AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provision and update them in an orderly and predictable fashion
CloudFormation consists of
is an architectural diagram
a JSON or YAML-format, text-based file that describes all the AWS resources you need to deploy to run your application
is the end result of that diagram, which is actually provisioned
is the set of AWS resources that are created and managed as a single unit when CloudFormation instantiates a template.
CloudFormation template can be used to set up the resources consistently and repeatedly over and over across multiple regions
Resources can be updated, deleted and modified in a controlled and predictable way, in effect applying version control to the infrastructure as done for software code
AWS CloudFormation Template consists of elements :-
List of AWS resources and their configuration values
An optional template file format version number
An optional list of template parameters (input values supplied at stack creation time)
An optional list of output values like public IP address using the Fn::GetAtt function
An optional list of data tables used to lookup static configuration values for e.g., AMI names per AZ
CloudFormation supports Chef & Puppet Integration, meaning that you can deploy and configure right down the application layer
CloudFormation provides a set of application bootstrapping scripts that enable you to install packages, files, and services on the EC2 instances by simply describing them in the CloudFormation template
By default, automatic rollback on error feature is enabled, which will cause all the AWS resources thatCloudFormation created successfully for a stack up to the point where an error occurred to be deleted. However, charges would be applied for the resources the time they are up and running
CloudFormation provides a WaitCondition resource that acts as a barrier, blocking the creation of other resources until a completion signal is received from an external source e.g. application, or management system
CloudFormation allows deletion policies to be defined for resources in the template for e.g. resources to be retained or snapshots can be created before deletion useful for preserving S3 buckets when the stack is deleted
AWS CloudFormation Concepts
AWS CloudFormation, you work with templates and stacks
Templates act as blueprints for building AWS resources.
CloudFormation template is a JSON or YAML formatted text file, saved with any extension, such as .json, .yaml, .template, or .txt.
Templates have additional capabilities to build complex sets of resources and reuse those templates in multiple contexts for e.g. use input parameters to create generic and reusable templates
Name used for a resource within the template is a logical name but when CloudFormation creates the resource, it generates a physical name that is based on the combination of the logical name, the stack name, and a unique ID
Stacks manage related resources as a single unit,
Collection of resources can be created, updated, and deleted by creating, updating, and deleting stacks.
All the resources in a stack are defined by the stack’s AWS CloudFormation template
CloudFormation makes underlying service calls to AWS to provision and configure the resources in the stack and can perform only actions that the users have permission to do.
Change Sets presents a summary of the proposed changes CloudFormation will make when a stack is updated
Change sets help check how the changes might impact running resources, especially critical resources, before implementing them
CloudFormation Access Control
IAM can be applied with CloudFormation to access control for users whether they can view stack templates, create stacks, or delete stacks
In addition to it, IAM permissions need to be provided to the user to the AWS services and resources provisioned, when the stack is created
Before a stack is created, AWS CloudFormation validates the template to check for IAM resources that it might create
A service role is an AWS IAM role that allows AWS CloudFormation to make calls to resources in a stack on the user’s behalf
By default, AWS CloudFormation uses a temporary session that it generates from the user credentials for stack operations.
For a service role, AWS CloudFormation uses the role’s credentials.
When a service role is specified, AWS CloudFormation always uses that role for all operations that are performed on that stack.
Template Resource Attributes
is invoked during the associated resource creation
can be associated with a resource to prevent its status from reaching create complete until AWS CloudFormation receives a specified number of success signals or the timeout period is exceeded
helps to wait on resource configuration actions before stack creation proceeds for e.g. software installation on an EC2 instance
preserve or (in some cases) backup a resource when its stack is deleted
By default, if a resource has no DeletionPolicy attribute, AWS CloudFormation deletes the resource
To keep a resource when its stack is deleted,
specify Retain for that resource, to prevent deletion
specify Snapshot to create a snapshot before deleting the resource, if the snapshot capability is supported for e.g RDS, EC2 volume etc.
helps specify that the creation of a specific resource follows another
resource is created only after the creation of the resource specified in the DependsOn attribute
enables association of structured data with a resource
defines AWS CloudFormation handles updates to the AWS::AutoScaling::AutoScalingGroup resource
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
What does Amazon CloudFormation provide?
The ability to setup Autoscaling for Amazon EC2 instances.
A templated resource creation for Amazon Web Services.
A template to map network resources for Amazon Web Services
None of these
A user is planning to use AWS CloudFormation for his automatic deployment requirements. Which of the below mentioned components are required as a part of the template?
A large enterprise wants to adopt CloudFormation to automate administrative tasks and implement the security principles of least privilege and separation of duties. They have identified the following roles with the corresponding tasks in the company: (i) network administrators: create, modify and delete VPCs, subnets, NACLs, routing tables, and security groups (ii) application operators: deploy complete application stacks (ELB, Auto -Scaling groups, RDS) whereas all resources must be deployed in the VPCs managed by the network administrators (iii) Both groups must maintain their own CloudFormation templates and should be able to create, update and delete only their own CloudFormation stacks. The company has followed your advice to create two IAM groups, one for applications and one for networks. Both IAM groups are attached to IAM policies that grant rights to perform the necessary task of each group as well as the creation, update and deletion of CloudFormation stacks. Given setup and requirements, which statements represent valid design considerations? Choose 2 answers
Network stack updates will fail upon attempts to delete a subnet with EC2 instances (Subnets cannot be deleted with instances in them)
Unless resource level permissions are used on the CloudFormation: DeleteStack action, network administrators could tear down application stacks (Network administrators themselves need permission to delete resources within the application stack & CloudFormation makes calls to create, modify, and delete those resources on their behalf)
The application stack cannot be deleted before all network stacks are deleted (Application stack can be deleted before network stack)
Restricting the launch of EC2 instances into VPCs requires resource level permissions in the IAM policy of the application group (IAM permissions need to be given explicitly to launch instances )
Nesting network stacks within application stacks simplifies management and debugging, but requires resource level permissions in the IAM policy of the network group (Although stacks can be nested, Network group will need to have all the application group permissions)
Your team is excited about the use of AWS because now they have access to programmable infrastructure. You have been asked to manage your AWS infrastructure in a manner similar to the way you might manage application code. You want to be able to deploy exact copies of different versions of your infrastructure, stage changes into different environments, revert back to previous versions, and identify what versions are running at any particular time (development, test, QA, production). Which approach addresses this requirement?
