supersedes all prior or contemporaneous representations, understandings, agreements, or communications between you and us, whether written or verbal, regarding the subject matter of this Agreement (but does not supersede prior commitments to purchase Services such as Amazon EC2 Reserved Instances). We will not be bound by, and specifically object to, any term, condition or other provision that is different from or in addition to the provisions of this Agreement (whether or not it would materially alter this Agreement) including for example, any term, condition or other provision (a) submitted by you in any order, receipt, acceptance, confirmation, correspondence or other document, (b) related to any online registration, response to any Request for Bid, Request for Proposal, Request for Information, or other questionnaire, or (c) related to any invoicing process that you submit or require us to complete. If the terms of this document are inconsistent with the terms contained in any Policy, the terms contained in this document will control, except that the Service Terms will control over this document.
13.3 Force Majeure. We and our affiliates will not be liable for any delay or failure to perform any obligation under this Agreement where the delay or failure results from any cause beyond our reasonable control, including acts of God, labor disputes or other industrial disturbances, electrical or power outages, utilities or other telecommunications failures, earthquake, storms or other elements of nature, blockages, embargoes, riots, acts or orders of government, acts of terrorism, or war.
13.4 Governing Law. The Governing Laws, without reference to conflict of law rules, govern this Agreement and any dispute of any sort that might arise between you and us. The United Nations Convention for the International Sale of Goods does not apply to this Agreement.
13.5 Disputes. Any dispute or claim relating in any way to your use of the Service Offerings, or to any products or services sold or distributed by AWS will be adjudicated in the Governing Courts, and you consent to exclusive jurisdiction and venue in the Governing Courts; except, if the applicable AWS Contracting Party is Amazon Web Services, Inc., any such dispute will be resolved by binding arbitration as provided in this Section 13.5, rather than in court, except that you may assert claims in small claims court if your claims qualify. The Federal Arbitration Act and federal arbitration law apply to this Agreement. There is no judge or jury in arbitration, and court review of an arbitration award is limited. However, an arbitrator can award on an individual basis the same damages and relief as a court (including injunctive and declaratory relief or statutory damages), and must follow the terms of this Agreement as a court would. To begin an arbitration proceeding, you must send a letter requesting arbitration and describing your claim to our registered agent Corporation Service Company, 300 Deschutes Way SW, Suite 304, Tumwater, WA 98501. The arbitration will be conducted by the American Arbitration Association (AAA) under its rules, which are available at www.adr.org or by calling 1-800-778-7879. Payment of filing, administration and arbitrator fees will be governed by the AAA's rules. We will reimburse those fees for claims totaling less than $10,000 unless the arbitrator determines the claims are frivolous. We will not seek attorneys' fees and costs in arbitration unless the arbitrator determines the claims are frivolous. You may choose to have the arbitration conducted by telephone, based on written submissions, or at a mutually agreed location. We and you agree that any dispute resolution proceedings will be conducted only on an individual basis and not in a class, consolidated or representative action. 
If for any reason a claim proceeds in court rather than in arbitration we and you waive any right to a jury trial. Notwithstanding the foregoing we and you both agree that you or we may bring suit in court to enjoin infringement or other misuse of intellectual property rights.
13.6 Trade Compliance. In connection with this Agreement, each party will comply with all applicable import, re-import, sanctions, anti-boycott, export, and re-export control laws and regulations, including all such laws and regulations that apply to a U.S. company, such as the Export Administration Regulations, the International Traffic in Arms Regulations, and economic sanctions programs implemented by the Office of Foreign Assets Control. For clarity, you are solely responsible for compliance related to the manner in which you choose to use the Service Offerings, including your transfer and processing of Your Content, the provision of Your Content to End Users, and the AWS region in which any of the foregoing occur. You represent and warrant that you and your financial institutions, or any party that owns or controls you or your financial institutions, are not subject to sanctions or otherwise designated on any list of prohibited or restricted parties, including but not limited to the lists maintained by the United Nations Security Council, the U.S. Government (e.g., the Specially Designated Nationals List and Foreign Sanctions Evaders List of the U.S. Department of Treasury, and the Entity List of the U.S. Department of Commerce), the European Union or its Member States, or other applicable government authority.
13.7 Independent Contractors; Non-Exclusive Rights. We and you are independent contractors, and this Agreement will not be construed to create a partnership, joint venture, agency, or employment relationship. Neither party, nor any of their respective affiliates, is an agent of the other for any purpose or has the authority to bind the other. Both parties reserve the right (a) to develop or have developed for it products, services, concepts, systems, or techniques that are similar to or compete with the products, services, concepts, systems, or techniques developed or contemplated by the other party, and (b) to assist third party developers or systems integrators who may offer products or services which compete with the other party’s products or services.
13.8 Language. All communications and notices made or given pursuant to this Agreement must be in the English language. If we provide a translation of the English language version of this Agreement, the English language version of the Agreement will control if there is any conflict.
13.9 Confidentiality and Publicity. You may use AWS Confidential Information only in connection with your use of the Service Offerings as permitted under this Agreement. You will not disclose AWS Confidential Information during the Term or at any time during the 5-year period following the end of the Term. You will take all reasonable measures to avoid disclosure, dissemination or unauthorized use of AWS Confidential Information, including, at a minimum, those measures you take to protect your own confidential information of a similar nature. You will not issue any press release or make any other public communication with respect to this Agreement or your use of the Service Offerings.
13.10 Notice.
(a) To You. We may provide any notice to you under this Agreement by: (i) posting a notice on the AWS Site; or (ii) sending a message to the email address then associated with your account. Notices we provide by posting on the AWS Site will be effective upon posting and notices we provide by email will be effective when we send the email. It is your responsibility to keep your email address current. You will be deemed to have received any email sent to the email address then associated with your account when we send the email, whether or not you actually receive the email.
(b) To Us. To give us notice under this Agreement, you must contact AWS by facsimile transmission or personal delivery, overnight courier or registered or certified mail to the facsimile number or mailing address, as applicable, listed for the applicable AWS Contracting Party in Section 14 below. We may update the facsimile number or address for notices to us by posting a notice on the AWS Site. Notices provided by personal delivery will be effective immediately. Notices provided by facsimile transmission or overnight courier will be effective one business day after they are sent. Notices provided registered or certified mail will be effective three business days after they are sent.
13.11 No Third-Party Beneficiaries. Except as set forth in Section 9, this Agreement does not create any third-party beneficiary rights in any individual or entity that is not a party to this Agreement.
13.12 U.S. Government Rights. The Service Offerings are provided to the U.S. Government as “commercial items,” “commercial computer software,” “commercial computer software documentation,” and “technical data” with the same rights and restrictions generally applicable to the Service Offerings. If you are using the Service Offerings on behalf of the U.S. Government and these terms fail to meet the U.S. Government’s needs or are inconsistent in any respect with federal law, you will immediately discontinue your use of the Service Offerings. The terms “commercial item” “commercial computer software,” “commercial computer software documentation,” and “technical data” are defined in the Federal Acquisition Regulation and the Defense Federal Acquisition Regulation Supplement.
13.13 No Waivers. The failure by us to enforce any provision of this Agreement will not constitute a present or future waiver of such provision nor limit our right to enforce such provision at a later time. All waivers by us must be in writing to be effective.
13.14 Severability. If any portion of this Agreement is held to be invalid or unenforceable, the remaining portions of this Agreement will remain in full force and effect. Any invalid or unenforceable portions will be interpreted to effect the intent of the original portion. If such construction is not possible, the invalid or unenforceable portion will be severed from this Agreement but the rest of the Agreement will remain in full force and effect.
- Definitions.
“Acceptable Use Policy” means the policy located at http://aws.amazon.com/aup (and any successor or related locations designated by us), as it may be updated by us from time to time.
“Account Country” is the country associated with your account. If you have provided a valid tax registration number for your account, then your Account Country is the country associated with your tax registration. If you have not provided a valid tax registration, then your Account Country is the country where your billing address is located, except if your credit card account is issued in a different country and your contact address is also in that country, then your Account Country is that different country.
“Account Information” means information about you that you provide to us in connection with the creation or administration of your AWS account. For example, Account Information includes names, usernames, phone numbers, email addresses and billing information associated with your AWS account.
“API” means an application program interface.
“AWS Confidential Information” means all nonpublic information disclosed by us, our affiliates, business partners or our or their respective employees, contractors or agents that is designated as confidential or that, given the nature of the information or circumstances surrounding its disclosure, reasonably should be understood to be confidential. AWS Confidential Information includes: (a) nonpublic information relating to our or our affiliates or business partners’ technology, customers, business plans, promotional and marketing activities, finances and other business affairs; (b) third-party information that we are obligated to keep confidential; and (c) the nature, content and existence of any discussions or negotiations between you and us or our affiliates. AWS Confidential Information does not include any information that: (i) is or becomes publicly available without breach of this Agreement; (ii) can be shown by documentation to have been known to you at the time of your receipt from us; (iii) is received from a third party who did not acquire or disclose the same by a wrongful or tortious act; or (iv) can be shown by documentation to have been independently developed by you without reference to the AWS Confidential Information.
“AWS Content” means Content we or any of our affiliates make available in connection with the Services or on the AWS Site to allow access to and use of the Services, including APIs; WSDLs; Documentation; sample code; software libraries; command line tools; proofs of concept; templates; and other related technology (including any of the foregoing that are provided by our personnel). AWS Content does not include the Services or Third-Party Content.
"AWS Contracting Party" means the party identified in the table below, based on your Account Country. If you change your Account Country to one identified to a different AWS Contracting Party below, you agree that this Agreement is then assigned to the new AWS Contracting Party under Section 13.1 without any further action required by either party.
| Account Country | AWS Contracting Party | Facsimile | Mailing Address |
|---+---+---+---|
| Any country within Europe, the Middle East, or Africa ("EMEA")* | Amazon Web Services EMEA SARL | 352 2789 0057 | 38 Avenue John F. Kennedy, L-1855, Luxembourg |
| Any other country that is not in EMEA | Amazon Web Services, Inc. | 206-266-7010 | 410 Terry Avenue North, Seattle, WA 98109-5210 U.S.A. |
*See https://aws.amazon.com/legal/aws-emea-countries for a full list of EMEA countries.
“AWS Marks” means any trademarks, service marks, service or trade names, logos, and other designations of AWS and its affiliates that we may make available to you in connection with this Agreement.
“AWS Site” means http://aws.amazon.com (and any successor or related site designated by us), as may be updated by us from time to time.
“Content” means software (including machine images), data, text, audio, video or images.
“Documentation” means the user guides and admin guides (in each case exclusive of content referenced via hyperlink) for the Services located at http://aws.amazon.com/documentation (and any successor or related locations designated by us), as such user guides and admin guides may be updated by AWS from time to time.
“End User” means any individual or entity that directly or indirectly through another user: (a) accesses or uses Your Content; or (b) otherwise accesses or uses the Service Offerings under your account. The term “End User” does not include individuals or entities when they are accessing or using the Services or any Content under their own AWS account, rather than under your account.
"Governing Laws" and “Governing Courts” mean, for each AWS Contracting Party, the laws and courts set forth in the following table:
| AWS Contracting Party | Governing Laws | Governing Courts |
|---+---+---|
| Amazon Web Services EMEA SARL | The laws of the Grand Duchy of Luxembourg | The courts of the district of Luxembourg City |
| Amazon Web Services, Inc. | The laws of the State of Washington | The state or Federal courts in King County, Washington |
“Indirect Taxes” means applicable taxes and duties, including, without limitation, VAT, Service Tax, GST, excise taxes, sales and transactions taxes, and gross receipts tax.
“Losses” means any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees).
“Policies” means the Acceptable Use Policy, Privacy Policy, the Site Terms, the Service Terms, the Trademark Use Guidelines, all restrictions described in the AWS Content and on the AWS Site, and any other policy or terms referenced in or incorporated into this Agreement, but does not include whitepapers or other marketing materials referenced on the AWS Site.
“Privacy Policy” means the privacy policy located at http://aws.amazon.com/privacy (and any successor or related locations designated by us), as it may be updated by us from time to time.
“Service” means each of the services made available by us or our affiliates, including those web services described in the Service Terms. Services do not include Third-Party Content.
“Service Attributes” means Service usage data related to your account, such as resource identifiers, metadata tags, security and access roles, rules, usage policies, permissions, usage statistics and analytics.
“Service Level Agreement” means all service level agreements that we offer with respect to the Services and post on the AWS Site, as they may be updated by us from time to time. The service level agreements we offer with respect to the Services are located at https://aws.amazon.com/legal/service-level-agreements/ (and any successor or related locations designated by AWS), as may be updated by AWS from time to time.
“Service Offerings” means the Services (including associated APIs), the AWS Content, the AWS Marks, and any other product or service provided by us under this Agreement. Service Offerings do not include Third-Party Content.
“Service Terms” means the rights and restrictions for particular Services located at http://aws.amazon.com/serviceterms (and any successor or related locations designated by us), as may be updated by us from time to time.
“Site Terms” means the terms of use located at http://aws.amazon.com/terms/ (and any successor or related locations designated by us), as may be updated by us from time to time.
“Suggestions” means all suggested improvements to the Service Offerings that you provide to us.
“Term” means the term of this Agreement described in Section 7.1.
“Termination Date” means the effective date of termination provided in accordance with Section 7, in a notice from one party to the other.
“Third-Party Content” means Content made available to you by any third party on the AWS Site or in conjunction with the Services.
“Trademark Use Guidelines” means the guidelines and trademark license located at http://aws.amazon.com/trademark-guidelines/ (and any successor or related locations designated by us), as they may be updated by us from time to time.
“Your Content” means Content that you or any End User transfers to us for processing, storage or hosting by the Services in connection with your AWS account and any computational results that you or any End User derive from the foregoing through their use of the Services. For example, Your Content includes Content that you or any End User stores in Amazon Simple Storage Service. Your Content does not include Account Information.
Privacy Policy
AWS also has a privacy policy, which it mentions when you sign up for an account:
https://aws.amazon.com/privacy/
Here are the contents, as of 2018-12-26:
Privacy Notice
Last Updated: November 1, 2018
This Privacy Notice describes how we collect and use your personal information in relation to AWS websites, applications, products, services, events, and experiences that reference this Privacy Notice (together, “AWS Offerings”).
This Privacy Notice does not apply to the “content” processed, stored, or hosted by our customers using AWS Offerings in connection with an AWS account. See the agreement governing your access to your AWS account and the AWS Data Privacy FAQ for more information about how we handle content and how our customers can control their content through AWS Offerings. This Privacy Notice also does not apply to any products, services, websites, or content that are offered by third parties or have their own privacy notice.
Personal Information We Collect
We collect your personal information in the course of providing AWS Offerings to you.
Here are the types of information we gather:
- Information You Give Us: We collect any information you provide in relation to AWS Offerings. Click here to see examples of information you give us.
- Automatic Information: We automatically collect certain types of information when you interact with AWS Offerings. Click here to see examples of information we collect automatically.
- Information from Other Sources: We might collect information about you from other sources, including service providers, partners, and publicly available sources. Click here to see examples of information we collect from other sources.
How We Use Personal Information
We use your personal information to operate, provide, and improve AWS Offerings. Our purposes for using personal information include:
- Provide AWS Offerings: We use your personal information to provide and deliver AWS Offerings and process transactions related to AWS Offerings, including registrations, subscriptions, purchases, and payments.
- Measure, Support, and Improve AWS Offerings: We use your personal information to measure use of, analyze performance of, fix errors in, provide support for, improve, and develop AWS Offerings.
- Recommendations and Personalization: We use your personal information to recommend AWS Offerings that might be of interest to you, identify your preferences, and personalize your experience with AWS Offerings.
- Comply with Legal Obligations: In certain cases, we have a legal obligation to collect, use, or retain your personal information. For example, we collect bank account information from AWS Marketplace sellers for identity verification.
- Communicate with You: We use your personal information to communicate with you in relation to AWS Offerings via different channels (e.g., by phone, email, chat) and to respond to your requests.
- Marketing: We use your personal information to market and promote AWS Offerings. We might display interest-based ads for AWS Offerings. To learn more, please read our Interest-Based Ads notice.
- Fraud and Abuse Prevention and Credit Risks: We use your personal information to prevent and detect fraud and abuse in order to protect the security of our customers, AWS, and others. We may also use scoring methods to assess and manage credit risks.
- Purposes for Which We Seek Your Consent: We may also ask for your consent to use your personal information for a specific purpose that we communicate to you.
Cookies
To enable our systems to recognize your browser or device and to provide AWS Offerings to you, we use cookies. For more information about cookies and how we use them, please read our Cookies Notice.
How We Share Personal Information
Information about our customers is an important part of our business and we are not in the business of selling our customers’ personal information to others. We share personal information only as described below and with Amazon.com, Inc. and the subsidiaries that Amazon.com, Inc. controls that are either subject to this Privacy Notice or follow practices at least as protective as those described in this Privacy Notice.
- Transactions Involving Third Parties: We make available to you services, software, and content provided by third parties for use on or through AWS Offerings. You can tell when a third party is involved in your transactions, and we share information related to those transactions with that third party. For example, you can order services, software, and content from sellers using the AWS Marketplace and we provide those sellers information to facilitate your subscription, purchases, or support.
- Third-Party Service Providers: We employ other companies and individuals to perform functions on our behalf. Examples include: delivering AWS hardware, sending communications, processing payments, assessing credit and compliance risks, analyzing data, providing marketing and sales assistance (including advertising and event management), conducting customer relationship management, and providing training. These third party service providers have access to personal information needed to perform their functions, but may not use it for other purposes. Further, they must process that information in accordance with this Privacy Notice and as permitted by applicable data protection law.
- Business Transfers: As we continue to develop our business, we might sell or buy businesses or services. In such transactions, personal information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the individual consents otherwise). Also, in the unlikely event that AWS or substantially all of its assets are acquired, your information will of course be one of the transferred assets.
- Protection of Us and Others: We release account and other personal information when we believe release is appropriate to comply with the law, enforce or apply our terms and other agreements, or protect the rights, property, or security of AWS, our customers, or others. This includes exchanging information with other companies and organizations for fraud prevention and detection and credit risk reduction.
- At Your Option: Other than as set out above, you will receive notice when personal information about you might be shared with third parties, and you will have an opportunity to choose not to share the information.
Location of Personal Information
Amazon Web Services, Inc. is located in the United States, and our affiliated companies are located throughout the world. Depending on the scope of your interactions with AWS Offerings, your personal information may be stored in or accessed from multiple countries, including the United States. Whenever we transfer personal information to other jurisdictions, we will ensure that the information is transferred in accordance with this Privacy Notice and as permitted by applicable data protection laws.
How We Secure Information
At AWS, security is our highest priority. We design our systems with your security and privacy in mind.
- We maintain a wide variety of compliance programs that validate our security controls. Click here to learn more about our compliance programs.
- We protect the security of your information during transmission to or from AWS websites, applications, products, or services by using encryption protocols and software.
- We follow the Payment Card Industry Data Security Standard (PCI DSS) when handling credit card data.
- We maintain physical, electronic, and procedural safeguards in connection with the collection, storage, and disclosure of personal information.
- Our security procedures mean that we may request proof of identity before we disclose personal information to you.
Internet Advertising and Third Parties
AWS Offerings may include third-party advertising and links to other websites and applications. Third party advertising partners may collect information about you when you interact with their content, advertising, or services. For more information about third-party advertising, including interest-based ads, please read our Interest-Based Ads notice.
Access and Choice
You can view, update, and delete certain information about your account and your interactions with AWS Offerings. Click here for a list of examples of information that you can access. If you cannot access or update your information yourself, you can always contact us for assistance.
You have choices about the collection and use of your personal information. Many AWS Offerings include settings that provide you with options as to how your information is being used. You can choose not to provide certain information, but then you might not be able to take advantage of certain AWS Offerings.
- Account Information: If you want to add, update, or delete information related to your account, please go to the AWS Management Console. When you update or delete any information, we usually keep a copy of the prior version for our records.
- Communications: If you do not want to receive promotional messages from us, please unsubscribe or adjust your communication preferences in the AWS Management Console or the AWS Email Preference Center. If you do not want to receive in-app notifications from us, please adjust your notification settings in the app or your device.
- Advertising: If you don’t want to see interest-based ads, please adjust your Advertising Preferences.
- Browser and Devices: The Help feature on most browsers and devices will tell you how to prevent your browser or device from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether.
- Sellers and Amazon Partners: Sellers and Amazon Partner Network members can add, update, or delete information in the AWS Marketplace and APN Partner Central, respectively.
Children’s Personal Information
We don’t provide AWS Offerings for purchase by children. If you’re under 18, you may use AWS Offerings only with the involvement of a parent or guardian.
Retention of Personal Information
We keep your personal information to enable your continued use of AWS Offerings, for as long as it is required in order to fulfill the relevant purposes described in this Privacy Notice, as may be required by law (including for tax and accounting purposes), or as otherwise communicated to you. How long we retain specific personal information varies depending on the purpose for its use, and we will delete your personal information in accordance with applicable law.
Contacts, Notices, and Revisions
If you have any concern about privacy at AWS or want to contact one of our data controllers, please contact us with a thorough description, and we will try to resolve it. You may also contact us at the addresses below:
- For any prospective or current customers of Amazon Web Services, Inc., our mailing address is: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN: AWS Legal
- For any prospective or current customers of Amazon Web Services EMEA SARL, our mailing address is: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg, ATTN: AWS EMEA Legal
- For any prospective or current customers of Amazon Internet Services Private Limited, our mailing address is: Amazon Internet Services Private Limited, Ground Floor, Eros Corporate Towers, Nehru Place, New Delhi, 110 019, India, ATTN: AISPL Legal
If you interact with AWS Offerings on behalf of or through your organization, then your personal information may also be subject to your organization’s privacy practices, and you should direct privacy inquiries to your organization.
Our business changes constantly, and our Privacy Notice may also change. You should check our website frequently to see recent changes. You can see the date on which the latest version of this Privacy Notice was posted. Unless stated otherwise, our current Privacy Notice applies to all personal information we have about you and your account. We stand behind the promises we make, however, and will never materially change our policies and practices to make them less protective of personal information collected in the past without informing affected customers and giving them a choice.
EU-US and Swiss-US Privacy Shield
Amazon Web Services, Inc. participates in the EU-US and Swiss-US Privacy Shield frameworks. Click here to learn more.
Additional Information for Certain Jurisdictions
We provide additional information about the privacy, collection, and use of personal information of prospective and current customers of AWS Offerings located in certain jurisdictions.
For any prospective or current customers of AWS Offerings in Canada:
Your Rights. Subject to applicable law, you have the right to:
- ask whether we hold personal information about you and request copies of such personal information and information about how it is processed;
- request that inaccurate personal information is corrected;
- request deletion of personal information that is no longer necessary for the purposes underlying the processing, processed based on withdrawn consent, or processed in non-compliance with applicable legal requirements; and
- lodge a complaint with us regarding our practices related to your personal information.
You can exercise your rights of access, rectification, erasure, restriction, or complaint by contacting us. If you wish to do any of these things and you are an AWS customer, please contact us. If you are not an AWS customer, please contact us at the address stated under Notice and Revisions above.
For any prospective or current customers of AWS Offerings in the European Economic Area (EEA):
Controller of Personal Information. Amazon Web Services EMEA SARL, 5 rue Plaetis, L-2338 Luxembourg, is the data controller of personal information collected or processed through AWS Offerings. Amazon Web Services EMEA SARL, is the authorized representative of Amazon Web Services, Inc. in the EEA.
Processing. We process your personal information on one or more of the following legal bases:
- as necessary to enter into a contract with you or a legal entity you represent, to perform our contractual obligations, to provide AWS Offerings, to respond to requests from you, or to provide customer support;
- where we have a legitimate interest, as described in this Privacy Notice (see How We Use Personal Information above);
- as necessary to comply with relevant law and legal obligations, including to respond to lawful requests and orders; or
- with your consent.
Your Rights. Subject to applicable law, you have the right to:
- ask whether we hold personal information about you and request copies of such personal information and information about how it is processed;
- request that inaccurate personal information is corrected;
- request deletion of personal information that is no longer necessary for the purposes underlying the processing, processed based on withdrawn consent, or processed in non-compliance with applicable legal requirements;
- request us to restrict the processing of personal information where the processing is inappropriate;
- object to the processing of personal data;
- request portability of personal information that you have provided to us (which does not include information derived from the collected information), where the processing of such personal information is based on consent or a contract with you and is carried out by automated means; and
- lodge a complaint with our principal supervisory authority, the Commission Nationale pour la Protection des Données in Luxembourg www.cnpd.lu, or with a local authority.
You can exercise your rights of access, rectification, erasure, restriction, objection, and data portability by contacting us. If you wish to do any of these things and you are an AWS customer, please contact us. If you are not an AWS customer, please contact us at the address under Notice and Revisions above.
When you consent to our processing your personal information for a specified purpose, you may withdraw your consent at any time, and we will stop any further processing of your data for that purpose.
Cookies. Please refer to our Cookies Notice.
Transfers outside of the EEA. When we transfer your personal information outside the EEA we do so in accordance with the terms of this Privacy Notice and applicable data protection law. This may include the transfer of data in accordance with the EU-US and Swiss-US Privacy Shield frameworks (for transfers to the US) or pursuant to data transfer agreements that incorporate the Standard Contractual Clauses approved by the EU Commission.
For any prospective or current customers of AWS Offerings in Japan:
Any personal information provided to or gathered by Amazon Web Services Japan K.K. is controlled primarily by Amazon Web Services Japan K.K. Any personal information collected by Amazon Web Services, Inc. is controlled primarily by Amazon Web Services, Inc. We use information in accordance with this Privacy Notice jointly with our domestic and foreign subsidiaries of Amazon.com, Inc., including Amazon Web Services, Inc., Amazon Web Services Japan K.K., Amazon Web Services EMEA SARL, and other global entities. Amazon Web Services Japan K.K. is the business operator primarily responsible for managing jointly used information. We might create de-identified information using your email address, name, address, customer ID, order ID, session ID, and other information.
For any prospective or current customers of AWS Offerings in South Korea:
AWS has contracts in place with the following third party service provider(s) to perform functions on behalf of AWS in Korea, and they may have access to your personal information as needed to perform their functions described below:
| Name of Party | Description of Function |
|---+---|
| Marketo | Customer communications |
| Salesforce | Customer relationship management |
| PaymentTech | Payment instrument processing |
When deleting personal information, AWS will take standard commercially reasonable measures to make the personal information practically irrecoverable or irreproducible. The specific manner of deletion will depend on the information being deleted, how the information was collected and stored, and your interactions with us. Electronic documents or files containing personal information will be deleted using a technical method that makes recovery or retrieval of such information practically impossible or renders the data no longer personally identifiable. Non-electronic documents or files containing personal information will be shredded, incinerated, or both.
If you have any privacy questions or requests please contact:
AWS Korea Privacy Email: aws-korea-privacy@amazon.com
Examples of Information Collected
Information You Give Us
You provide information to us when you:
- search for, subscribe to, or purchase AWS Offerings;
- create or administer your AWS account (and you might have more than one account if you have used more than one email address when using AWS Offerings);
- configure your settings for, provide data access permissions for, or otherwise interact with AWS Offerings;
- register for or attend an AWS event;
- purchase or use content, products, or services from third-party providers through the AWS Marketplace (or other similar venues operated or provided by us);
- offer your content, products, or services on or through AWS Offerings or the AWS Marketplace (or other similar venues operated or provided by us);
- communicate with us by phone, email, or otherwise;
- complete a questionnaire, a support ticket, or other information request forms;
- post on AWS websites or participate in community features; and
- employ notification services.
Depending on your use of AWS Offerings, you might supply us with such information as:
- your name, email address, physical address, phone number, and other similar contact information;
- payment information, including credit card and bank account information;
- information about your location;
- information about your organization and your contacts, such as colleagues or people within your organization;
- usernames, aliases, roles, and other authentication and security credential information;
- content of feedback, testimonials, inquiries, support tickets, and any phone conversations, chat sessions and emails with or to us;
- your image (still, video, and in some cases 3-D), voice, and other identifiers that are personal to you when you attend an AWS event or use certain AWS Offerings;
- information regarding identity, including government-issued identification information;
- corporate and financial information; and
- VAT numbers and other tax identifiers.
Automatic Information
We collect information automatically when you:
- visit, interact with, or use AWS Offerings (including when you use your computer or other device to interact with AWS Offerings);
- download content from us;
- open emails or click on links in emails from us; and
- interact or communicate with us (such as when you attend an AWS event or when you request customer support).
Examples of the information we automatically collect include:
- network and connection information, such as the Internet protocol (IP) address used to connect your computer or other device to the Internet and information about your Internet service provider;
- computer and device information, such as device, application, or browser type and version, browser plug-in type and version, operating system, or time zone setting;
- the location of your device or computer;
- authentication and security credential information;
- content interaction information, such as content downloads, streams, and playback details, including duration and number of simultaneous streams and downloads;
- AWS Offerings metrics, such as offering usage, occurrences of technical errors, diagnostic reports, your settings preferences, backup information, API calls, and other logs;
- the full Uniform Resource Locators (URL) clickstream to, through, and from our website (including date and time) and AWS Offerings, content you viewed or searched for, page response times, download errors, and page interaction information (such as scrolling, clicks, and mouse-overs);
- email addresses and phone numbers used to contact us; and
- identifiers and information contained in cookies (see our Cookies Notice).
Information from Other Sources
Examples of information we receive from other sources include:
- marketing, sales generation, and recruitment information, including your name, email address, physical address, phone number, and other similar contact information;
- subscription, purchase, support, or other information about your interactions with products and services offered by us, our affiliates (such as AWS training courses), or third parties (such as products offered through the AWS Marketplace) in relation to AWS Offerings;
- search results and links, including paid listings (such as Sponsored Links); and
- credit history information from credit bureaus.
Information You Can Access
Examples of information you can access through AWS Offerings include:
- your name, email address, physical address, phone number, and other similar contact information;
- usernames, aliases, roles, and other authentication and security credential information;
- your subscription, purchase, usage, billing, and payment history;
- payment settings, such as payment instrument information and billing preferences;
- tax information;
- email communication and notification settings; and
- if you participate in the AWS Marketplace or Amazon Partner Network (or other similar venues operated or provided by us), your account, your status, subscriptions, and other information.
Customers can access the information above through AWS Offerings, such as the AWS Management Console (including the My Account, Billing Dashboard, Bills, Payment Methods, Payment History, Preferences and Tax Settings pages), the AWS Email Preference Center, AWS Marketplace, and APN Partner Central.
Bootstrap the AWS Account Manually
Create a temporary administrative user
Create a user named safe-to-delete-admin and attach an IAM policy to it that lets it do anything. We'll delete this in a little bit.
Put the credentials in ~/.aws/credentials. You must set up an AWS credentials file with a profile of the same name as the one our Terraform configuration uses (i.e., "guix"). For example, put this in your ~/.aws/credentials:
#+BEGIN_SRC ini
[guix]
aws_access_key_id=ACCESS_KEY_ID
aws_secret_access_key=SECRET_ACCESS_KEY
#+END_SRC
See: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html
That documentation is written for the AWS CLI, but the same ideas apply generally to other AWS SDKs and tools.
Now, run "terraform init" in the directory containing the file "main.tf", and Terraform will download the AWS provider if you don't already have it.
Then run "terraform plan", and Terraform will tell you what changes it will make.
After that, let's try creating it by running "terraform apply".
It worked, hooray! Now we can update ~/.aws/configuration with the newly created access key (you have to decrypt its secret part from the output using GnuPG) and then delete the safe-to-delete-admin user manually (without using Terraform). After that, we can control nearly all aspects of the AWS account and its resources via IAM users.
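The mechanism behind "decrypt its secret part from the output using GnuPG", as an added Terraform illustration rather than the repository's own iam.tf: an administrator user whose access key secret is only ever emitted in PGP-encrypted form. The user name "alice", the key file keys/alice.pub.b64, and the 0.12+ expression syntax are assumptions; the AWS provider itself is assumed to be configured elsewhere (e.g. in main.tf) with the "guix" profile.

```hcl
# Added illustration, not the repository's own configuration.
# Assumed names: IAM user "alice", local file keys/alice.pub.b64.

resource "aws_iam_user" "alice" {
  name = "alice"
}

# AdministratorAccess is the AWS-managed policy; this ARN is the standard one.
resource "aws_iam_user_policy_attachment" "alice_admin" {
  user       = aws_iam_user.alice.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# keys/alice.pub.b64 is the admin's *binary* public key export, base64-encoded:
#   gpg --export <fingerprint> | base64 -w0 > keys/alice.pub.b64
# With pgp_key set, the provider records only encrypted_secret in the state
# file; the plaintext secret is never written to state or to the outputs.
resource "aws_iam_access_key" "alice" {
  user    = aws_iam_user.alice.name
  pgp_key = file("${path.module}/keys/alice.pub.b64")
}

output "alice_access_key_id" {
  value = aws_iam_access_key.alice.id
}

# The admin decrypts this on their own machine (Terraform 0.14+ for -raw):
#   terraform output -raw alice_encrypted_secret | base64 --decode | gpg --decrypt
output "alice_encrypted_secret" {
  value = aws_iam_access_key.alice.encrypted_secret
}
```

Because only the encrypted secret reaches the state file, a leaked state backend does not expose a usable key; the ID alone is harmless without the secret.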
Enable IAM users to view billing information
Some activities cannot be done by an IAM user, even an administrator, without taking some manual steps first to allow it. Read more here:
https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
These tasks must be performed by the so-called "root user". The "root user" is a term that AWS uses to refer to, essentially, the entity that owns and has truly full control over all aspects of the account. It is not an IAM user.
One of these activities is viewing billing info, which is useful. Let's let IAM users do that:
Once that's done, all administrators can now also view the billing information. In addition, it is now possible to define new IAM policies to grant the specific permission to view the billing information (but not anything else). For example, we could create a group called "accountants" that contains users who need access to view billing information (but nothing else).
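The "accountants" group described above, as an added Terraform illustration (not the repository's own iam.tf). The group name, policy name and member list are placeholders; it only grants anything once the root user has enabled IAM access to billing as described in this section.

```hcl
# Added illustration, not the repository's own configuration.
# Assumed names: group "accountants", policy "view-billing-only", user "bob".

# Only the two read-only billing-console actions; nothing else in the account.
data "aws_iam_policy_document" "view_billing_only" {
  statement {
    sid       = "ViewBillingOnly"
    effect    = "Allow"
    actions   = ["aws-portal:ViewBilling", "aws-portal:ViewUsage"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "view_billing_only" {
  name        = "view-billing-only"
  description = "Read-only access to billing and usage pages; no other permissions"
  policy      = data.aws_iam_policy_document.view_billing_only.json
}

resource "aws_iam_group" "accountants" {
  name = "accountants"
}

resource "aws_iam_group_policy_attachment" "accountants_billing" {
  group      = aws_iam_group.accountants.name
  policy_arn = aws_iam_policy.view_billing_only.arn
}

# Membership is declared here, in one place, so that removing a name from this
# list revokes the access in the same "terraform apply" that adds new members.
resource "aws_iam_group_membership" "accountants" {
  name  = "accountants-membership"
  group = aws_iam_group.accountants.name
  users = ["bob"] # placeholder; entries must be existing aws_iam_user names
}
```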
Get invoice as PDF via email
To further reduce the need to run JavaScript just to view your invoice, follow these instructions to have the invoice mailed to you as a PDF file:
https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/emailed-invoice.html
I have done this for our account. It seems this cannot be configured using Terraform or any existing AWS API.
Enable cost explorer
This is Cost Explorer: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/ce-what-is.html
To ensure I have the ability to drill into the costs we might incur, I've enabled this for now. It isn't possible to enable it (yet) with Terraform configuration.
Enabling it adds no additional cost to our bill, even if we choose to use the Cost Explorer tool in the AWS Management Console. However, if we choose to use the Cost Explorer APIs, those do cost extra.
Enable "Receive billing alerts"
It is necessary to enable "receive billing alerts" in order to create alarms on billing-related metrics. I've manually enabled this for our account. It isn't possible (yet?) to configure this in Terraform configuration. For details, see:
Update the billing Contact Information if necessary
It seems any further customization of the billing information (e.g., contact address) must be made manually using the AWS Management Console.
Configuration structure
There can be multiple files (*.tf, *.tfvars), or just one file. Name doesn't matter, as long as it ends in .tf or .tfvars. We could probably move our "variables.tf" into some kind of "variables.tfvars" file, but I haven't thought very much about the structure beyond that. It works, so that's good for now.
Configuration files can contain things like this:
- provider(s)
- resource(s)
- module(s)
- variable(s)
- output(s)
For now, we have a file called "main.tf", which configures some high-level aspects of Terraform (e.g., the region to use). Service-specific configuration is split into service-specific files; for example, the "iam.tf" file contains IAM-specific configuration. Finally, the file "variables.tf" contains variables that are referenced by resources in the other files.
See: https://learn.hashicorp.com/terraform/getting-started/variables ("Note that the file can be named anything, since Terraform loads all files ending in .tf in a directory.")
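As an added illustration of how the files above fit together (not the project's own files): a .tf file declares variables, a .tfvars file only assigns values to variables that are declared in some .tf file, and resources in other .tf files reference them. So a "variables.tfvars" could hold the values, but the declarations would still have to live in a .tf file. The variable names, the default region and the user names are assumptions.

```hcl
# variables.tf (declarations only; a .tfvars file cannot replace this file)
variable "administrators" {
  description = "IAM user names that get administrator access"
  type        = list(string)
}

variable "region" {
  description = "AWS region for regional resources"
  type        = string
  default     = "eu-central-1"   # assumed default
}

# terraform.tfvars (values; loaded automatically by "terraform plan/apply")
#   administrators = ["alice", "bob"]
#   region         = "eu-central-1"

# iam.tf (resources that reference the variables)
resource "aws_iam_user" "administrators" {
  for_each = toset(var.administrators)   # one IAM user per listed name
  name     = each.key
}

resource "aws_iam_group" "administrators" {
  name = "administrators"
}

# Group membership is derived from the same list, so adding or removing an
# administrator is a one-line change in the .tfvars file.
resource "aws_iam_group_membership" "administrators" {
  name  = "administrators-membership"
  group = aws_iam_group.administrators.name
  users = [for u in aws_iam_user.administrators : u.name]
}
```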
Questions and Concerns
Resources not managed by Terraform
Some resources cannot currently be managed by Terraform.
ACM Certificate Validation
Initial validation of the ACM certificate requires manual creation of DNS records. See the comment next to charlie-certificate in the file "cloudfront.tf" for details.
Alarm Notifications via Email (i.e., SNS Topic Email Subscriptions)
CloudWatch can send alerts via email. It does this by sending a notification to an SNS topic. To receive an email from a topic, you must subscribe to the topic. To do that, you must follow this procedure:
https://docs.aws.amazon.com/sns/latest/dg/sns-getting-started.html#SubscribeTopic
Terraform doesn't support the creation of email subscriptions to SNS topics, and it probably won't ever. See here for details:
https://www.terraform.io/docs/providers/aws/r/sns_topic_subscription.html
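As an added example covering both the billing alerts above and the SNS topic just described (not the project's own configuration): the topic and a CloudWatch alarm on the estimated monthly charges are created by Terraform, while the e-mail subscription to the topic stays a manual step, as the page notes. Billing metrics are only published in us-east-1, so the alarm and its topic use a provider alias for that region. The topic name, alarm name and threshold are assumptions.

```hcl
# Added example: alarm when the estimated month-to-date bill passes a threshold.
# Names and the threshold are illustrative, not the project's.

# Billing metrics exist only in us-east-1, whatever region the rest of the
# configuration uses.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

resource "aws_sns_topic" "billing_alerts" {
  provider = aws.us_east_1
  name     = "billing-alerts"   # assumed name
}

# Requires "Receive Billing Alerts" to be enabled in the billing preferences
# (a manual root-user step, see above). The e-mail subscription to the topic
# is also added manually; Terraform does not manage it.
resource "aws_cloudwatch_metric_alarm" "estimated_charges" {
  provider            = aws.us_east_1
  alarm_name          = "estimated-charges-above-threshold"   # assumed name
  namespace           = "AWS/Billing"
  metric_name         = "EstimatedCharges"
  dimensions          = { Currency = "USD" }
  statistic           = "Maximum"
  period              = 21600   # billing data is published roughly every 6 hours
  evaluation_periods  = 1
  comparison_operator = "GreaterThanThreshold"
  threshold           = 100     # assumed value, in USD
  alarm_description   = "Estimated month-to-date charges exceed the threshold"
  alarm_actions       = [aws_sns_topic.billing_alerts.arn]
  treat_missing_data  = "notBreaching"   # no data yet is not an alert
}
```

After "terraform apply", subscribe the address that should receive alerts to the topic using the procedure linked above, and confirm the subscription from the e-mail AWS sends; until that confirmation, the alarm fires but nobody is notified.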
Terraform-specific Problems
Downloads pre-built binaries
https://learn.hashicorp.com/terraform/getting-started/build
By default, "terraform init" downloads and installs "plugin" binaries. It would be better if they were packaged individually in Guix.
terraform registry
A collection of 'modules':
Questions
Guix build farm (berlin)
- Does it ever return 3xx (e.g. redirects)? Will those be interpreted as redirects to the CloudFront distribution, or will it cause clients to send requests directly to the build farm (which would be undesirable)? I think the answer is "no", it doesn't return redirects.
- Are there any URLs that are not returning a Cache-Control (or Expires) header but should be? The CloudFront distribution is currently configured to cache a response for 24 hours if it omits such a header. There are no such URLs as far as I can tell.
- Are there any URLs that are returning a Cache-Control (or Expires) header but either (1) should actually omit the header or (2) are specifying an unreasonable value? There are no such URLs as far as I can tell.
- Should we include "Cache-Control: max-age" or "Cache-Control: s-maxage" in responses we want to be cached? It seems the difference only matters when caching results in a web browser. For our use case, I don't think we need to bother using s-maxage at all.
- Is it OK to ignore query parameters, headers, and cookies when deciding whether or not to cache? We don't cache anything that needs these, so it's OK to ignore them.
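The answers in the list above translate into a handful of settings on a CloudFront distribution. As an added example (not the project's cloudfront.tf), here is a distribution with exactly that cache behaviour: a 24-hour default TTL that applies only when the origin sends no Cache-Control or Expires header, no forwarding of query strings or cookies, and HTTP redirected to HTTPS. The origin host name, comment and price class are assumptions. It uses the older forwarded_values block; newer versions of the AWS provider express the same thing through cache policies.

```hcl
# Added example: a distribution whose cache behaviour matches the answers above.
# The origin domain, the comment and the price class are assumptions.

resource "aws_cloudfront_distribution" "example" {
  enabled = true
  comment = "Example CDN in front of a substitute server"   # assumed

  origin {
    domain_name = "origin.example.org"   # assumed origin host name
    origin_id   = "substitutes"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"   # CloudFront talks TLS to the origin
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id = "substitutes"
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]

    # default_ttl applies only when the origin sends no Cache-Control/Expires.
    # A Cache-Control max-age from the origin is honoured, clamped to [min_ttl, max_ttl].
    min_ttl     = 0
    default_ttl = 86400      # 24 hours
    max_ttl     = 31536000   # 1 year

    # Nothing served here varies on query string, cookies or headers, so they
    # are not forwarded; this also keeps the cache hit ratio high.
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    # Redirect plain HTTP to HTTPS; use "https-only" to refuse HTTP entirely.
    viewer_protocol_policy = "redirect-to-https"
  }

  price_class = "PriceClass_100"   # assumed

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # Replace with an ACM certificate (in us-east-1) when serving a custom domain.
    cloudfront_default_certificate = true
  }
}
```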
Terraform
- What does Terraform store in its "state"? Does it store anything sensitive, like secrets? Depending on the configuration, it might store secrets, and those secrets might be encrypted (e.g., by someone's PGP key) in the state file. This is independent of any server side encryption that might also be happening within the S3 bucket, in the case of the S3 backend.
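As an added example for the state question above (not the project's configuration): when the S3 backend is used, the state object can be encrypted at rest and writes can be serialised with a lock table. Both are settings on the backend block. Note that server-side encryption protects the object on disk only; anyone who can read the bucket can read every value in the state, so access to the bucket is the real boundary. Bucket, key, table and profile values are assumptions.

```hcl
# Added example: remote state in S3 with encryption at rest and locking.
# Bucket, key and table names are assumptions; they must exist before
# "terraform init" is run with this backend.

terraform {
  backend "s3" {
    bucket  = "example-terraform-state"   # assumed bucket name
    key     = "cdn/terraform.tfstate"     # assumed object key
    region  = "eu-central-1"              # assumed region of the bucket
    profile = "guix"                      # credentials profile from ~/.aws/credentials

    # Server-side encryption of the state object (SSE-S3). This protects the
    # object at rest; it does not hide values from anyone allowed to read it.
    encrypt = true

    # A DynamoDB table with a "LockID" string key; prevents two people from
    # running "terraform apply" against the same state at once.
    dynamodb_table = "example-terraform-locks"   # assumed table name
  }
}
```

Values that Terraform cannot avoid storing (for example an access key secret created without a pgp_key) will be present in this object in plaintext, so the bucket should be private and its access restricted to the administrators who run Terraform.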
How can we improve on this?
- Package Terraform
- Package the AWS Provider plugin for Terraform
- Simplify variable definitions by using .tfvars file?
- Use origin failover to serve requests via the CDN from berlin first, and hydra second? https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/high_availability_origin_failover.html
- Support HTTPS only (i.e., drop support for HTTP without TLS).