The Complete Course from ExamCollection industry leading experts to help you prepare and provides the full 360 solution for self prep including AWS-SysOps: AWS Certified SysOps Administrator (SOA-C01) Certification Video Training Course, Practice Test Questions and Answers, Study Guide & Exam Dumps.

Managing EC2 at Scale - Systems Manager (SSM) & Opswork

9. SSM Parameter Store Overview

So let's talk about the AWS Parameter Store. And so to me, this is one of the most revolutionary services. It's underutilised by people, and you should know about it because the exam starts asking questions. So it's a way to securely store your configuration and your secrets. Think of it as what the name indicates: a parameter store. You have the option to use something called seamless encryption. And so you can use KMS to basically encrypt any configuration you put in the Parameter Store. As such, Parameter Store is a really good way to put database passwords somewhere. It's serverless, so you don't have to manage any servers. It's scalable. You can have tens of thousands of parameters. It's durable; you don't need to worry about the parameters going away. It's free, and there's a really easy SDK to use it, as we'll see in the hands-on lecture. On top of things, you're able to do version tracking of configurations and secrets. So if you erase a secret that has a password from a new one to an old one, you're still able to access, for example, the old database secret, which is really good. You can get all the configuration through IAM, and all the secrets are under Path. I'll show you what that means in the next slide. But that means that using IAM, you can restrict who can view which database passwords. And on top of it, because there is KMS integration, you also need to define KMS policies to allow someone to decrypt a secret. You can get notified of anything happening—for example, secrets changing or parameters changing—using the Cloud Watch events. And finally, there is an integration with cloud formation. If necessary, you could have Parameter Store feed into a cloud formation template. So here's what it looks like visually. Here's your application, and it could be whatever you want. It could be easy for you; it could be lambda; it could be your computer; it could be the CLI. And so it wants to interact with the Parameters Store. So it wants to retrieve parameters. So what we can do is just use the SDK and say, "Hey, Parameter Store," like you would get a plaintext configuration. Now, what happens is that the parameter store will go and check with IAM that I have the right to access that parameter in the configuration. And so if it's plain text, fine, it will just send it back. But the second use case is to use an encrypted configuration. So likewise, we'll say to Parameter Store, "Hey, we want this encrypted configuration." It will check the Im permissions that we have, and then if they're okay, it will also call the decryption service on the KMS side. So KMS will be used to decrypt it, and Parameter Store, if everything is fine, will send us back the configuration. And so that's pretty good because we don't need to directly interact with KMS to retrieve some encrypted data. We just interact with SSM, and the decryption happens seamlessly for us. In terms of hierarchy, the workflow versus KMS simplifies a little. Here's what the parameters look like. So for example, and you're afraidto name it however you want. For example, you have my department, and in my department, you have my app, you have the dev environment, and under there, you have the database URL and the database password. We may have a production environment in which you have a database URL and database password. So the same hierarchy But we can have other apps under my department, and we can have other departments. So think of it like a giant tree, and you can organise that tree however you want. Some people have a departmentcentric, somepeople have an app centric, somepeople have an environment centric. All that matters is that you define some kind of hierarchy and convention in how you define your parameters. So why do we do this? Assume we have a dev London function and want to obtain dev parameters. Then we would just use the "getparameters" or "Get parameters by path" API. So just remember these two APIs, and we will ask directly for the deaf parameters. But if we had a PROD London function, it would automatically ask for the PROD parameters. And so here we can see that we can differentiate different parameters for different environments, which is good because we have clear separation of duties and roles and etc., etc. So this is how easy that is, to be honest. You just need to remember that the stores are hierarchical, that you get encrypted and plaintext parameters, and that you can get, bypass, or get parameters. That's it. We're just going to practise this in the next lecture, just so you get a much better idea of how it works. Because this is one of these services, you need to see how it works to get a better idea of how things go. But you'll see, it's very easy, and I found it incredibly useful. So, until the next lecture.