Use cost allocation reports and AWS Opsworks to deploy and manage your infrastructure.
Use AWS CloudWatch metrics and alerts along with resource tagging to deploy and manage your infrastructure.
Use AWS Beanstalk and a version control system like GIT to deploy and manage your infrastructure.
Use AWS CloudFormation and a version control system like GIT to deploy and manage your infrastructure.
A user is usingCloudFormation to launch an EC2 instance and then configure an application after the instance is launched. The user wants the stack creation of ELB and AutoScaling to wait until the EC2 instance is launched and configured properly. How can the user configure this?
It is not possible that the stack creation will wait until one service is created and launched
The user can use the HoldCondition resource to wait for the creation of the other dependent resources
The user can use the DependentCondition resource to hold the creation of the other dependent resources
The user can use the WaitCondition resource to hold the creation of the other dependent resources
A user has created a CloudFormation stack. The stack creates AWS services, such as EC2 instances, ELB, AutoScaling, and RDS. While creating the stack it created EC2, ELB and AutoScaling but failed to create RDS. What will CloudFormation do in this scenario?
CloudFormation can never throw an error after launching a few services since it verifies all the steps before launching
It will warn the user about the error and ask the user to manually create RDS
Rollback all the changes and terminate all the created services
It will wait for the user’s input about the error and correct the mistake after the input
A user is planning to use AWS CloudFormation. Which of the below mentioned functionalities does not help him to correctly understand CloudFormation?
CloudFormation follows the DevOps model for the creation of Dev & Test
AWS CloudFormation does not charge the user for its service but only charges for the AWS resources created with it
CloudFormation works with a wide variety of AWS services, such as EC2, EBS, VPC, IAM, S3, RDS, ELB, etc
CloudFormation provides a set of application bootstrapping scripts which enables the user to install Software
A customer is using AWS for Dev and Test. The customer wants to setup the Dev environment with CloudFormation. Which of the below mentioned steps are not required while using CloudFormation?
Create a stack
Configure a service
Create and upload the template
Provide the parameters configured as part of the template
A marketing research company has developed a tracking system that collects user behavior during web marketing campaigns on behalf of their customers all over the world. The tracking system consists of an auto-scaled group of Amazon Elastic Compute Cloud (EC2) instances behind an elastic load balancer (ELB), and the collected data is stored in Amazon DynamoDB. After the campaign is terminated, the tracking system is torn down and the data is moved to Amazon Redshift, where it is aggregated, analyzed and used to generate detailed reports. The company wants to be able to instantiate new tracking systems in any region without any manual intervention and therefore adopted AWS CloudFormation. What needs to be done to make sure that the AWS CloudFormation template works in every AWS region? Choose 2 answers
IAM users with the right to start AWS CloudFormation stacks must be defined for every target region. (IAM users are global)
The names of the Amazon DynamoDB tables must be different in every target region. (DynamoDB names should be unique only within a region)
Use the built-in function of AWS CloudFormation to set the AvailabilityZone attribute of the ELB resource.
Avoid using DeletionPolicies for EBS snapshots. (Don’t want the data to be retained)
Use the built-in Mappings and FindInMap functions of AWS CloudFormation to refer to the AMI ID set in the ImageId attribute of the Auto Scaling::LaunchConfiguration resource.
A gaming company adopted AWS CloudFormation to automate load -testing of their games. They have created an AWS CloudFormation template for each gaming environment and one for the load -testing stack. The load – testing stack creates an Amazon Relational Database Service (RDS) Postgres database and two web servers running on Amazon Elastic Compute Cloud (EC2) that send HTTP requests, measure response times, and write the results into the database. A test run usually takes between 15 and 30 minutes. Once the tests are done, the AWS CloudFormation stacks are torn down immediately. The test results written to the Amazon RDS database must remain accessible for visualization and analysis. Select possible solutions that allow access to the test results after the AWS CloudFormation load -testing stack is deleted. Choose 2 answers
Define a deletion policy of type Retain for the Amazon QDS resource to assure that the RDS database is not deleted with the AWS CloudFormation stack.
Define a deletion policy of type Snapshot for the Amazon RDS resource to assure that the RDS database can be restored after the AWS CloudFormation stack is deleted.
Define automated backups with a backup retention period of 30 days for the Amazon RDS database and perform point -in -time recovery of the database after the AWS CloudFormation stack is deleted. (as the environment is required for limited time the automated backup will not serve the purpose)
Define an Amazon RDS Read-Replica in the load-testing AWS CloudFormation stack and define a dependency relation between master and replica via the DependsOn attribute. (read replica not needed and will be deleted when the stack is deleted)
Define an update policy to prevent deletion of the Amazon RDS database after the AWS CloudFormation stack is deleted. (UpdatePolicy does not apply to RDS)