Defining infrastructure resource policies in an organized manner can help your company better manage its infrastructure resources.
This session will familiarize you with using AWS Lambda to process data and provide control logic for your infrastructure. You can use Amazon CloudWatch Events to monitor infrastructure resources in real time, and you can use AWS Lambda to react to those events based on a set of rules. We will demonstrate how you can build a rules engine for creating, monitoring, and managing policies.
3. AWS Dev Day - Serverless
Randall Hunt - @jrhunt
Developer Evangelist at AWS
randhunt@amazon.com
Formerly of SpaceX and NASA
4. Agenda
• Brief Overview of Lambda
• Why Automate?
• Why Lambda for Automation and Control Systems?
• Event-Driven Policy Enforcement
• Lambda as an Infrastructure Control Plane
• Best Practices
5. Owning Servers Means Dealing With ...
• Operations and management
• Scaling
• Provisioning and utilization
• Responsibility for availability and fault tolerance
6. Serverless Compute: AWS Lambda
• Compute service: run code without managing servers
• Event-driven: code only runs when it needs to run
7. Going Serverless with Lambda
• Code is all you need (Native: Java/Python/NodeJS)
• Event-driven scaling
• Never pay for idle servers
• Availability and fault tolerance built in
8. Things To Remember: Lambda Function
Memory = “Power level”
• Higher levels offer more memory and more CPU power
Functions don’t have a notion of state
• Use DynamoDB, S3, or ElastiCache
• Wrap your config in a function and call it from your published code
Use the right access control for downstream services
• IAM roles and permissions for AWS services
• VPC for private endpoints
16. Lambda as a building block for Automation
Because Lambda is event-driven, it offers a very powerful framework for Automated Infrastructure Control Planes and Policy Engines.
Event → AWS Lambda → Near real-time reaction
17. Benefits for Automation with AWS Lambda
• Single knob configuration
• Easy to integrate
• Logging and auditability
• Rapid delivery and versioning
• Get started fast
18. Event-Driven Automation as a building block
Being proactive rather than reactive to changes in your infrastructure is key; even so, event-driven automation can be part of the solution. When we do need to be reactive, automation removes human error from the response.
28. Identity and Access Management Enforcement
AWS IAM CreateRole → Lambda Policy Engine:
• Validate Role Path
• Verify No Role Elevation
• Verify No Resource Level Elevation
Outcome: Allow Role, or Delete Roles
29. Tagging Enforcement
EC2 instances → RunInstances → Lambda Policy Engine:
• Validate Team Tag
• Validate Billing Group Tag
• Validate Environment Stage Tag
Outcome: compliant instances keep running; otherwise StopInstances and SNS Notification
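The tagging flow on this slide as a Python Lambda handler, added here as an example (not code from the talk or from AWS): a RunInstances record arrives from CloudWatch Events, each launched instance is checked for the three tags, and non-compliant ones are stopped and reported via SNS. The tag key names, the placeholder topic ARN, and the tagSet layout inside the CloudTrail responseElements are assumptions of this example.

```python
import json

REQUIRED_TAGS = ("Team", "BillingGroup", "EnvironmentStage")  # hypothetical key names

# Constructed CloudWatch Events record for a CloudTrail RunInstances call; the
# tagSet layout under responseElements is an assumption of this example.
SAMPLE_EVENT = {"detail": {"eventName": "RunInstances", "responseElements": {
    "instancesSet": {"items": [
        {"instanceId": "i-0123456789abcdef0", "tagSet": {"items": [
            {"key": "Team", "value": "payments"}, {"key": "BillingGroup", "value": "cc-42"},
            {"key": "EnvironmentStage", "value": "prod"}]}},
        {"instanceId": "i-0fedcba9876543210", "tagSet": {"items": [
            {"key": "Team", "value": "payments"}]}},
    ]}}}}


def missing_tags(instance):
    """Return the required tag keys absent from one instancesSet item."""
    present = {t["key"] for t in instance.get("tagSet", {}).get("items", [])}
    return [key for key in REQUIRED_TAGS if key not in present]


def evaluate(event):
    """Map each non-compliant instance ID to its missing tags; {} means all compliant."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "RunInstances":
        return {}  # this rule only covers launches; ignore other API calls
    items = detail.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    violations = {}
    for instance in items:
        missing = missing_tags(instance)
        if missing:
            violations[instance["instanceId"]] = missing
    return violations


def lambda_handler(event, context, stop_instances=None, notify=None):
    """Stop non-compliant instances and send an SNS notification, as on the slide.
    Side effects are injectable for offline tests; otherwise boto3 clients are built."""
    violations = evaluate(event)
    if not violations:
        return {"action": "none"}
    if stop_instances is None or notify is None:
        import boto3  # imported lazily so evaluate() runs without the SDK
        ec2, sns = boto3.client("ec2"), boto3.client("sns")
        stop_instances = lambda ids: ec2.stop_instances(InstanceIds=ids)
        notify = lambda msg: sns.publish(TopicArn="TOPIC_ARN_PLACEHOLDER", Message=msg)
    ids = sorted(violations)
    stop_instances(ids)
    notify(json.dumps({"policy": "tagging", "stopped": violations}))
    return {"action": "stopped", "instances": ids}
```

The Lambda's execution role needs only ec2:StopInstances and sns:Publish on the one topic, which keeps the policy engine itself within least privilege.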
33. Automatic Security Group Placement
EC2 instances → RunInstances → Lambda Policy Engine:
• Check VPC
• Validate Security Group
Outcome: Do Nothing, or Remove SG and Add Correct SG
34. Create/Update Route53 Records from Tag
EC2 instances → RunInstances → Lambda Policy Engine:
• Check VPC
• Get CNAME Tag
Outcome: Do Nothing, or Add DNS Record / Update DNS
38. Recap
• Event-Driven Response to Policy Management and Infrastructure Events
• AWS Config Rules backed by Lambda to visualize compliant versus non-compliant infrastructure.
• Think outside the box. The number of available CloudWatch Events API Call triggers is large.
• Don’t forget the ability to schedule AWS Config rule validation, as well as Scheduled CloudWatch Event Triggers to Lambda.
• CloudWatch Events can point to multiple Targets (Not just Lambda functions)