Lab: Implementing Secure and Consistent Deployment with Infrastructure as Code
Implement a secure and consistent deployment strategy for cloud resources
This lab guides you through the process of using Infrastructure as Code (IaC) to deploy AWS resources consistently and securely. You will learn how to enforce tagging strategies and use AWS Config to ensure resources remain compliant with organizational standards.
[!WARNING] Remember to run the teardown commands at the end of this lab to avoid ongoing charges.
Prerequisites
To complete this lab, you need:
- An AWS account with administrative access.
- AWS CLI installed and configured with appropriate credentials: `<YOUR_ACCESS_KEY>`, `<YOUR_SECRET_KEY>`, and `<YOUR_REGION>` (e.g., `us-east-1`).
- Basic familiarity with YAML syntax for CloudFormation templates.
- Access to a terminal or command prompt.
Learning Objectives
By the end of this lab, you will be able to:
- Deploy cloud resources consistently using AWS CloudFormation.
- Implement a tagging strategy for resource organization and cost allocation.
- Enforce security configurations such as Server-Side Encryption (SSE) via templates.
- Use AWS Config to evaluate the compliance of deployed resources against organizational rules.
Architecture Overview
The following diagram illustrates the workflow: defining a secure template, deploying it to create an S3 bucket, and monitoring that bucket with AWS Config.
Step-by-Step Instructions
Step 1: Create a Secure CloudFormation Template
We will create a YAML template for an S3 bucket that includes mandatory tagging and encryption.
- Create a file named `secure-bucket.yaml` on your local machine.
- Paste the following content into the file:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Secure S3 Bucket with Tags and Encryption
Resources:
  SecureBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "brainybee-lab-bucket-${AWS::AccountId}"
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      Tags:
        - Key: Environment
          Value: Lab
        - Key: Department
          Value: Security
```

Step 2: Deploy the Infrastructure
Now, use the AWS CLI to deploy the stack.
```bash
aws cloudformation create-stack \
  --stack-name SecureDeploymentStack \
  --template-body file://secure-bucket.yaml
```

Console alternative:
- Navigate to CloudFormation in the AWS Management Console.
- Click Create stack > With new resources (standard).
- Choose Upload a template file, select `secure-bucket.yaml`, and click Next.
- Enter `SecureDeploymentStack` as the Stack name and complete the wizard.
Step 3: Verify Resource Compliance with AWS Config
We will now create a Config Rule to ensure that all S3 buckets have the Department tag.
```bash
aws configservice put-config-rule \
  --config-rule '{"ConfigRuleName": "check-s3-department-tag", "Source": {"Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS"}, "InputParameters": "{\"tag1Key\":\"Department\"}", "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]}}'
```

[!TIP] AWS Config may take a few minutes to record the resource and evaluate the rule after deployment.
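The Config rule above evaluates the bucket only after it exists. As an added example (not part of the lab), the following Python check applies the same standard from Step 1 and Step 3 before deployment: default server-side encryption present and the `Department` tag key set. It works on the template in CloudFormation's JSON/dict form (constructed inline from the lab's `secure-bucket.yaml`) and uses only the standard library; the function names are assumptions.

```python
import copy

# The lab's secure-bucket.yaml expressed in CloudFormation's JSON/dict form
# (constructed here so the check runs on the standard library alone;
# the YAML "!Sub" short form becomes the "Fn::Sub" long form).
SECURE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {"SecureBucket": {
        "Type": "AWS::S3::Bucket",
        "Properties": {
            "BucketName": {"Fn::Sub": "brainybee-lab-bucket-${AWS::AccountId}"},
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
            "Tags": [{"Key": "Environment", "Value": "Lab"},
                     {"Key": "Department", "Value": "Security"}]}}}}

REQUIRED_TAGS = ("Department",)   # same tag key the REQUIRED_TAGS rule's tag1Key checks
ALLOWED_SSE = ("AES256", "aws:kms")

def check_template(template, required_tags=REQUIRED_TAGS):
    """Return (logical_id, finding) pairs for every S3 bucket in the template
    that lacks default server-side encryption or a required tag key."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties", {})
        rules = (props.get("BucketEncryption", {})
                 .get("ServerSideEncryptionConfiguration", []))
        algos = [r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                 for r in rules]
        if not any(a in ALLOWED_SSE for a in algos):
            findings.append((logical_id, "no default server-side encryption"))
        present = {t.get("Key") for t in props.get("Tags", [])}
        for key in required_tags:
            if key not in present:
                findings.append((logical_id, f"missing required tag {key}"))
    return findings

def strip_controls(template):
    """Constructed negative case: a copy of the template with encryption and
    the Department tag removed, to show what the check reports."""
    bad = copy.deepcopy(template)
    props = bad["Resources"]["SecureBucket"]["Properties"]
    props.pop("BucketEncryption")
    props["Tags"] = [t for t in props["Tags"] if t["Key"] != "Department"]
    return bad
```

Run `check_template` over a template before `create-stack`; an empty result means the bucket would already satisfy the tag and encryption checks the lab verifies afterwards.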
Step 4: Visualize Resource Relationships
To understand how AWS Config tracks your resources, consider this relationship diagram of the components you just created:
```latex
% requires \usetikzlibrary{positioning} for the right=of / below=of syntax
\begin{tikzpicture}[node distance=2cm,
    every node/.style={rectangle, draw, rounded corners, minimum height=1cm, text centered}]
  \node (cf) {CloudFormation Stack};
  \node (s3) [right=of cf] {S3 Bucket};
  \node (config) [below=of s3] {AWS Config};
  \node (rule) [right=of config] {Required Tags Rule};
  \draw[->, thick] (cf) -- (s3) node[midway, above] {Deploys};
  \draw[->, thick] (config) -- (s3) node[midway, left] {Records};
  \draw[->, thick] (rule) -- (config) node[midway, above] {Evaluates};
\end{tikzpicture}
```
Checkpoints
- CloudFormation Status: Run `aws cloudformation describe-stacks --stack-name SecureDeploymentStack --query "Stacks[0].StackStatus"`; it should return `"CREATE_COMPLETE"`.
- Encryption Check: Run `aws s3api get-bucket-encryption --bucket brainybee-lab-bucket-<YOUR_ACCOUNT_ID>` and ensure `AES256` is returned.
- Tagging Check: Run `aws s3api get-bucket-tagging --bucket brainybee-lab-bucket-<YOUR_ACCOUNT_ID>` and ensure the `Department: Security` tag is present.
- Compliance Result: Check the Config Console under Rules to see if `check-s3-department-tag` shows "Compliant".
Troubleshooting
| Error | Likely Cause | Fix |
|---|---|---|
| `AlreadyExistsException` | Bucket name is globally taken. | Edit `secure-bucket.yaml` to use a more unique name. |
| `AccessDenied` | Missing IAM permissions for CloudFormation or S3. | Ensure your user has AdministratorAccess or specific S3/CFN permissions. |
| `ConfigRuleNotAvailable` | AWS Config recorder is not enabled. | Go to Config Console > Settings and ensure recording is turned on for the region. |
Clean-Up / Teardown
To avoid costs, delete the resources in this order:
- Delete the Config Rule:

  ```bash
  aws configservice delete-config-rule --config-rule-name check-s3-department-tag
  ```

- Delete the CloudFormation Stack (this deletes the S3 bucket):

  ```bash
  aws cloudformation delete-stack --stack-name SecureDeploymentStack
  ```

- Verify S3 is Empty: If you manually added files to the bucket, the stack deletion will fail. Empty the bucket first:

  ```bash
  aws s3 rm s3://brainybee-lab-bucket-<YOUR_ACCOUNT_ID> --recursive
  ```
Cost Estimate
| Service | Cost Component | Estimate |
|---|---|---|
| AWS CloudFormation | Create/Update | Free |
| AWS S3 | Storage/Requests | ~$0.02 (within Free Tier) |
| AWS Config | Config Item Recorded | $0.003 per item |
| AWS Config | Rule Evaluation | $0.001 per evaluation |
Total Estimated Cost: < $0.10 for the duration of this lab.