Management, governance, and other services.

In this lesson, you will learn how to manage and govern your AWS services, and which services, such as machine learning, don't often appear on the exam but are still worth knowing about.

Previously, we learned about AWS services that give you visibility into costs. But what about visibility into all the other activity on AWS? Enterprises using AWS are in one of two positions: either they want to serve hundreds of millions of customers one day, or they are serving hundreds of millions of customers right now. When we think about how to gain observability into these AWS estates, we need services that monitor activity at cloud scale.

If you're operating thousands of AWS accounts running thousands of resources, how do you keep track of them all? One way is to tag them with their function or another organizational scheme. Tags are key-value pairs like "backup policy":"finance". Resources that share a tag can be collected into an AWS Resource Group, and tag-aware services can then act on them as a set: once tagged, a service like AWS Backup sweeps through all of those accounts and resources and takes snapshots of the ones carrying the tags you designated.

Beyond tags, there are many AWS services that help you manage and govern your resources, which I put into two categories. First, there are the audit services. Audit services give you observability, the ability to see what is happening in your AWS accounts. Second, there are automation services. These let you automate how your AWS resources run worldwide, so you can enforce uniform standards across your AWS environment.

The first audit service we'll look at is Amazon CloudWatch. CloudWatch collects metrics and logs that show how your resources are doing, such as whether they're close to capacity and when they last scaled in or out. You can also query the logs (with CloudWatch Logs Insights) to investigate a particular resource.
When I first started deploying applications to AWS, I made mistakes that would cause the applications not to deploy. So I would pull up my CloudWatch log and review the error messages, and those would tell me exactly what failed, helping me save a lot of time by narrowing down what I needed to fix.

You can use CloudWatch metrics and alarms to monitor operational health and application performance. A metric is a time series, such as an EC2 instance's CPUUtilization. An alarm watches a metric against a threshold: for example, once CloudWatch sees that CPU utilization has reached or exceeded 80 percent, the alarm fires and performs an action. The action could be to send you a notification through SNS, to tell an Auto Scaling group to launch more instances, or both. Finally, you can view dashboards in CloudWatch. They look like this.

Whereas CloudWatch is a running log of what your resources are up to, AWS CloudTrail is a running log of what your users are up to. Enterprises have people all over the world running all kinds of workloads on AWS, and sometimes you need to investigate what happened to a certain resource or answer questions like, "who was the last person who touched this resource and what exactly did that person do?" That's when you open up your CloudTrail logs, find the resource, and look at which users performed what actions on it.

A more precise definition is that CloudTrail is a log of API calls. API stands for application programming interface: the set of operations a service exposes and the rules for calling them. Every AWS service has an API. Here are some of the APIs for AWS Backup. When you perform an action on AWS, whether you're clicking a button in the console, running a command in the command line interface, or calling an SDK, you're making an API call. CloudTrail records that call along with its timestamp, the identity that made it (an IAM user or an assumed role), the source IP address, and the account ID. By default CloudTrail records management (control-plane) events; data events such as S3 object reads and Lambda invocations have to be turned on separately. Our final audit service is AWS Trusted Advisor.
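The question the lesson poses, "who was the last person who touched this resource and what did they do?", worked through in code. This is an added example and not code from the lesson. The CloudTrail records it reads are constructed sample data laid out like a delivered CloudTrail log file (a JSON object with a "Records" list), with placeholder account ID, ARNs, IP addresses and volume IDs; the field names follow the real CloudTrail record format. The helper names (mentions, change_history, last_change) are my own.

```python
"""Who last changed this resource? Answering it from CloudTrail records.

Added example, not from the lesson. SAMPLE_LOG_FILE is constructed data in the
shape of a CloudTrail log file; account ID, ARNs, IPs and volume IDs are
placeholders.
"""
import json

SAMPLE_LOG_FILE = json.dumps({"Records": [
    # Deliberately out of time order: CloudTrail does not guarantee ordering
    # within or across delivered log files, so the code sorts by eventTime.
    {
        "eventTime": "2024-03-01T11:03:11Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifyVolume",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::111122223333:user/bob"},
        "readOnly": False,
        "requestParameters": {"volumeId": "vol-0abc123", "size": 200},
    },
    {
        "eventTime": "2024-03-01T09:15:02Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateVolume",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-runner"},
        "readOnly": False,
        "requestParameters": {"availabilityZone": "us-east-1a", "size": 100, "encrypted": False},
        # For a create call the new ID only appears in the response.
        "responseElements": {"volumeId": "vol-0abc123", "encrypted": False},
    },
    {
        "eventTime": "2024-03-01T10:42:30Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeVolumes",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "readOnly": True,
        "requestParameters": {"volumeSet": {"items": [{"volumeId": "vol-0abc123"}]}},
    },
    {
        "eventTime": "2024-03-01T11:30:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DeleteVolume",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "readOnly": False,
        "requestParameters": {"volumeId": "vol-0def456"},
    },
]})


def mentions(obj, resource_id):
    """True if resource_id appears anywhere inside a nested dict/list."""
    if isinstance(obj, dict):
        return any(mentions(v, resource_id) for v in obj.values())
    if isinstance(obj, list):
        return any(mentions(v, resource_id) for v in obj)
    return obj == resource_id


def is_read_only(record):
    # CloudTrail sets readOnly on every record; fall back to the naming
    # convention of the read-only API families if it is ever absent.
    if "readOnly" in record:
        return record["readOnly"]
    return record["eventName"].startswith(("Describe", "List", "Get"))


def actor(record):
    """Human-readable identity: the user name, or the ARN for roles."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def change_history(log_file_json, resource_id):
    """All non-read-only API calls that touched resource_id, oldest first."""
    records = json.loads(log_file_json)["Records"]
    hits = [r for r in records
            if not is_read_only(r)
            and (mentions(r.get("requestParameters"), resource_id)
                 or mentions(r.get("responseElements"), resource_id))]
    hits.sort(key=lambda r: r["eventTime"])  # ISO-8601 UTC: string order is time order
    return [{"time": r["eventTime"], "action": r["eventName"],
             "actor": actor(r), "ip": r.get("sourceIPAddress")} for r in hits]


def last_change(log_file_json, resource_id):
    """Most recent change to resource_id, or None if none was logged."""
    history = change_history(log_file_json, resource_id)
    return history[-1] if history else None


if __name__ == "__main__":
    for step in change_history(SAMPLE_LOG_FILE, "vol-0abc123"):
        print(step)
    print("last change:", last_change(SAMPLE_LOG_FILE, "vol-0abc123"))
```

Two practitioner details it handles: records are sorted by eventTime because CloudTrail does not guarantee ordering within or across delivered files, and read-only calls are skipped so that a later DescribeVolumes is not reported as the "last change". For an assumed role the ARN ends in the session name, which the caller chooses, so tie it back to the AssumeRole event when you need the original principal. On real data you would run the same logic over the log files in your S3 bucket, or express it as a query in CloudTrail Lake or Athena.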
Trusted Advisor gives you real-time guidance in five categories: cost optimization, performance, security, fault tolerance, and service limits. It is provided through AWS Support; a core set of checks comes with every account, and the full set of checks requires the Business or Enterprise tier of support. We'll cover the four support tiers in a future module.

Turning to the automation services, AWS Config continuously records your resource configurations and evaluates them against Config rules, which are rules you define to govern how your AWS resources should be configured. An example of a Config rule is "every EBS volume must be encrypted." If you currently have an unencrypted EBS volume, AWS Config flags that specific volume as noncompliant. You could also be compliant now, but if someone later launches a new volume without encryption, AWS Config notices the configuration change and marks the new volume as noncompliant too. (EBS encryption is set when a volume is created, so this kind of drift shows up as new or newly discovered unencrypted volumes, not as an existing volume being switched off.) People call AWS Config "compliance as code." The process I just described, where rules are in place but resources eventually stop following them for whatever reason, is called "drift." You can set up a perfect cloud environment today, but there's no guarantee it will remain that way over time. Services like AWS Config help automate finding drift, and a rule can be paired with a remediation action to correct it.

AWS OpsWorks is a configuration management service for your EC2 servers: it automates tasks such as patching, updating, and backup. It runs managed versions of two open source configuration managers, Chef and Puppet. AWS Service Catalog allows you to manage a catalog of approved IT services such as AMIs, software, and even multi-tier applications. Administrators control what goes into the catalog, while users use the catalog to get the software they need. CloudFormation allows you to launch multiple AWS resources at once from a code template. Why would you want to do that?
As one example, when an enterprise already has an architecture and wants to expand into a new region, it can describe the existing architecture in a template and use CloudFormation to create a mirror image of it in the new region. The concept of launching an entire infrastructure from a code template is called "infrastructure as code." You don't need to write the template from scratch either. CloudFormation has a visual editor (CloudFormation Designer) where you draw an architecture diagram and it translates that diagram into a template for you. Just to share one of my interviewing techniques: when I interviewed at AWS, I wanted to demonstrate understanding of enterprise software. I did that by launching an enterprise infrastructure using CloudFormation, then running workloads on top of it. Maybe that technique will also work for your interviews.

AWS Organizations is a very testable subject because it does a lot of things. At the most basic level, it lets enterprises automate the process of creating and securing thousands of AWS accounts. Once created, it also allows you to control those accounts, called "member accounts," from a single "management account." The main control is the service control policy (SCP), which caps the permissions any identity in a member account can use, whatever its own IAM policies grant. Once you have created these thousands of accounts using AWS Organizations, you can use CloudFormation (through StackSets) to populate all the accounts with resources. You can also use Organizations to group accounts into organizational units, abbreviated OUs, in a structure that might resemble an org chart, and attach SCPs at the OU level for easier management. Finally, AWS Organizations lets you consolidate your costs: you receive a single consolidated bill rather than thousands of individual account bills. From the management account you can use Cost Explorer to review costs across all of your accounts. If any account in your organization buys a one-year or three-year Savings Plan (or Reserved Instances), any other account in that organization can use it by default; the management account can turn that sharing off. At the time of recording, the highest level of consolidation is the organization itself, meaning you cannot consolidate across multiple organizations.
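Returning to the AWS Config rule described earlier in this lesson, "every EBS volume must be encrypted", here is what that evaluation looks like as a custom Config rule. This is an added example, not code from the lesson and not AWS's managed ENCRYPTED_VOLUMES rule (which performs the same check without any custom code). It follows the custom-rule Lambda contract: Config invokes the function with an event whose invokingEvent is a JSON string carrying one configuration item, and the function reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE back with PutEvaluations. The configuration items and the timeline of events are constructed samples with placeholder resource IDs; make_event and noncompliant_volumes are my own helpers, not part of the Config API.

```python
"""A custom AWS Config rule for "every EBS volume must be encrypted".

Added example, not from the lesson and not AWS's managed ENCRYPTED_VOLUMES
rule. The handler follows the shape Config uses to invoke custom rules; the
configuration items (CIs) below are constructed, simplified samples.
"""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_volume(ci):
    """Return (compliance type, annotation) for one configuration item."""
    if ci.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "rule applies to EBS volumes only"
    if ci.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "volume was deleted"
    if ci.get("configuration", {}).get("encrypted") is True:
        return COMPLIANT, "volume is encrypted"
    # A missing or false flag is reported as non-compliant: fail closed.
    return NON_COMPLIANT, "volume is not encrypted"


def lambda_handler(event, context=None):
    """Entry point in the shape Config invokes; returns the evaluation it reports."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_volume(ci)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    # A real invocation carries a resultToken and the evaluation must be sent
    # back with PutEvaluations; the offline sample events below omit it.
    if "resultToken" in event:
        import boto3  # imported lazily so the example runs without boto3 installed
        boto3.client("config").put_evaluations(
            Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(resource_id, resource_type, capture_time, status="OK", **configuration):
    """Build a constructed Config invocation event for one resource (helper, not an AWS API)."""
    ci = {
        "resourceType": resource_type,
        "resourceId": resource_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": capture_time,
        "configuration": configuration,
    }
    return {"invokingEvent": json.dumps({"configurationItem": ci})}


# Constructed timeline: clean at deployment, then drift when a new unencrypted
# volume is created days later. EBS encryption is fixed at creation, so drift
# means new unencrypted volumes appearing, not an existing one being switched off.
SAMPLE_EVENTS = [
    make_event("vol-0aaa", "AWS::EC2::Volume", "2024-03-01T09:00:00Z", encrypted=True),
    make_event("vol-0bbb", "AWS::EC2::Volume", "2024-03-01T09:00:01Z", encrypted=True),
    make_event("i-0ccc", "AWS::EC2::Instance", "2024-03-01T09:00:02Z", instanceType="t3.micro"),
    make_event("vol-0ddd", "AWS::EC2::Volume", "2024-03-05T14:20:00Z", encrypted=False),
    make_event("vol-0bbb", "AWS::EC2::Volume", "2024-03-06T08:00:00Z", status="ResourceDeleted"),
]


def noncompliant_volumes(events):
    """Replay evaluations in order and return the IDs still NON_COMPLIANT at the end."""
    latest = {}
    for event in events:
        result = lambda_handler(event)
        latest[result["ComplianceResourceId"]] = result["ComplianceType"]
    return sorted(rid for rid, c in latest.items() if c == NON_COMPLIANT)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        r = lambda_handler(e)
        print(r["ComplianceResourceId"], r["ComplianceType"], "-", r["Annotation"])
    print("non-compliant now:", noncompliant_volumes(SAMPLE_EVENTS))
```

Replaying the constructed timeline shows the drift case from the lesson: the first three items leave nothing non-compliant, the volume created days later without encryption is flagged, and the deleted volume drops out as NOT_APPLICABLE. A missing encrypted flag is treated as non-compliant rather than ignored, so a partial or malformed configuration item fails closed instead of silently passing.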