AWSWell-Architected Labs Operational Excellence 100 Labs 100 - Inventory and Patch Management 1. Intro 2. Setup 3. Deploy an Environment 4. Inventory Management 5. Patch Management 6. Maintenance Windows 7. Creating SNS topic 8. Teardown 100 - Dependency Monitoring 1. Deploy Infrastructure 2. Understanding Metrics 3. Create Alarm 4. Test Fail Condition 5. Bonus Content 6. Tear down this lab 200 Labs 200 - Automating operations with Playbooks and Runbooks 1. Deploy the sample application environment 2. Simulate an Application Issue 3. Build & Run an Investigative Playbook 4. Build & Run Remediation Runbook 5. Teardown Security 100 Level Foundational Labs Account Setup and Root User 1. Account Settings & Root User Security 2. Tear down Identity and Access Management User, Group, Role CloudFront with S3 Bucket Origin 1. Create S3 bucket 2. Upload example index.html file 3. Configure Amazon CloudFront 4. Tear down Enable Security Hub 1. Enable AWS Security Hub 2. Tear Down Create a Data Bunker Account 1. Creating data bunker account in console 200 Level Intermediate Labs Automated Deployment of Detective Controls 1. Create Stack 2. Knowledge Check 3. Tear down Automated Deployment of EC2 Web Application 1. Create Web Stack 2. Tear down this lab Automated Deployment of IAM Groups and Roles 1. AWS CloudFormation to Create Groups, Policies and Roles with MFA Enforced 2. Assume Roles from an IAM user 3. Tear down Automated Deployment of VPC 1. Create VPC Stack 2. Tear Down Automated Deployment of Web Application Firewall 1. Configure AWS WAF 2. Configure Amazon CloudFront 3. Tear down Automated IAM User Cleanup 1. Deploying IAM Lambda Cleanup with AWS SAM 4. Tear down Basic EC2 WAF Protection 1. Launch Instance 2. Create AWS WAF Rules 3. Create Application Load Balancer with WAF integration 4. Tear down AWS Certificate Manager Request Public Certificate 1. Requesting a public certificate using the console 2. Tear down CloudFront for Web Application 1. Configure CloudFront - EC2 or Load Balancer 2. Tear down CloudFront with WAF Protection 1. Launch Instance 2. Configure AWS WAF 3. Configure Amazon CloudFront 4. Tear down this lab Remotely Configuring, Installing, and Viewing CloudWatch logs 1. Deploy the CloudFormation Stack 2. Install the CloudWatch Agent 3. Store the CloudWatch Config File in Parameter Store 4. Start the CloudWatch Agent 5. Generate Logs 6. View your CloudWatch Logs 7. Export Logs to S3 8. Query logs from S3 using Athena 9. Create a QuickSight Visualization 10. Lab Recap 11. Lab Teardown 300 Level Advanced Labs Multilayered API Security with Cognito and WAF 1. Deploy the lab base infrastructure 2. Use Secrets Securely 3. Prevent requests from accessing API directly 4. Application layer defence 5. Control access to API 6. Tear down Autonomous Monitoring Of Cryptographic Activity With KMS 1. Deploy The Lab Base Infrastructure 2. Configure ECS Respository and Deploy The Application Stack 3. Configure CloudTrail 4. Configure The Workload Logging and Alarm 5. Testing the Workload Functionality 6. Teardown Autonomous Patching with EC2 Image Builder and Systems Manager 1. Deploy The Lab Base Infrastructure 2. Deploy The Application Infrastructure 3. Deploy The AMI Builder Pipeline 4. Deploy The Build Automation With SSM 5. Teardown IAM Permission Boundaries Delegating Role Creation 1. Create IAM policies 2. Create and Test Developer Role 3. Create and Test User Role 4. Knowledge Check 5. Tear down IAM Tag Based Access Control for EC2 1. Create IAM policies 2. Create Role 3. Test Role 4. Knowledge Check 5. Tear down Incident Response Playbook with Jupyter - AWS IAM 1. Install