Advanced CloudFormation Skills
This course provides detail on the AWS Management & Governance services relevant to the AWS Certified DevOps Engineer - Professional exam.
- Learn how AWS AppConfig can reduce errors in configuration changes and prevent application downtime
- Understand how the AWS Cloud Development Kit (CDK) can be used to model and provision application resources using common programming languages
- Get a high-level understanding of Amazon CloudWatch
- Learn about the features and use cases of the service
- Create your own CloudWatch dashboard to monitor the items that are important to you
- Understand how CloudWatch dashboards can be shared across accounts
- Understand the cost structure of CloudWatch dashboards and the limitations of the service
- Review how monitored metrics go into an ALARM state
- Learn about the challenges of creating CloudWatch Alarms and the benefits of using machine learning in alarm management
- Know how to create a CloudWatch Alarm using Anomaly Detection
- Learn what types of metrics are suitable for use with Anomaly Detection
- Create your own CloudWatch log subscription
- Learn how AWS CloudTrail enables auditing and governance of your AWS account
- Understand how Amazon CloudWatch Logs enables you to monitor and store your system, application, and custom log files
- Explain what AWS CloudFormation is and what it’s used for
- Determine the benefits of AWS CloudFormation
- Understand what the core components are and what they are used for
- Create a CloudFormation Stack using an existing AWS template
- Learn what VPC flow logs are and what they are used for
- Determine options for operating programmatically with AWS, including the AWS CLI, APIs, and SDKs
- Learn about the capabilities of AWS Systems Manager for managing applications and infrastructure
- Understand how AWS Secrets Manager can be used to securely encrypt application secrets
Let’s deploy a template that creates an EC2 instance hosting an Apache web server and a security group. For ease and convenience, I’ll use the AWS Management Console. I’ll navigate to the CloudFormation dashboard and click Create stack. From there, I can choose to upload a template file, use a sample template that CloudFormation provides, or build a template in a drag-and-drop diagram interface called CloudFormation Designer.
Since I’m using a template I created, I'll choose to upload a template file, select my web-server-with-security-group template, and click Next. Then I have to name my stack; I’ll call it EC2InstanceWithSecurityGroup.
Then I have to choose a value for each template parameter. Some parameters have a default value specified, and I can override those if I'd like. For my instance type, I'll click the drop-down, see that I have three options, and choose t2.nano. For my key name, I'll specify a key pair I created outside of the course so I can SSH into my instance.
For the SSHLocation parameter, I can use the value 0.0.0.0/0, which allows any remote IP address to reach port 22 on my EC2 instance, or I can restrict it to a fixed address. Leaving SSH open to the whole internet is acceptable for a throwaway demo but not for anything that stays running, so prefer your own address. If you're using fixed IP addresses, remember to use CIDR notation. For example, if I want to allow SSH traffic only from my IP address, I’ll begin by specifying my IP, say 188.8.131.52, and then add a slash 32 to put it in CIDR format.
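The two checks a reviewer would want on the SSHLocation value, as an added example that is not part of the course or its template: that the value really is CIDR notation (a bare address is canonicalised to /32, and an address with host bits under the mask is rejected), and that the security group the parameter feeds does not end up exposing port 22 to 0.0.0.0/0 once defaults and supplied parameters are applied. The template fragment, the logical ID InstanceSecurityGroup and the AllowedPattern are constructed for this example and only approximate the shape of the demo template.

```python
import ipaddress

# Constructed template fragment for this example (not the course's own
# web-server-with-security-group template): the SSHLocation parameter and the
# security-group shape that the demo describes.
TEMPLATE = {
    "Parameters": {
        "SSHLocation": {
            "Type": "String",
            "Default": "0.0.0.0/0",
            "AllowedPattern": r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})",
        },
    },
    "Resources": {
        "InstanceSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Enable SSH and HTTP access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": {"Ref": "SSHLocation"}},
                    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                     "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
    },
}


def normalize_cidr(value):
    """Return the canonical CIDR for a parameter value.

    A bare address ("188.8.131.52") becomes a /32; host bits set under the
    mask ("188.8.131.52/24") raise ValueError, because that is not a network.
    """
    return str(ipaddress.ip_network(str(value).strip(), strict=True))


def is_valid_cidr(value):
    """True when normalize_cidr() accepts the value."""
    try:
        normalize_cidr(value)
        return True
    except ValueError:
        return False


def resolve_cidr(cidr, parameters, template):
    """Resolve a literal CidrIp or a {"Ref": "<Parameter>"} to its effective
    value: the supplied parameter if present, otherwise the template default."""
    if isinstance(cidr, dict) and "Ref" in cidr:
        name = cidr["Ref"]
        if name in parameters:
            return parameters[name]
        return template["Parameters"][name].get("Default")
    return cidr


def find_world_open_ssh(template, parameters):
    """Return [(logical_id, cidr)] for every security-group ingress rule that
    exposes port 22 to the whole internet (prefix length 0) once parameters
    are applied. Rules that do not cover port 22 are ignored."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            proto = str(rule.get("IpProtocol", ""))
            if proto == "-1":  # all traffic, all ports
                low, high = 0, 65535
            elif proto == "tcp":
                low, high = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            else:
                continue
            if not low <= 22 <= high:
                continue
            raw = resolve_cidr(rule.get("CidrIp", rule.get("CidrIpv6")), parameters, template)
            if raw is None or not is_valid_cidr(raw):
                continue
            net = ipaddress.ip_network(normalize_cidr(raw))
            if net.prefixlen == 0:
                findings.append((logical_id, str(net)))
    return findings


if __name__ == "__main__":
    # With the template default, SSH is world-open; with a /32 it is not.
    print(find_world_open_ssh(TEMPLATE, {}))
    print(find_world_open_ssh(TEMPLATE, {"SSHLocation": normalize_cidr("188.8.131.52")}))
```

The port 80 rule stays on 0.0.0.0/0 and is deliberately not flagged: a public web server is the point of the demo, whereas SSH from anywhere is not. Run the same function over the parameters you intend to pass to create-stack before you click Create.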
Then I can click Next. Here I see additional stack options. I can create tags to apply to my resources, and I can also specify an IAM service role for CloudFormation to assume when it creates my resources. If I don’t provide a role, CloudFormation uses the permissions of the IAM principal I’m signed in as, so a dedicated, least-privilege service role is the safer choice outside a demo.
Additionally, there are stack failure options that let me choose whether to roll back all resources on failure or roll back only the failed resources while preserving the ones that were created successfully. You can see that the default behavior rolls back all resources, and I’ll keep that selected for this demo.
You can also choose to have CloudFormation use Amazon Simple Notification Service, or Amazon SNS, to notify you about stack events during stack creation, update, or deletion. And the stack policy field is useful if you want to prevent stack resources from being unintentionally updated or replaced during a stack update.
A stack policy is a JSON document similar to an IAM policy. Like IAM policies, stack policies are defined with the following elements: Effect, Action, Principal, and Resource. I'll paste in an example stack policy here so you can take a look.
The Effect value can be either Allow or Deny. Using Action or NotAction, you specify the update actions (Update:Modify, Update:Replace, Update:Delete, or Update:* for all three) that you want to allow or deny. Principal is a mandatory attribute, but it only supports the wildcard, which means the statement applies to all principals. Resource lists the resources the statement applies to, addressed by logical ID as LogicalResourceId/<id>. Here you can see an allow-all statement, which allows all resources to be updated.
However, I’m also including a Deny statement, which prevents all updates, including replacement and deletion, to my EC2 instance. Although the Allow statement specifies all resources, the explicit Deny overrides it for the resource with the EC2Instance logical ID. Two things to keep in mind: once a stack policy is set, every resource not covered by an Allow statement is protected by default, and a stack policy only governs stack updates; it does not stop a principal with delete-stack permission from deleting the whole stack.
Keep in mind, you can always set a stack policy and then edit or temporarily override it when you need to update a protected resource. For now, I’ll leave the stack policy blank, click Next, review the options, and click Create stack.
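To make the evaluation rules concrete, here is an added example (my own code, not part of the course) that reproduces how a stack policy decides whether one update action on one resource is permitted: a matching Deny beats any Allow, and anything not explicitly allowed is denied once a policy exists. DEMO_POLICY mirrors the allow-all plus deny-EC2Instance policy described above; RDS_POLICY goes beyond the demo and protects every RDS instance by resource type rather than by logical ID. Both policies, the logical IDs and the resource types are constructed for the example.

```python
import fnmatch

# Constructed stack policy for this example, mirroring the one pasted in the
# demo: allow every update, but deny any update to the resource whose logical
# ID is EC2Instance.
DEMO_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
         "Resource": "LogicalResourceId/EC2Instance"},
    ]
}

# Constructed variant that goes beyond the demo: protect every RDS instance in
# the stack from replacement or deletion, whatever its logical ID, by matching
# on ResourceType in a Condition instead of on the logical ID.
RDS_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["Update:Replace", "Update:Delete"],
         "Principal": "*", "Resource": "*",
         "Condition": {"StringEquals": {"ResourceType": ["AWS::RDS::DBInstance"]}}},
    ]
}

UPDATE_ACTIONS = ("Update:Modify", "Update:Replace", "Update:Delete")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_any(text, patterns):
    # Stack-policy wildcards behave like shell globs; "*" also covers "/".
    return any(fnmatch.fnmatchcase(text, p) for p in _as_list(patterns))


def _action_matches(statement, action):
    if "Action" in statement:
        return _glob_any(action, statement["Action"])
    if "NotAction" in statement:
        return not _glob_any(action, statement["NotAction"])
    return False


def _resource_matches(statement, logical_id, resource_type):
    # Resources are addressed as LogicalResourceId/<id>; an optional Condition
    # on ResourceType (StringEquals or StringLike) narrows the match further.
    target = "LogicalResourceId/" + logical_id
    if "Resource" in statement:
        hit = _glob_any(target, statement["Resource"])
    elif "NotResource" in statement:
        hit = not _glob_any(target, statement["NotResource"])
    else:
        hit = False
    if not hit:
        return False
    cond = statement.get("Condition", {})
    if "ResourceType" in cond.get("StringEquals", {}):
        return resource_type in _as_list(cond["StringEquals"]["ResourceType"])
    if "ResourceType" in cond.get("StringLike", {}):
        return _glob_any(resource_type, cond["StringLike"]["ResourceType"])
    return True


def is_update_allowed(policy, action, logical_id, resource_type=""):
    """Evaluate one update action against a stack policy.

    A matching Deny wins over any Allow, and with a policy in place anything
    not explicitly allowed is denied, because CloudFormation protects every
    resource by default once a stack policy is set.
    """
    allowed = False
    for statement in policy.get("Statement", []):
        if not (_action_matches(statement, action)
                and _resource_matches(statement, logical_id, resource_type)):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


def blocked_updates(policy, logical_id, resource_type=""):
    """List the update actions the policy would reject for one resource."""
    return [a for a in UPDATE_ACTIONS
            if not is_update_allowed(policy, a, logical_id, resource_type)]


if __name__ == "__main__":
    print("EC2Instance:", blocked_updates(DEMO_POLICY, "EC2Instance", "AWS::EC2::Instance"))
    print("InstanceSecurityGroup:", blocked_updates(DEMO_POLICY, "InstanceSecurityGroup"))
    print("Database:", blocked_updates(RDS_POLICY, "Database", "AWS::RDS::DBInstance"))
```

Use it to sanity-check a policy before attaching it: feed in the logical IDs and types from the template and confirm that the resources you mean to protect come back with all three actions blocked, and that nothing else does. Note that is_update_allowed() with an empty Statement list returns False for everything, which is exactly why a half-written policy can block a routine update of the security group.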
Now, let’s understand what’s happening under the hood here. The stack dashboard has several different tabs.
The currently open tab is Events, which lists all stack events. Here you can see the order in which the resources are created. Once I kick off the stack creation, it starts by creating my instance security group, since the instance references that resource. Once the security group is created successfully, it then creates the EC2 instance.
As resources are created, you can also click the Resources tab to gather more information and view the created resources. Clicking the EC2 instance's physical ID link takes me to the EC2 dashboard, where I can see the details of my new instance. Some resources create quickly, while others, like RDS database instances, may take tens of minutes to complete.
Back in the CloudFormation dashboard, I can see that my stack status has changed to CREATE_COMPLETE. This means that all of my resources have been created successfully! That leaves one more thing to check out: the Outputs tab. Here I can see all the returned values that I specified as outputs in my CloudFormation template.
I can copy the public IP, open up a new browser window, type http://, paste in the IP, and you can see our h1 header saying “Hello from cloud academy!”
In summary, I provided CloudFormation two inputs, the template and the parameters, it processed those, and outputted a stack. From there, I can grab the information from the outputs of that stack and view the website. That's all for this one, see you next time!
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.