Managing Content

CloudFormation

Description

• Allows to deploy/modify/update resources, applying version control to AWS infrastructure
• Use Cases
  • Quickly launch new test environments
  • Realiably replicate configuration between environments
  • Launch apps in new AWS regions
• Security
  • How to implement the principle of least privilege with CloudFormation StackSets

Components

Component	Description
TEMPLATE	Define resources and properties (JSON)
STACK	Manage collection of resources Parameters to handle variables Change Set: modify existing stack's template No deletion policy → resource deleted by default If resource can't be deleted → stack not deleted Access Control You can assign a service role, if you can iam:PassRole Anyone who can operate on that stack can leverage that role's permissions Even if they can't run it, they could modify it then someone else runs it Otherwise the user/role that is using the stack needs to have permission to perform all the operations
STACKSETS	Access Control Custom administration role, with identity policies that constrain iam:PassRole for that role to control who can use it Custom execution role, with limits on what resources it has action to, and a trust policy for specific administration role(s) in the admin account

---

Elastic Beanstalk

Description

• Developers can upload their application code, and the service automatically handles
  • Resource provisioning
  • Load balancing
  • Autoscaling
  • Monitoring
• Does retain full control over AWS resources
  • EC2 instance type
  • DB & storage options
  • Enable login access to EC2
  • Enable HTTPS on the load balancer
  • App server settings
  • Autoscaling settings

Components

Component	Description
APPLICATION	Logical collection of Beanstalk components (~folders): envs, versions, configs
APP VERSION	Specific, labeled iteration of deployable code, which points to an S3 bucket containing deployable code
ENVIRONMENT	App version that is deployable onto AWS resources Each environment runs only a single app version at a time
ENVIRONMENT CONFIGURATION	Collection of parameters

Supported

Languages	Java, PHP, Ruby, NodeJS, Python, Go
Web Containers	Tomcat, Passenger, Puma, Docker

---

Service Catalog

Create and manage catalogs of IT services that are approved for use on AWS

Components

• Portfolio: collection of catalogs
• Catalogs: collection of products
• Product: CloudFormation template

Characteristics

• Portfolios can be shared across accounts
• Access
  • Admin access control is via IAM
  • User access control is initially via IAM (ServiceCatalogEndUserAccess needed to use Service Catalog)
  • It doesn't support resource-level permissions nor resource-based policies
  • Portfolio access is managed within Service Catalog by associating IAM users/groups/roles with a Portfolio
• Launch role: a role that is used to run the templates, instead of the user having the necessary permissions

---

CodeArtifact

General Info

• Artifact management service for software development
• Securely store and share the software packages used in their development, build, and deployment processes
• Supported: Maven and Gradle (for Java), npm and yarn (for Javascript), and pip and twine (for Python)