Python & AWS CLI 2. Playbook Run Incident Response with AWS Console and CLI 1. Getting Started 2. Identity & Access Management 3. Amazon VPC Lambda Cross Account Using Bucket Policy 1. Identify (or create) S3 bucket in account 2 2. Create role for Lambda in account 1 3. Create bucket policy for the S3 bucket in account 2 4. Create Lambda in account 1 5. Tear down Lambda Cross Account IAM Role Assumption 1. Create role for Lambda in account 2 2. Create role for Lambda in account 1 3. Create Lambda in account 1 4. Tear down VPC Flow Logs Analysis Dashboard 1. Enable VPC Flow Logs 2. Create Athena Resources 3. Create VPC Flow Logs QuickSight Dashboard 4. Teardown Quests Introduction to Security 1. New AWS Account Setup and Securing Root User 2. Basic Identity and Access Management User, Group, Role 3. CloudFront with WAF Protection 4. Automated Deployment of Detective Controls Simplest Security Steps 1. Step 1 - Protect privileged credentials 2. Step 2 - Use temporary credentials 3. Step 3 - Replace hardcoded credentials 4. Step 4 - Limit Network Access 5. Step 5 - Apply patches 6. Step 6 - Restrict public storage Quick Steps to Security Success 1. Control Tower 2. Centralize Identities 3. Enable Additional Guardrails 4. Monitoring and Alerting 5. Operating IR - Credential Misuse Reviewing Security Essential Best Practice AWS Incident Response Day Automate The Well-Architected Way With WeInvest AWS Security Best Practices Workshop Security Best Practices Day Managing Credentials & Authentication Control Human Access Control Programmatic Access Detect & Investigate Events Defend Against New Threats Protect Networks Protect Compute Classify Data Protect Data at Rest Protect Data in Transit Incident Response Reliability 100 Labs Deploy using CloudFormation 1. Deploy Infrastructure 2. Deploy Application 3. Explore Web Application 4. Explore CloudFormation 5. Tear down this lab 200 Labs S3 Bi-Directional Replication 1. Deploy Infrastructure 2. Configure CRR 3. Test CRR 4. Tear down this lab 5. Resources Update CloudFormation 1. Deploy Infrastructure 2. Explore Deployment 3. Use Parameters 4. Add S3 Bucket 5. Add EC2 Instance 6. Multi-region Deployment 7. Tear down this lab Testing Backup and Restore 1. Deploy Infrastructure 2. Create Backup Plan 3. Enable Notifications 4. Test Restore 5. Teardown Test Resiliency of EC2 1. Deploy Application 2. Execution Environment 3. EC2 Failure Injection 4. Tear down this lab Backup and Restore for Analytics Workload 1. Getting Started Prerequisites Architecture 2. Setting Up Backup Region Primary Region Test Workload 3. Failover Backup Region Infrastructure Endpoint Switch Verify Failover 4. Failback Recreate DynamoDB Redirect Traffic Remove Redundant Infrastructure Resync Data 5. Next Steps Cleanup 300 Labs Health Checks & Dependencies 1. Deploy Application 2. Dependency failure 3. Deep health checks 4. Fail open 5. Tear down this lab Test Resiliency EC2, RDS, & AZ 1. Deploy Application 2. Execution Environment 3. Failure Injection Prep 4. EC2 Failure Injection 5. RDS Failure Injection 6. Application Failure Injection 7. AZ Failure Injection 8. Failure Injection - optional 9. Tear down this lab Fault isolation with shuffle sharding 1. Deploy workload 2. Impact of failures 3. Implement sharding 4. Impact of failures - Sharding 5. Implement shuffle sharding 6. Impact of failures - Shuffle Sharding 7. Teardown 8. Resources Disaster Recovery Introduction Agenda Module 1: Backup and Restore Pre-requisites Account Setup S3 Access Primary Region Create Backup Resources RDS EC2 S3 Copy to Secondary Region RDS EC2 Verify Website Failover to Secondary EC2 RDS Modify