Summary and Quiz
Get a refresher of what you’ve learned in the “Management and Governance” section, and take a short quiz to validate your knowledge.
In this lesson, we’ll summarize what we’ve learned in this chapter and test our knowledge of the AWS services we learned with a short quiz.
Summary
Here’s a summary of the most important key takeaways from this chapter:
AWS Control Tower
AWS Control Tower is an AWS tool designed for setting up and governing a multi-account AWS cloud infrastructure, aligning with AWS best practices. It’s particularly useful for large enterprises managing numerous applications and teams on AWS.
Landing Zones: Landing Zones are pre-configured, multi-account AWS environments based on AWS best practices, providing a standardized setup for AWS accounts and resources. They utilize the AWS Organizations service for account structuring, AWS CloudTrail for centralized logging, and AWS Single Sign-On for identity management. A Control Tower Landing Zone includes several organizational units (OUs) such as the Root OU, Security OU, Sandbox OU, and Production OU, each serving specific functions in management and security.
GuardRails/Controls: Control Tower uses GuardRails (also known as Controls) for enforcing governance and compliance policies across AWS environments. There are two types:
Preventive GuardRails: Prevent policy violations using service control policies (SCPs).
Detective GuardRails: Detect and alert on non-compliance or policy deviations.
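As an added illustration (not from the original lesson), here is a preventive guardrail expressed as an SCP, modeled on Control Tower's mandatory control that blocks changes to the CloudTrail trail it manages. The trail name "example-org-trail" and the account-wide resource pattern are placeholders; the exempted AWSControlTowerExecution role is the role Control Tower itself uses when it needs to modify the trail. Because an SCP applies to every principal in the OU it is attached to, not even a member account's root user can stop or delete the trail.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "arn:aws:cloudtrail:*:*:trail/example-org-trail",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
```

Attached to the Security or Production OU, this is exactly the preventive pattern the lesson describes: the violation is refused at API time, rather than merely reported afterwards as a detective guardrail would.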
Account Factory: This feature simplifies the process of creating and managing AWS accounts. It automates account provisioning, ensuring new accounts adhere to the organization’s compliance and security standards from creation.
Control Tower Dashboard: Provides a centralized view of the AWS environment, offering insights into AWS accounts’ operational status and compliance. It displays information about account numbers, GuardRail status, and policy violations, aiding in monitoring and management.
AWS License Manager
AWS License Manager is an automated tool for centrally managing software licenses across AWS and on-premises resources, helping to streamline management and optimize licensing costs.
Key features of AWS License Manager:
License Manager Dashboard: Provides real-time visibility into license usage.
License types: Includes granted licenses (purchased from AWS Marketplace) and self-managed licenses (purchased from third-party vendors).
License Manager rules: Guidelines set within the service to comply with licensing agreements.
Automated discovery rules: Automatically track software usage across resources.
User-based subscriptions: Manage licenses based on the number of users.
Dedicated instances and hosts: For applying existing software licenses with hardware-based requirements.
Integration with Amazon EC2 and IAM: License Manager works mainly with Amazon EC2 for hosting software applications and AWS IAM for permissions and access management.
AWS Systems Manager
AWS Systems Manager is a centralized management and automation solution for AWS resources and on-premises applications, acting as an operations hub for these resources.
Systems Manager services: AWS Systems Manager can be broken down into the following services: SSM OpsCenter, SSM Explorer, SSM Incident Manager, SSM Application Manager, SSM AppConfig, SSM Parameter Store, SSM Automation, SSM Change Manager, SSM Maintenance Windows, SSM Fleet Manager, SSM Session Manager, and SSM Patch Manager.
SSM Parameter Store: A key service within Systems Manager, it manages credentials and configurations as parameters, providing secure, hierarchical storage for these values.
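As an added example (not the lesson's own), an IAM policy that takes advantage of Parameter Store's hierarchical naming to scope an application role to its own subtree: reads are allowed only under /prod/payments/, and decryption of SecureString values is allowed only when requested through SSM using the application's KMS key. The region, the account ID 111122223333 and the key ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyOwnParameterHierarchy",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/prod/payments/*"
    },
    {
      "Sid": "DecryptSecureStringsOnlyViaSsm",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "ssm.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

A role holding this policy cannot list or read parameters under another team's prefix, and cannot call KMS directly with the key outside of SSM, which keeps a leaked role credential from becoming a general-purpose decryption oracle.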
AWS Health Dashboard
AWS Health Dashboard provides crucial insights and real-time information about AWS service availability and performance, aiding users in monitoring and managing cloud infrastructure efficiently.
Views on AWS Health Dashboard: The AWS Health Dashboard supports the following views:
Service Health: Shows the status of AWS services affecting all AWS users, including disruptions and maintenance activities.
Your Account Health: Tailored to individual AWS accounts, providing performance alerts and remediation guidance.
Your Organization Health: Aggregates health events across all AWS accounts in an AWS Organization.
Types of AWS Health Events: AWS Health Events are of the following types:
Account-specific Events: Affect individual accounts or organizations, like compromised AWS access credentials.
Public Events: Affect AWS services on a broader scale, impacting all AWS accounts and organizations, like a service issue in a specific region.
AWS Compute Optimizer
AWS Compute Optimizer is an AWS service that provides machine learning-based recommendations for optimal AWS compute resource configurations to enhance performance and reduce costs.
Supported AWS compute resources: AWS Compute Optimizer generates recommendations for EC2 instances, EC2 Auto Scaling groups, EBS volumes, Lambda functions, and ECS services on AWS Fargate, as well as commercial software licenses.
Amazon Managed services for Grafana and Prometheus
Amazon Managed Grafana (AMG):
Amazon Managed Grafana (AMG) is a fully managed data visualization service.
Allows creation of Grafana dashboards for analyzing operational data from multiple sources including CloudWatch, OpenSearch Service, X-Ray, IoT SiteWise, Timestream, and Managed Service for Prometheus.
Supports up to 5 Grafana workspaces per AWS account.
Features user and user group assignment to workspaces, with default view-only access.
Secures workspace access via SAML or AWS IAM Identity Center.
Network access can be controlled by IP address filtering or VPC endpoints.
Amazon Managed Service for Prometheus (AMP):
Amazon Managed Service for Prometheus (AMP) is a fully managed monitoring service for container environments.
Scales automatically, supporting the Prometheus query language.
Offers multi-AZ deployment for high availability.
Allows multiple Prometheus workspaces per AWS account, each isolating access control for metrics ingestion, storage, and querying.
Stores Prometheus metrics for 150 days.
Ingestion methods include AWS-managed collectors and customer-managed collectors.
Metrics can be queried using Grafana or AMP APIs.
AMP vs. AMG: AMP focuses on metrics collection and monitoring, while AMG provides a broader range of features, including metrics, logs, trace collection, and advanced visualization.
AWS Trusted Advisor
AWS Trusted Advisor is an AWS service that inspects our AWS account against several checks and gives recommendations to improve security, performance, and availability and to reduce cost.
Trusted Advisor evaluation factors: Trusted Advisor validates and suggests changes to our AWS account based on the following factors:
Cost Optimization
Performance
Security
Fault Tolerance
Service Limit
AWS Well-Architected Framework
The AWS Well-Architected Framework is a guide for building an operationally streamlined, sustainable, cost-optimized, high-performing, reliable, and secure application infrastructure based on AWS’s best practices.
AWS Well-Architected Framework pillars: AWS Well-Architected Framework has the following six pillars:
Operational excellence
Security
Reliability
Performance efficiency
Cost optimization
Sustainability
AWS Well-Architected Tool: The AWS Well-Architected Tool is a service offered by AWS that helps review the state of application workloads and compares them against AWS best practices defined by the AWS Well-Architected Framework.
Test your knowledge
Take a short quiz to validate that knowledge and to make sure you’ve not missed out on anything:
What is the primary purpose of the AWS Control Tower?
To provide data storage solutions on AWS.
To set up and govern a multi-account AWS cloud infrastructure.
To monitor and analyze AWS spending and usage.
To enhance the performance of AWS applications.
Congratulations! We’ve successfully reviewed the essential concepts of some of the AWS services for Management and Governance and refreshed our knowledge of them using a short quiz.