Monday, 21 March 2022

AWS Service Catalog


  • Allows you to create, manage, and distribute catalogs of approved products to end-users, who can then access the products they need in a personalized portal. 
  • Administrators can control which users have access to each product to enforce compliance with organizational business policies. Administrators can also set up adopted roles so that end users only require IAM access to AWS Service Catalog in order to deploy approved resources.
  • This is a regional service.

Features


  • Standardization of assets
  • Self-service discovery and launch
  • Fine-grain access control
  • Extensibility and version control

Concepts

  • Users
    • Catalog administrators – Manage a catalog of products, organizing them into portfolios and granting access to end users. Catalog administrators prepare AWS CloudFormation templates, configure constraints, and manage IAM roles that are assigned to products to provide for advanced resource management.
    • End users – Use AWS Service Catalog to launch products to which they have been granted access.
  • Products
    • Can comprise one or more AWS resources, such as EC2 instances, storage volumes, databases, monitoring configurations, and networking components, or packaged AWS Marketplace products.
    • You create your products by importing AWS CloudFormation templates. The templates define the AWS resources required for the product, the relationships between resources, and the parameters for launching the product to configure security groups, create key pairs, and perform other customizations.
    • You can see the products that you are using and their health state in the AWS Service Catalog console.
  • Portfolio
    • A collection of products, together with configuration information. Portfolios help manage product configuration, determine who can use specific products and how they can use them.
    • When you add a new version of a product to a portfolio, that version is automatically available to all current users of that portfolio.
    • You can also share your portfolios with other AWS accounts and allow the administrator of those accounts to distribute your portfolios with additional constraints.
    • When you add tags to your portfolio, the tags are applied to all instances of resources provisioned from products in the portfolio.
  • Versioning
    • Service Catalog allows you to manage multiple versions of the products in your catalog.
    • A version can have one of three statuses:
      • Active – An active version appears in the version list and allows users to launch it.
      • Inactive – An inactive version is hidden from the version list. Existing provisioned products launched from this version will not be affected.
      • Deleted – If a version is deleted, it is removed from the version list. Deleting a version can’t be undone.
  • Access control
    • You apply AWS IAM permissions to control who can view and modify your products and portfolios.
    • By assigning an IAM role to each product, you can avoid giving users permissions to perform unapproved operations, and enable them to provision resources using the catalog.
  • Constraints
    • You use constraints to apply limits to products for governance or cost control. 
    • Types of constraints:
      • Template constraints restrict the configuration parameters that are available for the user when launching the product. Template constraints allow you to reuse generic AWS CloudFormation templates for products and apply restrictions to the templates on a per-product or per-portfolio basis. 
      • Launch constraints allow you to specify a role for a product in a portfolio. This role is used to provision the resources at launch, so you can restrict user permissions without impacting users’ ability to provision products from the catalog.
      • Notification constraints specify an Amazon SNS topic to receive notifications about stack events.
      • Tag update constraints allow administrators to allow or disallow end users to update tags on resources associated with an AWS Service Catalog provisioned product.
  • Stack
    • Every AWS Service Catalog product is launched as an AWS CloudFormation stack.
    • You can use CloudFormation StackSets to launch Service Catalog products across multiple regions and accounts. You can specify the order in which products deploy sequentially within regions. Across accounts, products are deployed in parallel.
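
The template constraints described under Constraints are written in the CloudFormation Rules syntax (a Rules block whose assertions are built from Ref, Fn::Contains, Fn::Equals and the boolean functions). As an added example that is not Service Catalog or AWS code, the evaluator below lets an administrator unit-test such a constraint against proposed launch parameters before attaching it to a product; the constraint JSON, rule names and parameter names (InstanceType, AssignPublicIp, Environment) are constructed for illustration, and only the Ref, Fn::Contains, Fn::Equals, Fn::And, Fn::Or and Fn::Not functions are supported.

```python
"""Evaluate Service Catalog template-constraint rules locally.

Added example, not AWS code: a small evaluator for the subset of the
CloudFormation Rules syntax that template constraints are written in.
"""
import json

# Constructed constraint: only burstable instance types may be launched, and
# a public IP is permitted only when the Environment parameter is "sandbox".
CONSTRAINT = {
    "Rules": {
        "InstanceTypeRule": {
            "Assertions": [{
                "Assert": {"Fn::Contains": [["t3.micro", "t3.small"], {"Ref": "InstanceType"}]},
                "AssertDescription": "Only t3.micro and t3.small may be launched from this portfolio.",
            }]
        },
        "PublicIpRule": {
            "RuleCondition": {"Fn::Equals": [{"Ref": "AssignPublicIp"}, "true"]},
            "Assertions": [{
                "Assert": {"Fn::Equals": [{"Ref": "Environment"}, "sandbox"]},
                "AssertDescription": "Public IPs are permitted only in the sandbox environment.",
            }]
        },
    }
}


def evaluate(expr, params):
    """Recursively evaluate a rule-function node to a Python value."""
    if not isinstance(expr, dict):
        return expr                       # literal string or list of strings
    (fn, arg), = expr.items()            # a function node has exactly one key
    if fn == "Ref":
        if arg not in params:
            raise KeyError(f"parameter {arg!r} was not supplied at launch")
        return params[arg]
    if fn == "Fn::Equals":
        return evaluate(arg[0], params) == evaluate(arg[1], params)
    if fn == "Fn::Contains":             # [list_of_strings, string]
        return evaluate(arg[1], params) in evaluate(arg[0], params)
    if fn == "Fn::And":
        return all(evaluate(a, params) for a in arg)
    if fn == "Fn::Or":
        return any(evaluate(a, params) for a in arg)
    if fn == "Fn::Not":
        return not evaluate(arg[0], params)
    raise ValueError(f"unsupported rule function {fn}")


def check_constraint(constraint, params):
    """Return the AssertDescription of every failed assertion (empty = launch allowed).

    A rule whose RuleCondition evaluates to False is skipped, which is how
    CloudFormation treats conditional rules.
    """
    failures = []
    for name, rule in constraint["Rules"].items():
        cond = rule.get("RuleCondition")
        if cond is not None and not evaluate(cond, params):
            continue
        for assertion in rule["Assertions"]:
            if not evaluate(assertion["Assert"], params):
                failures.append(f"{name}: {assertion['AssertDescription']}")
    return failures


if __name__ == "__main__":
    for proposed in (
        {"InstanceType": "t3.micro", "AssignPublicIp": "false", "Environment": "prod"},
        {"InstanceType": "m5.large", "AssignPublicIp": "true", "Environment": "prod"},
    ):
        print(json.dumps(proposed), "->", check_constraint(CONSTRAINT, proposed) or "OK")
```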

Security

  • Service Catalog uses Amazon S3 buckets and Amazon DynamoDB databases that are encrypted at rest using Amazon-managed keys.
  • Service Catalog uses TLS and client-side encryption of information in transit between the caller and AWS.
  • Service Catalog integrates with AWS CloudTrail and Amazon SNS.

Pricing

  • The AWS Service Catalog free tier includes 1,000 API calls per month.
  • You are charged based on the number of API calls made to Service Catalog beyond the free tier.

AWS OpsWorks


  • A configuration management service that helps you configure and operate applications in a cloud enterprise by using Puppet or Chef.
  • AWS OpsWorks Stacks and AWS OpsWorks for Chef Automate (1 and 2) let you use Chef cookbooks and solutions for configuration management, while OpsWorks for Puppet Enterprise lets you configure a Puppet Enterprise master server in AWS.
  • With AWS OpsWorks, you can automate how nodes are configured, deployed, and managed, whether they are Amazon EC2 instances or on-premises devices.


OpsWorks for Puppet Enterprise

  • Provides a fully-managed Puppet master, a suite of automation tools that enable you to inspect, deliver, operate, and future-proof your applications, and access to a user interface that lets you view information about your nodes and Puppet activities.
  • Does not support all regions.
  • Uses puppet-agent software.
  • Features
    • AWS manages the Puppet master server running on an EC2 instance. You retain control over the underlying resources running your Puppet master.
    • You can choose the weekly maintenance window during which OpsWorks for Puppet Enterprise will automatically install updates.
    • Monitors the health of your Puppet master during update windows and automatically rolls back changes if issues are detected.
    • You can configure automatic backups for your Puppet master and store them in an S3 bucket in your account.
    • You can register new nodes to your Puppet master by inserting a user-data script, provided in the OpsWorks for Puppet Enterprise StarterKit, into your Auto Scaling groups.
    • Puppet uses SSL and a certification approval process when communicating to ensure that the Puppet master responds only to requests made by trusted users.
  • Deleting a server also deletes its events, logs, and any modules that were stored on the server. Supporting resources are also deleted, along with all automated backups.
  • Pricing
    • You are charged based on the number of nodes (servers running the Puppet agent) connected to your Puppet master and the time those nodes are running, at an hourly rate, and you also pay for the underlying EC2 instance running your Puppet master.

OpsWorks for Chef Automate

  • Lets you create AWS-managed Chef servers that include Chef Automate premium features, and use the Chef DK and other Chef tooling to manage them.
  • AWS OpsWorks for Chef Automate supports Chef Automate 2.
  • Uses chef-client.
  • Features
    • You can use Chef to manage both Amazon EC2 instances and on-premises servers running Linux or Windows.
    • You receive the full Chef Automate platform which includes premium features that you can use with Chef server, like Chef Workflow, Chef Visibility, and Chef Compliance.
    • You provision a managed Chef server running on an EC2 instance in your account. You retain control over the underlying resources running your Chef server and you can use Knife to SSH into your Chef server instance at any time.
    • You can set a weekly maintenance window during which OpsWorks for Chef Automate will automatically install updates.
    • You can configure automatic backups for your Chef server, which are stored in an S3 bucket.
    • You can register new nodes to your Chef server by inserting user-data code snippets provided by OpsWorks for Chef Automate into your Auto Scaling groups.
    • Chef uses SSL to ensure that the Chef server responds only to requests made by trusted users. The Chef server and Chef client use bidirectional validation of identity when communicating with each other.
  • Deleting a server also deletes its events, logs, and any cookbooks that were stored on the server. Supporting resources are also deleted, along with all automated backups.
  • Pricing
    • You are charged based on the number of nodes connected to your Chef server and the time those nodes are running, and you also pay for the underlying EC2 instance running your Chef server.

OpsWorks Stacks

  • Provides a simple and flexible way to create and manage stacks and applications.
  • Stacks are groups of AWS resources that constitute a full-stack application. By default, you can create up to 40 stacks, and each stack can hold up to 40 layers, 40 instances, and 40 apps.
  • You can create stacks that help you manage cloud resources in specialized groups called layers. A layer represents a set of EC2 instances that serve a particular purpose, such as serving applications or hosting a database server. Layers depend on Chef recipes to handle tasks such as installing packages on instances, deploying apps, and running scripts.


  • OpsWorks Stacks does NOT require or create Chef servers.
  • Features
    • You can deploy EC2 instances from template configurations, including EBS volume creation.
    • You can configure the software on your instances on-demand or automatically based on lifecycle events, from bootstrapping the base OS image into a working server to modifying running services to reflect changes.
    • OpsWorks Stacks can auto heal your stack. If an instance fails in your stack, OpsWorks Stacks can replace it with a new one.
    • You can adapt the number of running instances to match your load, with time-based or load-based auto scaling.
    • You can use OpsWorks Stacks to configure and manage both Linux and Windows EC2 instances.
    • You can use AWS OpsWorks Stacks to deploy, manage, and scale your application on any Linux server such as EC2 instances or servers running in your own data center.
  • Instance Types
    • 24/7 instances are started manually and run until you stop them.
    • Time-based instances are run by OpsWorks Stacks on a specified daily and weekly schedule. They allow your stack to automatically adjust the number of instances to accommodate predictable usage patterns.
    • Load-based instances are automatically started and stopped by OpsWorks Stacks, based on specified load metrics, such as CPU utilization. They allow your stack to automatically adjust the number of instances to accommodate variations in incoming traffic.
      • Load-based instances are available only for Linux-based stacks.
  • Lifecycle Events
    • You can run recipes manually, but OpsWorks Stacks also lets you automate the process by supporting a set of five lifecycle events:
      • Setup occurs on a new instance after it successfully boots.
      • Configure occurs on all of the stack’s instances when an instance enters or leaves the online state.
      • Deploy occurs when you deploy an app.
      • Undeploy occurs when you delete an app.
      • Shutdown occurs when you stop an instance.
  • Monitoring
    • OpsWorks Stacks sends all of your resource metrics to CloudWatch.
    • Logs are available for each action performed on your instances.
    • CloudTrail logs all API calls made to OpsWorks.
  • Security
    • Grant IAM users access to specific stacks, making management of multi-user environments easier.
    • You can also set user-specific permissions for actions on each stack, allowing you to decide who can deploy new application versions or create new resources.
    • Each EC2 instance has one or more associated security groups that govern the instance’s network traffic. A security group has one or more rules, each of which specifies a particular category of allowed traffic.
  • Pricing
    • You pay for AWS resources created using OpsWorks Stacks in the same manner as if you created them manually.

AWS Management Console


  • Resource Groups
    • A collection of AWS resources that are all in the same AWS region, and that match criteria provided in a query.
    • Resource groups make it easier to manage and automate tasks on large numbers of resources at one time.
    • Two types of queries on which you can build a group:
      • Tag-based
      • AWS CloudFormation stack-based
  • Tag Editor
    • Tags are words or phrases that act as metadata for identifying and organizing your AWS resources. The tag limit varies with the resource, but most can have up to 50 tags.
    • You can sort and filter the results of your tag search to find the tags and resources that you need to work with.

AWS Health


  • Provides ongoing visibility into the state of your AWS resources, services, and accounts.
  • The service delivers alerts and notifications triggered by changes in the health of AWS resources.
  • The Personal Health Dashboard, powered by the AWS Health API, is available to all customers. The dashboard requires no setup, and it is ready to use for authenticated AWS users. The Personal Health Dashboard organizes issues in three groups:
    • Open issues – restricted to issues whose start time is within the last seven days.
    • Scheduled changes – contains items that are ongoing or upcoming.
    • Other notifications – restricted to issues whose start time is within the last seven days.
  • You can centrally aggregate your AWS Health events from all accounts in your AWS Organization. The AWS Health Organizational View provides centralized and real-time access to all AWS Health events posted to individual accounts in your organization, including operational issues, scheduled maintenance, and account notifications.

AWS Config


  • A fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.

Features

  • Multi-account, multi-region data aggregation gives you an enterprise-wide view of your Config rule compliance status, and you can associate your AWS organization to quickly add your accounts.
  • Provides you pre-built rules to evaluate your AWS resource configurations and configuration changes, or create your own custom rules in AWS Lambda that define your internal best practices and guidelines for resource configurations.
  • Config records details of changes to your AWS resources to provide you with a configuration history, and automatically deliver it to an S3 bucket you specify.
  • Receive a notification whenever a resource is created, modified, or deleted.
  • Config enables you to record software configuration changes within your EC2 instances and servers running on-premises, as well as servers and Virtual Machines in environments provided by other cloud providers. You gain visibility into:
    • operating system configurations
    • system-level updates
    • installed applications
    • network configuration
  • Config can provide you with a configuration snapshot – a point-in-time capture of all your resources and their configurations.
  • Config discovers, maps, and tracks AWS resource relationships in your account (e.g., EC2 instances and their associated security groups).

Concepts

  • Configuration History
    • A collection of the configuration items for a given resource over any time period, containing information such as when the resource was first created, how the resource has been configured over the last month, etc.
    • Config automatically delivers a configuration history file for each resource type that is being recorded to an S3 bucket that you specify.
    • A configuration history file is sent every six hours for each resource type that Config records.
  • Configuration item
    • A record of the configuration of a resource in your AWS account. Config creates a configuration item whenever it detects a change to a resource type that it is recording.
    • The components of a configuration item include metadata, attributes, relationships, current configuration, and related events.
  • Configuration Recorder
    • Stores the configurations of the supported resources in your account as configuration items.
    • By default, the configuration recorder records all supported resources in the region where Config is running. You can create a customized configuration recorder that records only the resource types that you specify.
    • You can also have Config record the supported types of global resources, which are IAM users, groups, roles, and customer managed policies.
  • Configuration Snapshot
    • A complete picture of the resources that are being recorded and their configurations.
    • Stored in an S3 bucket that you specify.
  • Configuration Stream
    • An automatically updated list of all configuration items for the resources that Config is recording.
    • Helpful for observing configuration changes as they occur so that you can spot potential problems, generating notifications if certain resources are changed, or updating external systems that need to reflect the configuration of your AWS resources.
  • Configuration Item
    • The configuration of a resource at a given point-in-time. A CI consists of 5 sections:
      • Basic information about the resource that is common across different resource types.
      • Configuration data specific to the resource.
      • Map of relationships with other resources.
      • CloudTrail event IDs that are related to this state.
      • Metadata that helps you identify information about the CI, such as the version of this CI, and when this CI was captured.
  • Resource Relationship
    • Config discovers AWS resources in your account and then creates a map of relationships between AWS resources.
  • Config rule
    • Represents your desired configuration settings for specific AWS resources or for an entire AWS account.
    • Provides customizable, predefined rules. If a resource violates a rule, Config flags the resource and the rule as noncompliant, and notifies you through Amazon SNS.
    • Evaluates your resources either in response to configuration changes or periodically.
  • Config deletes data older than your specified retention period. The default period is 7 years.
  • Multi-Account Multi-Region Data Aggregation
    • An aggregator collects configuration and compliance data from the following:
      • Multiple accounts and multiple regions.
      • Single account and multiple regions.
      • An organization in AWS Organizations and all the accounts in that organization.
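
The custom rules mentioned under Features run as Lambda functions: AWS Config hands the function a configuration item (as a JSON string in the invoking event) and the function reports a verdict back with PutEvaluations. As an added example that is not AWS sample code, here is a rule that marks a security group non-compliant when it allows ingress on a configurable port from 0.0.0.0/0 or ::/0. The sample configuration item and event are constructed, and the layout of the security-group data under `configuration` (ipPermissions with ipv4Ranges, ipv6Ranges or the older flat ipRanges) is assumed from Config's EC2 resource schema rather than taken from the page.

```python
"""Custom AWS Config rule (Lambda): flag security groups that allow ingress on a
blocked port from anywhere. Added example, not AWS sample code."""
import json

WORLD = {"0.0.0.0/0", "::/0"}


def _covers_port(perm, port):
    """True when the permission entry includes `port`; protocol -1 means all ports."""
    if perm.get("ipProtocol") == "-1":
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is None or hi is None or lo <= port <= hi


def _open_to_world(perm):
    """Any source CIDR equal to 0.0.0.0/0 or ::/0 (assumed Config SG layout:
    ipv4Ranges/ipv6Ranges objects, plus the older flat ipRanges list)."""
    cidrs = {r.get("cidrIp") for r in perm.get("ipv4Ranges", [])}
    cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    cidrs |= set(perm.get("ipRanges", []))
    return bool(cidrs & WORLD)


def evaluate_compliance(configuration_item, blocked_port=22):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if configuration_item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule evaluates security groups only"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Resource was deleted"
    cfg = configuration_item.get("configuration") or {}
    for perm in cfg.get("ipPermissions", []):
        if _covers_port(perm, blocked_port) and _open_to_world(perm):
            return "NON_COMPLIANT", f"Ingress on port {blocked_port} is open to the world"
    return "COMPLIANT", f"No world-open ingress on port {blocked_port}"


def lambda_handler(event, context, config_client=None):
    """Entry point Config invokes: the configuration item arrives as a JSON
    string in event['invokingEvent']; the verdict goes back via PutEvaluations.
    config_client is a boto3 'config' client; None keeps the run offline."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_compliance(ci, int(params.get("blockedPort", 22)))
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed configuration item: SSH and HTTPS both open to 0.0.0.0/0.
SAMPLE_CI = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2022-03-21T10:00:00.000Z",
    "configuration": {"groupName": "web", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    ]},
}
# Constructed invocation event in the shape Config sends to a custom rule.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": SAMPLE_CI,
                                 "messageType": "ConfigurationItemChangeNotification"}),
    "ruleParameters": json.dumps({"blockedPort": "22"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```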


Monitoring

  • Use Amazon SNS to send you notifications every time a supported AWS resource is created, updated, or otherwise modified as a result of user API activity.
  • Use Amazon CloudWatch Events to detect and react to changes in the status of AWS Config events.
  • Use AWS CloudTrail to capture API calls to Config.

Security

  • Use IAM to create individual users for anyone who needs access to Config and grant different permissions to each IAM user.

Compliances

  • ISO
  • PCI DSS
  • HIPAA
  • FedRAMP

Pricing

  • You are charged based on the number of configuration items recorded and on the number of AWS Config rule evaluations recorded, rather than on the number of active rules in your account per region. You are charged only once for recording a configuration item.

AWS CloudTrail


  • Actions taken by a user, role, or an AWS service in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs are recorded as events.
  • CloudTrail is enabled on your AWS account when you create it.
  • CloudTrail focuses on auditing API activity.
  • View events in Event History, where you can view, search, and download the past 90 days of activity in your AWS account.

Trails

  • Create a CloudTrail trail to archive, analyze, and respond to changes in your AWS resources.
  • Types
    • A trail that applies to all regions – CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket that you specify. This is the default option when you create a trail in the CloudTrail console.
    • A trail that applies to one region – CloudTrail records the events in the region that you specify only. This is the default option when you create a trail using the AWS CLI or the CloudTrail API.
  • You can create an organization trail that will log all events for all AWS accounts in an organization created by AWS Organizations. Organization trails must be created in the management account.
  • By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption. You can also choose to encrypt your log files with an AWS Key Management Service key.
  • You can store your log files in your S3 bucket for as long as you want, and also define S3 lifecycle rules to archive or delete log files automatically.
  • If you want notifications about log file delivery and validation, you can set up Amazon SNS notifications.
  • CloudTrail publishes log files about every five minutes.

Events

  • The record of an activity in an AWS account. This activity can be an action taken by a user, role, or service that is monitorable by CloudTrail.
  • Types
    • Management events
      • Logged by default
      • Management events provide insight into management operations performed on resources in your AWS account, also known as control plane operations.
    • Data events
      • Not logged by default
      • Data events provide insight into the resource operations performed on or in a resource, also known as data plane operations.
      • Data events are often high-volume activities.
    • Insights events
      • Not logged by default
      • Insights events capture unusual activity in your AWS account. If you have Insights events enabled, CloudTrail detects unusual activity and logs this to S3.
      • Insights events provide relevant information, such as the associated API, incident time, and statistics, that help you understand and act on unusual activity.
      • Insights events are logged only when CloudTrail detects changes in your account’s API usage that differ significantly from the account’s typical usage patterns.
  • For global services such as IAM, STS, CloudFront, and Route 53, events are delivered to any trail that includes global services, and are logged as occurring in US East (N. Virginia) Region.
  • You can filter logs by specifying Time range and one of the following attributes: Event name, User name, Resource name, Event source, Event ID, and Resource type.

Monitoring

  • Use CloudWatch Logs to monitor log data. CloudTrail events that are sent to CloudWatch Logs can trigger alarms according to the metric filters you define.
  • To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation.
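
As an added example that is not AWS code, the script below ties together three things from this section: filtering a delivered log file by the attributes Event History exposes, the kind of metric-filter detection you would put in front of CloudWatch alarms (here, calls that stop, delete or narrow a trail), and the per-file hash comparison that log file integrity validation performs. The log records are constructed; the watch-list of tamper events and the field names of a digest entry (hashAlgorithm, hashValue) are assumptions, not taken from the page.

```python
"""Triage a CloudTrail log file: Event History-style filtering, audit-tampering
detection, and the per-file hash check of log file integrity validation."""
import hashlib
import json

# Calls that stop, delete or narrow audit coverage (assumed watch-list).
LOGGING_TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteDeliveryChannel"},
}

# Constructed log file in CloudTrail's {"Records": [...]} layout.
SAMPLE_LOG = {"Records": [
    {"eventID": "e1", "eventTime": "2022-03-21T09:58:12Z", "sourceIPAddress": "203.0.113.10",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "resources": [{"resourceType": "AWS::EC2::Instance", "resourceName": "i-0abc"}]},
    {"eventID": "e2", "eventTime": "2022-03-21T10:02:45Z", "sourceIPAddress": "198.51.100.7",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventID": "e3", "eventTime": "2022-03-21T10:03:01Z", "sourceIPAddress": "198.51.100.7",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}, "errorCode": "AccessDenied"},
    {"eventID": "e4", "eventTime": "2022-03-21T10:05:00Z", "sourceIPAddress": "203.0.113.10",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
     "requestParameters": {"userName": "svc-backup"}},
]}


def user_name(record):
    """Event History's 'User name': the IAM user name, or the assumed-role session name."""
    ident = record.get("userIdentity", {})
    if "userName" in ident:
        return ident["userName"]
    arn = ident.get("arn", "")
    return arn.rsplit("/", 1)[-1] if arn else None


def filter_events(records, **attrs):
    """Filter on the attributes Event History exposes (eventName, userName,
    resourceName, eventSource, eventID, resourceType); every given one must match."""
    def matches(rec):
        for key, want in attrs.items():
            if key == "userName":
                have = [user_name(rec)]
            elif key in ("resourceName", "resourceType"):
                have = [r.get(key) for r in rec.get("resources", [])]
            else:
                have = [rec.get(key)]
            if want not in have:
                return False
        return True
    return [r for r in records if matches(r)]


def detect_logging_tampering(records):
    """One alert per watch-listed call; denied attempts are kept and marked,
    since a failed StopLogging still deserves a look."""
    alerts = []
    for rec in records:
        if rec.get("eventName") in LOGGING_TAMPER_EVENTS.get(rec.get("eventSource"), ()):
            alerts.append({
                "eventID": rec["eventID"], "eventName": rec["eventName"],
                "user": user_name(rec), "sourceIP": rec.get("sourceIPAddress"),
                "target": (rec.get("requestParameters") or {}).get("name"),
                "succeeded": "errorCode" not in rec,
            })
    return alerts


def digest_entry_for(log_file_bytes):
    """The logFiles[] entry a digest file carries for one delivered object
    (field names assumed from the digest format)."""
    return {"hashAlgorithm": "SHA-256", "hashValue": hashlib.sha256(log_file_bytes).hexdigest()}


def log_file_matches_digest(log_file_bytes, digest_entry):
    """Per-file step of integrity validation: hash the object exactly as delivered
    (CloudTrail delivers gzipped files) and compare with the digest's hashValue."""
    if digest_entry.get("hashAlgorithm") != "SHA-256":
        raise ValueError("unexpected hash algorithm in digest entry")
    return hashlib.sha256(log_file_bytes).hexdigest() == digest_entry["hashValue"]


if __name__ == "__main__":
    recs = SAMPLE_LOG["Records"]
    print([r["eventID"] for r in filter_events(recs, userName="bob")])
    print(json.dumps(detect_logging_tampering(recs), indent=1))
    blob = json.dumps(SAMPLE_LOG).encode()            # stand-in for the delivered object
    print(log_file_matches_digest(blob, digest_entry_for(blob)))
```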

Price

  • The first copy of management events within each region is delivered free of charge. Additional copies of management events are charged.
  • Data events are recorded and charged only for the Lambda functions, DynamoDB tables, and S3 buckets you specify.
  • Once a CloudTrail trail is set up, S3 charges apply based on your usage, since CloudTrail delivers logs to an S3 bucket.

Limits

  • Trails per region – Default limit: 5. A trail that applies to all regions counts as one trail in every region. This limit cannot be increased.
  • Get, describe, and list APIs – Default limit: 10 transactions per second (TPS). The maximum number of operation requests you can make per second without being throttled. This limit cannot be increased.
  • All other APIs – Default limit: 1 transaction per second (TPS). The maximum number of operation requests you can make per second without being throttled. This limit cannot be increased.
  • Event selectors – Default limit: 5 per trail. This limit cannot be increased.
  • Data resources in event selectors – Default limit: 250 across all event selectors in a trail. The total number of data resources cannot exceed 250 across all event selectors in a trail. The number of resources on an individual event selector is configurable up to 250; this upper limit is allowed only if the total number of data resources does not exceed 250 across all event selectors. This limit cannot be increased.

AWS CloudFormation


  • A service that gives developers and businesses an easy way to create a collection of related AWS resources and provision them in an orderly and predictable fashion.

Features

  • CloudFormation allows you to model your entire infrastructure in a text file called a template. You can use JSON or YAML to describe what AWS resources you want to create and configure. If you want to design visually, you can use AWS CloudFormation Designer.
  • CloudFormation automates the provisioning and updating of your infrastructure in a safe and controlled manner. You can use Rollback Triggers to specify the CloudWatch alarm that CloudFormation should monitor during the stack creation and update process. If any of the alarms are breached, CloudFormation rolls back the entire stack operation to a previously deployed state.
  • CloudFormation Change Sets allow you to preview how proposed changes to a stack might impact your running resources.
  • AWS StackSets lets you provision a common set of AWS resources across multiple accounts and regions with a single CloudFormation template. StackSets takes care of automatically and safely provisioning, updating, or deleting stacks in multiple accounts and across multiple regions.
  • CloudFormation enables you to build custom extensions to your stack template using AWS Lambda.

CloudFormation vs Elastic Beanstalk

  • Elastic Beanstalk provides an environment to easily deploy and run applications in the cloud.
  • CloudFormation is a convenient provisioning mechanism for a broad range of AWS resources.

Concepts

  • Templates
    • A JSON or YAML formatted text file.
    • CloudFormation uses these templates as blueprints for building your AWS resources.
  • Stacks
    • Manage related resources as a single unit.
    • All the resources in a stack are defined by the stack’s CloudFormation template.
  • Change Sets
    • Before updating your stack and making changes to your resources, you can generate a change set, which is a summary of your proposed changes.
    • Change sets allow you to see how your changes might impact your running resources, especially for critical resources, before implementing them.


  • With AWS CloudFormation and AWS CodePipeline, you can use continuous delivery to automatically build and test changes to your CloudFormation templates before promoting them to production stacks.
  • CloudFormation artifacts can include a stack template file, a template configuration file, or both. AWS CodePipeline uses these artifacts to work with CloudFormation stacks and change sets.
    • Stack Template File – defines the resources that CloudFormation provisions and configures. You can use YAML or JSON-formatted templates.
    • Template Configuration File – a JSON-formatted text file that can specify template parameter values, a stack policy, and tags. Use these configuration files to specify parameter values or a stack policy for a stack.
  • Through AWS PrivateLink, you can call CloudFormation APIs from inside your Amazon VPC and route data between your VPC and CloudFormation entirely within the AWS network.

Stacks

  • If a resource cannot be created, CloudFormation rolls the stack back and automatically deletes any resources that were created. If a resource cannot be deleted, any remaining resources are retained until the stack can be successfully deleted.
  • Stack update methods
    • Direct update
    • Creating and executing change sets
  • Drift detection enables you to detect whether a stack’s actual configuration differs, or has drifted, from its expected configuration. Use CloudFormation to detect drift on an entire stack, or on individual resources within the stack.
    • A resource is considered to have drifted if any of its actual property values differ from the expected property values.
    • A stack is considered to have drifted if one or more of its resources have drifted.
  • To share information between stacks, export a stack’s output values. Other stacks that are in the same AWS account and region can import the exported values.
  • You can nest stacks.

Templates

  • Templates include several major sections. The Resources section is the only required section.
  • CloudFormation Designer is a graphic tool for creating, viewing, and modifying CloudFormation templates. You can diagram your template resources using a drag-and-drop interface, and then edit their details using the integrated JSON and YAML editor.
  • Custom resources enable you to write custom provisioning logic in templates that CloudFormation runs anytime you create, update (if you changed the custom resource), or delete stacks.
  • Template macros enable you to perform custom processing on templates, from simple actions like find-and-replace operations to extensive transformations of entire templates.

StackSets

  • CloudFormation StackSets allow you to roll out CloudFormation stacks over multiple AWS accounts and in multiple Regions with just a couple of clicks. StackSets is commonly used together with AWS Organizations to centrally deploy and manage services in different accounts.
  • Administrator and target accounts – An administrator account is the AWS account in which you create stack sets. A stack set is managed by signing in to the AWS administrator account in which it was created. A target account is the account into which you create, update, or delete one or more stacks in your stack set.
  • In addition to the organization’s management account, you can delegate other administrator accounts in your AWS Organization that can create and manage stack sets with service-managed permissions for the organization.
  • Stack sets – A stack set lets you create stacks in AWS accounts across regions by using a single CloudFormation template. All the resources included in each stack are defined by the stack set’s CloudFormation template. A stack set is a regional resource.
  • Stack instances – A stack instance is a reference to a stack in a target account within a region. A stack instance can exist without a stack; for example, if the stack could not be created for some reason, the stack instance shows the reason for the stack creation failure. A stack instance can be associated with only one stack set.
  • Stack set operations – Create stack set, update stack set, delete stacks, and delete stack set.
  • Tags – You can add tags during stack set creation and update operations by specifying key and value pairs.

Monitoring

  • CloudFormation is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in CloudFormation. CloudTrail captures all API calls for CloudFormation as events, including calls from the CloudFormation console and from code calls to the CloudFormation APIs.

Security

  • You can use IAM with CloudFormation to control what users can do with AWS CloudFormation, such as whether they can view stack templates, create stacks, or delete stacks.
  • A service role is an IAM role that allows CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows CloudFormation to create, update, or delete your stack resources.
  • You can improve the security posture of your VPC by configuring CloudFormation to use an interface VPC endpoint.

Pricing

  • No additional charge for CloudFormation. You pay for AWS resources created using CloudFormation in the same manner as if you created them manually.