"AWS CloudFormation lets you model, provision, and update a collection of AWS resources with JSON templates. You can manage your Infrastructure as Code and deploy stacks from a single Amazon EC2 instance to multi-tier applications. In this session, we will explore CloudFormation best practices in planning and provisioning your AWS infrastructure. We will cover recent product updates that will help users to make the most of this service and demonstrate new features. This session will benefit both new and experienced users of CloudFormation. If you are new to AWS CloudFormation, get up to speed for this session by completing the Working with CloudFormation lab in the self-paced Labs Lounge.  "

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Abhishek Lal, Product Manager
Chris Whitaker, Development Manager
October 2015
DVO304
AWS CloudFormation Best
Practices

2. AWS CloudFormation
Create templates of the infrastructure
CloudFormation provisions AWS resources in order
Version control/replicate/update with infrastructure-as-code
Integrates with development, CI/CD, management tools

3. AWS CloudFormation Designer

4. Introducing AWS CloudFormation Designer
• Visualize template
resources
• Modify template with drag-
and-drop gestures
• Customize sample
templates

5. AWS CloudFormation Designer
demo – Visualize templates

6. AWS CloudFormation Designer
– Make updates

8. AWS CloudFormation Designer
– Authoring

10. CloudFormation Designer toolbar
Toolbar Navigation
Open: Local files/S3/stack
Save: Local files/launch stack
Validation: AWS resource
schema
Refresh: Synchronize JSON
text changes

11. CloudFormation Designer Resources
All supported resources
Organized by service
Drag and drop onto canvas
Color-coded icons

12. CloudFormation Designer canvas
Container Resources
e.g. EC2 VPCs, subnets
Connections between
resources
e.g. Ref, DependsOn, GetAtt
Contextual Resource menu
Code/Clone/Delete/Docs

13. CloudFormation Designer JSON Editor
Ctrl+Space : Within the Properties key of a
resource, lists all the available properties
for the resource
Ctrl+F : Search for a value in the JSON
editor.
Ctrl+ : Formats the text with proper
indentation and new lines
Ctrl+Shift+ : Removes all white space

14. New AWS Services Supported
by AWS CloudFormation

15. Use a wide range of AWS services
 Amazon EC2
 Amazon EC2 Container Service
 AWS Lambda (including event sources – New)
 Auto Scaling (including Spot Fleet - New)
 Amazon VPC
 Elastic Load Balancing
 Amazon Route 53
 Amazon CloudFront
 Amazon SimpleDB
 Amazon RDS
 Amazon Redshift
 Amazon DynamoDB
 Amazon ElastiCache
 Amazon RDS for Aurora (New)
 Amazon S3
 AWS IAM (including managed policies)
 Simple AD (New)
 Amazon Kinesis
 Amazon SNS
 Amazon SQS
 AWS CloudTrail
 Amazon CloudWatch
 AWS Data Pipeline
 AWS Elastic Beanstalk
 AWS OpsWorks
 AWS CodeDeploy (New)
 Amazon WorkSpaces (New)

16. AWS CloudFormation in Your
Organization

17. Managing your costs with budgets
https://console.aws.amazon.com/billing/home?region=us-east-1/budgets#/
ow.ly/T84qv

18. Audit logs for all operations
Store/
Archive
Troubleshoot
Monitor and Alarm
You are
making API
calls...
On a growing
set of AWS
services around
the world...
CloudTrail is
continuously
recording
API calls

19. AWS CloudFormation Advanced
Concepts

20. AWS CloudFormation language features

21. Extending AWS CloudFormation

22. Security group
Auto Scaling group
EC2
instance
Elastic Load
Balancing
ElastiCache
Memcached cluster
Software pkgs,
config, & dataCloudWatch
alarms
Web Analytics
Service
AWS
CloudFormation
Provision
AWS resources
“Create, Update,
Rollback, or Delete”
Extend with stack events
Worker
Amazon
SNS Topic
Stack Events

23. Security group
Auto Scaling group
EC2
instance
Elastic Load
Balancing
ElastiCache
Memcached cluster
Software pkgs,
config, & dataCloudWatch
alarms
Web Analytics
Service
AWS
CloudFormation
Provision
AWS Resources
"Resources" : {
"WebAnalyticsTrackingID" : {
"Type" : "Custom::WebAnalyticsService::TrackingID",
"Properties" : {
"ServiceToken" : "arn:aws:sns:...",
"Target" : {"Fn::GetAtt" : ["LoadBalancer",
"DNSName"]},
"Plan" : "Gold"
}
},
...
“Success” + Metadata
“Create, Update, Rollback, or Delete”
+ Metadata
Extend with custom resources
ow.ly/DiSXp

24. AWS Lambda-backed custom resources
Security group
Auto Scaling group
EC2
instance
Elastic Load
Balancing
ElastiCache
memcached cluster
Software pkgs,
config, & dataCloudWatch
alarms
Your AWS CloudFormation stack
// Implement custom logic here
Look up an AMI ID
Your AWS Lambda functions
Look up an VPC ID and Subnet ID
Reverse an IP address
Lambda-powered
custom resources

