As customers migrate to the cloud, IT needs to maintain structured compliance and governance while providing developers with the flexibility to manage cloud resources at scale. In this session, learn how AWS management tools provide a set of services to track changes to resources, audit actions, manage change, and gain insights. We also show how you can use built-in safety controls to automatically perform actions and remediation across multiple regions and accounts. This session is beneficial to IT and system administrators who are interested in using native AWS tools to operate secure and compliant infrastructure on AWS.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Control for Your Cloud Environment
Using AWS Management Tools
Jonathan Weiss
Sr. Manager
Amazon Web Services
E N T 2 2 6 - R

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Overview of AWS Management Tools
Dive deep into individual services
Enterprise as code example

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Breakout repeats
Monday, November 26th
REPEAT-1 Control for your Cloud Environment Using AWS Management Tools
4:45 p.m. - 5:45 p.m. | Aria West, Level 3, Juniper 4

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Related breakouts
Thursday, November 29th
DEV320 - Driving DevOps Transformation in Enterprises
11:30 a.m. - 12:30 p.m. | Aria East, Level 2, Mariposa 5
Thursday, November 29th
DEV326 - Building a DevOps Pipeline on AWS
2:30 p.m. - 4:45 p.m. | MGM, Level 3, Premier Ballroom 309

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Management Tools
Configuration
management
AWS OpsWorks
Integrated & interoperable

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudFormation
• Automate creation of over 250 types of AWS resources
• Update safely with stabilization and rollback
• Deploy many app architectures: Compute, containers, serverless
Code in YAML or JSON
directly or use sample
templates
Upload local
files or from an
S3 bucket
Create stack
using console, API
or CLI
Stacks and
resources are
provisioned

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Service Catalog
• Create & share immutable best practices templates
• Limit access to underlying AWS services
• Enable turn-key self-service solutions for all end-users
AWS
Service Catalog
product
AWS
Resource
 Logging
 Security
 Encryption
 Naming
 Tag options
 Immutable config
 Parameter control
 Access control
Best practices
standardized in
template

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS OpsWorks
• Provides managed configuration management servers
• Supports Chef Automate and Puppet Enterprise
• Use configuration management DSL to enforce configuration

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon CloudWatch
CloudWatch is a monitoring service
for AWS cloud resources,
applications you run on AWS and
on-prem
Monitor EC2Spot trends
Set alarms -
events
Monitor & store
logs
Create dashboards
Troubleshoot
Centralize
monitoring

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS X-Ray
• Analyze and debug service requests
• End-to-End Tracing, cross-service view
• Integration via agent/SDK or directly in Lambda

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Config & AWS Config rules
• Continuous recording & continuous assessment service
• Tracks configuration changes to AWS resources
• Alerts you if the configuration is non-compliant with
your policies
Changing resources AWS Config
AWS Config Rules
History, Snapshot
Notifications
API Access
Normalized

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudTrail
• Automatically recorded and centrally stored event logs of account activity
• Perform security audits and operational troubleshooting using API usage events
• Apply governance automatically in response to API events
• Raise alarms in response to account activity
Customer defines an Amazon
S3 Bucket for storage
Account event occurs
generating API activity
Events
AWS CloudTrail
CloudTrail captures and
records the API activity
A log with API calls is
delivered to S3 Bucket
and optionally delivered
to CloudWatch Events
and CloudWatch Logs

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Systems Manager
Resource groups
Run command
Inventory
Patch manager
Automation
Parameter store
Maintenance window
State manager
Session Manager
Distributor

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Goal – Enterprise as code
Enterprise as code: Complete automation and codification
• Infrastructure as code
• Configuration as code
• Operations as code
• Compliance as code
• Application delivery as code

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Application vs. infrastructure
Your application code
Your application configuration
Application
Infrastructure
Amazon Elastic Compute Cloud (Amazon EC2)
Amazon Elastic Container Service (Amazon ECS)
AWS Lambda
Amazon DynamoDB
Amazon Relational Database Service (Amazon RDS)
…

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Application & infrastructure pipelines
ApplicationApplication pipeline
Infrastructure
Infrastructure pipeline

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Application & infrastructure pipelines
Application
Infrastructure
Develop
Provision
DeployBuild & test Monitor
Audit &
remediate
MonitorConfigure

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Application & infrastructure pipelines
Application
Infrastructure
AWS Cloud9
AWS CodeCommit
AWS
CloudFormation
AWS CodeDeployAWS CodeBuild
Amazon CloudWatch
AWS X-Ray
AWS Config
AWS CloudTrail
AWS Systems Manager
Amazon CloudWatchAWS OpsWorks
AWS CodePipeline
CodePipeline
AWS Resource
Groups

