Lab 5: Cost Optimization
© 2023 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.
Note: Do not include any personal, identifying, or confidential information into the lab environment. Information entered may be visible to others.
Corrections, feedback, or other questions? Contact us at AWS Training and Certification.
Objectives
After completing this lab, you will be able to:
Create AWS Config rules.
Review and remediate AWS Config findings.
Apply preventative controls for compliance.
Prerequisites
This lab requires:
Use of a personal computer or laptop with Wi-Fi. The lab is not accessible using an iPad or tablet device, but you can use these devices to access the student guide.
Access to the administrator account on your local the computer.
Access to an internet browser, such as Chrome or Firefox.
ICON KEY
Various icons are used throughout this lab to call attention to different types of instructions and notes. The following list explains the purpose for each icon:
Command: A command that you must run.
Expected output: A sample output that you can use to verify the output of a command or edited file.
Note: A hint, tip, or important guidance.
Additional information: Where to find more information.
WARNING: An action that is irreversible and could potentially impact the failure of a command or process (including warnings about configurations that cannot be changed after they are made).
Consider: A moment to pause to consider how you might apply a concept in your own environment or to initiate a conversation about the topic at hand.
Duration
This lab requires 60 minutes to complete.
Scenario
This lab guides you through the steps to use AWS Config to enforce tagging for Amazon Elastic Compute Cloud (Amazon EC2) instances and instance type standardization for non-production environments. The skills you learn help you control your cost and usage in alignment with the business requirements. You pay only for the computing resources you consume and need, which is fundamental according to the Adopt a consumption model design principle.
Detailed cost optimization design principles is found in the AWS Documentation
The architecture of the infrastructure you deploy by the end of the lab is diagrammed as follows:
The architecture is an Amazon VPC containing 2 Availability Zones. There are 6 total subnets in the environment, with each Availability Zone having 3 of the subnets. The subnets are labelled and divided per Availability Zone as such: 1 public subnet, 1 private subnet, and 1 db private subnet. Each of the private subnets is part of an Amazon EC2 Auto Scaling group and contains 1 web server each. Each of the db private subnets contain 1 Amazon RDS instance each. Internet traffic flows into an internet gateway, to an Application Load Balancer residing in the public subnets, then to the Amazon EC2 Auto Scaling group in the private subnets, and finally to the Amazon RDS primary instance in the db private subnet. Supporting management, automation & monitoring services for the environment are: Amazon CloudWatch, AWS CloudTrail, AWS CloudFormation, AWS Config, and AWS Systems Manager. Supporting security services for the environment are AWS Identity and Access Management, and AWS Secrets Manager.
Start lab
- To launch the lab, at the top of the page, choose Start lab.
You must wait for the provisioned AWS services to be ready before you can continue.
- To open the lab, choose Open Console.
You are automatically signed in to the AWS Management Console in a new web browser tab.
Do not change the Region unless instructed.
COMMON SIGN-IN ERRORS
Error: You must first sign out
If you see the message, You must first log out before logging into a different AWS account:
Choose the click here link.
Close your Amazon Web Services Sign In web browser tab and return to your initial lab page.
Choose Open Console again.
Error: Choosing Start Lab has no effect
In some cases, certain pop-up or script blocker web browser extensions might prevent the Start Lab button from working as intended. If you experience an issue starting the lab:
Add the lab domain name to your pop-up or script blocker’s allow list or turn it off.
Refresh the page and try again.
Task 1: Use AWS Config
Before you can start monitoring your Amazon Web Services (AWS) resources for compliance, you must setup AWS Config for your AWS environment. AWS Config provides a detailed view of the configuration of AWS resources in your account. Additionally, you can observe how resources relate to one another, past configurations, and how the relationships change over time.
SET UP AWS CONFIG
At the top of the AWS Management Console, in the search bar, search for and choose
.
Choose Get started.
The browser displays the Settings page.
- On the Settings page, in the General Settings section:
For Resource types to record, choose Record specific resource types.
For Resource category, select AWS resources .
For Resource type, select AWS EC2 Instance . The dropdown displays Multiple Selected after the selection is made.
For AWS Config role, select Choose a role from your account.
