Chapter 14 of 20

Deploying and Operating in AWS: Infrastructure as Code and Management Tools

Shift from clicking in the console to thinking like a modern cloud operator using automation, templates, and managed operations services.

From Clicking to Operating: How We Deploy in AWS

Why This Module Matters

Earlier you learned what to build in AWS. Now we focus on how to deploy and operate it like a modern cloud operator using automation and monitoring.

Four Main Interaction Methods

You can work with AWS using: 1) the Management Console (web UI), 2) AWS CLI (terminal commands), 3) AWS SDKs (in code), and 4) automation/IaC tools like CloudFormation and CDK.

Maturity Ladder

Console is best for learning and one-offs, CLI/SDKs for scripts, and IaC for consistent, governed environments that are easy to reproduce and review.

Shared Responsibility Link

Under the AWS shared responsibility model, automation and monitoring are key to meeting your responsibilities for security, compliance, and operations.

Comparing Console, CLI, SDKs, and Automation

Console: Visual and Manual

The AWS Management Console is a web UI. It is visual and beginner‑friendly, great for exploration and one‑off tasks, but manual and error‑prone for repeated operations.

CLI: Commands and Scripts

The AWS CLI lets you run text commands like `aws s3 ls`. It is faster than clicking and can be scripted, but you still describe steps, not the final desired state.

SDKs: AWS from Your Code

AWS SDKs are language libraries your applications use to call AWS APIs. They are powerful but require coding skills and can accidentally become ad‑hoc infrastructure scripts.

Automation and IaC

IaC tools let you declare infrastructure in templates or code. They are designed for consistency, repeatability, and governance, and are usually the best answer for repeat deployments.

Exam Tip

If a question mentions repeatable, consistent deployments across environments or Regions, prefer IaC/automation over console or manual CLI use.

Infrastructure as Code: The Core Idea and Benefits

IaC Definition

Remember this exactly: Infrastructure as code is the process of managing and provisioning your cloud resources by writing templates or scripts, rather than using manual processes.

Mindset Shift

With IaC, you do not just click to build resources. You write templates that describe the desired infrastructure, and AWS creates or updates resources to match.

Consistency and Repeatability

The same template can create identical dev, test, and prod environments, even across Regions. You can quickly recreate or tear down environments when needed.

Governance and Auditing

Templates live in version control and can be reviewed; combined with CloudTrail and AWS Config, they show who changed what, when, and how.

Exam Signal Words

If a question mentions standardization, reducing human error, or versioning infrastructure, IaC is almost always the best answer.

AWS CloudFormation and AWS CDK: Native IaC Options

CloudFormation Basics

AWS CloudFormation lets you define infrastructure in JSON or YAML templates. It manages resources as a stack you can create, update, or delete as a unit.

CloudFormation Benefits

CloudFormation is declarative, supports change sets to preview changes, and can roll back failed updates to a previous stable state.

AWS CDK Overview

AWS CDK lets you define infrastructure using languages like TypeScript or Python. It generates CloudFormation templates behind the scenes.

CDK Advantages

CDK uses loops, conditionals, and reusable constructs, making it easier to express complex patterns and share best practices as code.

Related Services and Exam Cues

Elastic Beanstalk hides infrastructure details and manages them for you. On the exam, “JSON/YAML stacks” points to CloudFormation and “familiar programming languages” points to CDK.

A Simple CloudFormation Template Walkthrough

Template Overview

A simple CloudFormation template can create an S3 bucket using YAML or JSON instead of clicks. You describe resources under a `Resources` section.

Reading the YAML

`MyBucket` is a logical name. `Type: 'AWS::S3::Bucket'` tells CloudFormation to create an S3 bucket. `Properties` configures details like `BucketName`.

What CloudFormation Does

When you deploy the template as a stack, CloudFormation calls the S3 APIs for you and manages the bucket as part of that stack’s lifecycle.

Recognizing CloudFormation

On the exam, YAML or JSON with `Resources` and `Type: AWS::Service::Resource` is a strong sign the question is about AWS CloudFormation.

Comparing Console vs CLI vs IaC for a Simple Task

This step contrasts how the same outcome (creating an S3 bucket) looks using the console, CLI, and IaC. You do not need to run these commands; focus on recognizing the patterns.

  1. Console (conceptual)
  • Log in to the AWS Management Console.
  • Navigate to S3.
  • Click “Create bucket”, fill in the bucket name and Region, click “Create”.
  2. AWS CLI

```bash
# Bucket names are globally unique, so replace my-example-bucket-123456 with
# your own. us-east-1 is the one Region that must NOT be given a
# LocationConstraint (the API rejects it); for any other Region add
#   --create-bucket-configuration LocationConstraint=<that-region>
aws s3api create-bucket \
  --bucket my-example-bucket-123456 \
  --region us-east-1
```

  3. CloudFormation IaC (YAML)

```yaml
Resources:
  MyBucket:                    # logical name, used only inside the template
    Type: 'AWS::S3::Bucket'    # tells CloudFormation which resource to create
    Properties:
      BucketName: my-example-bucket-123456
```

Key comparison points for the exam:

  • Console: Most manual, but easiest to discover features.
  • CLI: Scriptable, but still imperative. You must remember the exact command and flags.
  • IaC (CloudFormation/CDK): Declarative and repeatable. Best when you need multiple environments or long‑term governance.

If a question asks for “a repeatable, automated way to create and manage infrastructure”, IaC is usually the correct answer. If it asks for “quickly testing a single command from your laptop”, the CLI is more likely. If it mentions “visual exploration of services by a new user”, that suggests the console.
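Because a template is plain text in version control, it can be checked before it ever becomes a stack. The following is an added example, not code from the course page: it reads a CloudFormation template in its JSON form (so only the Python standard library is needed) and applies the rule the text attributes to AWS Config, “all S3 buckets must block public access”, to every `AWS::S3::Bucket` in the template. The template and bucket names are constructed.

```python
# Added example: review a CloudFormation template (JSON form) before deployment
# and flag every AWS::S3::Bucket that does not fully block public access.
import json

# Constructed template: one hardened bucket, one bucket missing the block,
# and one non-bucket resource the rule must skip.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "example-logs-bucket-123456",
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                },
            },
        },
        "UploadsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-uploads-bucket-123456"},
        },
        "WebRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    }
})

# All four flags must be on. CloudFormation accepts booleans or the strings
# "true"/"false" here, so compare case-insensitively as text.
REQUIRED_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                  "IgnorePublicAcls", "RestrictPublicBuckets")


def find_public_buckets(template_text):
    """Return logical IDs of AWS::S3::Bucket resources whose
    PublicAccessBlockConfiguration is absent or not fully enabled."""
    resources = json.loads(template_text).get("Resources", {})
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue  # the rule applies to buckets only
        props = resource.get("Properties") or {}
        block = props.get("PublicAccessBlockConfiguration") or {}
        if not all(str(block.get(f)).lower() == "true" for f in REQUIRED_FLAGS):
            findings.append(logical_id)
    return findings
```

Running `find_public_buckets(SAMPLE_TEMPLATE)` reports only `UploadsBucket`; the same check can run in a pull-request pipeline so the finding appears at review time rather than after AWS Config evaluates the live bucket.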

Monitoring and Operational Visibility: CloudWatch, CloudTrail, Config

CloudWatch in a Nutshell

Amazon CloudWatch focuses on performance and operational metrics, logs, and alarms. Use it to see metrics such as CPU utilization and request counts, and to trigger alarms when thresholds are crossed.

CloudTrail in a Nutshell

AWS CloudTrail records who did what and when at the API level. It is key for security auditing and investigating unexpected changes in your AWS account.

AWS Config in a Nutshell

AWS Config tracks configuration changes over time and checks resources against compliance rules, such as “all S3 buckets must block public access”.

Choosing the Right Tool

Performance or alarms? CloudWatch. API history and user actions? CloudTrail. Configuration history or compliance checks? AWS Config.

IaC + Observability

IaC defines desired state; CloudWatch, CloudTrail, and Config give visibility into how your running environment behaves and changes over time.
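The CloudTrail question “who did what and when” is answered by searching the API history for the relevant event names. The following is an added example, not code from the course page: it scans a CloudTrail log file for S3 calls that change who can access a bucket and returns the time, caller identity, and source IP of each. The records are constructed, but use the field names real CloudTrail events carry (`eventName`, `eventTime`, `userIdentity.arn`, `sourceIPAddress`, `requestParameters.bucketName`); the account ID and IPs are documentation placeholders.

```python
# Added example: find who changed an S3 bucket's access policy, when, and from
# which IP address by searching CloudTrail records.
import json

# Constructed CloudTrail log: a harmless read, a policy change on the bucket
# under investigation, and a policy change on an unrelated bucket.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": None},
    {"eventTime": "2024-05-01T23:41:18Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DevOps/bob"},
     "requestParameters": {"bucketName": "my-example-bucket-123456"}},
    {"eventTime": "2024-05-02T08:02:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "other-bucket-654321"}},
]})

# S3 API calls that change who can access a bucket.
POLICY_CHANGE_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
                        "PutPublicAccessBlock", "DeletePublicAccessBlock"}


def bucket_policy_changes(log_text, bucket_name=None):
    """Return (eventTime, actor ARN, source IP, eventName) for each
    policy-affecting S3 call, optionally limited to one bucket."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in POLICY_CHANGE_EVENTS:
            continue
        target = (rec.get("requestParameters") or {}).get("bucketName")
        if bucket_name is not None and target != bucket_name:
            continue
        hits.append((rec["eventTime"],
                     rec.get("userIdentity", {}).get("arn", "unknown"),
                     rec.get("sourceIPAddress", "unknown"),
                     rec["eventName"]))
    return hits
```

Pairing the result with the AWS Config timeline for the same bucket gives both halves of the investigation: Config shows how the policy changed, CloudTrail shows who submitted the change and from where.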

Thought Exercise: Picking the Right Tool

Work through these short scenarios and decide which AWS tool or method is the best fit conceptually. Think first, then check the suggested answers.

  1. Scenario A: Your team wants a junior engineer to visually explore Amazon RDS options for learning purposes. They should be able to click through wizards and see diagrams.
  • What should they use?
  2. Scenario B: You need to deploy the same VPC, subnets, and EC2 instances into three AWS Regions, and you want all environments to stay as similar as possible over time.
  • What approach or service should you favor?
  3. Scenario C: A security engineer needs to investigate who changed an S3 bucket policy yesterday, and from which IP address.
  • Which service’s logs should they look at?
  4. Scenario D: You want to be alerted if CPU utilization on a production EC2 instance stays above 80% for more than 5 minutes.
  • Which service should you use to set up this alert?
  5. Scenario E: Your compliance team requires that all security groups disallow inbound SSH (port 22) from the entire internet (`0.0.0.0/0`). You want a service that continuously checks for violations.
  • Which service best fits this need?

Suggested answers (peek after you think):

  1. Scenario A: AWS Management Console.
  2. Scenario B: Infrastructure as code using AWS CloudFormation or AWS CDK.
  3. Scenario C: AWS CloudTrail.
  4. Scenario D: Amazon CloudWatch (CloudWatch Alarms).
  5. Scenario E: AWS Config with appropriate compliance rules.

Quick Check: IaC and Deployment Methods

Answer this question to confirm you can distinguish between console, CLI, SDKs, and IaC at a high level.

A company wants to deploy the same standardized network and application stack into multiple AWS Regions with minimal manual effort. They also want to track changes to this infrastructure in version control. Which approach is MOST appropriate?

  A) Use the AWS Management Console in each Region to manually recreate the resources.
  B) Write a shell script that calls the AWS CLI to create resources step by step in each Region.
  C) Use infrastructure as code with AWS CloudFormation or AWS CDK and store templates in a code repository.
  D) Embed AWS SDK calls directly in the application code to create infrastructure at startup.

Answer: C) Use infrastructure as code with AWS CloudFormation or AWS CDK and store templates in a code repository.

Infrastructure as code is designed for consistent, repeatable, and governed deployments. Using CloudFormation or CDK templates stored in version control lets the company deploy the same stack across Regions with minimal manual work. The console and CLI are more manual and error‑prone, and embedding SDK calls in application startup is not a best practice for managing core infrastructure.

Quick Check: Monitoring and Logging Tools

Test your ability to match scenarios to the right AWS operations service.

An operations engineer needs to investigate why a production EC2 instance became unreachable last night. They suspect a security group rule was changed around that time. Which combination of AWS services will BEST help them identify both the configuration change and who made it?

  A) Amazon CloudWatch only
  B) AWS CloudTrail and AWS Config
  C) AWS CloudTrail and Amazon S3
  D) AWS Config and Amazon Route 53

Answer: B) AWS CloudTrail and AWS Config

AWS Config records configuration changes to resources like security groups, so it can show exactly how the rules changed and when. AWS CloudTrail records API calls and user identities, so it can show who made the change. CloudWatch focuses on metrics and logs, not configuration history or user identity.

Key Term Review: IaC and Operations Tools

Use these flashcards to solidify the key concepts from this module.

Infrastructure as code (IaC)
Infrastructure as code is the process of managing and provisioning your cloud resources by writing templates or scripts, rather than using manual processes.
AWS Management Console
A web-based user interface for accessing and managing AWS services. It is visual and beginner‑friendly but manual and less suitable for large‑scale, repeatable deployments.
AWS Command Line Interface (AWS CLI)
A unified tool to manage AWS services from the terminal using commands. It is scriptable and faster than clicking, but still imperative and more manual than declarative IaC.
AWS SDKs
Language-specific libraries (such as for Python, JavaScript, or Java) that allow applications to call AWS APIs directly, often used to integrate AWS services into application logic.
AWS CloudFormation
An AWS service that lets you model, provision, and manage AWS resources as stacks using JSON or YAML templates, enabling declarative, repeatable infrastructure deployments.
AWS Cloud Development Kit (AWS CDK)
A framework for defining cloud infrastructure using familiar programming languages. It synthesizes your code into CloudFormation templates for deployment.
Amazon CloudWatch
An AWS service for collecting and visualizing metrics and logs, and for creating alarms to monitor the performance and health of AWS resources and applications.
AWS CloudTrail
An AWS service that records account activity and API calls, providing a history of who did what and when, useful for security auditing and troubleshooting.
AWS Config
An AWS service that continuously records configuration changes of supported resources and evaluates them against compliance rules to identify non‑compliant resources.
Stack (CloudFormation)
A collection of AWS resources that you can manage as a single unit in AWS CloudFormation. Creating, updating, or deleting a stack affects all its resources together.

Bringing It Together: Operating Like a Modern Cloud Practitioner

Choosing Interaction Methods

Use the console for learning and inspection, CLI for quick scripts, SDKs for app integration, and IaC for standardized, governed environments.

IaC and Well‑Architected

IaC templates are versioned, reviewable, and auditable. This supports the AWS Well‑Architected Framework, especially Operational Excellence and Reliability.

Monitoring Trio

CloudWatch: metrics and alarms. CloudTrail: API and user activity. AWS Config: configuration history and compliance checks.

Link to Your Study Path

Upcoming diagnostics and mocks in this course will stress-test your ability to pick the right deployment and monitoring tools in scenario questions.

Key Terms

Stack
In AWS CloudFormation, a collection of AWS resources that you can manage as a single unit, creating, updating, or deleting them together.
AWS SDKs
Language-specific libraries that allow applications to call AWS APIs directly, enabling integration of AWS services into application code.
AWS Config
An AWS service that continuously records configuration changes of supported resources and evaluates them against compliance rules.
AWS CloudTrail
An AWS service that records account activity and API calls, providing a history of actions for security auditing and troubleshooting.
Amazon CloudWatch
An AWS service for collecting metrics and logs, creating alarms, and visualizing the performance and health of resources and applications.
AWS CloudFormation
An AWS service that lets you model, provision, and manage AWS resources as stacks using JSON or YAML templates.
AWS Management Console
A web-based user interface for accessing and managing AWS services, suitable for visual exploration and manual changes.
Infrastructure as code (IaC)
Infrastructure as code is the process of managing and provisioning your cloud resources by writing templates or scripts, rather than using manual processes.
AWS Well-Architected Framework
The AWS Well-Architected Framework describes the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud.
AWS Cloud Development Kit (AWS CDK)
A framework for defining cloud infrastructure using familiar programming languages, which synthesizes into CloudFormation templates.
AWS Command Line Interface (AWS CLI)
A unified tool for managing AWS services from the terminal using text commands, useful for scripting and automation of tasks.