10. SSM Parameter Store Hands On (CLI)

So let's use the Systems Manager Parameter Store. Store. And for this, I'm just going to typeparameter, and parameter, and it takes me directly to Systems Manager. Manager. You could also type "type "Systems Manager"Manager" to find the UI. UI. So,So, within Systems Manager, to find the parameterparameterstore on store on the left hand side, you have to scrollall the all the way down, and you'll find it right here. here. secondsecond to last. last. Parameter store. store. TheTheparameter store parameter store is forsecrets and secrets and configuration data management. management. And this is a way to centralisecentralise allthese parameters these parameters within your AWS account, which is great. great. So here,here, you can see how it works. works. You create a new parameter, then you specifythe parameter the parameter type in value, and you reference theparameter from parameter from within your command inin your code, whichis exactly is exactly what we're going to do. do. So for this to get started, click on "on "Create Parameter." Parameter." So here I'll create a parameter called MyAppcalled MyApp, and it's in the Dev environment. environment. andand the first one is a database URL. URL. And so I'll say "database"database URL"URL" for my app in development. development. Okay, now we can have three different types of types. Okay, now we can have three different types of types. We can have a string, andwe can we can put whatever characters we want. String list. list. You have a list ofstrings using strings using commasor a or a secure string. string. When it's encrypted, let's go with string first. first. And so for example, here is a database URL. URL. So you can put whatever you want, want, but it has to be 4096 characters. characters. So let's say Devdatabaser.com, which is just something they chose at random. So let's say Devdatabaser.com, which is just something they chose at random. And maybe I'll add PortPort 3306. 3306. So it's just whatever you want it to be. be. Okay, so here's just a random URL for me. me. Dev database stiffeneteshare.com 3306. 3306. I'll go ahead and create that parameter. parameter. And so here the Create Parameter request succeededrequest succeeded, and we have our first parameter. parameter. It turnsIt turns out that we can see the descriptionthe description, the type, and also the version. version. So, if we ever change this parameter, we'll get a new last modified date, as well as the last modified user, so we can see who changed it. So, if we ever change this parameter, we'll get a new last modified date, as well as the last modified user, so we can see who changed it. What if I click on this again?? YouYouget a get a summary, you can see the history ofthe values, the values, and you can see the tags. tags. And we have our DB URL. URL. So what I want to do is maybe create another parameter. parameter. So I'll create a parameter, and this time Itime I'll callit a it a DB password for our database. database. So I'll just say database-password from a developing app. So I'll just say database-password from a developing app. andand here I have a secure string. string. So this time we're going to encrypt our secret. secret. And so we'll use KMSKMS to encrypt. encrypt. We can use our current accountor another or another account for the KMSKMS key source. source. We'll use our current account and the AWS-providedAWS-provided key. key. Okay, butwe can we can also useuse thethe key we've created before. before. So I've created a tutorial KMSKMS key from before, andand we can just use that one as well. well. It's whatever you prefer based onhow you how you want to manage your security. security. So I'll use my tutorial,tutorial, and here's the value,value, andI'll say I'll say this is the developerdeveloper password,password, and we don't seeit because it because it's a secret value and this will be encrypted. encrypted. So I'll create the parameter,parameter, and now we seethat we that we have a new parameter right here called devdb password. password. It's a secure string now, so that means encrypted,encrypted, andthe key the key idea is alias tutorial,tutorial, and the version is one. one. If I click on it, we can see that the value is hidden, hidden, but I can clickon "show," on "show," and this will decrypt the value on the fly and say this is the developerdeveloper password. password. So this is pretty cool now,now, becausewhat we what we can do is definitely copy them. them. And so we're going to do it againit again, but this time in production. production. So let's go ahead and create parameters. parameters. I'll create this in prod. prod. So I'll just change the path and saysay "database"databaseURL," or the URL," or the URL for my app in production. production. andand I'll just be quick, prod database:database: defendereacher.comport 3306 I'll create it,it, and I'lljust create just create one last parameter,parameter, and we're goingto create to create the DBS for it in production. production. And the description is goingto be to be in production withwith secure strings. strings. I'll use my same tutorialvalue, and value, and here I sayPROD as the PROD as the password. password. Okay, I'll create the parameter. parameter. So now we have four parameters,parameters, andwe want we want to be able to access them. them. So what we can do is access themaccess them, for example, using the CLI first. first. So we are going to use the CLI to get the parameters. parameters. So it's called get parameters,parameters,and you and you have to provide names. names. And for this,this, we have toprovide the provide the names of the parameters we want. want. So from me,me, I'll just say I want my DBURL and my D password and press Enter. Enter. And now weget two results get two results back from the API two results.We get the DB password back and the DB URL. URL. So, let's take a look at the output, shall we? The first thing to notice is that it's a string for the DB URL. So, let's take a look at the output, shall we? The first thing to notice is that it's a string for the DB URL. And here's the value of the string. string. And as you can see, because it was not encrypted, encrypted, the value comes back decrypted and the version is one. one. So that's perfect. perfect. We can see our database'sdatabase's URL and use this. this. But for the password,password, it's a secure string. string. And here is the value of itof it, which is an encrypted value. value. So for this,this, you basically need to decrypt it. it. And for this,this, you have a specialspecial parameterparameter thatthat's called "decryption." "decryption." So I'll dealdeal with decryption. decryption. And so this will check whether or notI have I have the KMSKMS permission to decrypt this secretthat was that was encrypted with the KMSKMS tutorial key. key. So I'll press Enter,Enter, and now thistime for time for my secure string, the value hasbeen decrypted been decrypted because I specifiedspecified the weave decryption parameter. parameter. And so this is pretty cool because very, very quickly, wequickly, we're able to have encrypted values thatthat people can'tcan't accessaccess because they don't have access to KMS. KMS. That protects my password. password. But if I have access to KMSKMS, I'll justprovide one provide one extra flag with decryption,decryption, and here we go. go. I get the value of my developerdeveloper password. password. So it's really, really neat. neat. The other thing we can do is do a SSMget parameterparameter bypass,bypass, and let's go to the help. help. So the get parameters bypass allows us to gothrough a through a path,path, and we have to provide the pathname, and name, and it has to start with a forward slash. slash. So, if we do get parameters by path and I delete this, I'll just keep my app dev and say, "Get parameters by path," and the path is this, then this will query for all the parameters under this path. So, if we do get parameters by path and I delete this, I'll just keep my app dev and say, "Get parameters by path," and the path is this, then this will query for all the parameters under this path. And this is why we have a tree structure. structure. And what we get out of it, obviously, are are the parameters we had before. before. So we could go one level up to just my app and do recursive now. So we could go one level up to just my app and do recursive now. To get all the parametersrecursively under recursively under my app, press Enter. Enter. And now we get our four parameters back. back. DB password, DB URL, DB passwordfor production, for production, and DB URL for production production So using this tree structure, we're basicallyable to able to organiseorganise our secrets and get themall at all at once, which is really neat. neat. So that's it. it. You can also,also, obviously,obviously, provide the with-decryptionwith-decryption flag and get the decryption. decryption. So that's just for the CLI. CLI. But in the next lecture, I just wantto show to show you how it works with a base lambdalambdabecause that because that is very simple as well. well. So see you in the next le. Bye.

