You will need the following to be able to perform this lab:

  • Your own device for console access
  • An AWS account that you are able to use for testing, that is not used for production or other purposes
  • An available region within your account with capacity to add 2 additional VPCs

User and Group Management

When you create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. It is accessed by signing in with the email address and password that you used to create the account.

We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Securely store the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User.

IAM Users & Groups

As a best practice, do not use the AWS account root user for any task where it’s not required. Instead, create a new IAM user for each person that requires administrator access. Then grant administrator access by placing the users into an “Administrators” group to which the AdministratorAccess managed policy is attached.

Use administrators group members to manage permissions and policy for the AWS account. Limit use of the root user to only those actions that require it.

1.1 Create Administrator IAM User and Group

If you’re currently using Event Engine, you do not need to complete this section or section 1.2. Skip the following two sections and go to section 1.3 Create an EC2 Key Pair below.

To create an administrator user for yourself and add the user to an administrators group:

  1. Use your AWS account email address and password to sign in as the AWS account root user to the IAM console at
  2. In the IAM navigation pane, choose Users and then choose Add user.
  3. In Set user details for User name, type a user name for the administrator account you are creating. The name can consist of letters, digits, and the following characters: plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). The name is not case sensitive and can be a maximum of 64 characters in length.
  4. In Select AWS access type for Access type, select the check box next to AWS Management Console access, select Custom password, and then type your new password in the text box. If you’re creating the user for someone other than yourself, you can leave Require password reset selected to force the user to create a new password when first signing in. Clear the box next to Require password reset and then choose Next: Permissions.
  5. In set permissions for user ensure Add user to group is selected.
  6. Under Add user to group choose Create group.
  7. In the Create group dialog box, type a Group name for the new group, such as Administrators. The name can consist of letters, digits, and the following characters: plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). The name is not case sensitive and can be a maximum of 128 characters in length. In the policy list, select the check box next to AdministratorAccess and then choose Create group.
  8. Back at Add user to group, in the list of groups, ensure the check box for your new group is selected. Choose Refresh if necessary to see the group in the list. choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.
  9. At the confirmation screen you do not need to download the user credentials for programmatic access at this time. You can create new credentials at any time.

You can use this same process to create more groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to specific AWS resources, see Access Management and Example Policies. To add additional users to the group after it’s created, see Adding and Removing Users in an IAM Group.

1.2 Log in to the AWS Management Console using your administrator account

  1. You can now use this administrator user instead of your root user for this AWS account. Choose the link https://<yourAccountNumber> and log in with your administrator user credentials.
  2. Select the region you will use for the lab from the the list in the upper right corner.
  3. Verify that you have 2 available VPCs (3 or less in use) in the selected region by navigating to the VPC Console ( and in the Resources section reviewing the number of VPCs.

1.3 Create an EC2 Key Pair

Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Public-key cryptography uses a public key to encrypt a piece of data, such as a password, then the recipient uses the private key to decrypt the data. The public and private keys are known as a key pair. To log in to the Amazon Linux instances we will create in this lab, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance.

  1. Use your administrator account to access the Amazon EC2 console at
  2. In the EC2 navigation pane under Network & Security, choose Key Pairs and then choose Create Key Pair.
  3. In the Create Key Pair dialog box, type a Key pair name such as OELabIPM, choose pem, and then choose Create key pair.
  4. Save the keyPairName.pem file for optional later use accessing the EC2 instances created in this lab.

2. Deploy an Environment Using Infrastructure as Code


We will make extensive use of tagging throughout the lab. The CloudFormation template for the lab includes the definition of multiple tags against a variety of resources.

AWS enables you to assign metadata to your AWS resources in the form of tags. Each tag is a simple label consisting of a customer-defined key and an optional value that can make it easier to manage, search for, and filter resources. Although there are no inherent types of tags, commonly adopted categories of tags include technical tags (e.g. Environment, Workload, InstanceRole, and Name), tags for automation (e.g. Patch Group, and SSMManaged), business tags (e.g. Owner), and security tags (e.g. Confidentiality).

Apply the following best practices when using tags:

  • Use a standardized, case-sensitive format for tags, and implement it consistently across all resource types
  • Consider tag dimensions that support the following:
    • Managing resource access control with IAM
    • Cost tracking
    • Automation
    • AWS console organization
  • Implement automated tools to help manage resource tags. The Resource Groups Tagging API enables programmatic control of tags, making it easier to automatically manage, search, and filter tags and resources.
  • Err on the side of using too many tags rather than too few tags.
  • Develop a tagging strategy.