For Existing roles, select ConfigServiceRole. This role might already be selected by default.
- On the Settings page, in the Delivery method section:
For Amazon S3 bucket, choose Choose a bucket from your account
For S3 bucket name, select the bucket that starts with a string like .
- Choose Next.
The browser displays the Rules page.
- No changes are necessary on this page. Choose Next.
The browser displays the Review page.
Choose Confirm.
If prompted, you can close the Welcome to AWS Config message window.
After a minute, the AWS Config dashboard is displayed.
Note: A warning message might appear at the top of the page requesting that you update the AWS Identity and Access Management (IAM) Policy used by AWS Config. This warning can be ignored for the purposes of this lab.
Congratulations! In this task, you set up the AWS Config service for the lab environment.
Task 2: Create AWS Config Rules
Now that AWS Config is set up, establish rules that check resource compliance with your organization’s published architecture standards.
TASK 2.1: ADD AWS CONFIG RULE TO ENFORCE REQUIRED TAGS
In this task, you create a rule that confirms required tags populated with appropriate values for each of your Amazon EC2 instances. Consistent tagging is a useful tool in managing costs associated with running different applications or workloads in your environment. It can also be helpful in allocating costs to different departments that deploy and operate resources in AWS.
- On the navigation menu at the left of the page, choose Rules.
Note: Be careful not to select Rules, under Aggregators.
The browser displays the Rules page.
- Choose Add rule.
The browser displays the Specify rule type page.
- On the Specify rule type page, in the Select rule type section:
- Choose Add AWS managed rule.
- On the Specify rule type page, in the AWS Managed Rules section:
Input
into the search box.
From the list of returned results, choose the required-tags rule.
- Choose Next.
The browser displays the Configure rule page.
- On the Configure rule page, in the Details section:
- For Name, input .
- On the Configure rule page, in the Trigger section:
- For the Resources, clear all entries except AWS EC2 Instance.
Note: If you accidentally delete AWS EC2 Instance resource from the list, you can manually add it from the Resource type combo menu.
- On the Configure rule page, in the Parameters section, use the following table to complete the tag configuration.
Note: The tag1Key field is already pre-populated. Complete the missing tag key and value pairs.
Key | Value |
tag1Key | |
tag1Value | |
tag2Key | |
tag2Value |
Note: Delete any unused tagKeys and tagValues by choosing Remove at the end of the line item.
WARNING: Confirm the correct casing and spelling is used for the values you entered.
- Choose Next.
The browser displays the Review and create page.
- On the Review and create page, choose Add rule.
The browser displays the Rules page.
A banner message like the following is displayed at the top of the page: The rule: RequiredTagsCompliance has been added to your account.
On the Rules page, the new RequiredTagsCompliance rule does not have a status under Detective compliance column. This status might take a couple of minutes to appear. At this time, AWS Config has started to evaluate resource configurations. Move on to the next step; you review compliance with this rule in another section of this lab.
TASK 2.2: ADD AN AWS CONFIG RULE TO ENFORCE APPROVED INSTANCE TYPES
The second rule you establish ensures that your Amazon EC2 instances use an approved instance type. Company architects selected this instance type to meet both the application performance requirements and fit the approved budget.
- Choose Add rule.
The browser displays the Specify rule type page.
- On the Specify rule type page, in the Select rule type section:
For Select rule type, choose Add AWS managed rule.
For AWS Managed Rules, input
into the search box.
From the list of returned results, choose the desired-instance-type rule.
- Choose Next.
The browser displays the Configure rule page.
- On the Configure rule page, in the Details section:
- For Name, input .
- On the Configure rule page, in the Trigger section:
For Scope of changes, choose Tags .
For Tag key, input
.
For Tag value, input
.
- On the Configure rule page, in the Parameters section:
- For Value, input .
This rule dictates the specific instance type to be used for the instances deployed in your environment when they have an Environment tag with a value of Development. This type of rule can be used to avoid unnecessary costs associated using unapproved instance types.
- Choose Next.
The browser displays the Review and create page.
- On the Review and create page, choose Add rule to save the rule.
The browser displays the Rules page.
