Amazon AWS DevOps Engineer Professional – Policies and Standards Automation (Domain 4) Part 5
August 24, 2023

13. Config – Automations

So now let’s talk about all the automations you can do on top of AWS Config. The first thing is that you have SNS notifications available for AWS Config, but these are notifications for everything happening within the service AWS Config as a whole; this is not something you can set at the rule level. All these notifications are sent to SNS and they include the following events: a configuration item change for a resource, the configuration history for a resource, a configuration snapshot, the compliance state, the evaluation started for a rule against resources, and some failures for notification deliveries.

So if you go to Settings in Config and scroll down, you can see that there is an Amazon SNS topic option. Here you can enable it, and this will stream the configuration changes and notifications to an SNS topic that you create. The use case for SNS would be, for example, if you need operational insights sent to a Slack channel about what is going on within AWS Config as a whole. But if you go to the rule level and click on a rule, for example, there is no such thing as SNS notifications for this rule. So remember that notifications to SNS are available for AWS Config as a whole, not per rule.

So now the question is how do you go about remediating, or doing something, when rules get triggered and compliance issues appear? Obviously the answer again is going to be CloudWatch Events. Config is integrated with CloudWatch Events, so whenever a rule has an issue you can react with a CloudWatch Events rule. If you scroll down here you see that there is an Amazon CloudWatch Events rules section, and it says the first thing you need to do is set up a rule, and then you can do whatever you want with it. So let’s go into CloudWatch Events.

And again, CloudWatch Events in your exam is going to be the bread and butter of all automation, because we can set any kind of rule. So if we go to Events, then Rules, and create a rule, we can see that Config (just type config) is available as a service name, and the event types you can have are configuration item change, Config rules compliance change, Config rules re-evaluation status, and so on. So for example we can pick Config Rules Compliance Change, which fires whenever the compliance of something changes, and then you can say what kind of message type, so ComplianceChangeNotification, and which rule.

So we can specify the rule name here. We could say my custom rule is what I want to get notified on, or you can say any rule name. Then the resource types, if you wanted to get only EC2 instances, or any resource type, and then specific resource IDs if you wanted to. So this rule right here is saying: whenever there is a Config rule compliance change for the config rule named my custom rule, send me an event. There’s no sample event here. And then we can add a target, for example: if there is a compliance change for this custom rule, then invoke a Lambda function and choose a Lambda function, or start a Step Functions state machine.

Or maybe run an SSM automation document, or maybe just do some EC2 action such as terminating an instance, and so on. So you’re really free to do any kind of integration here. But the idea is that, using CloudWatch Events, you are able to filter the kind of notifications that SNS would send as a whole, choose the ones you need, and then invoke the right targets. This is something the exam will definitely test you on. So make sure to remember that CloudWatch Events can be used with Config to automate and react to rules being non-compliant. Finally, this use case of using Config to remediate non-compliant resources is so common that, as of March 12, 2019, there is now a remediation capability within AWS Config rules.

So if you go to a specific rule, for example my custom rule, and edit this rule, I’m able to scroll down, and as you can see here there’s a remediation action, and it’s achieved using SSM automations. You can say what automation you want to happen as a remediation. You can choose from a set of AWS recommended remediation actions, or you can do your own custom remediation actions that you would need to define in SSM first. This is a newer feature and it may be in the exam already. So you can say, okay, here’s a remediation action.

For example, I’m saying you need to create a snapshot; maybe this is when an EBS volume is not correctly tagged and you just need to shut it down. So select create a snapshot and enable auto remediation. You can say how many times to retry and within how many seconds (the rate limiting), the resource ID parameter, and more parameters if you wanted to, using this value. So this allows you to use SSM directly within AWS Config to remediate any resource that is non-compliant. This can be really helpful, but it’s not as wide in scope as it is with CloudWatch Events, because with CloudWatch Events you have the possibility of invoking any of these targets and you’re a bit more free around what to do.

But the good thing about this remediation action is that it’s deeply integrated with Systems Manager automations and it’s also within the AWS Config feature itself, which is quite nice when you want to reason about it instead of having some external CloudWatch Events rules, but both are definitely possible to achieve the same kind of goal. So all these things together allow you to automate what happens in your AWS Config environment, audit your resources over time, and react and remediate on top of these compliance issues. That is a key point of the exam. So hopefully you can remember that, and I will see you in the next lecture.
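To make the CloudWatch Events filtering concrete, here is an added example (not code from the lecture or from AWS) that applies an event pattern like the console rule above to constructed Config compliance-change events and decides which remediation target would be invoked. It assumes the documented "Config Rules Compliance Change" event layout; the matcher is a simplified re-implementation of the rule engine’s exact-match semantics, not the real engine, and the SSM document names and parameter keys in `REMEDIATIONS` are illustrative.

```python
"""Filter AWS Config compliance-change events the way a CloudWatch Events
(EventBridge) rule does, then pick the remediation target to invoke.

Added example; not code from the lecture or from AWS. Assumptions: the event
layout follows the documented "Config Rules Compliance Change" event, the
matcher is a simplified re-implementation of the rule engine's exact-match
semantics, and the SSM document names / parameter keys in REMEDIATIONS are
illustrative (check them in your own account before relying on them).
"""

# Event pattern equivalent to the console rule in the lecture ("Config rule
# compliance change" for the rule named my-custom-rule), narrowed to
# transitions into NON_COMPLIANT so we never remediate a resource that has
# just become compliant.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": ["my-custom-rule"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

# Hypothetical routing table: resource type -> (SSM automation document,
# name of the document parameter that receives the resource ID).
REMEDIATIONS = {
    "AWS::EC2::Volume": ("AWS-CreateSnapshot", "VolumeId"),
    "AWS::EC2::Instance": ("AWS-StopEC2Instance", "InstanceId"),
}


def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics.

    Every key in the pattern must exist in the event. A list leaf matches when
    the event value (or any element, if the event value is itself a list) is
    one of the listed values; a dict leaf is matched recursively.
    """
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif isinstance(allowed, list):
            candidates = value if isinstance(value, list) else [value]
            if not any(c in allowed for c in candidates):
                return False
        else:
            raise TypeError(f"pattern leaf for {key!r} must be a list or dict")
    return True


def plan_remediation(event):
    """Return (document, parameters) for a matching event, else None.

    Resource types with no mapped document go to a manual-review target rather
    than being dropped: a non-compliant resource the automation cannot fix
    still needs a human to look at it.
    """
    if not matches(EVENT_PATTERN, event):
        return None
    detail = event["detail"]
    mapped = REMEDIATIONS.get(detail["resourceType"])
    if mapped is None:
        return ("manual-review", {"resourceType": detail["resourceType"],
                                  "resourceId": detail["resourceId"]})
    document, param = mapped
    return (document, {param: detail["resourceId"]})


def make_event(rule_name, compliance, resource_type="AWS::EC2::Volume",
               resource_id="vol-0123456789abcdef0"):
    """Build a constructed sample event in the Config compliance-change shape."""
    return {
        "version": "0",
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "account": "111122223333",      # constructed account ID
        "region": "eu-west-1",
        "detail": {
            "messageType": "ComplianceChangeNotification",
            "configRuleName": rule_name,
            "resourceType": resource_type,
            "resourceId": resource_id,
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


if __name__ == "__main__":
    samples = [
        make_event("my-custom-rule", "NON_COMPLIANT"),
        make_event("my-custom-rule", "COMPLIANT"),
        make_event("some-other-rule", "NON_COMPLIANT"),
        make_event("my-custom-rule", "NON_COMPLIANT", "AWS::S3::Bucket", "my-bucket"),
    ]
    for ev in samples:
        d = ev["detail"]
        print(d["configRuleName"], d["newEvaluationResult"]["complianceType"],
              "->", plan_remediation(ev))
```

Only the first and last sample events produce a plan: the COMPLIANT transition and the event for a different rule are filtered out exactly as the CloudWatch Events rule would filter them before any target is invoked. In a real deployment the pattern lives in the rule and `plan_remediation` would be the body of the Lambda target.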

14. Config – Multi Account

Okay, so finally, because Config is such an important service, and you want to monitor all your resources across all your accounts and all your regions in one place, there’s this concept of multi-account, multi-region data aggregation, and it’s called an aggregator. It allows you to connect multiple accounts, multiple regions, even an organization as part of AWS Organizations, to aggregate all their data into an aggregator. You get an aggregated view where you can see all the compliant and all the non-compliant rules for each aggregator. So this is really important. Let’s see how we can set this up very quickly.

If you go into Config, the first thing you need to do is go to Aggregated view. Let’s assume this is the aggregation account, the aggregator account. So I do Add aggregator, and I say, okay, allow Config to replicate data from source accounts into an aggregator account; this would be kind of your master account. Then you set the aggregator name, so my demo aggregator. Then you select the source accounts: individual account IDs or my organization altogether. I say, for example, individual account IDs, and then the regions you want to monitor. So you would allow all these regions together.

You could also include future AWS regions that would be supported by Config. Then you click on Save. So you obviously need to add some account number. Let’s just add this one account number: you would go to your Support page, get the account number, and then add the source accounts in here. Excellent. We have one account being monitored by this aggregator. I’ll click on Save, and this is my aggregator. Then, for the source account (imagine you have multiple accounts), for each single account you need to go to Authorizations and click on Add authorization. You need to specify the account number of the aggregator account and then the region that the aggregator is in, for example Ireland.

We add an authorization, and we’ve just added this authorization. You would need to do so in every single region where you have Config enabled. So in each region you would enable Config and add this authorization. At the end of the day, your aggregator will start to show an aggregated view and so on. This can take a little bit of time, obviously, but this gives you the idea that behind Config you have this really nice multi-account, multi-region data aggregation support. This is something that can come up, because multi-region and multi-account is something the DevOps exam will test you on. Okay, well, that’s it for this lecture. I will see you in the next lecture. Bye.
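The two-sided setup above (the aggregator lists source accounts and regions; every source account authorizes the aggregator account and region in each region where it runs Config) is easy to get partly wrong, and a missing or wrong-region authorization simply shows up as silence in the aggregated view. The following added example (not code from the lecture or from AWS) computes which (account, region) pairs still lack a matching authorization. All inputs are constructed dicts; with the AWS CLI or boto3 you would fill them from `describe-configuration-aggregators` in the aggregator account and `describe-aggregation-authorizations` in each source account and region.

```python
"""Check that every (source account, region) pair an AWS Config aggregator
expects has a matching aggregation authorization on the source side.

Added example, not code from the lecture or from AWS. The inputs below are
constructed; in practice they come from describe-configuration-aggregators
(aggregator account) and describe-aggregation-authorizations (each source
account, in each region).
"""

AGGREGATOR_ACCOUNT = "111122223333"   # constructed: the aggregation account
AGGREGATOR_REGION = "eu-west-1"       # Ireland, as in the walk-through

# What the aggregator was configured with (constructed).
AGGREGATOR_SOURCES = {
    "account_ids": ["444455556666", "777788889999"],
    "regions": ["eu-west-1", "us-east-1"],
    "all_regions": False,             # True = "include future regions" choice
}

# Authorizations as each source account holds them, per region:
# region -> source account -> set of (authorized account, authorized region).
# Constructed so that one account authorized the wrong region in us-east-1.
SOURCE_AUTHORIZATIONS = {
    "eu-west-1": {
        "444455556666": {(AGGREGATOR_ACCOUNT, AGGREGATOR_REGION)},
        "777788889999": {(AGGREGATOR_ACCOUNT, AGGREGATOR_REGION)},
    },
    "us-east-1": {
        "444455556666": {(AGGREGATOR_ACCOUNT, AGGREGATOR_REGION)},
        "777788889999": {(AGGREGATOR_ACCOUNT, "us-east-1")},   # wrong region
    },
}

# Constructed stand-in for the list of regions Config supports.
ALL_KNOWN_REGIONS = ["eu-west-1", "us-east-1", "us-west-2"]


def expected_pairs(sources, known_regions):
    """(account, region) pairs the aggregator will try to pull data from."""
    regions = known_regions if sources["all_regions"] else sources["regions"]
    return {(acct, region) for acct in sources["account_ids"] for region in regions}


def missing_authorizations(sources, authorizations, agg_account, agg_region,
                           known_regions=ALL_KNOWN_REGIONS):
    """Return sorted (account, region) pairs that will not be aggregated.

    A pair counts as authorized only when the source account, in that same
    region, granted exactly (agg_account, agg_region): authorizations are
    regional, and a grant naming the wrong aggregator region does not count.
    """
    missing = []
    for acct, region in expected_pairs(sources, known_regions):
        granted = authorizations.get(region, {}).get(acct, set())
        if (agg_account, agg_region) not in granted:
            missing.append((acct, region))
    return sorted(missing)


if __name__ == "__main__":
    gaps = missing_authorizations(AGGREGATOR_SOURCES, SOURCE_AUTHORIZATIONS,
                                  AGGREGATOR_ACCOUNT, AGGREGATOR_REGION)
    for acct, region in gaps:
        print(f"account {acct} has not authorized the aggregator in {region}")
```

With the constructed data, the only gap reported is account 777788889999 in us-east-1, whose authorization names the wrong aggregator region. Two caveats when you adapt this: when the source is an AWS Organization the per-account authorizations are not needed (the aggregator uses an organization role instead), and a source account that has no Config recorder in a region has nothing to send even if the authorization is present.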

15. Service Catalog – Overview

So let’s talk about a service that I think is minor for the exam but still very important for you to understand, which is AWS Service Catalog. Basically, when you are a new user you can go two ways. Either, like you, you want to learn, you take this course and you learn all about AWS, and you’re an expert after this, congratulations. Or you’re new to AWS and you don’t want to learn it properly, and you start creating stacks that are not compliant, that are not aligned with the rest of the organization, and you don’t exactly know what you’re doing. So this is too cumbersome for some users who are new to AWS, to start creating stuff on the fly.

Some users just want a quick self-service portal. That’s what you have to remember: it’s self-service. This self-service portal only allows you to launch a set of authorized products that have been predefined by administrators (the administrator is you). So what can these products be? Well, it could be a virtual machine that is properly configured with way fewer options, a database, maybe some storage option, et cetera. And so this is where Service Catalog comes in. Service Catalog is actually very simple: it basically restricts the options offered to users.

So here’s what it looks like. As an admin we’re going to create a product, and a product is a CloudFormation template, but it’s called a product here. Then we’re going to create a portfolio, which is a collection of products. The product can be whatever you want: it could be a stack, it could be a database, it could be EC2. Then we’re going to apply control: for our users we can apply IAM permissions only allowing them to access specific portfolios. Then, as a user, we are presented with a product list directly on the self-service portal, and this is basically all the stuff that IAM authorizes us to do.

Then we just choose the product we want to launch. We launch it, we parameterize it, and then all of a sudden we get provisioned products which are ready to use, properly configured and properly tagged, and this is exactly what we want to target. So for a user it’s actually very simple: we just get a product list and say, okay, do you want to launch a database, an EC2 instance, or maybe something else? Launch it, and here we go, it’s provisioned. The reason we would do this is that we restrict the amount of knowledge users need to have.

They just get a product list and a few parameters, and then they’ll launch it correctly. So Service Catalog basically allows us to create and manage catalogs of IT services that are approved internally by our organization on AWS. These products are super easy to make: they’re CloudFormation templates. So you can go as crazy as you want; you can create very complex ones or very simple ones. For example, they can be virtual machine images, servers, software, databases, regions, IP address ranges, whatever you want.

The idea is that we use CloudFormation so we can ensure consistency and some form of standardization. Now, all these products will be assigned to portfolios, and portfolios can be seen as a team, for example, and the teams will be presented with a self-service portal, as we’ll see in a second, where they can launch the products, and all the products will be managed through this Service Catalog UI. The reason you would use this is for enhanced governance, compliance and consistency. And, as I said, finally our users can get access to launching products without requiring deep AWS knowledge.

And there is integration with self-service portals such as ServiceNow, if you’re familiar with it. So this is the scope of Service Catalog at a high-level overview: it’s a self-service portal where we can only launch predefined services defined by admins, you need to remember it’s self-service, and it can integrate with self-service portals such as ServiceNow, etc. In the next lecture I just want to show you how it works, to make things a little bit more concrete. But don’t sweat it, this is actually a very minor service for the exam.

16. Service Catalog – Hands On

So let’s get started with Service Catalog. I’ll just search for Service Catalog. Here we go. Click on it, and as we can see, we are directly on a UI that is literally a service catalog. We get the logo AWS Service Catalog right here and we can get the product list, the portfolio list, etc. So let’s do something pretty cool at first: we’re going to change things. We’re going to change the logo, and I want to use the logo of my company. Maybe I also want to change the primary color to something like blue; I’ll just use the blue of my company. Here we go, and Apply. So this is literally to show you that it is a service catalog, and you can brand it however you want.

So for whoever you work for, you can brand Service Catalog and make it look like it’s yours. Now, as an admin we’re going to be able to see provisioned products and portfolios, whereas as a user we can see the product list and the provisioned product list. So let’s get started. As an admin I’m going to click on Product list and I want to upload a new product. Let me just close these prompts. Here we go. This product is going to be called My Stack; it could be whatever you want. Say this is an example product, provided by, so you can say whoever provided this; it could be an admin, it could be Stephane.

If there is a vendor, you can even set the vendor right here, but this is not a mandatory field. Click on Next, and here we can enter an email contact for support if you wanted to; this is not something you have to do. Then a support link for this product and the support description, but we don’t need this. Finally we need the version details, so we can upload a template file. Here I’m going to click on Choose file, and in my code there is a service catalog folder; I’ll select the LAMP stack. This is just the stack we’ve launched before in CloudFormation, which contains just a LAMP stack, very quickly made, and that’s a template from AWS.

Okay, the version title I’ll call v1.0, and we can say first version as the description. Click on Next, and now we’re done. We can review everything: we have our stack, this is an example product, it’s provided by me, here is my contact for support, and here is my version source and my version title and everything. This is perfect. I’ll create this product, and now we have our first product being created called My Stack. It will appear after a few seconds. Here it is. Okay, now we have to assign this product to a portfolio. So as an administrator, I’m going to create a portfolio and I’ll call it my web devs. This is for my web developers, so it’s a portfolio of apps for my web developers, and the owner again is going to be myself.

So I click on Create, and now in this portfolio I’m going to be able to add products to it. I can click on Add product and pick My Stack. Click on My Stack and add the product to the portfolio. Okay, excellent. So now in this portfolio, my web devs, we start having some products. If I refresh, as we can see, My Stack is now there. And here, if we wanted to, we could add some users to be able to do stuff on our portfolio. So this is where we can set up some users. We could set up some constraints on the way the products are launched by users, but more importantly, we can assign users, groups and roles to be able to use this portfolio. So I click on Add user, group or role.

In here I’m able to say, okay, my admins, and maybe the user Stephane, and maybe some roles if you wanted to, are able to access this portfolio. So I click on Add access, and here we go. Now my users, groups and roles can successfully access all the products within this portfolio. Okay, so how does it work now? I have to switch accounts, so I’m going to log in as my user Stephane. For this I go to the sign-in page for my users. Here’s my account ID, I have an IAM username that I’ve created before, and the password, and I just click on Sign in. So I’m now signed in and I can go to my Service Catalog, and in there, in my portfolio, just make sure you are in the right region.

By the way, in my product list on the top left-hand side, as a user I’m able to see My Stack, which was assigned as something I can create. So I can click Launch product. Here I say what I want to launch: let’s say my stack launched, and I’ll just not include any spaces. I will select version v1.0 and launch it as whichever option you want; they’re probably the same because I added the same user twice. Anyway, we’ll just launch this one. Click on Next. The parameters are whatever parameters I want to set for my stack, just like the CloudFormation parameters before.

So here the key name for my EC2 instances is going to be my key pair. My database password is going to be password. My SSH location is going to be from anywhere. My database is my database, the database user I’ll call Stephane, and the root password is going to be password. This looks good. Then the instance type is going to be a t2.micro. Here we go. Click on Next, and Next; here we could have added some tag options if we wanted to. Next, and then Next. Here we go, this looks just like CloudFormation. Click on Next, and basically what we’ve done is provision this internal application directly through this self-service portal.

So this is just like a CloudFormation template; it will get launched, and what we get as a result is how we can use that product directly. So think of the possibilities you have when you have some users who don’t need to know AWS, but just need to launch CloudFormation templates on demand. This is how they would do it, through Service Catalog. So now I have to wait for my stack to be created; I’ll just wait a little bit. Now my stack has succeeded, the status is Succeeded, and if we scroll down we can see that there is a website URL we can access directly. That’s the outputs straight from my CloudFormation template.

So this is why outputs are super important when you start using Service Catalog. Here we go, I can start using my LAMP stack and do whatever I want with it if I wanted to, but I don’t have to. So that’s it; that’s how Service Catalog works. If you wanted to stop using this application, you would click on Terminate and it will go ahead and terminate the entire application stack. So that’s it, you’ve seen Service Catalog. Just remember it’s literally a service catalog: you create portfolios and products, and then you allow users to provision them, and that’s it. I will see you in the next lecture.
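Because the end user only ever sees the parameter form and the outputs, the product template decides how safely the launch goes: a database password parameter without `NoEcho` is shown in the stack details, an undocumented parameter is just a bare name in the form, a `0.0.0.0/0` SSH default opens the stack to the internet unless the user thinks to change it, and a template without `Outputs` leaves the user with nothing to connect to. The following added example (not code from the lecture or from AWS) lints a template for those points before it is uploaded as a product. The template is a constructed, trimmed stand-in for the LAMP sample, not the real file.

```python
"""Lint a CloudFormation template before uploading it as a Service Catalog
product, catching what bites self-service users: parameters without
descriptions, secret-looking parameters without NoEcho, wide-open default
CIDRs, free-form strings with no constraints, and a missing Outputs section.

Added example, not code from the lecture or from AWS. SAMPLE_TEMPLATE is a
constructed, trimmed stand-in for the LAMP sample template.
"""
import json

SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "KeyName": {"Type": "AWS::EC2::KeyPair::KeyName",
                    "Description": "EC2 key pair for SSH access"},
        "DBPassword": {"Type": "String", "NoEcho": True, "MinLength": 8},
        "DBRootPassword": {"Type": "String", "MinLength": 8,
                           "Description": "MySQL root password"},
        "SSHLocation": {"Type": "String", "Default": "0.0.0.0/0",
                        "Description": "CIDR range allowed to SSH"},
        "InstanceType": {"Type": "String", "Default": "t2.micro",
                         "AllowedValues": ["t2.micro", "t2.small"]},
    },
    "Resources": {
        "WebServer": {"Type": "AWS::EC2::Instance",
                      "Properties": {"InstanceType": {"Ref": "InstanceType"},
                                     "KeyName": {"Ref": "KeyName"}}},
    },
    "Outputs": {
        "WebsiteURL": {"Description": "URL of the LAMP stack",
                       "Value": {"Fn::Sub": "http://${WebServer.PublicDnsName}"}},
    },
})

# Parameter-name fragments that indicate a secret value.
SECRET_HINTS = ("password", "secret", "token")


def lint_product_template(template_json):
    """Return a list of findings; an empty list means the template passed."""
    template = json.loads(template_json)
    findings = []
    for name, spec in template.get("Parameters", {}).items():
        looks_secret = any(h in name.lower() for h in SECRET_HINTS)
        if looks_secret and not spec.get("NoEcho"):
            findings.append(f"{name}: secret-looking parameter without NoEcho "
                            "(value is visible in stack details)")
        if "Description" not in spec:
            findings.append(f"{name}: no Description; end users only see the "
                            "parameter name in the launch form")
        if spec.get("Default") == "0.0.0.0/0":
            findings.append(f"{name}: default 0.0.0.0/0 exposes the stack to "
                            "the whole internet unless the user changes it")
        constrained = any(k in spec for k in ("AllowedValues", "AllowedPattern",
                                              "Default"))
        if spec.get("Type") == "String" and not looks_secret and not constrained:
            findings.append(f"{name}: free-form String with no AllowedValues, "
                            "AllowedPattern or Default")
    if not template.get("Outputs"):
        findings.append("no Outputs section; users get nothing to connect to "
                        "after provisioning")
    return findings


if __name__ == "__main__":
    for finding in lint_product_template(SAMPLE_TEMPLATE):
        print("-", finding)
```

On the constructed template this reports four findings (DBPassword lacks a description, DBRootPassword lacks NoEcho, SSHLocation defaults to 0.0.0.0/0, InstanceType lacks a description), which is exactly the list an admin would want to clear before assigning the product to a portfolio. Launch constraints and tag options in Service Catalog can then enforce what the template itself cannot.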
