Deploying a CloudFormation Template Demo


Course Introduction
Amazon CloudWatch
AWS Config
What is AWS Config?
AWS Control Tower
AWS Control Tower
PREVIEW19m 56s
AWS Resource Access Manager
AWS Management
AWS Service Catalog
PREVIEW10m 34s
AWS Trusted Advisor Best Practices
AWS Health Dashboard
AWS Data Visualization
Finding Compliance Data with AWS Artifact
Observability in AWS
Start course
6h 2m

This section of the AWS Certified Solutions Architect - Professional learning path introduces the AWS management and governance services relevant to the AWS Certified Solutions Architect - Professional exam. These services are used to help you audit, monitor, and evaluate your AWS infrastructure and resources and form a core component of resilient and performant architectures. 

Want more? Try a Lab Playground or do a Lab Challenge!

Learning Objectives

  • Understand the benefits of using AWS CloudWatch and audit logs to manage your infrastructure
  • Learn how to record and track API requests using AWS CloudTrail
  • Learn what AWS Config is and its components
  • Manage multi-account environments with AWS Organizations and Control Tower
  • Learn how to carry out logging with CloudWatch, CloudTrail, CloudFront, and VPC Flow Logs
  • Learn about AWS data transformation tools such as AWS Glue and data visualization services like Amazon Athena and QuickSight
  • Learn how AWS CloudFormation can be used to represent your infrastructure as code (IaC)
  • Understand SLAs in AWS

Let’s deploy a template that creates an EC2 instance hosting an Apache web server and a security group. For ease and convenience, I’ll use the AWS Management Console. I’ll navigate to the CloudFormation dashboard. Then, I’ll click create new stack. From there, I can choose to upload a template file, use a sample template that CloudFormation creates for you, or create a template using a drag-and-drop diagram interface called CloudFormation designer.

Since I’m using a template I created, I'll choose to upload a template file, and select my web-server-with-security-group template and click next. Then, I'll have to name my stack - I’ll call it EC2InstanceWithSecurityGroup. 

Then, I have to choose a value for each template parameter. While some parameters might have a default value specified, I can choose to overwrite them if I'd like. For my instance type, I'll click the drop-down and see I have three options, and I'll choose t2.nano. And for my key name, I'll specify a key I created outside of the course so I can ssh into my instance.  

For the SSH location parameter, I can use the value which will allow any remote IP address to reach my EC2 instance or I can choose to use a fixed IP address. If you're using fixed IP addresses, remember to use the CIDR notation. For example, If I want to only allow SSH traffic from my IP address, I’ll begin by specifying my IP, say and then add on slash 32 to be in CIDR format.

Then I can click next. Here I will see additional stack options. I can create tags to apply to my resources, and I can also create an IAM role for CloudFormation to use to create my resources. If I don’t provide an IAM role, it will use my user permissions to create the infrastructure. 

Additionally, there's Stack failure options that let me choose if I want to roll back all resources on failure or only roll back failed resources while preserving successfully created ones. You can see that the default behavior rolls back all resources - and I’ll keep that selected for this demo. 

You can also choose to have CloudFormation use Amazon Simple Notification Service, or Amazon SNS, to notify you about stack events during the service creation or deletion. And then the stack policy field is useful if you want to prevent stack resources from being unintentionally updated or deleted during a stack update.

The stack policy is a JSON document that is similar to IAM policies. Like IAM policies, you define stack policies with the following elements: effect, action, principal, and resource. I'll paste in an example stack policy here, so you can take a look. 

The effect field value can be either allow, or deny. Using action or not action, you can specify all the actions that you want, or don't want to allow or deny. Principal is a mandatory attribute, but it only supports the wildcard, which means the statement applies to all principals. And Resource contains the list of all resources to which the statement will be applied. Here you can see an allow all statement, which is allowing all resources to be updated. 

However, I’m also including a Deny statement, which will prevent all updates, like replacement or deletion, to my EC2 Instance. Although the Allow statement specifies all resources, the explicit Deny statement overrides it for the resource with the EC2Instance logical ID. 

Keep in mind, you can always decide to set a stack policy, and then edit it when you need to update the stack. For now, I’ll leave the stack policy blank, click next, review our options and then click create. 

Now, let’s understand what’s happening under the hood here. The stack dashboard has several different tabs.  

The current open tab is events, which lists all stack events. Here you can see the order that the resources are created. Once I kicked off the stack creation, it starts creating my instance security group, since the instance references that resource. Once the security group is created successfully, it then creates the EC2 instance. 

As resources are created, you can also click the resources tab to gather more information and view the created resources. By clicking the EC2 instance physical ID link, it will take me to the EC2 dashboard, and I can see the appropriate information for my new instance. Some resources create quickly, while other resources like RDS database instances may take 10s of minutes to complete 

Back in the CloudFormation dashboard, I can see that my stack status has been changed to create_complete. This means that all of my resources have been successfully created! Which leaves me one more thing to check out, the outputs tab. Here, I can see all the returned values that I specified as outputs in my CloudFormation template.  

I can copy the public IP, open up a new browser window, specify http://, paste the IP in, and you can see our h1 header saying “Hello from cloud academy!”! 

In summary, I provided CloudFormation two inputs, the template and the parameters, it processed those, and outputted a stack. From there, I can grab the information from the outputs of that stack and view the website. That's all for this one, see you next time! 

About the Author
Learning Paths

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.