3.5 Management and Governance Services
Key Takeaways
- AWS CloudFormation is Infrastructure as Code (IaC) — define AWS resources in YAML or JSON templates and deploy them consistently.
- AWS Systems Manager provides a unified interface for managing AWS resources at scale, including patch management and parameter store.
- AWS CloudWatch monitors AWS resources and applications, collecting metrics, setting alarms, and providing dashboards.
- AWS Trusted Advisor provides real-time guidance across five categories: cost optimization, performance, security, fault tolerance, and service limits.
- AWS Health Dashboard shows the status of AWS services that affect your specific resources and account.
Management and Governance Services
Infrastructure as Code (IaC)
AWS CloudFormation
AWS CloudFormation lets you model and provision AWS resources using templates written in JSON or YAML.
Key benefits:
- Repeatable deployments — Same template creates identical environments every time
- Version control — Store templates in Git to track infrastructure changes
- Rollback — Automatically roll back on failure
- Free — You only pay for the resources CloudFormation creates
- Stacks — A collection of AWS resources managed as a single unit
Example use case: Deploy a complete web application (VPC, EC2, RDS, S3, CloudFront) with a single template. Delete the stack to remove all resources.
AWS CDK (Cloud Development Kit)
Define cloud infrastructure using programming languages (TypeScript, Python, Java, C#, Go) instead of YAML/JSON. CDK synthesizes CloudFormation templates.
Monitoring and Observability
Amazon CloudWatch
CloudWatch is the primary monitoring and observability service for AWS.
| Feature | Description |
|---|---|
| Metrics | Collect and track metrics from AWS services (CPU, network, disk) |
| Alarms | Set thresholds and trigger actions (e.g., scale out when CPU > 70%) |
| Logs | Centralize, search, and analyze log data |
| Dashboards | Create visualizations of metrics and alarms |
| Events / EventBridge | React to state changes in AWS resources |
Common CloudWatch use cases:
- Monitor EC2 CPU utilization and trigger Auto Scaling
- Set billing alarms to avoid unexpected costs
- Centralize application logs for troubleshooting
- Create operational dashboards
On the Exam: CloudWatch = monitoring, metrics, alarms, logs, dashboards. CloudTrail = API call logging. Do NOT confuse them.
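The following template ties the CloudFormation section above to the CloudWatch alarm just described: it is an added example, not taken from these notes or from AWS documentation. It assumes a t3.micro instance, a 70% threshold over three 5-minute periods, and an e-mail address passed in as a parameter; the alarm notifies an SNS topic rather than driving Auto Scaling, and the AMI id is resolved from a public Parameter Store path instead of being hard-coded.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example (not from these notes) - one EC2 instance watched by a CloudWatch CPU alarm

Parameters:
  LatestAmiId:
    # Public Parameter Store path that resolves to the current Amazon Linux 2023 AMI,
    # so the template never hard-codes a Region-specific AMI id
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64
  AlertEmail:
    Type: String
    Description: Address that receives the alarm notification (assumed value, supplied at deploy time)

Resources:
  AlarmTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint: !Ref AlertEmail
          Protocol: email

  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmiId
      InstanceType: t3.micro   # assumed size; launches into the account's default VPC

  HighCpuAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Average CPU above 70% for three consecutive 5-minute periods
      Namespace: AWS/EC2
      MetricName: CPUUtilization
      Dimensions:
        - Name: InstanceId
          Value: !Ref WebInstance   # CloudFormation wires the new instance id in for you
      Statistic: Average
      Period: 300
      EvaluationPeriods: 3
      Threshold: 70
      ComparisonOperator: GreaterThanThreshold
      # Alarm action: notify. A scale-out action would point at an Auto Scaling policy ARN instead.
      AlarmActions:
        - !Ref AlarmTopic

Outputs:
  InstanceId:
    Value: !Ref WebInstance
```

Deleting the stack removes the instance, alarm and topic together, which is the single-unit clean-up behaviour the CloudFormation section describes.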
AWS X-Ray
Analyze and debug distributed applications (microservices). X-Ray provides an end-to-end view of requests as they travel through your application.
Advisory and Optimization
AWS Trusted Advisor
Trusted Advisor provides real-time recommendations across five categories:
| Category | What It Checks |
|---|---|
| Cost Optimization | Idle resources, underutilized instances, unused EBS volumes |
| Performance | Overutilized resources, high-utilization instances |
| Security | Open security groups, MFA not enabled on root, exposed access keys |
| Fault Tolerance | Resources not using Multi-AZ, missing backups |
| Service Limits | Resources approaching service quota limits |
Trusted Advisor tiers:
| Tier | Available Checks |
|---|---|
| Basic & Developer Support | 7 core checks (S3 bucket permissions, Security Groups, IAM, MFA, EBS snapshots, RDS snapshots, service limits) |
| Business & Enterprise Support | ALL checks (~115+) + API access + CloudWatch integration |
On the Exam: Trusted Advisor = recommendations across cost, performance, security, fault tolerance, and service limits. Full checks require Business or Enterprise Support.
AWS Compute Optimizer
Analyzes resource utilization and recommends optimal AWS compute resources (EC2 instances, EBS volumes, Lambda functions, ECS on Fargate).
Account and Resource Management
AWS Systems Manager
Systems Manager provides a unified interface for managing resources at scale:
| Feature | Description |
|---|---|
| Session Manager | Interactive shell access to EC2 instances without SSH keys or bastion hosts |
| Patch Manager | Automate OS and software patching |
| Parameter Store | Centralized storage for configuration data and secrets |
| Inventory | Collect metadata about your managed instances |
| Run Command | Execute commands across a fleet of instances |
AWS Health Dashboard
| Dashboard | What It Shows |
|---|---|
| Service Health Dashboard | General AWS service status across all Regions |
| Personal Health Dashboard | Events that affect YOUR specific AWS account and resources |
On the Exam: Personal Health Dashboard = events affecting YOUR account. Service Health Dashboard = general AWS service status.
Deployment and Developer Tools
| Service | Purpose |
|---|---|
| AWS CodeCommit | Managed Git repositories (deprecated — use GitHub, GitLab) |
| AWS CodeBuild | Fully managed build service (compile, test, package code) |
| AWS CodeDeploy | Automated code deployment to EC2, Lambda, ECS |
| AWS CodePipeline | CI/CD pipeline orchestration |
| AWS Cloud9 | Cloud-based integrated development environment (IDE) |
| AWS CloudShell | Browser-based shell with AWS CLI pre-configured |
Quick Reference Table
| Need | Service |
|---|---|
| Infrastructure as Code | CloudFormation or CDK |
| Monitor metrics and set alarms | CloudWatch |
| Optimization recommendations | Trusted Advisor |
| Patch management | Systems Manager |
| CI/CD pipeline | CodePipeline |
| Debug microservices | X-Ray |
| AWS service status | Health Dashboard |
Which AWS service allows you to define your cloud infrastructure using JSON or YAML templates?
AWS Trusted Advisor provides recommendations in which FIVE categories?
Which service should you use to set an alarm when your EC2 CPU utilization exceeds 80%?