AWS CloudFormation is an automation tool that helps deploy your AWS cloud resources by using a common language like JSON or YAML to describe your architecture. This provides a method to create reusable gold standard templates for common pieces of your environment.

These repeatable templates help to prevent problems associated with manual entry and ad hoc deployments. By creating cloud formation templates, you give yourself the power to document, index, version control, and manage your architecture just like code.

This includes the ability to peer review entire architectures for faults, and implement security audits that detect vulnerabilities just by sending a text file to the appropriate person. That's particularly hard to do in the on premises environment.

In case you have never seen a CloudFormation template here is a very simple example.

Here we are creating an AWS resource called “MyS3Bucket” that is of type- S3 bucket.  If we were to run this through CloudFormation, it would try to create an S3 bucket in whatever region you were currently selected in. As long as the name is available, Cloudformation will go ahead with creation, and fairly quickly you would have your brand new resource created automatically for you.

You can of course create far more complicated templates that build enterprise-level architectures all in one document. However, ideas such as encapsulation and segmentation of your architecture are still important, especially if you move forward with a microservice-based implementation. 

Now let's take a look at a more relevant example where we can deploy an RDS database using CloudFormation. 

As you can see here, there is a little bit more going on than in the previous template.

This CloudFormation template describes a very simple RDS database that allocates 20 gbs for storage, uses a t2.micro instance for the compute, and is running MySQL. 

Now those of you who are more security minded will have noticed a plain text Master user name and password. Leaving this kind of information within a CloudFormation template, or any code for that matter could lead to security breaches and loss of confidential information.

There are a few ways to get around this problem. One of the more common methods is to declare that section as a parameter, where the user will have to enter that information upon the creation of the CloudFormation stack. 

This removes the issue of having a plain text password within the document, but still puts some burden on the user to manually enter one more thing and to remember yet another password and username.

I think it would be super helpful to have the whole password and username business completely automated; Allowing us to remove the extra dependency of the human element out of the equation altogether. 

To accomplish this task, let's take a look at another service called AWS Secrets Manager. Where we will have the power to remove the hardcoded username and password from our CloudFormation template.

Lectures

Course Introduction - Why Automate? - Keeping Your Environment Secure with AWS Secrets Manager - Creating a Secret - Putting It All Together - Wrap Up