AWS SysOps Cookbook - Eric Z. Beard - E-Book

Description

Become an AWS SysOps administrator and explore best practices to maintain a well-architected, resilient, and secure AWS environment

Key Features

  • Explore AWS Cloud functionalities through a recipe-based approach
  • Get to grips with a variety of techniques for automating your infrastructure
  • Discover industry-proven best practices for architecting reliable and efficient workloads

Book Description

AWS is an on-demand remote computing service providing cloud infrastructure over the internet with storage, bandwidth, and customized support for APIs. This updated second edition will help you implement these services and efficiently administer your AWS environment.

You will start with the AWS fundamentals and then understand how to manage multiple accounts before setting up consolidated billing. The book will assist you in setting up reliable and fast hosting for static websites, sharing data between running instances and backing up data for compliance. By understanding how to use compute service, you will also discover how to achieve quick and consistent instance provisioning. You’ll then learn to provision storage volumes and autoscale an app server. Next, you’ll explore serverless development with AWS Lambda, and gain insights into using networking and database services such as Amazon Neptune. The later chapters will focus on management tools like AWS CloudFormation, and how to secure your cloud resources and estimate costs for your infrastructure. Finally, you’ll use the AWS well-architected framework to conduct a technology baseline review self-assessment and identify critical areas for improvement in the management and operation of your cloud-based workloads.

By the end of this book, you’ll have the skills to effectively administer your AWS environment.

What you will learn

  • Secure your account by creating IAM users and avoiding the use of the root login
  • Simplify the creation of a multi-account landing zone using AWS Control Tower
  • Master Amazon S3 for unlimited, cost-efficient storage of data
  • Explore a variety of compute resources on the AWS Cloud, such as EC2 and AWS Lambda
  • Configure secure networks using Amazon VPC, access control lists, and security groups
  • Estimate your monthly bill by using cost estimation tools
  • Learn to host a website with Amazon Route 53, Amazon CloudFront, and S3

Who this book is for

If you are an administrator, DevOps engineer, or an IT professional interested in exploring administrative tasks on the AWS Cloud, then this book is for you. Familiarity with cloud computing platforms and some understanding of virtualization, networking, and other administration-related tasks is assumed.


Page count: 422

Publication year: 2019




AWS SysOps Cookbook Second Edition

Practical recipes to build, automate, and manage your AWS-based cloud environments

Eric Z. Beard
Rowan Udell
Lucas Chan

BIRMINGHAM - MUMBAI

AWS SysOps Cookbook Second Edition

Copyright © 2019 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Karan Sadawana
Acquisition Editor: Heramb Bhavsar
Content Development Editor: Alokita Amanna
Technical Editor: Dinesh Pawar
Copy Editor: Safis Editing
Language Support Editor: Rahul Dsouza
Project Coordinator: Vaidehi Sawant
Proofreader: Safis Editing
Indexer: Rekha Nair
Production Designer: Deepika Naik

First published: April 2017
Second edition: September 2019

Production reference: 1260919

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-83855-018-9

www.packt.com

This book is dedicated to the Horde, an extended team of partner solutions architects at AWS. They go above and beyond to work with our emerging partners to help them grow and succeed on AWS. I count everyone in the group among my mentors. They come from a wide array of technical backgrounds and bring an impressive amount of brainpower and creativity to the job. It's a humbling group to work with, and I do my best to try and learn from all of them.
–  Eric Z. Beard
 

Packt.com

Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Fully searchable for easy access to vital information

Copy and paste, print, and bookmark content

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. 

Contributors

About the authors

Eric Z. Beard, a former United States Marine, has nearly two decades of experience in technology, leading diverse DevOps and solutions architecture teams. Eric is currently a manager at Amazon Web Services in Seattle, Washington, and holds nine AWS certifications.

First I have to thank my wife, Kate, for being so patient with me while I worked on this book over many nights and weekends. Without her support, I can't imagine how I'd be successful in any of my endeavors. I would also like to thank Rowan Udell and Lucas Chan, authors of the first edition of the book. They gave me a great foundation to work from, and much of the content they created is still in this edition, mostly intact with minor edits to reflect changes made by AWS since that printing. And a big shout out to the people on the service teams at AWS who work so hard to keep innovating on behalf of customers.

 

Rowan Udell has been working in development and operations for 15 years. His travels have seen him work in start-ups and enterprises in the finance, education, and web industries in both Australia and Canada. He currently works as a Technical Director at Versent, an AWS Premier Consulting Partner, working with teams building cloud-native products on AWS. He specializes in serverless applications and architectures on AWS, and contributes actively in the AWS and serverless communities.

 

Lucas Chan has been working in tech since 1995 in a variety of development, systems admin, and DevOps roles. He is currently a senior consultant and engineer at Versent and was a technical director at Stax. He's been running production workloads on AWS for over 10 years. He's also a member of the APAC AWS warriors program and holds all five of the available AWS certifications.

About the reviewers

Ian Scofield, a former United States Army Officer, has a background in technology and communications. He is a Solutions Architect Manager at AWS and works with his team to build internal applications. He lives in Austin, Texas with his wife, an adorable labradoodle, and a grumpy cat.

 

Gajanan Chandgadkar has more than 13 years' IT experience. He has spent over 6 years in the USA, assisting large enterprises in architecting, migrating, and deploying applications in AWS. He's been running production workloads on AWS for over 6 years. He is an AWS certified solutions architect professional and a certified DevOps professional with 7+ certifications in trending technologies. Gajanan is also a technology enthusiast who has an extended interest and experience in a variety of topics, including application development, container technology, and continuous delivery.

Currently, he is working with a product company as a DevOps expert, having worked with the Wipro Limited in the past.

 

 

 

 

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

AWS SysOps Cookbook Second Edition

Dedication

About Packt

Why subscribe?

Contributors

About the authors

About the reviewers

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Sections

Getting ready

How to do it…

How it works…

There's more…

See also

Get in touch

Reviews

AWS Fundamentals

Signing up for an AWS account

How to do it…

How it works…

There's more…

See also

Understanding AWS's global infrastructure

Regions and availability zones

Global resources

Using the web console

The menu bar

AWS logo

Services

Resource Groups

Pins

Alerts

Account

Region and support

Learning the basics of AWS CloudFormation

What is CloudFormation?

Why is CloudFormation important?

Infrastructure as Code (IaC)

The layer cake

CloudFormation templates

YAML versus JSON

A closer look at CloudFormation templates

Parameters

Resources

Dependencies and ordering

Functions

Fn::Join

Fn::Sub

Conditionals

Permissions and service roles

Cross-stack references

Updating resources

Changesets

Other things to know

Name collisions

Rollback

Limits

Circular dependencies

Credentials

Stack policies

Using the command-line interface (CLI)

Installation

Upgrade

Configuration

Default profile

Named profiles

Environment variables

Instance roles

Usage

Commands

Subcommands

Options

Output

JSON

Table

Text

Querying

Generating a CLI skeleton

Input

Output

Pagination

Autocomplete

There's more…

See also

Account Setup and Management

Setting up an automated landing zone with AWS Control Tower

How to do it…

How it works…

Accounts

There's more…

See also

Setting up a master account with AWS Organizations

How to do it…

How it works…

There's more…

Using the CLI

See also

Creating a member account

Getting ready

How to do it…

How it works…

There's more…

Accessing the member account

Service Control Policies

Root credentials

Deleting accounts

See also

Inviting an account

Getting ready

How to do it…

How it works…

There's more…

Removing accounts

Consolidated billing

See also

Managing your accounts

Getting ready

How to do it…

Getting the root ID for your organization

Creating an OU

Getting the ID of an OU

Adding an account to an OU

Removing an account from an OU

Deleting an OU

How it works…

There's more…

See also

Adding a Service Control Policy (SCP)

Getting ready

How to do it…

How it works…

There's more…

See also

Setting up consolidated billing

How to do it…

How it works…

There's more…

Credits

Support charges

See also

AWS Storage and Content Delivery

Setting up a secure Amazon S3 bucket

How to do it…

Using the web console to create a bucket with versioning enabled

Using the CLI to create a bucket with cross-region replication enabled

Using CloudFormation to create a bucket

How it works…

There's more…

Athena

S3 Select

See also

Hosting a static website

How to do it…

Creating S3 buckets and hosting content

Creating a hosted zone

Creating DNS records

Uploading website content

How it works…

There's more…

Delegating your domain to AWS

Cross-origin resource sharing (CORS)

See also

Caching a website with CloudFront

Getting ready

About dynamic content

Configuring CloudFront distributions

How to do it…

How it works...

Working with network storage provided by EFS

Getting ready

How to do it…

How it works…

There's more…

Amazon FSx for Windows File Server

Getting ready

How to do it…

How it works...

Backing up data for compliance

How to do it…

How it works…

There's more...

AWS Compute

Creating a key pair

Getting ready

How to do it…

How it works…

Launching an instance

Getting ready

How to do it…

How it works…

There's more…

See also

Attaching storage

Getting ready

How to do it…

How it works…

See also

Autoscaling an application server

Getting ready

How to do it…

How it works…

Scaling policies

Alarms

Creating security groups

Getting ready

How to do it…

There's more…

Differences from traditional firewalls

Creating a load balancer

How to do it…

How it works…

There's more…

HTTPS/SSL

Path-based routing

Using AWS Systems Manager to log in to instances from the console

Getting ready…

How to do it…

How it works…

There's more…

Creating serverless functions with AWS Lambda

How to do it…

How it works…

There's more…

See also

Monitoring the Infrastructure

AWS Trusted Advisor

How to do it…

How it works…

There's more…

Resource tags

How to do it…

How it works…

AWS CloudWatch

Getting ready

How to do it…

How it works…

Widget types

Billing alerts

Getting ready

How to do it…

How it works…

The ELK stack

How to do it…

How it works…

There's more...

AWS CloudTrail

How to do it…

How it works…

There's more…

Network logging and troubleshooting

Getting ready

How to do it…

How it works…

There's more…

Log format

Updates

Omissions

See also

Managing AWS Databases

Creating an RDS database with automatic failover

Getting ready

How to do it...

How it works...

There's more...

Creating an RDS database read replica

Getting ready

How to do it...

How it works...

There's more...

Promoting an RDS read replica to master

Getting ready

How to do it...

How it works...

Creating a one-time RDS database backup

Getting ready

How to do it...

How it works...

Restoring an RDS database from a snapshot

Getting ready

How to do it...

How it works...

There's more...

Managing Amazon Aurora databases

How to do it...

How it works...

There's more...

Managing Amazon Neptune graph databases

How to do it...

How it works...

Create a DynamoDB table with a global secondary index

How to do it...

How it works...

Calculating Amazon DynamoDB capacity

Getting ready

How to do it...

How it works...

There's more...

Burst capacity

Metrics

Eventually consistent reads

See also

AWS Networking Essentials

Creating a VPC and subnets

Getting ready

How to do it...

How it works...

There's more...

See also

Managing a transit gateway

Getting ready

How to do it...

How it works...

Creating a Virtual Private Network (VPN)

How to do it...

How it works...

There's more...

BGP

ASN

Setting up NAT gateways

Getting ready

How to do it...

How it works...

See also

Managing domains with Route 53

Getting ready

How to do it...

How it works...

There's more...

See also

AWS Account Security and Identity

Administering users with IAM

Getting ready

How to do it...

There's more...

See also

Deploying Simple Active Directory service

Getting ready

How to do it...

How it works...

There's more...

See also

Creating instance roles

How to do it...

How it works...

There's more...

Using cross-account roles

Getting ready

How to do it...

How it works...

There's more...

AWS CLI profiles

Storing secrets

How to do it...

How it works...

There's more...

Protecting applications from DDoS

How to do it...

How it works...

There's more...

Configuring AWS WAF

How to do it...

How it works...

There's more...

Setting up intrusion detection

How to do it...

How it works...

There's more...

Managing Costs

Estimating costs with the Simple Monthly Calculator

Getting ready

How to do it...

How it works...

See also

Estimating costs with the Total Cost of Ownership Calculator

Getting ready

How to do it...

How it works...

There's more...

See also

Estimating CloudFormation template costs

Getting ready

How to do it...

How it works...

See also

Reducing costs by purchasing reserved instances

Getting ready

How to do it...

How it works...

There's more...

Advanced AWS CloudFormation

Creating and populating an S3 bucket with custom resources

How to do it...

How it works...

There's more...

Using a macro to create an S3 bucket for CloudTrail logs

How to do it...

How it works...

There's more...

See also

Using mappings to specify regional AMI IDs

How to do it...

How it works...

There's more...

See also

Using StackSets to deploy resources to multiple regions

Getting ready

How to do it...

How it works...

There's more...

See also

Detecting resource drift from templates with drift detection

How to do it...

How it works...

There's more...

Unsupported resources and properties

Using the CLI

See also

AWS Well-Architected Framework

Understanding the five pillars of the Well-Architected Framework

Security

Operational excellence

Performance efficiency

Reliability

Cost optimization

Conducting a technology baseline review self-assessment

How to do it...

How it works...

There's more...

Using the Well-Architected Tool to evaluate a production workload

How to do it...

How it works...

There's more...

Working with Business Applications

Creating a place for employees to share files with WorkDocs

How to do it...

How it works...

There's more...

Hosting desktops in the cloud and allowing users to connect remotely using WorkSpaces

How to do it...

How it works...

There's more...

Giving your users a place to chat and conduct video calls with Chime

How to do it...

How it works...

There's more...

Exploring the use of Alexa for Business

How to do it...

How it works...

There's more...

Hosting your company's email with WorkMail

How to do it...

How it works...

There's more...

AWS Partner Solutions

Creating machine images with Hashicorp's Packer

Getting ready

How to do it...

How it works...

Template

Validating the template

Building the AMI

There's more...

Debugging

Orphaned resources

Deregistering AMIs

Other platforms

Monitoring and optimizing your AWS account with nOps

Getting ready

How to do it...

How it works...

There's more...

Using IOPipe to instrument your lambda functions

How to do it...

How it works...

Metrics dashboards

Alerting

Profiling

Labels and search

There's more...

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

The AWS platform is developing at a rapid rate and is being increasingly adopted across all industries and sectors. As the saying goes, friends don't let friends build data centers. No matter how you look at it, the model of pay-as-you-go computing, networking, and storage is here to stay. It's also becoming increasingly hard to argue against standing on the shoulders of giants, especially when you look at the rate at which features and enhancements are being added to the AWS platform compared to what you'd typically get out of other cloud providers or a so-called private cloud.

We work with many technical professionals who are highly knowledgeable in their domain, but who are often completely new to the AWS platform. Alternatively, they may be familiar with AWS, but are new to automation and infrastructure code practices.

We wanted to write a book for these people.

This book is intended to kick start your journey on AWS by providing recipes, patterns, and best practices across the areas we are often asked to help with on our consulting engagements. All the recipes and recommendations contained in this book are based on our personal experiences and observations from our time helping customers on the AWS platform.

CloudFormation is the AWS-native method for automating the (repeatable and reliable) deployment of AWS resources, and we use it extensively throughout this book. The recipes that follow will help you get well acquainted with CloudFormation and you'll soon be on your way to customizing and building your own templates. With so much power at your fingertips, there's a lot of potential for finding yourself in a rabbit hole. This book aims to steer you in the right direction and help you adopt the platform in a sustainable and maintainable way.

Who this book is for

This book is for anyone with a technical background who is interested in using AWS, either for moving existing workloads or deploying entirely new applications. Those who want to learn CloudFormation will also find this book useful.

What this book covers

Chapter 1, AWS Fundamentals, provides an overview of infrastructure as code, CloudFormation, and the AWS CLI tools.

Chapter 2, Account Setup and Management, includes everything you need to know to manage your accounts and get started with AWS organizations.

Chapter 3, AWS Storage and Content Delivery, shows how to back up your data and serve file objects to your users.

Chapter 4, AWS Compute, dives deep into how to run VMs (EC2 instances) on AWS, how to autoscale them, and how to create and manage load balancers.

Chapter 5, Monitoring the Infrastructure, provides an overview of how to audit your account and monitor your infrastructure.

Chapter 6, Managing AWS Databases, shows how to create, manage, and scale databases on the AWS platform.

Chapter 7, AWS Networking Essentials, introduces private networks, routing, and DNS.

Chapter 8, AWS Account Security and Identity, offers advice and practical solutions for managing identities and role-based access.

Chapter 9, Managing Costs, provides an overview of how to estimate your spend on the AWS platform as well as how to reduce your costs by purchasing reserved instance capacity.

Chapter 10, Advanced AWS CloudFormation, explains how to pursue plans that will enable you to customize the behavior of CloudFormation, and apply your scripts over various regions and accounts.

Chapter 11, AWS Well-Architected Framework, introduces the AWS Well-Architected Framework, which was created by AWS following years spent working with clients, to enable them to build secure, highly performant, and reliable systems.

Chapter 12, Working with Business Applications, helps you gain proficiency with the AWS business application services so that you can replace costly on-premises assets with cloud-based options.

Appendix, AWS Partner Solutions, presents a few recipes covering products offered by members of the AWS Partner Network (APN).

To get the most out of this book

The recipes in this book show you how to deploy a wide variety of resources on AWS, so you'll need at least one AWS account with full administrative access. You'll also need a text editor to edit YAML/JSON CloudFormation templates and the AWS CLI tools, which are supported on common operating systems (macOS/Linux/Windows).

Download the example code files

You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

1. Log in or register at www.packt.com.

2. Select the Support tab.

3. Click on Code Downloads.

4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

WinRAR/7-Zip for Windows

Zipeg/iZip/UnRarX for Mac

7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/AWS-SysOps-Cookbook-Second-Edition. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781838550189_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Next, we define Resources parameters."

A block of code is set as follows:

Resources:
  ExampleEC2Instance:
    Type: AWS::EC2::Instance

Any command-line input or output is written as follows:

pip install --upgrade awscli

Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Expand the Create individual IAM users section and click Manage Users."

Warnings or important notes appear like this.
Tips and tricks appear like this.

Sections

In this book, you will find several headings that appear frequently (Getting ready, How to do it..., How it works..., There's more..., and See also).

To give clear instructions on how to complete a recipe, use these sections as follows.

Getting ready

This section tells you what to expect in the recipe and describes how to set up any software or any preliminary settings required for the recipe.

How to do it…

This section contains the steps required to follow the recipe.

How it works…

This section usually consists of a detailed explanation of what happened in the previous section.

There's more…

This section consists of additional information about the recipe in order to make you more knowledgeable about the recipe.

See also

This section provides helpful links to other useful information for the recipe.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

AWS Fundamentals

Amazon Web Services (AWS) was the pioneer in cloud computing, launching its offering over a decade ago, and it continues to rapidly introduce new services and features based on customer demand. AWS was developed by Amazon.com when the company decided to turn its expertise in building large-scale, reliable, and cost-efficient internet systems into a product that could be used by customers to host their own sites and services.

At the time of writing, AWS has 136 services listed on its web console, ranging from foundational services such as Identity and Access Management (IAM) and Elastic Compute Cloud (EC2) to high-level machine learning services such as Rekognition. The breadth and depth of the services that are available make it possible to implement almost any idea quickly and efficiently – your imagination is the only true limit to what you can do. But all of those services mean that you – as a developer, systems administrator, or solutions architect – have a lot to learn!

Luckily, we are here to help, and if you stick with us throughout the next 12 chapters, you will have a solid foundation for establishing yourself as an AWS expert.

In this chapter, we will cover the following topics:

Signing up for an AWS account

Understanding AWS's global infrastructure

Using the web console

Learning the basics of AWS CloudFormation

Using the AWS CLI

Signing up for an AWS account

To follow along with the recipes in this book, you will need to set up an AWS account. Follow all of these steps to learn how to create an account that you will securely access with an IAM user and a Multi-Factor Authentication (MFA) device.

How to do it…

Follow these steps to create an AWS account:

Create an account at https://aws.amazon.com/ by clicking on the Sign Up button and entering your details:

Creating an AWS account
Even though we will be taking advantage of the free tier wherever possible, you will need a valid credit card to complete the signup process. Go to https://aws.amazon.com/free/ for more information. Note that the free tier only applies for the first year of your account's lifetime.

Before we get started using that shiny new account, let's go over some best practices regarding basic account security. The very first thing you should do as the owner of an AWS account is enable MFA on the root login:

Identity and Access Management
Protect your logins with MFA. Check out this article by Okta on why MFA is a good idea: https://www.okta.com/identity-101/why-mfa-is-everywhere/.

As you can see, when you first visit the IAM console, AWS recommends that you Activate MFA as the next step to improve your security status. Expand the Activate MFA section and click through it to get to your security credentials screen:

Managing the MFA device

Choose the type of MFA device you prefer and complete the setup. If you choose to use a virtual device, note how the app on your phone stores its secrets. At the time of writing, some apps, such as Google Authenticator, don't back up their data to the cloud, so, if you lose your phone, you will no longer be able to log in to your account. Try apps such as Authy or LastPass Authenticator if you want your MFA device to be synced with an online account. For the root login specifically, a hardware MFA device kept in a safe place is the more robust choice, because recovering root access after a lost MFA device means going through AWS's account-recovery process.

MFA is an essential extra layer of security that you should apply to all of your online accounts, not just AWS. Now that you have protected your root login with MFA, it's time to take your account security to the next level by creating an IAM account for routine access. Let's get started:

Never use the root login account for routine access. Secure the root credentials and the MFA device so that a very limited group of people have access to them, for use only when absolutely necessary. This will reduce the chances of a bad actor compromising your account.

Expand the Create individual IAM users section and click Manage Users:

Manage Users

Add a new user account:

Adding a new user account

This will be the user account that you use to complete the exercises in this book. On the next screen, you will be asked to create a group for this user.

Create a group called Admins and select AdministratorAccess:

Creating a group

Once you have finished creating the new IAM user, make sure that you save its credentials so that you can use the CLI later. The secret access key is shown only once, at creation time, so store it in a password manager straight away, and never commit it to a source code repository.

One last thing we will do before logging out of the root is apply a password policy to the account so that all the users are required to have strong passwords:

Password policy

Once you have done this and see five green checkboxes under Security Status, log out of the root user and log back in as your newly created user.

How it works…

When you create an IAM user within your AWS account, you are addressing authentication, which answers the question, Who is this user? By itself, a user has no rights to accomplish anything in your account: every request is denied unless something explicitly allows it. Access management, or authorization, determines what the principal identities within your account can do. Authorization answers the question, What is this user allowed to do? In AWS, you create policies that define what those principals are allowed to do. Policies are attached to users, roles, and groups, and a principal's effective permissions are the union of every policy attached to it and to the groups it belongs to.
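To make the authentication/authorization distinction concrete, here is an added example (our own illustration, not AWS code and not from the book) of how identity-based policies combine: a small Python evaluator that applies the default-deny and explicit-deny-wins rules to the union of the policies attached to a principal. The AdministratorAccess document mirrors the shape of the managed policy chosen for the Admins group above; the log-reader policy, the CloudTrail guard-rail, the bucket name and the account ID are constructed for this example. Condition keys, NotAction/NotResource, permission boundaries, SCPs and resource-based policies are not modelled.

```python
"""Toy model of how AWS evaluates identity-based IAM policies.

Added example, not AWS code. It implements the rules that answer
"what is this user allowed to do?":
  1. every request starts as an implicit deny;
  2. an Allow statement matching the action and resource lifts it;
  3. an explicit Deny that matches wins over any Allow, wherever it lives.
The policies passed in are the union of everything attached to the principal
(the user and each of its groups). Only Action/Resource matching with the '*'
and '?' wildcards is modelled; Condition blocks, NotAction/NotResource,
permission boundaries, SCPs and resource-based policies are out of scope.
"""
from fnmatch import fnmatchcase

ALLOW, EXPLICIT_DENY, IMPLICIT_DENY = "ALLOW", "EXPLICIT_DENY", "IMPLICIT_DENY"


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise it."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """'*' and '?' are the only IAM wildcards; fnmatchcase provides both."""
    patterns = _as_list(patterns)
    if not case_sensitive:  # action names are case-insensitive in IAM; ARNs are not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return ALLOW, EXPLICIT_DENY or IMPLICIT_DENY for one (action, resource)."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action, case_sensitive=False):
                continue
            if not _matches(stmt["Resource"], resource, case_sensitive=True):
                continue
            if stmt["Effect"] == "Deny":
                return EXPLICIT_DENY  # a single matching Deny settles the request
            allowed = True
    return ALLOW if allowed else IMPLICIT_DENY


# Same shape as the managed AdministratorAccess policy attached to the Admins group.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed least-privilege policy: read one bucket and nothing else.
LOG_READER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-audit-logs", "arn:aws:s3:::example-audit-logs/*"],
    }],
}

# Constructed guard-rail: nobody, administrators included, may switch off CloudTrail.
PROTECT_CLOUDTRAIL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    admin = [ADMINISTRATOR_ACCESS, PROTECT_CLOUDTRAIL]
    trail = "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"  # constructed ARN
    print(evaluate(admin, "ec2:RunInstances", "*"))                      # ALLOW
    print(evaluate(admin, "cloudtrail:StopLogging", trail))               # EXPLICIT_DENY
    print(evaluate([LOG_READER], "s3:GetObject", "arn:aws:s3:::example-audit-logs/app.log"))     # ALLOW
    print(evaluate([LOG_READER], "s3:DeleteObject", "arn:aws:s3:::example-audit-logs/app.log"))  # IMPLICIT_DENY
```

The verdict worth noticing is the second one: a Deny attached through any policy or group overrides the blanket Allow of AdministratorAccess, which is how you stop even the Admins group from turning off audit logging; everything not explicitly allowed, such as the log reader's attempt to delete, falls through to the implicit deny.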

There's more…

Keep in mind that changes made to users, groups, and roles are eventually consistent. This means that a change might not be visible immediately across your entire account (or, since IAM is global, in every region at the same moment); a freshly created role, for example, may not be assumable for a few seconds. AWS recommends that you do not include IAM changes in latency-sensitive code.

See also

Check out the AWS Organizations and AWS Control Tower recipes in Chapter 2, Account Setup and Management, for an in-depth look at setting up multiple accounts for your company's cloud-based applications.

Understanding AWS's global infrastructure

One of the primary benefits of building your applications on the AWS cloud is that you can deploy globally in minutes. The global infrastructure is divided up into segments called regions. Each region is completely isolated from other regions, meaning that a region has its own independent installations of AWS services, and customer data will never flow out of that region unless an application is designed to export it over the internet. At the time of writing, there are 20 regions around the world.

Regions and availability zones

A region is further subdivided into availability zones (AZ), of which there are currently 60. A typical region has three availability zones, which are closely placed clusters of data centers with link speeds high enough that all resources within an availability zone are essentially treated as a single local network. AWS carefully plans the location of data centers within an AZ so that the separate AZs within a region have unique geographic profiles – for example, flood plains are taken into consideration so that, if a rare natural disaster occurs, only one of the AZs within the region will be affected. However, AZs are still close enough together that the network connection between them is very fast.

The design of this global infrastructure allows customers to create highly fault-tolerant and performant applications. An example of the resilience that can be created by using multiple availability zones is Amazon S3, which achieves an incredible 11 x 9s of durability for objects stored by customers. That's 99.999999999%, which means that, in theory, if you stored 10 million objects in S3, you would expect to lose only 1 object every 10,000 years!

AWS is steadily adding more regions throughout the world to give customers more options regarding where their applications are deployed. Some countries have strict compliance regulations that require data to be stored in a region within a country, so be sure to research those regulations before making your choice.

See https://aws.amazon.com/about-aws/global-infrastructure/ for the most up to date list of regions and availability zones.

Global resources

It's important to understand that there are some AWS services that are considered global, meaning that those services are configured once per account and apply to all regions. In the web console, look at the upper right-hand corner of the screen to see which region you are currently viewing:

As you can see, I am currently in the Northern Virginia region

Now, select the IAM service, and note that you are no longer referencing a single region. When you create users, groups, and roles in IAM, those entities apply to all AWS regions. It isn't necessary to recreate your IAM resources each time you deploy to a new region:

Global resources

Other examples of global services are Amazon Route 53, Amazon CloudFront, and AWS WAF.

Using the web console

You have already had some exposure to the AWS administration console at https://console.aws.amazon.com. For some users, the web interface is all they ever need to create and administer their cloud resources. Later in this chapter, we will introduce CloudFormation and the command-line interface (CLI) as worthy alternatives to using a web browser. As good practice for production accounts, we highly recommend automating all of your resource changes with a templating system such as CloudFormation.

However, for routine discovery and education, the web console is an excellent tool, so we will highlight some of its features here. Keep in mind that the UI evolves over time, so the screenshots you see in this section may not exactly match what you see when you log in:

AWS Management Console 

The menu bar

Let's start by dissecting that top menu bar and see what it has to offer.

AWS logo

The AWS logo takes you back to the top-level page of the console. It actually ends up being very useful when you decide you want to open a new console window without leaving the page you are currently viewing – just middle-click it or right-click and open the page in a new tab:

The AWS logo

Services

Expand the Services dropdown to see a screen with all the AWS services listed, and a recent history of the services you visited on the left. The search box will end up being the fastest way for you to find the service you are looking for:

Clicking the Services link replaces the page's contents with an exhaustive list of services

Resource Groups

Resource Groups are a way to manage groups of resources, a topic that we will explore in detail in Chapter 9, Managing Costs:

Resource Groups

Pins

Click the pin icon to view a list of service widgets that can be added to the menu bar:

As you can see, I have pinned CloudTrail to give me quick access to that service

Alerts

The bell icon shows alerts and notifications that are relevant to your account:

Keep an eye on the alerts for important notifications from AWS

Click View all alerts to see an event log of all the operational issues that may have affected your account recently.

Account

Click on your username to see links to the various screens related to your AWS account:

The username link

You already spent some time on the My Security Credentials screen when you created your account and set up security for the root login and your first IAM user. We will go into more detail about My Organization, My Billing Dashboard, and Switch Role in Chapter 2, Account Setup and Management and Chapter 9, Managing Costs.

Region and support

Click on the region selector to see all the regions that are available to you in your account:

AWS regions available in your account

Remember that selecting a new region takes you to a completely isolated AWS environment, so any regional resources you had set up in the previous region will no longer be visible. If you ever find yourself in a panic because it looks like one of your resources, such as an RDS database or an EC2 instance, seems to have disappeared, it's probably because you are in the wrong region.

Finally, we have the Support link, which exposes several support resources. 

Speaking of support, we should mention another best practice recommendation: all production accounts should have, at a minimum, Business support enabled. A support contract gives you rapid access to help when you need it. Don't skimp on this critical resource!

Learning the basics of AWS CloudFormation

We'll use CloudFormation extensively throughout this book, so it's important that you have an understanding of what it is and how it fits into the AWS ecosystem. There should be enough information here to get you started, but, where necessary, we'll refer you to the AWS documentation.

What is CloudFormation?

The CloudFormation service allows you to provision and manage a collection of AWS resources in an automated and repeatable fashion. In AWS terminology, these collections are referred to as stacks. Note, however, that a stack can be as large or as small as you like. It might consist of a single S3 bucket, or it might contain everything needed to host your three-tier web app.

In this chapter, we'll show you how to define the resources to be included in your CloudFormation stack. We'll talk a bit more about the composition of these stacks and why and when it's preferable to divvy up resources between a number of stacks. Finally, we'll share a few of the tips and tricks we've learned over the years building countless CloudFormation stacks.

Why is CloudFormation important?

By now, the benefits of automation should be starting to become apparent to you. But don't fall into the trap of thinking CloudFormation will only be useful for large collections of resources. Even performing the simplest task of, say, creating an S3 bucket, can get very repetitive if you need to do it in every region.

We work with a lot of customers who have very tight controls and governance around their infrastructure, especially in the network layer (think VPCs, NACLs, and security groups). Being able to express their cloud footprint in YAML (or JSON), store it in a source code repository, and funnel it through a high-visibility pipeline gives these customers confidence that their infrastructure changes are peer-reviewed and will work as expected in production. Discipline and commitment to IaC SDLC practices are, of course, a big factor in this, but CloudFormation helps bring us out of the era of following 20-page run-sheets for manual changes, navigating untracked or unexplained configuration drift, and unexpected downtime that's caused by fat fingers.

Infrastructure as Code (IaC)

AWS CloudFormation is an Infrastructure as Code (IaC) service. IaC has emerged as a critical strategy for companies that are making the transformation to a DevOps culture. DevOps and IaC go hand in hand. The practice of storing your infrastructure as code encourages a sharing of responsibilities that facilitates collaboration.

There are many benefits to IaC, some of which are as follows:

Modeling your infrastructure as code gives you a single source of truth to define the resources that are deployed in your account.

Once there are no manual steps to create your resources, you can fully automate deployment. You can deploy changes to an existing environment or create a brand new environment from scratch automatically by launching stacks based on your CloudFormation templates.

Treating your infrastructure as code allows you to apply all the best practices of modern software development to your templates. Use code editors, distributed version control, code reviews, and easy rollbacks as part of your process.

The layer cake

Now is a good time to start thinking about your AWS deployments in terms of layers. Your layers will sit on top of one another, and you will have well-defined relationships between them.

Here's a bottom-up example of what your layer cake might look like:

VPC with CloudTrail

Subnets, routes, and NACLs

NAT gateways, VPN or bastion hosts, and associated security groups

App stack 1: Security groups and S3 buckets

App stack 2: Cross-zone RDS and read replica

App stack 3: App and web server autoscaling groups and ELBs

App stack 4: CloudFront and WAF config

In this example, you may have many occurrences of the app stack layers inside your VPC, assuming that you have enough IP addresses in your subnets! This is often the case with VPCs living inside development environments. So, immediately, you have the benefit of multi-tenancy capability with application isolation.

One advantage of this approach is that, while you are developing your CloudFormation template, if you mess up the configuration of your app server, you don't have to wind back all the work CloudFormation did on your behalf. You can just scrap that particular layer (and the layers that depend on it) and restart from there. This is not the case if you have everything contained in a single template.

We commonly work with customers for whom the ownership and management of each layer in the cake reflect the structure of the technology divisions within a company. The traditional infrastructure, network, and cybersecurity folk are often really interested in creating a safe place for digital teams to deploy their apps, so they like to heavily govern the foundational layers of the cake. 

Even if you are a single-person infrastructure coder working in a small team, you will benefit from this approach. For example, you'll find that it dramatically reduces your exposure to things such as AWS limits, timeouts, and circular dependencies.

CloudFormation templates

This is where we start to get our hands dirty. CloudFormation template files are the codified representations of your stack and are expressed in either YAML or JSON. When you wish to create a CloudFormation stack, you push a template file to CloudFormation through its API, web console, command-line tools, or some other method (such as the SDK).

Templates can be replayed over and over again by CloudFormation, thus creating many instances of your stack.

YAML versus JSON

Up until recently, JSON was your only option. We actually encourage you to adopt YAML, and we'll be using it for all of the examples that are shown in this book. Some of the reasons for this are as follows:

It's just nicer to look at. It's less syntax-heavy, and should you choose to go down the path of generating your CloudFormation templates, pretty much every language has a YAML library of some kind.

The size of your templates will be much smaller. This is more practical from a developer's point of view, but it also means that you're less likely to run into the CloudFormation limit on the size of a template passed directly in an API call (51,200 bytes at the time of writing; larger templates must be uploaded to S3 and referenced by URL, which has its own, higher limit).

The string-substitution features are easier to use and interpret.

Your EC2 UserData (the script that runs when your EC2 instance boots) will be much easier to implement and maintain.

A closer look at CloudFormation templates

CloudFormation templates consist of a number of parts, but these are the four we're going to concentrate on:

Parameters

Resources

Outputs

Mappings

Here's a short YAML example:

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  EC2KeyName:
    Type: String
    Description: EC2 Key Pair to launch with
Mappings:
  RegionMap:
    us-east-1:
      AMIID: ami-9be6f38c
    ap-southeast-2:
      AMIID: ami-28cff44b

We declare a parameter and mappings to start the template. Mappings will be covered in Chapter 10, Advanced AWS CloudFormation. Next, we define Resources:

Resources:
  ExampleEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.nano
      UserData:
        Fn::Base64:
          Fn::Sub: |
            #!/bin/bash -ex
            # ${ExampleWaitHandle} is replaced with the handle's presigned URL
            /opt/aws/bin/cfn-signal '${ExampleWaitHandle}'
      ImageId:
        Fn::FindInMap: [ RegionMap, Ref: 'AWS::Region', AMIID ]
      KeyName:
        Ref: EC2KeyName

Still inside Resources, we then define the wait condition handle and the wait condition that the instance signals, followed by the top-level Outputs section:

  ExampleWaitHandle:
    Type: AWS::CloudFormation::WaitConditionHandle
  ExampleWaitCondition:
    Type: AWS::CloudFormation::WaitCondition
    DependsOn: ExampleEC2Instance
    Properties:
      Handle:
        Ref: ExampleWaitHandle
      Timeout: '600'   # seconds to wait for the signal before the stack fails
Outputs:
  ExampleOutput:
    Value:
      Fn::GetAtt: [ ExampleWaitCondition, Data ]
    Description: The data signaled with the WaitCondition

Outputs give you a way to see things such as auto-generated names, and, in this case, the data from the wait condition.

Parameters

CloudFormation parameters are the input values you define when creating or updating a stack, similar to how you provide parameters to any command-line tools you might use. They allow you to customize your stack without making changes to your template. Common examples of what parameters might be used for are the following:

EC2 AMI ID: You may wish to redeploy your stack with a new AMI that has the latest security patches installed.

Subnet IDs: You could have a list of subnets that an autoscaling group should deploy servers in. These subnet IDs will be different between your dev, test, and production environments.

Endpoint targets and credentials: These include things such as API hostnames, usernames, and passwords.

You'll find that there are a number of parameter types. In brief, they are as follows:

String

Number

List<Number>

CommaDelimitedList

In addition to these, AWS provides some AWS-specific parameter types. These can be particularly handy when you are executing your template via the CloudFormation web console. For example, a parameter of the AWS::EC2::AvailabilityZone::Name type causes the web console to display a dropdown list of valid AZs for this parameter. In the ap-southeast-2 region, the list would look like this:

ap-southeast-2a

ap-southeast-2b

ap-southeast-2c

The list of AWS-specific parameter types is steadily growing and is so long that we can't list them here. We'll use many of them throughout this book, however, and they can easily be found in the AWS CloudFormation documentation.

When creating or updating a stack, you will need to provide values for all the parameters you've defined in your template. Where it makes sense, you can define default values for a parameter. For example, you might have a parameter called debug that tells your application to run in debug mode. Typically, you don't want this mode enabled by default, so you can set the default value for this parameter to false, disabled, or something else your application understands. Of course, this value can be overridden when you're creating or updating a stack.

You can – and should – provide a short, meaningful description for each parameter. These are displayed in the web console, next to each parameter field. When used properly, they provide hints and context to whoever is trying to run your CloudFormation template.

At this point, we need to introduce the built-in Ref function. When you need to reference a parameter value, you use this function to do so:

KeyName:
  Ref: EC2KeyName

While Ref isn't the only built-in function you'll need to know about, it's almost certainly going to be the one you'll use the most. We'll talk more about built-in functions later in this chapter.
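To see what Ref, Fn::FindInMap, Fn::Sub and Fn::Base64 actually turn into before you push anything to the API, here is an added example (our own toy code, not part of CloudFormation, the AWS SDK, or the book) that resolves the Properties of the template shown earlier in this section. The template is reproduced as the equivalent JSON-style Python structure so that no YAML library is needed; the parameter value ops-key, the account ID, and the <physical-id-of:...> placeholder used for references to not-yet-created resources are assumptions of the example.

```python
"""Toy resolver for the intrinsic functions used in this chapter's template.

Added example, not CloudFormation: resolves Ref, Fn::FindInMap, Fn::Sub (string
form) and Fn::Base64 in each resource's Properties, and raises TemplateError for
what the service would reject (a Ref to an undeclared name, a parameter with no
value and no Default, a region missing from the mapping).
"""
import base64
import re

# The chapter's YAML template as the equivalent JSON-style structure (no YAML
# library needed; YAML and JSON templates are interchangeable).
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"EC2KeyName": {"Type": "String", "Description": "EC2 Key Pair to launch with"}},
    "Mappings": {"RegionMap": {"us-east-1": {"AMIID": "ami-9be6f38c"},
                               "ap-southeast-2": {"AMIID": "ami-28cff44b"}}},
    "Resources": {
        "ExampleEC2Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "InstanceType": "t2.nano",
                "UserData": {"Fn::Base64": {"Fn::Sub":
                    "#!/bin/bash -ex\n/opt/aws/bin/cfn-signal '${ExampleWaitHandle}'\n"}},
                "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMIID"]},
                "KeyName": {"Ref": "EC2KeyName"},
            },
        },
        "ExampleWaitHandle": {"Type": "AWS::CloudFormation::WaitConditionHandle"},
        "ExampleWaitCondition": {
            "Type": "AWS::CloudFormation::WaitCondition",
            "DependsOn": "ExampleEC2Instance",
            "Properties": {"Handle": {"Ref": "ExampleWaitHandle"}, "Timeout": "600"},
        },
    },
}
SUB_VAR = re.compile(r"\$\{([^}!][^}]*)\}")  # ${Name}; ${!Literal} escapes are left alone


class TemplateError(ValueError):
    """Anything the real service would reject when the template is validated."""


class Resolver:
    def __init__(self, template, parameters, region, account_id="123456789012"):  # account ID is assumed
        self.template = template
        self.pseudo = {"AWS::Region": region, "AWS::AccountId": account_id}
        declared = template.get("Parameters", {})
        missing = [p for p, spec in declared.items() if p not in parameters and "Default" not in spec]
        if missing:
            raise TemplateError(f"no value given for parameter(s) {missing}")
        self.params = {p: parameters.get(p, spec.get("Default")) for p, spec in declared.items()}

    def ref(self, name):
        if name in self.pseudo:
            return self.pseudo[name]
        if name in self.params:
            return self.params[name]
        if name in self.template.get("Resources", {}):
            return f"<physical-id-of:{name}>"  # e.g. the handle's presigned URL, known only after creation
        raise TemplateError(f"Ref to undeclared name {name!r}")

    def resolve(self, node):
        if isinstance(node, dict) and len(node) == 1:  # an intrinsic function is a one-key mapping
            (fn, arg), = node.items()
            if fn == "Ref":
                return self.ref(arg)
            if fn == "Fn::FindInMap":
                map_name, top, second = (self.resolve(a) for a in arg)
                try:
                    return self.template["Mappings"][map_name][top][second]
                except KeyError as exc:
                    raise TemplateError(f"Fn::FindInMap: no key {exc} in {map_name}") from None
            if fn == "Fn::Sub":
                return SUB_VAR.sub(lambda m: str(self.ref(m.group(1))), self.resolve(arg))
            if fn == "Fn::Base64":
                return base64.b64encode(self.resolve(arg).encode()).decode()
            if fn.startswith("Fn::"):
                raise TemplateError(f"{fn} is not handled by this toy resolver")
        if isinstance(node, dict):
            return {k: self.resolve(v) for k, v in node.items()}
        if isinstance(node, list):
            return [self.resolve(v) for v in node]
        return node


def resolve_properties(template, parameters, region):
    """Return {logical ID: resolved Properties} for every resource in the template."""
    resolver = Resolver(template, parameters, region)
    return {lid: resolver.resolve(res.get("Properties", {})) for lid, res in template["Resources"].items()}


def check_template(template, parameters, region):
    """None when everything resolves, otherwise the validation error text."""
    try:
        resolve_properties(template, parameters, region)
    except TemplateError as exc:
        return str(exc)
    return None


def user_data_script(resolved_instance_properties):
    """Decode Base64 UserData back into the script the instance will actually run."""
    return base64.b64decode(resolved_instance_properties["UserData"]).decode()


if __name__ == "__main__":
    props = resolve_properties(TEMPLATE, {"EC2KeyName": "ops-key"}, "ap-southeast-2")
    print(props["ExampleEC2Instance"]["ImageId"], props["ExampleEC2Instance"]["KeyName"])
    print(user_data_script(props["ExampleEC2Instance"]))
```

Two of the failure cases are worth trying: launching in a region that RegionMap does not list fails at the FindInMap lookup, and a misspelled logical name inside a Ref fails immediately rather than halfway through a stack creation. Both are exactly the errors a linter or a pre-commit check in your template pipeline should catch.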

Resources

Resources are your actual pieces of AWS infrastructure. These are your EC2 instances, S3 buckets, ELBs, and so on. Almost any resource type you can create by pointing and clicking on the AWS web console can also be created using CloudFormation.