As companies shift workloads into the cloud, IT organizations are required to manage an increasing number of cloud resources. AWS provides a broad set of services that help IT organizations with provisioning, tracking, auditing, configuration management, and cost management of their AWS resources. In this session, we will explore the AWS Management Tools suite of services that support the lifecycle management of AWS resources at scale and enable IT governance and compliance. The Deep Dive on AWS Management Tools session will benefit both new and experienced IT administrators, systems administrators, and developers operating infrastructure on AWS and interested in learning about the AWS resource management capabilities.
2. AWS Management Tools
• Management tools?
• Resource management lifecycle and DevOps
• Scaling governance, management the cloudy way
• Capabilities you will need
• Use cases and examples
3. Growth is good
Stage            Developers               Workload                            API actions   Customers
Experimenting    2 devs                   Few instances, 1 app                100s
Product launch   3 devs                   Tens of instances, few services     100s
6 months         10s of devs              Several apps and services           1000s         10s
12 months        Several teams of devs    10s of apps/services                100,000       100s
4. Growth is good…
• Enable new users to experiment and make mistakes
• Various devices access or use the cloud
• Self-service access to infrastructure
• Global workforce
…but make good investments early to scale well
5. Growth is also challenging
• Several new developers (some new to AWS)
• Mistakes can be very expensive
• Keeping developers productive becomes harder
• Operating and troubleshooting numerous flavors
• Noisy #slack channel
6. Your options
Decentralize and hope
• Self-serve, experiment, innovate
• Promote agility
• DevOps is here
• Well-intentioned, but dangerous
• Compliance is subject to interpretation by new users
Lockdown and approve
• Full control, reduced experimentation
• Reduced agility
• Scales only to the number of approvers
• Unappealing to developers
7. Try AWS Management Tools
Standardize, Decentralize and Monitor
• Self-service provisioning with templates/catalogs
• Monitor health, usage and configuration compliance
• Prevent severe issues and act immediately on bad events
• Standardization is a key element of scalability
10. AWS CloudFormation
Resource Provisioning
What can you do?
• Create templates of your infrastructure
• Version control, code review and update templates like code
• Provision AWS resources in dependency order
• Integrate with development, CI/CD and management tools
What is it?
• CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion
• No additional charge to use
Examples
• Administrators can author templates that developers then launch, so only recommended configurations get provisioned
• DevOps admins can use the CodePipeline integration to enable CI/CD for infrastructure
• Use CloudFormation Designer, in JSON or YAML, to author templates that provision resources
• Leverage the AWS Serverless Application Model (AWS SAM, on GitHub) to improve the developer experience
• Change sets and cross-stack references enhance CloudFormation stack management capabilities
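The two patterns the slide names, an admin-authored template that only allows recommended configurations and a cross-stack reference, as an added example (not from the deck or from AWS). Two templates: an admin-owned baseline stack that exports a locked-down security group and a subnet, and a developer-owned application stack that imports them and can only pick from approved instance types. Resource names, CIDR blocks and the export naming scheme are this example's assumptions.

```yaml
# Stack 1 (admin-owned baseline): exports values that developer stacks consume.
AWSTemplateFormatVersion: "2010-09-09"
Description: Baseline VPC, subnet and an HTTPS-only web security group (added example)
Parameters:
  Environment:
    Type: String
    AllowedValues: [dev, test, prod]      # only approved environment names
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
  WebSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.0.1.0/24
  WebSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from anywhere, no SSH from the internet
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
Outputs:
  WebSgId:
    Value: !Ref WebSg
    Export:
      Name: !Sub "${Environment}-WebSgId"       # cross-stack reference target
  WebSubnetId:
    Value: !Ref WebSubnet
    Export:
      Name: !Sub "${Environment}-WebSubnetId"
---
# Stack 2 (developer-owned app): imports the baseline; cannot widen the SG rules.
AWSTemplateFormatVersion: "2010-09-09"
Description: Web instance launched into the admin-provided network (added example)
Parameters:
  Environment:
    Type: String
    AllowedValues: [dev, test, prod]
  InstanceType:
    Type: String
    Default: t3.micro
    AllowedValues: [t3.micro, t3.small]   # recommended sizes only; anything else fails validation
  ImageId:
    Type: AWS::EC2::Image::Id             # must be a real AMI id in the target region
Resources:
  Web:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref InstanceType
      ImageId: !Ref ImageId
      SubnetId:
        Fn::ImportValue: !Sub "${Environment}-WebSubnetId"
      SecurityGroupIds:
        - Fn::ImportValue: !Sub "${Environment}-WebSgId"
```

Deploy the baseline first. When changing it later, create a change set (`aws cloudformation create-change-set`) and review which resources would be replaced before executing it; CloudFormation also refuses to delete a stack, or remove an export, while another stack still imports it, which is what makes the baseline safe to share.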
12. AWS Service Catalog
Resource Provisioning
What can you do?
• Quickly deploy approved IT services in a self-service manner, as delegated by admins
• Create and govern catalogs of IT services on AWS, described as AWS CloudFormation templates
What is it?
• A private catalog for organizing best-practice patterns and launching infrastructure and software services on AWS in a controlled and repeatable manner
• Enables cataloging of "infrastructure as code" as products with versions
Examples
• Portfolio: a collection of templates/products available to a user
• For admins: create a portfolio of products and services; APIs to list and provision products and to manage versions, portfolios, access and more
• For users: APIs to view and manage launched products
• Share products and portfolios across AWS accounts within your organization
• Available in 10 regions
15. Amazon EC2 Systems Manager
Configuration Management
What can you do?
• Perform common administrative tasks remotely at scale
• Understand and control the current state of your EC2 instance and OS configurations
• Simplify your operating system patching process
What is it?
• A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all of your Windows and Linux workloads, running in Amazon EC2 or on-premises
• Available now at no cost to manage both your EC2 and on-premises resources
Examples
• Administrators/IT managers can use seven capabilities:
  • Automation: simplifies common maintenance and deployment tasks, such as updating AMIs
  • Run Command: remotely perform common administrative tasks at scale
  • Parameter Store: centralized location to store, access, and reference your configuration data
  • State Manager: define and maintain consistent OS configurations to comply with your policies
  • Maintenance Window: define a recurring time window for administrative and maintenance actions
  • Inventory: collect and query configuration and inventory information about software installed on instances
  • Patch Manager: select and deploy OS and software patches automatically across large groups of instances
• Use the same tools for on-premises servers
• Enhanced Run Command with rate control and error thresholds
17. AWS OpsWorks for Chef Automate
Configuration Management
What can you do?
• Automate tasks such as software and operating system configuration, package installation, database setup, and more
• Define configurations for your servers in a format that you can maintain and version just like your application source code
What is it?
• Managed Chef server and Chef Automate
• A suite of automation tools that gives you workflow automation for continuous deployment and automated testing for compliance and security with Chef
• The Chef server gives you full-stack automation by handling operational tasks
Examples
• Define the desired configuration of EC2 instances or on-premises servers using cookbooks
• Tap into the Chef community with over 3,000 different cookbooks
• Chef Workflow gives you a continuous deployment workflow for developing, testing, and deploying cookbooks
• Chef Compliance helps you write and apply compliance tests against your nodes
19. Amazon CloudWatch
Monitoring and Performance
What can you do?
• Collect and track host, app or custom metrics
• Collect, monitor, and search log files
• Set alarms that alert you when problems arise
• Create dashboards to stay on top of your application
• React automatically to events in your AWS resources
What is it?
• A monitoring service for your cloud resources and applications. CloudWatch helps you gain visibility into resource utilization, app performance, and operational health
• With CloudWatch, you can monitor metrics and logs generated by AWS services or your own applications and services, and get alerted when potential problems occur
Examples
• Monitor resources you've provisioned with CloudWatch metrics
• CPU load, disk usage, and several standard metrics to operate effectively
• Enhanced dashboards: new visualizations (number, area, and dark theme support)
• CloudWatch Logs to aggregate log information from applications and AWS services
• CloudWatch Events to react to meaningful events in the system
22. AWS CloudTrail
Governance and Compliance
What can you do?
• Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account
What is it?
• A service that enables governance, compliance, operational auditing, and risk auditing of your AWS account
• With CloudTrail, you can log, continuously monitor, and retain events related to API calls and account activity across your AWS infrastructure
Examples
• Get full visibility across all regions: turn on a trail in all existing and future AWS regions
• S3 data events: get timely events for S3 object-level API activity, for both action and audit
• Event selectors to filter or add event types to a trail
• The calling user identity is recorded on AssumeRole calls, so you can trace activity back to the IAM user even for role-based API calls
• Log file KMS key encryption and integrity validation
• PCI, ISO 27001/9001, ISO 27017, ISO 27018, SOC 1, 2 and 3
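What the "trace the IAM user even in role-based APIs" bullet means in practice, as an added example (not from the deck or from AWS): a small offline triage script over CloudTrail records. The AssumeRole record carries the caller's identity and, in `responseElements.credentials.accessKeyId`, the temporary key it issued; every later call made with that session carries the same key in `userIdentity.accessKeyId`, so joining on it attributes role activity to the originating user. The script also flags root usage (with the MFA flag from `additionalEventData`) and calls that weaken audit coverage. The records below are constructed for the example and are not real account data; the event set treated as audit tampering is this example's choice.

```python
"""Triage CloudTrail records offline (added example, not from the deck)."""
import json

# Constructed sample records in CloudTrail's JSON shape (not real account data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-05-01T10:00:00Z", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Admin", "roleSessionName": "alice-admin"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE1"}}},
    {"eventTime": "2017-05-01T10:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE1",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice-admin",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/Admin"}}}},
    {"eventTime": "2017-05-01T11:00:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-05-01T11:30:00Z", "eventName": "DeleteTrail", "eventSource": "cloudtrail.amazonaws.com",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"name": "all-regions"}},
]})

# Calls that reduce audit coverage (this example's list); any of them deserves an immediate look.
AUDIT_TAMPERING = {"DeleteTrail", "StopLogging", "UpdateTrail", "PutEventSelectors"}


def load_records(text):
    return json.loads(text)["Records"]


def map_sessions_to_users(records):
    """Link each AssumeRole call's temporary access key to the principal that requested it."""
    sessions = {}
    for r in records:
        if r["eventName"] == "AssumeRole" and r["eventSource"] == "sts.amazonaws.com":
            key = r.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if key:
                sessions[key] = r["userIdentity"].get("arn")
    return sessions


def originating_principal(record, sessions):
    """For AssumedRole activity, return the user behind the session; otherwise the caller itself."""
    ident = record["userIdentity"]
    if ident.get("type") == "AssumedRole":
        # sessionIssuer only names the role; the access key is what ties back to the AssumeRole caller
        return sessions.get(ident.get("accessKeyId"), "unknown (AssumeRole not in this log window)")
    return ident.get("arn")


def findings(records):
    """Return (kind, eventName, originating principal, detail) tuples worth a human look."""
    sessions = map_sessions_to_users(records)
    out = []
    for r in records:
        who = originating_principal(r, sessions)
        ident = r["userIdentity"]
        if ident.get("type") == "Root":
            mfa = r.get("additionalEventData", {}).get("MFAUsed")
            out.append(("root_activity", r["eventName"], who, f"MFAUsed={mfa}" if mfa else ""))
        if r["eventName"] in AUDIT_TAMPERING:
            out.append(("audit_tampering", r["eventName"], who, r.get("requestParameters", {}).get("name", "")))
        if r["eventName"] == "AuthorizeSecurityGroupIngress":
            out.append(("sg_change", r["eventName"], who, r["awsRegion"]))
    return out


if __name__ == "__main__":
    for f in findings(load_records(SAMPLE_LOG)):
        print(" | ".join(f))
```

The join only works if the AssumeRole record is in the window you are looking at, so keep the multi-region trail's full history and search from the session's start time; the "unknown" branch is the signal that you need to widen the window. Log file integrity validation (the digest files the slide mentions) is checked separately with `aws cloudtrail validate-logs` before you trust any of this.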
23. AWS Config and Config Rules
Governance and Compliance
What can you do?
• Discover existing and deleted AWS resources
• Determine your overall compliance against rules, and dive into the configuration details of a resource at any point in time
• Enable compliance auditing, security analysis, resource change tracking, and troubleshooting
What is it?
• AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance
• Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config
Examples
• Get a history of all configuration changes to critical resources, including details about CloudTrail API activity
• Use one of 32 managed rules or author custom rules to check the recorded configuration of resources
• Use best practices from the AWS Config Rules GitHub repository
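A custom Config rule as an added example (not from the deck or from the AWS Config Rules repository): a Lambda function that evaluates each recorded AWS::CloudTrail::Trail and reports NON_COMPLIANT unless the trail is multi-region, has log file validation on and encrypts with KMS, which are the three CloudTrail settings the previous slide recommends. The handler signature, the `invokingEvent`/`resultToken` envelope and the `put_evaluations` call are how Config invokes custom rules; the camelCase key names under `configuration` are assumed to match what Config records for trails, and the sample items are constructed.

```python
"""Custom AWS Config rule: trail must be multi-region, validated and KMS-encrypted.
Added example (not from the deck). Keys under configurationItem.configuration are assumed
to follow Config's camelCase form for AWS::CloudTrail::Trail."""
import json

# (key, required value, message when it does not match)
REQUIRED = (
    ("isMultiRegionTrail", True, "trail is not multi-region"),
    ("logFileValidationEnabled", True, "log file validation is off"),
)


def evaluate_trail(item):
    """Return (ComplianceType, annotation) for one configuration item."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    cfg = item.get("configuration") or {}
    problems = [msg for key, want, msg in REQUIRED if cfg.get(key) != want]
    if not cfg.get("kmsKeyId"):
        problems.append("log files are not KMS-encrypted")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "multi-region, validated, KMS-encrypted"


def build_evaluation(item):
    """Shape the verdict the way PutEvaluations expects it."""
    ctype, note = evaluate_trail(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": ctype,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point Config invokes on each configuration change of a trail."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None or item["resourceType"] != "AWS::CloudTrail::Trail":
        return None  # oversized-item notifications carry no inline item; see note below
    evaluation = build_evaluation(item)
    import boto3  # imported here so the module also loads where boto3 is absent
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed configuration items (not real account data) for local runs.
GOOD_TRAIL = {"resourceType": "AWS::CloudTrail::Trail", "resourceId": "all-regions",
              "configurationItemStatus": "OK", "configurationItemCaptureTime": "2017-05-01T12:00:00.000Z",
              "configuration": {"isMultiRegionTrail": True, "logFileValidationEnabled": True,
                                "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}}
WEAK_TRAIL = {"resourceType": "AWS::CloudTrail::Trail", "resourceId": "us-east-1-only",
              "configurationItemStatus": "OK", "configurationItemCaptureTime": "2017-05-01T12:00:00.000Z",
              "configuration": {"isMultiRegionTrail": False, "logFileValidationEnabled": False}}

if __name__ == "__main__":
    for item in (GOOD_TRAIL, WEAK_TRAIL):
        print(item["resourceId"], evaluate_trail(item))
```

Two caveats a practitioner hits with custom rules: a resource whose configuration is too large arrives as an OversizedConfigurationItemChangeNotification, with no inline `configurationItem`, and the handler has to fetch it with `get_resource_config_history` instead of returning early as above; and a rule evaluated on deletion should answer NOT_APPLICABLE, otherwise the deleted trail keeps showing as non-compliant in the dashboard.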
26. AWS Trusted Advisor
Resource Optimization
What can you do?
• Get insight into how and where you can get the most impact for your AWS spend
• Find opportunities to reduce your monthly spend and retain or increase productivity
• Receive guidance on getting optimal performance and availability based on your requirements
What is it?
• An online resource to help you reduce cost, increase performance and fault tolerance, and improve security by optimizing your AWS environment
• Developed from best practices, Trusted Advisor provides real-time guidance for specific services
Examples
• CloudWatch Events integration
• Filter Trusted Advisor checks and create reports using tags on resources
• 12 new service-limit checks across 5 AWS products: RDS, IAM, EC2, CloudFormation, and Kinesis
31. Phase 1: Control
Prevent actions that could be bad
• CloudFormation
• Service Catalog
• IAM policies
• Disable root credentials
• Check GitHub for access keys that have been published publicly
37. Phase 3: Fix using AWS services
Ease of getting started vs. customization and control (easiest to start, least customizable, first):
• Trusted Advisor
• AWS Config managed rules
• AWS Config custom rules with remediation
• CloudWatch Events rules with Lambda
• Lambda code with various triggers
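The "CloudWatch Events rules with Lambda" option on the spectrum, as an added example (not from the deck or from AWS): a Lambda function fed by a CloudWatch Events rule on CloudTrail `AuthorizeSecurityGroupIngress` calls that revokes, within seconds, any newly added rule opening SSH or RDP to the whole internet, while leaving the rest of the same call untouched. The envelope (`detail` holding the CloudTrail record, `requestParameters.ipPermissions.items`) is the "AWS API Call via CloudTrail" event shape; the port list, the decision to auto-revoke rather than only alert, and the sample event are this example's assumptions.

```python
"""Event-driven remediation: revoke world-open admin ports right after they are authorized.
Added example (not from the deck). The event follows the CloudWatch Events 'AWS API Call via
CloudTrail' envelope; the policy (which ports, auto-revoke) is this example's assumption."""

ADMIN_PORTS = {22, 3389}           # SSH and RDP: never from the whole internet under this policy
WORLD = {"0.0.0.0/0", "::/0"}


def _world_ranges(perm):
    """CIDR blocks in one ipPermissions entry that are open to the whole internet (v4, v6)."""
    v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", []) if r.get("cidrIp") in WORLD]
    v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", []) if r.get("cidrIpv6") in WORLD]
    return v4, v6


def _covers_admin_port(perm):
    """True when the entry's protocol/port range includes an admin port (or is 'all traffic')."""
    proto = str(perm.get("ipProtocol"))
    if proto == "-1":              # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def offending_permissions(detail):
    """From the CloudTrail record, build the IpPermissions list to pass to RevokeSecurityGroupIngress."""
    if detail.get("errorCode"):    # the authorize call failed, so nothing was actually opened
        return []
    revoke = []
    for perm in detail.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        if not _covers_admin_port(perm):
            continue
        v4, v6 = _world_ranges(perm)
        if not (v4 or v6):
            continue               # admin port, but only from private ranges: acceptable
        entry = {"IpProtocol": str(perm["ipProtocol"])}
        if entry["IpProtocol"] != "-1":
            entry["FromPort"] = perm["fromPort"]
            entry["ToPort"] = perm["toPort"]
        if v4:
            entry["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        revoke.append(entry)
    return revoke


def plan(event):
    """Return keyword arguments for revoke_security_group_ingress, or None if nothing to undo."""
    detail = event["detail"]
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    perms = offending_permissions(detail)
    if not perms:
        return None
    return {"GroupId": detail["requestParameters"]["groupId"], "IpPermissions": perms}


def lambda_handler(event, context):
    kwargs = plan(event)
    if kwargs is None:
        return {"action": "none"}
    import boto3  # imported here so the module also loads where boto3 is absent
    boto3.client("ec2", region_name=event["region"]).revoke_security_group_ingress(**kwargs)
    return {"action": "revoked", "groupId": kwargs["GroupId"],
            "by": event["detail"].get("userIdentity", {}).get("arn")}


# Constructed event (not real account data): SSH opened to the world and to 10/8, HTTPS to the world.
SAMPLE_EVENT = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail", "region": "us-east-1",
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.0.0.0/8"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
}

if __name__ == "__main__":
    print(plan(SAMPLE_EVENT))
```

The matching CloudWatch Events rule pattern is `{"source": ["aws.ec2"], "detail-type": ["AWS API Call via CloudTrail"], "detail": {"eventName": ["AuthorizeSecurityGroupIngress"]}}`; it only fires in regions where a trail delivers to CloudWatch Events, which is one more reason for the all-regions trail on the CloudTrail slide. The function's role needs `ec2:RevokeSecurityGroupIngress` and nothing broader, and the revoke itself lands in CloudTrail, so the audit trail shows both the change and the correction.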
40. Summary
AWS Management Tools provide
• Services to manage the lifecycle of resources
• Standardization, self-service, automation
• Broad and deep visibility for security analysis
• Governance and Compliance as code
Find out more here:
https://aws.amazon.com/products/management