# Management & Governance Tools

{% hint style="info" %}
Useful for:

* Provisioning
* Monitoring and Logging
* Operations Management
* Configuration Management
  {% endhint %}

## CloudFormation

* Allows us to implement our infrastructure as code. *(`JSON` or `YAML` templates)*
* Version control capability.
* Template describes all the AWS resources and CloudFormation takes care of provisioning and configuring.

### Stacks

* All the related resources defined in a CloudFormation template (or several templates) are managed as a single unit called a `stack`.
* `Stacks` can be managed from the console, the `AWS CLI` or the API.
* Before making changes to your resources, you can generate a **change set**.
  * This lets you review the proposed changes to your resources on a review screen before you actually apply them. Deletions and replacements show up here, so check it before updating a stack that holds stateful resources.

### Template Sections

* A template is made up of a number of different sections.
  * `AWSTemplateFormatVersion`: The template format version the template conforms to (currently `2010-09-09`).
    * Tells CloudFormation which version of the template format you are actually using.
  * `Description`: Free-text description of what the template does.
    * If present, it must immediately follow the format version.
  * `Metadata`: JSON objects and keys that provide additional information about the template.
    * If you want to attach something specific to the template (for tooling, for example), you put it in Metadata.
  * `Parameters`: Allow values to be passed in at stack creation or update.
    * Very useful if other people will be using your template.
    * Defines the parameters so that when the stack is created, CloudFormation prompts the person deploying it for the values.
      * *E.g: which `EC2` instance type to launch.*
  * `Mappings`: Match keys to corresponding name/value pairs (e.g. an AMI ID per region), looked up with `Fn::FindInMap`.
  * `Transform`: Optional transforms such as `AWS::Serverless-2016-10-31` (SAM) or `AWS::Include` snippets.
    * Prepares the template for other services, such as the Serverless Application Model.
  * `Outputs`: Declares output values (e.g. a resource ID or URL).
    * Useful to see what the stack produced, in the console or from the CLI, and to export values for other stacks to import.
  * `Resources` (required): Declares the resources to be created.
  * `Conditions`: Define when a resource is created or a property is set, based on parameter values or pseudo parameters.
    * *E.g: a condition that creates an `EC2` instance only when the `Environment` parameter equals `prod`. Ordering, such as waiting for a `VPC` to exist, is expressed with references or `DependsOn`, not with conditions.*

## CloudFormation Designer

* Visual tool that provides a drag-and-drop interface for adding resources to templates.
  * *Similar to a UML diagram.*
  * In the diagram you have:
    * `Boxes` indicating the type of each resource.
    * `Arrows` linking resources indicate relationships between them (e.g. a reference or dependency).
    * `Colored dots` to indicate some configurations on the resources.
* Supports `JSON` and `YAML`.
* Changes done on the visual representation are automatically converted to `JSON` or `YAML`.

## Service Catalog

* Allows enterprises to catalog resources (products, typically backed by CloudFormation templates) that can be deployed on the cloud.
* This allows an enterprise to achieve common governance and compliance for its IT resources by clearly defining what is allowed to be deployed on the AWS cloud.

## CloudWatch

{% hint style="info" %}
**Mainly monitors performance.**
{% endhint %}

* The Monitoring and Observability service to:
  * Collect logs, metrics and custom metrics of AWS resources.
  * Monitor metrics, statistics and alarms in dashboards.
  * Act on alarms and events. Implement corrective action.
  * Analyze log data with `CloudWatch Logs Insights`.
  * Compliance and security: access is controlled with IAM, and data is encrypted at rest and in transit.
* It can be used for triggering scaling operations, or it can also be used for providing insight into your deployed resources.

### Monitor resources like

* `EC2` instances.
* `Autoscaling` groups.
* `Elastic LoadBalancer`.
* Health check of `Route 53`.
* Monitor performance of `EBS` volumes.
* `Storage Gateway` latency.
* `CloudFront`.

### Custom Metrics

* Publish your own metrics to `CloudWatch` using the `AWS CLI` (`aws cloudwatch put-metric-data`) or an `API/SDK`.
* Standard resolution: one-minute granularity (one datapoint per minute).
* High resolution: one-second granularity (one datapoint per second); selected by publishing with `StorageResolution` set to `1`.
* Metrics produced by AWS services are **standard resolution by default**.
* The built-in `EC2` metrics include:
  * CPU
  * Network
  * Disk (read/write operations and bytes, not disk-space usage)
  * Status check
* Memory usage and disk-space usage are not built-in `EC2` metrics; they need the CloudWatch agent or a custom metric.

### Alarms

* Billing alarms as well as resource alarms.
* Integrates with `SNS` for notifications, and can trigger Auto Scaling or `EC2` actions (stop, terminate, reboot, recover).
* Three states:
  * `OK`
  * `ALARM`
  * `INSUFFICIENT_DATA`
* If the metric breaches the threshold for the configured number of datapoints within the evaluation period ("M out of N"), the alarm goes to `ALARM`.
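
As an added example (not AWS code, and not from the original page), the block below ties the two previous sections together: it aggregates raw samples into datapoints at standard (60 s) or high (1 s) resolution, builds the `put_metric_data` payload that would publish them (the call itself is not made, so it runs offline), and evaluates an alarm over the datapoints using the "M out of N" rule. The CPU samples are constructed, and the alarm evaluation is a simplified version of CloudWatch's: missing datapoints are ignored rather than filled from before the window.

```python
"""Aggregate samples into CloudWatch-style datapoints, build a put_metric_data
payload, and evaluate an alarm over the datapoints ("M out of N").

Added example, not AWS code. CPU samples are constructed; the missing-data
handling is a simplification of CloudWatch's."""
from collections import defaultdict
from statistics import mean

STANDARD_RESOLUTION = 60  # seconds per datapoint
HIGH_RESOLUTION = 1

# Constructed: 5 minutes of CPU samples every 10 s; the last 3 minutes are hot.
_T0 = 1_699_999_980  # an epoch second on a minute boundary
CPU_SAMPLES = [(_T0 + 10 * i, 20.0 if i < 12 else 95.0) for i in range(30)]


def aggregate(samples, period):
    """samples: iterable of (epoch_seconds, value). Returns an ordered dict of
    period start -> average, i.e. what the 'Average' statistic shows at that
    resolution."""
    buckets = defaultdict(list)
    for ts, value in samples:
        buckets[ts - ts % period].append(value)
    return {start: mean(values) for start, values in sorted(buckets.items())}


def metric_data_payload(namespace, metric_name, samples, high_resolution=False):
    """Arguments for boto3's cloudwatch.put_metric_data (not called here).
    StorageResolution=1 is what makes a custom metric high resolution."""
    return {
        "Namespace": namespace,
        "MetricData": [
            {"MetricName": metric_name, "Timestamp": ts, "Value": value, "Unit": "Percent",
             "StorageResolution": HIGH_RESOLUTION if high_resolution else STANDARD_RESOLUTION}
            for ts, value in samples
        ],
    }


def evaluate_alarm(datapoints, threshold, datapoints_to_alarm, evaluation_periods,
                   comparison="GreaterThanThreshold"):
    """datapoints: values oldest first, None for a period with no data.
    Looks at the last `evaluation_periods` datapoints and returns ALARM when at
    least `datapoints_to_alarm` of them breach the threshold."""
    breaches = {
        "GreaterThanThreshold": lambda v: v > threshold,
        "GreaterThanOrEqualToThreshold": lambda v: v >= threshold,
        "LessThanThreshold": lambda v: v < threshold,
        "LessThanOrEqualToThreshold": lambda v: v <= threshold,
    }[comparison]
    window = ([None] * evaluation_periods + list(datapoints))[-evaluation_periods:]
    present = [v for v in window if v is not None]
    if not present:
        return "INSUFFICIENT_DATA"
    breaching = sum(1 for v in present if breaches(v))
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


def cpu_alarm_state(samples, datapoints_to_alarm=3, evaluation_periods=3, threshold=80.0):
    """Standard-resolution CPU alarm: by default 3 of 3 one-minute datapoints above 80 %."""
    datapoints = list(aggregate(samples, STANDARD_RESOLUTION).values())
    return evaluate_alarm(datapoints, threshold, datapoints_to_alarm, evaluation_periods)


if __name__ == "__main__":
    for start, value in aggregate(CPU_SAMPLES, STANDARD_RESOLUTION).items():
        print(start, value)
    print("alarm state:", cpu_alarm_state(CPU_SAMPLES))
```

Note how the same samples give `ALARM` for "3 of 3" but `OK` for "5 of 5": the evaluation period and the datapoints-to-alarm count decide how quickly an alarm reacts and how sensitive it is to a single spike.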

### Logs

* The CloudWatch agent installed on the instance (or on-premises server) ships log files to CloudWatch Logs.
* Monitor, store, and access your log files from `EC2 instances`, `CloudTrail`, or other sources.
* Search and analyse the data with `CloudWatch Logs Insights`.

## Systems Manager

* Provides a unified user interface that lets you view operational data from multiple AWS services and automate tasks across those resources.
* That helps to shorten the time needed to detect and resolve operational problems.

## CloudTrail

{% hint style="info" %}
**Mainly monitors API calls done on AWS.**
{% endhint %}

* Records AWS account activity, including actions taken through the AWS Management Console, the AWS SDKs, the command line tools, and other AWS services.
* This greatly simplifies security analysis and auditing of what the users of your account did.
* It logs the API calls made to AWS services.
  * Logs are delivered to an `S3` bucket (and optionally to `CloudWatch Logs`) and can be analysed there (`Amazon Athena`, `EMR`, etc).

It logs which identity made the call (`userIdentity`), from what IP address (`sourceIPAddress`), and when (`eventTime`).
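
The following is an added example, not AWS code and not from the original page. It parses a CloudTrail log file (the JSON object with a `Records` list that CloudTrail delivers to the bucket), builds the who / IP / when view the paragraph above describes, and then applies the first checks an analyst typically runs over it: root credentials in use, calls from outside a trusted network, and failed (`errorCode`) calls. The records, account ID, ARNs and IP addresses are constructed, and the trusted network is an assumption.

```python
"""Parse a CloudTrail log file and report who called what, from where, and
when; then flag root usage, untrusted source addresses and failed calls.

Added example, not AWS code. All records below are constructed."""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed log file in the shape CloudTrail delivers to S3.
LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-03-01T09:12:44Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-03-01T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-03-01T09:20:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2024-03-01T09:31:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-runner"}},
    {"eventTime": "2024-03-01T09:32:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "cloudformation.amazonaws.com",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-runner"}},
]})


def load_records(text):
    """A CloudTrail log file is one JSON object whose 'Records' list holds the events."""
    return json.loads(text)["Records"]


def actor_of(record):
    """IAM user name when there is one, otherwise the ARN (root, role session...)."""
    identity = record["userIdentity"]
    return identity.get("userName") or identity["arn"]


def who_from_where(records):
    """Count calls per (identity, source address): the 'who / IP / when' view."""
    return Counter((actor_of(r), r["sourceIPAddress"]) for r in records)


def flag_events(records, trusted_networks):
    """Return the events worth a second look, each with the reasons why."""
    nets = [ip_network(n) for n in trusted_networks]
    flagged = []
    for rec in records:
        reasons = []
        if rec["userIdentity"].get("type") == "Root":
            reasons.append("root credentials used")
        try:
            ip = ip_address(rec["sourceIPAddress"])
            if not any(ip in net for net in nets):
                reasons.append(f"call from untrusted address {ip}")
        except ValueError:
            # Not an IP: an AWS service (here cloudformation.amazonaws.com) made
            # the call on the identity's behalf, so the network check does not apply.
            pass
        if "errorCode" in rec:
            reasons.append(f"failed with {rec['errorCode']}")
        if reasons:
            flagged.append({"eventTime": rec["eventTime"], "actor": actor_of(rec),
                            "eventName": rec["eventName"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    records = load_records(LOG_FILE)
    for (actor, ip), count in who_from_where(records).items():
        print(f"{actor} from {ip}: {count} call(s)")
    for event in flag_events(records, ["198.51.100.0/24"]):  # assumed office range
        print(event["eventTime"], event["actor"], event["eventName"], event["reasons"])
```

The same logic is what you would express as an Athena query over the bucket or as a CloudWatch Logs metric filter once the trail is also delivered to CloudWatch Logs; the `try/except` around the source address matters in both, because calls made by AWS services on your behalf carry a service hostname instead of an IP.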

## AWS Config

* Enables you to assess, audit, and evaluate the configurations of your AWS resources, and keeps a history of how each resource's configuration changed over time.
* This greatly simplifies compliance auditing, security analysis, change management and control, and also operational troubleshooting.
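
As an added example (not AWS code, not from the original page), the block below does what a custom AWS Config rule does: it takes a configuration item (Config's point-in-time record of a resource), returns a compliance result, and builds the evaluation entry a rule's Lambda would report back through `put_evaluations` (the call itself is not made). The rule mirrors the managed rule `restricted-ssh` (no SSH ingress from `0.0.0.0/0` or `::/0`). Because Config keeps a history of configuration items, two of them can also be diffed to see exactly what changed. The configuration items are constructed and trimmed to the fields the code reads.

```python
"""Evaluate security-group configuration items like a custom AWS Config rule,
and diff two historical items to show what changed.

Added example, not AWS code. Configuration items are constructed."""
import copy

SG_BEFORE = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2024-03-01T08:00:00Z",
    "configuration": {
        "groupName": "bastion",
        "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                           "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}],
    },
}
# Constructed: the same group after someone widened the SSH rule.
SG_AFTER = copy.deepcopy(SG_BEFORE)
SG_AFTER["configurationItemCaptureTime"] = "2024-03-01T09:30:00Z"
SG_AFTER["configuration"]["ipPermissions"][0]["ipRanges"][0]["cidrIp"] = "0.0.0.0/0"

ANYWHERE = {"0.0.0.0/0", "::/0"}


def permission_exposes_ssh(permission):
    """True if one ingress permission lets anyone on the internet reach port 22."""
    proto = permission.get("ipProtocol")
    if proto == "tcp":
        low = permission.get("fromPort", 0)
        high = permission.get("toPort", 65535)
        if not low <= 22 <= high:
            return False
    elif proto != "-1":  # "-1" means all protocols and ports
        return False
    cidrs = [r.get("cidrIp") for r in permission.get("ipRanges", [])]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def evaluate_restricted_ssh(item):
    """Compliance result for one configuration item."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    permissions = item["configuration"].get("ipPermissions", [])
    return "NON_COMPLIANT" if any(permission_exposes_ssh(p) for p in permissions) else "COMPLIANT"


def build_evaluation(item, rule=evaluate_restricted_ssh):
    """The entry a rule's Lambda reports through config.put_evaluations."""
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": rule(item),
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


def configuration_diff(old, new, path=""):
    """Recursive diff of two configuration items: (path, old, new) triples."""
    if isinstance(old, dict) and isinstance(new, dict):
        changes = []
        for key in sorted(set(old) | set(new)):
            changes += configuration_diff(old.get(key), new.get(key),
                                          f"{path}.{key}" if path else key)
        return changes
    if isinstance(old, list) and isinstance(new, list) and len(old) == len(new):
        changes = []
        for i, (a, b) in enumerate(zip(old, new)):
            changes += configuration_diff(a, b, f"{path}[{i}]")
        return changes
    return [] if old == new else [(path, old, new)]


if __name__ == "__main__":
    for item in (SG_BEFORE, SG_AFTER):
        print(build_evaluation(item))
    for path, old, new in configuration_diff(SG_BEFORE, SG_AFTER):
        print(f"{path}: {old!r} -> {new!r}")
```

The diff is the piece that turns "this group is non-compliant" into "this rule went from `10.0.0.0/8` to `0.0.0.0/0` at 09:30", which is what an incident responder needs when the change was not made through your pipeline.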

## OpsWorks

* It is a configuration management service fully managed by AWS.
* AWS OpsWorks for `Chef Automate`.
* AWS OpsWorks for `Puppet Enterprise`.
* AWS OpsWorks `Stacks`.
  * Define different parts of an application with layers.
  * Chef recipes define the configuration of the layers.
* These let us define the different parts of our application as layers, and each layer has a `Chef` recipe that defines the configuration and resources inside it.
  * *`Chef` and `Puppet` can be used to configure and automate the deployment of AWS resources.*

### Example - with `Chef` or `Puppet`

* Application instances are registered to a `Chef` or `Puppet` `OpsWorks` server.
* `Chef` or `Puppet` configurations are used to manage the application instances.

### Example - with `Stacks`

* A stack is divided into layers representing different parts of the application.
* `Chef` recipes are used to define the layer configurations.
* Some AWS resources (e.g: `Amazon RDS`) need to be created outside `OpsWorks` and then added to a layer.

## Elastic Beanstalk (Deployment Service)

* Usually used for Web Apps.
* *Uses `CloudFormation` under the hood.*
* Allows to quickly deploy and manage applications on environments.
* Automatically handles capacity provisioning, load balancing, scaling, and application health monitoring.
* New versions of the code can be uploaded through the console or CLI, and also complete environments can be re-deployed.
  * Applications can be:
    * Docker containers.
    * Node.js, Java, .NET, PHP, Ruby, Python and Go.
    * On servers such as Apache, Nginx, Passenger and IIS.

### Highly Available & Fault Tolerant Architecture

<figure><img src="https://4257107599-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FO7iF3qcu25MOrAYlRsn6%2Fuploads%2FvGEBrXWadQMNW9jxIGW7%2Felastic-beanstalk-architecture.png?alt=media&#x26;token=ba35422e-47ba-4441-9749-7cec0bc77d20" alt=""><figcaption></figcaption></figure>

* Elastic Beanstalk creates this architecture (load balancer, Auto Scaling group, instances spread across Availability Zones) automatically, without us having to do anything.

### Deployment Options

* [#all-at-once-deployments](#all-at-once-deployments "mention").
  * If you have, say, 20 EC2 instances, it deploys on all of them at once, so the application is down while the instances are being updated.
* Immutable (`All at Once - without downtime`). *(Two sets of instances temporarily)*
  * It launches 20 new instances with the new version in a temporary Auto Scaling group; only once they pass health checks are they moved into the environment and the 20 original instances terminated.
  * It temporarily doubles the resources, but has no downtime, and a failed deployment never touches the running instances.
* [#rolling-deployments](#rolling-deployments "mention") *(a batch at a time)*, Rolling with additional batch.
  * It deploys on batches of X instances at a time, so capacity drops by one batch while each batch is updated.
  * Rolling with additional batch first launches an extra batch of X instances with the new version, so capacity never drops below 100%.
* [#blue-green-deployment](#blue-green-deployment "mention") *(two environments)*.
  * It is like having two complete environments, e.g. a "Development" (green) and a "Production" (blue) environment.
  * When ready to deploy, the new version goes to the "Development" environment; once it is verified, the environment URLs (`CNAME`s) are swapped so it becomes "Production", and the old "Production" stays around for a quick rollback, so there is no downtime.

## Trusted Advisor

*Compare with* [#amazon-inspector](#amazon-inspector "mention") *(Inspector scans workloads for vulnerabilities; Trusted Advisor checks the account against AWS best practices).*

* It is an online expert system that analyzes your AWS account **in real time** and the resources inside it, and then advises you on how to best achieve high security and the best performance from those resources.
* It helps you to reduce costs and raise performance and security, optimizing your AWS environment.

### Check Categories

<table><thead><tr><th width="228">Check Category</th><th width="194">Min. Support Level</th><th>Description</th></tr></thead><tbody><tr><td>Cost Optimization</td><td><strong>Business</strong> <em>(Full)</em></td><td>Recommendations that can potentially save you money.</td></tr><tr><td>Performance</td><td><strong>Business</strong> <em>(Full)</em></td><td>Recommendations that can improve the speed and responsiveness of your applications.</td></tr><tr><td>Security</td><td><strong>Basic</strong> <em>(Core checks only, e.g. open security-group ports, MFA on root, public S3 buckets)</em>; <strong>Business</strong> <em>(Full)</em></td><td>Recommendations for security settings.</td></tr><tr><td>Fault Tolerance</td><td><strong>Business</strong> <em>(Full)</em></td><td>Recommendations that help increase the resiliency of your solutions.</td></tr><tr><td>Service Limits</td><td><strong>Basic</strong> <em>(Full)</em></td><td>Checks the usage for your account and whether your account approaches or exceeds service quotas.</td></tr><tr><td>Operational Excellence</td><td><strong>Business</strong> <em>(Full)</em></td><td>Recommendations to help you operate your AWS environment effectively.</td></tr></tbody></table>

*Basic and Developer support get the same (core) checks; Business, Enterprise On-Ramp and Enterprise get all checks.*
