© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT
Control for Your Cloud Environment Using AWS Management Tools
Jonathan Weiss, Amazon Web Services
Agenda
Overview of AWS management tools
Dive deep into individual services
Enterprise as code example
AWS Management Tools
Configuration management: AWS OpsWorks
Integrated & interoperable
AWS CloudFormation
• Automate creation of over 250 types of AWS resources
• Update safely with stabilization and rollback
• Deploy many app architectures: Compute, containers, serverless
Workflow: code in YAML or JSON directly or use sample templates -> upload local files or from an S3 bucket -> create stack using console, API or CLI -> stacks and resources are provisioned
AWS Service Catalog
• Create & share immutable best practices templates
• Limit access to underlying AWS services
• Enable turn-key self-service solutions for all end-users
Diagram: best practices (logging, security, encryption, naming) are standardized in the template and published as an AWS Service Catalog product; tag options, immutable configuration, parameter control and access control are applied to the product before the AWS resource is provisioned
AWS OpsWorks
• Provides managed configuration management servers
• Supports Chef Automate and Puppet Enterprise
• Use configuration management DSL to enforce configuration
Amazon CloudWatch
Amazon CloudWatch is a monitoring service for AWS cloud resources, applications you run on AWS, and on-premises applications
• Monitor EC2 Spot trends
• Set alarms & events
• Monitor & store logs
• Create dashboards
• Troubleshoot
• Centralize monitoring
AWS X-Ray
• Analyze and debug service requests
• End-to-End Tracing, cross-service view
• Integration via agent/SDK or directly in Lambda
AWS Config & AWS Config rules
• Continuous recording & continuous assessment service
• Tracks configuration changes to AWS resources
• Alerts you if the configuration is non-compliant with your policies
Diagram: changing resources -> AWS Config (normalized history and snapshots, notifications, API access) -> AWS Config Rules
AWS CloudTrail
• Automatically recorded and centrally stored event logs of account activity
• Perform security audits and operational troubleshooting using API usage events
• Apply governance automatically in response to API events
• Raise alarms in response to account activity
Flow: the customer defines an Amazon S3 bucket for storage -> an account event occurs, generating API activity -> AWS CloudTrail captures and records the API activity -> a log with the API calls is delivered to the S3 bucket and optionally to CloudWatch Events and CloudWatch Logs
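The "raise alarms in response to account activity" point above is the part a defender automates first. The following Python is an added example, not code from the deck or from AWS: it parses a CloudTrail log file in the delivered shape (a JSON object with a Records list), applies three constructed detection rules (trail logging changed, root console login, security group change) and returns findings. The records, user names, trail name and IP addresses are constructed sample data; the field names are the standard CloudTrail record keys.

```python
import json

# Constructed CloudTrail log delivery (not real data). The keys are the standard
# CloudTrail record fields; every value is made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-03-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2019-03-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "management-trail"},
     "sourceIPAddress": "203.0.113.11"},
    {"eventTime": "2019-03-01T10:07:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.7"},
    # A call that was denied: CloudTrail still records it, with an errorCode.
    {"eventTime": "2019-03-01T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "errorCode": "Client.UnauthorizedOperation",
     "sourceIPAddress": "203.0.113.12"},
]})


def _succeeded(rec):
    """Failed API calls carry an errorCode and did not change anything."""
    return "errorCode" not in rec


# Constructed rules: (name, predicate over one CloudTrail record).
RULES = [
    ("cloudtrail-logging-changed",
     lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
     and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"}
     and _succeeded(r)),
    ("root-console-login",
     lambda r: r.get("eventName") == "ConsoleLogin"
     and r.get("userIdentity", {}).get("type") == "Root"
     and r.get("responseElements", {}).get("ConsoleLogin") == "Success"),
    ("security-group-changed",
     lambda r: r.get("eventSource") == "ec2.amazonaws.com"
     and str(r.get("eventName", "")).startswith(("AuthorizeSecurityGroup",
                                                  "RevokeSecurityGroup"))
     and _succeeded(r)),
]


def actor(rec):
    """Best available identity string for a record."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def scan(log_text):
    """Parse one CloudTrail log file and return findings in delivery order."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        for name, predicate in RULES:
            if predicate(rec):
                findings.append({
                    "rule": name,
                    "eventName": rec.get("eventName"),
                    "eventTime": rec.get("eventTime"),
                    "actor": actor(rec),
                    "sourceIPAddress": rec.get("sourceIPAddress"),
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(json.dumps(finding))
```

The denied AuthorizeSecurityGroupIngress call is deliberately in the sample: CloudTrail records failed calls too, so a rule that alerts on configuration changes has to check for errorCode or it will page on attempts that never took effect. In production the same predicates would be expressed as CloudWatch Logs metric filters on the trail's log group, which is what the "optionally delivered to CloudWatch Logs" step above enables.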
AWS Systems Manager
• Resource Groups
• Run Command
• Inventory
• Patch Manager
• Automation
• Parameter Store
• Maintenance Windows
• State Manager
• Session Manager
• Distributor
Goal – Enterprise as code
Enterprise as code: Complete automation and codification
• Infrastructure as code
• Configuration as code
• Operations as code
• Compliance as code
• Application delivery as code
Application vs. infrastructure
Application: your application code and your application configuration
Infrastructure: Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Container Service (Amazon ECS), AWS Lambda, Amazon DynamoDB, Amazon Relational Database Service (Amazon RDS), …
Application & infrastructure pipelines
Application: application pipeline
Infrastructure: infrastructure pipeline
Application pipeline stages: Develop -> Build & test -> Deploy -> Monitor
Infrastructure pipeline stages: Provision -> Configure -> Monitor -> Audit & remediate
Application pipeline services: AWS Cloud9, AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, Amazon CloudWatch, AWS X-Ray
Infrastructure pipeline services: AWS CloudFormation, AWS OpsWorks, AWS Systems Manager, Amazon CloudWatch, AWS Config, AWS CloudTrail
Both pipelines: AWS CodePipeline, AWS Resource Groups
Our example application
• Traditional instance-based Java application
• Using Amazon EC2, Application Load Balancing, and Amazon RDS
• Application source code in Git repository
• Software stack: Apache, Tomcat, OpenJDK …
Provisioning using AWS CloudFormation
Define necessary AWS infrastructure in template
• ALB for load balancing
• AWS Auto Scaling group for managing Amazon EC2 instance scaling
• Amazon RDS as the database
• CloudWatch alarms and dashboards for monitoring
• AWS Config rules for compliance auditing
• AWS Systems Manager Command Documents
• …
AWS CloudFormation template
"WebServerGroup" : {
  "Type" : "AWS::AutoScaling::AutoScalingGroup",
  "Properties" : {
    "AvailabilityZones" : { "Fn::GetAZs" : "" },
    "LaunchConfigurationName" : { "Ref" : "LaunchConfig" },
    "MinSize" : "1",
    "MaxSize" : "3",
    "LoadBalancerNames" : [ { "Ref" : "ApplicationLoadBalancer" } ]
  }
}, …
Setting up AWS Resource Groups
• Create a matching resource group for the AWS CloudFormation stack
• Use this resource group as the target in other services, for example CloudWatch, Systems Manager, and so on
$ aws resource-groups create-group \
    --name My-CFN-stack-group \
    --description "My first CloudFormation stack-based group" \
    --resource-query '{"Type":"CLOUDFORMATION_STACK_1_0","Query":"{\"StackIdentifier\":\"arn:aws:cloudformation:us-west-2:123:stack\/AWStestuseraccount\/EXAMPLE\"}"}'
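The escaping in the create-group command above is the part people get wrong: the Query field of a resource query is itself a JSON document that has to be serialized into a string inside the outer JSON. The Python below is an added example, not from the deck or from AWS, that builds and decodes such queries so the nesting is done by json.dumps rather than by hand; it goes slightly beyond the slide by also covering the TAG_FILTERS_1_0 query type. The ARN and tag values are constructed placeholders.

```python
import json


def cloudformation_stack_query(stack_arn):
    """Resource query selecting every resource created by one CloudFormation
    stack. The inner document is serialized to a string on purpose: that is
    the shape the Resource Groups API expects, and it is why the CLI example
    shows escaped \" characters inside the outer JSON."""
    inner = {"StackIdentifier": stack_arn}
    return {"Type": "CLOUDFORMATION_STACK_1_0", "Query": json.dumps(inner)}


def tag_query(tag_filters, resource_types=("AWS::AllSupported",)):
    """Tag-based resource query: tag_filters maps a tag key to the accepted
    values, e.g. {"Stage": ["Test"]}."""
    inner = {
        "ResourceTypeFilters": list(resource_types),
        "TagFilters": [{"Key": key, "Values": list(values)}
                       for key, values in tag_filters.items()],
    }
    return {"Type": "TAG_FILTERS_1_0", "Query": json.dumps(inner)}


def cli_argument(query):
    """Render a query as the single-quoted value for --resource-query."""
    return "'" + json.dumps(query) + "'"


def parse_query(query):
    """Decode the nested Query string back into a dict, e.g. when reviewing
    what an existing group actually selects."""
    return json.loads(query["Query"])


if __name__ == "__main__":
    # Constructed placeholder ARN, not a real stack.
    arn = "arn:aws:cloudformation:us-west-2:123456789012:stack/demo/EXAMPLE"
    print("aws resource-groups create-group --name demo-group "
          "--resource-query " + cli_argument(cloudformation_stack_query(arn)))
    print(parse_query(tag_query({"Stage": ["Test"]})))
```

json.dumps leaves the forward slashes in the ARN unescaped, whereas the slide's command writes them as \/; both are valid JSON and decode to the same string.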
Configuration management using AWS OpsWorks
Leveraging Chef or Puppet to define on-instance configuration
• Apache 2.4.37 as the web server
• Tomcat 9.0.13 as the application server
• OpenJDK 11.0.1 for running Java
• Managing dependencies and software versions
Use community cookbooks to get started and override where needed
Apache2 community Chef cookbook
apache2_conf 'example' do
  path '/random/example/path'
end
apache2_module "ssl"
web_app "my_app" do
  template 'web_app.conf.erb'
  server_name node['my_app']['hostname']
end
Monitoring with CloudWatch
• Create CloudWatch dashboards for your resource groups
Audit with AWS Config & AWS Config rules
• Create custom AWS Config rules to define company policies
• Get alerts for non-compliant resources
• View resource group specific dashboard
Example AWS Config rule
import java.io.IOException;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import org.apache.commons.lang3.StringUtils;
// JSON keys of the Config configuration item (configurationItem.configuration.placement.hostId) and of the rule parameter
private static final String HOST_ID = "hostId", CONFIGURATION_ITEM = "configurationItem",
    CONFIGURATION = "configuration", PLACEMENT = "placement";
private boolean isOnExpectedDedicatedHost(JsonNode invokingEvent, JsonNode ruleParameters)
    throws JsonProcessingException, IOException {
  String expectedHostId = ruleParameters.path(HOST_ID).textValue();
  String actualHostId = invokingEvent.path(CONFIGURATION_ITEM).path(CONFIGURATION).path(PLACEMENT).path(HOST_ID).textValue();
  // no expected host configured means no constraint; otherwise the ids must match (case-insensitive)
  return StringUtils.isBlank(expectedHostId) ? true : StringUtils.equalsIgnoreCase(expectedHostId, actualHostId);
}
See https://github.com/awslabs/aws-config-rules/ for more examples
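The Java method above is only the decision; a custom Config rule also has to unpack the event AWS Config hands to Lambda and produce an evaluation. The following Python is an added example, not the deck's code and not the awslabs repository's, that carries the same decision through to a complete evaluation. It assumes the rule parameter is named hostId and reads the host id from the configuration item at configuration.placement.hostId (the layout of an EC2 instance configuration item); the sample event, instance id and host ids are constructed. The call to config:PutEvaluations that a real handler would make is left out so the code runs offline.

```python
import json

# Assumed key names (not on the slide): they mirror the JSON layout of an AWS
# Config configuration item for an EC2 instance
# (configurationItem.configuration.placement.hostId) and a rule parameter
# named "hostId", which is the name chosen when the custom rule is created.
HOST_ID = "hostId"
CONFIGURATION_ITEM = "configurationItem"
CONFIGURATION = "configuration"
PLACEMENT = "placement"


def _path(node, *keys):
    """Walk nested dicts like Jackson's JsonNode.path(): a missing key
    anywhere along the way yields None instead of raising."""
    for key in keys:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def is_on_expected_dedicated_host(invoking_event, rule_parameters):
    """Same decision as the Java method on the slide: a blank or missing
    expected host id means the rule imposes no constraint (compliant);
    otherwise the expected and actual host ids must match, ignoring case."""
    expected = (rule_parameters.get(HOST_ID) or "").strip()
    if not expected:
        return True
    actual = _path(invoking_event, CONFIGURATION_ITEM, CONFIGURATION,
                   PLACEMENT, HOST_ID) or ""
    return expected.lower() == actual.lower()


def evaluate(event):
    """Entry point in the shape of a Lambda handler for a custom Config rule.
    AWS Config delivers invokingEvent and ruleParameters as JSON *strings*
    inside the Lambda event. The returned dict is one Evaluation as it would
    be passed to PutEvaluations; that API call is omitted here."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event[CONFIGURATION_ITEM]
    if item.get("configurationItemStatus") in ("ResourceDeleted",
                                               "ResourceDeletedNotRecorded"):
        compliance = "NOT_APPLICABLE"  # nothing left to check
    elif item.get("resourceType") != "AWS::EC2::Instance":
        compliance = "NOT_APPLICABLE"  # rule only reasons about EC2 placement
    elif is_on_expected_dedicated_host(invoking_event, rule_parameters):
        compliance = "COMPLIANT"
    else:
        compliance = "NON_COMPLIANT"
    return {
        "ComplianceResourceType": item.get("resourceType"),
        "ComplianceResourceId": item.get("resourceId"),
        "ComplianceType": compliance,
        "OrderingTimestamp": item.get("configurationItemCaptureTime"),
    }


# Constructed sample Lambda event (not a real Config delivery).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2019-01-01T00:00:00.000Z",
            "configuration": {"placement": {"hostId": "h-0abc"}},
        },
    }),
    "ruleParameters": json.dumps({"hostId": "H-0ABC"}),
}

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_EVENT), indent=2))
```

Two details carry over from the Java version and are worth keeping in any port: the blank-parameter case is treated as "no constraint" rather than as an error, and the comparison ignores case, so a parameter typed in upper case still matches the lower-case host id Config records. Deleted resources are reported as NOT_APPLICABLE so they drop out of the compliance view instead of lingering as non-compliant.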
Remediate with Systems Manager
• Execute automation document against the resource group
Automation document
"mainSteps": [
  {
    "name": "stopInstances",
    "action": "aws:changeInstanceState",
    "inputs": { "InstanceIds": "{{ InstanceId }}", "DesiredState": "stopped" }
  },
  {
    "name": "startInstances",
    "action": "aws:changeInstanceState",
    "inputs": { "InstanceIds": "{{ InstanceId }}", "DesiredState": "running" }
  }
]
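The mainSteps excerpt above references {{ InstanceId }}, which only works if the document declares that parameter; a misspelled placeholder is not caught until the automation is started. The Python below is an added example, not from the deck or from AWS: it completes the two steps into a full Automation document (the schemaVersion, description and parameters block are constructed, as is the AutomationAssumeRole parameter) and lints it for undeclared placeholders, unused parameters, duplicate step names and missing step fields before the document is registered.

```python
import re

# Constructed complete document around the two steps shown on the slide.
AUTOMATION_DOCUMENT = {
    "schemaVersion": "0.3",
    "description": "Stop and start the given instances",
    "assumeRole": "{{ AutomationAssumeRole }}",
    "parameters": {
        "InstanceId": {"type": "StringList", "description": "Instances to restart"},
        "AutomationAssumeRole": {"type": "String", "default": ""},
    },
    "mainSteps": [
        {"name": "stopInstances", "action": "aws:changeInstanceState",
         "inputs": {"InstanceIds": "{{ InstanceId }}", "DesiredState": "stopped"}},
        {"name": "startInstances", "action": "aws:changeInstanceState",
         "inputs": {"InstanceIds": "{{ InstanceId }}", "DesiredState": "running"}},
    ],
}

# Matches {{ Name }} and {{ stepName.Output }}. System variables such as
# {{ global:REGION }} contain a colon and are deliberately not matched.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)(?:\.[A-Za-z0-9_]+)?\s*\}\}")


def _strings(value):
    """Yield every string nested anywhere inside a JSON-like structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)


def lint(doc):
    """Return a list of problems; an empty list means the document passed."""
    problems = []
    if doc.get("schemaVersion") != "0.3":
        problems.append('schemaVersion must be "0.3" for an Automation document')
    params = set(doc.get("parameters") or {})
    steps = doc.get("mainSteps") or []
    if not steps:
        problems.append("mainSteps is empty")
    names = [step.get("name") for step in steps]
    for index, step in enumerate(steps):
        for key in ("name", "action", "inputs"):
            if key not in step:
                problems.append(f"step {index} is missing '{key}'")
        name = step.get("name")
        if name is not None and names.count(name) > 1 and names.index(name) == index:
            problems.append(f"duplicate step name: {name}")
    referenced = set()
    for text in _strings(doc):
        referenced.update(m.group(1) for m in PLACEHOLDER.finditer(text))
    for ref in sorted(referenced - params - set(names)):
        problems.append(f"placeholder {{{{ {ref} }}}} is neither a declared "
                        "parameter nor a step name")
    for param in sorted(params - referenced):
        problems.append(f"parameter {param} is declared but never referenced")
    return problems


if __name__ == "__main__":
    print(lint(AUTOMATION_DOCUMENT) or "document looks consistent")
```

Running the same lint in the infrastructure pipeline before an aws ssm create-document step keeps a broken remediation document from being promoted alongside the CloudFormation template and cookbooks it is meant to support.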
CodePipeline and CodeBuild
• Fully managed continuous delivery service
• Model and monitor your release process
• Builds, tests, and deploys triggered by a code change
Pipeline elements highlighted on the slides: Step, Transition, Action
CodePipeline and CodeBuild
Promote and release changes of
• Application code: Redeploy app with CodeDeploy
• AWS CloudFormation template: Update infrastructure stack
• Chef cookbooks: Update instance configuration
Goal – Enterprise as code
Enterprise as code: Complete automation and codification
• Infrastructure as code: AWS CloudFormation
• Configuration as code: AWS OpsWorks & Chef
• Operations as code: Systems Manager, CloudWatch
• Compliance as code: AWS Config rules
• Application delivery as code: CodePipeline & CodeDeploy
Thank you!
Jonathan Weiss, jweiss@