Emronix (https://emronix.com/)

How to Deploy Containerized App with AWS App Runner
https://emronix.com/how-to-deploy-containerized-app-on-aws-app-runner/
Fri, 11 Jun 2021 18:02:00 GMT

As an AWS user, have you ever wondered how to run your containerized app on AWS? It can be done in several ways, but one of the simplest is the AWS App Runner service. According to AWS, you don't need an orchestrator, a load balancer, a build pipeline, a TLS certificate, or any servers to manage.

You can either bring your own container image or use App Runner's container build service by connecting your GitHub repository. A simple architectural overview is shown below:

[Figure: architectural overview of AWS App Runner]

Let's dive into the steps to deploy the containerized app.

Step 1: Specify Container Image Source

If you are going to link your GitHub repo, select the repository type "Source Code"; if you are going to use AWS ECR (Elastic Container Registry), select the repository type "Container Registry". In this section, I am going to use public AWS ECR. I didn't find an option to specify a public image from Docker Hub. In my opinion, AWS should consider supporting Docker Hub, as it is a popular registry for hosting private and public repositories. After selecting the repository type, specify the URI of the container image as shown below and click "Next".

[Screenshot: App Runner source settings with the container image URI]

Step 2: Configure Settings for your Service

Specify the service name and the port your container listens on. The remaining settings are optional and can be configured as your requirements dictate; for this example, I am keeping them at their defaults. Click "Next".

[Screenshot: App Runner service settings]

Step 3: Review and Create

In this step, review your configuration and then click "Create & deploy".

[Screenshot: App Runner review and create step]

Your application is deployed behind a load balancer with a TLS certificate. You can check the logs, and once the service is in the RUNNING state, you can open the URL generated by AWS. You can also configure a custom domain.

Summary

After reading this article you should be able to deploy your containerized app with AWS App Runner. It would be great to see Docker Hub integration with App Runner in the future; other providers already support Docker Hub.


Security Analysis and Compliance Monitoring with AWS CloudTrail
https://emronix.com/security-analysis-and-compliance-monitoring-with-aws-cloudtrail/
Thu, 03 Jun 2021 17:39:28 GMT

AWS CloudTrail records all API calls and resource changes in your AWS environment, which helps you build preventative and detective security controls. CloudTrail captures each API request together with its metadata and delivers the resulting event logs to an S3 bucket. You can use these logs for security analysis and compliance monitoring.

CloudTrail events

A CloudTrail event is the record of an activity in your AWS environment, for example a user creating or deleting a DynamoDB table, modifying the configuration of an EC2 instance, or any action taken through the AWS Management Console.

There are three types of events:

  1. Management events – control plane (management and network) operations performed on the resources in your AWS environment, such as IAM role configuration, VPC network configuration, or EC2 subnet creation and update.
  2. Data events – data plane operations, which are often high-volume activities. They are disabled by default, and logging them incurs an additional cost.
  3. CloudTrail Insights events – records of unusual activity in your AWS environment, such as an excessive number of API calls in a short period. They are disabled by default, and logging them incurs an additional cost.

CloudWatch vs CloudTrail

Though both are monitoring services from AWS, they serve different purposes. CloudWatch collects metrics and logs from your AWS services, resources and applications, whereas CloudTrail records the API activity (who did what) inside your AWS environment.

CloudWatch is used to monitor:

  • Performance and metrics of your AWS resources and applications.
  • User-defined logs from your application.
  • CloudWatch events, on which you can automate actions.
  • Alarms, for which you define thresholds on a resource. When a threshold is crossed, the alarm is triggered and you can define actions (such as sending you an e-mail notification).

Whereas, CloudTrail is used to monitor:

  • "Who" has performed "what" action in your AWS environment.
  • "When" and "where" the action has been performed.

Used together, these two services give you a robust monitoring solution built from AWS services.
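To make the "who, what, when, where" view and the Insights-style rate check concrete, here is an added example (not code from the original post) that reads a CloudTrail log file and flags a principal whose call rate in a short window is unusual. The records, user names and IP addresses are constructed sample data; the burst detector is a simplified stand-in for CloudTrail Insights, not its algorithm.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # eventTime format used in CloudTrail records

def make_record(ts, user, source, name, region="us-east-1", ip="203.0.113.10"):
    # Minimal CloudTrail record; constructed sample data, not a real log line.
    return {"eventTime": ts.strftime(TIME_FMT), "eventSource": source,
            "eventName": name, "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user}}

BASE = datetime(2021, 6, 3, 10, 0, 0)
# Constructed log file: "alice" performs two ordinary actions over an hour,
# while "deploy-bot" issues 30 DescribeInstances calls within half a minute.
SAMPLE_LOG = json.dumps({"Records":
    [make_record(BASE, "alice", "iam.amazonaws.com", "CreateUser"),
     make_record(BASE + timedelta(minutes=20), "alice", "ec2.amazonaws.com", "RunInstances")]
    + [make_record(BASE + timedelta(seconds=i), "deploy-bot", "ec2.amazonaws.com",
                   "DescribeInstances", ip="198.51.100.7") for i in range(30)]})

def parse_log(text):
    # A CloudTrail log file (after gunzip) is a JSON object with a "Records" list.
    return json.loads(text)["Records"]

def summarize(record):
    # Answer "who / what / when / where" for a single record.
    ident = record["userIdentity"]
    who = ident.get("userName") or ident.get("arn") or ident["type"]
    service = record["eventSource"].split(".")[0]
    return {"who": who, "what": f"{service}:{record['eventName']}",
            "when": record["eventTime"],
            "where": f"{record['awsRegion']} from {record['sourceIPAddress']}"}

def find_bursts(records, window_seconds=60, threshold=20):
    # Principal -> peak call count inside any sliding window of window_seconds, for
    # principals whose peak exceeds threshold (a simple stand-in for Insights' rate check).
    times_by_user = defaultdict(list)
    for r in records:
        times_by_user[summarize(r)["who"]].append(datetime.strptime(r["eventTime"], TIME_FMT))
    flagged = {}
    for user, times in times_by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[user] = peak
    return flagged
```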

CloudTrail Best Practices

Consider the best practices below when using the CloudTrail service. This list is not a complete cloud security solution, but you can refer to it when setting up security monitoring for your organization.

  • To get a complete record of events across your organization, enable CloudTrail in all accounts and regions.
  • Set up separate trails for different use cases.
  • To monitor data plane activity, consider enabling data events. They are disabled by default and incur an additional cost.
  • Use a dedicated S3 bucket for the CloudTrail log files, with a bucket policy in place.
  • Enable MFA delete and versioning on the S3 bucket that stores the CloudTrail log files.
  • Enable CloudTrail log file integrity validation.
  • Enable encryption of the CloudTrail log files in the S3 bucket.
  • Use event selectors with data events; they give you finer control over which data events are logged.
  • Combine CloudTrail with CloudWatch for a robust monitoring solution built from AWS services.
  • Enable CloudTrail Insights. Insights automatically analyzes management events and delivers an Insights event to the S3 bucket whenever there is unusual activity in your AWS environment. You can then build a workflow that sends notifications for these events.
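The checklist above can be turned into an automated check. The following added example (not the post's own code) audits a trail and its log bucket against those practices; the inputs are dicts shaped like the responses of boto3's cloudtrail.describe_trails, cloudtrail.get_trail_status and s3.get_bucket_versioning, and the account id, names and ARNs in the samples are constructed placeholders.

```python
def audit_trail(trail, status, versioning):
    # trail: one entry of describe_trails()["trailList"]; status: get_trail_status();
    # versioning: get_bucket_versioning() for the trail's S3 bucket. Returns a list of
    # findings; an empty list means the trail matches the checklist in this post.
    findings = []
    if not status.get("IsLogging"):
        findings.append("trail is not currently logging")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail records a single region only")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events are not recorded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file integrity validation is disabled")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not encrypted with a KMS key")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("trail is not delivered to CloudWatch Logs")
    if not trail.get("HasInsightSelectors"):
        findings.append("CloudTrail Insights is not enabled")
    if versioning.get("Status") != "Enabled":
        findings.append("log bucket versioning is not enabled")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("log bucket MFA delete is not enabled")
    return findings

def audit_live(trail_name):
    # Same audit against a real account (needs AWS credentials); boto3 is imported
    # here so the constructed samples below run without it installed.
    import boto3
    ct, s3 = boto3.client("cloudtrail"), boto3.client("s3")
    trail = ct.describe_trails(trailNameList=[trail_name])["trailList"][0]
    status = ct.get_trail_status(Name=trail["TrailARN"])
    versioning = s3.get_bucket_versioning(Bucket=trail["S3BucketName"])
    return audit_trail(trail, status, versioning)

# Constructed samples (account id, names and ARNs are placeholders, not real).
ACCOUNT = "123456789012"
WEAK_TRAIL = {"Name": "default", "S3BucketName": "example-cloudtrail-logs",
              "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/default",
              "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True,
              "LogFileValidationEnabled": False, "HasInsightSelectors": False}
HARDENED_TRAIL = dict(WEAK_TRAIL, IsMultiRegionTrail=True, LogFileValidationEnabled=True,
                      HasInsightSelectors=True,
                      KmsKeyId=f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-ID",
                      CloudWatchLogsLogGroupArn=f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:cloudtrail:*")
LOGGING_ON = {"IsLogging": True}
WEAK_BUCKET = {"Status": "Suspended"}          # versioning turned off, no MFA delete
HARDENED_BUCKET = {"Status": "Enabled", "MFADelete": "Enabled"}
```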

Summary

In this post, I have covered the basics of CloudTrail concepts and how CloudTrail can be used for security analysis and compliance monitoring. You can pair CloudWatch with CloudTrail to add monitoring capabilities to your solution, and you can refer to the best practices listed above.
