
Managing Content




Component: Description
TEMPLATE: Define resources and properties (JSON)
  • Manage collection of resources
  • Parameters to handle variables
  • Change Set: modify existing stack's template
  • No deletion policy → resource deleted by default
  • If resource can't be deleted → stack not deleted
  • Access Control
    • You can assign a service role to a stack if you have the iam:PassRole permission
      • Anyone who can operate on that stack can leverage that role's permissions
      • Even if they can't run it, they could modify it and then someone else runs it
    • Otherwise, the user/role that is using the stack needs to have permission to perform all the operations
  • Access Control
    • Custom administration role, with identity policies that constrain iam:PassRole for that role to control who can use it
    • Custom execution role, with limits on which resources it can act on, and a trust policy for specific administration role(s) in the admin account
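
The constraint on iam:PassRole described above can be checked mechanically. The following is an added example, not part of the original notes: it flags identity-policy statements that allow iam:PassRole on wildcard resources or without an iam:PassedToService condition. The account ID, the role name cfn-deploy-role and the function names are assumptions made for illustration.

```python
import fnmatch

# Constructed sample identity policies; account ID and role name are placeholders.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:*", "iam:PassRole"], "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::111122223333:role/cfn-deploy-role",
    "Condition": {"StringEquals": {
        "iam:PassedToService": "cloudformation.amazonaws.com"}}}}

def _as_list(value):
    # IAM allows a single value wherever a list is accepted.
    return value if isinstance(value, list) else [value]

def _matches_passrole(patterns):
    # Action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase("iam:passrole", p.lower()) for p in _as_list(patterns))

def _grants_passrole(stmt):
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:  # allows everything except the listed actions
        return not _matches_passrole(stmt["NotAction"])
    return _matches_passrole(stmt.get("Action", []))

def passrole_findings(policy):
    """Return (statement index, issue) pairs for over-broad iam:PassRole grants."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if not _grants_passrole(stmt):
            continue
        # A statement using NotResource instead of Resource is treated as broad.
        resources = _as_list(stmt.get("Resource", "*"))
        if any("*" in r or "?" in r for r in resources):
            findings.append((i, "wildcard-resource"))
        condition_keys = {key.lower() for operator in stmt.get("Condition", {}).values()
                          for key in operator}
        if "iam:passedtoservice" not in condition_keys:
            findings.append((i, "no-service-condition"))
    return findings

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, passrole_findings(policy))
```

The check only confirms that an iam:PassedToService condition is present; it does not validate the service value or evaluate Deny statements.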

Elastic Beanstalk

  • Developers can upload their application code, and the service automatically handles
    • Resource provisioning
    • Load balancing
    • Autoscaling
    • Monitoring
  • Developers retain full control over the AWS resources
    • EC2 instance type
    • DB & storage options
    • Enable login access to EC2
    • Enable HTTPS on the load balancer
    • App server settings
    • Autoscaling settings


Component: Description
APPLICATION: Logical collection of Beanstalk components (~folders): envs, versions, configs
APP VERSION: Specific, labeled iteration of deployable code, which points to an S3 bucket containing deployable code
  • App version that is deployable onto AWS resources
  • Each environment runs only a single app version at a time
ENVIRONMENT CONFIGURATION: Collection of parameters


Languages: Java, PHP, Ruby, NodeJS, Python, Go
Web Containers: Tomcat, Passenger, Puma, Docker

Service Catalog

Create and manage catalogs of IT services that are approved for use on AWS

  • Portfolio: collection of catalogs
  • Catalogs: collection of products
  • Product: CloudFormation template
  • Portfolios can be shared across accounts
  • Access
    • Admin access control is via IAM
    • User access control is initially via IAM (ServiceCatalogEndUserAccess needed to use Service Catalog)
    • It doesn't support resource-level permissions nor resource-based policies
    • Portfolio access is managed within Service Catalog by associating IAM users/groups/roles with a Portfolio
  • Launch role: a role that is used to run the templates, instead of the user having the necessary permissions


General Info
  • Artifact management service for software development
  • Securely store and share the software packages used in their development, build, and deployment processes
  • Supported: Maven and Gradle (for Java), npm and yarn (for JavaScript), and pip and twine (for Python)

Systems Manager (SSM)

General Info
  • Group resources of different types together based on a query (e.g. an application)
  • Inventory: applications, files, network configurations, Windows services, registries, etc.
  • Many features require the Agent installed
    • EC2 instances need an instance profile for a role that has the necessary permissions to allow the agent to interact with SSM


Run Command
  • Manages a fleet of EC2 instances at scale, without having to log in to each instance
  • Commands can be applied to a group of systems based on AWS instance tags or by selecting manually
  • SSM agent needs to be installed on all your managed instances
  • Integrations
    • Logs via CloudTrail
    • Can be triggered by CloudWatch Events
Session Manager
  • Browser-based shell w/ IAM & CloudTrail
  • Can log session data to S3 and/or CloudWatch Logs
Patch Manager
State Manager
  • Specify OS configuration, rollout schedule, compliance reporting
Parameter Store
  • Pass confidential information to EC2 as a bootstrap script
  • Types
    • String (plain text)
    • String List (plain text)
    • Secure String: encrypts data using KMS
  • Can be tagged + organized in a hierarchy
  • KMS for encryption (users need KMS permissions to use the corresponding CMK)

Secrets Manager

Service which securely stores, encrypts and rotates DB credentials and other secrets
  • Encryption in transit and at rest using KMS
  • Automatically rotates credentials
  • Apply fine-grained access control using IAM policies
  • Apps can make API calls to Secrets Manager to retrieve secrets programmatically
Secrets Manager vs. Parameter Store
  • Secrets Manager
    • Database credentials, API/SSH keys
    • Built-in integration with RDS (MySQL, PostgreSQL, Aurora)
    • Built-in rotation of RDS secrets, support for non-RDS using Lambda
    • Charged: $0.40 secret/pcm + $0.05 per 10,000 API calls
  • Parameter Store
    • Password, DB strings, license codes, parameter values, config data
    • User defined parameters
    • Values may be clear text or encrypted
    • No additional charge
    • Integrated with Secrets Manager