
Lab 1: Operational Excellence


© 2022 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.

Note: Do not include any personal, identifying, or confidential information into the lab
environment. Information entered may be visible to others.

Corrections, feedback, or other questions? Contact us at AWS Training and Certification.

Objectives
After completing this lab, you will be able to:

Use AWS Systems Manager according to the “Perform operations as code” design
principle.

You will create a Resource Group with two Amazon EC2 instances and use the “Run
command” option in SSM to install the Amazon CloudWatch agent for collecting logs and
getting some additional metrics.

You will be able to perform the following tasks:

Tag Amazon EC2 instances.
Create a Resource Group.
Use AWS Systems Manager for Amazon EC2 instances.
Install and Start Amazon CloudWatch agent with Systems Manager.
Validate custom metrics and log groups.

Prerequisites
This lab requires:

Access to a notebook computer with Wi-Fi and Microsoft Windows, Mac OS X, or Linux (Ubuntu, SuSE, or Red Hat)
The lab environment is not accessible using an iPad or tablet device, but you can use these devices to access the student guide.
For Microsoft Windows users: Administrator access to the computer
An Internet browser such as Chrome, Firefox, or IE9 (previous versions of Internet Explorer are not supported)
An SSH client such as PuTTY

Duration
This lab will require 60 minutes to complete.

Context

You are a Solutions Architect working for AnyCompany, a retail business. One of the main
apps for the company is a product catalog; a web application recently migrated to the
AWS Cloud from the on-premises environment. Even though the application is functional,
it is crucial to have an architecture with best practices applied, because the business is
growing. As part of the Well-Architected practitioners team, you are looking for an
architecture that meets the new performance requirements, mitigates risks, and saves
money. Automation is also a fundamental part of the solution.

The following is the initial architecture. Your mission is to improve upon it by applying
some of the Well-Architected principles, according to the company’s needs.

Architecture review

You proposed doing a Well-Architected Framework Review to better understand the current status and needs. After that review, you identified some insights, the most relevant of which are listed below:

1. Most of the operational tasks are performed manually. AnyCompany wants to automate the process to provide visibility into some important performance metrics, like memory or disk utilization. Additionally, centralized log monitoring for the DB and App is needed.

2. A highly available architecture is required for the product catalog application.

3. Security is a top priority. The more insights available related to this topic, the better.

4. They are not sure about the decision that they made when they chose a t2.micro
instance to run the application. Performance is something that they do not want to
sacrifice. AnyCompany people want to do some stress tests for the application,
especially because they are expecting an increase in the demand on the application
in the near future.

5. Cost matters. Some applications are not using approved instance types in accordance with AnyCompany’s architecture standard. This has been driving unnecessary cost due to over-provisioned resources in non-production environments.

The information above is your starting point to help enhance the architecture and achieve the organization's objectives. You may identify more opportunities for improvement in this architecture but, for the purposes of the workshop, focus only on these findings.

Target Architecture

After a Well-Architected Framework Review, you and AnyCompany have defined a target
architecture. This architecture will help you achieve their initial objectives. You are going
to utilize the five Well-Architected pillars to implement the following architecture:

Next you will start the first lab to get to that architecture and ensure AnyCompany
implements the appropriate solution according to Well-Architected best practices.

Scenario

The Operational Excellence pillar includes the ability to support development and run
workloads effectively, gain insight into their operations, and continuously improve
supporting processes and procedures to deliver business value.

Remember that one of the insights found in the Well-Architected Framework Review
(WAFR) was about the need to automate tasks. AnyCompany people are performing a
lot of operational tasks manually. One of the issues they mentioned was a lack of
visibility into important metrics like memory and disk utilization for the Amazon EC2
instances. They would like an automated process to get that information. Additionally,
they need a centralized log monitoring for the database and application instances.

Start lab
6. To launch the lab, at the top of the page, choose Start lab.

You must wait for the provisioned AWS services to be ready before you can continue.

7. To open the lab, choose Open Console.

You are automatically signed in to the AWS Management Console in a new web browser
tab.

Do not change the Region unless instructed.

Common sign-in errors

Error: You must first sign out

If you see the message, You must first log out before logging into a different
AWS account:

Choose the click here link.


Close your Amazon Web Services Sign In web browser tab and return to your
initial lab page.
Choose Open Console again.

Error: Choosing Start Lab has no effect

In some cases, certain pop-up or script blocker web browser extensions might prevent the
Start Lab button from working as intended. If you experience an issue starting the lab:

Add the lab domain name to your pop-up or script blocker’s allow list or turn it off.
Refresh the page and try again.

Task 1: Check the existing architecture
The product catalog is a core web application that was recently migrated from on-
premises to the AWS Cloud. Since it was migrated using a simple lift and shift process
into the AWS Cloud, this application consists of two Amazon EC2 instances, one for the
Web Server and other for the database (MariaDB). Users access the application via the
Internet.

Next you will review those instances:

8. In the AWS Management Console, choose the Services menu, and then choose
EC2. Alternatively, you can type the service name in the Search box to access the
service directly.

Note: Make sure that your AWS console session is in the Region that matches the value
of LabRegion to the left of these instructions. You must use the same Region
throughout the lab.

9. In the left navigation pane, in the Instances section, choose Instances.

You will see two EC2 instances, one for the web server and other one for the database:

Next, you will confirm that the Product catalog web application is running in the

instance.
10. In the instances list, choose wa-web-server.

The instance should appear in a Running state. The instance receives a public DNS name
that you can use to contact the instance from the internet.

11. In the Details tab, locate the Public IPv4 DNS section and copy the DNS address.

12. In a new browser tab’s address bar, type

, and then paste the DNS address you copied in the previous step. You should see
the following application screen:

Note: If you choose the open address link, your browser might try to browse the
application using

, and that won’t work. The application can only be accessed using
on port
.
13. Next, you will add at least 3 products to the list and, when complete, leave this
browser window open for later reference.

14. To add products to the database perform the following steps:

Enter a value in the Category field.

Enter a value in the Description field.

Enter a value in the Price field.

Choose the Update database button to insert the item.

Repeat these steps to insert as many items as desired.

Task 2: Tagging the EC2 instances

Amazon Web Services allows customers to assign metadata to their AWS resources in the form of tags.

Each tag is a simple label consisting of a customer-defined key and an optional value that
can make it easier to manage, search for, and filter resources.

Tags are a great way to organize AWS resources, establish governance, enforce
permissions, and they are critical to cost attribution for cost optimization.

15. Return to the AWS Management Console.

16. Make sure the instance

is selected.
17. Navigate to the Tags tab in the details panel below. Then, choose Manage Tags.

18. Using the Manage tags form, you are going to add 2 tags. These tags will be used later in the lab.

19. Choose the Add tag button as needed to enter the following two tags:

Tag 1: Key:
, Value:
.
Tag 2: Key:
, Value:
.

20. Next, select the

instance, and repeat the previous steps to add the same tags to the instance.
21. Choose Save when you are finished adding the tags.

Next, you will create a resource group.

Task 3: Creating a Resource Group

A resource group is a collection of AWS resources in the same AWS Region that match tag-based criteria provided in a search query.

A resource group can represent an application, a software component, a business unit, an environment, a team, or even an area of ownership.

You can use resource groups to perform bulk actions. For example, if you manage large
numbers of related resources, such as EC2 instances that make up an application layer,
you might need to perform bulk actions on these resources at one time.

Other examples of bulk actions include the following:

Applying updates or security patches.
Upgrading an application version.
Installing software (this is the action that we are going to perform in this lab).
Opening or closing ports to network traffic.
Collecting specific log and monitoring data.

22. In the AWS Management Console, choose the Services menu, and then choose
Resource Groups & Tag Editor. Alternatively, you can type the service name in
the Search box to access the service directly.

23. Choose Create a resource group.

24. For Group Type select Tag based.

Next, you will configure the Grouping criteria.

25. For Resource types, choose

.
26. For Tags, type

in the Tag key field, and


in the Optional tag value field.
27. Choose Add.

28. Add another tag:

with a value:
using the same steps.
29. Choose Preview group resources.

You will see both EC2 instances. Those instances will make up your Resource group.

30. For Group details enter:

Group name:
.
Group description:
.

31. Choose Create group.

Next, you will use AWS Systems Manager for your EC2 instances.

Task 4: Enabling Systems Manager for EC2 instances

AWS Systems Manager is a service you can use to view and control your infrastructure on AWS. AWS Systems Manager is the operations hub for AWS. Systems Manager provides a unified user interface so you can track and resolve operational issues across your AWS applications and resources from a central place.

AWS Systems Manager Agent (SSM Agent) is Amazon software that can be installed and
configured on an EC2 instance, an on-premises server, or a virtual machine (VM).
Systems Manager Agent makes it possible for Systems Manager to update, manage, and
configure these resources.

SSM Agent is preinstalled, by default, on the following Amazon Machine Images (AMIs):

Amazon Linux
Amazon Linux 2
Amazon Linux 2 ECS-Optimized Base AMIs
Ubuntu Server 16.04, 18.04, and 20.04

In this lab we will use Amazon Linux 2 AMIs. For manual installation of the SSM agent
review the following link:

Working with SSM Agent

Task 4.1: Reviewing the EC2 instance profile

By default, AWS Systems Manager doesn’t have permission to perform actions on your
instances. You can grant access by using an AWS Identity and Access Management (IAM)
role. With this IAM role information you can pass specific permissions to an Amazon
Elastic Compute Cloud (Amazon EC2) instance at launch.

You can access more information using the following link:

Create an IAM instance profile for Systems Manager

As part of this lab, an instance profile has been provisioned for you. You will use this
instance profile in the EC2 instances, but first you will review the permissions it will
provide to your instances.

32. In the AWS Management Console, choose the Services menu, and then choose
IAM. Alternatively, you can type the service name in the Search box to access the
service directly.

Note: You might see some warnings or error messages at the top of the screen. You can
ignore those.

33. In the left navigation pane, in the Access management section, choose Roles.

34. In the search box type

.
35. The search should return a single result. Choose the

link from the results.


36. In the Summary page you can access different details about the role. Notice how in
the Permissions tab, the role has two attached policies:

(AWS managed policy)


(AWS managed policy)

These two policies will allow AWS Systems Manager to communicate with the instances
as well as run certain configuration commands in them. Feel free to expand them to see
the details of the policy. You can do this by choosing the icon.

Next, you will update the EC2 instances so they use this role.

Task 4.2: Modifying EC2 instance profiles

37. In the AWS Management Console, choose the Services menu, and then choose
EC2. Alternatively, you can type the service name in the Search box to access the
service directly.

38. In the instances list, choose wa-web-server.

39. Next, choose Actions , Security, Modify IAM Role.

40. In the IAM role dropdown choose

.
41. Choose Save.

42. Repeat these steps on the

instance.

Next, you will Reboot both EC2 instances.

43. Ensure both instances are selected:

44. Next, choose Instance state , Reboot instance.

45. Choose Reboot.

Note: By rebooting the EC2 instances, you are ensuring that your instances will become
available in Systems Manager.

Task 4.3: Checking EC2 instances in Systems Manager

46. In the AWS Management Console, choose the Services menu, and then choose
Systems Manager. Alternatively, you can type the service name in the Search
box to access the service directly.

47. In the left navigation pane, in the Node Management section, choose Inventory.

48. Scroll down to the bottom of the page. In the Corresponding managed instances section, you will see your Amazon EC2 instances.

Now you can use Systems Manager to automate operational tasks on your EC2 instances.

Note: After modifying the instance profiles and restarting instances, it may take up to
5 minutes for the instances to appear in the managed instances inventory.

Make sure that both instances

and
appear in your inventory before moving to the next Task. If you do not see them, you
should reboot them.

Task 5: Installing Amazon CloudWatch agent with SSM
The CloudWatch agent monitors activity on your EC2 instance to collect logs and metrics.
The CloudWatch agent needs to be installed on the EC2 instance using AWS Systems
Manager Run Command. Run Command allows you to perform actions on EC2 instances
remotely. This tool is especially helpful at scale, where you can manage the configuration
of many instances with a single command.

49. In the AWS Management Console, choose the Services menu, and then choose
Systems Manager. Alternatively, you can type the service name in the Search
box to access the service directly.

50. In the left navigation pane, in the Node Management section, choose Run
Command.

51. Choose Run a Command.

52. In the Command document list, search for, then choose

.
53. In the Command parameters section, provide the following values (leaving the rest
with their default values):

For Action: select the “Install” option.
For Name: type
.

54. In the Targets section:

For Targets option, select “Choose a resource group”.


For Resource group, select
(This was the resource group that you created earlier).

55. Choose Run.

You will see the installation progress for the Amazon CloudWatch agent in both EC2
instances. Just wait a few seconds and then refresh your browser. You will see the status
indicate Success.

Reference: Installing the CloudWatch agent on EC2 instances using your agent
configuration.

Task 6: Starting Amazon CloudWatch Agent

In this task you will start the CloudWatch Agent using the Systems Manager Run Command feature.

56. In the AWS Management Console, choose the Services menu, and then choose
Systems Manager. Alternatively, you can type the service name in the Search
box to access the service directly.

57. In the left navigation pane, in the Node Management section, choose Run
Command.

58. Choose Run a Command.

59. In the Command document list, search for, and select

.
60. In the Command parameters section:

For Action, choose configure
For Optional Configuration Source list, select ssm

For this task the lab has provisioned a configuration parameter store named

. For more information about the AWS Systems Manager Parameter Store, visit the
following link:
AWS Systems Manager Parameter Store

For Optional Configuration Location box, enter the parameter name

.
For Optional Restart, select yes

This is the JSON agent configuration file stored in Systems Manager Parameter Store. Take a minute to review it, then continue with the next step.

{
  "agent": {
    "metrics_collection_interval": 60,
    "run_as_user": "root"
  },
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/messages",
            "log_group_name": "messages",
            "log_stream_name": "{instance_id}"
          },
          {
            "file_path": "/var/log/httpd/access_log",
            "log_group_name": "httpd_access_log",
            "log_stream_name": "{instance_id}"
          },
          {
            "file_path": "/var/log/mariadb/wa-db-server.log",
            "log_group_name": "db_general_query_log",
            "log_stream_name": "{instance_id}"
          },
          {
            "file_path": "/var/log/mariadb/mariadb.log",
            "log_group_name": "mariadb_log",
            "log_stream_name": "{instance_id}"
          }
        ]
      }
    }
  },
  "metrics": {
    "append_dimensions": {
      "AutoScalingGroupName": "${aws:AutoScalingGroupName}",
      "ImageId": "${aws:ImageId}",
      "InstanceId": "${aws:InstanceId}",
      "InstanceType": "${aws:InstanceType}"
    },
    "metrics_collected": {
      "disk": {
        "measurement": ["used_percent"],
        "metrics_collection_interval": 60,
        "resources": ["*"]
      },
      "mem": {
        "measurement": ["mem_used_percent"],
        "metrics_collection_interval": 60
      },
      "statsd": {
        "metrics_aggregation_interval": 60,
        "metrics_collection_interval": 10,
        "service_address": ":8125"
      }
    }
  }
}
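Before a configuration like this is stored in Parameter Store and pushed to a whole resource group, it is worth checking it mechanically: malformed JSON or a log entry without a per-instance stream name would otherwise show up only as a failed Run Command on every member of the group. The following checker is an added example, not part of the lab. The config string is a constructed copy of the JSON above, and the checks it applies (absolute file paths, {instance_id} in every stream name, duplicate log group names, the agent running as root, the statsd listener bound to every interface) are the editor's own choices of what to look at before a roll-out, not requirements of the CloudWatch agent.

```python
"""Pre-flight checks for a CloudWatch agent configuration (added example, not lab code)."""
import json

# Constructed copy of the lab's agent configuration, as it would be stored in Parameter Store.
LAB_CONFIG = """{
 "agent": {"metrics_collection_interval": 60, "run_as_user": "root"},
 "logs": {"logs_collected": {"files": {"collect_list": [
   {"file_path": "/var/log/messages", "log_group_name": "messages", "log_stream_name": "{instance_id}"},
   {"file_path": "/var/log/httpd/access_log", "log_group_name": "httpd_access_log", "log_stream_name": "{instance_id}"},
   {"file_path": "/var/log/mariadb/wa-db-server.log", "log_group_name": "db_general_query_log", "log_stream_name": "{instance_id}"},
   {"file_path": "/var/log/mariadb/mariadb.log", "log_group_name": "mariadb_log", "log_stream_name": "{instance_id}"}]}}},
 "metrics": {
   "append_dimensions": {"AutoScalingGroupName": "${aws:AutoScalingGroupName}", "ImageId": "${aws:ImageId}",
                         "InstanceId": "${aws:InstanceId}", "InstanceType": "${aws:InstanceType}"},
   "metrics_collected": {
     "disk": {"measurement": ["used_percent"], "metrics_collection_interval": 60, "resources": ["*"]},
     "mem": {"measurement": ["mem_used_percent"], "metrics_collection_interval": 60},
     "statsd": {"metrics_aggregation_interval": 60, "metrics_collection_interval": 10, "service_address": ":8125"}}}
}"""

REQUIRED_LOG_KEYS = ("file_path", "log_group_name", "log_stream_name")


def validate_agent_config(text):
    """Parse one agent config and return {"log_groups": [...], "errors": [...], "warnings": [...]}.

    Errors would break collection on every target; warnings are things to look at before roll-out.
    The set of checks is the editor's own assumption about what is worth catching.
    """
    result = {"log_groups": [], "errors": [], "warnings": []}
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        result["errors"].append(f"invalid JSON: {exc}")
        return result

    agent = cfg.get("agent", {})
    if agent.get("run_as_user") == "root":
        result["warnings"].append(
            "agent runs as root; acceptable only when a collected file cannot be read otherwise")

    entries = (cfg.get("logs", {}).get("logs_collected", {})
                  .get("files", {}).get("collect_list", []))
    for i, entry in enumerate(entries):
        missing = [k for k in REQUIRED_LOG_KEYS if k not in entry]
        if missing:
            result["errors"].append(f"collect_list[{i}] is missing {missing}")
            continue
        if not entry["file_path"].startswith("/"):
            result["errors"].append(f"collect_list[{i}] file_path is not absolute: {entry['file_path']}")
        if "{instance_id}" not in entry["log_stream_name"]:
            # Without a per-instance placeholder every instance writes into the same stream.
            result["warnings"].append(
                f"collect_list[{i}] ({entry['log_group_name']}) has a fixed stream name; "
                "every instance would write into one stream")
        result["log_groups"].append(entry["log_group_name"])
    duplicates = sorted({g for g in result["log_groups"] if result["log_groups"].count(g) > 1})
    if duplicates:
        result["warnings"].append(f"several files share a log group: {duplicates}")

    collected = cfg.get("metrics", {}).get("metrics_collected", {})
    for name, section in collected.items():
        # A plugin without its own interval inherits the agent-wide one.
        interval = section.get("metrics_collection_interval", agent.get("metrics_collection_interval"))
        if not isinstance(interval, int) or interval <= 0:
            result["errors"].append(f"metrics_collected.{name} has no usable collection interval")
    address = collected.get("statsd", {}).get("service_address", "")
    if address.startswith(":"):
        # ":8125" has no host part, so the UDP listener is bound on all interfaces.
        result["warnings"].append(
            f"statsd listens on every interface ({address}); bind to 127.0.0.1{address} "
            "or restrict the port with the instance security group")
    return result


if __name__ == "__main__":
    report = validate_agent_config(LAB_CONFIG)
    print("log groups:", ", ".join(report["log_groups"]))
    for kind in ("errors", "warnings"):
        for line in report[kind]:
            print(f"{kind[:-1]}: {line}")
```

Run against the lab's configuration the checker reports no errors, lists the four log groups the lab expects to see in Task 7, and raises two warnings (the root user and the statsd bind address) for the reviewer to decide on.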

61. In the Targets section:

For Targets, select Choose a resource group


For Resource group, select
(This was the resource group that you created earlier)

62. Choose Run.

You will see the Run Command result. Use the refresh option to update the status until it
displays Success.

You have now installed and started the CloudWatch agent on both EC2 instances using
the “Perform Operations as Code” design principle.

Reference: Installing the CloudWatch agent on EC2 instances using your agent
configuration.
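Tasks 2 through 6 are clicked through in the console; the same work expressed as code, which is what the “Perform operations as code” principle asks for, looks like the following. This is an added example, not the lab's own code. The tag keys and values, the group name and the Parameter Store name are elided in this copy of the guide and appear here as PLACEHOLDER values; the SSM documents AWS-ConfigureAWSPackage (with package name AmazonCloudWatchAgent) and AmazonCloudWatch-ManageAgent are the public documents for these two actions and are assumed to be the ones the lab uses. The request builders run offline; only main() needs boto3, credentials and the LabRegion configured in the environment.

```python
"""Operations-as-code version of Tasks 2-6 (added example, not the lab's own code).

Each builder returns the exact request the corresponding console steps send; main()
sends them with boto3. Values marked PLACEHOLDER are assumptions because this copy
of the guide elides the lab's own tag keys, group name and parameter name.
"""
import json

# Constructed placeholders: replace with the values from your own lab instructions.
TAGS = {"PLACEHOLDER-TagKey1": "PLACEHOLDER-Value1",
        "PLACEHOLDER-TagKey2": "PLACEHOLDER-Value2"}
GROUP_NAME = "PLACEHOLDER-resource-group"
CONFIG_PARAMETER = "PLACEHOLDER-cloudwatch-agent-config"  # Parameter Store name
# Public SSM documents for these actions; assumed to be the ones the lab's blanks refer to.
INSTALL_DOCUMENT = "AWS-ConfigureAWSPackage"
MANAGE_DOCUMENT = "AmazonCloudWatch-ManageAgent"


def tag_request(instance_ids):
    """Task 2: one ec2 create-tags call applies the same tags to every instance."""
    return {
        "Resources": list(instance_ids),
        "Tags": [{"Key": k, "Value": v} for k, v in TAGS.items()],
    }


def resource_group_request(group_name=GROUP_NAME, tags=TAGS):
    """Task 3: a tag-based group. The query is TAG_FILTERS_1_0 JSON passed as a string."""
    query = {
        "ResourceTypeFilters": ["AWS::EC2::Instance"],
        "TagFilters": [{"Key": k, "Values": [v]} for k, v in tags.items()],
    }
    return {
        "Name": group_name,
        "Description": "EC2 instances of the product catalog application",  # constructed
        "ResourceQuery": {"Type": "TAG_FILTERS_1_0", "Query": json.dumps(query)},
    }


def group_target(group_name=GROUP_NAME):
    """Run Command's 'Choose a resource group' option, expressed as an API target."""
    return [{"Key": "resource-groups:Name", "Values": [group_name]}]


def install_agent_request(group_name=GROUP_NAME):
    """Task 5: install the CloudWatch agent package on every member of the group."""
    return {
        "DocumentName": INSTALL_DOCUMENT,
        "Parameters": {"action": ["Install"], "name": ["AmazonCloudWatchAgent"]},
        "Targets": group_target(group_name),
    }


def configure_agent_request(group_name=GROUP_NAME, parameter=CONFIG_PARAMETER):
    """Task 6: load the config from Parameter Store and (re)start the agent."""
    return {
        "DocumentName": MANAGE_DOCUMENT,
        "Parameters": {
            "action": ["configure"],
            "mode": ["ec2"],
            "optionalConfigurationSource": ["ssm"],
            "optionalConfigurationLocation": [parameter],
            "optionalRestart": ["yes"],
        },
        "Targets": group_target(group_name),
    }


def main(instance_ids):
    """Send the requests for real. Needs boto3, credentials and the LabRegion set."""
    import boto3  # imported here so the builders above stay usable offline
    boto3.client("ec2").create_tags(**tag_request(instance_ids))
    boto3.client("resource-groups").create_group(**resource_group_request())
    ssm = boto3.client("ssm")
    for request in (install_agent_request(), configure_agent_request()):
        command = ssm.send_command(**request)["Command"]
        # Poll list_command_invocations with this CommandId until every instance reports Success.
        print(request["DocumentName"], command["CommandId"], command["Status"])


if __name__ == "__main__":
    import sys
    main(sys.argv[1:])  # usage: python ops_as_code.py i-0123... i-0456...
```

Targeting the resource group rather than listing instance IDs is the point of Task 3: the same two send_command calls keep working when instances are replaced, as long as the replacements carry the tags. The instance profile from Task 4 is still required; Run Command only reaches instances whose SSM Agent can call the service.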

Task 7: Validating custom metrics and log groups

63. In the AWS Management Console, choose the Services menu, and then choose
CloudWatch. Alternatively, you can type the service name in the Search box to
access the service directly.

64. In the left navigation pane, expand the Metrics section, and choose All Metrics.

Note: It may take up to 5 minutes for metrics to appear in the dashboard. Refresh your
browser in case you don’t see CWAgent after a couple of minutes.

65. In the All metrics tab, in the Custom Namespaces section, choose

.
66. Choose the first metrics group (ImageId, InstanceId, InstanceType, device…).

67. Select one of the instances. This will cause it to start graphing disk utilization above.
It is normal for graphed metrics to be empty, as your environment is new.

(Optional) Task 7.1: Validating custom metrics and log groups

You can check memory utilization for your EC2 instances.


Next, you will navigate through
log groups.

68. In the left navigation pane, expand the Logs section, and choose Log groups.

In this section, you can view the events happening in your instances’ operating system
and applications (Apache and MariaDB).

db_general_query_log
httpd_access_log
mariadb_log
messages

69. Next, you will access the application web server using the public DNS or IP you used
on the first task in this lab.

70. To update the database, make some inserts using the application as follows:

Enter a value in the Category field.

Enter a value in the Description field.

Enter a value in the Price field.

Choose the Update database button to insert the item.

Repeat these steps to insert as many items as desired.

71. Make sure you’re on the CloudWatch page.

72. In the left navigation pane, expand the Logs section, and choose Log groups.

73. Choose the httpd_access_log link, then choose the Log stream link. You will see your public IP listed (you can use What’s my IP to figure out what your public IP is).

74. Go back to the log list and choose the db_general_query_log link. You will see the database inserts you just made logged there.

Lab Complete
Congratulations! You completed the lab.

In a traditional environment you would have to set up the systems and software to
perform administration activities. You would require a server to execute your scripts. You
would need to manage authentication credentials across all of your systems.

Operations as code reduces the resources, time, risk, and complexity of performing operations tasks and ensures consistent operation, so your organization can focus on delivering more value to customers rather than reacting to emergencies. You can take operations as code and automate operations activities by using scheduling and event response. Through integration at the infrastructure level you avoid processes that require multiple interfaces and systems to complete a single operations activity.

End lab
Follow these steps to close the console and end your lab.

75. Return to the AWS Management Console.

76. At the upper-right corner of the page, choose AWSLabsUser, and then choose
Sign out.

77. Choose End lab and then confirm that you want to end your lab.

For more information about AWS Training and Certification, see https://aws.amazon.com/training/.

Your feedback is welcome and appreciated.

If you would like to share any feedback, suggestions, or corrections, please provide the details in our AWS Training and Certification Contact Form.