Application Cleanup Resources Module 2: Pilot Light Pre-requisites Account Setup S3 Access Primary Region Secondary Region Verify Website Failover to Secondary Promote App in Secondary Region Promote Aurora Verify Failover Cleanup Resources Module 3: Warm Standby Pre-requisites Account Setup S3 Access Primary Region Secondary Region Verify Aurora Write Forwarding Verify Websites Failover to Secondary Promote App in Secondary Region Promote Aurora Verify Failover Cleanup Resources Module 4: Hot Standby Pre-requisites Account Setup S3 Access Primary Region Secondary Region CloudFormation Outputs DynamoDB Global Tables Verify Aurora Write Forwarding Configure Websites Verify Websites Setup for CloudFront Failover to Secondary Promote Aurora Modify Application Verify Failover Cleanup Resources AWS Elastic Disaster Recovery Performance Efficiency 100 Labs Monitoring with CloudWatch Dashboards 1. View Amazon CloudWatch Automatic Dashboards 2. Teardown Calculating differences in clock source 1. Deploy 2. Test performance 3. Change clock type 4. Teardown Monitoring Windows EC2 with CloudWatch Dashboards 1. Deploy Infrastructure 2. Deploy Instance 3. Create CloudWatch Dashboard 4. Add metrics to Dashboard 5. Generate load 6. Teardown Monitoring Linux EC2 with CloudWatch Dashboards 1. Deploy Infrastructure 2. Deploy Instance 3. Create CloudWatch Dashboard 4. Add metrics to Dashboard 5. Generate load 6. Teardown Cost Optimization Fundamentals Expenditure Awareness Cost Effective Resources 100 Labs Level 100: AWS Account Setup: Lab Guide 1. Configure IAM access 2. Create an account structure 3. Configure Cost and Usage reports 4. Enable Single Sign On (SSO) 5. Configure account settings 6. Setup Amazon QuickSight 7. Enable AWS Cost Explorer 8. Enable AWS-Generated Cost Allocation Tags 9. Configure Monthly Reports (Optional) 10. Tear down Level 100: Cost and Usage Governance 1. Create and implement an AWS Budget for monthly forecasted cost 2. Create and implement an AWS Budget for EC2 actual cost 3. Create and implement an AWS Budget for EC2 Savings Plan coverage 4. Create and implement an AWS Budget Report 5. Tear down Level 100: Pricing Models 1. View your Savings Plan recommendations 2. Understand your usage trend 3. Analyze your Savings Plan recommendations 4. Visualize your Savings Plan recommendations 5. Tear down Level 100: Cost and Usage Analysis 1. View your AWS Invoices 2. View your cost and usage in detail 3. Download your Monthly Report CSV 4. Teardown Level 100: Cost Visualization 1. View your cost and usage by service 2. View your cost and usage by account 3. View your Savings Plan coverage 4. View your Elasticity 5. View your Reserved Instance coverage 6. Create custom EC2 reports 7. Tear down Level 100: Rightsizing Recommendations 1. Intro to Rightsizing on AWS 2. Using AWS Cost Management Rightsizing Recommendations 3. Prioritizing Rightsizing Recommendations 4. Other Rightsizing Tools 5. Tear down Level 100: Cost Estimation 1. Launch AWS Pricing Calculator 2. Add & Configure Services 3. Review Estimate 4. Export Estimate 5. Save and Share Level 100: Goals & Targets 1. Cloud Financial Management 2. Govern Usage 3. Monitor Cost and Usage 4. Decommission Resources 5. Service Selection 6. Resource Type, Size & Number 7. Pricing Models 8. Data Transfer 9. Manage Demand & Supply Resources 10. Evaluate New Services Level 100: Tag Policies 1. Create a Tag Policy 2. Attach the Tag Policy to an account 3. Check for non-compliant resources 4. Teardown 200 Labs Level 200: Cost and Usage Governance 1. Create a group of users for testing 2. Create an IAM Policy to restrict service usage