Lab 6: Capstone Lab for CloudOps

© 2026 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.

Note: Do not include any personal, identifying, or confidential information in the lab environment. Information entered may be visible to others.

Corrections, feedback, or other questions? Contact us at AWS Training and Certification.

Lab overview

Tasks to be solved for this lab are divided into three parts. The first part requires you to create a custom mechanism that sends out an email notification when an AWS Systems Manager SSM document successfully completes. The second part requires you to use AWS CloudFormation drift detection to discover configuration changes and perform remediation actions using SSM documents. The third part requires you to use AWS Config rules to detect an Amazon Simple Storage Service (Amazon S3) storage configuration that is out of compliance with company policy and then set up an auto-remediation solution for all occurrences of the issue using AWS Config rules and SSM documents.

This lab concludes the Cloud Operations on AWS course. It is intended to provide both a summary review of monitoring tools previously covered, as well as a review of the final day’s topics including networking and storage. In this lab students are guided through three distinct monitoring and troubleshooting scenarios which are solved by using some of the tools and techniques previously covered.

Objectives

By the end of this lab, you should be able to do the following:

Technical knowledge prerequisites

This lab requires the following prerequisites:

Icon key

Various icons are used throughout this lab to call attention to different types of instructions and notes. The following list explains the purpose for each icon:

Start lab

  1. To launch the lab, at the top of the page, choose Start Lab.

    Caution: You must wait for the provisioned AWS services to be ready before you can continue.

  2. To open the lab, choose Open Console .

    You are automatically signed in to the AWS Management Console in a new web browser tab.

    Warning: Do not change the Region unless instructed.

Common sign-in errors

Error: You must first sign out

Log out error

If you see the message, You must first log out before logging into a different AWS account:

Error: Choosing Start Lab has no effect

In some cases, certain pop-up or script blocker web browser extensions might prevent the Start Lab button from working as intended. If you experience an issue starting the lab:


Lab environment

The following diagram represents the major components used in this lab. The numbers represent the logical workflow of the architecture in this lab.

The architecture diagram of the lab 6 environment.

Image description: The preceding diagram is divided into three groups. The group labeled part 1 shows the Amazon Web Services (AWS) services you use to build a notification mechanism. This notification mechanism is used by the groups labeled part 2 and part 3.

The group labeled part 2 shows the AWS services you use to make changes to the existing lab environment and complete part 2 of the lab. In part 2, the drift detection tool of CloudFormation is used to locate a configuration change in the stack. The change is remediated with SSM documents. The completion of these SSM documents sends a notification out from the mechanism created in part 1.

The group labeled part 3 shows the AWS services you use to make changes to the existing lab environment and complete part 3 of the lab. In part 3, AWS Config rules and AWS Systems Manager SSM documents are used together to create an auto-remediation mechanism for certain AWS resource configurations in the lab environment. When this auto-remediation mechanism completes, a notification is sent out from the mechanism created in part 1.


Part 1: Amazon EventBridge and automated notifications from Systems Manager

In this task, you use the Amazon SNS and Amazon EventBridge services to create email notifications following the successful completion of an SSM document.

Part 1 (Challenge) Use Amazon EventBridge to forward event notifications to your Amazon SNS topic

Instructions in this challenge section are purposefully left vague to give you a chance to apply techniques learned from previous labs and resolve the compliance issue. You can skip this challenge section and continue on to the detailed guidance steps if you choose.

For the challenge section, try to build a mechanism using Amazon EventBridge that forwards notifications to an Amazon SNS topic whenever an SSM document from the Systems Manager service successfully completes.

  1. Create a new Amazon SNS topic named SuccessfulAutomationAction.
  2. Subscribe your email to the Amazon SNS topic.
  3. Create a new EventBridge rule named AutomationSuccess that triggers when an SSM document status updates to ‘success’.
  4. Set the target of the rule to the Amazon SNS topic named SuccessfulAutomationAction.
  5. Test the notification system by starting the AWS-ConfigureCloudWatchOnEC2Instance SSM document, and then checking your email for the notification from Amazon SNS when the automation completes successfully.

Continue on to the next task for detailed guidance.

Task 1: Create and subscribe to Amazon SNS notifications

In this task, you create the Amazon SNS topic necessary for setting up a notification service, and then subscribe your mail address to the topic.

Task 1.1: Create a new AWS Simple Notification Service topic

  1. At the top of the AWS Management Console, in the search bar, search for and choose Simple Notification Service.

  2. Locate the Amazon SNS navigation menu on the left of the console. If necessary, expand the service navigation menu by choosing the menu.

  3. In the left navigation pane, choose Topics.

  4. Choose Create topic.

  5. For Type, select Standard.

  6. For Name, enter SuccessfulAutomationAction.

  7. Choose Create topic.

    The Amazon SNS topic SuccessfulAutomationAction is created, and the details page for the topic is displayed.

Task complete: You have created a new Amazon SNS topic.

Task 1.2: Subscribe to an AWS Simple Notification Service topic

Subscribe to an existing Amazon Simple Notification Service topic. The topic is used to alert all subscribers about the successful completion of Systems Manager SSM document executions.

  1. Still on the same page, in the Subscriptions tab, choose Create subscription.

  2. For Protocol, select Email.

  3. For Endpoint, enter a valid email address you can access.

    Note: In your personal AWS environment, this might be an email alias for all of the CloudOps engineers. Individuals receive an email and have to confirm their subscription prior to receiving future notifications from the topic.

  4. Choose Create subscription.

    A banner message similar to the following is displayed at the top of the page: “Subscription to SuccessfulAutomationAction created successfully.” This lets you know the email address was successfully registered to the Amazon SNS topic.

  5. Open the inbox of the email address you entered for the subscription.

  6. Locate a recent message from AWS Notifications <no-reply@sns.amazonaws.com>.

    Note: It may take up to 5 minutes to receive the email, depending on your email server.

  7. Choose the Confirm subscription link contained in the email.

    A page is opened confirming the subscription.

  8. Close the Amazon SNS topic subscription confirmation page.

Task complete: You have successfully subscribed to an Amazon SNS topic. With a subscription, Amazon SNS pushes new messages from this topic to your email address.

Task 2: Set up an Amazon EventBridge rule for SSM document success

In this task, you set up a new Amazon EventBridge rule that monitors for the successful completion of SSM documents and then publishes notifications through an Amazon SNS topic.

Task 2.1: Create an EventBridge rule

  1. At the top of the AWS Management Console, in the search bar, search for and choose Amazon EventBridge.

  2. In the left navigation pane, under Buses, choose Rules.

  3. Ensure that the Event pattern rules tab is selected, then choose Create rule.

    Note: If you see a Rule creation experience dialog, de-select the Visual rule builder opt in option.

  4. In the Rule detail section, for Name, enter AutomationSuccess.

  5. Choose Next.

  6. For Event source, select AWS events or EventBridge partner events.

  7. In the Event pattern section:

    • Keep Creation method set to Use pattern form.
    • Keep Event source set to AWS services.
    • For AWS service, select Systems Manager.
    • For Event type select Automation.
  8. Under Event Type Specification 1, select Specific detail type(s).

  9. In the Specific detail type(s) menu, select only EC2 Automation Execution Status-change Notification.

  10. Under Event Type Specification 2, select Specific status(es).

  11. In the Specific status(es) menu, select only Success.

  12. Choose Next.

    The Select target(s) page is displayed.

  13. Under Target types, ensure AWS service is selected.

  14. For Select a target, search for and choose SNS topic.

  15. In the Topic drop-down menu, select SuccessfulAutomationAction.

  16. Under Permissions, clear the checkbox next to Use execution role (recommended).

  17. Choose Next.

  18. On the Configure tags - optional page, choose Next.

  19. On the Review and create page, choose Create rule.

    The event pattern rule is created. It appears in the list of rules. The newly created rule will be enabled by default.

Task complete: You have created a new EventBridge rule and linked it to the Amazon SNS topic.
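The console choices in Task 2.1 amount to an event pattern that matches only Systems Manager Automation status-change events whose status is Success. The following added example (not part of the lab or of EventBridge itself) reconstructs that pattern as JSON, applies a minimal matcher with EventBridge's basic semantics, and shows which constructed events would reach the SuccessfulAutomationAction topic. Event field names follow the Systems Manager Automation event layout; account, region, and execution IDs are placeholders.

```python
"""Minimal EventBridge-style pattern matcher for the AutomationSuccess rule."""
import json

# Assumed reconstruction of the pattern built in Task 2.1; compare it with the
# JSON view of your own rule in the EventBridge console.
AUTOMATION_SUCCESS_PATTERN = {
    "source": ["aws.ssm"],
    "detail-type": ["EC2 Automation Execution Status-change Notification"],
    "detail": {"Status": ["Success"]},
}


def matches(pattern, event):
    """True if the event satisfies the pattern: every pattern key must exist
    in the event, a list means "value is one of these", a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError("pattern leaves must be lists of allowed values")
    return True


def automation_event(status, execution_id="execution-id-placeholder"):
    """Constructed Systems Manager Automation status-change event.
    Only the detail fields the rule looks at matter here; IDs are placeholders."""
    return {
        "version": "0",
        "id": "event-id-placeholder",
        "detail-type": "EC2 Automation Execution Status-change Notification",
        "source": "aws.ssm",
        "account": "123456789012",
        "time": "2026-01-01T00:00:00Z",
        "region": "us-west-2",
        "resources": [
            "arn:aws:ssm:us-west-2:123456789012:automation-execution/" + execution_id
        ],
        "detail": {
            "ExecutionId": execution_id,
            "Definition": "AWS-ConfigureCloudWatchOnEC2Instance",
            "DefinitionVersion": 1.0,
            "Status": status,  # Success, Failed, TimedOut, Cancelled, InProgress
        },
    }


def sns_message_for(event):
    """An SNS target with no input transformer receives the whole event as
    JSON, which is the JSON text you see in the email from Amazon SNS."""
    return json.dumps(event, separators=(",", ":"))


def route(events):
    """Apply the rule to a batch of events and return the message bodies that
    would be published to the SuccessfulAutomationAction topic."""
    return [sns_message_for(e) for e in events if matches(AUTOMATION_SUCCESS_PATTERN, e)]


if __name__ == "__main__":
    for body in route([automation_event("Success", "exec-1"), automation_event("Failed", "exec-2")]):
        print(body)
```

A Failed execution is silently dropped by this rule; if you also want to hear about failures, add "Failed" and "TimedOut" to the Status list rather than creating a second rule.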

Task 2.2: Test notification system by running a Systems Manager SSM document

  1. At the top of the AWS Management Console, in the search bar, search for and choose Systems Manager.

  2. In the left navigation pane, under Change Management Tools, choose Documents.

  3. On the Documents page, verify that Owned by Amazon is selected, then in the search area, search for AWS-ConfigureCloudWatchOnEC2Instance.

  4. Choose the link for AWS-ConfigureCloudWatchOnEC2Instance.

    The Description page for the command document is displayed.

  5. Choose the Content tab and review the SSM document.

  6. Choose Execute automation.

    The Execute automation runbook page is displayed.

  7. Leave the default choice of Simple execution.

    Note: Simple execution is a good choice for this lab as the architecture is relatively straightforward. Read descriptions of the other execution options and think about what kinds of scenarios they would be useful for.

  8. From the left of these lab instructions, copy the value for the InstanceID.

  9. Back in the Systems Manager console, locate the Input parameters section and under InstanceId paste in the value you just copied.

  10. Scroll down and choose Execute.

    Warning: If the SSM document execution status fails instead of succeeding, double-check the values used in the Input parameters section. Whitespace used in the InstanceID field could cause an error. If you find any errors, correct them, wait one minute and run the SSM document once more. Ask your instructor if you need help retrying this SSM document.

    Within a minute, the Overall status in the Execution status section returns ‘Success’.

  11. Return to the inbox of the email account you subscribed to the Amazon SNS topic named SuccessfulAutomationAction and wait for an email from Amazon SNS.

    Amazon SNS delivers to your email a JSON formatted text string detailing the SSM document that completed.

    Note: It may take up to 5 minutes to receive the email depending on your email server.

Task complete: You have run an SSM document, triggered the notification system and completed this task.


Part 2: AWS CloudFormation and automated remediation

In this task, you use AWS CloudFormation drift detection to detect a change to your networking security and then set up auto-remediation for this specific issue using AWS Systems Manager.

Note: Recall from lab 2 ‘Infrastructure as Code’ that drift detection is a tool in AWS CloudFormation that helps you identify which item(s) in your AWS CloudFormation stack(s) are currently out of synchronization with their original template. Automated drift detection for stacks is not a feature built into AWS CloudFormation.

Learn more: Refer to additional resources to discover using multiple AWS services to build an architecture that automatically detects drift.

Part 2 (Challenge) Detect a change from AWS CloudFormation template and remediate with Systems Manager

Instructions in this challenge section are purposefully left vague to give you a chance to apply techniques learned from previous labs and resolve the compliance issue. You can skip this challenge section and continue on to the detailed guidance steps if you choose.

For the challenge section, find the change made to your environment by comparing the original AWS CloudFormation template with the current configuration of resources. Once you find the changes made to your environment, revert the resources to their original configuration using a Systems Manager SSM document. Then run drift detection once again to confirm the resources are in synchronization with their original AWS CloudFormation template.

  1. Navigate to the AWS CloudFormation console.
  2. Perform a drift detection on the AWS CloudFormation lab stack.
  3. Identify which stack resources have been modified and how.
  4. Navigate to the Systems Manager console.
  5. Browse the Systems Manager Document library and locate an appropriate SSM document to remediate the non-compliant resources found by the drift detection.
  6. Run the SSM document.
  7. Navigate to the AWS CloudFormation console.
  8. Perform a drift detection on the AWS CloudFormation stack.
  9. Verify the AWS CloudFormation stack returns an ‘in sync’ status.

Continue on to the next task for detailed guidance.


Task 3: Perform a drift detection operation on your environment’s AWS CloudFormation stack

In this task, you perform a drift detection operation.

Drift detection is a tool within the AWS CloudFormation service that lets you quickly locate stack resources which are no longer configured as defined by their original template.

Learn more: Refer to additional resources for documentation on a current list of resources supported by drift detection as well as some notable limitations of the tool.

Task 3.1: Start an AWS CloudFormation drift detection operation

  1. At the top of the AWS Management Console, in the search bar, search for and choose CloudFormation.

  2. Choose the Stack name link for the AWS CloudFormation stack with the Description of Lab 6 Capstone.

    The Stack info page is displayed.

  3. Choose the Stack actions drop-down and select Detect drift.

    An informational banner is displayed at the top of the page with text similar to, ‘Drift detection initiated for arn:aws:cloudformation:us-west-2:1234567890:stack/qls-abcdefg123’.

  4. Wait as long as 1 minute for the drift detection job to complete before continuing to the next task.

Task complete: You have started a drift detection operation.

Task 3.2: Review AWS CloudFormation drift detection results and identify the out of sync resource

  1. From the Stack actions menu, select View drift results.

    The Drifts page is displayed.

    The Drift status for this stack is DRIFTED.

  2. Locate the Resource drift status section.

  3. Review which resource has a Drift status MODIFIED.

  4. Select AppSecurityGroup.

  5. Choose View drift details.

    The Drift details page is displayed.

  6. In the Resource drift overview section, copy the value for the Physical ID of the Security Group to a notepad. The ID begins like sg-1234…. You will need this value in a later task.

  7. In the Differences section, select SecurityGroupIngress.

  8. Review the highlighted code in the Details section and discover what configuration has been changed in this Security group.

Task complete: You have used drift detection to identify specific stack resources that have changed from the stack template.


Task 4: Use an SSM automation document to remediate Amazon EC2 security groups that are open to the public

In this task, you use SSM documents to disable public access to individual Amazon EC2 Security groups.

Task 4.1: Locate a suitable SSM Document

  1. At the top of the AWS Management Console, in the search bar, search for and choose Systems Manager.

  2. In the left navigation pane, under Change Management Tools, choose Documents.

  3. On the Documents page, verify that Owned by Amazon is selected, then in the search area, search for AWS-DisablePublicAccessForSecurityGroup.

  4. Choose the link for AWS-DisablePublicAccessForSecurityGroup.

    The Description page for the command document is displayed.

  5. Choose the Content tab and review the SSM document.

  6. Choose Execute automation.

    The Execute automation runbook page is displayed.

  7. Leave the default choice of Simple execution.

  8. In the Input Parameters section, locate the GroupId and paste in the Security Group ID you copied earlier.

    Note: It is a string value that starts with sg-. The same value is also located to the left of these lab instructions.

  9. Scroll down and choose Execute.

    The Execution details page is displayed.

    A banner message is displayed at the top of the page with text similar to Execution has been initiated.

  10. Wait until the Overall status in the Execution status section of the page displays Success.

    Note: You may notice some of the individual executed steps from the operation succeed while others fail. Recall the content of the document you examined before you ran it. There are more cases handled by the document than are applicable to the current scenario. If you investigate the reason for the individual step failure, the reason is because the rule specified by that step does not exist in the security group you specified. Overall the document succeeds with individual failed steps. This is by design.

  11. Return to the inbox of the email account you subscribed to the Amazon SNS topic named SuccessfulAutomationAction and wait for an email from Amazon SNS.

    Amazon SNS delivers to your email a JSON string detailing each of the SSM document steps that complete.

    Note: It may take up to 5 minutes to receive the email depending on your email server. You do not need to wait for the email notification as you have already tested that the system works in task 2.2.

Task complete: You manually ran an SSM Document and removed a publicly available SSH port from a security group.
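Tasks 3 and 4 together show the pattern behind the remediation: compare the live ingress rules of AppSecurityGroup with what the template declares, flag the rule that opens an administrative port to the world, and revoke it so the next drift check returns IN_SYNC. The following added example (not part of the lab, and not the logic of CloudFormation or of the AWS-DisablePublicAccessForSecurityGroup runbook) does that on constructed rule sets. The template and live rules, and the choice of ports 22 and 3389 as "administrative", are assumptions for the example.

```python
"""Drift check and public-admin-port remediation on EC2 security group rules."""

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed: ingress rules the template declares for AppSecurityGroup (HTTP only).
TEMPLATE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
]

# Constructed: live rules as the drift view showed them (SSH added out of band).
LIVE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
]


def rule_key(rule):
    """Hashable identity of a rule; all-traffic rules (-1) carry no ports."""
    return (
        rule["IpProtocol"],
        rule.get("FromPort", -1),
        rule.get("ToPort", -1),
        rule["CidrIp"],
    )


def detect_drift(template_rules, live_rules):
    """Report IN_SYNC when the rule sets match, otherwise MODIFIED with the
    rules that were added to or removed from the security group."""
    expected = {rule_key(r) for r in template_rules}
    actual = {rule_key(r) for r in live_rules}
    if expected == actual:
        return {"DriftStatus": "IN_SYNC", "Added": [], "Removed": []}
    return {
        "DriftStatus": "MODIFIED",
        "Added": sorted(actual - expected),
        "Removed": sorted(expected - actual),
    }


def public_admin_rules(live_rules, admin_ports=(22, 3389)):
    """Rules that expose an administrative port (assumed: SSH and RDP) to any
    IPv4 or IPv6 source. An all-traffic rule counts as covering every port."""
    found = []
    for r in live_rules:
        if r["CidrIp"] not in PUBLIC_CIDRS:
            continue
        if r["IpProtocol"] == "-1":
            found.append(r)
        elif any(r["FromPort"] <= p <= r["ToPort"] for p in admin_ports):
            found.append(r)
    return found


def remediate(live_rules):
    """Return the rule list with publicly reachable admin-port rules revoked.
    The HTTP rule stays: it is public, but the template intends it to be."""
    to_revoke = {rule_key(r) for r in public_admin_rules(live_rules)}
    return [r for r in live_rules if rule_key(r) not in to_revoke]


if __name__ == "__main__":
    print(detect_drift(TEMPLATE_INGRESS, LIVE_INGRESS))
    print(detect_drift(TEMPLATE_INGRESS, remediate(LIVE_INGRESS)))
```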

Task 4.2: Run drift detection operation on the AWS CloudFormation stack to verify the stack resources are in sync with the template

Run the CloudFormation drift detection operation to verify stack resources are in sync with the template that created them.

  1. At the top of the AWS Management Console, in the search bar, search for and choose CloudFormation.

  2. Choose the Stack name link for the AWS CloudFormation stack with the Description of Lab 6 Capstone.

    The Stack info page is displayed.

  3. Choose the Stack actions drop-down and select Detect drift.

    An informational banner is displayed at the top of the page with text similar to ‘Drift detection initiated for arn:aws:cloudformation:us-west-2:1234567890:stack/qls-abcdefg123’

  4. Wait as long as 1 minute for the drift detection job to complete before continuing to the next task.

  5. From the Stack actions menu, select View drift results.

    The Drifts page is displayed.

  6. Confirm that the Drift status now displays IN_SYNC.

Task complete: After making a configuration change to a security group using an SSM document, you then ran the AWS CloudFormation drift detection tool and verified that the stack is now in sync with the original template.


Part 3: AWS Config Rules and automated remediation

In this task, you use AWS Config to detect violations of your company’s data security policy regarding Amazon S3 buckets that do not have bucket versioning enabled. Next, you institute an automated remediation action to correct this particular violation, as well as potential future violations of this policy.

Task 5: Use the AWS Config dashboard to identify noncompliant resources

Use the AWS Config service to identify non-compliant storage resources that currently exist in the infrastructure.

Task 5.1: Set up AWS Config and create a new rule

  1. At the top of the AWS Management Console, in the search bar, search for and choose AWS Config.

  2. Choose Get started.

    The Settings page of the AWS Config setup is displayed.

  3. In the Recording method section, under Recording strategy, select All resource types with customizable overrides.

  4. In the Default settings section, under Recording Frequency, select Continuous recording.

  5. In the Data governance section, under IAM role for AWS Config, select Choose a role from your account.

  6. From the Existing roles dropdown, choose AWSServiceRoleForConfig.

  7. In the Delivery channel section, under Amazon S3 bucket, select Create a bucket.

  8. Choose Next.

    The Rules page of the AWS Config setup is displayed.

  9. Search for the AWS managed rule named S3-bucket-versioning-enabled.

  10. Select S3-bucket-versioning-enabled.

  11. Choose Next.

    The Review page of the AWS Config setup is displayed.

  12. Choose Confirm.

    AWS Config finishes its initial setup process.

    The AWS Config dashboard is displayed.

  13. In the left navigation pane, choose Rules.

  14. Choose the link for s3-bucket-versioning-enabled.

  15. In the Resources in Scope section, select All from the dropdown menu.

    Important: If your AWS Config rule returns a result of No resources in scope, wait as long as 5 minutes for the other AWS resources to synchronize with AWS Config, and then re-evaluate the AWS Config rule.

    In the Resources in scope section, the Compliance column displays a status of Evaluating… for the rule while the scan is in progress. A result of Noncompliant appears after a few minutes when the compliance scan is finished.

  16. For this step of the lab you do not need to wait for the status to change from Evaluating… to Noncompliant. Continue to the next step.

  17. In the Resources in scope list, locate the bucket with the string labbucket in the name and choose the link for it. You may need to expand the column width to view the full bucket names.

    The resource Details page is displayed.

  18. Choose Manage Resource .

    The details page for the Amazon S3 bucket is displayed.

  19. Select the Properties tab.

  20. Verify that Bucket Versioning is Disabled for this bucket.

Part 3 (Challenge): Edit the AWS Config rule for Auto-remediation

Instructions in this challenge section are purposefully left vague to give you a chance to apply techniques learned from previous labs and resolve the compliance issue. You can skip this challenge section and continue on to the detailed guidance steps if you choose.

For the challenge section, identify the appropriate SSM document to use. Then find a way to link the deployment status of the SSM document to the AWS Config rule findings of non-compliant resources.

  1. Navigate to the Systems Manager console.
  2. Browse to the SSM document library.
  3. Locate an appropriate SSM document to remediate the non-compliant resources found by the AWS Config rule named s3-bucket-versioning-enabled.
  4. Return to the AWS Config console.
  5. Edit the s3-bucket-versioning-enabled AWS Config rule so that it remediates the compliance issue for the bucket that does not have bucket versioning enabled, using the SSM document named AWS-ConfigureS3BucketVersioning.

Continue on to the next task for detailed guidance.


Task 6: Configure auto-remediation for your AWS Config rule

In this task, you set up the auto-remediation for the AWS Config rule and verify the results.

  1. At the top of the AWS Management Console, in the search bar, search for and choose AWS Config.

  2. In the left navigation pane, choose Rules.

  3. Choose the link for s3-bucket-versioning-enabled.

    The Details page for the rule is displayed.

  4. Choose Actions .

  5. Choose Manage remediation.

    The Edit: Remediation action page is displayed.

  6. In the Select remediation method section, select Automatic remediation.

  7. In the Remediation action details section, from the Choose remediation action dropdown menu, search for and select AWS-ConfigureS3BucketVersioning.

  8. In the Resource ID parameter section, select BucketName from the drop-down menu.

  9. In the Parameters section, configure the following:

    • For VersioningState, enter Enabled.
    • For AutomationAssumeRole, paste the value of LabConfigRoleARN located to the left of these lab instructions.
  10. Choose Save changes.

    The Details page for the rule is displayed.

    With auto-remediation now set up for the AWS Config rule, the resources found to be noncompliant by the Config rule are fixed without user intervention.

  11. Scroll down the page to the Resources in scope section and select All from the dropdown menu.

    If you wait long enough, you will see that the compliance status of the S3 bucket that contains labbucket in the bucket name changes to Compliant.

    However, you do not need to wait for the status to change to Compliant. Continue on to the next step.

    Note: From this point on, if more S3 buckets without Bucket Versioning are added to the environment, they would also be detected by the Rule scan and auto-remediated without the need of manual action.

    (Three Optional steps) Rather than waiting for auto-remediation actions, the following three steps detail manual remediation.

  12. From the Rules page of the AWS Config console, choose the link for s3-bucket-versioning-enabled.

  13. Select the S3 bucket with the string labbucket in the name.

  14. Choose Remediate.

    The Action Status column for the resource changes from ‘n/a’ to ‘Action execution queued…’ and finally to ‘Action executed successfully’ when the SSM document specified in the Remediation settings of the rule completes.

    Note: It takes a few minutes for the resource to be re-classified as compliant by AWS Config. It is not necessary to wait for this. Continue onto the next task.

    In part 1 of the lab you created a notification mechanism. The email account you subscribed to the Amazon SNS topic named SuccessfulAutomationAction receives a new email from Amazon SNS each time an SSM document completes. The email is a JSON string detailing each of the steps that the SSM document completes. In this task, each time a resource is auto-remediated by AWS Config, a new email is sent out, because the auto-remediation is carried out through SSM documents.

    Note: It may take up to 5 minutes to receive the email, depending on your email server. You do not need to wait for email notifications about all the non-compliant Amazon S3 buckets to continue with the lab.

  15. Locate the Resources in scope section.

  16. Select All from the drop-down menu in the Resources in Scope section.

  17. Choose the link for the bucket with the string labbucket in the name.

    The details page of the resource is displayed.

  18. Choose Manage Resource .

    The S3 console is displayed with the details of the selected bucket.

  19. Choose the Properties tab.

  20. Verify the Bucket Versioning is Enabled for this Amazon S3 bucket.

Task complete: You have combined Systems Manager Command Documents with an AWS Config rule and its auto-remediation feature. Non-compliant resources were located and remediated.
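Steps 8 and 9 of Task 6 wire the rule to the runbook: the Resource ID parameter tells AWS Config which runbook parameter (BucketName) receives the noncompliant bucket's ID, while VersioningState and AutomationAssumeRole are static values. The following added example (not part of the lab and not AWS Config's own implementation) evaluates constructed S3 configuration items the way s3-bucket-versioning-enabled classifies them and expands that remediation configuration into the parameter map each automation would receive. The bucket names and role ARN are placeholders; the versioning status field layout follows the Config configuration-item shape for S3 buckets.

```python
"""Config rule evaluation and remediation parameter resolution for S3 versioning."""

# Constructed configuration items (only the fields this example needs).
CONFIG_ITEMS = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "labbucket-placeholder",
     "supplementaryConfiguration": {"BucketVersioningConfiguration": {"status": "Off"}}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "logs-placeholder",
     "supplementaryConfiguration": {"BucketVersioningConfiguration": {"status": "Enabled"}}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "archive-placeholder",
     "supplementaryConfiguration": {"BucketVersioningConfiguration": {"status": "Suspended"}}},
]

# Remediation configuration as set in Task 6 (role ARN is a placeholder).
# BucketName is the "Resource ID parameter"; the other two are static values.
REMEDIATION_CONFIG = {
    "ConfigRuleName": "s3-bucket-versioning-enabled",
    "TargetType": "SSM_DOCUMENT",
    "TargetId": "AWS-ConfigureS3BucketVersioning",
    "Automatic": True,
    "Parameters": {
        "BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
        "VersioningState": {"StaticValue": {"Values": ["Enabled"]}},
        "AutomationAssumeRole": {"StaticValue": {"Values": [
            "arn:aws:iam::123456789012:role/LabConfigRole-PLACEHOLDER"]}},
    },
}


def evaluate(item):
    """COMPLIANT only when versioning is Enabled. Off, Suspended and a missing
    versioning block are all NON_COMPLIANT, matching the rule's intent."""
    status = (item.get("supplementaryConfiguration", {})
              .get("BucketVersioningConfiguration", {})
              .get("status"))
    return "COMPLIANT" if status == "Enabled" else "NON_COMPLIANT"


def build_automation_request(item, remediation=REMEDIATION_CONFIG):
    """Resolve the remediation parameters for one resource: RESOURCE_ID is
    replaced by the item's resource ID, static values are copied through."""
    params = {}
    for name, spec in remediation["Parameters"].items():
        if "ResourceValue" in spec:
            if spec["ResourceValue"]["Value"] != "RESOURCE_ID":
                raise ValueError("only RESOURCE_ID is supported for ResourceValue")
            params[name] = [item["resourceId"]]
        else:
            params[name] = list(spec["StaticValue"]["Values"])
    return {"DocumentName": remediation["TargetId"], "Parameters": params}


def plan_remediation(items, remediation=REMEDIATION_CONFIG):
    """With Automatic remediation on, queue one automation per non-compliant
    bucket; with it off, nothing runs until someone chooses Remediate."""
    if not remediation["Automatic"]:
        return []
    return [build_automation_request(i, remediation)
            for i in items if evaluate(i) == "NON_COMPLIANT"]


if __name__ == "__main__":
    for request in plan_remediation(CONFIG_ITEMS):
        print(request)
```

The AutomationAssumeRole is what actually grants the runbook permission to call PutBucketVersioning; a wrong or missing role ARN surfaces as a failed Action Status on the rule page rather than as a Config error.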


Conclusion

You have successfully done the following:

End lab

Follow these steps to close the console and end your lab.

  1. Return to the AWS Management Console.

  2. At the upper-right corner of the page, choose AWSLabsUser, and then choose Sign out.

  3. Choose End Lab and then confirm that you want to end your lab.

For more information about AWS Training and Certification, see https://aws.amazon.com/training/.

Your feedback is welcome and appreciated.
If you would like to share any feedback, suggestions, or corrections, please provide the details in our AWS Training and Certification Contact Form.

Additional resources