Management & Monitoring in AWS: IAM, CloudWatch, CloudFormation, KMS
Hello everyone!! I hope that you all are well and safe. Today’s blog revolves around the management and monitoring services that are provided by AWS.
AWS :
Amazon Web Services, commonly known as AWS, is the cloud computing platform provided by Amazon. It provides on-demand services. On-demand services mean that the cloud services are provided to the customers according to their needs and demands. One can use the services provided individually or as an organization. Also, the best part about AWS is that the user will only have to pay for the services that the user uses.
Monitoring: Monitoring services in AWS comprise the monitoring of all the resources and applications that are running/are in use in real-time. It does the complete analysis of the metrics and gives the result to the user according to the way in which it is configured. One of the commonly used services to analyze/ monitor the resources and applications in AWS is CloudWatch.
Management: For any company management plays an important role. When a user uses certain services of AWS, AWS provides the user with complete access to manage its work. The user(individual/organization) can decide whom they have to give access to and what access is to be provided to which agent. This could be done through the management services provided by AWS. In today's blog, we’ll discuss the services like IAM, KMS, and CloudFormation.
CloudWatch:
As we have seen, CloudWatch is a service provided by AWS to monitor/analyze the resources and the application in realtime. This service is primarily built for developers, DevOps engineers, IT managers, and Site Reliability Engineers(SREs). Cloudwatch is used to get the insights and data/figures to respond to system-wide performance changes, monitor applications/resources, get a unified view of operational health, and optimize resource utilization. It collects all the required information as metrics, events, and logs thus providing a united/merged view of all the resources, services, or applications that are running on-premises servers on the AWS.
We can use cloud watch to detect abnormal behavior in the environment, visualize metrics and logs simultaneously, troubleshoot issues, set alarms, discover insights, and take automated actions so that the applications and services keep running smoothly.
Benefits of CloudWatch:
- It shows the result related to all the resources and applications on a single platform in an integrated manner.
- This is the easiest way of collection readings/metrics on-premises or in AWS.
- It improves resource optimization and operational performance.
- One can easily derive insights that are actionable from the logs/metrics.
- User gets operational insights and visibility.
IAM:
AWS IAM(Identity and Access Management) is a service that is provided by AWS and it allows the users to manage their resources and applications and allow limited access to them to increase security and limit access.
IAM is a service through which one can create as well as manage groups and users. Also, one can allow or deny access to particular resources and applications using permissions. This feature is included and available to any user without paying any additional cost. One will only be charged if the users that have access use any resources/services.
Uses cases on IAM namely could be Grained access to AWS resources, MFA (Multifactor Authentication) for privileged users, Integrated with the corporate directory and Analyzing access.
IAM allows a user to:
- Manage IAM users and their access.
- Manage federated users and their permissions.
- Manage IAM roles and their permissions.
Best practices of IAM:
* Try to create individual users.
* Manage groups and permissions.
* Grant least privilege. Lesser the permission granted, lesser will be te chance of data leakage.
* Turn on CloudTrail for auditing.
* Keep a strong password always.
* For the privileged users, MFA should be enabled.
* Assign IAM roles to EC2 instances.
* For sharing access to anyone, make use of IAM.
* Security credentials should be rotated/changed on a regular basis.
* Privileges and access should further be restricted with conditions.
* The use of root should either be removed or reduced.
AWS CloudFormation:
As the figure above depicts, in this service of AWS, the infrastructure of a user’s/organization's resources is treated as a code. It makes it easier to model related third-party and AWS resources, provision them, and manage them throughout their life/lifecycle. What describes the desired resources and their dependencies is a CloudFormation template. One can easily configure them or launch them as a stack. Also, to create, delete and update the entire stack which means as a single unit, a template can be used. Stacks could be managed and provisioned accrose multiple AWS regions and accounts.
Basic steps to follow when using CloudFormation service:
> User needs to pick a template first.
> The items that are required for stack should be prepared
> Then, the user needs to create a stack.
> Continously monitor the progress of stack.
> Stack resources should be used.
> Clean Up in the end. Delete stack or any other resource that was being used.
Benefits of CloudFormation:
I. Best practices are applied automatically.
II. The infrastructure used can be scaled worldwide.
III. It could be integrated with other AWS services.
IV. One can manage private as well as third-party resources.
V. CloudFormation can be extended with the community.
KMS:
AWS KMS(Key Management Service) is the service that makes it easier for the user to manage and create cryptographic keys. User can also control the use access of these keys across user’s application(s) and a wide range of AWS services. KMS is a service which is secure and strong. It uses hardware security modules that are in the process of being validated or are already validated under FIPS140-2 to protect the user’s keys. In AWS, KMS is merged with Cloudtrail. This is done inorder to provide the user/client with logs of all the key usages, this is done to help the user meet compliance and regulatory needs.
Benefits of KMS:
- It does not cost much.
- It is/can be completely managed
- Used for managing Encryption for AWS services.
- It has centralized system for key management
- Can be used for digitally signing any data
- It has a feature for built in auditing.
- Used in meeting compliance needs
- It is Secure
Hope you built interest while reading this. Thank you!