Module 5

Uploaded by

srinithiraja1979
Module:5

AWS Management Tools & Cost Management

AWS Management Tools
• AWS Management Tools help the user manage the
components of the cloud and their account. They
allow the user to provision, monitor, and automate
all the components programmatically.
• Several types of management tools are integrated
with the AWS platform; the integration spans
services from Amazon EC2 to DynamoDB.
• These AWS Management Tools help the user control
every part of the cloud infrastructure.
What is Amazon CloudWatch?
• Amazon CloudWatch monitors your Amazon Web Services (AWS)
resources and the applications you run on AWS in real time. You can use
CloudWatch to collect and track metrics, which are variables you can
measure for your resources and applications.
• The CloudWatch home page automatically displays metrics about every
AWS service you use. You can additionally create custom dashboards to
display metrics about your custom applications, and display custom
collections of metrics that you choose.
• You can create alarms that watch metrics and send notifications
or automatically make changes to the resources you are
monitoring when a threshold is breached.
• For example, you can monitor the CPU usage and disk reads and writes of
your Amazon EC2 instances and then use that data to determine whether
you should launch additional instances to handle increased load. You can
also use this data to stop under-used instances to save money.
• With CloudWatch, you gain system-wide visibility into resource utilization,
application performance, and operational health.
Amazon CloudWatch
• Amazon Simple Notification Service (Amazon SNS) coordinates and manages
the delivery or sending of messages to subscribing endpoints or clients. You use
Amazon SNS with CloudWatch to send messages when an alarm threshold has been
reached.
• Amazon EC2 Auto Scaling enables you to automatically launch or terminate
Amazon EC2 instances based on user-defined policies, health status checks, and
schedules. You can use a CloudWatch alarm with Amazon EC2 Auto Scaling to scale
your EC2 instances based on demand.
• AWS CloudTrail enables you to monitor the calls made to the Amazon CloudWatch
API for your account, including calls made by the AWS Management Console, AWS
CLI, and other services. When CloudTrail logging is turned on, CloudWatch writes log
files to the Amazon S3 bucket that you specified when you configured CloudTrail.
• AWS Identity and Access Management (IAM) is a web service that helps you
securely control access to AWS resources for your users. Use IAM to control who can
use your AWS resources (authentication) and what resources they can use in which
ways (authorization).
AWS CloudTrail
• AWS CloudTrail is an AWS service that helps you enable
operational and risk auditing, governance, and
compliance of your AWS account.
• Actions taken by a user, role, or an AWS service are
recorded as events in CloudTrail.
• Events include actions taken in the AWS Management
Console, AWS Command Line Interface, and AWS SDKs
and APIs.
• CloudTrail is active in your AWS account when you create
it. When activity occurs in your AWS account, that
activity is recorded in a CloudTrail event.
AWS CloudTrail
• Event history – The Event history provides a viewable, searchable,
downloadable, and immutable record of the past 90 days of
management events in an AWS Region. You can search events by
filtering on a single attribute. You automatically have access to the
Event history when you create your account.
• CloudTrail Lake – AWS CloudTrail Lake is a managed data lake for
capturing, storing, accessing, and analyzing user and API activity on
AWS for audit and security purposes.
• Trails – Trails capture a record of AWS activities, delivering and
storing these events in an Amazon S3 bucket, with optional delivery
to CloudWatch Logs and Amazon EventBridge.
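To show what auditing the recorded events looks like in practice, the following added example (not part of the original slides) reviews a log file of the kind a trail delivers to S3 and reports a few audit findings. The sample records are constructed, and the finding labels and function names are this example's own.

```python
import json

# Constructed sample in the CloudTrail log-file layout ({"Records": [...]});
# account IDs and users are made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "readOnly": False,
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/carol"}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "readOnly": False,
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/bob"}},
]})

# API calls that change or disable the trail that records everything else.
TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DENIED = {"AccessDenied", "Client.UnauthorizedOperation"}


def review_record(rec):
    """Return the audit findings (short labels) raised by one event record."""
    findings = []
    name = rec.get("eventName", "")
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_CHANGES:
        findings.append("trail-configuration-changed")
    if name == "ConsoleLogin":
        succeeded = (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        mfa = (rec.get("additionalEventData") or {}).get("MFAUsed")
        # Federated sign-ins can report "No" when MFA is enforced at the IdP.
        if succeeded and mfa != "Yes":
            findings.append("console-login-without-mfa")
    if rec.get("errorCode") in DENIED and not rec.get("readOnly", False):
        findings.append("denied-write-attempt")
    if (rec.get("userIdentity") or {}).get("type") == "Root":
        findings.append("root-user-activity")
    return findings


def review_log(text):
    """Parse one log file and return (time, principal, event, finding) tuples."""
    results = []
    for rec in json.loads(text).get("Records", []):
        who = (rec.get("userIdentity") or {}).get("arn", "unknown")
        for finding in review_record(rec):
            results.append((rec.get("eventTime"), who, rec.get("eventName"), finding))
    return results


if __name__ == "__main__":
    for row in review_log(SAMPLE_LOG):
        print(*row, sep="  ")
```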
AWS Config
• AWS Config provides a detailed view of the configuration of AWS resources in your AWS
account. This includes how the resources are related to one another and how they were
configured in the past so that you can see how the configurations and relationships change
over time.
• An AWS resource is an entity you can work with in AWS, such as an Amazon Elastic
Compute Cloud (EC2) instance, an Amazon Elastic Block Store (EBS) volume, a security
group, or an Amazon Virtual Private Cloud (VPC).
• AWS Config is a service that enables you to assess, audit, and evaluate the configurations of
your AWS resources. Config continuously monitors and records your AWS resource
configurations and allows you to automate the evaluation of recorded configurations against
desired configurations.
• With Config, you can review changes in configurations and relationships between AWS
resources, dive into detailed resource configuration histories, and determine your overall
compliance against the configurations specified in your internal guidelines.

AWS Config is designed to help you oversee your
application resources in the following scenarios:

1. Resource Administration
• To exercise better governance over your resource
configurations and to detect resource
misconfigurations, you need fine-grained visibility into
what resources exist and how these resources are
configured at any time.

2. Auditing and Compliance
• You might be working with data that requires
frequent audits to ensure compliance with internal
policies and best practices. To demonstrate
compliance, you need access to the historical
configurations of your resources. This information is
provided by AWS Config.

3. Managing and Troubleshooting Configuration Changes
• When you use multiple AWS resources that depend on
one another, a change in the configuration of one
resource might have unintended consequences on
related resources. With AWS Config, you can view how
the resource you intend to modify is related to other
resources and assess the impact of your change.
• You can also use the historical configurations of your
resources provided by AWS Config to troubleshoot
issues and to access the last known good
configuration of a problem resource.

4. Security Analysis
• To analyze potential security weaknesses, you need detailed
historical information about your AWS resource configurations,
such as the AWS Identity and Access Management (IAM)
permissions that are granted to your users, or the Amazon EC2
security group rules that control access to your resources.
• You can use AWS Config to view the IAM policy that was
assigned to a user, group, or role at any time in which AWS
Config was recording. This information can help you determine
the permissions that belonged to a user at a specific time: for
example, you can view whether the user John Doe had
permission to modify Amazon VPC settings on Jan 1, 2015.
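The John Doe question above comes down to a point-in-time lookup over the recorded configuration history followed by a policy check. The following added example (not from the original slides) works through it with a constructed history in a simplified shape, not AWS Config's own schema; the policy check is a reduced model that matches only on Action and ignores Resource, Condition, permission boundaries and organization policies.

```python
from bisect import bisect_right
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def ts(text):
    """Parse an ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed history for the user "John Doe": (capture time, policy statements
# in effect from that time on), sorted by capture time.
HISTORY = [
    (ts("2014-11-03T09:00:00"), [{"Effect": "Allow", "Action": ["ec2:Describe*"]}]),
    (ts("2014-12-15T14:30:00"), [{"Effect": "Allow", "Action": ["ec2:*"]}]),
    (ts("2015-01-20T08:00:00"), [{"Effect": "Allow", "Action": ["ec2:*"]},
                                 {"Effect": "Deny", "Action": "ec2:*Vpc*"}]),
]


def statements_at(history, when):
    """Return the statements recorded at or before `when`, or None when the
    recorder had not captured anything yet."""
    times = [captured for captured, _ in history]
    index = bisect_right(times, when)
    return history[index - 1][1] if index else None


def action_allowed(statements, action):
    """Reduced evaluation: an explicit Deny wins, otherwise an Allow is
    required, and the default is deny. Action names match case-insensitively."""
    def matches(statement):
        patterns = statement["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

    if any(s["Effect"] == "Deny" and matches(s) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and matches(s) for s in statements)


def could_do(history, action, when):
    """True/False for the action at `when`; None if nothing was recorded yet."""
    statements = statements_at(history, when)
    if statements is None:
        return None
    return action_allowed(statements, action)


if __name__ == "__main__":
    # Could John Doe modify VPC settings on Jan 1, 2015?
    print(could_do(HISTORY, "ec2:ModifyVpcAttribute", ts("2015-01-01T00:00:00")))
```

A `None` result matters in an audit: it means the question cannot be answered because recording had not started, which is different from "not permitted".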
AWS Systems Manager
• AWS Systems Manager is the operations hub for your AWS applications and
resources and a secure end-to-end management solution for hybrid and multicloud
environments that enables secure operations at scale.
Systems Manager capabilities perform actions on your resources as follows:
• Access Systems Manager – Use one of the available options for accessing
Systems Manager.
• Choose a Systems Manager capability – Determine which capability can help
you perform the action you want to perform on your resources. The diagram shows
only a few of the capabilities that IT administrators and DevOps personnel use to
manage their applications and resources.
• Verification and processing – Systems Manager verifies that your user, group, or
role has the required AWS Identity and Access Management (IAM) permissions to
perform the action you specified. If the target of your action is a managed node, the
Systems Manager Agent (SSM Agent) running on the node performs the action. For
other types of resources, Systems Manager performs the specified action or
communicates with other AWS services to perform the action on behalf of Systems
• Reporting – Systems Manager, SSM Agent, and other AWS services
that performed an action on behalf of Systems Manager report status.
Systems Manager can send status details to other AWS services, if
configured.
• Systems Manager operations management capabilities – If
enabled, Systems Manager operations management capabilities such
as Explorer, OpsCenter, and Incident Manager aggregate operations
data or create artifacts in response to events or errors with your
resources. These artifacts include operational work items (OpsItems)
and incidents. Systems Manager operations management capabilities
provide operational insight into your applications and resources and
automated remediation solutions to help troubleshoot problems.
Systems Manager
AWS Cost Management
• AWS Billing and Cost Management provides a suite of features
to help you set up your billing, retrieve and pay invoices, and
analyze, organize, plan, and optimize your costs.
• To get started, set up your billing to match your requirements.
For individuals or small organizations, AWS will automatically
charge the credit card provided.
• For larger organizations, you can use AWS Organizations to
consolidate your charges across multiple AWS accounts. You
can then configure invoicing, tax, purchase order, and
payment methods to match your organization’s procurement
processes.
• You can allocate your costs to teams, applications, or
environments by using cost categories or cost allocation tags,
or using AWS Cost Explorer. You can also export data to your
preferred data warehouse or business intelligence tool.
AWS Cost Management
Billing and payments
Understand your monthly charges, view and pay invoices, and manage preferences
for billing, invoices, tax, and payments.
• Bills page – Download invoices and view detailed monthly billing data to
understand how your charges were calculated.
• Purchase orders – Create and manage your purchase orders to comply with
your organization’s unique procurement processes.
• Payments – Understand your outstanding or past-due payment balance and
payment history.
• Payment profiles – Set up multiple payment methods for different AWS service
providers or parts of your organization.
• Credits – Review credit balances and choose where credits should be applied.
• Billing preferences – Enable invoice delivery by email and your preferences for
credit sharing, alerts, and discount sharing.
AWS Cost Management
Cost analysis
Analyze your costs, export detailed cost and usage data, and forecast your
spending.
• AWS Cost Explorer – Analyze your cost and usage data with visuals, filtering,
and grouping. You can forecast your costs and create custom reports.
• Data exports – Create custom data exports from Billing and Cost Management
datasets.
• Cost Anomaly Detection – Set up automated alerts when AWS detects a cost
anomaly to reduce unexpected costs.
• AWS Free Tier – Monitor current and forecasted usage of free tier services to
avoid unexpected costs.
• Split cost allocation data – Enable detailed cost and usage data for shared
Amazon Elastic Container Service (Amazon ECS) resources.
• Cost Management preferences – Manage what data member accounts
can view, change account data granularity, and configure cost optimization
preferences.
AWS Cost Management
Cost organization
Organize your costs across teams, applications, or end customers.
• Cost categories – Map costs to teams, applications, or
environments, and then view costs along these dimensions in Cost
Explorer and data exports. Define split charge rules to allocate
shared costs.
• Cost allocation tags – Use resource tags to organize, and then
view costs by cost allocation tag in Cost Explorer and data exports.
Budgeting and planning
Estimate the cost of a planned workload, and create budgets to
track and control costs.
• Budgets – Set custom budgets for cost and usage to govern costs
across your organization and receive alerts when costs exceed your
defined thresholds.
AWS Cost Management
Savings and commitments
Optimize resource usage and use flexible pricing models to lower your bill.
• AWS Cost Optimization Hub – Identify savings opportunities with
tailored recommendations including deleting unused resources,
rightsizing, Savings Plans, and reservations.
• Savings Plans – Reduce your bill compared to on-demand prices with
flexible pricing models. Manage your Savings Plans inventory, review
purchase recommendations, and analyze Savings Plan utilization and
coverage.
• Reservations – Reserve capacity at discounted rates for Amazon Elastic
Compute Cloud (Amazon EC2), Amazon Relational Database Service
(Amazon RDS), Amazon Redshift, Amazon DynamoDB, and more.
AWS Free Tier
When you create an AWS account, you can try some AWS services
free of charge within certain usage limits.

Always free
• These free tier offers don't expire and are available to all AWS
customers.

12 months free
• You can use these offers for 12 months following your initial sign
up date to AWS.

Short-term trials
• You can use a free tier limit each month for less than 12 months.
Most short-term free trial offers start from the date that you
activate a particular service.
AWS Account Management
• An AWS account represents a formal business relationship you establish
with AWS. You create and manage your AWS resources in an AWS
account, and your account provides identity management capabilities
for access and billing.
• Each AWS account has a unique ID which differentiates it from other
AWS accounts.
• Your cloud resources and data are contained in an AWS account. An
account acts as an identity and access management isolation boundary.
• When you need to share resources and data between two accounts, you
must explicitly allow this access. By default, no access is allowed
between accounts.
• For example, if you designate different accounts to contain your
production and non-production resources and data, no access is allowed
between those environments by default.
AWS Account Management
• AWS accounts are also a fundamental part of accessing AWS services. As
shown in the following illustration, an AWS account serves two primary
functions:
• Resources container – An AWS account is the basic container for all the
AWS resources you create as an AWS customer. For example, an Amazon
Simple Storage Service (Amazon S3) bucket, an Amazon Relational
Database Service (Amazon RDS) database, and an Amazon Elastic
Compute Cloud (Amazon EC2) instance are all resources. Every resource is
uniquely identified by an Amazon Resource Name (ARN) that includes the
account ID of the account that contains, or owns, the resource.
• Security boundary – An AWS account is also the basic security boundary
for your AWS resources. Resources that you create in your account are
available to users who have credentials for your account. Among the key
resources you can create in your account are identities, such as users and
roles. Identities have credentials that someone can use to sign in
(authenticate) to AWS. Identities also have permission policies that specify
what a user can do (authorization) with the resources in the account.
AWS Budgets
• You can use AWS Budgets to track and take action on your AWS costs and usage. You can
use AWS Budgets to monitor your aggregate utilization and coverage metrics for your
Reserved Instances (RIs) or Savings Plans. If you're new to AWS Budgets, see Best practices
for AWS Budgets.
You can use AWS Budgets to enable simple-to-complex cost and usage tracking. Some
examples include:
• Setting a monthly cost budget with a fixed target amount to track all costs associated with
your account. You can choose to be alerted for both actual (after accruing) and forecasted
(before accruing) spends.
• Setting a monthly cost budget with a variable target amount, with each subsequent month
growing the budget target by 5 percent. Then, you can configure your notifications for 80
percent of your budgeted amount and apply an action. For example, you could automatically
apply a custom IAM policy that denies you the ability to provision additional resources within
an account.
• Setting a monthly usage budget with a fixed usage amount and forecasted notifications to
help ensure that you are staying within the service limits for a specific service. You can also
be sure you are staying under a specific AWS Free Tier offering.
• Setting a daily utilization or coverage budget to track your RI (Reserved Instances) or
Savings Plans. You can choose to be notified through email and Amazon SNS topics when
your utilization drops below 80 percent for a given day.
AWS Budgets
• AWS Budgets information is updated up to three times a day. Updates typically occur 8–12
hours after the previous update. Budgets can track your unblended, amortized, and blended
costs. Budgets can include or exclude charges such as discounts, refunds, support fees, and
taxes.

You can create the following types of budgets:

• Cost budgets – Plan how much you want to spend on a service.
• Usage budgets – Plan how much you want to use one or more services.
• RI utilization budgets – Define a utilization threshold and receive alerts when your RI usage
falls below that threshold. This lets you see if your RIs are unused or under-utilized.
• RI coverage budgets – Define a coverage threshold and receive alerts when the number of your
instance hours that are covered by RIs fall below that threshold. This lets you see how much of
your instance usage is covered by a reservation.
• Savings Plans utilization budgets – Define a utilization threshold and receive alerts when the
usage of your Savings Plans falls below that threshold. This lets you see if your Savings Plans
are unused or under-utilized.
• Savings Plans coverage budgets – Define a coverage threshold and receive alerts when your
Savings Plans eligible usage that is covered by Savings Plans fall below that threshold. This lets
AWS Trusted Advisor
• AWS Trusted Advisor is an online resource to help you reduce cost,
increase performance, and improve security by optimizing your
AWS environment.
• AWS Trusted Advisor provides real-time guidance to help you
provision your resources following AWS best practices.
• To help you maximize utilization of Reserved Instances, AWS
Trusted Advisor checks your Amazon EC2 computing-consumption
history and calculates an optimal number of Partial Upfront
Reserved Instances.
• Recommendations are based on the previous calendar month's
hour-by-hour usage aggregated across all consolidated billing
accounts.
• Note that Trusted Advisor does not provide size-flexible Reserved
Instance recommendations.
AWS Trusted Advisor
• Trusted Advisor draws upon best practices learned from serving hundreds
of thousands of AWS customers.
• Trusted Advisor inspects your AWS environment, and then makes
recommendations when opportunities exist to save money, improve
system availability and performance, or help close security gaps.
• If you have a Basic or Developer Support plan, you can use the Trusted
Advisor console to access all checks in the Service Limits category and six
checks in the Security category.
• If you have a Business, Enterprise On-Ramp, or Enterprise Support plan,
you can use the Trusted Advisor console and the AWS Trusted Advisor API
to access all Trusted Advisor checks. You also can use Amazon CloudWatch
Events to monitor the status of Trusted Advisor checks.
• You can use the Trusted Advisor Recommendations page of the Trusted
Advisor console to review check results for your AWS account and then
follow the recommended steps to fix any issues. For example, Trusted
Advisor might recommend that you delete unused resources to reduce
your monthly bill, such as an Amazon Elastic Compute Cloud (Amazon
EC2) instance.
On the Trusted Advisor Recommendations page, view the summary for
each check category:
• Action recommended (red) – Trusted Advisor recommends an action for
the check. For example, a check that detects a security issue for your
IAM resources might recommend urgent steps.
• Investigation recommended (yellow) – Trusted Advisor detects a
possible issue for the check. For example, a check that reaches a quota
for a resource might recommend ways to delete unused resources.
• Checks with excluded items (gray) – The number of checks that have
excluded items, such as resources that you want a check to ignore. For
example, this might be Amazon EC2 instances that you don't want the
check to evaluate.
To view check categories
• In the navigation pane, choose the check category.
• On the category page, view the summary for each check category:
• Action recommended (red) – Trusted Advisor recommends an action for the check.
• Investigation recommended (yellow) – Trusted Advisor detects a possible issue for
the check.
• No problems detected (green) – Trusted Advisor doesn't detect an issue for the
check.
• Excluded items (gray) – The number of checks that have excluded items, such as
resources that you want a check to ignore.
Download check results
• You can download check results to get an overview of Trusted Advisor in
your account. You can download results for all checks or a specific check.

To download check results from Trusted Advisor Recommendations
• To download all check results, in the Trusted Advisor Recommendations
or a check category page, choose Download all checks.
• To download a check result for a specific check, choose the check name,
and then choose the download icon.
• Save or open the .xls file. The file contains the same summary
information from the Trusted Advisor console, such as the check name,
description, status, affected resources, and so on.
