AWS ‐ CloudFormation - FullstackCodingGuy/Developer-Fundamentals GitHub Wiki

CloudFormation is an infrastructure-as-code service for AWS: a text-based template declares the resources, and CloudFormation provisions or updates them. The resources created from one template form a stack, which is managed as a single unit.

A template, written in JSON or YAML, defines the resource stack (VMs, databases, load balancers, buckets, IAM policies, etc.) and can be reused. The template can be stored locally or in an S3 bucket. There is no need for one template per resource; a single template describes a whole stack (for example, a LAMP stack).

Templates support Parameters, Mappings and Conditions.

CloudFormation Stack - manages resources as a single unit; related features are nested stacks, Windows stacks and StackSets.

CloudFormation change sets - a preview of the changes a stack update would make, to review before they are executed.

Cloud Service Models

Cloud computing is a network-based IT service that comes with its own authentication and security services.

SLA - a contract between the consumer and the service provider that sets the uptime guarantees and defines the consequences of downtime.

5 Cloud Characteristics

  • On-demand self-service.
  • Broad network access.
  • Resource pooling.
  • Rapid elasticity.
  • Measured Service.

XaaS - Anything as a Service

Any service delivered over the network.

IaaS

Moving data centers to the cloud

  • VMs
  • The CSP is responsible for the hardware and the virtualization layer
  • The customer is responsible for the software, from the guest OS upward

PaaS

Moving Platforms to cloud

  • Web apps, CDN, IDEs, databases, Software development platforms

SaaS

Moving Software to cloud

  • User productivity apps - Office365, SalesForce etc
  • Accessible from thin clients

FaaS - Function as a Service

Typically used for microservices and pay-per-use applications; the provider runs individual functions on demand, so you pay only while code executes.

SECaaS - Security as a service

Security delivered as a network-accessed service: cloud-based DDoS mitigation, cloud-based firewalls, etc.

IaC - Infrastructure as Code

Makes IT infrastructure far more manageable by describing it in code or configuration files; with a tool such as CloudFormation, provisioning of all infrastructure resources can be fully automated. Because the definition is text, it can be kept under version control and deployed through CI/CD.

Using CloudFormation templates, we can:

  • Manage
  • Monitor
  • Provision

Advantages

  • Efficiency and speed: automated scripts produce the same result in every environment (dev, test, stage)

Risks

  • Find out more

IaC Automation

With automation the engineer does not perform any step by hand; every step is scripted and executed.

  • Resource provisioning (allocating new resources) by script
  • Instance configuration (creating instances on the allocated resources, installing software) by script
  • Workload configuration and deployment (establishing service connections, e.g. web app to database, web app to cache), plus monitoring and management

CloudFormation Continuous Delivery using CodePipeline

An automated release methodology that delivers build packages continuously, for speed and consistency. CodePipeline can run CloudFormation as a deployment action, so the stack is created or updated on every release.

CloudFormation Stacks

  • A collection of resources managed as a single unit within one account and region
  • Creating, updating and deleting resources
  • Stack resources are defined by the template
  • Creation or deletion succeeds only if it succeeds for every resource
  • If a resource cannot be created, the stack is rolled back (by default)
  • If a resource cannot be deleted, for whatever reason, the stack enters DELETE_FAILED and the resources that could not be removed are kept
  • Working with stacks using
    • CloudFormation Console - runs in a web browser (create, monitor, update, delete)
    • CloudFormation API - programmatic access from the AWS SDKs
    • AWS CLI - runs in a terminal, for scripting and automation (create, monitor, update, delete)

CloudFormation StackSets

Extends stacks to manage multiple stacks across accounts and regions from a single CloudFormation template.

CloudFormation Templates

Templates declare the resources to be provisioned. They can be written in JSON or YAML, either in a text editor or in CloudFormation Designer, which lets you drag and drop resources like a diagram and also has a built-in text editor.

  • Template Components
    • Format Version (optional) - the template format version, since the format evolves over time; the only valid value so far is 2010-09-09
    • Description (optional)
    • Metadata (optional) - custom information about the template as key-value pairs; do not put confidential data here, since anyone who can read the template or describe the stack can read it
    • Parameters (optional) - input values supplied at stack creation, e.g. define a template once for dev, test and staging and pass the environment as a parameter
    • Mappings (optional) - lookup tables of key-value pairs, read with the Fn::FindInMap intrinsic function in the Resources and Outputs sections; useful when a value depends on the AWS Region or the environment
    • Conditions (optional) - conditional logic, e.g. create a resource or pick a property value only when a parameter has a given value
    • Transform (optional) - names a macro, such as AWS::Serverless, that CloudFormation applies to the template before processing it
    • Resources (required) - the resources to create, each with a logical ID, a type and its properties
    • Outputs (optional) - values returned after the stack is created, such as a resource ID or URL, which can be exported for use by other stacks
  • A CloudFormation template can also create IAM users and roles; a stack that does so must be created with the CAPABILITY_IAM capability acknowledged (CAPABILITY_NAMED_IAM if the IAM resources have custom names)
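The template sections above in action, as an added example that is not code from this wiki or from AWS: a constructed JSON template with one parameter, one mapping and one condition, plus a small Python evaluator for the Ref, Fn::FindInMap, Fn::Equals and Fn::If intrinsic functions. The names EnvToSizing, IsStaging, WebGroup and the instance types are made up for illustration; the evaluator supports only those four functions, its Ref handles parameters only, and it passes everything else through unchanged. Rendering the same template for dev and for staging shows how one template yields different property values and a different set of resources per environment.

```python
"""Offline evaluation of a CloudFormation template's Parameters, Mappings and Conditions.

Added example, not AWS code: a small evaluator for the intrinsic functions
Ref (parameters only), Fn::FindInMap, Fn::Equals and Fn::If, run over the
constructed template below. Anything else in a template is passed through as-is.
"""
import json

# Constructed template: a web tier sized per environment via a Mapping and a Condition.
TEMPLATE = json.loads(r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {"Environment": {"Type": "String", "Default": "dev",
                                 "AllowedValues": ["dev", "test", "staging"]}},
  "Mappings": {"EnvToSizing": {"dev":     {"InstanceType": "t3.micro",  "MinSize": "1"},
                               "test":    {"InstanceType": "t3.small",  "MinSize": "1"},
                               "staging": {"InstanceType": "t3.medium", "MinSize": "2"}}},
  "Conditions": {"IsStaging": {"Fn::Equals": [{"Ref": "Environment"}, "staging"]}},
  "Resources": {
    "WebGroup": {"Type": "AWS::AutoScaling::AutoScalingGroup", "Properties": {
      "MinSize": {"Fn::FindInMap": ["EnvToSizing", {"Ref": "Environment"}, "MinSize"]},
      "MaxSize": {"Fn::If": ["IsStaging", "4", "2"]}}},
    "StagingAlarm": {"Type": "AWS::CloudWatch::Alarm", "Condition": "IsStaging",
                     "Properties": {"AlarmName": "staging-web-cpu"}}
  },
  "Outputs": {"InstanceType": {"Value": {"Fn::FindInMap": ["EnvToSizing", {"Ref": "Environment"}, "InstanceType"]}}}
}
''')


def bind_parameters(template, overrides):
    """Apply Defaults, then caller overrides, enforcing AllowedValues as the service would."""
    specs = template.get("Parameters", {})
    unknown = set(overrides) - set(specs)
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")
    params = {}
    for name, spec in specs.items():
        value = overrides.get(name, spec.get("Default"))
        if value is None:
            raise ValueError(f"parameter {name} has no Default and was not supplied")
        allowed = spec.get("AllowedValues")
        if allowed and value not in allowed:
            raise ValueError(f"parameter {name}={value!r} is not in AllowedValues {allowed}")
        params[name] = value
    return params


def resolve(node, template, params):
    """Recursively evaluate the supported intrinsic functions inside node."""
    if isinstance(node, list):
        return [resolve(item, template, params) for item in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":                      # only parameter references are supported here
            return params[arg]
        if fn == "Fn::FindInMap":            # [MapName, TopLevelKey, SecondLevelKey]
            map_name, top, second = resolve(arg, template, params)
            return template["Mappings"][map_name][top][second]
        if fn == "Fn::Equals":
            left, right = resolve(arg, template, params)
            return left == right
        if fn == "Fn::If":                   # [ConditionName, ValueIfTrue, ValueIfFalse]
            cond_name, if_true, if_false = arg
            chosen = if_true if evaluate_condition(template, cond_name, params) else if_false
            return resolve(chosen, template, params)
    return {key: resolve(value, template, params) for key, value in node.items()}


def evaluate_condition(template, name, params):
    """Look a condition up in the Conditions section and evaluate it to a bool."""
    return bool(resolve(template["Conditions"][name], template, params))


def render(template, overrides=None):
    """Return the resources that would be created and the stack outputs."""
    params = bind_parameters(template, overrides or {})
    resources = {}
    for logical_id, res in template["Resources"].items():
        cond = res.get("Condition")
        if cond and not evaluate_condition(template, cond, params):
            continue                         # a false Condition means the resource is not created
        resources[logical_id] = resolve(res, template, params)
    outputs = {name: resolve(out["Value"], template, params)
               for name, out in template.get("Outputs", {}).items()}
    return {"Resources": resources, "Outputs": outputs}


if __name__ == "__main__":
    for env in ("dev", "staging"):
        print(env, json.dumps(render(TEMPLATE, {"Environment": env}), indent=2))
```

Passing a value outside AllowedValues, or a parameter name the template does not declare, raises before anything is evaluated, which mirrors the validation CloudFormation performs at create-stack time.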

CloudFormation Security

AWS Data Protection

AWS uses a shared responsibility model: keeping resources safe is partly AWS's responsibility and partly the customer's.

  • AWS is responsible for the physical infrastructure (e.g. the hardware behind an S3 bucket); you are responsible for the content stored on it, including ensuring that it is not accessed by unauthorized users.
  • Areas the customer must secure: account credentials, properly scoped roles in AWS IAM, MFA for user authentication, and SSL/TLS on network connections so that traffic is encrypted.
  • CloudTrail - a record of actions: a centralized repository in which API calls (including every CloudFormation call) are captured as events that can be viewed and audited
  • AWS encryption - protects data from external attackers with the following capabilities
    • Data at rest - data stored in an S3 bucket or volume
    • Data in transit (in-flight data over the public Internet) - data flowing into or out of an S3 bucket or volume
    • Internetwork privacy (in-flight data within the AWS network, i.e. private traffic)
  • Managed security services - for additional protection, such as a web application firewall
  • FIPS endpoints - API endpoints that use FIPS 140 validated cryptographic modules for data in transit
  • Identity and Access Management (IAM)
    • create users and roles to control access
    • IAM can be used with CloudFormation to manage stacks, allowing or denying users specific stack operations
  • CloudFormation service roles - IAM roles that CloudFormation assumes to make the resource calls when creating, updating or deleting stack resources; they let you grant CloudFormation an explicit set of permissions, for example whether a template is allowed to create users
  • Resiliency - users can lose data if a resource is not up and running, so use multiple Availability Zones and automatic failover
  • Compliance - ensures the shared responsibility model (AWS's part and the customer's part) is adhered to; verified by third-party audits
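A pre-deployment check that follows from the Metadata, IAM and service-role points above, as an added example that is neither this wiki's nor AWS's code: it reports which capability a stack needs (the IAM resource types and custom-name properties follow the CloudFormation documentation) and flags three things a reviewer would reject, namely secrets placed in Metadata, sensitive parameters without NoEcho, and policy statements that allow every action on every resource. The template, the SECRET_RE pattern and the names DeployUser, DeployRole and ArtifactBucket are constructed for the example.

```python
"""Pre-deployment checks on a CloudFormation template.

Added example, not AWS code: decides which IAM capability a stack needs and
flags secrets in Metadata, sensitive parameters without NoEcho, and IAM
policy statements that allow every action on every resource.
"""
import json
import re

# Constructed template with one problem of each kind plus a harmless bucket.
TEMPLATE = json.loads(r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Metadata": {"Owner": "platform-team", "DbPassword": "hunter2"},
  "Parameters": {"AdminPassword": {"Type": "String"}},
  "Resources": {
    "DeployUser": {"Type": "AWS::IAM::User",
                   "Properties": {"UserName": "ci-deployer"}},
    "DeployRole": {"Type": "AWS::IAM::Role", "Properties": {
      "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "codebuild.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
      "Policies": [{"PolicyName": "everything", "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "ArtifactBucket": {"Type": "AWS::S3::Bucket"}
  }
}
''')

# Resource types that require CAPABILITY_IAM; giving them a custom name through
# one of these properties raises the requirement to CAPABILITY_NAMED_IAM.
IAM_TYPES = {"AWS::IAM::User", "AWS::IAM::Role", "AWS::IAM::Group", "AWS::IAM::Policy",
             "AWS::IAM::ManagedPolicy", "AWS::IAM::InstanceProfile", "AWS::IAM::AccessKey",
             "AWS::IAM::UserToGroupAddition"}
NAME_PROPS = {"UserName", "RoleName", "GroupName", "ManagedPolicyName", "InstanceProfileName"}
# Assumed pattern for names that usually carry a secret.
SECRET_RE = re.compile(r"passw(or)?d|secret|token|api_?key|private_?key", re.I)


def required_capability(template):
    """Return the capability that create-stack/deploy must acknowledge, or None."""
    needed = None
    for res in template.get("Resources", {}).values():
        if res.get("Type") in IAM_TYPES:
            if NAME_PROPS & set(res.get("Properties", {})):
                return "CAPABILITY_NAMED_IAM"
            needed = "CAPABILITY_IAM"
    return needed


def iter_statements(node):
    """Yield every IAM policy statement found anywhere below node."""
    if isinstance(node, dict):
        stmts = node.get("Statement")
        if stmts is not None:
            yield from (stmts if isinstance(stmts, list) else [stmts])
        for value in node.values():
            yield from iter_statements(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_statements(value)


def as_list(value):
    return value if isinstance(value, list) else [value]


def lint(template):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for key, value in template.get("Metadata", {}).items():
        if SECRET_RE.search(key) and isinstance(value, str):
            findings.append(f"Metadata.{key}: looks like a secret; Metadata is readable by "
                            f"anyone who can read the template or describe the stack")
    for name, spec in template.get("Parameters", {}).items():
        if SECRET_RE.search(name) and not spec.get("NoEcho"):
            findings.append(f"Parameters.{name}: sensitive parameter without NoEcho, so its "
                            f"value is shown in the console and in describe-stacks output")
    for logical_id, res in template.get("Resources", {}).items():
        for stmt in iter_statements(res.get("Properties", {})):
            if (stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get("Action", []))
                    and "*" in as_list(stmt.get("Resource", []))):
                findings.append(f"Resources.{logical_id}: statement allows Action '*' on "
                                f"Resource '*'; scope it to the calls the stack needs")
    return findings


if __name__ == "__main__":
    print("capability:", required_capability(TEMPLATE))
    for finding in lint(TEMPLATE):
        print("-", finding)
```

Run the checks before `aws cloudformation deploy`: the reported capability is the value to pass to `--capabilities`, and a non-empty findings list is a reason to stop the pipeline rather than acknowledge the capability and continue.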

CloudFormation Pipeline

An automated way of creating the stack, removing manual intervention from the creation of the resource stack.

Creating a stack using AWS CloudFormation Designer - using template designer
