AWS CloudFormation, Amazon’s infrastructure-as-code offering, this week added StackSets to manage changes across regions or accounts. That comes a month after the monitoring service CloudWatch Events added cross-account support, too. These AWS automation developments reflect a change in how IT organizations utilize the cloud, particularly as enterprises and other large users establish governance controls across hundreds of accounts.
A business could require separate accounts to partition development, testing and production for each application, or to distinguish between business units or staff members. In any case, multiple accounts create complexity, especially if companies want consistency across access, security, configuration, logging and Virtual Private Clouds (VPCs). With these AWS automation updates, customers can use an administrator account to set resource configurations and create a baseline across accounts and regions.
This update will certainly be helpful for enterprises that want to segregate non-production and production workloads, said Jeff Aden, cofounder and executive vice president of strategic business development and marketing at 2nd Watch, an AWS managed service provider.
“Many of our large accounts have hundreds if not thousands of accounts they want to share resources across,” he said. “This will keep them from having to repeat a lot of the tasks hundreds and hundreds of times.”
The CloudFormation update in particular has been a common feature request from an operational standpoint, Aden said. 2nd Watch also created some of its own AWS automation tools to work around the problem of segregating workloads.
Automate for consistency, security
These updates, including the CloudWatch Events change targeted at complex security models, are part of a broader strategy to extend AWS automation deeper into its customers’ workflows. Earlier in 2017, Amazon added automation features to EC2 Systems Manager, and the company continues to build out higher-level services, such as AWS Lambda, that free systems administrators from many mundane activities.
“This is really making AWS more enterprise-friendly, so IT operations can have more of a global view of the resources they are using and the ability to manage across multiple AWS accounts,” said Jeff Kato, an analyst at The Taneja Group, in Hopkinton, Mass.
CloudFormation users build templates to pull in resources for application development, with automation to remove manual errors and maintain consistency. This latest update could serve as another reason for customers to go with CloudFormation rather than some of the popular third-party tools on the market, such as Ansible, Chef, Puppet and Terraform.
David Lucky, director of product management at Datapipe, a hybrid IT company in Jersey City, N.J., sees the potential to use this tool for its CloudFormation VPCs or standardized management of its library of templates.
“This might be a clearer way to manage environments, so we’re pretty excited about it,” he said. “It gives a consistent approach and control and flexibility in using CloudFormation.”
Thales, a cloud security firm based in France, uses CloudFormation for its client-side encryption service for Amazon Simple Storage Service (S3). StackSets could strengthen CloudFormation's regional controls, letting teams establish fault tolerance and configure orders of priority for responding when services go down, said Charles Goldberg, senior director of product at Thales.
Native tools that can automate template rules and best practices also could help prevent the types of high-profile security scares that have been in the news lately, wherein companies have left S3 buckets exposed to the public internet, Goldberg said.
The only possible downside is that this tool is limited to AWS at a time when enterprises want overarching controls for their deployments spread across multiple clouds, he added.
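The baseline-across-accounts idea described above, as an added illustration that is not from the article or from any of the companies quoted: a CloudFormation template that provisions a log bucket with public access blocked and an AWS Config rule flagging any bucket that is publicly readable, with the CLI calls that push it out as a StackSet. The account IDs are placeholders, the stack set name and logical resource names are my own, and the template assumes a Config recorder is already enabled in each target account and that the StackSets administration and execution IAM roles are in place.

```yaml
# Deploy from the administrator account (placeholder account IDs, assumed role setup):
#   aws cloudformation create-stack-set --stack-set-name org-baseline \
#       --template-body file://baseline.yaml
#   aws cloudformation create-stack-instances --stack-set-name org-baseline \
#       --accounts 111111111111 222222222222 --regions us-east-1 eu-west-1
AWSTemplateFormatVersion: '2010-09-09'
Description: Baseline security guardrails deployed to every account and region via StackSets

Resources:
  # Central log bucket. The name embeds account and region because the same
  # template is instantiated in many places and S3 bucket names are global.
  BaselineLogBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub 'baseline-logs-${AWS::AccountId}-${AWS::Region}'
      # Refuse public ACLs and public bucket policies outright, so the bucket
      # cannot end up exposed to the internet by a later misconfiguration.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled

  # Detective control: AWS Config managed rule that marks any bucket in the
  # account non-compliant if it grants public read (assumes a Config recorder).
  S3PublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket

Outputs:
  LogBucketName:
    Description: Name of the per-account, per-region baseline log bucket
    Value: !Ref BaselineLogBucket
```

Because StackSets re-applies the template in every target, changing the bucket or rule definition once in the administrator account and running an update propagates the fix to all accounts and regions instead of repeating it by hand.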