Control for Your Cloud Environment Using AWS Management Tools

Jonathan Weiss, Amazon Web Services

SUMMIT © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.



Agenda

Overview of AWS management tools

Dive deep into individual services

Enterprise as code example


AWS Management Tools

Configuration management: AWS OpsWorks

Integrated & interoperable


AWS CloudFormation

• Automate creation of over 250 types of AWS resources

• Update safely with stabilization and rollback

• Deploy many app architectures: Compute, containers, serverless

Code in YAML or JSON directly or use sample templates

Upload local files or from an S3 bucket

Create stack using console, API or CLI

Stacks and resources are provisioned


AWS Service Catalog

• Create & share immutable best practices templates

• Limit access to underlying AWS services

• Enable turn-key self-service solutions for all end-users

[Diagram: AWS Service Catalog product; AWS Resource; labels: Logging, Security, Encryption, Naming, Tag options, Immutable config, Parameter control, Access control]

Best practices standardized in template


AWS OpsWorks

• Provides managed configuration management servers

• Supports Chef Automate and Puppet Enterprise

• Use configuration management DSL to enforce configuration


Amazon CloudWatch

Amazon CloudWatch is a monitoring service for AWS cloud resources and for the applications you run on AWS and on premises.

Monitor EC2

Spot trends

Set alarms - events

Monitor & store logs

Create dashboards

Troubleshoot

Centralize monitoring


AWS X-Ray

• Analyze and debug service requests

• End-to-End Tracing, cross-service view

• Integration via agent/SDK or directly in Lambda


AWS Config & AWS Config rules

• Continuous recording & continuous assessment service

• Tracks configuration changes to AWS resources

• Alerts you if the configuration is non-compliant with your policies

[Diagram labels: Changing resources; AWS Config; AWS Config Rules; History, Snapshot; Notifications; API Access; Normalized]


AWS CloudTrail

• Automatically recorded and centrally stored event logs of account activity

• Perform security audits and operational troubleshooting using API usage events

• Apply governance automatically in response to API events

• Raise alarms in response to account activity

Customer defines an Amazon S3 Bucket for storage

Account event occurs generating API activity

CloudTrail captures and records the API activity

A log with API calls is delivered to S3 Bucket and optionally delivered to CloudWatch Events and CloudWatch Logs
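
Added example (not part of the original deck): one way to act on the "security audits" and "raise alarms" bullets is to scan a delivered CloudTrail log file for API calls that switch off the audit controls this deck relies on. The watch list, the function name and the sample records are assumptions constructed for illustration.

```python
import json

# Assumed watch list (not from the deck): API calls that stop, remove or alter
# CloudTrail or AWS Config recording. Adjust it to your own policy.
AUDIT_TAMPERING = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder",
                             "DeleteDeliveryChannel", "DeleteConfigRule"},
}

# Constructed sample in the shape of a CloudTrail log file delivered to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-dev"}},
    {"eventTime": "2019-05-01T10:02:11Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-west-2",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-dev"}},
    {"eventTime": "2019-05-01T10:03:40Z", "eventSource": "config.amazonaws.com",
     "eventName": "DeleteConfigRule", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.20", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AWSAccount", "accountId": "444455556666"}},
]})


def find_audit_tampering(log_text):
    """Return a finding for every watched API call, allowed or denied."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        watched = AUDIT_TAMPERING.get(rec.get("eventSource"), set())
        if rec.get("eventName") not in watched:
            continue
        identity = rec.get("userIdentity", {})
        findings.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            # errorCode is present only when the call failed (e.g. AccessDenied).
            "outcome": rec.get("errorCode", "succeeded"),
            "actor": identity.get("arn") or identity.get("type", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_audit_tampering(SAMPLE_LOG):
        print(finding)
```

Denied attempts are reported alongside successful ones, since a blocked attempt to stop logging is still worth an alarm.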


AWS Systems Manager

Resource groups

Run command

Inventory

Patch manager

Automation

Parameter store

Maintenance window

State manager

Session Manager

Distributor


Goal – Enterprise as code

Enterprise as code: Complete automation and codification

• Infrastructure as code

• Configuration as code

• Operations as code

• Compliance as code

• Application delivery as code


Application vs. infrastructure

Application

• Your application code

• Your application configuration

Infrastructure

• Amazon Elastic Compute Cloud (Amazon EC2)

• Amazon Elastic Container Service (Amazon ECS)

• AWS Lambda

• Amazon DynamoDB

• Amazon Relational Database Service (Amazon RDS)


Application & infrastructure pipelines

Application: Application pipeline

Infrastructure: Infrastructure pipeline


Application & infrastructure pipelines

Application: Develop, Build & test, Deploy, Monitor

Infrastructure: Provision, Configure, Monitor, Audit & remediate


Application & infrastructure pipelines

[Diagram: the application and infrastructure pipelines annotated with AWS services: AWS Cloud9, AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, Amazon CloudWatch, AWS X-Ray, AWS CloudFormation, AWS OpsWorks, AWS Systems Manager, AWS Config, AWS CloudTrail, AWS CodePipeline, AWS Resource Groups]


Our example application

• Traditional instance-based Java application

• Using Amazon EC2, Application Load Balancing, and Amazon RDS

• Application source code in Git repository

• Software stack: Apache, Tomcat, OpenJDK …


Provisioning using AWS CloudFormation

Define necessary AWS infrastructure in template

• ALB for load balancing

• AWS Auto Scaling group for managing Amazon EC2 instance scaling

• Amazon RDS as database

• CloudWatch alarms and dashboards for monitoring

• AWS Config rules for compliance auditing

• AWS Systems Manager Command Documents

• …


AWS CloudFormation template

"WebServerGroup" : {
  "Type" : "AWS::AutoScaling::AutoScalingGroup",
  "Properties" : {
    "AvailabilityZones" : { "Fn::GetAZs" : "" },
    "LaunchConfigurationName" : { "Ref" : "LaunchConfig" },
    "MinSize" : "1",
    "MaxSize" : "3",
    "LoadBalancerNames" : [ { "Ref" : "ApplicationLoadBalancer" } ]
  }, …


Setting up AWS Resource Groups

• Create a matching resource group for the AWS CloudFormation stack

• Use this resource group to operate on in other services, for example CloudWatch, Systems Manager, and so on

$ aws resource-groups create-group \
    --name My-CFN-stack-group \
    --description "My first CloudFormation stack-based group" \
    --resource-query '{"Type":"CLOUDFORMATION_STACK_1_0","Query":"{\"StackIdentifier\":\"arn:aws:cloudformation:us-west-2:123:stack\/AWStestuseraccount\/EXAMPLE\"}"}'


Configuration management using AWS OpsWorks

Leveraging Chef or Puppet to define on-instance configuration

• Apache 2.4.37 as the web server

• Tomcat 9.0.13 as the application server

• OpenJDK 11.0.1 for running Java

• Managing dependencies and software versions

Use community cookbooks to get started and override where needed


Apache2 community Chef cookbook

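# Install a configuration snippet for Apache
apache2_conf 'example' do
  path '/random/example/path'
end

# Enable the SSL module
apache2_module "ssl"

# Define a virtual host from a template
web_app "my_app" do
  template 'web_app.conf.erb'
  server_name node['my_app']['hostname']
end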


Monitoring with CloudWatch

• Create CloudWatch dashboards for your resource groups



Audit with AWS Config & AWS Config rules

• Create custom AWS Config rules to define company policies

• Get alerts for non-compliant resources

• View resource group specific dashboard


Example AWS Config rule

// Compliant when no expected host ID is configured, or when the instance's
// placement host ID matches it (case-insensitive).
private boolean isOnExpectedDedicatedHost(JsonNode invokingEvent, JsonNode ruleParameters)
        throws JsonProcessingException, IOException {
    String expectedHostId = ruleParameters.path(HOST_ID).textValue();
    String actualHostId = invokingEvent.path(CONFIGURATION_ITEM).path(CONFIGURATION)
            .path(PLACEMENT).path(HOST_ID).textValue();
    return StringUtils.isBlank(expectedHostId)
            || StringUtils.equalsIgnoreCase(expectedHostId, actualHostId);
}

See https://github.com/awslabs/aws-config-rules/ for more examples


Remediate with Systems Manager

• Execute automation document against the resource group


Automation document

"mainSteps": [
  {
    "name": "stopInstances",
    "action": "aws:changeInstanceState",
    "inputs": { "InstanceIds": "{{ InstanceId }}", "DesiredState": "stopped" }
  },
  {
    "name": "startInstances",
    "action": "aws:changeInstanceState",
    "inputs": { "InstanceIds": "{{ InstanceId }}", "DesiredState": "running" }
  }
]


CodePipeline and CodeBuild

• Fully managed continuous delivery service

• Model and monitor your release process

• Builds, tests, and deploys triggered by a code change

[Pipeline diagram callouts: Step, Transition, Action]


CodePipeline and CodeBuild

Promote and release changes of

• Application code: Redeploy app with CodeDeploy

• AWS CloudFormation template: Update infrastructure stack

• Chef cookbooks: Update instance configuration


Goal – Enterprise as code

Enterprise as code: Complete automation and codification

• Infrastructure as code: AWS CloudFormation

• Configuration as code: AWS OpsWorks & Chef

• Operations as code: Systems Manager, CloudWatch

• Compliance as code: AWS Config rules

• Application delivery as code: CodePipeline & CodeDeploy


Thank you!


Jonathan Weiss

jweiss@