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Our example application
• Traditional instance-based Java application
• Using Amazon EC2, Application Load Balancing, and Amazon RDS
• Application source code in Git repository
• Software stack: Apache, Tomcat, OpenJDK …

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Provisioning using AWS CloudFormation
Define necessary AWS infrastructure in template
• ALB for load balancing
• AWS Auto Scaling group for managing Amazon EC2 instance scaling
• Amazon RDS as data base
• Amazon CloudWatch alarms and dashboards for monitoring
• AWS Config rules for compliance auditing
• AWS Systems Manager Command Documents
• …

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudFormation template
"WebServerGroup" : {
"Type" : "AWS::AutoScaling::AutoScalingGroup",
"Properties" : {
"AvailabilityZones" : { "Fn::GetAZs" : ""},
"LaunchConfigurationName" : { "Ref" : "LaunchConfig" },
"MinSize" : "1",
"MaxSize" : "3",
"LoadBalancerNames" : [ { "Ref" : “ApplicationLoadBalancer" } ],
},
…

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setting up AWS Resource Groups
• Create a matching resource group for the CloudFormation stack
• Use this resource group to operate on in other services, for example
CloudWatch, Systems Manager, and so on
$ aws resource-groups create-group
--name My-CFN-stack-group
--description "My first CloudFormation stack-based group"
--resource-query
'{"Type":"CLOUDFORMATION_STACK_1_0","Query":"{"StackIdentifier":"arn:aws:cloudformation:us-
west-2:123:stack/AWStestuseraccount/EXAMPLE}"}'

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Configuration management using AWS OpsWorks
Leveraging Chef or Puppet to define on-instance configuration
• Apache 2.4.37 as the web server
• Tomcat 9.0.13 as the application server
• OpenJDK 11.0.1 for running Java
• Managing dependencies and software versions
Use community cookbooks to get started and override where needed

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Apache2 community Chef cookbook
apache2_conf 'example' do
path '/random/example/path’
end
apache2_module "ssl”
web_app "my_app" do
template 'web_app.conf.erb'
server_name node['my_app']['hostname']
end

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Monitoring with Amazon CloudWatch
• Create CloudWatch dashboards for your resource groups

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Monitoring with Amazon CloudWatch
• Create CloudWatch dashboards for your resource groups

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Audit with AWS Config & AWS Config rules
• Create custom AWS Config rules to define company policies
• Get alerts for non-compliant resources
• View resource group specific dashboard

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Example AWS Config rule
private boolean isOnExpectedDedicatedHost(JsonNode invokingEvent, JsonNode ruleParameters)
throws JsonProcessingException, IOException {
String expectedHostId = ruleParameters.path(HOST_ID).textValue();
String actualHostId =
invokingEvent.path(CONFIGURATION_ITEM).path(CONFIGURATION).path(PLACEMENT).path(HOST_ID).textValue();
return StringUtils.isBlank(expectedHostId) ? true : StringUtils.equalsIgnoreCase(expectedHostId, actualHostId);
}
See https://github.com/awslabs/aws-config-rules/ for more examples

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Remediate with Systems Manager
• Execute automation document against the resource group

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automation document
"mainSteps": [
{
"name": "stopInstances",
"action": "aws:changeInstanceState",
"inputs": {
"InstanceIds": "{{ InstanceId }}",
"DesiredState": "stopped”
}
},{
"name": "startInstances",
"action": "aws:changeInstanceState",
"inputs": {
"InstanceIds": "{{ InstanceId }}",
"DesiredState": "running”
}
}
]

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CodePipeline and AWS CodeBuild
• Fully managed continuous delivery service
• Model and monitor your release process
• Builds, tests, and deploys triggered by a code
change
Step

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CodePipeline and AWS CodeBuild
• Fully managed continuous delivery service
• Model and monitor your release process
• Builds, tests, and deploys triggered by a code
change
Transition

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CodePipeline and AWS CodeBuild
• Fully managed continuous delivery service
• Model and monitor your release process
• Builds, tests, and deploys triggered by a code
change Action

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CodePipeline and AWS CodeBuild
Promote and release changes of
• Application code: Redeploy app with AWS CodeDeploy
• AWS CloudFormation template: Update infrastructure
stack
• Chef cookbooks: Update instance configuration

39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Goal – Enterprise as code
Enterprise as code: Complete automation and codification
• Infrastructure as code  AWS CloudFormation
• Configuration as code  AWS OpsWorks & Chef
• Operations as code  AWS Systems Manager
Amazon CloudWatch
• Compliance as code  AWS Config rules
• Application delivery as code  AWS CodePipeline &
AWS CodeDeploy

40. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Jonathan Weiss
jweiss@

41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.