You can find the 5-minute video that walks through all of the steps described here.
In this episode, we'll be looking at AWS Step Functions. With Step Functions you can orchestrate serverless functions and manual activities into an end-to-end workflow. It provides a "State Machine as a Service".
There is a visual interface as well as a way to define states as code using the Amazon States Language (ASL). The ASL is a JSON-based, structured language used to define your state machine, or collection of states, that can do work (Task states), determine which states to transition to next (Choice states), stop an execution with an error (Fail states), and so on. The output of one step acts as an input to the next. Each step in your application executes in order, as defined by your business logic.
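To make the ASL concepts above concrete, here is an added Python example that is not code from this page or from the application the demo deploys. It builds a constructed ASL definition in the shape of the demo's workflow (a Task that evaluates a policy, a Choice that branches on the result, a Task that waits for a human decision via a task token, and a Fail state reached through a Catch), then runs the structural checks a practitioner would want before deploying: every transition points at a defined state, every non-terminal state has somewhere to go, and every state is reachable from StartAt. The state names, the Lambda function names and the account id are hypothetical placeholders.

```python
import json

# Added example: a constructed ASL definition in the shape this page describes.
# State names, Lambda function names and the account id are hypothetical
# placeholders, not the resources deployed by the Serverless Application Repository app.
LAMBDA = "arn:aws:lambda:us-east-1:123456789012:function:PLACEHOLDER-"

INCIDENT_WORKFLOW = {
    "Comment": "Detect a restricted IAM action, remediate it, then ask an administrator to confirm.",
    "StartAt": "EvaluatePolicy",
    "States": {
        # Task: run the detection Lambda; its output becomes the next state's input.
        "EvaluatePolicy": {"Type": "Task", "Resource": LAMBDA + "evaluate", "Next": "IsPolicyRestricted"},
        # Choice: branch on a field of the previous state's output.
        "IsPolicyRestricted": {
            "Type": "Choice",
            "Choices": [{"Variable": "$.restricted", "BooleanEquals": True, "Next": "RemediatePolicy"}],
            "Default": "NoActionNeeded",
        },
        # Task with a Catch: any error routes to an explicit Fail state.
        "RemediatePolicy": {
            "Type": "Task",
            "Resource": LAMBDA + "remediate",
            "Catch": [{"ErrorEquals": ["States.ALL"], "Next": "RemediationFailed"}],
            "Next": "AskUser",
        },
        # Callback pattern: the execution pauses until the task token handed to the
        # notification Lambda is returned (the "TaskSubmitted" event the demo shows).
        "AskUser": {
            "Type": "Task",
            "Resource": "arn:aws:states:::lambda:invoke.waitForTaskToken",
            "Parameters": {"FunctionName": "PLACEHOLDER-notify", "Payload": {"token.$": "$$.Task.Token"}},
            "Next": "WasApproved",
        },
        "WasApproved": {
            "Type": "Choice",
            "Choices": [{"Variable": "$.decision", "StringEquals": "allow", "Next": "RestoreOriginalPolicy"}],
            "Default": "KeepRemediatedPolicy",
        },
        "RestoreOriginalPolicy": {"Type": "Task", "Resource": LAMBDA + "restore", "End": True},
        "KeepRemediatedPolicy": {"Type": "Pass", "End": True},
        "NoActionNeeded": {"Type": "Succeed"},
        "RemediationFailed": {"Type": "Fail", "Error": "RemediationFailed", "Cause": "remediate Lambda raised"},
    },
}

TERMINAL_TYPES = {"Succeed", "Fail"}


def _targets(state):
    """Every state name this state can transition to (Next, Choice branches, Default, Catch)."""
    out = [state[k] for k in ("Next", "Default") if k in state]
    out += [c["Next"] for c in state.get("Choices", [])]
    out += [c["Next"] for c in state.get("Catch", []) if "Next" in c]
    return out


def validate_state_machine(definition):
    """Structural checks a deployment would reject. Returns a list of problem
    strings; an empty list means the definition is consistent."""
    states = definition.get("States", {})
    start = definition.get("StartAt")
    problems = []
    if start not in states:
        problems.append(f"StartAt '{start}' is not a defined state")
    for name, state in states.items():
        for target in _targets(state):
            if target not in states:
                problems.append(f"'{name}' transitions to undefined state '{target}'")
        terminal = state.get("Type") in TERMINAL_TYPES or state.get("End") is True
        if not terminal and not _targets(state):
            problems.append(f"'{name}' is neither terminal nor has a Next")
    seen, stack = set(), [start] if start in states else []
    while stack:  # depth-first walk from StartAt to find unreachable states
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(t for t in _targets(states[name]) if t in states)
    problems += [f"'{name}' is unreachable from StartAt" for name in states if name not in seen]
    return problems


def to_asl_json(definition):
    """Serialise the definition as the JSON document the Step Functions API expects."""
    return json.dumps(definition, indent=2)


if __name__ == "__main__":
    print(validate_state_machine(INCIDENT_WORKFLOW) or "definition is consistent")
    print(to_asl_json(INCIDENT_WORKFLOW))
```

The validator catches the two mistakes that are easiest to make when editing ASL by hand: a renamed state that some Next, Default or Catch still points at, and a state that nothing points at any more.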
For example, without Step Functions, you might have a series of individual serverless applications, and managing retries and debugging failures across them can be challenging. As your distributed applications become more complex, the complexity of managing them also grows. Step Functions automatically manages sequencing, error handling, retry logic, and state. It can remove many of the operational burdens from your team.
In the demo, I use Step Functions to track and resolve a security incident in which Step Functions identifies the problem and then orchestrates manual and automated actions until it's resolved.
- AWS::StepFunctions::StateMachine - Defines the steps in your state machine.
- AWS::StepFunctions::Activity - Defines how the task in your state machine is performed - whether it's EC2, ECS, mobile devices, etc.
Run the following steps to launch resources that create an AWS Step Functions state machine and associated resources. Some of the steps below are taken from this blog post.
- Deploy the application from the Serverless Application Repository: find the Automated-IAM-policy-alerts-and-approvals app in the Serverless Application Repository.
- Complete the required application settings:
  - Application name: enter aws-5-mins-automated-iam-policy-alerts-approvals.
  - EmailAddress: an administrator's email address for receiving approval requests.
  - restrictedActions: the IAM Policy actions you want to restrict.
- Choose Deploy. Once the deployment process is completed, 21 new resources are created. This includes:
  - Five Lambda functions that contain the business logic.
  - An Amazon EventBridge rule.
  - An Amazon SNS topic and subscription.
  - An Amazon API Gateway REST API with two resources.
  - An AWS Step Functions state machine.
- To receive Amazon SNS notifications as the application administrator, you must confirm the subscription to the SNS topic. To do this, choose the Confirm subscription link in the verification email that was sent to you when deploying the application.
- Once the serverlessrepo-aws-5-mins-* AWS CloudFormation stack is CREATE_COMPLETE, go to the AWS Step Functions Console to see the state machine defined, with no executions run yet.
- From your AWS CloudShell Environment in the us-east-1 region, run the following command:

  aws iam create-policy --policy-name my-bad-policy-aws-5-mins --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "s3:GetBucketObjectLockConfiguration",
          "s3:DeleteObjectVersion",
          "s3:DeleteBucket"
        ],
        "Resource": "*"
      }
    ]
  }'
- Go to the IAM policy you just created to view the definition.
- Go to the Amazon API Gateway Console. Choose Stages and then Prod. Copy the Invoke URL link to your clipboard.
- Go to the AWS Step Functions Console and choose the state machine. Then scroll down to the event of Type TaskSubmitted for the AskUser step.
- Copy the token value and append it to the URL as shown:
  - API_GATEWAY_URL/allow?token=TOKEN_FROM_STEP_FUNCTION_STEP - to revert to the original IAM policy definition.
  - API_GATEWAY_URL/deny?token=TOKEN_FROM_STEP_FUNCTION_STEP - to keep the automatically remediated IAM policy definition in place.
- Now, open your browser, paste the URL from above and submit.
- Go to the IAM policy and view the definition based on your updates.
- Go to the AWS Step Functions Console. The status for the state machine execution should be Succeeded.
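The walkthrough above shows the inputs (a policy containing actions from restrictedActions) and the two outcomes (the original policy restored via /allow, or the remediated policy kept via /deny), but not the logic in between. The following added Python example is not the deployed app's Lambda code; it is one plausible implementation of that detection and remediation step. It takes the policy document created with the aws iam create-policy command above plus a restrictedActions list, reports which granted actions overlap a restricted one, and returns the remediated document. The restrictedActions format, the wildcard matching rules and the decision to drop an Allow statement that uses NotAction are assumptions made for this example.

```python
import copy
import fnmatch

# Constructed sample: the policy document the tutorial creates with
# `aws iam create-policy`, as IAM stores it.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketObjectLockConfiguration",
                "s3:DeleteObjectVersion",
                "s3:DeleteBucket",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed value for the restrictedActions application setting; the exact
# format the deployed app expects is not shown on this page (assumption).
RESTRICTED_ACTIONS = ["s3:DeleteBucket", "s3:DeleteObjectVersion", "iam:*"]


def _as_list(value):
    """IAM accepts either a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def _overlaps(action, restricted):
    """True if an allowed action pattern grants a restricted one. Checked both ways so
    that 's3:*' or '*' in the policy is caught by a concrete restricted action, and a
    restricted pattern such as 'iam:*' catches concrete actions. Two wildcards that
    only partially overlap are not resolved here. IAM matching is case-insensitive."""
    a, r = action.lower(), restricted.lower()
    return fnmatch.fnmatchcase(a, r) or fnmatch.fnmatchcase(r, a)


def find_restricted_actions(policy, restricted):
    """Return the actions granted by Allow statements that overlap a restricted action.
    An Allow with NotAction grants everything else, so it is reported as a finding too."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            found.append("NotAction")
        for action in _as_list(stmt.get("Action", [])):
            if any(_overlaps(action, r) for r in restricted):
                found.append(action)
    return found


def remediate_policy(policy, restricted):
    """Return a copy of the policy with offending actions removed from Allow statements.
    Allow statements left with no actions, or using NotAction, are dropped entirely.
    Deny statements are never touched, and the input object is not modified."""
    remediated = copy.deepcopy(policy)
    kept = []
    for stmt in _as_list(remediated.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            if "NotAction" in stmt:
                continue
            actions = [a for a in _as_list(stmt.get("Action", []))
                       if not any(_overlaps(a, r) for r in restricted)]
            if not actions:
                continue
            stmt["Action"] = actions
        kept.append(stmt)
    remediated["Statement"] = kept
    return remediated


if __name__ == "__main__":
    print("restricted actions found:", find_restricted_actions(SAMPLE_POLICY, RESTRICTED_ACTIONS))
    print("remediated policy:", remediate_policy(SAMPLE_POLICY, RESTRICTED_ACTIONS))
```

Run against the sample policy, the check reports s3:DeleteObjectVersion and s3:DeleteBucket and the remediated document keeps only s3:GetBucketObjectLockConfiguration, which is the state the /deny URL leaves in place. Keeping the original document untouched matters because the /allow path needs it to restore the policy as the administrator approved it.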
For the standard workflow and after 4,000 state transitions per month, you pay $0.025 per 1,000 state transitions. For more information, see AWS Step Functions Pricing.
- Go to the IAM policy and delete my-bad-policy-aws-5-mins.
- From your AWS CloudShell Environment in the us-east-1 region, run the following command:

  aws cloudformation delete-stack --stack-name serverlessrepo-aws-5-mins-automated-iam-policy-alerts-approvals