A banner message like the following is displayed at the top of the page: The rule: DevelopmentInstanceType has been added to your account.
Instead of just identifying the noncompliant resources, you now want to resize the noncompliant instances automatically. This prevents them from incurring additional costs in your environment. To do this, implement an automatic remediation for the rule, so the noncompliant instances are resized appropriately.
Select the DevelopmentInstanceType rule.
Choose Actions , then choose Manage remediation.
The browser displays the Edit: Remediation action page.
Note: If you get an error stating AWS Config is currently experiencing unusually high traffic, refresh the page to select the following remediation action:
- On the Edit: Remediation action, in the Select remediation method section:
- Select Automatic remediation .
- On the Edit: Remediation action page, in the Remediation action details section:
For Choose remediation action, input
.
Select AWS-ResizeInstance.
- On the Edit: Remediation action page, in the Resource ID parameter section:
- Select InstanceId .
- On the Edit: Remediation action page, in the Parameters section:
For InstanceType, input
.
On the navigation panel to the left of these instructions, copy the LabAutomationRole Amazon Resource Name (ARN) value.
For AutomationAssumeRole, paste the copied LabAutomationRole ARN value in the Value field.
- Choose Save changes.
The browser displays the DevelopmentInstanceType details page.
A banner message like the following is displayed at the top of the page: Success! DevelopmentInstanceType has been updated..
On the Rules dashboard, the DevelopmentInstanceType rule has a Compliance status of Evaluating. It sometimes takes a while for AWS Config to evaluate the status of the resources in your environment.
Congratulations! In this task, you configured AWS Config rules to check for instance tag and instance type compliance. You also configured remediation actions for the instance type rule. In the next task, you check and remediate AWS Config findings.
Task 3: Review and Remediate AWS Config Findings
Now that you created your AWS Config rules, review the results of each rule to determine which resources are noncompliant.
- In the left navigation pane under AWSConfig, select Rules.
The browser displays the Rules page.
Note: Be careful not to select Rules under Aggregators.
- The RequiredTagsCompliance rule has a Noncompliant status. This is because the currently deployed development instance is not properly tagged according to the rule established in Task 2.1 of this lab. Also, the DevelopmentInstanceType rule does not have any compliance status. In this case, it is because AWS Config cannot determine if the instances have the correct instance type due to the lack of appropriate tags.
Note: If your rule does not show as Noncompliant, select the rule from the list, and reevaluate the rule using the Actions menu at the top of the page.
Add the required tags to the Amazon EC2 instance to bring it into compliance with rule.
At the top of the AWS Management Console, in the search bar, search for and choose .
On the navigation menu at the left of the page, under Instances, choose Instances.
The browser displays the Instances page.
From the instances list, select lab5-dev-instance.
In the lower half of the page, choose the Tags tab.
Choose Manage tags.
The browser displays the Manage tags page.
- Choose Add new tag.
For Key, input
.
For Value, input
.
Add a second tag.
- Choose Add new tag.
For Key, input
.
For Value, input
.
Note: Do not delete the existing Name tag.
- Choose Save.
The browser displays the Instance page.
A banner message like the following is displayed at the top of the page: Request to manage tags has succeeded..
For this lab, you focus on Development environment and assume that the Production instance tags are correct.
Now, validate whether the RequiredTagsCompliance rule changes to Compliant status.
- At the top of the AWS Management Console, in the search bar, search for and choose .
The browser displays the AWS Config dashboard page.
- On the navigation menu at the left of the page, select Rules.
The browser displays the Rules page.
A couple of minutes after adding the required tags in the instances, the Detective compliance status of the RequiredTagsCompliance rule must change to Compliant.
Note: You might need to refresh your browser a few times for the Compliant status to update.
The rule named DevelopmentInstanceType still has a Noncompliant status because, according to the rule configured in Task 2.2, an instance deployed in the development environment must use a t3.small instance type. In this case, the deployed instance is a t3.medium type. If the Compliance status does not match this, then you might need to reevaluate the rule using the Actions dropdown at the top.
- Choose the link for the DevelopmentInstanceType rule.
The browser displays the DevelopmentInstanceType details page.
