Traditionally, organizations prioritized controlling costs, managing compliance and strengthening security in the cloud. Accelerating cloud-driven innovation and growth, though essential, remained largely untapped, which restricted continuous modernization, especially in hybrid cloud environments. With AWS Cloud Management and Governance Services, organizations no longer have to choose between innovation and control; they can have both. AWS enables organizations to validate, deploy and operate in the cloud for greater business efficiency, agility and cost-effectiveness, together with better governance control.
AWS constantly adds new features and services in line with evolving business needs, so that its customers can experiment and innovate faster on a continuous basis. In this blog, we provide a quick overview of the latest services introduced in the area of AWS management and governance.
AWS Auto Scaling
Amazon EC2 now lets you specify a list of allowed instance types when using attribute-based instance type selection for Auto Scaling groups, EC2 Fleet, and Spot Fleet.
Attribute-based instance type selection is a feature of Amazon EC2 Auto Scaling, EC2 Fleet, and Spot Fleet that makes it easy to create and manage flexible capacity requests: you define your instance requirements, such as the number of vCPUs and the amount of memory, and EC2 Auto Scaling or your fleet picks instance types that meet them. Previously, attribute-based instance type selection let you exclude specific instance types through the excluded instance types list, but not the other way around. Now, specific instance types can also be included. This is helpful for workloads with only marginal instance type flexibility that must stay on specific instance types, where you want more control over which EC2 instance types the workload runs on. This feature is now available in all public AWS Regions and AWS GovCloud (US).
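As an added example (not AWS's code), the following Python builds the InstanceRequirements block that goes inside the MixedInstancesPolicy of an AWS::AutoScaling::AutoScalingGroup, enforces the constraints the EC2 API applies (AllowedInstanceTypes and ExcludedInstanceTypes are mutually exclusive, and the lists are capped at 400 entries), and previews which types from a local catalog would qualify before the change is rolled out. The field names follow the public InstanceRequirements schema; the catalog values and the launch template ID are constructed placeholders.

```python
"""Attribute-based instance type selection with an explicit allow-list
(added example; field names follow the public InstanceRequirements schema)."""
import fnmatch

# Documented ceiling for entries in AllowedInstanceTypes / ExcludedInstanceTypes.
MAX_TYPE_LIST_ENTRIES = 400


def build_instance_requirements(vcpu_min, vcpu_max, mem_min_mib, mem_max_mib,
                                allowed=None, excluded=None):
    """Return an InstanceRequirements dict, or raise on an invalid combination.

    The API treats AllowedInstanceTypes and ExcludedInstanceTypes as mutually
    exclusive: with an allow-list the fleet already runs only on those types,
    so an exclude-list is meaningless. Fail here instead of at deploy time.
    """
    if allowed and excluded:
        raise ValueError("AllowedInstanceTypes and ExcludedInstanceTypes cannot both be set")
    if vcpu_min > vcpu_max or mem_min_mib > mem_max_mib:
        raise ValueError("Min must not exceed Max")
    if len(allowed or excluded or []) > MAX_TYPE_LIST_ENTRIES:
        raise ValueError(f"instance type list exceeds {MAX_TYPE_LIST_ENTRIES} entries")
    reqs = {
        "VCpuCount": {"Min": vcpu_min, "Max": vcpu_max},
        "MemoryMiB": {"Min": mem_min_mib, "Max": mem_max_mib},
    }
    if allowed:
        reqs["AllowedInstanceTypes"] = list(allowed)
    if excluded:
        reqs["ExcludedInstanceTypes"] = list(excluded)
    return reqs


def type_matches(instance_type, patterns):
    """Wildcard matching in the style the API documents ('m5.*', 'c5*.*', 'r*')."""
    return any(fnmatch.fnmatchcase(instance_type, p) for p in patterns)


def candidate_types(reqs, catalog):
    """Preview which catalog entries {type: (vcpus, memory_mib)} satisfy reqs.

    EC2 performs this filtering server-side against its full catalog; doing it
    locally lets you review the effective type set before changing the group.
    """
    out = []
    for name, (vcpus, mem) in sorted(catalog.items()):
        if not reqs["VCpuCount"]["Min"] <= vcpus <= reqs["VCpuCount"]["Max"]:
            continue
        if not reqs["MemoryMiB"]["Min"] <= mem <= reqs["MemoryMiB"]["Max"]:
            continue
        if "AllowedInstanceTypes" in reqs and not type_matches(name, reqs["AllowedInstanceTypes"]):
            continue
        if "ExcludedInstanceTypes" in reqs and type_matches(name, reqs["ExcludedInstanceTypes"]):
            continue
        out.append(name)
    return out


def mixed_instances_policy(launch_template_id, reqs):
    """Wrap reqs in the CloudFormation MixedInstancesPolicy shape for an ASG."""
    return {
        "LaunchTemplate": {
            "LaunchTemplateSpecification": {
                "LaunchTemplateId": launch_template_id,
                "Version": "$Latest",
            },
            "Overrides": [{"InstanceRequirements": reqs}],
        }
    }


# Constructed catalog: (vCPUs, memory in MiB). Real values come from
# DescribeInstanceTypes; these are illustrative only.
SAMPLE_CATALOG = {
    "m5.large": (2, 8192),
    "m5.xlarge": (4, 16384),
    "m6i.xlarge": (4, 16384),
    "c5.xlarge": (4, 8192),
    "r5.xlarge": (4, 32768),
    "t3.xlarge": (4, 16384),
}

if __name__ == "__main__":
    reqs = build_instance_requirements(4, 4, 16384, 16384, allowed=["m5.*", "m6i.*"])
    print(candidate_types(reqs, SAMPLE_CATALOG))
    print(mixed_instances_policy("lt-EXAMPLE", reqs))  # placeholder launch template ID
```

The preview step is the governance value here: pinning an allow-list of families narrows the blast radius of a bad generation or pricing surprise, and checking the effective set locally catches an empty or over-broad pattern before the group scales on it.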
AWS CloudFormation
1. Manage AWS Organizations Resources with AWS CloudFormation
AWS Organizations now supports AWS CloudFormation, allowing customers to manage accounts, organizational units (OUs), and policies within their organization using CloudFormation templates.
This integration lets customers deploy multiple organizational elements in a single stack, which makes it easier to scale across accounts once company policies are defined. Cloud architects and admins using Infrastructure as Code (IaC) now have additional CloudFormation capabilities to help manage their organization. Stacks let users simplify infrastructure management, quickly clone or add multiple organizational resources at once, and easily control and track changes to accounts, organizational units, and policies.
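As an added example (not AWS's code), the following Python builds a CloudFormation template in its JSON form that creates an OU under the organization root and attaches a service control policy to it, then runs a few pre-deployment checks. The resource types and properties follow the public CloudFormation reference for AWS::Organizations::OrganizationalUnit (Name, ParentId) and AWS::Organizations::Policy (Name, Type, Content, TargetIds); the root ID is a parameter placeholder, the SCP content is a constructed guardrail, and the 5,120-character SCP size limit is taken from the Organizations quotas.

```python
"""OU plus SCP managed through AWS::Organizations::* resources (added example)."""
import json

# Size limit for an SCP document, from the Organizations quotas.
SCP_MAX_CHARS = 5120

# Constructed guardrail: member accounts must not disable or delete trails.
PROTECT_CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailTampering",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
        "Resource": "*",
    }],
}


def build_org_template(ou_name="Workloads", scp=PROTECT_CLOUDTRAIL_SCP):
    """Return a template that creates an OU under the root and attaches an SCP to it."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "OU plus SCP managed as code (added example)",
        "Parameters": {
            "RootId": {"Type": "String", "Description": "Organization root ID (placeholder)"},
        },
        "Resources": {
            "WorkloadsOU": {
                "Type": "AWS::Organizations::OrganizationalUnit",
                "Properties": {"Name": ou_name, "ParentId": {"Ref": "RootId"}},
            },
            "ProtectCloudTrailPolicy": {
                "Type": "AWS::Organizations::Policy",
                "Properties": {
                    "Name": "ProtectCloudTrail",
                    "Type": "SERVICE_CONTROL_POLICY",
                    # Content is a JSON *string* in the resource schema.
                    "Content": json.dumps(scp),
                    # Ref on the OU resource resolves to its OU ID.
                    "TargetIds": [{"Ref": "WorkloadsOU"}],
                },
            },
        },
    }


def _ref_target(value):
    return value.get("Ref") if isinstance(value, dict) else None


def lint_org_template(template):
    """Return a list of findings; an empty list means the template passed."""
    findings = []
    resources = template.get("Resources", {})
    known = set(resources) | set(template.get("Parameters", {}))
    for name, res in resources.items():
        props = res.get("Properties", {})
        rtype = res.get("Type", "")
        if rtype == "AWS::Organizations::OrganizationalUnit":
            parent = _ref_target(props.get("ParentId"))
            if parent and parent not in known:
                findings.append(f"{name}: ParentId references unknown logical ID {parent}")
        elif rtype == "AWS::Organizations::Policy":
            content = props.get("Content")
            if not isinstance(content, str):
                findings.append(f"{name}: Content must be a JSON string")
            else:
                if len(content) > SCP_MAX_CHARS:
                    findings.append(f"{name}: Content exceeds {SCP_MAX_CHARS} characters")
                try:
                    doc = json.loads(content)
                    stmts = doc.get("Statement", [])
                    stmts = stmts if isinstance(stmts, list) else [stmts]
                    if not stmts:
                        findings.append(f"{name}: policy has no statements")
                    for s in stmts:
                        # A Deny on every action locks the whole OU, break-glass included.
                        if s.get("Effect") == "Deny" and s.get("Action") == "*" and s.get("Resource") == "*":
                            findings.append(f"{name}: Deny */* would block all access in the target")
                except ValueError:
                    findings.append(f"{name}: Content is not valid JSON")
            if not props.get("TargetIds"):
                findings.append(f"{name}: policy is not attached to any target")
            for t in props.get("TargetIds", []):
                ref = _ref_target(t)
                if ref and ref not in known:
                    findings.append(f"{name}: TargetIds references unknown logical ID {ref}")
    return findings


if __name__ == "__main__":
    tpl = build_org_template()
    print(json.dumps(tpl, indent=2))
    print("findings:", lint_org_template(tpl))
```

Because an SCP change applied through a stack update takes effect across every account under the target at once, running checks like these in the pipeline (and reviewing the change set) is the practical control that IaC adds over clicking through the Organizations console.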
2. Amazon RDS Multi-AZ Deployments with two readable standbys are now supported by AWS CloudFormation
AWS CloudFormation uses infrastructure as code to speed up cloud deployments. You can now provision and modify Amazon RDS Multi-AZ deployments with two readable standbys, alongside the rest of your AWS infrastructure, using AWS CloudFormation templates, securely and at speed.
Amazon RDS Multi-AZ deployments are ideal for production database workloads because of their increased availability and durability. Deploying Amazon RDS Multi-AZ with two readable standbys supports transaction commits that are 2x faster than Multi-AZ deployments with one standby. With this configuration, automatic failover typically takes less than 35 seconds.
3. AWS CloudFormation StackSets improves the visibility of stack instances for stack set operations
AWS CloudFormation StackSets now provides better access to detailed information about stack instances for stack set operations. You can get the number of failed stack instances for a stack set operation with DescribeStackSetOperation, and you can list and filter stack instances with ListStackInstances.
Customers use CloudFormation StackSets to deploy and manage stacks across multiple AWS accounts and Regions in a single operation. However, if an account already has resources with the same names, is missing the IAM role dependencies, and so on, the stack set will not create or update the stack instance in that AWS account. Customers who want to know in which AWS accounts stack instances were not provisioned, or were not updated, can then redeploy stack instances to those accounts. With this development, customers can call DescribeStackSetOperation during a stack set deployment to get the number of failed stack instances.
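As an added example (not AWS's code), the following Python combines the two calls named above into a redeploy list: DescribeStackSetOperation, which now reports the failed count in StatusDetails.FailedStackInstancesCount, and ListStackInstances filtered to the same operation. The two responses embedded here are constructed samples shaped like the API output (placeholder operation ID and account IDs); the function works unchanged on live responses from boto3, as the usage note describes.

```python
"""Locate the stack instances a StackSets operation failed to provision (added example)."""
from collections import defaultdict

# Constructed sample of DescribeStackSetOperation for a finished update.
SAMPLE_DESCRIBE = {
    "StackSetOperation": {
        "OperationId": "00000000-0000-0000-0000-000000000000",  # placeholder
        "Action": "UPDATE",
        "Status": "FAILED",
        "StatusDetails": {"FailedStackInstancesCount": 2},
    }
}

# Constructed sample of ListStackInstances filtered by LAST_OPERATION_ID.
SAMPLE_LIST = {
    "Summaries": [
        {"Account": "111111111111", "Region": "us-east-1", "Status": "CURRENT",
         "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
        {"Account": "222222222222", "Region": "us-east-1", "Status": "OUTDATED",
         "StackInstanceStatus": {"DetailedStatus": "FAILED"},
         "StatusReason": "constructed: execution role missing in target account"},
        {"Account": "222222222222", "Region": "eu-west-1", "Status": "OUTDATED",
         "StackInstanceStatus": {"DetailedStatus": "FAILED"},
         "StatusReason": "constructed: resource with the same name already exists"},
        {"Account": "333333333333", "Region": "us-east-1", "Status": "CURRENT",
         "StackInstanceStatus": {"DetailedStatus": "SKIPPED_SUSPENDED_ACCOUNT"}},
    ]
}


def summarize_operation(describe_resp, list_resp):
    """Return counts, the failed (account, region) pairs and a redeploy list.

    count_matches cross-checks the count reported by DescribeStackSetOperation
    against the instances actually listed; a mismatch usually means the listing
    was not filtered to this operation or was truncated (missing pagination).
    """
    op = describe_resp["StackSetOperation"]
    reported = op.get("StatusDetails", {}).get("FailedStackInstancesCount", 0)
    by_status = defaultdict(list)
    failed = []
    for s in list_resp.get("Summaries", []):
        detailed = s.get("StackInstanceStatus", {}).get("DetailedStatus", "UNKNOWN")
        by_status[detailed].append((s["Account"], s["Region"]))
        if detailed == "FAILED":
            failed.append({"account": s["Account"], "region": s["Region"],
                           "reason": s.get("StatusReason", "")})
    return {
        "operation_id": op["OperationId"],
        "status": op["Status"],
        "reported_failed": reported,
        "observed_failed": len(failed),
        "count_matches": reported == len(failed),
        "failed": failed,
        "redeploy_accounts": sorted({f["account"] for f in failed}),
        "redeploy_regions": sorted({f["region"] for f in failed}),
        "by_status": {k: sorted(v) for k, v in by_status.items()},
    }


if __name__ == "__main__":
    summary = summarize_operation(SAMPLE_DESCRIBE, SAMPLE_LIST)
    for item in summary["failed"]:
        print(f"{item['account']} {item['region']}: {item['reason']}")
    print("redeploy to:", summary["redeploy_accounts"], summary["redeploy_regions"])
```

With boto3 the inputs come from `cfn.describe_stack_set_operation(StackSetName=name, OperationId=op_id)` and `cfn.list_stack_instances(StackSetName=name, Filters=[{"Name": "LAST_OPERATION_ID", "Values": [op_id]}])`, following NextToken until the listing is exhausted and concatenating the Summaries. Note that redeploy_accounts × redeploy_regions is a cross product, so trim it to the failed pairs before calling create_stack_instances or update_stack_instances; a FAILED instance in a governance stack set means that account is running without the guardrail the stack carries.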
AWS CloudTrail
1. AWS CloudTrail Lake now supports encryption with customer managed KMS keys (CMK)
AWS CloudTrail now offers the capability to encrypt the activity logs kept in CloudTrail Lake using your customer managed KMS keys (CMK). All data kept in CloudTrail Lake has always been encrypted automatically using AWS-owned KMS keys. To help you meet the compliance and regulatory needs of your organization, this feature gives you the option of adding a self-managed security layer to your activity logs.
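As an added example (not AWS's code), the following Python defines a CloudTrail Lake event data store resource that names a customer managed key and then checks that the key policy actually lets CloudTrail use it. The resource follows the public AWS::CloudTrail::EventDataStore schema (KmsKeyId, MultiRegionEnabled, OrganizationEnabled, RetentionPeriod, TerminationProtectionEnabled). The key policy statements CloudTrail Lake needs are assumed from the CloudTrail KMS documentation: an Allow for the cloudtrail.amazonaws.com service principal on kms:GenerateDataKey and kms:Decrypt, preferably scoped with aws:SourceArn or aws:SourceAccount. The account ID, key ARN and policy are constructed placeholders.

```python
"""CMK-encrypted CloudTrail Lake store plus a key policy check (added example)."""
import fnmatch

# Actions CloudTrail needs on the key (assumed from the CloudTrail KMS docs).
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")
# Condition keys that pin the grant to your own store / account.
SCOPE_KEYS = ("aws:SourceArn", "aws:SourceAccount")


def event_data_store_resource(name, kms_key_arn, retention_days=2555):
    """CloudFormation resource for an org-wide, multi-Region, CMK-encrypted store."""
    return {
        "Type": "AWS::CloudTrail::EventDataStore",
        "Properties": {
            "Name": name,
            "KmsKeyId": kms_key_arn,  # omit this and the store uses AWS-owned keys
            "MultiRegionEnabled": True,
            "OrganizationEnabled": True,
            "RetentionPeriod": retention_days,
            "TerminationProtectionEnabled": True,
        },
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_scopes_caller(cond):
    """True if any condition operator pins aws:SourceArn or aws:SourceAccount."""
    return any(k in SCOPE_KEYS for operator in cond.values() for k in operator)


def key_policy_allows_cloudtrail(policy):
    """Return (ok, findings) for the grants made to cloudtrail.amazonaws.com."""
    findings, covered = [], set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "cloudtrail.amazonaws.com" not in services:
            continue
        granted = _as_list(stmt.get("Action", []))
        for action in REQUIRED_ACTIONS:
            # granted entries may be wildcards such as kms:GenerateDataKey* or kms:*
            if any(fnmatch.fnmatchcase(action, g) for g in granted):
                covered.add(action)
        if not _condition_scopes_caller(stmt.get("Condition", {})):
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: grant to CloudTrail is not scoped by "
                            "aws:SourceArn/aws:SourceAccount (confused-deputy exposure)")
    for action in REQUIRED_ACTIONS:
        if action not in covered:
            findings.append(f"key policy does not allow {action} for cloudtrail.amazonaws.com")
    return all(a in covered for a in REQUIRED_ACTIONS), findings


def check_event_data_store(resource, key_policy):
    """Findings for a store resource together with the policy of the key it names."""
    props = resource.get("Properties", {})
    findings = []
    if not props.get("KmsKeyId"):
        findings.append("KmsKeyId not set: store is encrypted with AWS-owned keys only")
        return findings
    if not props.get("TerminationProtectionEnabled", False):
        findings.append("TerminationProtectionEnabled is off")
    _, key_findings = key_policy_allows_cloudtrail(key_policy)
    return findings + key_findings


# Constructed key policy with a placeholder account ID.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowCloudTrailLake", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}},
    ],
}

if __name__ == "__main__":
    store = event_data_store_resource(
        "org-audit", "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER")
    print(check_event_data_store(store, SAMPLE_KEY_POLICY))
```

The key policy is where the self-managed layer actually lives: a CMK whose policy lets the CloudTrail service principal encrypt for any account is weaker than the scoped grant shown, and a key that the principal cannot use at all leaves the store unable to ingest.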
2. AWS CloudTrail now supports delegated administrator accounts for AWS Organizations
AWS CloudTrail has announced support for a delegated administrator account, allowing users to manage organization trails and CloudTrail Lake event data stores from an account other than the management account in AWS Organizations. By letting the management account delegate CloudTrail administrative operations to an organization member account, such as a security and logging member account, delegated administrator support gives customers more flexibility. With this feature, the organization’s management account retains ownership of all CloudTrail organization resources, even when a delegated administrator account is used to create and manage the organization’s trail or CloudTrail Lake event data store resources. This lets the customer maintain the continuity of CloudTrail audit logs and avoid interruptions when changes are made to the organization in AWS Organizations.
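Delegation is itself a privileged change: the delegated account can create and modify organization trails and Lake event data stores for the whole organization, so registration and deregistration are worth alerting on and reconciling against an approved list. As an added example (not AWS's code), the following Python scans CloudTrail records for those events. The records are constructed and trimmed; the event names are the CloudTrail and Organizations API operations (RegisterOrganizationDelegatedAdmin, DeregisterOrganizationDelegatedAdmin, RegisterDelegatedAdministrator, DeregisterDelegatedAdministrator), and the requestParameters field names are assumed to mirror the API parameter names, so adjust them to what your records actually carry.

```python
"""Detect changes to the CloudTrail delegated administrator (added example)."""

# eventName -> (eventSource, requestParameters key holding the target account);
# parameter names assumed from the API references.
WATCH = {
    "RegisterOrganizationDelegatedAdmin": ("cloudtrail.amazonaws.com", "memberAccountId"),
    "DeregisterOrganizationDelegatedAdmin": ("cloudtrail.amazonaws.com", "delegatedAdminAccountId"),
    "RegisterDelegatedAdministrator": ("organizations.amazonaws.com", "accountId"),
    "DeregisterDelegatedAdministrator": ("organizations.amazonaws.com", "accountId"),
}


def detect_delegation_changes(records, approved_admins):
    """Return one finding per delegation change.

    Severity is high for any deregistration (the logging admin goes away) and
    for any registration of an account that is not on the approved list.
    """
    findings = []
    for r in records:
        name = r.get("eventName")
        if name not in WATCH:
            continue
        source, param = WATCH[name]
        if r.get("eventSource") != source:
            continue
        params = r.get("requestParameters") or {}
        # Organizations-level delegation covers every service; only CloudTrail matters here.
        if source == "organizations.amazonaws.com" and params.get("servicePrincipal") != "cloudtrail.amazonaws.com":
            continue
        target = params.get(param, "<unknown>")
        removal = name.startswith("Deregister")
        severity = "high" if removal or target not in approved_admins else "medium"
        findings.append({
            "time": r.get("eventTime"),
            "event": name,
            "actor": (r.get("userIdentity") or {}).get("arn"),
            "source_ip": r.get("sourceIPAddress"),
            "target_account": target,
            "severity": severity,
        })
    return findings


# Constructed, trimmed CloudTrail records with placeholder account IDs.
SAMPLE_RECORDS = [
    {"eventTime": "2022-11-30T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "RegisterOrganizationDelegatedAdmin",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"memberAccountId": "222222222222"}},
    {"eventTime": "2022-11-30T10:01:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "RegisterDelegatedAdministrator",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/alice"},
     "requestParameters": {"accountId": "222222222222", "servicePrincipal": "cloudtrail.amazonaws.com"}},
    {"eventTime": "2022-11-30T10:02:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "RegisterDelegatedAdministrator",
     "requestParameters": {"accountId": "444444444444", "servicePrincipal": "guardduty.amazonaws.com"}},
    {"eventTime": "2022-11-30T10:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "requestParameters": {}},
    {"eventTime": "2022-11-30T11:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeregisterOrganizationDelegatedAdmin",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/OrgAdmin/bob"},
     "requestParameters": {"delegatedAdminAccountId": "222222222222"}},
]

if __name__ == "__main__":
    for f in detect_delegation_changes(SAMPLE_RECORDS, approved_admins={"222222222222"}):
        print(f["severity"], f["event"], f["target_account"], f["actor"])
```

Run against the management account's organization trail (or a Lake query over it), since that is where both the CloudTrail and the Organizations API calls land; the approved list should be the one logging account your architecture names, so any other target is a misconfiguration to reverse.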
AWS Management Console
1. Announcing New Application Widget on AWS Console Home Page
The new Application Widget on the Console home page provides one-click access to your applications in AWS Systems Manager Application Manager and their respective sets of related AWS resources, code, and data.
The new Application Widget lets you quickly access, visualize, and interact with your application resources in AWS Systems Manager Application Manager. Application Manager lets you view your applications and the resources that support them, along with application costs from AWS Cost Explorer, CloudWatch alarms, AWS Config rule compliance, and more. AWS Systems Manager Automation runbooks are also available to perform actions on your application’s resources.
2. Announcement of AWS Resource Explorer
AWS Resource Explorer is a managed feature that enables easy search and discovery of resources such as Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Kinesis streams, and Amazon DynamoDB tables in the AWS Regions of your AWS accounts. AWS Resource Explorer is available at no additional charge.
AWS Control Tower
AWS Control Tower now shows compliance status for external AWS Config rules. This view shows AWS Config rules set by AWS Control Tower as well as those applied externally. You can check the compliance status of AWS Config rules that have been created.
Before this feature was introduced, you had to go to the AWS Config console to view the compliance status of your external AWS Config rules. Now you can access the compliance status of external AWS Config rules by navigating to the account details page in your AWS Control Tower management account. This lets you evaluate the configuration settings of AWS resources without leaving the AWS Control Tower console.