
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk
auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain
account activity related to actions across your AWS infrastructure. CloudTrail provides event
history of your AWS account activity, including actions taken through the AWS Management
Console, AWS SDKs, command line tools, and other AWS services. This event history
simplifies security analysis, resource change tracking, and troubleshooting. In addition, you can
use CloudTrail to detect unusual activity in your AWS accounts. These capabilities help simplify
operational analysis and troubleshooting.

Note: an audit trail is a record of actions, or of things that happened.


Amazon CloudWatch is a monitoring and management service that provides data and
actionable insights for AWS, hybrid, and on-premises applications and infrastructure resources.
With CloudWatch, you can collect and access all your performance and operational data in form
of logs and metrics from a single platform.

Amazon CloudWatch Events delivers a near real-time stream of system events that describe
changes in Amazon Web Services (AWS) resources. Using simple rules that you can quickly set
up, you can match events and route them to one or more target functions or streams.

The difference between CloudWatch and CloudTrail:

CloudWatch focuses on the activity of AWS services and resources, reporting on their
health and performance. On the other hand, CloudTrail is a log of all actions that have
taken place inside your AWS environment.

AWS CloudWatch
AWS CloudWatch is a monitoring service. That means it allows you to monitor the performance
of your AWS resources and applications.

Where would you use AWS CloudWatch?

- To analyze logs - CloudWatch is useful in exploring and analyzing logs. Why would you
do that? By analyzing your logs, you might find issues that can be addressed to improve
the performance of your applications. Besides that, when a resource/application fails, you
can determine what happened and why by looking at the logs.
- To monitor your applications - For instance, you could monitor EC2 metrics such as
CPU utilization, memory used, status check, network throughput, and more. It gives you
insights about your application so you can act accordingly. For example, if you notice an
EC2 instance is nearing capacity you can add another one to avoid degraded performance
or downtime.
- To optimize your resources - With CloudWatch, you can specify what happens when a
specific threshold is met or not met. For example, terminate an EC2 instance if a condition is
met, or create additional instances to support more traffic.

Moreover, AWS CloudWatch is made up of multiple monitoring tools such as:

- Events - You can trigger an action based on an event. For instance, we could create an
event that sends an email to the administrator when a resource fails. You specify how and
when to trigger an action. Then you define what action to trigger. Thus, CloudWatch
events are very useful.
- Alarms - With alarms, you need to define a threshold, a condition, and what to trigger.
The most popular scenario is an alarm for billing. That is, trigger an alarm if the
estimated charges are greater than the threshold set.
- Logs - CloudWatch logs allow you to store the log files for various sources such as EC2
instances, CloudTrail, and many more. You can then use these logs to detect issues, find
leaks, patterns, and so on.

Finally, AWS CloudWatch is an excellent service that you can use to monitor the performance
and metrics of your resources and applications that run in AWS. It helps you to improve and
scale your applications. It also enables you to stay within a budget and thus avoid unwanted
costs. Consider CloudWatch as a person that watches your applications to make sure they work
correctly, and at the best prices.

AWS CloudTrail
Consider AWS CloudTrail as a detective that watches over your AWS account and environment.
It provides information on:

- What action was taken
- Who performed it
- When the action was taken
- Where the action was taken

For instance, let's say your S3 bucket was deleted by mistake. You can use AWS CloudTrail to
see who deleted the bucket, when, and where (e.g. via an API call or from the AWS Management
Console).
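The rule matching described under CloudWatch Events above and the deleted-bucket investigation just described, combined into one added example (not code from the original notes or from AWS): it evaluates a simple event pattern against constructed CloudTrail records and answers the what/who/when/where questions for the matching DeleteBucket event. The records, account id, ARNs, bucket name and IP addresses are placeholders; the console-detection rule is a heuristic, not AWS's own logic.

```python
# Constructed sample CloudTrail records (not real account data): the account
# id, ARNs, bucket name and IP addresses are placeholders for the example.
SAMPLE_TRAIL = [
    {"eventTime": "2023-05-01T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.11.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "example-reports", "key": "q1.csv"}},
    {"eventTime": "2023-05-01T10:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-reports"}},
]

# The kind of rule CloudWatch Events evaluates: each pattern key must exist in
# the event and the event's value must be one of the listed alternatives;
# nested objects are matched recursively.
DELETE_BUCKET_RULE = {"eventSource": ["s3.amazonaws.com"],
                      "eventName": ["DeleteBucket"]}

def pattern_matches(pattern, event):
    """Exact-value event pattern matching (no prefix or numeric filters)."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        if isinstance(wanted, dict):
            if not isinstance(event[key], dict) or not pattern_matches(wanted, event[key]):
                return False
        elif event[key] not in wanted:
            return False
    return True

def summarize(record):
    """Answer CloudTrail's four questions for one record: what, who, when, where."""
    agent = record.get("userAgent", "")
    return {"what": record["eventName"],
            "who": record.get("userIdentity", {}).get("arn", "unknown"),
            "when": record["eventTime"],
            "where": record.get("sourceIPAddress", "unknown"),
            # Heuristic: console sessions carry a console user agent, API calls do not.
            "via": "AWS Management Console" if "console" in agent.lower() else "API call"}

def find_bucket_deletions(records, bucket):
    """Keep only DeleteBucket events for one bucket, as a matched rule would route them."""
    return [summarize(r) for r in records if pattern_matches(DELETE_BUCKET_RULE, r)
            and r.get("requestParameters", {}).get("bucketName") == bucket]
```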

Thus, the primary use case for AWS CloudTrail is to monitor the activity in your AWS
environment. Additionally, CloudTrail supports compliance by providing a history of
activity in your AWS environment, so it is easy to ensure your business is adhering to regulatory
standards and internal policies.

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of
your AWS resources. Config continuously monitors and records your AWS resource
configurations and allows you to automate the evaluation of recorded configurations against
desired configurations.

AWS Systems Manager (formerly known as SSM) is an AWS service that you can use to view
and control your infrastructure on AWS. Using the Systems Manager console, you can view
operational data from multiple AWS services and automate operational tasks across your AWS
resources.

AWS CloudFormation is a service that helps you model and set up your Amazon Web Services
resources so that you can spend less time managing those resources and more time focusing on
your applications that run in AWS. You create a template that describes all the AWS resources
that you want (like Amazon EC2 instances or Amazon RDS DB instances), and AWS
CloudFormation takes care of provisioning and configuring those resources for you. You don't
need to individually create and configure AWS resources and figure out what's dependent on
what; AWS CloudFormation handles all of that. The following scenarios demonstrate how AWS
CloudFormation can help.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html
What is an AWS CloudFormation template? A template is a declaration of the AWS resources
that make up a stack. The template is stored as a text file whose format complies with the
JavaScript Object Notation (JSON) or YAML standard. ... In the template, you declare the AWS
resources you want to create and configure.

A stack is a collection of AWS resources that you can manage as a single unit. ... All the
resources in a stack are defined by the stack's AWS CloudFormation template. A stack, for
instance, can include all the resources required to run a web application, such as a web server, a
database, and networking rules.

AWS OpsWorks is a configuration management service that provides managed instances of Chef
and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate
the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how
servers are configured, deployed, and managed across your Amazon EC2 instances or
on-premises compute environments. OpsWorks has three offerings: AWS OpsWorks for Chef
Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.

AWS Control Tower is a service that is intended for organizations with multiple accounts and
teams who are looking for the easiest way to set up their new multi-account AWS environment
and govern at scale. With AWS Control Tower, cloud administrators get peace of mind knowing
accounts in their organization are compliant with established policies while builders provision
new AWS accounts quickly in a few clicks.

Using AWS Control Tower, cloud administrators can set up an automated landing zone that
employs best-practices blueprints such as configuring multi-account structure using AWS
Organizations, managing user identities and federated access with AWS Single Sign-on,
enabling account provisioning through AWS Service Catalog, and creating a centralized log
archive using AWS CloudTrail and AWS Config. For ongoing governance, they can enable
preconfigured guardrails – clearly defined rules for security, operations, and compliance – that
prevent deployment of resources that don’t conform to policies and continuously monitor
deployed resources for nonconformance. AWS Control Tower’s dashboard provides centralized
visibility into their AWS environment including accounts provisioned, guardrails enabled, and
the compliance status of accounts.

Administrators can set up a new multi-account environment with just a single click in the AWS
Management Console. There are no additional charges or upfront commitments to use Control
Tower; they pay only for AWS services enabled in order to set up a landing zone and implement
selected guardrails.