It is easy to modify tags to accommodate changing business requirements; however, consider the consequences of future changes, especially in relation to tag-based access control, automation, or upstream billing reports.

Patch Group is a reserved tag key used by Systems Manager Patch Manager that is case sensitive with a space between the two words.

Management Tools: CloudFormation

AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications. You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances) and AWS CloudFormation provisions and configures those resources for you. AWS CloudFormation enables you to use a template file to create and delete a collection of resources as a single unit (a stack).

There is no additional charge for AWS CloudFormation. You pay for AWS resources (such as Amazon EC2 instances, Elastic Load Balancing load balancers, etc.) created using AWS CloudFormation in the same manner as if you created the resources manually. You only pay for what you use as you use it. There are no minimum fees and no required upfront commitments.

2.1 Deploy the Lab Infrastructure

To deploy the lab infrastructure:

  1. Download the CloudFormation script for this lab from this link here.
  2. Use your administrator account to access the CloudFormation console at
  3. Choose Create Stack.
  4. On the Specify template page, select Upload a template file.
  5. Select Choose file and select the JSON file OE_Inventory_and_Patch_Mgmt.json you downloaded in step 1 of this section.

AWS CloudFormation Designer

AWS CloudFormation Designer is a graphic tool for creating, viewing, and modifying AWS CloudFormation templates. With Designer you can diagram your template resources using a drag-and-drop interface. You can edit their details using the integrated JSON and YAML editor. AWS CloudFormation Designer can help you see the relationship between template resources.

  1. On the Specify template page, choose the link to View in Designer.
  2. Briefly review the graphical representation of the environment we are about to create, including the template in the JSON and YAML formats. You can use this feature to convert between JSON and YAML formats.
  3. Choose the Create Stack icon (a cloud with an arrow) to return to the Select Template page.
  4. On the Specify template page, choose Next.

A CloudFormation template is a JSON or YAML formatted text file that describes your AWS infrastructure containing both optional and required sections. In the next steps, we will provide a name for our stack and parameters that will be passed into the template to help define the resources that will be implemented.

  1. On the Specify stack details page, define a Stack name, such as OELabStack1.
  2. In the Parameters section:
    1. Leave InstanceProfile blank as we have not yet defined an instance profile.
    2. Leave InstanceTypeApp and InstanceTypeWeb as the default free-tier-eligible t2.micro value.
    3. Select the EC2 KeyName you defined earlier from the list.
    4. In a browser window, go to to get your IP. Enter your IP address in SourceLocation in CIDR notation (i.e., ending in /32).
    5. Define the Workload Name as Test.
  3. Choose Next.
  4. On the Configure stack options page under Tags, define a Key of Owner, with Value set to the username you choose for your administrator. You may define additional keys as needed. The CloudFormation template creates all the example tags given in the discussion on tagging above.
  5. Leave all other sections unmodified. Scroll to the bottom of the page and choose Next.
  6. On the Review page, review your choices and then choose Create stack.
  7. On the CloudFormation console page
    1. Check the box next to your Stack Name to see its details.
    2. If your Stack Name is not displayed, click the refresh button (circular arrow) in the top right until it appears.
    3. If the details are not displayed, choose the refresh button until details appear.
  8. Choose the Events tab for your selected workload to see the activity log from the creation of your CloudFormation stack.

When the Status of your stack displays CREATE_COMPLETE in the filter list, you have just created a representation of a typical lift and shift 2-tier application migrated to the cloud.

  1. Navigate to the EC2 console to view the deployed systems:
    1. Choose Instances.
    2. Select a server and review the details under its Description and Tag tabs.
    3. (Optional) choose Security Groups and select the Security Group whose name begins with the name of your stack. Examine the inbound rules.
    4. (Optional) navigate to the VPC console and examine the configuration of the VPC you just created.

The impact of Infrastructure as Code

With infrastructure as code, if you can deploy one environment, you can deploy any number of copies of that environment. In this example we have created a Test environment. Later, we will repeat these steps to deploy a Prod environment.

The ability to dynamically deploy temporary environments on-demand enables parallel experimentation, development, and testing efforts. It allows duplication of environments to recreate and analyze errors, as well as cut-over deployment of production systems using blue-green methodologies. These practices contribute to reduced risk, increased operations effectiveness, and efficiency.