Notice in the Remediation action section that the automatic remediation is in place. Expand this section on the page if necessary.
- In the Resources in scope section, select All .
In the Resources in scope section, the status should be “Action execution queued.” This means that
is being stopped to change the instance type tot3.small.
Note: Depending on how long it takes you to review the rule, you might miss the status update within the Resources in scope section. However, the resource eventually becomes compliant with a status of “Action executed successfully”, because the auto-remediation action took place. If after a few minutes the rule continues to show as Noncompliant, reevaluate the rule using the Actions dropdown at the top.
At the top of the AWS Management Console, in the search bar, search for and choose .
On the navigation menu at the left of the page, under Instances, choose Instances.
The browser displays the Instances page.
From the instances list, select lab5-dev-instance.
Verify Instance state as Running.
Verify Instance type as t3.small.
At the top of the AWS Management Console, in the search bar, search for and choose
.
The browser displays the AWS Config dashboard page.
- On the navigation menu at the left of the page, select Rules.
The browser displays the Rules page.
- Verify Compliance status for both rules is now Compliant.
Congratulations! In this task, you configured resources to be compliant the AWS Config rules and then validated all the AWS Config rules are in compliance.
Task 4: Activate Preventative Controls for Compliance
With AWS Config, you can detect and remediate noncompliant resources in a reactive manner. Now, use IAM to put proactive controls in place that prevent users from deploying noncompliant resources. With IAM, you can grant different permissions to different people for different resources. You use the capabilities of IAM to ensure that your application developers can launch new Amazon EC2 instances in the development environment as needed, but only if they select the appropriate instance type and configure the required tags at launch to be compliant with your organization’s standards.
TASK 4.1: REVIEW IAM USER GROUPS AND POLICIES
To efficiently manage multiple users that perform the same job duties as one, IAM groups are used. They collectively administer permissions for all users that are members of that group.
At the top of the AWS Management Console, in the search bar, search for and choose .
On the navigation menu at the left of the page, under Access management, choose User groups.
The browser displays the User groups page.
A user group for the application developers was created so users in that group can deploy Amazon EC2 instances that meet certain requirements. This means you can use self-service capabilities while maintaining compliance with your documented standards.
- Choose the link for the DeveloperGroup group.
The browser displays the DeveloperGroup summary page.
- Select the Permissions tab.
This user group has an inline policy that grants permissions to the users in the group.
- Choose the developer-policy link.
The browser displays the Edit developer-policy page.
- Choose the JSON tab.
Example: The inline policy used is like the following example:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["ec2:Describe*"],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowToDescribeAll"
},
{
"Action": ["ec2:RunInstances", "ec2:CreateVolume"],
"Resource": [
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:volume/*"
],
"Effect": "Allow",
"Sid": "AllowRunInstances"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/CostCenter": "CC1",
"aws:RequestTag/Environment": "Development",
"ec2:InstanceType": "t3.small"
}
},
"Action": ["ec2:RunInstances"],
"Resource": ["arn:aws:ec2:*:*:instance/*"],
"Effect": "Allow",
"Sid": "AllowRunInstancesWithRestrictions"
},
{
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
},
"Action": ["ec2:CreateTags"],
"Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:network-interface/*"],
"Effect": "Allow",
"Sid": "AllowCreateTagsOnlyLaunching"
}
]
}
With this policy, users belonging to the group can launch an Amazon EC2 instance, as long as the instance is a t3.small and the instance has the following tags:
Key | Value |
CostCenter | CC1 |
Environment | Development |
- Choose Cancel at the bottom of the page.
The browser displays the DeveloperGroup summary page.
TASK 4.2: ADD DEVELOPER1 TO THE DEVELOPERGROUP IAM GROUP
Now that you reviewed the user group and inline policy attached to it, add the IAM user developer1 to the IAM group.
- On the navigation menu at the left of the page, under Access management, choose User groups.
The browser displays the User groups page.
- Choose the link for the DeveloperGroup group.
The browser displays the DeveloperGroup summary page.
- Choose Add users.
The browser displays the Add users to DeveloperGroup page.
Select the checkbox next to developer1.
Choose Add users.