by region 3. Create an IAM Policy to restrict EC2 usage by family 4. Extend an IAM Policy to restrict EC2 usage by instance size 5. Create an IAM policy to restrict EBS Volume creation by volume type 6. Teardown Level 200: Pricing Models 1. View an RI report 2. Download and prepare the RI CSV files 3. Sort and filter the RI CSV files 4. Tear down Level 200: Cost and Usage Analysis 1. Verify your CUR files are being delivered 2. Use AWS Glue to enable access to CUR files via Amazon Athena 3. Cost and Usage analysis 4. Tear down Level 200: Cost Visualization 1. Create a data set 2. Create visualizations 3. Share your Analysis and Dashboard 4. Tear down Level 200: Rightsizing with Compute Optimizer 1. Getting to know Amazon Cloudwatch 2. Create an IAM Role to use with Amazon CloudWatch Agent 3. Attach CloudWatch IAM role to selected EC2 Instances 4. CloudWatch Agent Manual Install 5. Rightsizing with AWS Compute Optimizer and Memory Utilization Enabled 6. Tear down Level 200: Pricing Model Analysis 1. Create Pricing Data Sources 2. Create the Usage Data Source 3. Setup QuickSight Dashboard 4. Create the Recommendation Dashboard 5. Format the Recommendation Dashboard 6. Teardown Level 200: Cloud Intelligence Dashboards Cost & Usage Report Dashboards 1. Prerequisites 2a. Cost Intelligence Dashboard 2b. CUDOS Dashboard 2c. KPI Dashboard 3. Additional Dashboards Compute Optimizer Dashboard (COD) 1. Prerequisites 2. COD Deployment 3. Optional Steps Trusted Advisor Organizational (TAO) Dashboard 1. Prerequisites 2. Create & Upload Trusted Advisor Report 3. TAO Dashboard Deployment 4. Optional Steps Teardown Customizations 1. Adding Tags 2. Filtering Visuals by Cost Allocation Tags 3. SaaS Unit Metrics FAQ Level 200: Workload Efficiency 1. Create the Data Sources 2. Create the efficiency data source 3. Create the Visualizations 4. Teardown Level 200: Licensing 1. Create Pricing Data Source 2. Analyze and Understand Licensing 3. Teardown Level 200: Cost Journey 1. Configure Services 2. Create Journey 3. Teardown 300 Labs Level 300: Automated Athena CUR Query and E-mail Delivery 1. Overview architecture 2. Create S3 Bucket 3. Create an IAM policy and role for Lambda function 4. Configure parameters of function code and upload code to S3 5. Create a Lambda function 6. Customize query strings and create scheduled CloudWatch event 7. Teardown Level 300: Automated CUR Updates and Ingestion 1. Create the CloudFormation Stack 2. Multiple CURs 3. Teardown Level 300: AWS CUR Query Library Analytics Application Integration AWS Cost Management Compute Container Cost Optimization Customer Engagement Database End User Computing Global Queries Machine Learning Management & Governance Networking & Content Delivery Security, Identity, & Compliance Storage CUR Query Library Help CUR Query Building Library Contribution Guide CUR Query Library Contributors Level 300: Splitting the CUR and Sharing Access 1. Setup Output S3 Bucket 2. Perform one off Fill of Member/Linked Data 3. Create Athena Saved Queries to Write new Data 4. Create Lambda function to run the Saved Queries 5. Trigger the Lambda When a CUR is Delivered 6. Sub Account Crawler Setup 7. Tear Down Level 300: Optimization Data Collection 2. Grant permissions to your accounts in your AWS Organization 1. Deploy core infrastructure for data retrieval 3. Data Collection Modules and Testing Deployment 4. Utilize Data 5. Create Custom Data Collection Module (Optional) 6. Teardown Level 300: Organization Data CUR Connection 1. Create Static Resources 2. Create Automation Resources 3. Utilize Organization Data Source 4. Visualize Organization Data in QuickSight 