25. Security Best Practices

26. Security – Restricting user access
• Only allow specific templates and stack policies
{
"Effect":"Allow”,
"Action":[
"cloudformation:CreateStack",
"cloudformation:UpdateStack”
],
"Condition":{
"ForAllValues:StringLike":{
"cloudformation:TemplateUrl":
["https://.amazonaws.com/TestBucket/*"]
}
}
}
{
"Effect":"Allow”,
"Action":[
"cloudformation:UpdateStack”
],
"Condition":{
"ForAllValues:StringEquals":{
"cloudformation:StackPolicyUrl":
["https://.amazonaws.com/TestBucket/Foo.json
"]
}
}
}

27. Security – Restricting user access
• Only allow specific resource types
{
"Effect":"Allow”,
"Action":[
"cloudformation:CreateStack”
],
"Condition":{
"ForAllValues:StringEquals":{
"cloudformation:ResourceType":
[”AWS::EC2::Instance”…]
}
}
}
{
"Effect":"Allow”,
"Action":[
"cloudformation:CreateStack”
]
},
{
"Effect":”Deny”,
"Action":[
"cloudformation:CreateStack”
]
"Condition":{
"ForAnyValue:StringLike":{
"cloudformation:ResourceType":
[”AWS::IAM::*"]
}
}

28. Security – Controlling resource types
• Programmatically restrict access to resource types
• CreateStack and UpdateStack take a new parameter
• Restrict the set of resources that can be created
• Independent of any user policies
$ aws cloudformation create-stack … --resource-types=“[AWS::EC2::*, AWS::RDS::DBInstance, Custom::MyCustomResource]”

29. Best Practices for Templates

30. Reusing templates across AWS regions
• Consider environmental or regional differences
• Amazon EC2 image IDs
• VPC environment or “classic” environment
• Available instance types
• IAM policy principals
• Endpoint names
• Amazon Resource Names (ARNs)

31. Reusable templates – “Pseudo-parameters”
Use “pseudo-parameters” to retrieve
environmental data
• Account ID
• Region
• Stack Name and ID
"LogsBucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {"Ref": "LogsBucket”},
"PolicyDocument": {
"Version": "2008-10-17",
"Statement": [{
"Sid": "ELBAccessLogs",
"Effect": "Allow",
"Resource": {
"Fn::Join": [ "", [ “arn:aws:s3:::",
{ "Ref": "LogsBucket" }, "/", "Logs",
"/AWSLogs/",
{ "Ref": "AWS::AccountId" },
"/*”
] ]
},
"Principal": …,
"Action": [ "s3:PutObject" ]

32. Reusable templates – Using mappings
Use mappings to define variables
• Single place for configuration
• Reusable within the template
"LogsBucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {"Ref": "LogsBucket”},
"PolicyDocument": {
"Version": "2008-10-17",
"Statement": [{
"Sid": "ELBAccessLogs",
"Effect": "Allow",
"Resource": {
"Fn::Join": [ "", [
{ "Fn::FindInMap" : ["RegionalConfig",
{"Ref" : "AWS::Region"},
"ArnPrefix”]},
"s3:::”, { "Ref": "LogsBucket" }, "/", "Logs",
"/AWSLogs/”,
{ "Ref": "AWS::AccountId" }, "/*" ] ]
},
"Principal": {"AWS": { "Fn::FindInMap": [ "RegionalConfig",
{ "Ref": "AWS::Region"
”ELBAccountId" ] } },
"Action": [ "s3:PutObject" ]
}
“Mappings” : {
“RegionalConfig” : {
“us-east-1” : {
“AMI” : “ami-
12345678”,
”ELBAccountId":
"127311923021”,
“ArnPrefix” :
“arn:aws:”
},
“us-west-1” : {
“AMI” : “ami-98765432”
”ELBAccountId":
“027434742980"
“ArnPrefix” :
“arn:aws:”
},
:
}
}

33. Re-usable Templates – Using conditionals
Use conditionals to customize
resources and parameters
"DBEC2SG": {
"Type": "AWS::EC2::SecurityGroup",
"Condition" : "Is-EC2-VPC",
"Properties" : {
:
}
},
"DBSG": {
"Type": "AWS::RDS::DBSecurityGroup",
"Condition" : "Is-EC2-Classic",
"Properties": {
:
}
},
"MySQLDatabase": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
:
"VPCSecurityGroups": { "Fn::If" : [ "Is-EC2-VPC",
[ { "Fn::GetAtt":
"DBEC2SG", "GroupId" ] } ],
{ "Ref" :
"AWS::NoValue"}]},
"DBSecurityGroups": { "Fn::If" : [ "Is-EC2-Classic",
[ { "Ref": "DBSG"
{ "Ref" :
"Conditions" : {
"Is-EC2-VPC” : { "Fn::Or" : [
{"Fn::Equals" : [{"Ref" :
"AWS::Region"}, "eu-central-1" ]},
{"Fn::Equals" : [{"Ref" :
"AWS::Region"}, "cn-north-1" ]}]},
"Is-EC2-Classic" : { "Fn::Not" : [{
"Condition" : "Is-EC2-VPC"}]}
},

34. Thank you!
Abhishek Lal, Product Manager
Chris Whitaker, Development Manager

35. Remember to complete
your evaluations!

36. Related Sessions