A banner message like the following is displayed at the top of the page: Users added to this group..
The IAM user developer1 is now a member of the DeveloperGroup IAM group.
Note: You complete the rest of the lab as
.
TASK 4.3: VERIFY PREVENTATIVE CONTROLS
With the IAM user developer1 now a member of the DeveloperGroup IAM group, confirm that the inline policy is restricting permissions as intended.
From the navigation panel to the left of these instructions, copy the LoginURL value.
In a new private window or tab, paste the LoginURL value, and then press Enter
From the navigation panel to the left of these instructions, copy the DeveloperUserName value.
From the navigation panel to the left of these instructions, copy the DeveloperPassword value.
In the sign-in window:
IAM user name: Paste the DeveloperUserName value you copied from the lab instructions.
Password: Paste the DeveloperPassword value you copied from the lab instructions.
- Choose Sign in.
The AWS Console is displayed.
- At the top of the AWS Management Console, in the search bar, search for and choose .
You need to ensure that you are in the correct region before you create the instance.
In the navigation panel to the left of these instructions, confirm the LabRegion value.
At the top of the screen, near the right corner, choose the AWS Region that matches the LabRegion value.
On the navigation menu at the left of the page, under Instances, choose Instances.
The browser displays the Instances page.
- Choose Launch instances.
The browser displays the Launch an instance page.
- On the Launch an instance page, in the Names and tags section:
For Name, input
.
Choose Add additional tags.
Choose Add tag.
For Key, input
.
For Value, input
.
Choose Add tag.
For Key, input
.
For Value, input
.
You add tags to these instances to make sure they are compliant with your organization’s published architecture standards. This avoids flagging the instance as noncompliant based on the AWS Config rules you implemented.
- On the Launch an instance page, in the Instance type section:
For Instance type, input into the search box.
Select t3.small from the list.
- On the Launch an instance page, in the Key pair (login) section:
- For Key pair name - required, select Proceed without a key pair (Not recommended).
- On the Launch an instance page, in the Network settings section:
Choose Edit.
For VPC - required, select wa-lab-vpc .
For Firewall (security groups), choose Select an existing security group .
For Common security groups, select wa-lab5-server-sg.
- Choose Launch instance.
Consider: You receive an error message that the instance launch failed. Do you know why? The reason for failure is that you entered all the necessary tags, but entered an incorrect value for the Environment tag. The tag value needs to be Development instead of Dev.
Modify the configuration and try again.
Choose Edit instance config.
On the Launch an instance page, in the Name and tags section:
- Change the Environment tag value from Dev to .
- Choose Launch instance.
A banner message like the following is displayed at the top of the page: Successfully initiated launch of instance (i-06c2c9db8dbff3294).
- Choose View all instances.
The browser displays the Instances page.
Here, you can view all the instances running in your account, including the new instance.
- At the top of the AWS Management Console, in the search bar, search for and choose .
The browser displays the AWS Config Dashboard page.
- On the navigation menu at the left of the page, select Rules.
The browser displays the Rules page.
- Verify Compliance status for both rules is Compliant.
Congratulations! In this task, you assumed the identity of the IAM user developer1, and you deployed a new Amazon EC2 instance that is compliant with the AWS Config rules you created in this lab.
Congratulations! You completed the lab.
Using the appropriate services and resources for your workload is key to cost savings. A well-architected workload uses the most cost-effective resources, which can have a significant and positive economic impact. Managed services can reduce costs. AWS offers a variety of flexible and cost-effective pricing options to acquire instances from Amazon EC2 and other services in a way that best fits your needs.
In this lab, you learned how to:
Create AWS Config rules.
Review and remediate AWS Config findings.
Apply preventative controls for compliance.
End lab
Follow these steps to close the console and end your lab.
Return to the AWS Management Console.
At the upper-right corner of the page, choose AWSLabsUser, and then choose Sign out.
Choose End lab and then confirm that you want to end your lab.
For more information about AWS Training and Certification, see aws.amazon.com/training.
Your feedback is welcome and appreciated.
If you would like to share any feedback, suggestions, or corrections, please provide the details in our AWS Training and Certification Contact Form.