11. AWS Opsworks Overview

So a very quick lecture about OpsWorks Chef and Puppets are both open-source software, and they allow you to perform server configuration automatically or manually, including repetitive actions. And so they work amazing with EC Two and on premise VM. And in the AWS world, OpsWorks managed chefs and puppets. So apps are just another name for chefs and puppets. And overall, if you want to know exactly what it does, it's kind of an alternative to AWS SSM. It allows you to do a lot of similar things. Now, in this section of the course, there is no hands-on work because knowledge of a chef or puppets is not required for passing the exam. Basically, throughout the exam, you will notice that we must use Chef and Puppets at some point. This is you thinking, Hey, I need to use AWS OpsWorks, and that's about it. Otherwise, it would be way too complicated and unneeded for this course. Now, I still want to give you an update on what Chef and Puppet are. They basically help manage configurations of code. If you've heard of it. This is where you code everything that runs on your VMs on your machines. And that helps with having consistent deployments because the same code can be applied on many different machines. That works with Linux and Windows. And you can automate a lot of things such as user accounts, cron jobs, NTP packages, services, etc. for some wording a bit.In chefs, it's called recipes. And in PAD, it's called a manifest. So they leverage "recipes" or "manifest," which is basically code to apply. They are strikingly similar to some of its products, such as SSM Beatstal Cloud Formation. However, you would use Chef and Puppet in AWS because they are open source products that work across multiple clouds. So if you have Amazon Cloud, if you have Microsoft Azure, and maybe Google Cloud, you want to have one way of managing all your instances. And maybe that way is through chefs and puppets. And this is why it's offered on AWS as OpsWorks. But that's it. That's all you need to know about it. Just remember, for the exam, anytime you see Chef and Puppet, think OpsWorks. That's it. I will see you at the next lecture.

12. SSM Cleanup

Okay, so just a quick lecture around cleaning up what we've just done. So Systems Manager is free, so anything we've created in Systems Manager will not be billed. So the document that we have created is fine; you can just leave it, and we'll be using it in a future lecture, so please keep it. And so if you look at Systems Manager, overall we've had a good look at everything. We've looked at resource groups, inventory, compliance, run command, session manager, patch manager, and then managed instances, documents, and parameter store. So overall, we didn't cover everything. But as I told you in the exam, System Manager is very light. It's just how do we patch instances, and how do we run commands? Just that. But I wanted to give you a little sneak peek into some of the cool features that SSM has that you can use in your daily life when you become a system administrator. So a little bit of real-world example is there. Now for EC 2, we have three instances that we've created. We don't need them anymore. So what we can do is just terminate them. This way we don't pay for them, and this way you keep your costs under control. And that should be it for cleaning up this entire thing. We could also delete the Cloud Watch, but I'll just keep it for now. This is just fine. And all we have to do is have this SSM secureshelves and customers will come in love groups. No problems with that.So that's it for this section on SSM and UPS work. And we've cleaned up everything. I hope you enjoyed it, I hope you learned a lot, and I hope you will be using this in your daily job, such as as a shell session or session manager, for sure. And I will see you at the next lecture.