Management Tools for AWS

These are my notes and thoughts on management tools for AWS.


AWS Management Console

The AWS Management Console is the main resource where you can control all of your services and perform any operations. To access the console, go to https://console.aws.amazon.com and log in with your credentials. The console has menus that lead to each of the many services. On any screen, the upper right corner of the console has a dropdown menu for changing the region you are viewing. For services that are global in nature, you will not see regions displayed within that service's dashboard. 

 

As you are learning about the AWS core services, keep track of which ones are global in nature and not bound to regions. Many services are offered at a global level, and no selection or configuration in regard to regions or availability zones is necessary.

 

AWS CLI

The AWS command line interface provides a way to manage AWS services and perform many administrative functions without having to use the web based management console. Through the use of the command line interface, users can also script and automate many functions through whatever programming language they are familiar with or desire to use for automation. Each AWS service has command line interface commands that are pertinent to it and can be found in the AWS documentation. 

 

Developer Tools

AWS CodeBuild is a fully featured code building service that will compile and test code as well as build deployment packages that are ready to be deployed. CodeBuild is a fully managed service that will automatically scale to the needs of developers, alleviating their need to manage and scale a build system. 

 

AWS CodeCommit is a managed service for secure Git repositories. With the popularity of Git for code versioning, the AWS service allows users to be up and running quickly and in a secure environment, without having to configure and manage their own repository systems. It will automatically scale to the needs of users and is completely compatible with any tools and software that have Git capabilities.

 

AWS CodeDeploy is a managed deployment service that can deploy code fully across AWS services or on-premises servers. The service is designed to handle complex deployments and ensure that all pieces and configurations are properly deployed, allowing a savings in time spent on verification after rollouts. It will fully scale to any resources that are needed.

 

Configuration Management

AWS Systems Manager allows you to consolidate data from AWS services and automate tasks across all of your services. It allows for a holistic view of all of your services, while also allowing you to create logical groups of resources that can then be viewed in a consolidated manner. Within Systems Manager there are many components that allow you to perform different administrative tasks. 

 

OpsCenter provides a consolidated view for developers and operations staff to view and investigate any operational issues. Data from many different resources is centralized in one place. It allows for a quick view of your entire environment and helps diagnose problems as quickly as possible. 

 

Explorer is a customizable dashboard that provides information on the health of your entire AWS environment and can consolidate data spanning multiple accounts and regions. 

 

AWS AppConfig provides an API and console method for applying configuration changes across AWS services from a centralized service. This is done in much the same way code is deployed out to multiple locations. AppConfig can quickly deploy configuration changes to different instances of compute services and ensure they are applied in a uniform and consistent manner.

 

Resource Groups allow for logical grouping of resources within AWS for how they are presented within Systems Manager. This allows a user to group services by application, department, tier, or any other manner they find useful, rather than looking at all resources collectively.

 

Keep in mind the concept of resource groups, especially with large deployments within AWS. The use of resource groups can help segment services to specific applications and groups and assist with monitoring your services within AWS.

 

Global Infrastructure

AWS runs a very large cloud infrastructure that is distributed throughout the world. This network is divided into different geographically based segments, such as regions and availability zones. AWS also runs a network of edge locations throughout the world that serve a portion of AWS services and are optimized for low latency and responsiveness to requests.

 

AWS organizes resources throughout the world in regions. Each region is a group of logical data centers called Availability Zones. While each region may seem like it is a data center or physical location, it is actually a collection of independent data centers that are grouped and clustered together, providing redundancy and fault tolerance.

 

When you provision resources within AWS, they can exist in only one region and are hosted on the physical hardware present at it. That does not mean you cannot replicate instances and virtual machines across multiple regions and around the world, but each individual instance only exists in one region. 

 

Core AWS Services

AWS offers a large number of core services that are widely used and well known throughout the world. It offers robust monitoring and auditing tools that span the breadth of all AWS service offerings. Monitoring systems are designed to collect and consolidate event data and auditing information from any services allocated under your account and provide them to you from a uniform and centralized dashboard. 

 

CloudWatch is the AWS service for monitoring and measuring services running within the AWS environment. It provides data and insights on application performance and how it changes over time, on resource utilization, and a centralized and consolidated view of the overall health of systems and services. It is very useful to developers, engineers, and managers. Within any IT system, large amounts of data are produced in the form of system and application logs, as well as performance data and metrics. 

 

Across large systems, this results in a large amount of data coming from many different sources. That poses considerable challenges at every level, from anyone looking to synthesize the data into a picture of system health and performance, down to developers looking for specific events or occurrences within applications.

 

CloudWatch collects and consolidates all of this data into a single service, making it much easier and more efficient to access. With this consolidation, developers and managers can see a picture of their overall systems and how they are performing, rather than looking at individual systems or components of systems separately. 

 

CloudTrail is the AWS service for performing auditing and compliance within your AWS account. It pairs with CloudWatch to analyze all of the logs and data collected from the services within your account, which can then be audited and monitored for all activities performed by users and admins within your account. This enables a full compliance capability and will store a historical record of all account activities. Should any investigation become necessary, all of the data is preserved and easily searchable. 

 

CloudTrail will log all account activities performed, regardless of the method through which they are done. It logs all activity through the management console, the command line interface, and any API calls that are made, along with the originating IP address and the date and time of each call. If unauthorized changes are made, or if a change causes a disruption in services or system problems, the logs and reports available enable an admin to quickly determine what was done and by whom.
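The triage described above, as an added example that is not part of these notes: a small Python routine that walks CloudTrail records and answers "what was changed, by whom, from where, and when". The records are constructed samples; only the field names (eventTime, eventName, eventSource, sourceIPAddress, userIdentity, errorCode) are the standard ones CloudTrail writes, and the HIGH_RISK shortlist is this example's own assumption about which calls an investigator would look at first.

```python
# Added example, not from the original notes: triage constructed CloudTrail
# records for "what was done, by whom, from where, and when".
import json
from collections import Counter

# Constructed sample of one CloudTrail log file body (a "Records" array).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-15T10:05:42Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-15T11:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2024-01-15T11:31:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
]})

# Read-only calls are skipped by prefix; HIGH_RISK is an assumed shortlist of
# calls that weaken logging or access control and deserve a first look.
READ_PREFIXES = ("Get", "List", "Describe")
HIGH_RISK = {"StopLogging", "DeleteTrail", "DeleteUser", "AuthorizeSecurityGroupIngress"}

def actor(record):
    """Short 'who' string from the userIdentity block (user name, role ARN, or type)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def triage(log_text):
    """Return (changes, denied, high_risk, per_ip) for one CloudTrail log body:
    successful mutating calls, refused calls (errorCode present), the HIGH_RISK
    subset of the changes, and a Counter of mutating calls per source IP."""
    changes, denied, high_risk, per_ip = [], [], [], Counter()
    for r in json.loads(log_text)["Records"]:
        name = r["eventName"]
        if name.startswith(READ_PREFIXES):
            continue  # GetObject and friends are noise for a change investigation
        when, who, ip = r["eventTime"], actor(r), r.get("sourceIPAddress", "?")
        if "errorCode" in r:
            denied.append((when, who, name))  # attempted but refused by IAM
            continue
        changes.append((when, who, ip, name))
        per_ip[ip] += 1
        if name in HIGH_RISK:
            high_risk.append((when, who, ip, name))
    return changes, denied, high_risk, per_ip
```

On the sample, the refused DeleteUser shows up under denied (still worth knowing who tried), while StopLogging by the root user from a second IP lands in high_risk, which is the kind of event an admin would chase first.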

 

AWS Shield

AWS Shield provides protection from and mitigation of DDoS attacks on AWS services. It is always active and monitoring services, providing continual coverage without needing to engage AWS support for assistance should an attack occur. It comes in two service tiers, Standard and Advanced. Standard coverage is provided at no additional charge and is designed to protect against common DDoS attacks, especially for any accounts utilizing CloudFront or Route 53. It will protect websites and applications from the most frequently occurring attacks and virtually all known layer 3 and layer 4 attacks against CloudFront and Route 53.

 

AWS WAF

AWS WAF is a web application firewall that protects web applications against many common attacks. It comes with an array of preconfigured rules from AWS that offer comprehensive protection based on the common top security risks, but you also have the ability to create your own rules. The WAF includes an API that can be used to automate rule creation and the deployment of rules to your allocated resources. Also included is a real-time view into your web traffic that you can then use to automatically create new rules and alerts. It is included at no additional cost for anyone who has purchased the AWS Shield Advanced tier. If you are not utilizing the Shield Advanced tier, you can use AWS WAF separately and will incur costs based on the number of rules you create and the number of requests they inspect. Remember the difference between Shield and WAF: Shield operates at the layer 3 and 4 network levels and is used to prevent DDoS attacks, whereas WAF operates at layer 7 and can take action based on the specific contents of web traffic and requests.