AWS Management Tools & Cost Management

AWS Management Tools
AWS Management Tools help users manage the components of the cloud and their accounts. These tools
allow users to programmatically provision, monitor, and automate all the components. Four types of
Management Tools are integrated with the AWS platform, spanning services from Amazon EC2 to DynamoDB.
AWS Management Tools enable users to control every aspect of their cloud infrastructure.

Types of Amazon Management Tools


Provisioning
AWS CloudFormation is a service that provides a common language to describe and provision all the
infrastructure resources in your cloud environment. It allows users to use template documents that
automatically and securely provision these resources. Once everything is modelled, the document becomes
the single source of truth for the cloud environment. In AWS Service Catalog, users can create a set of
approved CloudFormation templates and a catalog that enables organizations to deploy only approved and
compliant resources.

Monitoring and Working


Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications running on
AWS. Users can gather and monitor data, including log files, and use CloudWatch to track changes in
AWS resources. This monitoring service provides a stream of events describing changes, which allows
users to react quickly to modifications in their applications.

Operations Management
AWS provides a collection of services for systems and operations management that allow users to
manage infrastructure resources with proper governance and compliance. Users can employ AWS
Systems Manager to view and monitor all their resources and automate common operational tasks, such
as patching or state management. AWS Systems Manager centralizes cloud operations activities in one
place. Additionally, AWS CloudTrail logs activities within the organization, while AWS Config lists all
configurations across resources.
Chapter 5

Managed Services
OpsWorks eliminates the need for users to operate their configuration management systems manually. It
integrates seamlessly with existing Chef and Puppet tools. OpsWorks automatically patches, updates,
and backs up Chef and Puppet servers, while also maintaining their availability. It is an ideal solution for
existing Chef or Puppet users.

AWS Management Tools Services


AWS CloudFormation
AWS CloudFormation allows users to manage and provision the entire cloud infrastructure using
programming languages. It permits users to use a simple file to model and provision, in an automated and
secure way, all the resources required for their applications across all regions and accounts. This file
serves as the single source of truth for the cloud environment.

AWS Service Catalog


AWS Service Catalog helps organizations manage catalogs of IT services that are commonly used on
AWS. These services include everything from virtual machine images, servers, software, and databases to
full multi-tier application architectures. The catalog enables users to centrally manage these services,
meet compliance needs, and ensure consistent governance.

Amazon CloudWatch
Amazon CloudWatch provides system-wide visibility into resource utilization, application performance,
and operational health. It monitors AWS cloud resources, such as Amazon EC2 instances, Amazon
DynamoDB tables, and Amazon RDS DB instances, as well as the applications users run on AWS.

AWS Systems Manager


AWS Systems Manager offers visibility and control of AWS infrastructure. It provides a unified interface
for users to view operational data from multiple AWS services and automate tasks across AWS resources. It
allows users to group resources, such as Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS
instances, by application. This enables users to monitor operational data, troubleshoot issues, and take
action on resource groups.

AWS CloudTrail
AWS CloudTrail tracks user activity and API usage, offering governance, compliance, operational auditing,
and risk auditing for AWS accounts. The event history provided by CloudTrail simplifies troubleshooting,
security analysis, and resource modification tracking.

AWS Config
AWS Config helps users assess, audit, and evaluate the configurations of AWS resources. It monitors and
records AWS resource configurations and allows users to automate the analysis of recorded
configurations against desired settings. AWS Config provides benefits such as reviewing changes in
configurations, understanding relationships between AWS resources, and ensuring compliance with
internal guidelines. This makes compliance auditing, security analysis, change management, and
operational troubleshooting more efficient.

AWS OpsWorks
AWS OpsWorks is a configuration management service that offers managed instances of Chef and
Puppet. These automation platforms allow users to use code to automate the configurations of servers.
OpsWorks helps users automate how servers are configured, deployed, and managed across Amazon
EC2 instances or on-premises environments. OpsWorks provides three offerings: AWS OpsWorks for
Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.

Copyrighted Material

AWS CloudWatch
AWS CloudWatch is one of the essential services for running your cloud operations. It allows you to
monitor your AWS workload and take action based on alerts. CloudWatch provides observability for your
AWS resources on a single platform across applications and infrastructure. Amazon CloudWatch is a
powerful monitoring service designed to help optimize your AWS resources and applications.

Capabilities of AWS CloudWatch


CloudWatch offers a wide range of capabilities, which include:

Data and Operational Insights


CloudWatch provides valuable insights into the performance and health of your AWS resources and
applications. With CloudWatch, you can collect and track metrics, monitor log files, and set alarms.

Resource Monitoring
CloudWatch can monitor various AWS resources, including Amazon EC2 instances, Amazon S3 buckets,
and Amazon RDS instances, allowing you to quickly identify and troubleshoot any issues that arise.

Custom Metrics
CloudWatch allows you to create custom metrics based on the data generated by your applications,
providing greater flexibility and control over the monitoring process.

Log Monitoring
CloudWatch can also monitor the log files generated by your applications, enabling quick identification
and troubleshooting of issues related to your application code.

Real-Time Monitoring
Amazon CloudWatch can be used to monitor your AWS resources and applications in real time. It collects
and tracks metrics, creates alarms that send notifications, and makes changes to the monitored
resources based on rules you define. For instance, you might choose to monitor CPU utilization to decide
when to add or remove Amazon EC2 instances in an application tier. If a particular application-specific
metric is not visible, you can perform a PUT request to push that metric into Amazon CloudWatch. It
allows you to specify parameters for a metric over a time period and configure alarms and automated
actions when a threshold is reached. Actions can include sending a notification to an Amazon Simple
Notification Service (Amazon SNS) topic or executing an Auto Scaling policy.

Basic and Detailed Monitoring


Amazon CloudWatch offers either basic or detailed monitoring for supported AWS products. Basic
monitoring sends data points to Amazon CloudWatch every five minutes for a limited number of
preselected metrics at no charge. In contrast, detailed monitoring sends data points to Amazon
CloudWatch every minute and allows data aggregation for an additional charge. If you want to use
detailed monitoring, you must enable it, as basic is the default.

Supported AWS Services


Amazon CloudWatch supports monitoring and specific metrics for most AWS Cloud services, including:

• Auto Scaling

• Amazon CloudFront

• Amazon CloudSearch

• Amazon DynamoDB

• Amazon EC2 Container Service (Amazon ECS)

• Amazon ElastiCache

• Amazon Elastic Block Store (Amazon EBS)

• Elastic Load Balancing

• Amazon Elastic MapReduce (Amazon EMR)

and many more.

Metric Retrieval
Amazon CloudWatch metrics can be retrieved by performing a GET request. In detailed monitoring,
metrics can be aggregated across a length of time specified. Amazon CloudWatch does not aggregate
data across regions but can aggregate across Availability Zones within a region. It supports an Application
Programming Interface (API) that allows programs and scripts to PUT metrics into Amazon CloudWatch as
name-value pairs, which can then be used to create events and trigger alarms in the same manner as the
default Amazon CloudWatch metrics.

Key Features of CloudWatch


Key features of CloudWatch include the following:

• Metrics: CloudWatch allows you to collect metrics for your resources and applications, such as
CPU usage, network traffic, and disk reads/writes. You can view these metrics in the CloudWatch
console or use the CloudWatch API to retrieve them programmatically.

• Alarms: You can set alarms in CloudWatch to be notified when certain thresholds are breached.

• Logs: CloudWatch allows for storing and accessing your log files in a centralized location. You
can use CloudWatch Logs Insights to search and analyse your log data or use CloudWatch Logs
to export your log data to third-party tools for further analysis.

• Dashboards: You can use CloudWatch dashboards to create custom views of your metrics and
log data to quickly get an overview of your system’s health and performance.

CloudWatch Events
Amazon CloudWatch Events is a service that allows you to respond to changes in the state of your AWS
resources in real-time. It can monitor operational changes in your resources and automatically trigger
actions based on those changes. For example, you can create a CloudWatch Events rule that triggers an
AWS Lambda function whenever a new Amazon EC2 instance is launched in your account. This Lambda
function can perform actions like tagging the instance, configuring its security groups, or starting a set of
preconfigured applications on the instance. CloudWatch Events allows you to react to operational
changes in your AWS resources quickly and efficiently.

With CloudWatch Events, you can easily create rules that define the conditions that trigger your actions
and specify the targets for executing those actions. CloudWatch Events rules enable you to match event
patterns and take actions in response to those patterns. A rule can have one or more event patterns, and
you can specify the type of action that CloudWatch Events takes when it detects a pattern. For instance,
you could set up a rule to send an email message when a new Amazon EC2 instance is launched or to
stop an Amazon EC2 instance when CPU utilization is too high. CloudWatch Events can also be used to
schedule automated actions that self-trigger at a specific time or when a specified event occurs. For
example, you can use CloudWatch Events to schedule the automatic stopping of Amazon EC2 instances
to avoid incurring charges for instances that are no longer needed.
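
The rule-matching described above, as an added example that is not code from the chapter: a small matcher implementing the basic CloudWatch Events pattern semantics (every pattern key must exist in the event, leaf lists are OR'd allowed values, keys are AND'd), driven by a constructed "new EC2 instance" rule and constructed events. The `tag_action` target and the instance IDs are assumptions.

```python
"""Event-pattern matching as used by CloudWatch Events rules.

Added example, not from the original chapter. Implements the documented basic
semantics: every key in the pattern must be present in the event, leaf values
are lists of allowed values (OR), and all pattern keys must match (AND).
All patterns and events below are constructed for illustration.
"""
from typing import Any, Dict, List

# Constructed rule pattern: fire when an EC2 instance enters the "running"
# state, i.e. the chapter's "new instance launched" trigger.
NEW_INSTANCE_PATTERN: Dict[str, Any] = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["running"]},
}


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Return True if `event` satisfies every field of `pattern`."""
    for key, expected in pattern.items():
        if key not in event:
            return False                       # missing key never matches
        actual = event[key]
        if isinstance(expected, dict):         # nested object: recurse
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):       # leaf: list of allowed values
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in expected for c in candidates):
                return False
        else:
            raise ValueError(f"pattern leaf for {key!r} must be a list")
    return True


def tag_action(event: Dict[str, Any]) -> Dict[str, Any]:
    """Hypothetical rule target: the 'tagging Lambda' the chapter mentions."""
    return {
        "Resources": [event["detail"]["instance-id"]],
        "Tags": [{"Key": "launched-by-rule", "Value": "ec2-new-instance"}],
    }


def route(pattern: Dict[str, Any], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the rule to a batch of events and return the target invocations."""
    return [tag_action(e) for e in events if matches(pattern, e)]


# Constructed sample events in the shape of EC2 state-change notifications.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "region": "us-east-1",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "region": "us-east-1",
     "detail": {"instance-id": "i-0123456789abcdef1", "state": "terminated"}},
    {"source": "aws.s3", "detail-type": "Object Created",
     "detail": {"bucket": {"name": "constructed-bucket"}}},
]

if __name__ == "__main__":
    for call in route(NEW_INSTANCE_PATTERN, SAMPLE_EVENTS):
        print("tagging", call["Resources"])
```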

CloudWatch Logs
Amazon CloudWatch Logs can be used to monitor, store, and access log files from Amazon EC2
instances, AWS CloudTrail, and other sources. You can retrieve log data and monitor it in real-time for
events. For example, you can track the number of errors in your application logs and send a notification if
an error rate exceeds a threshold. Amazon CloudWatch Logs can also be used to store your logs in
Amazon S3 or Amazon Glacier. Logs can be retained indefinitely or according to an aging policy that will
delete older logs when they are no longer needed.

A CloudWatch Logs agent is available that provides an automated way to send log data to CloudWatch
Logs from Amazon EC2 instances running Amazon Linux or Ubuntu. The agent can be installed and
configured on an existing Amazon EC2 instance. After installation is complete, the agent confirms that it
has started and continues running until you disable it.

It is important to keep in mind that Amazon CloudWatch has some limits. Each AWS account is limited to
5,000 alarms, and metrics data is retained for two weeks by default (at the time of this writing). If you
want to keep the data longer, you will need to move the logs to a persistent store like Amazon S3 or
Amazon Glacier.

CloudWatch Alarms
CloudWatch alarms are a powerful feature that enables you to receive notifications or automate actions
based on the rules you define. With CloudWatch alarms, you can monitor a wide range of metrics and set
up alerts that notify you when certain conditions are met. For example, you can send an email alert to the
admin whenever the average network latency of an Amazon RDS database exceeds 10 seconds or when
the CPU usage of an Amazon EC2 instance falls below 10%. You can also create more complex alarms
that automatically trigger actions, such as launching additional instances to handle increased traffic or
scaling down resources during periods of low demand.

CloudWatch alarms provide a flexible and customizable way to monitor your AWS resources and take
automated actions based on your specific needs. To monitor resource utilization, application
performance, or other key metrics, CloudWatch alarms can help you stay on top of your cloud
infrastructure and ensure that it is always running at peak performance. CloudWatch provides data for
the past two weeks, allowing access to historical data for analysis of past events. It also integrates with
other AWS services, such as Amazon EC2 Auto Scaling, Amazon SNS, and AWS Lambda, enabling you to
use CloudWatch to react to changes in your resources and applications.

AWS CloudTrail
AWS CloudTrail provides visibility into user activity by recording API calls made on your account. It
records important information about each API call, including the name of the API, the identity of the
caller, the time of the API call, the request parameters, and the response elements returned by the AWS
service. This information helps you to track changes made to your AWS resources and to troubleshoot
operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and
regulatory standards.

Capabilities of AWS CloudTrail


• AWS CloudTrail captures AWS API calls and related events made by or on behalf of an AWS
account and delivers log files to an Amazon S3 bucket that you specify.

• You can configure AWS CloudTrail to deliver events to a log group monitored by Amazon
CloudWatch Logs.

• It is also possible to receive Amazon Simple Notification Service (Amazon SNS) notifications
each time a log file is delivered to your bucket.

• You can create a trail with the AWS CloudTrail console, the AWS Command Line Interface (CLI),
or the AWS CloudTrail API.

• A trail is a configuration that enables logging of the AWS API activity and related events in your
account.

Types of AWS CloudTrail


A Trail That Applies to All Regions:
When you create a trail that applies to all AWS regions, AWS CloudTrail creates the same trail in each
region, records the log files in each region, and delivers the log files to the single Amazon S3 bucket (and
optionally to the Amazon CloudWatch Logs log group) that you specify. This is the default option when
you create a trail using the AWS CloudTrail console. If you choose to receive Amazon SNS notifications for
log file deliveries, one Amazon SNS topic will suffice for all regions. If you choose to have AWS CloudTrail
send events from a trail that applies to all regions to an Amazon CloudWatch Logs log group, events from
all regions will be sent to the single log group.

A Trail That Applies to One Region:


You specify a bucket that receives events only from that region. The bucket can be in any region that you
specify. If you create additional individual trails that apply to specific regions, you can have those trails
deliver event logs to a single Amazon S3 bucket.

Log File Management


By default, your log files are encrypted using Amazon S3 SSE. You can store your log files in your bucket
for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files
automatically. AWS CloudTrail typically delivers log files within 15 minutes of an API call. In addition, the
service publishes new log files multiple times an hour, usually about every five minutes. These log files
contain API calls from all of the account’s services that support AWS CloudTrail.

Use Cases and Benefits of AWS CloudTrail


External Compliance Audits:
Your business must demonstrate compliance with a set of regulations pertinent to some or all data being
transmitted, processed, and stored within your AWS accounts. Events from AWS CloudTrail can be used
to show the degree to which you are compliant with the regulations.

Unauthorized Access to Your AWS Account:


AWS CloudTrail records all sign-on attempts to your AWS account, including AWS Management Console
login attempts, AWS Software Development Kit (SDK) API calls, and AWS CLI API calls. Routine
examination of AWS CloudTrail events will provide the needed information to determine if your AWS
account is being targeted for unauthorized access.
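
The routine examination described above, as an added example that is not from the chapter: a review pass over constructed CloudTrail `ConsoleLogin` records (laid out with the eventName, userIdentity, eventTime, requestParameters and responseElements fields the chapter lists) that flags bursts of failed sign-ins per source IP, successful sign-ins without MFA, and successes that follow a burst. The threshold, window, user names and IP addresses are assumptions.

```python
"""Reviewing CloudTrail ConsoleLogin events for unauthorized-access signals.

Added example, not the chapter's code. The records are constructed but follow
the CloudTrail record layout; the detection thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple

FAILED_LOGIN_THRESHOLD = 3            # assumption: failures per source IP ...
WINDOW = timedelta(minutes=10)        # ... inside this sliding window


def _record(time: str, user: str, ip: str, outcome: str, mfa: str = "No") -> Dict[str, Any]:
    """Build one constructed ConsoleLogin record in CloudTrail's layout."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "requestParameters": None,
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa},
    }
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return rec


# Constructed log file: one IP fails three times then succeeds without MFA.
SAMPLE_LOG = {"Records": [
    _record("2024-05-01T10:00:05Z", "alice", "203.0.113.7", "Failure"),
    _record("2024-05-01T10:01:10Z", "alice", "203.0.113.7", "Failure"),
    _record("2024-05-01T10:02:30Z", "admin", "203.0.113.7", "Failure"),
    _record("2024-05-01T10:03:00Z", "admin", "203.0.113.7", "Success"),
    _record("2024-05-01T11:30:00Z", "bob", "198.51.100.22", "Failure"),
    _record("2024-05-01T11:31:00Z", "bob", "198.51.100.22", "Success", mfa="Yes"),
]}


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def console_logins(records: List[Dict[str, Any]], outcome: str) -> List[Dict[str, Any]]:
    """ConsoleLogin records whose responseElements report the given outcome."""
    return [r for r in records if r.get("eventName") == "ConsoleLogin"
            and (r.get("responseElements") or {}).get("ConsoleLogin") == outcome]


def failed_login_bursts(records, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW) -> Dict[str, int]:
    """Source IPs with >= threshold failures inside any sliding window; value is the peak count."""
    failures = defaultdict(list)
    for r in console_logins(records, "Failure"):
        failures[r["sourceIPAddress"]].append(parse_time(r["eventTime"]))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def successful_logins(records) -> List[Tuple[str, str, str]]:
    """(userName, sourceIPAddress, MFAUsed) for every successful console login."""
    return [(r["userIdentity"].get("userName"), r["sourceIPAddress"],
             (r.get("additionalEventData") or {}).get("MFAUsed", "No"))
            for r in console_logins(records, "Success")]


def review(records, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW) -> Dict[str, Any]:
    """The findings a routine examination of the records would surface."""
    bursts = failed_login_bursts(records, threshold, window)
    successes = successful_logins(records)
    return {
        "failed_login_bursts": bursts,
        "logins_without_mfa": [(u, ip) for u, ip, mfa in successes if mfa != "Yes"],
        "success_after_burst": [(u, ip) for u, ip, _ in successes if ip in bursts],
    }


if __name__ == "__main__":
    for finding, value in review(SAMPLE_LOG["Records"]).items():
        print(f"{finding}: {value}")
```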

Overall Functionality of AWS CloudTrail


AWS CloudTrail is a service that enables governance, compliance, operations, and risk auditing for AWS
accounts by logging and monitoring account activity related to actions across the AWS infrastructure. By
using CloudTrail, you can continuously monitor and retain logs of all account activity, providing you with a
complete history of your AWS account’s event history. This event history includes actions taken through
the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. These logs can
be used to aid in governance, compliance, and risk management, providing a clear record of activity
across your AWS infrastructure. With CloudTrail, you can also create custom alerts and notifications to
help you identify and respond to potential security issues and compliance risks in real time.

AWS Config
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration
history, and configuration change notifications to enable security and governance. With AWS Config, you
can discover existing and deleted AWS resources, determine your overall compliance against rules, and
dive into configuration details of a resource at any point in time. These capabilities enable compliance
auditing, security analysis, resource change tracking, and troubleshooting.

Configuration Management
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This
includes how the resources are related and how they were configured in the past so that you can see how
the configurations and relationships change over time. AWS Config defines a resource as an entity you
can work with in AWS, such as an Amazon EC2 instance, an Amazon EBS volume, a security group, or an
Amazon VPC. When you turn on AWS Config, it first discovers the supported AWS resources that exist in
your account and generates a configuration item for each resource.

Configuration Items
A configuration item represents a point-in-time view of the various attributes of a supported AWS
resource, such as metadata, attributes, relationships, current configuration, and related events. AWS
Config generates configuration items when the configuration of a resource changes and maintains
historical records of the configuration items of your resources from the time you start the configuration
recorder. By default, AWS Config creates configuration items for every supported resource in the region. If
you don’t want AWS Config to create configuration items for all supported resources, you can specify the
resource types that you want it to track.

AWS Config Rules


An AWS Config Rule represents desired configuration settings for specific AWS resources or for an entire
AWS account. AWS Config continuously tracks your resource configuration changes and checks whether
these changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config flags
the resource and the rule as noncompliant and notifies you through Amazon SNS. AWS Config makes it
easy to track resource configuration without the need for up-front investments while avoiding the
complexity of installing and updating agents for data collection or maintaining large databases.

Use Cases of AWS Config


• Discovery:
AWS Config will discover resources that exist in your account, record their current configuration,
and capture any changes to these configurations. AWS Config will also retain configuration
details for resources that have been deleted. A comprehensive snapshot of all resources and
their configuration attributes provides a complete inventory of resources in your account.

• Change Management:
When your resources are created, updated, or deleted, AWS Config streams these configuration
changes to Amazon SNS so that you are notified of all configuration changes. AWS Config
represents relationships between resources, so you can assess how a change to one resource
may affect other resources.

• Continuous Audit and Compliance:


AWS Config and AWS Config Rules are designed to help you assess compliance with internal
policies and regulatory standards by providing visibility into the configuration of a resource at any
time and evaluating relevant configuration changes against rules that you can define.

• Troubleshooting:
Using AWS Config, you can quickly troubleshoot operational issues by identifying the recent
configuration changes to your resources.

• Security and Incident Analysis:


Properly configured resources improve your security posture. Data from AWS Config enables you
to monitor the configurations of your resources continuously and evaluate these configurations
for potential security weaknesses. After a potential security event, AWS Config enables you to
examine the configuration of your resources at any single point in the past.

Key Features of AWS Config


AWS Config resolves the need to automatically record resource configuration information and will
evaluate any rules that are triggered by a change. The configuration of the resource and its overall
compliance against rules are presented in a dashboard. AWS Config integrates with AWS CloudTrail, a
service that records AWS API calls for an account and delivers API usage log files to an Amazon S3
bucket. If the configuration change of a resource was the result of an API call, AWS Config also records
the AWS CloudTrail event ID that corresponds to the API call that changed the resource’s configuration.
Organizations can then leverage the AWS CloudTrail logs to obtain details of the API call that was made—
including who made the API call, at what time, and from which IP address—to use for troubleshooting
purposes.

When a configuration change is made to a resource or when the compliance of an AWS Config rule
changes, a notification message is delivered that contains the updated configuration of the resource or
compliance state of the rule, along with key information such as the old and new values for each changed
attribute. AWS Config sends notifications when a Configuration History file is delivered to Amazon S3 and
when the customer initiates a Configuration Snapshot. These messages are all streamed to an Amazon
SNS topic that you specify. Organizations can use the AWS Management Console, API, or AWS CLI to
obtain details of what a resource’s configuration looked like at any point in the past. AWS Config will also
automatically deliver a history file to the Amazon S3 bucket you specify every six hours that contains all
changes to your resource configurations.

AWS Config Activities


AWS Config performs the following activities for AWS resources: record, evaluate, and visualize.

• Record:
Configuration history of AWS resources: AWS Config records the details of changes made to your
AWS resources, providing you with a configuration history timeline. This enables you to track any
changes made to a resource’s configuration at any time in the past.
Resource relationship tracking: AWS Config can discover, map, and track relationships between
AWS resources in your account.
Configuration history of software: AWS Config can also record software configuration changes
within your Amazon EC2 instances and servers running on-premises or with other cloud
providers. It provides a history of both OS and system-level configuration changes and
infrastructure configuration changes recorded for Amazon EC2 instances.

• Evaluate:
Configurable and customizable rules: Assess your resource configurations and resource changes
for compliance against built-in or custom rules and automate the remediation of non-compliant
resources. You can customize pre-built rules provided by AWS Config or create your own custom
rules with AWS Lambda to define your internal guidelines and best practices for resource
configurations.
Conformance packs: Simplifies organization-wide deployment and reporting of compliance. It
deploys a pack of config rules and remediation actions to your AWS Organization.
Automatic remediation enables you to remediate non-compliant resources using Systems
Manager Automation documents.

• Visualize:
Cloud governance dashboard: Provides a visual dashboard that lets you easily identify non-
compliant resources and take the necessary corrective action. You can customize the dashboard
to monitor resources based on cost and security.
Multi-account, multi-region data aggregation: AWS Config allows you to aggregate data from
multiple AWS accounts and regions, providing you with a centralized view of your resources and
their compliance status with AWS Config rules. This feature is particularly useful for enterprise-
scale organizations.
Configuration snapshots: AWS Config can take snapshots of your resource configurations at
specific points in time. This allows you to quickly identify changes to your resources and
compare their configurations across different points in time.
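
The custom rules described in the AWS Config Rules section and in the Evaluate item above, as an added example that is not the chapter's code: the evaluation logic of a custom rule in the shape of an AWS Lambda handler. It parses the `invokingEvent` that AWS Config passes, evaluates the configuration item (an unencrypted EBS volume or a security group exposing port 22 to 0.0.0.0/0 is noncompliant, a deleted resource is not applicable) and builds the evaluation entries that a deployed rule would report back with `PutEvaluations`. The configuration items and resource IDs are constructed; the `configuration` field names follow the EC2 configuration item layout.

```python
"""Custom AWS Config rule evaluation logic, shaped as a Lambda handler.

Added example, not code from the chapter. Configuration items below are
constructed; resource IDs are placeholders.
"""
import json
from typing import Any, Dict, Tuple

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
DELETED_STATES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def evaluate_compliance(ci: Dict[str, Any]) -> Tuple[str, str]:
    """Return (complianceType, annotation) for one configuration item."""
    if ci.get("configurationItemStatus") in DELETED_STATES:
        return NOT_APPLICABLE, "Resource no longer exists"
    rtype = ci["resourceType"]
    conf = ci.get("configuration") or {}
    if rtype == "AWS::EC2::Volume":
        if conf.get("encrypted") is True:
            return COMPLIANT, "EBS volume is encrypted at rest"
        return NON_COMPLIANT, "EBS volume is not encrypted"
    if rtype == "AWS::EC2::SecurityGroup":
        for perm in conf.get("ipPermissions", []):
            world_open = (any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipv4Ranges", []))
                          or "0.0.0.0/0" in perm.get("ipRanges", []))
            lo, hi = perm.get("fromPort"), perm.get("toPort")
            covers_ssh = lo is None or hi is None or lo <= 22 <= hi   # "-1" = all ports
            if world_open and covers_ssh:
                return NON_COMPLIANT, "Security group allows port 22 from 0.0.0.0/0"
        return COMPLIANT, "No world-open SSH rule"
    return NOT_APPLICABLE, f"Rule does not evaluate {rtype}"


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Entry point AWS Config would invoke; returns the evaluation it builds."""
    invoking = json.loads(event["invokingEvent"])
    ci = invoking["configurationItem"]
    ctype, note = evaluate_compliance(ci)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": ctype,
        "Annotation": note,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    # In a deployed rule the result is reported back to AWS Config with:
    #   boto3.client("config").put_evaluations(Evaluations=[evaluation],
    #                                         ResultToken=event["resultToken"])
    return evaluation


def config_event(ci: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed invocation event in the shape AWS Config sends to the Lambda."""
    return {
        "invokingEvent": json.dumps({"configurationItem": ci,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": "{}",
        "resultToken": "constructed-result-token",
    }


def _ci(rtype: str, rid: str, configuration: Any, status: str = "OK") -> Dict[str, Any]:
    return {"resourceType": rtype, "resourceId": rid, "configurationItemStatus": status,
            "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
            "configuration": configuration}


UNENCRYPTED_VOLUME = _ci("AWS::EC2::Volume", "vol-0123456789abcdef0", {"encrypted": False, "size": 8})
ENCRYPTED_VOLUME = _ci("AWS::EC2::Volume", "vol-0123456789abcdef1", {"encrypted": True, "size": 8})
OPEN_SSH_GROUP = _ci("AWS::EC2::SecurityGroup", "sg-0123456789abcdef0", {
    "groupId": "sg-0123456789abcdef0",
    "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                       "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipRanges": ["0.0.0.0/0"]}]})
DELETED_VOLUME = _ci("AWS::EC2::Volume", "vol-0123456789abcdef2", None, status="ResourceDeleted")

if __name__ == "__main__":
    for ci in (UNENCRYPTED_VOLUME, ENCRYPTED_VOLUME, OPEN_SSH_GROUP, DELETED_VOLUME):
        ev = lambda_handler(config_event(ci))
        print(ev["ComplianceResourceId"], ev["ComplianceType"], "-", ev["Annotation"])
```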

AWS Systems Manager


AWS Systems Manager is a management service that allows you to take actions on your AWS resources
as necessary. It provides you with a quick view of operational data for groups of resources, making it easy
to detect any issues that could impact applications that rely on those resources. You can group resources
by various criteria, such as applications, application layers, or production versus development
environments. Systems Manager displays operational data for your resource groups on a single
dashboard, eliminating the need to switch between different AWS consoles. For example, you can create
a resource group for an application that uses Amazon EC2, Amazon S3, and Amazon RDS. Systems
Manager can check for software changes installed on your Amazon EC2 instances, changes in your S3
objects, or stopped database instances.

AWS Systems Manager provides detailed insights into the current state of your resource groups, allowing
you to understand and control them quickly. The Systems Manager Explorer and Inventory dashboards
offer various tools to view system configurations, such as operating system patch levels, software
installations, and application configurations. Moreover, it is integrated with AWS Config, allowing you to
track changes across your resources over time. AWS Systems Manager offers several features to help
maintain security and compliance in your environment. It can scan your instances against your patch,
configuration, and custom policies, helping you identify and address potential security issues.

Systems Manager also enables you to manage your servers at scale remotely without manually logging in
to each server. This feature can be especially helpful in large-scale environments, where managing
resources individually can be time-consuming and error prone. Systems Manager provides a centralized
store for managing your configuration data, including plain text items such as database strings and
secrets like passwords. By separating your secrets and configuration data from your code, you can help
reduce the risk of security breaches and simplify your development and deployment processes.

AWS Systems Manager is the hub of your operation for managing all your AWS applications and resources
along with your on-premises environments, keeping everything in one place for easy monitoring and
auditing. For more information, visit the AWS Systems Manager documentation.

AWS Cost Management


The AWS cost management process includes planning, organizing, reporting, analysing, and controlling
AWS resource usage and associated costs. AWS uses the term cloud financial management to cover the
ten cost management services, best practices, and cost optimization techniques it offers. The practice
also involves selecting and allocating just enough computing power, storage, and other cloud resources
to ensure a task runs smoothly with minimal cloud waste. Cost management in AWS is a continuous
process of improving cloud cost visibility. AWS billing is also based on usage, so cost management also
involves forecasting, budgeting, monitoring, and controlling AWS spending.

The cost management services cover three aspects: use case, capability, and ideal tool/resource.
Utilizing them will enable you to:

• Manage cloud financial planning.

• Forecast and budget costs.

• Use consolidated billing for cost control.

• Reduce your AWS bill using AWS pricing optimizations.

Viewing previous months’ usage metrics for each service is necessary to manage AWS costs. Logging in
to the Billing and Cost Management Dashboard will enable you to examine usage patterns with AWS Cost
& Usage Report and AWS Cost Explorer. Cost allocation in the AWS public cloud is based on factors such
as the type of Amazon EC2 instances deployed and usage per second.

AWS Cost Management Best Practices


• Use Reserved Instances and Savings Plans.

• Use predictive analytics for cost forecasting.

• Optimize resource utilization.

• Take advantage of Free Tier and Spot Instances.

• Review and adjust cost allocation.

• Regularly audit and optimize.

• Implement detailed cost reporting.

• Educate your team.

AWS Free Tier


AWS Free Tier is automatically activated on each new AWS account. With the AWS Free Tier, you can try
out some AWS services free of charge up to a specific maximum amount of usage each month. Not all
AWS services are free. Some services launched under the Free Tier have usage limits. If you exceed the
usage limits, then you're charged at standard rates. Check the AWS Free Tier offerings to be sure that the
services you intend to use are covered and the applicable usage limits.

Types of Offers
• 12-Months Free: Only new customers are eligible for 12 months of free service. If you exceed the
allowed usage, then you will be charged according to pay-as-you-go service rates.

• Always Free: These offers are available to both existing and new customers and do not expire
after 12 months of free usage. Usage limits still apply, but the offers are very useful when you
perform proofs of concept (POCs).

• Trials: Services are available for short-term, limited usage, and the free trial starts from the
time you begin using the service. After the trial period is over, you can continue to use the
service by paying pay-as-you-go rates.

The Amazon Free Tier isn’t available within the AWS GovCloud (US) Regions or the China (Beijing) region
at this point. The Lambda free tier is available within the AWS GovCloud (US) Region.

Limits
All services provided with AWS Free Tier have limits, and the usage is capped. Many services have
multiple types of limits. For instance, Amazon EC2 limits both the instance types you can use and the
number of hours you can use them each month for 12 months. Amazon S3 limits how much storage
you'll use and how often you'll call certain operations monthly; for instance, the Free Tier covers
the first 20,000 times you retrieve a file from Amazon S3, but you're charged for extra file retrievals. Each
service has limits that are unique to the service.

• Database Limits: AWS offers 4 database services that are available in a Free Tier account with a
few limitations. RDS consists of two components, compute and storage. It makes it easier to set up,
operate, and scale databases in the cloud. It provides cost-efficient, resizable capacity in an
industry-standard database and manages common database administration tasks.
DynamoDB pricing is straightforward: you're charged a price per GB per month. This rate varies
across regions but is between $0.25 and $0.30 per GB-month in most regions. The second pricing
parameter, provisioned throughput, may be a little more novel.

• Analytics Limits: Amazon Kinesis Data Analytics is the easiest method to analyse streaming
data, gain actionable insights, and respond to your business and customer needs. Amazon
Kinesis Data Analytics reduces the complexity of building, managing, and integrating streaming
applications with other AWS services. AWS Data Pipeline supports automating the transport and
transformation of data. Pipelines implement an ETL process that extracts and transforms data
from multiple sources and delivers it downstream to Amazon Web Services. Amazon Elasticsearch
Service (Amazon ES) is a fully managed service that makes it easy to deploy, secure, operate, and
scale Elasticsearch within the AWS Cloud.

• Compute Limits: Amazon EC2 charges based on hours of usage, not based on the number of
instances you're running. Amazon EC2's simple web service interface allows you to get and
configure capacity with minimal friction. Amazon EC2 Container Registry (ECR) is a secure,
fully managed Docker container registry that makes it easy for developers to store, manage, and
deploy Docker container images. AWS Lambda fills the primary role of the compute service on
AWS. It also integrates with many other AWS services and, alongside API Gateway, DynamoDB,
and RDS, forms the basis for serverless solutions for those using AWS. Elastic Load Balancing
distributes incoming application or network traffic across multiple targets and can automatically
scale to accommodate most workloads.

• Storage Limits: AWS S3 is a secure, durable, and scalable object storage service, mostly used as
file storage. S3 is widely used for hosting web content because it supports high bandwidth and
demand. Scripts can also be stored in S3, making it possible to host static websites that use
JavaScript. Amazon EFS provides a simple, scalable, fully managed elastic NFS file system for
use with AWS Cloud services and on-premises resources. It scales on demand to petabytes
without disrupting applications, growing and shrinking automatically as you add and remove
files.

Amazon CloudFront is a global Content Delivery Network (CDN) service that securely delivers a website’s
dynamic, static, and streaming content from a worldwide network of edge locations. Amazon Elastic
Block Storage is durable block-level storage used with EC2 instances in the AWS cloud. EBS Volumes are
mounted onto EC2 instances like you would do with a physical hard drive in an on-premises environment.

• Hourly Usage in the AWS Free Tier: Some services, like Amazon EC2, Amazon RDS, and Elastic
Load Balancing, charge for usage on an hourly basis. The AWS Free Tier for these services
provides you with a monthly allotment of hours for the first 12 months. For example, the AWS
Free Tier for Amazon EC2 provides you with 750 hours of usage of Linux (any combination of
t1.micro and t2.micro instances), plus 750 hours of usage of Windows (any combination of
t1.micro and t2.micro instances). In regions where t2.micro isn’t available, the t3.micro
equivalent is supported under AWS Free Tier.

AWS Billing Management

AWS Billing
AWS Billing and Cost Management provides a suite of features to help you set up your billing, retrieve and
pay invoices, and analyse, organize, plan, and optimize your costs. To get started, set up your billing to
match your requirements. For individuals or small organizations, AWS will automatically charge the credit
card provided. For larger organizations, you can use AWS Organizations to consolidate your charges
across multiple AWS accounts. You can then configure invoicing, tax, purchase order, and payment
methods to match your organization's procurement processes. You can allocate your costs to teams,
applications, or environments by using cost categories, cost allocation tags, or AWS Cost Explorer.
You can also export data to your preferred data warehouse or business intelligence tool.

Features
• Billing and payments

• Cost analysis

• Cost organization

• Budgeting and planning

• Savings and commitments

Billing and payments


Understand your monthly charges, view and pay invoices, and manage preferences for billing, invoices,
tax, and payments. The bills page allows you to download invoices and view detailed monthly billing data
to understand how your charges were calculated. Create and manage your purchase orders to comply
with your organization’s unique procurement processes. Understand your outstanding or past-due
payment balance and payment history. Set up multiple payment methods for different AWS service
providers or parts of your organization. Review credit balances and choose where credits should be
applied. Enable invoice delivery by email and set your preferences for credit sharing, alerts, and discount
sharing.

Cost analysis
Analyse your costs, export detailed cost and usage data, and forecast your spending. AWS Cost Explorer
lets you analyse your cost and usage data with visuals, filtering, and grouping. You can forecast your costs
and create custom reports. Create custom data exports from Billing and Cost Management datasets. Set
up automated alerts when AWS detects a cost anomaly to reduce unexpected costs. Monitor current and
forecasted usage of free tier services to avoid unexpected costs. Enable detailed cost and usage data for
shared Amazon Elastic Container Service (Amazon ECS) resources. Manage what data member accounts
can view, change account data granularity, and configure cost optimization preferences.

Cost organization
Organize your costs across teams, applications, or end customers. Map costs to teams, applications, or
environments using cost categories, and view costs along these dimensions in Cost Explorer and data
exports. Use resource tags to organize and view costs by cost allocation tag in Cost Explorer and data
exports.

Budgeting and planning


Estimate the cost of a planned workload and create budgets to track and control costs. Set custom
budgets for cost and usage to govern costs across your organization and receive alerts when costs
exceed your defined thresholds.

Savings and commitments


Optimize resource usage and use flexible pricing models to lower your bill. The AWS Cost Optimization
Hub helps identify savings opportunities with tailored recommendations, including deleting unused
resources, rightsizing, Savings Plans, and reservations. Reduce your bill compared to on-demand prices
with flexible pricing models through Savings Plans. Manage your Savings Plans inventory, review purchase
recommendations, and analyze Savings Plan utilization and coverage. Reserve capacity at discounted
rates for Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (Amazon
RDS), Amazon Redshift, Amazon DynamoDB, and more.

AWS Billing – Related Services

AWS Billing Conductor


Billing Conductor is a custom billing service that supports the showback and chargeback workflows of
AWS Solution Providers and AWS Enterprise customers. You can customize a second, alternative version
of your monthly billing data. The service models the billing relationship between you and your customers
or business units. Billing Conductor doesn't change the way that you're billed by AWS each month;
instead, you can use the service to configure, generate, and display rates to specific customers over a
given billing period. You can also use it to analyze the difference between the rates that you apply to your
groupings relative to the actual rates for those same accounts from AWS.

IAM
You can use AWS Identity and Access Management (IAM) to control who in your account or organization
has access to specific pages on the Billing and Cost Management console. For example, you can control
access to invoices and detailed information about charges and account activity, budgets, payment
methods, and credits. IAM is a feature of your AWS account, requiring no additional sign-up or charges to
use. When you create an account, you begin with one sign-in identity that has complete access to all AWS
services and resources in the account, called the AWS account root user, accessed by signing in with the
email address and password used to create the account.

AWS Organizations
You can use the consolidated billing feature in Organizations to consolidate billing and payment for
multiple AWS accounts. Every organization has a management account that pays the charges of all the
member accounts. Consolidated billing offers the following benefits:

• One bill: Get one bill for multiple accounts.

• Easy tracking: Track charges across multiple accounts and download combined cost and usage
data.

• Combined usage: Combine the usage across all accounts in the organization to share the volume
pricing discounts, Reserved Instances discounts, and Savings Plans. This can result in a lower
charge for your project, department, or company than with individual standalone accounts.

• No extra fee: Consolidated billing is offered at no additional cost.

AWS Pricing Calculator


The AWS Pricing Calculator is a web-based planning tool to create estimates for your AWS use cases. Use
it to model your solutions before building them, explore AWS service price points, and review the
calculations behind your estimates. The AWS Pricing Calculator helps you plan your spending, find cost-
saving opportunities, and make informed decisions when using AWS. It is useful if you’re new to AWS and
for those looking to reorganize or expand their AWS usage.

AWS Account Management


AWS Organizations is an AWS service that you can use to manage your AWS accounts as a group. This
provides features like consolidated billing, where all of your accounts' bills are grouped together and
handled by a single payer. You can also centrally manage the security of your organization using policy-
based controls.

Trusted access
When you use AWS Organizations to manage your accounts as a group, most administrative tasks for the
organization can be performed only by the organization's management account. By default, this includes
only operations related to managing the organization itself. You can extend this functionality to other AWS
services by enabling trusted access between Organizations and that service. Trusted access grants
permissions to the specified AWS service to access information about the organization and the accounts
it contains.

Delegated admin
After enabling trusted access, you can designate one of your member accounts as a delegated admin
account for AWS Account Management. This allows the delegated admin account to perform the same
Account Management metadata management tasks for the member accounts in your organization that
were previously only possible by the management account. The delegated admin account can access
only the management tasks for the Account Management service and does not have all the administrative
access to the organization that the management account has.

Service control policies


When your AWS account is part of an organization managed by AWS Organizations, the administrator can
apply service control policies (SCPs) that can limit what the principals in member accounts can do. An
SCP never grants permissions; instead, it filters and limits what permissions can be used by the member
account. A user or role (a principal) in a member account can perform only those operations that are
allowed by both the SCPs that apply to the account and the IAM permission policies attached to the
principal.
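To make the evaluation rule above concrete, here is an added example (not from the page, AWS, or any real account) that models it in Python: a constructed SCP that removes the Account Management contact-metadata actions from member-account principals, a constructed IAM identity policy, and an is_allowed() check that requires both layers to allow. The policy documents, the simplified matching rules, and the helper names are assumptions.

```python
"""Simplified IAM + SCP evaluation for a member-account principal.

Rule from the text: an action is permitted only when it is allowed by every
SCP that applies to the account AND by the IAM policy attached to the
principal; an explicit Deny in either layer blocks it, and an SCP on its own
never grants anything. (Added example; policies below are constructed.)"""
import fnmatch
import json

# Constructed SCP: allow everything, then deny changes to account contact
# metadata (Account Management API actions) from inside member accounts.
SCP_RESTRICT_ACCOUNT_METADATA = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["account:PutAlternateContact",
                "account:DeleteAlternateContact",
                "account:PutContactInformation"],
     "Resource": "*"}
  ]
}
""")

# Constructed IAM identity policy attached to an operations role.
IAM_OPS_ROLE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["account:*", "ec2:Describe*"], "Resource": "*"}
  ]
}
""")


def _policy_decision(policy, action):
    """Return 'deny', 'allow' or 'implicit_deny' for one policy document."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        # IAM action matching is case-insensitive and supports * and ? wildcards
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in actions):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit deny always wins
        decision = "allow"
    return decision


def is_allowed(action, scps, identity_policies):
    """Effective permission: every SCP must allow AND some identity policy must allow."""
    for scp in scps:
        if _policy_decision(scp, action) != "allow":
            return False  # SCP filters the action out, regardless of IAM policy
    return any(_policy_decision(p, action) == "allow" for p in identity_policies)


if __name__ == "__main__":
    scps = [SCP_RESTRICT_ACCOUNT_METADATA]
    for act in ("account:GetContactInformation", "account:PutAlternateContact",
                "ec2:DescribeInstances", "ec2:RunInstances"):
        verdict = "ALLOWED" if is_allowed(act, scps, [IAM_OPS_ROLE]) else "denied"
        print(f"{act:32} -> {verdict}")
    # SCP allows, but no IAM policy grants it: still denied
    print("SCP alone grants nothing:", is_allowed("ec2:DescribeInstances", scps, []))
```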

Enable trusted access for AWS Account Management


Enabling trusted access for AWS Account Management allows the administrator of the management
account to modify the information and metadata (such as primary or alternate contact details) specific to
each member account in AWS Organizations. After trusted access is enabled, you can use the accountID
parameter in Account Management API operations that support it, provided the operation is called using
credentials from the management account or the delegated admin account if one is enabled.

AWS Management Console


To enable trusted access for AWS Account Management:

1. Sign in to the AWS Organizations console as an IAM user, assume an IAM role, or sign in as the
root user (not recommended) in the organization’s management account.

2. Choose Services in the navigation pane.

3. Choose AWS Account Management from the list of services.

4. Choose Enable trusted access.

5. In the dialog box, type “enable” to confirm it, then choose Enable trusted access.

AWS CLI & SDKs


To enable trusted access for AWS Account Management, run the following command. After executing it,
you can use credentials from the organization's management account to call Account Management API
operations that use the --account-id parameter to reference member accounts in the organization.

AWS CLI: $ aws organizations enable-aws-service-access --service-principal account.amazonaws.com

This command produces no output if successful.

To disable trusted access with Account Management


Only an administrator in the AWS Organizations management account can disable trusted access with
AWS Account Management. You can disable trusted access using only the Organizations tools, either
through the AWS Organizations console, an Organizations AWS CLI command, or by calling an
Organizations API operation in one of the AWS SDKs.

To disable trusted service access using the Organizations console


1. Sign in to the AWS Organizations console.

2. In the navigation pane, choose Services.

3. Choose AWS Account Management from the list of services.

4. Choose Disable trusted access.

5. In the dialog box, type “disable” to confirm it, then choose Disable trusted access.

6. If you are the administrator of only AWS Organizations, inform the administrator of AWS Account
Management that they can now disable that service using its console or tools.

AWS Account Management


AWS CLI & SDKs
To disable trusted service access using the Organizations CLI/SDK, use the following AWS CLI command
or API operation:

AWS CLI: $ aws organizations disable-aws-service-access \
    --service-principal account.amazonaws.com

This command produces no output when successful.

AWS API: DisableAWSServiceAccess

Enabling a Delegated Administrator Account for Account Management


When you designate a member account to be a delegated administrator for the organization, users and
roles from the designated account can manage the AWS account metadata for other member accounts in
the organization. If you don't enable a delegated admin account, then these tasks can be performed only
by the organization's management account.

AWS CLI & AWS API


If you want to configure a delegated administrator account using the AWS CLI or one of the AWS SDKs,
you can use the following commands:

AWS CLI: $ aws organizations register-delegated-administrator \
    --account-id 123456789012 \
    --service-principal account.amazonaws.com

AWS SDK: Call the Organizations RegisterDelegatedAdministrator operation, passing the member
account's ID and the service principal account.amazonaws.com as parameters.

AWS Budgets
AWS Budgets allows you to track and take action on your AWS costs and usage. You can use AWS
Budgets to monitor your aggregate utilization and coverage metrics for your Reserved Instances (RIs) or
Savings Plans. AWS Budgets enable simple-to-complex cost and usage tracking.

Example:

o Setting a monthly cost budget with a fixed target amount to track all costs associated with your
account.
o Setting a monthly cost budget with a variable target amount, with each subsequent month
growing the budget target by 5 percent.
o Setting a monthly usage budget with a fixed usage amount and forecasted notifications to help
ensure that you are staying within the service limits for a specific service.
o Setting a daily utilization or coverage budget to track your RI or Savings Plans.

Types
• Cost Budgets: Plan how much you want to spend on a service.

• Usage Budgets: Plan how much you want to use one or more services.

• RI Utilization Budgets: Define a utilization threshold and receive alerts when your RI usage falls
below that threshold. This lets you see if your RIs are unused or under-utilized.

• RI Coverage Budgets: Define a coverage threshold and receive alerts when the number of your
instance hours that are covered by RIs falls below that threshold. This lets you see how much of
your instance usage is covered by a reservation.

• Savings Plans Utilization Budgets: Define a utilization threshold and receive alerts when the
usage of your Savings Plans falls below that threshold. This lets you see if your Savings Plans are
unused or under-utilized.

• Savings Plans Coverage Budgets: Define a coverage threshold and receive alerts when your
Savings Plans eligible usage that is covered by Savings Plans falls below that threshold. This lets
you see how much of your instance usage is covered by Savings Plans.

AWS Budgets
You can set up optional notifications that warn you if you exceed, or are forecasted to exceed, your
budgeted amount for cost or usage budgets. Notifications can be sent to an Amazon SNS topic, to an
email address, or to both. In consolidated billing within an organization, if you own the management
account, you can use IAM policies to control access to budgets by member accounts. A budget is only
visible to users with access to the account that created the budget, and with access to the budget itself.

AWS Trusted Advisor


AWS Trusted Advisor draws upon best practices learned from the aggregated operational history of
serving over a million AWS customers. It inspects your AWS environment and makes recommendations
when opportunities exist to save money, improve system availability and performance, or help close
security gaps. AWS Trusted Advisor provides best practices in four categories: cost optimization, security,
fault tolerance, and performance improvement.

AWS Trusted Advisor Checks


All AWS customers have access to four AWS Trusted Advisor checks at no cost. The four standard AWS
Trusted Advisor checks are:

• Service Limits: Checks for usage that is more than 80 percent of the service limit. These values
are based on a snapshot, so current usage might differ and can take up to 24 hours to reflect
changes.

• Security Groups – Specific Ports Unrestricted: Checks security groups for rules that allow
unrestricted access (0.0.0.0/0) to specific ports.

• IAM Use: Checks for your use of AWS IAM.

• MFA on Root Account: Checks the root account and warns if MFA is not enabled.
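Two of the four free checks above, re-implemented as an added offline example (not Trusted Advisor's own code) over constructed security-group and service-limit records, so that the rules are explicit and can be tried against your own exported data. The sensitive-port watch list, the record shapes (modelled on EC2 describe-security-groups output), and the sample values are assumptions.

```python
"""Offline re-implementation of two free Trusted Advisor checks:
'Security Groups - Specific Ports Unrestricted' and 'Service Limits'.
Added example over constructed data; the port list is an assumption."""

# Assumed watch list of sensitive ports; the real check keeps its own list.
SENSITIVE_PORTS = {20, 21, 22, 23, 25, 110, 135, 143, 445,
                   1433, 1434, 3306, 3389, 4333, 5432, 5500}
ANYWHERE = {"0.0.0.0/0", "::/0"}   # "unrestricted access" source ranges
LIMIT_WARN_RATIO = 0.80            # text: usage above 80 percent of the limit


def _rule_ports(perm):
    """Sensitive ports opened by one IpPermissions entry ('-1' = all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def unrestricted_sensitive_ports(security_groups):
    """Return [(group_id, port, cidr)] for sensitive ports open to the world."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in ANYWHERE:
                    for port in sorted(_rule_ports(perm)):
                        findings.append((sg["GroupId"], port, cidr))
    return findings


def service_limit_warnings(usage_snapshot):
    """Return 'name: used/limit' for every limit whose usage exceeds 80 percent."""
    return [f"{name}: {used}/{limit}"
            for name, used, limit in usage_snapshot
            if limit and used / limit > LIMIT_WARN_RATIO]


# Constructed sample data (shape mirrors describe-security-groups output)
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000aaaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000bbbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
# Constructed (service limit name, current usage, limit) snapshot
SAMPLE_LIMITS = [("ec2:vCPU on-demand (standard)", 520, 640),
                 ("vpc:VPCs per Region", 3, 5),
                 ("elb:Application Load Balancers", 41, 50)]

if __name__ == "__main__":
    for gid, port, cidr in unrestricted_sensitive_ports(SAMPLE_GROUPS):
        print(f"{gid}: sensitive port {port} open to {cidr}")
    for warning in service_limit_warnings(SAMPLE_LIMITS):
        print("Approaching limit:", warning)
```

Port 443 open to the world is deliberately not reported: the check concerns a fixed set of sensitive ports, not every public rule.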

Customers with a Business or Enterprise AWS Support plan can view all AWS Trusted Advisor checks—
over 50 checks. There may be occasions when a particular check is not relevant to some resources in
your AWS environment. You have the ability to exclude items from a check and optionally restore them
later at any time. AWS Trusted Advisor acts like a customized cloud expert, helping organizations
provision their resources by following best practices while identifying inefficiencies, waste, potential cost
savings, and security issues.

Benefits of AWS Trusted Advisor


• Align with AWS Best Practices: Identify deviations from AWS best practices and receive
recommended actions to remediate.

• Prioritize Important Recommendations: Prioritized recommendations from your AWS account
team, based on your business priorities, critical applications, and urgency of recommendation,
available to Enterprise Support customers.

• Streamline Collaboration Across Your Organization: Achieve better alignment in your teams
through greater visibility, monitoring, and tracking of prioritized recommendations, available to
Enterprise Support customers.

• Optimize Your AWS Resources at Scale: Gain an aggregated view of recommendations across
your organization or integrate programmatically with Trusted Advisor APIs.

AWS Trusted Advisor Use Cases


• Optimize Cost and Efficiency: Identify unused resources and opportunities to lower your costs.
Assess your AWS environment and take actions to continuously optimize for efficiency.

• Address Security Gaps: Assess your AWS environment against security standards and best
practices.

• Improve Performance: Analyse usage and configuration of your AWS environment to improve
the speed and responsiveness of your applications.

• Improve Resilience: Examine your AWS environment to check for redundancy shortfalls and
overused resources.

• Track Service Limits: Check the usage for your account and get notifications when your account
approaches or exceeds your service limits.
