This content is part of the Conference Coverage: Your guide to AWS re:Invent 2017 news and analysis

Upgraded AWS automation streamlines cross-account controls

AWS automation additions to CloudFormation and CloudWatch Events give organizations new tools to manage resources across multiple accounts.

As enterprises increasingly manage their cloud environments across multiple accounts, AWS has responded with features to address the complexity of those designs.

AWS CloudFormation, Amazon's infrastructure-as-code offering, this week added StackSets to manage changes across regions or accounts. That comes a month after the monitoring service CloudWatch Events added cross-account support, too. These AWS automation developments reflect a change in how IT organizations utilize the cloud, particularly as enterprises and other large users establish governance controls across hundreds of accounts.

A business could require separate accounts to parse development, testing and production for each application, or to distinguish between business units or staff members. In any case, multiple accounts create complexity, especially if companies want consistency across access, security, configuration, logging and Virtual Private Clouds (VPCs). With these AWS automation updates, customers can turn to an administrator account to set resource configurations and create a baseline across accounts and regions.

This update will certainly be helpful for enterprises that want to segregate nonproduction and production workloads, said Jeff Aden, co-founder and executive vice president of strategic business development and marketing at 2nd Watch Inc., an AWS managed service provider.

"Many of our large accounts have hundreds, if not thousands, of accounts they want to share resources across," he said. "This will keep them from having to repeat a lot of the tasks hundreds and hundreds of times."

The CloudFormation update in particular has been a common feature request from an operational standpoint, Aden said. 2nd Watch also created some of its own AWS automation tools to work around the problem of segregating workloads.

Automate for consistency, security

These updates, including the CloudWatch Events change targeted at complex security models, are part of a broader strategy to extend AWS automation deeper into its customers' workflows. Earlier in 2017, Amazon added automation features to Elastic Compute Cloud Systems Manager, and the company continues to build out higher-level services, such as AWS Lambda, that free systems administrators from many mundane activities.

"This is really making AWS more enterprise-friendly, so IT operations can have more of a global view of the resources they are using and the ability to manage across multiple AWS accounts," said Jeff Kato, an analyst at the Taneja Group, in Hopkinton, Mass.


CloudFormation users build templates to pull in resources for application development with automation to remove manual errors and maintain consistency. This latest update could serve as another reason for customers to go with CloudFormation rather than some of the popular third-party tools on the market, such as Ansible, Chef, Puppet and Terraform.

David Lucky, director of product management at Datapipe Inc., a hybrid IT company in Jersey City, N.J., sees the potential to use this tool for its CloudFormation VPCs or standardized management of its library of templates.

"This might be a clearer way to manage environments, so we're pretty excited about it," he said. "It gives a consistent approach and control and flexibility in using CloudFormation."

Thales, a cloud security firm based in France, uses CloudFormation for its client-side encryption service for Amazon Simple Storage Service (S3). StackSets could potentially strengthen CloudFormation's regional controls, letting Thales establish fault tolerance and configure orders of priority for responding when services go down, said Charles Goldberg, senior director of product at Thales.

Native tools that can automate template rules and best practices also could help prevent the types of high-profile security scares that have been in the news lately, wherein companies have left S3 buckets exposed to the public internet, Goldberg said.
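One form such a template rule can take, as an added example that is not 2nd Watch's tool or any code from the page: a small Python check that scans a parsed CloudFormation template for S3 buckets with public canned ACLs, or bucket policies that grant access to Principal `*` with no condition, so the finding surfaces before the template is rolled out through a StackSet. The template is assumed to be JSON already parsed into a dict, and the sample template below is constructed for illustration.

```python
import json

# Canned ACLs that open a bucket to anyone (or to any AWS account holder).
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, including lists that contain "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def find_public_s3(template):
    """Return [(logical_id, reason)] for S3 resources in a parsed template
    that expose data publicly. Resources are visited in template order."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties", {})
        if rtype == "AWS::S3::Bucket" and props.get("AccessControl") in PUBLIC_ACLS:
            findings.append((logical_id, f"public canned ACL {props['AccessControl']}"))
        elif rtype == "AWS::S3::BucketPolicy":
            statements = props.get("PolicyDocument", {}).get("Statement", [])
            statements = statements if isinstance(statements, list) else [statements]
            for stmt in statements:
                # An Allow to everyone with no Condition is a public grant.
                if (stmt.get("Effect") == "Allow"
                        and is_wildcard_principal(stmt.get("Principal"))
                        and "Condition" not in stmt):
                    findings.append((logical_id, "bucket policy allows Principal '*' unconditionally"))
    return findings


# Constructed sample: one exposed bucket, one private bucket, one public policy.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private"}},
    "DataPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "DataBucket"},
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-data/*"}]}}}
  }
}""")

if __name__ == "__main__":
    for logical_id, reason in find_public_s3(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```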

The only possible downside is that this tool is limited to AWS at a time when enterprises want overarching controls for their deployments spread across multiple clouds, he added.

Trevor Jones is a news writer with SearchCloudComputing and SearchAWS.