5. Join with the Enterprise Cost Intelligence Dashboard 6. Teardown Sustainability 300 Level Advanced Labs Optimize Data Pattern using Amazon Redshift Data Sharing 1. Understand Amazon Redshift Data Sharing 2. Prepare Amazon Redshift Producer Cluster 3. Prepare Amazon Redshift Consumer Cluster 4. Baseline Sustainability KPI 5. Enable Amazon Redshift Data Sharing 6. Amazon Redshift Consumer Cluster Validation 7. Review Sustainability KPI Optimization Cleanup Turning Cost & Usage Reports into Efficiency Reports 1.1 Prepare CUR Data 1.2 Discover CUR data with Amazon Athena 1.3 Query your Amazon S3 usage by storage class 1.4 Install the AWS Cost and Usage Queries from the AWS Serverless Application Repository 2 Add your own assumptions (using the Amazon Athena console) 3 Add your own assumptions (using infrastructure as code) Cleanup Well-Architected Tool 100 Labs Level 100: Walkthrough of the Well-Architected Tool 1. Navigating to the console 2. Creating a workload 3. Performing a review 4. Saving a milestone 5. Viewing and downloading the report 6. Tear down this lab 200 Labs Level 200: Using AWSCLI to Manage WA Reviews 1. Configure Environment 2. Create a Well-Architected Workload 3. Performing a review 4. Saving a milestone 5. Viewing and downloading the report 6. Programmatic access via API 7. Teardown Level 200: Manage Workload Risks with OpsCenter 1. Deploy infrastructure 2. Configure risk tracking 3. Configure workload updates 4. Teardown 300 Labs Using custom resource in AWS CloudFormation to create and update Well-Architected Reviews 1. Deploy Infrastructure 2. Explore Lambda code 3. Use Lambda in CloudFormation 4. Deploy Sample Application 5. Explore WA Review 6. Teardown Level 300: Build custom reports of AWS Well-Architected Reviews 1. Extract workload data 2. Catalog the workload data 3. Query the workload data 4. Visualize the workload data 5. Clean up the deployment Helpful Resources Copying a WA Workload 1. Configure Environment 2. Python Code 3. Script usage examples Custom WAF Report 1. Configure Environment 2. Python Code 3. Script usage examples Export to XLSX 1. Configure Environment 2. Python Code 3. Script usage examples Export Import Utility 1. Configure Environment 2. Python Code 3. Script usage examples Well-Architected Partners 100 Labs Level 100: Automating Serverless Best Practices with Dashbird 1. Deploy The Blue Car Application 2. Well-Architected Insights 3. Modern Load Test 4. Tear down Contributing Guide General Reporting Bugs & Feature Requests Creating a Fork Updating an Existing Lab Creating a New lab Creating a Pull Request Contributing (GitHub) Labs RSS Feed Amazon Free TierEnglish Clear HistoryLicenseDocumentation LicenseLicensed under the Creative Commons Share Alike 4.0 license.Code LicenseLicensed under the Apache 2.0 and MITnoAttr License.© 2022 Amazon Web Services, Inc. or its Affiliates. All rights reserved.Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the license accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Edit this page AWS Well-Architected Labs > Security > 300 Level Advanced Labs > Level 300: IAM Permission Boundaries Delegating Role Creation > Knowledge CheckKnowledge CheckThe security best practices followed in this lab are:Manage credentials and authentication Use of MFA for access to provide additional access control.Grant access through roles or federation: Roles with associated policies have been used to define appropriate permission boundaries.Grant least privileges: The roles are scoped with minimum privileges to accomplish the task.Privacy|Site Terms |© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.