DEV Community


Journey of Enhanced & Mindful Architecture - Part 2

Welcome to Part 2 of the enhanced solution design under the Management & Governance category.

The requirement is to efficiently manage and maintain the creation and update of resource definitions in AWS accounts; what follows is a minimal illustration of one use case. Ideally, every resource created in an AWS account carries the expected Tag:Value.

Part #2 solution breakdown:

1) Users and roles are the access mechanism to any resource; they hold the access definitions in the form of permissions.

2) So, attach a policy to the IAM users, roles or groups (as appropriate) that allows creation or modification of resources such as EC2, RDS, S3 or any other resource only when the mandatory tag value is present.

3) Defining the IAM permissions and attaching them to the appropriate users and roles is enough to monitor and maintain the resources for the expected tag:values.

A simple policy to deny resource creation without tag values. The tag key CostCenter is a placeholder for whichever key your organisation mandates, and the Deny is limited to create calls that accept tags on the request (EC2 instances and volumes, RDS instances): a Deny on "Action": "*" with this condition would also block every read-only call, because those calls never carry an aws:RequestTag and the Null condition would therefore always be true.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyResourceCreationWithoutTags",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume",
        "rds:CreateDBInstance"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:rds:*:*:db:*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCenter": "true"
        }
      }
    }
  ]
}
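To see why the scope of the Deny matters, here is an added example (not code from the original post, and not AWS's policy engine) that evaluates the one piece of IAM semantics this policy relies on: an explicit Deny whose Null condition tests whether aws:RequestTag/<key> was supplied. It assumes the caller already holds an Allow for the action and only asks whether the Deny would override it; the tag key CostCenter and the constructed requests are placeholders.

```python
import fnmatch
import json

# Added example, not part of the original post: a toy evaluator for the subset
# of IAM policy semantics the tag-enforcement policy relies on, namely explicit
# Deny statements with a "Null" condition on aws:RequestTag/<key>. It is not
# AWS's policy engine; it assumes the caller already holds an Allow for the
# action and only decides whether an explicit Deny overrides it.

REQUEST_TAG_PREFIX = "aws:RequestTag/"

# Constructed policy. The tag key "CostCenter" is a placeholder for whatever key
# the organisation mandates.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyResourceCreationWithoutTags",
      "Effect": "Deny",
      "Action": ["ec2:RunInstances", "ec2:CreateVolume", "rds:CreateDBInstance"],
      "Resource": "*",
      "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}}
    }
  ]
}
""")

# The same statement with Action "*": every call that carries no request tag is
# denied, including read-only calls that can never carry one.
BROAD_POLICY = json.loads(json.dumps(SCOPED_POLICY))
BROAD_POLICY["Statement"][0]["Action"] = "*"


def _as_list(value):
    """IAM accepts a string or a list in Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Case-insensitive glob match, e.g. "ec2:*" or "*" against "ec2:RunInstances"."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _null_condition_holds(condition, request_tags):
    """Evaluate a Null block: "true" means the key must be absent, "false" present.

    A statement with no Condition block matches unconditionally.
    """
    for key, expected in condition.get("Null", {}).items():
        if not key.startswith(REQUEST_TAG_PREFIX):
            raise ValueError(f"unsupported condition key in this toy evaluator: {key}")
        tag_key = key[len(REQUEST_TAG_PREFIX):]
        is_absent = tag_key not in request_tags
        if is_absent != (expected.lower() == "true"):
            return False
    return True


def evaluate(policy, action, request_tags):
    """Return "deny" if any Deny statement matches the call, else "allow".

    request_tags is the dict of tags supplied in the API request
    (TagSpecifications for EC2, Tags for RDS); read-only calls carry none.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if _null_condition_holds(stmt.get("Condition", {}), request_tags):
            return "deny"
    return "allow"


if __name__ == "__main__":
    # Constructed requests: a tagged launch, an untagged launch, a read-only call.
    for pol_name, pol in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        for action, tags in (
            ("ec2:RunInstances", {"CostCenter": "1234"}),
            ("ec2:RunInstances", {"Name": "web-1"}),
            ("ec2:DescribeInstances", {}),
        ):
            print(f"{pol_name:6} {action:22} tags={tags!r:26} -> {evaluate(pol, action, tags)}")
```

Running it shows the scoped policy denying only the untagged launch, while the broad variant also denies ec2:DescribeInstances, which is the behaviour you would see from an identity whose policy applied the condition to every action.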

Solution Design for this scenario:


Benefits around this solution:

1) The requirement is an efficient way to enforce the presence of tags on resources, and attaching a permissions policy to the IAM user, role or group is the most efficient point to do so, because resources are created through these identities.
2) In addition, the policy takes care of the tag's existence both at creation and at any later update (when an existing tag is about to be removed via code, console or CLI).
3) Instead of attaching a scheduler to EC2 (as in the solution explained in Part #1), here the policy covers any resource at any time without the need for a scheduler; RDS and S3 are shown here as examples.
4) The Part #1 solution works and meets the requirements, but it is a reactive model: it notifies the user or group on tag deletion, and only afterwards does the team put the tags back. This solution is proactive.
5) AWS services such as EventBridge rules, SNS and Lambda (from the previous solution design) are no longer needed in this solution, so cost is optimized too :-)

In conclusion, this is an improved version of the solution design compared to the earlier one!!

Yet again folks, please hold on to your invaluable suggestions until the last part of this series (coming soon); I am willing to learn and explore more possibilities with my fellow aspirants!!

Part #1: Link
