{"id":199,"date":"2026-04-13T04:24:21","date_gmt":"2026-04-13T04:24:21","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/aws-codedeploy-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-developer-tools\/"},"modified":"2026-04-13T04:24:21","modified_gmt":"2026-04-13T04:24:21","slug":"aws-codedeploy-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-developer-tools","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/aws-codedeploy-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-developer-tools\/","title":{"rendered":"AWS CodeDeploy Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Developer tools"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Developer tools<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>AWS CodeDeploy is an AWS Developer tools service that automates application deployments to compute targets such as Amazon EC2 instances, on-premises servers, AWS Lambda, and Amazon ECS. It helps you release software consistently, reduce downtime, and avoid the common \u201cSSH into servers and copy files\u201d anti-pattern.<\/p>\n\n\n\n<p>In simple terms: you tell AWS CodeDeploy what to deploy (your application revision) and where to deploy it (your targets), and it performs the rollout using a defined strategy (all at once, rolling, blue\/green, or traffic shifting). You can attach lifecycle hooks to run scripts before\/after files are installed or traffic is shifted.<\/p>\n\n\n\n<p>Technically, AWS CodeDeploy is a managed deployment control plane that coordinates deployment state, target selection, and deployment orchestration. For EC2\/on-prem targets, a CodeDeploy agent running on the host polls CodeDeploy for instructions, downloads the revision (for example, from Amazon S3), and executes the AppSpec-defined lifecycle hooks. 
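<\/p>\n\n\n\n<p>Before going further, it helps to see what the agent actually reads. The following is an added example, not code from the original article: it takes the parsed contents of an EC2\/on-prem <code>appspec.yml<\/code> (represented here as a Python dict, constructed for illustration), checks each hook entry the agent would execute, and lists the order in which an in-place deployment runs the lifecycle events. The event names, the 3600-second per-script timeout ceiling, and the fact that scripts run as root unless <code>runas<\/code> is set are CodeDeploy behaviour; the helper names and the sample script paths are the example\u2019s own.<\/p>

```python
# Added example: lint a parsed EC2/On-Premises AppSpec and show the in-place
# lifecycle order. SAMPLE_APPSPEC is a hand-built stand-in for what a YAML
# parser returns for appspec.yml; it is constructed for this example only.

# Lifecycle events a hook script may be attached to in an EC2/on-prem AppSpec.
SCRIPTABLE_EVENTS = {
    'ApplicationStop', 'BeforeInstall', 'AfterInstall',
    'ApplicationStart', 'ValidateService',
    'BeforeBlockTraffic', 'AfterBlockTraffic',
    'BeforeAllowTraffic', 'AfterAllowTraffic',
}
# Events the agent performs itself; scripts cannot be attached to them.
AGENT_ONLY_EVENTS = {'DownloadBundle', 'Install', 'BlockTraffic', 'AllowTraffic'}

# Order in which an in-place deployment runs the events on each instance.
IN_PLACE_ORDER = [
    'ApplicationStop', 'DownloadBundle', 'BeforeInstall', 'Install',
    'AfterInstall', 'ApplicationStart', 'ValidateService',
]
MAX_TIMEOUT_SECONDS = 3600  # per-script ceiling enforced by CodeDeploy

SAMPLE_APPSPEC = {  # constructed sample with deliberate problems to find
    'version': 0.0,
    'os': 'linux',
    'files': [{'source': '/', 'destination': '/opt/payments-api'}],
    'hooks': {
        'BeforeInstall': [{'location': 'scripts/stop_service.sh', 'timeout': 60}],
        'AfterInstall': [{'location': 'scripts/install_deps.sh', 'timeout': 300,
                          'runas': 'payments'}],
        'Install': [{'location': 'scripts/never_runs.sh'}],
        'ValidateService': [{'location': 'scripts/health_check.sh', 'timeout': 7200}],
    },
}


def lint_appspec(spec):
    '''Return a list of (severity, message) findings for an EC2/on-prem AppSpec.'''
    findings = []
    if spec.get('version') != 0.0:
        findings.append(('error', 'version must be 0.0 for EC2/On-Premises'))
    if spec.get('os') not in ('linux', 'windows'):
        findings.append(('error', 'os must be linux or windows'))
    for event, scripts in spec.get('hooks', {}).items():
        if event in AGENT_ONLY_EVENTS:
            findings.append(('error', event + ': reserved lifecycle event, hook scripts cannot be attached'))
            continue
        if event not in SCRIPTABLE_EVENTS:
            findings.append(('error', event + ': unknown lifecycle event'))
            continue
        for script in scripts:
            loc = script.get('location', '?')
            if 'location' not in script:
                findings.append(('error', event + ': script entry without location'))
            if script.get('timeout', 0) > MAX_TIMEOUT_SECONDS:
                findings.append(('error', event + ': ' + loc + ' timeout exceeds 3600s'))
            # Least privilege: without runas the agent runs the script as root.
            if 'runas' not in script:
                findings.append(('warning', event + ': ' + loc + ' runs as root (no runas)'))
    return findings


def in_place_plan(spec):
    '''List (event, [script locations]) in execution order for an in-place deployment.'''
    hooks = spec.get('hooks', {})
    return [(ev, [s['location'] for s in hooks.get(ev, [])
                  if ev in SCRIPTABLE_EVENTS and 'location' in s])
            for ev in IN_PLACE_ORDER]


if __name__ == '__main__':
    for severity, message in lint_appspec(SAMPLE_APPSPEC):
        print(severity.upper(), message)
    for event, scripts in in_place_plan(SAMPLE_APPSPEC):
        print(event, '->', scripts or '(agent only)')
```

<p>Running it reports a warning for each hook that would execute as root, an error for the script attached to the agent-only <code>Install<\/code> event, and an error for the timeout above the ceiling, then prints the ordered plan. That is the review worth doing on every revision before it reaches a production deployment group, because the revision contents decide what runs as root on the fleet.<\/p>

<p>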
For Lambda and ECS, CodeDeploy integrates with native deployment constructs (Lambda versions\/aliases; ECS task sets behind an ALB\/NLB) to perform controlled traffic shifting and rollbacks.<\/p>\n\n\n\n<p>The main problem it solves is repeatable, observable, and safer deployments\u2014especially when you need consistent rollouts across many instances, want standard deployment patterns (rolling\/blue-green), and need auditability and rollback behavior without building your own deployment orchestrator.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is AWS CodeDeploy?<\/h2>\n\n\n\n<p><strong>Official purpose (scope and intent)<\/strong><br\/>\nAWS CodeDeploy is a deployment service that <strong>automates application deployments<\/strong> to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Amazon EC2 instances<\/strong><\/li>\n<li><strong>On-premises servers<\/strong><\/li>\n<li><strong>AWS Lambda functions<\/strong><\/li>\n<li><strong>Amazon ECS services<\/strong><\/li>\n<\/ul>\n\n\n\n<p>It is designed to help you deploy new versions quickly while minimizing downtime and deployment risk.<\/p>\n\n\n\n<p><strong>Core capabilities<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Orchestrate deployments with standard strategies (in-place, rolling, blue\/green, traffic shifting depending on platform).<\/li>\n<li>Run <strong>lifecycle hooks<\/strong> at defined phases of a deployment: on EC2\/on-prem these are scripts executed by the agent on the host; for Lambda and ECS they are Lambda functions that CodeDeploy invokes around traffic shifting (for example, BeforeAllowTraffic and AfterAllowTraffic).<\/li>\n<li>Integrate with CI\/CD services like <strong>AWS CodePipeline<\/strong> and artifact sources like <strong>Amazon S3<\/strong> (and others depending on workflow).<\/li>\n<li>Provide deployment status, history, and events for operational visibility.<\/li>\n<li>Support automatic rollback and health-based stopping (capabilities vary by compute platform and configuration).<\/li>\n<\/ul>\n\n\n\n<p><strong>Major components (terminology you\u2019ll use daily)<\/strong><\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Application<\/strong>: A logical container in CodeDeploy representing what you deploy.<\/li>\n<li><strong>Compute platform<\/strong>: The deployment target type: EC2\/On-prem, Lambda, or ECS.<\/li>\n<li><strong>Deployment group<\/strong>: A set of target resources (EC2 instances by tag, Auto Scaling groups, on-prem registered instances, ECS service, etc.) plus deployment settings (strategy, alarms, LB settings).<\/li>\n<li><strong>Deployment<\/strong>: A single rollout attempt of a specific revision to a deployment group.<\/li>\n<li><strong>Revision<\/strong>: The deployable artifact (for example, a ZIP in S3) containing your application and an AppSpec file (for EC2\/on-prem; also used for ECS\/Lambda in different forms).<\/li>\n<li><strong>AppSpec file<\/strong>: A specification that tells CodeDeploy what to do during a deployment (files to copy, hooks to run). (Format depends on compute platform; always verify in official docs for your chosen platform.)<\/li>\n<li><strong>CodeDeploy agent<\/strong> (EC2\/on-prem only): Runs on the host and executes deployments.<\/li>\n<li><strong>Service role<\/strong>: An IAM role that CodeDeploy assumes to interact with other AWS services on your behalf (for example, Auto Scaling, load balancers, CloudWatch alarms).<\/li>\n<\/ul>\n\n\n\n<p><strong>Service type<\/strong><br\/>\nManaged AWS service (control plane) for deployments. You operate your application code and your targets; AWS operates the deployment orchestration plane.<\/p>\n\n\n\n<p><strong>Regional \/ global scope<\/strong><br\/>\nAWS CodeDeploy is <strong>regional<\/strong>. Applications, deployment groups, and deployments are created in a specific AWS Region. 
If you deploy to multiple Regions, you typically create parallel CodeDeploy resources per Region and orchestrate them (for example, with CodePipeline, Step Functions, or your release tooling).<\/p>\n\n\n\n<p><strong>How it fits into the AWS ecosystem<\/strong><\/p>\n\n\n\n<p>AWS CodeDeploy commonly sits in a CI\/CD chain:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Source: GitHub, Bitbucket, GitLab, or AWS CodeCommit (CodeCommit is no longer open to new customers, so new pipelines usually connect a third-party Git provider)<\/li>\n<li>Build: AWS CodeBuild (or other build system)<\/li>\n<li>Artifact storage: Amazon S3 or Amazon ECR (for containers)<\/li>\n<li>Deploy: AWS CodeDeploy<\/li>\n<li>Observe\/Audit: Amazon CloudWatch, Amazon EventBridge, AWS CloudTrail<\/li>\n<\/ul>\n\n\n\n<p>It is part of the AWS <strong>Developer tools<\/strong> family and is often used alongside CodePipeline for end-to-end automation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use AWS CodeDeploy?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster releases with less risk<\/strong>: Repeatable deployments reduce human error and shorten release cycles.<\/li>\n<li><strong>Reduced downtime<\/strong>: Blue\/green and traffic-shifting patterns can minimize or eliminate user-visible downtime.<\/li>\n<li><strong>Auditability<\/strong>: Deployment history and integration with AWS CloudTrail support compliance and operational accountability.<\/li>\n<li><strong>Standardization<\/strong>: Teams can enforce a consistent deployment approach across many applications and environments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Supports multiple compute platforms<\/strong>: EC2\/on-prem, Lambda, and ECS under one service umbrella.<\/li>\n<li><strong>Deployment orchestration primitives<\/strong>: Deployment groups, revision tracking, health checks, and rollback capabilities.<\/li>\n<li><strong>Lifecycle hooks<\/strong>: Execute scripts at well-defined points 
(EC2\/on-prem), enabling migrations, service restarts, config updates, and validation steps.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Progress visibility<\/strong>: Track deployment state centrally rather than \u201cit worked on my machine\u201d.<\/li>\n<li><strong>Integrations for alerts and events<\/strong>: Use EventBridge\/SNS patterns to notify teams and open incidents.<\/li>\n<li><strong>Repeatable rollbacks<\/strong>: Roll back on alarms, failures, or manual triggers (configuration-dependent).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IAM-based access control<\/strong>: Control who can deploy, who can create deployment groups, and what CodeDeploy can access.<\/li>\n<li><strong>Separation of duties<\/strong>: CI can build artifacts; deployment roles can be constrained; production deploy permissions can be limited.<\/li>\n<li><strong>Change tracking<\/strong>: CloudTrail logs CodeDeploy API activity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Deploy to fleets<\/strong>: Roll out across many instances with rolling strategies and controls.<\/li>\n<li><strong>Deployment strategies<\/strong>: Control blast radius with \u201cone at a time\u201d or \u201cpercentage-based\u201d patterns (where supported\/available).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose AWS CodeDeploy<\/h3>\n\n\n\n<p>Choose AWS CodeDeploy when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You deploy to <strong>EC2 fleets<\/strong> or <strong>on-prem servers<\/strong> and want managed orchestration and lifecycle hooks.<\/li>\n<li>You deploy <strong>ECS services<\/strong> and want managed blue\/green deployments integrated with load balancing.<\/li>\n<li>You deploy <strong>Lambda<\/strong> 
and want safe traffic shifting and controlled rollouts (aliases\/versions) rather than all-at-once updates.<\/li>\n<li>You want a service that works well with AWS-native CI\/CD patterns (S3 artifacts, CodePipeline orchestration, CloudWatch\/EventBridge ops).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose AWS CodeDeploy<\/h3>\n\n\n\n<p>Consider other options when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You primarily deploy to <strong>Kubernetes (EKS)<\/strong> and already standardize on Argo Rollouts\/Flux\/Spinnaker-like tooling. (CodeDeploy is not a Kubernetes deployment controller.)<\/li>\n<li>You only need very simple single-host deployments and prefer minimal moving parts (though CodeDeploy can still work).<\/li>\n<li>You want a fully integrated \u201cbuild + deploy + environment management\u201d PaaS workflow (AWS Elastic Beanstalk may be simpler for certain apps).<\/li>\n<li>You require advanced progressive delivery features across complex microservices meshes (service mesh + specialized rollout tooling may be a better fit).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is AWS CodeDeploy used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SaaS and software companies delivering frequent updates<\/li>\n<li>Finance and regulated industries requiring auditable deployments<\/li>\n<li>Retail\/e-commerce with downtime-sensitive web frontends<\/li>\n<li>Media\/streaming and gaming with high-availability requirements<\/li>\n<li>Enterprises modernizing legacy applications on EC2 or hybrid environments<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DevOps and platform teams building shared deployment standards<\/li>\n<li>SRE teams focused on reliability and safe rollouts<\/li>\n<li>Application teams owning services deployed to EC2\/ECS\/Lambda<\/li>\n<li>Operations teams maintaining on-prem and hybrid fleets<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Web applications (Apache\/Nginx + app runtimes)<\/li>\n<li>API services behind ALB\/NLB<\/li>\n<li>Worker fleets and batch processors on EC2<\/li>\n<li>Containerized microservices on ECS<\/li>\n<li>Serverless APIs and event processors on Lambda<\/li>\n<li>Hybrid workloads running on-prem but managed from AWS<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Single-account environments (dev\/test\/prod)<\/li>\n<li>Multi-account landing zones (separate prod account with controlled deploy roles)<\/li>\n<li>Auto Scaling Group-based web tiers<\/li>\n<li>Blue\/green architectures with load balancers<\/li>\n<li>Event-driven operations using EventBridge + CloudWatch alarms for rollback signals<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production<\/strong>: Controlled rollouts with alarms, approvals (often via CodePipeline), restricted IAM, and audit 
logging.<\/li>\n<li><strong>Dev\/test<\/strong>: Faster iteration, fewer gates, more permissive configuration; often used to validate AppSpec hooks and packaging.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where AWS CodeDeploy is commonly used.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Rolling deployments to an EC2 web fleet<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Manual deployments cause inconsistent versions across instances and occasional downtime.<\/li>\n<li><strong>Why CodeDeploy fits<\/strong>: Deployment groups + rolling strategy + hooks to stop\/start services.<\/li>\n<li><strong>Example<\/strong>: Deploy a new Java WAR to 20 EC2 instances behind an ALB, updating a few at a time.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Blue\/green deployments for an EC2 Auto Scaling Group<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: In-place upgrades risk breaking all instances or require long maintenance windows.<\/li>\n<li><strong>Why CodeDeploy fits<\/strong>: Blue\/green strategy can launch a new environment and shift traffic.<\/li>\n<li><strong>Example<\/strong>: Deploy a new AMI-backed app version by provisioning a green ASG and shifting ALB traffic after health checks.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Deploying to on-prem servers with consistent automation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: On-prem deployments vary by team and environment; auditability is weak.<\/li>\n<li><strong>Why CodeDeploy fits<\/strong>: On-prem instance registration + centralized deployment orchestration.<\/li>\n<li><strong>Example<\/strong>: Deploy a static site bundle to a set of on-prem Linux servers in a DMZ.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Safe Lambda rollouts with traffic shifting<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Updating a Lambda function all-at-once can introduce widespread errors immediately.<\/li>\n<li><strong>Why CodeDeploy fits<\/strong>: Integrates with Lambda versions\/aliases and controlled traffic shifting.<\/li>\n<li><strong>Example<\/strong>: Shift 10% of traffic to the new version for 10 minutes, then proceed if no alarms trigger (the built-in <code>CodeDeployDefault.LambdaCanary10Percent10Minutes<\/code> deployment configuration does exactly this).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) ECS service blue\/green deployments behind an ALB<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Replacing tasks in-place can cause brief errors or make rollback messy.<\/li>\n<li><strong>Why CodeDeploy fits<\/strong>: ECS blue\/green using task sets and traffic shifting.<\/li>\n<li><strong>Example<\/strong>: Deploy a new container image to an ECS service with separate target groups for blue and green.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Standardized deployments across multiple environments<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Dev\/test\/prod deployments drift; scripts diverge over time.<\/li>\n<li><strong>Why CodeDeploy fits<\/strong>: Same deployment artifact and process across environments; environment-specific configuration is resolved at deploy time (for example, hooks reading values from AWS Systems Manager Parameter Store or AWS Secrets Manager keyed by environment) rather than baked into the revision.<\/li>\n<li><strong>Example<\/strong>: Same ZIP revision deployed to dev and prod, with hooks reading environment-specific values from secure sources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Controlled deploys with automated rollback on CloudWatch alarms<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Problems are detected after deployment but rollback is slow.<\/li>\n<li><strong>Why CodeDeploy fits<\/strong>: Configure deployments to stop\/rollback when alarms trigger (capability depends on platform\/config).<\/li>\n<li><strong>Example<\/strong>: Roll back automatically if 5xx errors spike beyond threshold after traffic 
shift.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Deploying multi-component apps with ordered hooks<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: App needs migrations, cache warming, and controlled restarts.<\/li>\n<li><strong>Why CodeDeploy fits<\/strong>: Lifecycle hooks define order and failure handling.<\/li>\n<li><strong>Example<\/strong>: Run database migration before starting the app service; run health check after.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Integration into a CI\/CD pipeline with approvals<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Teams need repeatable promotion with approvals and audit logs.<\/li>\n<li><strong>Why CodeDeploy fits<\/strong>: Works with CodePipeline stages and manual approvals.<\/li>\n<li><strong>Example<\/strong>: CodePipeline builds artifact, stores in S3, triggers CodeDeploy deployment to staging, then requires approval for production.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Multi-tenant or multi-service fleet deployments with tagging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: One shared fleet hosts multiple services; need targeted rollouts.<\/li>\n<li><strong>Why CodeDeploy fits<\/strong>: Deployment groups can target instances by tag.<\/li>\n<li><strong>Example<\/strong>: Deploy only to instances with <code>App=payments-api<\/code> tag, not the entire account\u2019s fleet.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6. 
Core Features<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1) Multi-platform deployments (EC2\/On-Prem, Lambda, ECS)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Lets you deploy to different compute platforms under the CodeDeploy model.<\/li>\n<li><strong>Why it matters<\/strong>: Reduces tool sprawl; standardizes rollout and governance.<\/li>\n<li><strong>Practical benefit<\/strong>: One deployment \u201clanguage\u201d (applications, deployment groups, deployments) across targets.<\/li>\n<li><strong>Caveats<\/strong>: Feature details vary by platform. For example, EC2 uses the agent; Lambda\/ECS do not.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Deployment groups (target selection + strategy)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Defines <em>where<\/em> and <em>how<\/em> to deploy (targets + deployment configuration).<\/li>\n<li><strong>Why it matters<\/strong>: Separates target selection from the artifact, enabling reuse.<\/li>\n<li><strong>Practical benefit<\/strong>: Same revision can be deployed to multiple groups (dev\/stage\/prod).<\/li>\n<li><strong>Caveats<\/strong>: Misconfigured tags or Auto Scaling references can cause \u201cno instances found\u201d or partial deployments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) AppSpec-driven lifecycle hooks (especially for EC2\/on-prem)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Runs scripts\/commands at defined phases (before install, after install, application start, validate, etc.\u2014exact phases depend on platform).<\/li>\n<li><strong>Why it matters<\/strong>: Enables safe deployments that include service control, migrations, file permissions, and health checks.<\/li>\n<li><strong>Practical benefit<\/strong>: Turn tribal deployment scripts into a consistent, versioned process.<\/li>\n<li><strong>Caveats<\/strong>: Hooks run with OS permissions of the configured user; plan sudo 
usage and least privilege carefully: on Linux the agent itself runs as root, so a hook script without a <code>runas<\/code> entry in the AppSpec also runs as root, and anything that can modify the revision can run arbitrary code with that privilege on every targeted instance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) In-place vs blue\/green deployments (platform-dependent)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Supports different rollout patterns:<\/li>\n<li><strong>In-place<\/strong>: Update instances in the existing fleet.<\/li>\n<li><strong>Blue\/green<\/strong>: Provision new capacity or new task sets and shift traffic.<\/li>\n<li><strong>Why it matters<\/strong>: Blue\/green reduces risk and improves rollback behavior.<\/li>\n<li><strong>Practical benefit<\/strong>: Faster rollback and safer releases for user-facing apps.<\/li>\n<li><strong>Caveats<\/strong>: Blue\/green can increase temporary capacity and load balancer complexity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Deployment configurations (rollout controls)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Controls deployment speed (all-at-once, rolling, one-at-a-time, and other patterns depending on platform).<\/li>\n<li><strong>Why it matters<\/strong>: Limits blast radius.<\/li>\n<li><strong>Practical benefit<\/strong>: You can choose conservative rollouts in production and faster rollouts in dev.<\/li>\n<li><strong>Caveats<\/strong>: If your app requires strict ordering or global coordination, you may need additional orchestration.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Automatic rollback (configuration-dependent)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Rolls back when deployment fails or when alarms indicate unhealthy outcomes (where supported). On EC2\/on-prem a rollback is itself a new deployment of the last known good revision, so its hooks run again.<\/li>\n<li><strong>Why it matters<\/strong>: Reduces MTTR and limits customer impact.<\/li>\n<li><strong>Practical benefit<\/strong>: \u201cFail safe\u201d behavior that doesn\u2019t rely on manual intervention.<\/li>\n<li><strong>Caveats<\/strong>: Rollback correctness depends on your artifact design and hook scripts (idempotency is 
critical).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Integrations with load balancers and Auto Scaling (common in production)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Works with ELB\/ALB and Auto Scaling groups for controlled traffic cutover and health checks.<\/li>\n<li><strong>Why it matters<\/strong>: Most production services require safe traffic management.<\/li>\n<li><strong>Practical benefit<\/strong>: Automates deregistration\/registration of instances (pattern varies).<\/li>\n<li><strong>Caveats<\/strong>: Verify health check paths and grace periods; misconfigurations cause false failures.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Deployment history, status, and events<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Tracks deployments, statuses, and provides event streams.<\/li>\n<li><strong>Why it matters<\/strong>: Supports debugging and audit trails.<\/li>\n<li><strong>Practical benefit<\/strong>: You can see which revision deployed where and when.<\/li>\n<li><strong>Caveats<\/strong>: Log retention and event routing require additional services (CloudWatch, EventBridge, S3, etc.).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Notifications and event-driven automation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Can trigger notifications and integrate with automation via AWS services (commonly SNS\/EventBridge).<\/li>\n<li><strong>Why it matters<\/strong>: Deployment is an operational event\u2014teams need alerts.<\/li>\n<li><strong>Practical benefit<\/strong>: Auto-create tickets\/incidents or post to chatops.<\/li>\n<li><strong>Caveats<\/strong>: Don\u2019t overload alert channels; define severity mapping.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) On-premises support (hybrid deployments)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Lets you register non-EC2 instances and 
manage deployments similarly.<\/li>\n<li><strong>Why it matters<\/strong>: Many enterprises still run workloads outside AWS.<\/li>\n<li><strong>Practical benefit<\/strong>: Single deployment orchestration plane even in hybrid setups.<\/li>\n<li><strong>Caveats<\/strong>: Requires careful network egress, IAM credential management, and agent maintenance.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>At a high level:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>You store a deployable <strong>revision<\/strong> (for example a ZIP) in a location CodeDeploy can access (commonly Amazon S3 for EC2\/on-prem).<\/li>\n<li>You define a <strong>CodeDeploy application<\/strong> and <strong>deployment group<\/strong> that targets a set of instances\/services\/functions.<\/li>\n<li>You start a <strong>deployment<\/strong> referencing the revision.<\/li>\n<li>CodeDeploy orchestrates the deployment:\n   &#8211; For <strong>EC2\/on-prem<\/strong>: the <strong>CodeDeploy agent<\/strong> on each host polls for commands, downloads the revision, and executes lifecycle hooks.\n   &#8211; For <strong>Lambda<\/strong>: you publish the new function version; CodeDeploy shifts the alias\u2019s traffic from the current version to it (canary, linear, or all-at-once, per the deployment configuration) and shifts it back on failure.\n   &#8211; For <strong>ECS<\/strong>: CodeDeploy coordinates new task sets and shifts traffic at the load balancer.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow (EC2\/on-prem example)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane<\/strong>: You create a deployment in CodeDeploy (API\/Console\/CodePipeline).<\/li>\n<li><strong>Agent polling<\/strong>: Each instance\u2019s CodeDeploy agent polls the CodeDeploy service endpoint for work.<\/li>\n<li><strong>Artifact retrieval<\/strong>: The agent downloads the revision (often from S3) using the instance\u2019s IAM role.<\/li>\n<li><strong>Lifecycle 
execution<\/strong>: The agent runs hook scripts (for example, install dependencies, restart services, run smoke tests).<\/li>\n<li><strong>Status reporting<\/strong>: The agent reports success\/failure back to CodeDeploy.<\/li>\n<li><strong>Events\/notifications<\/strong>: CodeDeploy emits events; you can route them to monitoring\/alerting.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Common integrations include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Amazon S3<\/strong>: Artifact storage for EC2\/on-prem revisions.<\/li>\n<li><strong>AWS CodePipeline<\/strong>: Orchestrates multi-stage CI\/CD, including approvals.<\/li>\n<li><strong>AWS CodeBuild<\/strong>: Produces build artifacts and uploads to S3\/ECR.<\/li>\n<li><strong>Amazon CloudWatch<\/strong>: Alarms, logs (agent logs on instances), dashboards.<\/li>\n<li><strong>Amazon EventBridge<\/strong>: React to deployment state changes.<\/li>\n<li><strong>AWS CloudTrail<\/strong>: Audit CodeDeploy API calls.<\/li>\n<li><strong>Elastic Load Balancing \/ ALB<\/strong>: Health checks and traffic shifting (blue\/green patterns).<\/li>\n<li><strong>Amazon EC2 Auto Scaling<\/strong>: Deploy to fleets managed by ASGs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services (what you still pay attention to)<\/h3>\n\n\n\n<p>Even though CodeDeploy is managed, you still operate:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The compute targets (EC2, on-prem, ECS, Lambda configuration)<\/li>\n<li>The artifact store (S3 \/ ECR)<\/li>\n<li>IAM roles and policies<\/li>\n<li>Network access and routing<\/li>\n<li>Observability pipelines (CloudWatch logs, metrics, alarms)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Human and pipeline access<\/strong>: Controlled by IAM permissions to CodeDeploy APIs.<\/li>\n<li><strong>CodeDeploy service 
role<\/strong>: CodeDeploy assumes a service role you provide to call other AWS services as needed.<\/li>\n<li><strong>Instance role \/ credentials<\/strong> (EC2\/on-prem): The agent uses host credentials (the EC2 instance profile, or the IAM credentials configured on a registered on-premises instance) to authenticate to CodeDeploy and download artifacts; scope that role to the artifact prefix it actually needs.<\/li>\n<li><strong>Artifact access<\/strong>: Controlled by S3 bucket policies (keep object ACLs disabled) and, optionally, an SSE-KMS key policy that the instance role must also be allowed to decrypt with.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For EC2\/on-prem: instances need network connectivity to CodeDeploy endpoints and to the artifact location (often S3). In private subnets, this often means:<\/li>\n<li>NAT gateway\/instance <strong>or<\/strong><\/li>\n<li>VPC endpoints: a gateway endpoint for S3 plus the <code>codedeploy<\/code> and <code>codedeploy-commands-secure<\/code> interface endpoints (the agent polls through the latter and needs <code>:enable_auth_policy: true<\/code> in its <code>codedeployagent.yml<\/code> to use it), depending on your architecture.<\/li>\n<li>On-prem requires outbound HTTPS to AWS endpoints (or a carefully designed proxy path).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Instance-level logs<\/strong> (EC2\/on-prem): CodeDeploy agent logs are on the instance OS (on Linux, <code>\/var\/log\/aws\/codedeploy-agent\/codedeploy-agent.log<\/code>, with per-deployment hook output under <code>\/opt\/codedeploy-agent\/deployment-root\/deployment-logs\/<\/code>); ship them to CloudWatch Logs so they survive instance replacement.<\/li>\n<li><strong>Deployment events<\/strong>: Use CodeDeploy deployment history + EventBridge for automation.<\/li>\n<li><strong>Auditing<\/strong>: CloudTrail for who initiated deployments and what changed.<\/li>\n<li><strong>Tagging\/governance<\/strong>: Tag EC2 instances, Auto Scaling groups, and S3 buckets consistently to reduce targeting mistakes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  Dev[Developer \/ CI] --&gt;|Upload revision| S3[(Amazon S3 Artifact Bucket)]\n  Dev --&gt;|Create deployment| CD[AWS CodeDeploy]\n  CD --&gt;|Orchestrate| EC2[\"EC2 Instances\\n(CodeDeploy Agent)\"]\n  EC2 --&gt;|Download revision| S3\n  EC2 --&gt;|Report status| CD\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture 
diagram<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Source\n    Git[GitHub \/ CodeCommit]\n  end\n\n  subgraph CI_CD[\"CI\/CD (Developer tools)\"]\n    CP[AWS CodePipeline]\n    CB[AWS CodeBuild]\n  end\n\n  subgraph Artifacts\n    S3[(S3 Artifact Bucket)]\n    ECR[(\"Amazon ECR\\n(optional for ECS)\")]\n  end\n\n  subgraph Deploy\n    CD[AWS CodeDeploy]\n  end\n\n  subgraph Compute\n    ALB[Application Load Balancer]\n    ASG[\"EC2 Auto Scaling Group\\n(CodeDeploy Agent)\"]\n  end\n\n  subgraph Observability\n    CW[\"Amazon CloudWatch\\nLogs\/Metrics\/Alarms\"]\n    EB[Amazon EventBridge]\n    CT[AWS CloudTrail]\n    SNS[Amazon SNS]\n  end\n\n  Git --&gt; CP --&gt; CB --&gt; S3\n  CP --&gt; CD\n  CD --&gt; ASG\n  ASG --&gt; ALB\n  CD --&gt; EB --&gt; SNS\n  CD --&gt; CW\n  CP --&gt; CT\n  CD --&gt; CT\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">AWS account and billing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>AWS account<\/strong> with billing enabled.<\/li>\n<li>If using EC2, you will pay for compute and data transfer unless you stay within the AWS Free Tier eligibility (verify your account\u2019s Free Tier status in AWS Billing).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM permissions<\/h3>\n\n\n\n<p>To complete the lab in this article (EC2-based deployment), you typically need permission to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create\/manage IAM roles and instance profiles<\/li>\n<li>Create\/manage EC2 instances, security groups, key pairs<\/li>\n<li>Create\/manage S3 buckets and upload objects<\/li>\n<li>Create\/manage CodeDeploy applications, deployment groups, and deployments<\/li>\n<\/ul>\n\n\n\n<p>A common approach is to use an admin-capable lab user in a sandbox account. 
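<\/p>\n\n\n\n<p>The sandbox shortcut above is what a scoped production role should replace. The following is an added example, not code from the original article: it generates an IAM policy that lets a pipeline role start deployments of one application into one deployment group and publish revisions under one S3 prefix, and it flags the <code>codedeploy:*<\/code> on <code>Resource: *<\/code> pattern that lab accounts tend to keep. The account ID, Region, names and bucket are placeholders; the CodeDeploy ARN formats are the documented ones, and the action list follows the permissions the CodeDeploy documentation lists for CreateDeployment, but it should be checked against the current IAM reference before use.<\/p>

```python
# Added example: build a least-privilege deployer policy for one CodeDeploy
# deployment group and detect over-broad statements. All identifiers below
# (account, Region, application, group, bucket) are placeholders.
import json


def deployer_policy(region, account_id, app, group, config, bucket, prefix):
    '''IAM policy allowing CreateDeployment for exactly one deployment group.'''
    cd = 'arn:aws:codedeploy:' + region + ':' + account_id + ':'
    return {
        'Version': '2012-10-17',
        'Statement': [
            {   # Start, inspect and stop deployments of this group only.
                'Sid': 'DeployOneGroup',
                'Effect': 'Allow',
                'Action': ['codedeploy:CreateDeployment', 'codedeploy:GetDeployment',
                           'codedeploy:StopDeployment'],
                'Resource': cd + 'deploymentgroup:' + app + '/' + group,
            },
            {   # CreateDeployment also reads the application and its revision.
                'Sid': 'ReadApplication',
                'Effect': 'Allow',
                'Action': ['codedeploy:GetApplication', 'codedeploy:GetApplicationRevision',
                           'codedeploy:RegisterApplicationRevision'],
                'Resource': cd + 'application:' + app,
            },
            {   # ...and the deployment configuration the group uses.
                'Sid': 'ReadDeploymentConfig',
                'Effect': 'Allow',
                'Action': 'codedeploy:GetDeploymentConfig',
                'Resource': cd + 'deploymentconfig:' + config,
            },
            {   # Publish revisions only under this application's artifact prefix.
                'Sid': 'PublishArtifact',
                'Effect': 'Allow',
                'Action': ['s3:PutObject', 's3:GetObject'],
                'Resource': 'arn:aws:s3:::' + bucket + '/' + prefix + '/*',
            },
        ],
    }


def over_broad_statements(policy):
    '''Return the Sids of Allow statements with a wildcard action or resource.'''
    flagged = []
    for st in policy.get('Statement', []):
        if st.get('Effect') != 'Allow':
            continue
        actions = st.get('Action', [])
        resources = st.get('Resource', [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        wild_action = any(a == '*' or a.endswith(':*') for a in actions)
        wild_resource = any(r == '*' for r in resources)
        if wild_action or wild_resource:
            flagged.append(st.get('Sid', '(no Sid)'))
    return flagged


# Constructed example of the policy many labs start with; far too broad for prod.
LAB_POLICY = {
    'Version': '2012-10-17',
    'Statement': [{'Sid': 'LabAdmin', 'Effect': 'Allow',
                   'Action': 'codedeploy:*', 'Resource': '*'}],
}

if __name__ == '__main__':
    prod = deployer_policy('us-east-1', '111122223333', 'payments-api', 'prod',
                           'CodeDeployDefault.OneAtATime',
                           'example-artifacts', 'payments-api')
    print(json.dumps(prod, indent=2))
    print('over-broad in lab policy:', over_broad_statements(LAB_POLICY))
    print('over-broad in prod policy:', over_broad_statements(prod))
```

<p>The pipeline role gets this policy; the role that creates applications and deployment groups is a different principal, so a compromised build cannot retarget a deployment group at a fleet it was never meant to touch. The S3 statement is scoped to a prefix rather than the bucket, since the bucket usually holds artifacts for several applications.<\/p>

<p>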
In production, split duties and use least privilege.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A shell environment with:<\/li>\n<li><strong>AWS CLI<\/strong> (recommended)<\/li>\n<li><strong>git<\/strong><\/li>\n<li><strong>zip<\/strong><\/li>\n<li>SSH client (if you choose to SSH to the instance)<\/li>\n<li>AWS CloudShell can work for CLI steps, but you\u2019ll still need a way to connect to the EC2 instance (SSH or Session Manager). For lowest friction, this lab uses SSH.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Choose a supported AWS Region for EC2, S3, and CodeDeploy.<\/li>\n<li>The CodeDeploy agent installer is served from region-specific S3 buckets. You must use the correct Region URL (you will plug in your chosen Region).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CodeDeploy and EC2 have account\/region quotas (for example, number of instances, deployments, etc.).<\/li>\n<li>If you hit a limit, check <strong>Service Quotas<\/strong> in the AWS console and request increases as needed.<br\/>\n  (Exact quota values change; verify in official docs.)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<p>For the EC2 lab you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Amazon EC2<\/li>\n<li>Amazon S3<\/li>\n<li>AWS IAM<\/li>\n<li>AWS CodeDeploy<\/li>\n<\/ul>\n\n\n\n<p>Optional but recommended in real environments:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CloudWatch (alarms and logs)<\/li>\n<li>CloudTrail (audit)<\/li>\n<li>EventBridge\/SNS (notifications)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">9. 
Pricing \/ Cost<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model (how AWS CodeDeploy is charged)<\/h3>\n\n\n\n<p>AWS CodeDeploy pricing depends on the compute platform:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Deployments to Amazon EC2 instances, AWS Lambda functions, and Amazon ECS services<\/strong>: <strong>no additional CodeDeploy charge<\/strong> (you still pay for the underlying compute, storage, and networking).<\/li>\n<li><strong>Deployments to on-premises servers<\/strong>: charged <strong>per on-premises instance update<\/strong>. Each on-premises instance included in a deployment counts as one update, so one deployment to three on-premises servers is billed as three updates.<\/li>\n<\/ul>\n\n\n\n<p>Because pricing can change, do not rely on blog-post numbers. Confirm the current rate and any regional differences on the official pages:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Official pricing page: https:\/\/aws.amazon.com\/codedeploy\/pricing\/<\/li>\n<li>AWS Pricing Calculator: https:\/\/calculator.aws\/#\/<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (what affects your bill)<\/h3>\n\n\n\n<p>Even for EC2 deployments, where CodeDeploy itself adds nothing to the bill, your total cost includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>EC2 instance hours<\/strong> (or seconds, depending on purchase model), EBS volumes, snapshots<\/li>\n<li><strong>Load balancers<\/strong> (ALB\/NLB) and LCU usage if using blue\/green patterns<\/li>\n<li><strong>S3 storage<\/strong> for artifacts and request costs (PUT\/GET)<\/li>\n<li><strong>Data transfer<\/strong>:<\/li>\n<li>S3 to EC2 in the same Region is typically cheaper than cross-Region<\/li>\n<li>Internet egress (serving your app to users) is a separate cost driver<\/li>\n<li><strong>CloudWatch<\/strong> logs and metrics, alarms<\/li>\n<li><strong>NAT Gateway<\/strong> costs if instances in private subnets need outbound access to S3\/CodeDeploy endpoints<\/li>\n<li><strong>KMS<\/strong> costs if you use SSE-KMS on the S3 artifact bucket<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Free 
Tier considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CodeDeploy itself adds no cost for the EC2 deployment in this lab, but EC2, S3, and CloudWatch do.<\/li>\n<li>If you\u2019re eligible for the AWS Free Tier, a small EC2 + small S3 usage may be within free usage amounts; <strong>verify your Free Tier eligibility and current usage<\/strong> in the Billing console.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost drivers (the \u201cgotchas\u201d)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Blue\/green<\/strong> can temporarily double capacity (blue + green) or require additional infrastructure during the cutover.<\/li>\n<li><strong>Frequent deployments to large on-premises fleets<\/strong> add up, because every on-premises instance updated in every deployment is billed as one instance update.<\/li>\n<li><strong>NAT Gateway<\/strong> is often the surprise bill item in VPC designs that require outbound internet access from private subnets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For EC2 deployments:<\/li>\n<li>Use in-place deployments for non-critical environments where downtime is acceptable.<\/li>\n<li>Keep artifact sizes small (avoid bundling large build caches).<\/li>\n<li>Prefer VPC endpoints (S3 gateway endpoint, relevant interface endpoints) to reduce NAT egress (verify endpoint requirements for your design).<\/li>\n<li>For on-premises deployments:<\/li>\n<li>Avoid unnecessary deploys to large fleets (batch changes, use feature flags when appropriate), since every instance updated is billed.<\/li>\n<li>For Lambda\/ECS:<\/li>\n<li>Use canary\/linear patterns to reduce risk; there is no CodeDeploy line item to shrink here, so cost optimization is about reducing failed releases and the rollbacks they trigger.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (qualitative)<\/h3>\n\n\n\n<p>A typical low-cost lab setup is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1 small EC2 instance (potentially Free Tier eligible)<\/li>\n<li>1 small S3 bucket with a few ZIP uploads<\/li>\n<li>Minimal CloudWatch 
usage<\/li>\n<\/ul>\n\n\n\n<p>Your cost is dominated by EC2 runtime and any data egress. If you run the instance only during the lab and clean up immediately, the cost is usually low.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations (what to model)<\/h3>\n\n\n\n<p>For production, model:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Number of instances in ASGs, and whether blue\/green doubles them temporarily<\/li>\n<li>Load balancer hours and LCU usage<\/li>\n<li>Volume and frequency of artifact downloads (each host downloads each deployment)<\/li>\n<li>NAT vs VPC endpoints<\/li>\n<li>CloudWatch log retention and alarm count<\/li>\n<\/ul>\n\n\n\n<p>For exact estimates, use the AWS Pricing Calculator and include EC2, ALB, S3, CloudWatch, NAT, and (if you deploy to on-premises servers) the CodeDeploy per-instance-update charge.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Deploy a sample web application to an Amazon EC2 instance using <strong>AWS CodeDeploy<\/strong>, with artifacts stored in <strong>Amazon S3<\/strong> and the <strong>CodeDeploy agent<\/strong> running on the instance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create an S3 bucket to store a deployment artifact (ZIP).<\/li>\n<li>Create IAM roles:\n   &#8211; A <strong>CodeDeploy service role<\/strong>\n   &#8211; An <strong>EC2 instance profile role<\/strong> that lets the CodeDeploy agent read the revision from S3<\/li>\n<li>Launch an EC2 instance, install Apache and the CodeDeploy agent.<\/li>\n<li>Create a CodeDeploy application + deployment group targeting the instance by tag.<\/li>\n<li>Upload a sample CodeDeploy revision to S3 and deploy it.<\/li>\n<li>Validate by visiting the instance over HTTP.<\/li>\n<li>Troubleshoot common issues.<\/li>\n<li>Clean up everything to avoid ongoing 
charges.<\/li>\n<\/ol>\n\n\n\n<p>This lab is designed to be safe and low-cost if you terminate the EC2 instance and delete the S3 bucket afterward.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Choose a Region and set variables<\/h3>\n\n\n\n<p><strong>What you do<\/strong><br\/>\nPick one AWS Region (for example, <code>us-east-1<\/code>, <code>eu-west-1<\/code>, etc.) and use it consistently for EC2, S3, and CodeDeploy.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong><br\/>\nYou know the Region you will use throughout the lab.<\/p>\n\n\n\n<p>If you use AWS CLI, set your default region:<\/p>\n\n\n\n<pre><code class=\"language-bash\">aws configure set region &lt;your-region&gt;\n<\/code><\/pre>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">aws configure get region\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create an S3 bucket for deployment artifacts<\/h3>\n\n\n\n<p><strong>What you do<\/strong><br\/>\nCreate a dedicated S3 bucket to store deployment artifacts.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong><br\/>\nYou have an empty S3 bucket.<\/p>\n\n\n\n<p>If using the AWS console:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Amazon S3<\/strong> \u2192 <strong>Buckets<\/strong> \u2192 <strong>Create bucket<\/strong><\/li>\n<li>Bucket name: <code>codedeploy-artifacts-&lt;accountid&gt;-&lt;region&gt;<\/code> (must be globally unique)<\/li>\n<li>Region: your chosen Region<\/li>\n<li>Keep defaults for this lab (block public access should remain enabled)<\/li>\n<li>Create bucket<\/li>\n<\/ol>\n\n\n\n<p>If using AWS CLI:<\/p>\n\n\n\n<pre><code class=\"language-bash\">aws s3 mb s3:\/\/codedeploy-artifacts-&lt;accountid&gt;-&lt;region&gt;\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create required IAM roles (Console)<\/h3>\n\n\n\n<p>This step is easiest and safest 
to follow using the AWS console because it avoids copy\/pasting policy documents.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">3A) Create the CodeDeploy service role<\/h4>\n\n\n\n<p><strong>What you do<\/strong><br\/>\nCreate an IAM role that AWS CodeDeploy can assume to interact with other AWS services (for example, describing instances, interacting with Auto Scaling\/ELB depending on configuration).<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong><br\/>\nYou have a role like <code>CodeDeployServiceRole<\/code> with the AWS-managed policy recommended for CodeDeploy service roles.<\/p>\n\n\n\n<p>Console steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>IAM<\/strong> \u2192 <strong>Roles<\/strong> \u2192 <strong>Create role<\/strong><\/li>\n<li>Trusted entity type: <strong>AWS service<\/strong><\/li>\n<li>Use case: <strong>CodeDeploy<\/strong><\/li>\n<li>Attach the AWS-managed policy shown\/recommended for CodeDeploy service roles<br\/>\n   &#8211; Commonly, AWS documentation references a managed policy for CodeDeploy service roles (verify the current name in official docs if the console does not show it clearly).<\/li>\n<li>Role name: <code>CodeDeployServiceRole<\/code><\/li>\n<li>Create role<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\">3B) Create the EC2 instance profile role for the CodeDeploy agent<\/h4>\n\n\n\n<p><strong>What you do<\/strong><br\/>\nCreate an IAM role attached to the EC2 instance so the CodeDeploy agent can:\n&#8211; Read the artifact from S3\n&#8211; Communicate with the CodeDeploy service APIs needed for polling and status reporting<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong><br\/>\nYour EC2 instance will have an instance profile role attached.<\/p>\n\n\n\n<p>Console steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>IAM \u2192 Roles \u2192 Create role<\/li>\n<li>Trusted entity: <strong>AWS service<\/strong><\/li>\n<li>Use case: <strong>EC2<\/strong><\/li>\n<li>Attach permissions:\n   &#8211; For this lab, you 
can attach <strong>AmazonS3ReadOnlyAccess<\/strong> (broad but simple) or the AWS-managed <strong>AmazonEC2RoleforAWSCodeDeploy<\/strong>, which grants only the S3 read actions the agent uses.<br\/>\n     For production, scope it to your artifact bucket and prefix only.<\/li>\n<li>Do not add CodeDeploy permissions to this role. The agent authenticates to the CodeDeploy commands endpoint with the instance credentials and needs no <code>codedeploy:*<\/code> IAM actions; an inline <code>codedeploy:*<\/code> grant adds nothing the agent uses and widens what an attacker on a compromised instance can do (for example, start deployments to other hosts).<\/li>\n<li>Role name: <code>EC2CodeDeployAgentRole<\/code><\/li>\n<li>Create role<\/li>\n<\/ol>\n\n\n\n<p>Attach this role as the instance profile when you launch the instance in the next step.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Launch an EC2 instance and tag it for CodeDeploy targeting<\/h3>\n\n\n\n<p><strong>What you do<\/strong><br\/>\nLaunch a Linux EC2 instance and apply tags that your CodeDeploy deployment group will use to find the target.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong><br\/>\nYou have a running EC2 instance reachable via SSH and HTTP.<\/p>\n\n\n\n<p>Console steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>EC2<\/strong> \u2192 <strong>Instances<\/strong> \u2192 <strong>Launch instances<\/strong><\/li>\n<li>Name: <code>codedeploy-lab-1<\/code><\/li>\n<li>AMI: Choose a CodeDeploy-agent-supported Linux distribution.<br\/>\n   A common choice is <strong>Amazon Linux 2<\/strong> (verify current CodeDeploy agent support matrix in official docs).<\/li>\n<li>Instance type: choose a small type for a lab (cost-aware).<\/li>\n<li>Key pair: create\/select one you can use for SSH.<\/li>\n<li>Network 
settings:\n   &#8211; Create a security group allowing:<ul>\n<li>SSH (22) from <strong>your IP<\/strong> (recommended)<\/li>\n<li>HTTP (80) from <strong>your IP<\/strong> (or from anywhere for quick testing, but your IP is safer)<\/li>\n<\/ul>\n<\/li>\n<li>IAM instance profile: select <strong>EC2CodeDeployAgentRole<\/strong><\/li>\n<li>Tags:\n   &#8211; Add a tag: <code>Key=CodeDeployDemo<\/code>, <code>Value=Yes<\/code><\/li>\n<li>Launch instance<\/li>\n<\/ol>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Instance state: <strong>running<\/strong>\n&#8211; You can see the public IPv4 address (if you launched in a public subnet with auto-assign public IP)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Install Apache and the CodeDeploy agent on the instance<\/h3>\n\n\n\n<p><strong>What you do<\/strong><br\/>\nSSH to the instance, install a web server, then install and start the CodeDeploy agent.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong><br\/>\n&#8211; Apache is serving a default page on port 80\n&#8211; CodeDeploy agent is running<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">5A) SSH to the instance<\/h4>\n\n\n\n<p>From your workstation:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh -i \/path\/to\/your-key.pem ec2-user@&lt;EC2_PUBLIC_IP&gt;\n<\/code><\/pre>\n\n\n\n<p>(Username may vary by AMI.)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">5B) Install and start Apache (Amazon Linux 2 example)<\/h4>\n\n\n\n<pre><code class=\"language-bash\">sudo yum -y update\nsudo yum -y install httpd\nsudo systemctl enable httpd\nsudo systemctl start httpd\n<\/code><\/pre>\n\n\n\n<p>Quick test from your local machine:<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -i http:\/\/&lt;EC2_PUBLIC_IP&gt;\/\n<\/code><\/pre>\n\n\n\n<p>You should see an HTTP 200 response (or the default Apache page content).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">5C) Install the CodeDeploy agent<\/h4>\n\n\n\n<p>The CodeDeploy agent installer 
is hosted in a <strong>region-specific S3 bucket<\/strong>. Use the installer URL for your Region from the official documentation, or adapt the standard pattern. The installer is a Ruby script, so Ruby must be present on the instance before you run it.<\/p>\n\n\n\n<p>From the EC2 instance (replace <code>&lt;region&gt;<\/code> in both places, for example with <code>us-east-1<\/code>):<\/p>\n\n\n\n<pre><code class=\"language-bash\"># Amazon Linux 2: the CodeDeploy installer needs Ruby\nsudo yum -y install ruby\n\ncd \/home\/ec2-user\n\n# Installer for your Region (bucket name and endpoint are both region-specific)\ncurl -O https:\/\/aws-codedeploy-&lt;region&gt;.s3.&lt;region&gt;.amazonaws.com\/latest\/install\nchmod +x .\/install\n\n# auto picks the right package for the OS and starts the service\nsudo .\/install auto\n<\/code><\/pre>\n\n\n\n<p>Start the agent (if it is not already running) and check it:<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo systemctl start codedeploy-agent\nsudo systemctl status codedeploy-agent --no-pager\n<\/code><\/pre>\n\n\n\n<p>If your OS uses a different service manager or package prerequisites, follow the official install instructions for your distribution:\nhttps:\/\/docs.aws.amazon.com\/codedeploy\/latest\/userguide\/codedeploy-agent-operations-install.html<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Create a CodeDeploy application and deployment group (Console)<\/h3>\n\n\n\n<p><strong>What you do<\/strong><br\/>\nCreate a CodeDeploy application targeting EC2\/on-prem and a deployment group that selects instances by tag.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong><br\/>\nA deployment group exists and shows at least one matching instance.<\/p>\n\n\n\n<p>Console steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>AWS CodeDeploy<\/strong> console<\/li>\n<li><strong>Applications<\/strong> \u2192 <strong>Create application<\/strong>\n   &#8211; Application name: <code>CodeDeployEC2Demo<\/code>\n   &#8211; Compute platform: <strong>EC2\/On-premises<\/strong><\/li>\n<li>Open the application \u2192 <strong>Create deployment group<\/strong>\n   &#8211; Deployment group name: <code>CodeDeployEC2Demo-DG<\/code>\n   &#8211; Service role: select <code>CodeDeployServiceRole<\/code>\n   &#8211; Environment configuration: choose <strong>Amazon EC2 instances<\/strong>\n   &#8211; Tag group:<ul>\n<li>Key: 
<code>CodeDeployDemo<\/code><\/li>\n<li>Value: <code>Yes<\/code><\/li>\n<li>Type: <code>KEY_AND_VALUE<\/code><\/li>\n<li>Deployment configuration: choose a simple option (for example, \u201cone at a time\u201d or similar) suitable for a single-instance lab<\/li>\n<li>Load balancer: <strong>disable<\/strong> for this lab (single instance)<\/li>\n<\/ul>\n<\/li>\n<li>Create deployment group<\/li>\n<\/ol>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; In the deployment group, confirm it recognizes <strong>1 instance<\/strong> (your EC2 instance).\n&#8211; If it shows 0 instances, fix tags\/Region\/VPC selection issues (see Troubleshooting).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Prepare a sample CodeDeploy revision (artifact)<\/h3>\n\n\n\n<p>To keep this tutorial realistic and executable <strong>without pasting AppSpec content into this article<\/strong>, use the official or AWS-maintained CodeDeploy samples repository and upload a sample revision to S3.<\/p>\n\n\n\n<p><strong>What you do<\/strong><br\/>\nDownload a sample revision, package it as a ZIP, upload to S3.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong><br\/>\nA ZIP artifact is in your S3 bucket.<\/p>\n\n\n\n<p>You can do this from <strong>AWS CloudShell<\/strong> or your local machine with AWS CLI.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">7A) Get the sample<\/h4>\n\n\n\n<p>Use the AWS samples repository (verify repository path if it changes):<\/p>\n\n\n\n<p>https:\/\/github.com\/aws-samples\/aws-codedeploy-samples<\/p>\n\n\n\n<p>Commands:<\/p>\n\n\n\n<pre><code class=\"language-bash\">git clone https:\/\/github.com\/aws-samples\/aws-codedeploy-samples.git\ncd aws-codedeploy-samples\n<\/code><\/pre>\n\n\n\n<p>Locate a Linux EC2 sample (the repo contains multiple). Choose a sample intended for <strong>EC2\/On-Prem Linux<\/strong>.<\/p>\n\n\n\n<p>Create a ZIP from the sample folder you chose. 
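<\/p>\n\n\n\n<p>The most common packaging mistake is zipping the parent directory instead of the sample folder\u2019s contents, which leaves <code>appspec.yml<\/code> nested one level down; the agent then fails with an AppSpec-not-found error before any hook runs. The check below is an added example (not code from the article, from AWS, or from the aws-codedeploy-samples repository): it builds a small constructed revision in memory, reproduces that mistake, and verifies that appspec.yml sits at the root, declares version 0.0 and os linux, and references only hook scripts and source files that exist in the archive. To check your real ZIP before uploading, pass its bytes to <code>check_bundle()<\/code>.<\/p>

```python
"""Build and sanity-check a CodeDeploy EC2/on-premises revision bundle.

Added example for this article; not code from AWS, the article's author, or
the aws-codedeploy-samples repository. SAMPLE_FILES is a constructed stand-in
for a Linux sample (appspec.yml plus hook scripts); point check_bundle() at
the bytes of your real ZIP the same way.
"""
import io
import re
import zipfile

SAMPLE_FILES = {
    "appspec.yml": (
        "version: 0.0\n"
        "os: linux\n"
        "files:\n"
        "  - source: /index.html\n"
        "    destination: /var/www/html/\n"
        "hooks:\n"
        "  BeforeInstall:\n"
        "    - location: scripts/install_dependencies\n"
        "      timeout: 300\n"
        "      runas: root\n"
        "  ApplicationStart:\n"
        "    - location: scripts/start_server\n"
        "      timeout: 300\n"
        "      runas: root\n"
    ),
    "index.html": "<h1>Deployed by CodeDeploy</h1>\n",
    "scripts/install_dependencies": "#!/bin/bash\nyum install -y httpd\n",
    "scripts/start_server": "#!/bin/bash\nsystemctl start httpd\n",
}

# Line-based extraction of the paths an AppSpec refers to. Deliberately not a
# YAML parser: it covers the flat layout the official samples use.
LOCATION_RE = re.compile(r"^\s*-\s*location:\s*(\S+)")
SOURCE_RE = re.compile(r"^\s*-\s*source:\s*(\S+)")


def build_bundle(files: dict, prefix: str = "") -> bytes:
    """Zip `files` in memory. A non-empty `prefix` reproduces the classic
    mistake of zipping the parent directory instead of its contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(prefix + name, body)
    return buf.getvalue()


def check_bundle(data: bytes) -> list:
    """Return the problems found in a revision ZIP; an empty list means it
    passed every check here."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "appspec.yml" not in names:
            nested = sorted(n for n in names if n.endswith("/appspec.yml"))
            hint = f" (found {nested[0]} instead)" if nested else ""
            problems.append("appspec.yml is not at the root of the bundle" + hint)
            return problems  # the agent stops here as well; nothing else is meaningful
        spec = zf.read("appspec.yml").decode("utf-8")
        if not re.search(r"^version:\s*0\.0\s*$", spec, re.M):
            problems.append("appspec.yml must declare 'version: 0.0'")
        if not re.search(r"^os:\s*linux\s*$", spec, re.M):
            problems.append("appspec.yml must declare 'os: linux' for a Linux target")
        for line in spec.splitlines():
            for kind, pattern in (("hook script", LOCATION_RE), ("files source", SOURCE_RE)):
                m = pattern.match(line)
                if not m:
                    continue
                path = m.group(1).lstrip("/")  # AppSpec paths are bundle-relative
                if not path:  # "source: /" means the whole bundle
                    continue
                is_dir = any(n.startswith(path + "/") for n in names)
                if path not in names and not is_dir:
                    problems.append(f"{kind} {m.group(1)} is referenced but missing from the bundle")
    return problems


if __name__ == "__main__":
    print("good bundle:", check_bundle(build_bundle(SAMPLE_FILES)) or "OK")
    print("zipped parent dir:", check_bundle(build_bundle(SAMPLE_FILES, prefix="SampleApp_Linux/")))
```

<p>The AppSpec scan is line-based on purpose: it handles the flat <code>location:<\/code> and <code>source:<\/code> layout the samples use without pulling in a YAML library, and it is a pre-upload guard, not a substitute for the agent\u2019s own validation of the file.<\/p>\n\n\n\n<p>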
For example:<\/p>\n\n\n\n<pre><code class=\"language-bash\">cd &lt;path-to-a-linux-ec2-sample-folder&gt;\nzip -r \/tmp\/codedeploy-ec2-demo.zip .\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">7B) Upload to S3<\/h4>\n\n\n\n<pre><code class=\"language-bash\">aws s3 cp \/tmp\/codedeploy-ec2-demo.zip s3:\/\/codedeploy-artifacts-&lt;accountid&gt;-&lt;region&gt;\/revisions\/codedeploy-ec2-demo.zip\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Create and run a deployment (Console)<\/h3>\n\n\n\n<p><strong>What you do<\/strong><br\/>\nStart a CodeDeploy deployment referencing your S3 artifact.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong><br\/>\nDeployment completes successfully and updates the content served by Apache.<\/p>\n\n\n\n<p>Console steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>CodeDeploy \u2192 Applications \u2192 <code>CodeDeployEC2Demo<\/code><\/li>\n<li>Deployments \u2192 <strong>Create deployment<\/strong><\/li>\n<li>Deployment group: <code>CodeDeployEC2Demo-DG<\/code><\/li>\n<li>Revision type: <strong>Amazon S3<\/strong><\/li>\n<li>S3 location:\n   &#8211; Bucket: your artifact bucket\n   &#8211; Key: <code>revisions\/codedeploy-ec2-demo.zip<\/code>\n   &#8211; Bundle type: <strong>zip<\/strong><\/li>\n<li>(Optional) Enable rollback settings if shown (good practice even in labs)<\/li>\n<li>Create deployment<\/li>\n<\/ol>\n\n\n\n<p>Watch the deployment events until it reaches <strong>Succeeded<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Validate deployment status<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In the CodeDeploy console, the deployment should be <strong>Succeeded<\/strong>.<\/li>\n<li>Click into deployment details and confirm lifecycle events completed.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Validate on the instance<\/h4>\n\n\n\n<p>From your 
local machine:<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -i http:\/\/&lt;EC2_PUBLIC_IP&gt;\/\n<\/code><\/pre>\n\n\n\n<p>You should see updated content based on the sample revision.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Validate agent health (on the instance)<\/h4>\n\n\n\n<p>SSH to the instance and check:<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo systemctl status codedeploy-agent --no-pager\nsudo tail -n 200 \/var\/log\/aws\/codedeploy-agent\/codedeploy-agent.log\n<\/code><\/pre>\n\n\n\n<p>(Log paths can vary slightly by OS; verify via official docs.)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common issues and fixes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Deployment group shows 0 instances<\/strong>\n   &#8211; Confirm EC2 instance is in the same <strong>Region<\/strong> as the CodeDeploy app.\n   &#8211; Confirm tag key\/value matches exactly.\n   &#8211; Confirm you targeted \u201cAmazon EC2 instances\u201d and not Auto Scaling groups.\n   &#8211; Wait a few minutes after tagging; then refresh.<\/p>\n<\/li>\n<li>\n<p><strong>Deployment fails: agent not running \/ not found<\/strong>\n   &#8211; SSH to the instance and check:<\/p>\n<ul>\n<li><code>sudo systemctl status codedeploy-agent --no-pager<\/code><\/li>\n<li>Reinstall agent using the correct <strong>Region-specific<\/strong> installer URL.<\/li>\n<li>Verify the instance can reach the internet\/S3\/CodeDeploy endpoints (route table, NAT, security group egress).<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Access denied downloading from S3<\/strong>\n   &#8211; Ensure the EC2 instance role has permission to <code>s3:GetObject<\/code> on the artifact object.\n   &#8211; If using SSE-KMS, ensure the role can decrypt with the KMS key.\n   &#8211; For labs, attaching AmazonS3ReadOnlyAccess is a quick fix; for production, use least privilege.<\/p>\n<\/li>\n<li>\n<p><strong>Permissions error calling 
CodeDeploy APIs<\/strong>\n   &#8211; The agent needs no <code>codedeploy:*<\/code> IAM actions; it authenticates to the CodeDeploy commands endpoint with the instance credentials. An authentication or credentials error here usually means the instance was launched without an instance profile, the profile was attached after the agent started (restart the agent), or the instance cannot reach the endpoint.\n   &#8211; On the instance, confirm the expected role is in use with <code>aws sts get-caller-identity<\/code>, then read <code>\/var\/log\/aws\/codedeploy-agent\/codedeploy-agent.log<\/code> for the exact error.<\/p>\n<\/li>\n<li>\n<p><strong>HTTP validation fails (connection refused\/timeouts)<\/strong>\n   &#8211; Ensure Apache is running: <code>sudo systemctl status httpd --no-pager<\/code>\n   &#8211; Ensure security group allows inbound TCP\/80 from your IP.\n   &#8211; Ensure you\u2019re using the correct public IP and that the instance is in a public subnet.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges, delete resources created in this lab:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Terminate the EC2 instance<\/strong>\n   &#8211; EC2 \u2192 Instances \u2192 select <code>codedeploy-lab-1<\/code> \u2192 Terminate<\/p>\n<\/li>\n<li>\n<p><strong>Delete CodeDeploy resources<\/strong>\n   &#8211; CodeDeploy \u2192 delete deployment group and application<\/p>\n<\/li>\n<li>\n<p><strong>Delete S3 artifacts<\/strong>\n   &#8211; Remove objects in <code>s3:\/\/codedeploy-artifacts-...\/revisions\/<\/code>\n   &#8211; Delete the bucket (must be empty first)<\/p>\n<\/li>\n<li>\n<p><strong>Delete IAM roles (optional in a sandbox)<\/strong>\n   &#8211; Delete <code>EC2CodeDeployAgentRole<\/code> (and instance profile if separate)\n   &#8211; Delete <code>CodeDeployServiceRole<\/code>\n   &#8211; Only delete roles if you\u2019re sure nothing else uses them.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Prefer blue\/green for customer-facing services<\/strong> when you need fast rollback and minimal downtime (especially for ECS and Lambda patterns).<\/li>\n<li><strong>Keep artifacts immutable<\/strong>: a deployment should reference a specific build output. Avoid overwriting the same S3 key for different builds.<\/li>\n<li><strong>Design for idempotency<\/strong> in hooks: scripts should be safe to rerun (retries happen; partial failures happen).<\/li>\n<li><strong>Separate environments<\/strong> (dev\/stage\/prod) with separate deployment groups\u2014and often separate AWS accounts for prod.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>least privilege<\/strong>:<\/li>\n<li>Restrict who can create deployments to production.<\/li>\n<li>Scope EC2 instance role S3 permissions to the artifact bucket\/prefix.<\/li>\n<li>Avoid long-lived static credentials on instances; use <strong>instance profiles<\/strong> or secure credential delivery for on-prem.<\/li>\n<li>Use <strong>CloudTrail<\/strong> and restrict high-risk actions (editing deployment groups, disabling rollback).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For EC2: CodeDeploy is not usually the line item\u2014<strong>EC2, ALB, NAT, and CloudWatch<\/strong> are.<\/li>\n<li>For private subnets, evaluate <strong>VPC endpoints<\/strong> to reduce NAT usage (validate which endpoints you need).<\/li>\n<li>Keep <strong>artifact sizes small<\/strong> and avoid bundling dependencies that can be fetched at runtime reliably (balanced against reliability requirements).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tune deployment 
configuration to match your app\u2019s startup time and warmup needs.<\/li>\n<li>Avoid deployment hooks that do heavy work synchronously if it extends deployment windows excessively\u2014consider pre-baking AMIs or container images.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>health checks and post-deploy validation<\/strong> hooks.<\/li>\n<li>Configure <strong>automatic rollback<\/strong> where appropriate and test it regularly.<\/li>\n<li>Add <strong>CloudWatch alarms<\/strong> that reflect user impact (5xx rate, latency, error budgets), not just instance CPU.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralize deployment events using <strong>EventBridge<\/strong> and route to incident tools.<\/li>\n<li>Keep clear naming conventions:<\/li>\n<li><code>appname-env-platform<\/code> for applications and deployment groups<\/li>\n<li>Store operational runbooks for common failure modes (permissions, agent health, S3 access).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tag instances with stable keys used for deployments (avoid ad-hoc tags).<\/li>\n<li>Tag CodeDeploy applications\/deployment groups for cost allocation and ownership where supported.<\/li>\n<li>Document the mapping: \u201cWhich tags qualify an instance to receive production deployments?\u201d<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>User\/pipeline IAM<\/strong> controls:<\/li>\n<li>Who can create deployments<\/li>\n<li>Who can modify deployment groups (high impact)<\/li>\n<li>Who can attach\/modify service roles<\/li>\n<li><strong>CodeDeploy service role<\/strong> controls what AWS CodeDeploy can do in your account (for example, interact with Auto Scaling\/LB\/alarms).<\/li>\n<li><strong>Instance role<\/strong> (EC2) controls:<\/li>\n<li>Access to the artifact store (S3)<\/li>\n<li>Ability to call CodeDeploy APIs required by the agent<\/li>\n<\/ul>\n\n\n\n<p>Security recommendation: treat deployment roles as production-sensitive. A compromised deployment pipeline can become a code execution path on your fleet.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>In transit<\/strong>: CodeDeploy API calls and S3 downloads use HTTPS.<\/li>\n<li><strong>At rest<\/strong>:<\/li>\n<li>Encrypt S3 artifact buckets (SSE-S3 or SSE-KMS depending on requirements).<\/li>\n<li>Encrypt EBS volumes on EC2 instances.<\/li>\n<li>If you use <strong>SSE-KMS<\/strong>, ensure the instance role and deploy roles have the necessary KMS permissions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid exposing SSH to the internet broadly:<\/li>\n<li>Restrict SSH to your IP or use <strong>AWS Systems Manager Session Manager<\/strong> (preferred for production).<\/li>\n<li>If instances are private:<\/li>\n<li>Ensure connectivity to required AWS endpoints via NAT\/proxy or VPC endpoints.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Do not bake secrets into the artifact ZIP.<\/li>\n<li>Prefer:<\/li>\n<li>AWS Systems Manager Parameter Store (SecureString)<\/li>\n<li>AWS Secrets 
Manager<\/li>\n<li>Retrieve secrets at runtime with least privilege and audit access.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable and retain <strong>CloudTrail<\/strong> logs for CodeDeploy API activity.<\/li>\n<li>Capture agent logs and hook outputs (for EC2) using your log pipeline (for example, CloudWatch agent, centralized logging).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deployment history + CloudTrail helps support change management controls.<\/li>\n<li>For regulated environments:<\/li>\n<li>Require approvals (often via CodePipeline manual approval stage).<\/li>\n<li>Separate build and deploy roles.<\/li>\n<li>Use artifact integrity controls (for example, signed artifacts\u2014implementation is outside CodeDeploy itself; verify your approach).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Overly broad instance role permissions (<code>s3:*<\/code> on <code>*<\/code>, or wide <code>codedeploy:*<\/code>) in production.<\/li>\n<li>Allowing developers to edit production deployment groups without review.<\/li>\n<li>Using public S3 buckets for artifacts (avoid).<\/li>\n<li>Embedding credentials in scripts or artifacts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use separate accounts for prod and non-prod (typical AWS best practice).<\/li>\n<li>Enforce least privilege for:<\/li>\n<li>CodeDeploy service role<\/li>\n<li>EC2 instance role<\/li>\n<li>Deployment initiators<\/li>\n<li>Require approvals for prod deployments.<\/li>\n<li>Monitor deployments as security-relevant events (EventBridge rules + alerting).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">13. 
Limitations and Gotchas<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Regional scope<\/strong>: CodeDeploy apps and deployment groups are regional; multi-region requires orchestration.<\/li>\n<li><strong>Agent requirement<\/strong>: EC2\/on-prem deployments require the <strong>CodeDeploy agent<\/strong> installed and running. This is a common operational failure point.<\/li>\n<li><strong>OS support<\/strong>: The agent supports specific OS\/distribution versions. Always verify against official docs before standardizing an AMI.<\/li>\n<li><strong>Networking in private subnets<\/strong>: Instances must reach CodeDeploy endpoints and artifact storage. NAT Gateway costs and routing issues are common gotchas.<\/li>\n<li><strong>Artifact immutability<\/strong>: Overwriting S3 objects under the same key can cause confusion and accidental rollbacks to unexpected code.<\/li>\n<li><strong>Hook script reliability<\/strong>: Non-idempotent scripts cause flaky deployments and hard-to-debug partial states.<\/li>\n<li><strong>Permissions complexity<\/strong>: The instance role needs the right permissions to poll CodeDeploy and read artifacts; mis-scoping is a top cause of failures.<\/li>\n<li><strong>Blue\/green complexity<\/strong>: Requires correct load balancer target groups and health checks; misconfiguration can cause false failures or traffic blackholes.<\/li>\n<li><strong>Operational visibility<\/strong>: Agent logs live on the instance; if you don\u2019t centralize logs, debugging at scale becomes slow.<\/li>\n<li><strong>Not a full CI system<\/strong>: CodeDeploy is for deployment, not building artifacts. Pair it with CodeBuild\/Jenkins\/GitHub Actions, etc.<\/li>\n<li><strong>Not Kubernetes-native<\/strong>: If your main target is EKS, use Kubernetes-native deployment tooling.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>AWS CodeDeploy is one of several ways to deploy software. 
The best choice depends on your compute platform, desired rollout strategy, and how opinionated you want the system to be.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>AWS CodeDeploy<\/strong><\/td>\n<td>EC2\/on-prem deployments with hooks; ECS\/Lambda controlled rollouts<\/td>\n<td>Managed deployment orchestration; blue\/green\/traffic shifting patterns (platform-dependent); integrates with AWS<\/td>\n<td>Agent management for EC2\/on-prem; requires IAM and artifact discipline<\/td>\n<td>You want AWS-native deployment automation and consistent rollout patterns<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS CodePipeline<\/strong><\/td>\n<td>Orchestrating CI\/CD stages<\/td>\n<td>Native pipeline orchestration, approvals, integrations<\/td>\n<td>Not a deployment engine by itself; you still need deploy actions (CodeDeploy, ECS, etc.)<\/td>\n<td>You need multi-stage pipelines and governance\/approvals around deployments<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Elastic Beanstalk<\/strong><\/td>\n<td>Simpler app platform for certain web apps<\/td>\n<td>\u201cPlatform\u201d style experience; handles environment provisioning + deploy<\/td>\n<td>Less flexible for complex enterprise patterns; platform constraints<\/td>\n<td>You want a more managed PaaS-like workflow and accept its conventions<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Systems Manager (Run Command \/ Automation)<\/strong><\/td>\n<td>Ops-runbooks, patching, ad-hoc deployments<\/td>\n<td>Strong operational control; works across fleets; good for commands and automation<\/td>\n<td>Not a specialized progressive deployment controller; you must build rollout logic<\/td>\n<td>You need ops automation and command execution with tight control<\/td>\n<\/tr>\n<tr>\n<td><strong>Jenkins 
(self-managed)<\/strong><\/td>\n<td>Highly customizable CI\/CD<\/td>\n<td>Flexible; huge plugin ecosystem<\/td>\n<td>Operational overhead; security and scaling burden<\/td>\n<td>You need maximum flexibility and can run\/secure Jenkins reliably<\/td>\n<\/tr>\n<tr>\n<td><strong>GitHub Actions<\/strong><\/td>\n<td>Repo-centric CI\/CD<\/td>\n<td>Easy integration with GitHub repos; large ecosystem<\/td>\n<td>AWS deployment patterns require careful credential management<\/td>\n<td>You are GitHub-first and want workflow-based CI\/CD<\/td>\n<\/tr>\n<tr>\n<td><strong>Spinnaker \/ Argo Rollouts<\/strong><\/td>\n<td>Advanced progressive delivery (often Kubernetes-centric)<\/td>\n<td>Sophisticated rollout strategies and analysis<\/td>\n<td>Operational complexity; may be overkill<\/td>\n<td>You need advanced progressive delivery beyond typical CodeDeploy patterns<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure DevOps \/ GCP Cloud Deploy<\/strong><\/td>\n<td>Cross-cloud alternatives<\/td>\n<td>Integrated CI\/CD in their ecosystems<\/td>\n<td>Different IAM models; cross-cloud complexity<\/td>\n<td>You are standardized on another cloud provider\u2019s DevOps stack<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: regulated fintech deploying a customer portal on EC2<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: The company runs a multi-instance web portal on EC2 behind an ALB. Manual deployments lead to drift and inconsistent rollback behavior. 
Compliance requires audit trails and controlled change windows.<\/li>\n<li><strong>Proposed architecture<\/strong>:<ul class=\"wp-block-list\">\n<li>CodePipeline orchestrates build + approvals<\/li>\n<li>CodeBuild builds a versioned artifact and uploads to S3<\/li>\n<li>CodeDeploy deploys to EC2 Auto Scaling Group using rolling or blue\/green strategy (depending on SLA)<\/li>\n<li>CloudWatch alarms detect elevated 5xx and trigger rollback policy<\/li>\n<li>CloudTrail captures change events; EventBridge routes deployment state changes to incident management<\/li>\n<\/ul><\/li>\n<li><strong>Why AWS CodeDeploy was chosen<\/strong>:<ul class=\"wp-block-list\">\n<li>Works directly with EC2 fleets and deployment hooks<\/li>\n<li>Integrates with AWS governance controls (IAM\/CloudTrail)<\/li>\n<li>Provides repeatable deployment history and rollback mechanics<\/li>\n<\/ul><\/li>\n<li><strong>Expected outcomes<\/strong>:<ul class=\"wp-block-list\">\n<li>Reduced deployment-related incidents<\/li>\n<li>Faster, auditable releases with approvals<\/li>\n<li>Lower MTTR through automated rollback signals<\/li>\n<\/ul><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: SaaS app deploying a simple API on ECS<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A small team deploys containers to ECS. They need safer rollouts than replacing tasks all at once, but cannot afford to build a custom progressive delivery platform.<\/li>\n<li><strong>Proposed architecture<\/strong>:<ul class=\"wp-block-list\">\n<li>GitHub Actions builds container images and pushes to ECR<\/li>\n<li>CodeDeploy performs ECS blue\/green deployments with ALB target groups<\/li>\n<li>CloudWatch alarms detect error spikes during rollout<\/li>\n<\/ul><\/li>\n<li><strong>Why AWS CodeDeploy was chosen<\/strong>:<ul class=\"wp-block-list\">\n<li>ECS blue\/green is a known pattern supported by AWS<\/li>\n<li>Minimal operational overhead compared to self-managing advanced rollout tooling<\/li>\n<\/ul><\/li>\n<li><strong>Expected outcomes<\/strong>:<ul class=\"wp-block-list\">\n<li>Safer releases with easy rollback<\/li>\n<li>Clear deployment visibility without building a custom system<\/li>\n<\/ul><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Is AWS CodeDeploy still an active AWS service?<\/strong><br\/>\n   Yes. AWS CodeDeploy is an active AWS Developer tools service used for deployments to EC2\/on-prem, Lambda, and ECS. Verify current feature scope in the official documentation.<\/p>\n<\/li>\n<li>\n<p><strong>Is AWS CodeDeploy regional or global?<\/strong><br\/>\n   Regional. Create applications and deployment groups in each Region where you deploy.<\/p>\n<\/li>\n<li>\n<p><strong>Do I need the CodeDeploy agent?<\/strong><br\/>\n   You need the CodeDeploy agent for <strong>EC2 and on-premises<\/strong> deployments. You do not use the agent for Lambda or ECS deployments.<\/p>\n<\/li>\n<li>\n<p><strong>Where do I store deployment artifacts for EC2 deployments?<\/strong><br\/>\n   Commonly in <strong>Amazon S3<\/strong> as a ZIP bundle. You can also integrate via pipelines that provide artifacts. 
Verify supported revision sources in official docs for your workflow.<\/p>\n<\/li>\n<li>\n<p><strong>What is a deployment group?<\/strong><br\/>\n   A deployment group defines the targets (instances\/ASG\/ECS service) and deployment settings (strategy, alarms, load balancer config).<\/p>\n<\/li>\n<li>\n<p><strong>How does CodeDeploy select EC2 instances?<\/strong><br\/>\n   Commonly by EC2 <strong>tags<\/strong> or by <strong>Auto Scaling group<\/strong> membership, depending on how you configure the deployment group.<\/p>\n<\/li>\n<li>\n<p><strong>What is the AppSpec file used for?<\/strong><br\/>\n   It defines what CodeDeploy should do during the deployment (files and lifecycle hooks). The exact format and semantics vary by compute platform.<\/p>\n<\/li>\n<li>\n<p><strong>Can CodeDeploy do blue\/green deployments?<\/strong><br\/>\n   Yes, depending on compute platform and configuration (commonly with ECS\/Lambda, and with EC2 in certain patterns). Confirm the exact requirements in official docs for your platform.<\/p>\n<\/li>\n<li>\n<p><strong>Can CodeDeploy roll back automatically?<\/strong><br\/>\n   Yes, if you configure rollback behavior. Rollback triggers can include deployment failures and (in some configurations) alarms\/health signals.<\/p>\n<\/li>\n<li>\n<p><strong>How do I monitor deployments?<\/strong><br\/>\n   Use CodeDeploy deployment status\/history, plus integrate events with EventBridge and alarms\/logs with CloudWatch.<\/p>\n<\/li>\n<li>\n<p><strong>Is CodeDeploy free?<\/strong><br\/>\n   CodeDeploy for EC2\/on-prem is typically not charged directly, but you pay for underlying resources. Lambda and ECS deployments are commonly charged per deployment. 
Always confirm on the pricing page: https:\/\/aws.amazon.com\/codedeploy\/pricing\/<\/p>\n<\/li>\n<li>\n<p><strong>Can I deploy to private EC2 instances with no internet access?<\/strong><br\/>\n   Yes, but you must provide network access to required AWS endpoints (via NAT\/proxy or VPC endpoints where applicable). Artifact access (S3) is often handled via an S3 gateway endpoint.<\/p>\n<\/li>\n<li>\n<p><strong>How do I keep secrets out of my artifacts?<\/strong><br\/>\n   Use AWS Secrets Manager or SSM Parameter Store and fetch secrets at runtime with least privilege.<\/p>\n<\/li>\n<li>\n<p><strong>What causes \u201c0 instances found\u201d in a deployment group?<\/strong><br\/>\n   Usually mismatched tags, wrong Region, wrong target type (EC2 vs ASG), or the instance not in the expected state.<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s a good first production hardening step?<\/strong><br\/>\n   Add least-privilege IAM, CloudWatch alarms for user-impacting metrics, automated rollback (where appropriate), and an approval gate for production deployments.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn AWS CodeDeploy<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>AWS CodeDeploy User Guide<\/td>\n<td>Canonical reference for concepts, configuration, and supported platforms: https:\/\/docs.aws.amazon.com\/codedeploy\/<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>AWS CodeDeploy Pricing<\/td>\n<td>Current pricing model for EC2\/on-prem vs Lambda\/ECS: https:\/\/aws.amazon.com\/codedeploy\/pricing\/<\/td>\n<\/tr>\n<tr>\n<td>Pricing calculator<\/td>\n<td>AWS Pricing Calculator<\/td>\n<td>Model end-to-end costs (EC2, ALB, S3, NAT, CloudWatch): https:\/\/calculator.aws\/#\/<\/td>\n<\/tr>\n<tr>\n<td>Official agent install guide<\/td>\n<td>Install the CodeDeploy agent<\/td>\n<td>Required for EC2\/on-prem; OS-specific steps: https:\/\/docs.aws.amazon.com\/codedeploy\/latest\/userguide\/codedeploy-agent-operations-install.html<\/td>\n<\/tr>\n<tr>\n<td>Official samples (GitHub)<\/td>\n<td>aws-samples\/aws-codedeploy-samples<\/td>\n<td>Ready-to-use sample apps and AppSpec patterns: https:\/\/github.com\/aws-samples\/aws-codedeploy-samples<\/td>\n<\/tr>\n<tr>\n<td>Official CI\/CD orchestration<\/td>\n<td>AWS CodePipeline documentation<\/td>\n<td>Common way to trigger CodeDeploy with approvals: https:\/\/docs.aws.amazon.com\/codepipeline\/<\/td>\n<\/tr>\n<tr>\n<td>Official build service<\/td>\n<td>AWS CodeBuild documentation<\/td>\n<td>Produce artifacts and push to S3\/ECR: https:\/\/docs.aws.amazon.com\/codebuild\/<\/td>\n<\/tr>\n<tr>\n<td>Observability<\/td>\n<td>Amazon EventBridge documentation<\/td>\n<td>Route deployment events to automation\/alerts: https:\/\/docs.aws.amazon.com\/eventbridge\/<\/td>\n<\/tr>\n<tr>\n<td>Auditing<\/td>\n<td>AWS CloudTrail documentation<\/td>\n<td>Track deploy actions and changes: 
https:\/\/docs.aws.amazon.com\/cloudtrail\/<\/td>\n<\/tr>\n<tr>\n<td>Videos (official)<\/td>\n<td>AWS YouTube channel<\/td>\n<td>Search for \u201cAWS CodeDeploy\u201d for service walkthroughs and demos: https:\/\/www.youtube.com\/@amazonwebservices<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, developers, platform teams<\/td>\n<td>CI\/CD fundamentals, AWS Developer tools, deployment automation practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate DevOps learners<\/td>\n<td>Source control, CI\/CD concepts, DevOps tooling overviews<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud\/ops practitioners<\/td>\n<td>Cloud operations and DevOps workflows<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, operations engineers<\/td>\n<td>Reliability engineering practices, monitoring, incident response alongside deployments<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams exploring AIOps concepts<\/td>\n<td>Ops automation and AIOps-adjacent practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify current offerings)<\/td>\n<td>Learners seeking practical DevOps guidance<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training (verify course catalog)<\/td>\n<td>Beginners to intermediate DevOps engineers<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>DevOps consulting\/training platform (verify services)<\/td>\n<td>Teams seeking external DevOps help<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support\/training (verify offerings)<\/td>\n<td>Ops teams needing hands-on support<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company Name<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify service menu)<\/td>\n<td>Deployment automation, CI\/CD implementation, cloud architecture reviews<\/td>\n<td>Setting up CodeDeploy + CodePipeline; IAM hardening for deployment roles; rollout strategy design<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps consulting and training services<\/td>\n<td>CI\/CD standardization, DevOps transformation support<\/td>\n<td>Building deployment patterns; creating reusable deployment templates; operational runbooks<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify offerings)<\/td>\n<td>Delivery pipelines, automation and operational readiness<\/td>\n<td>CodeDeploy adoption for EC2 fleets; blue\/green rollout design; monitoring and rollback patterns<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before AWS CodeDeploy<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Linux basics (systemd, permissions, package managers)<\/li>\n<li>Networking basics (HTTP, security groups, load balancers)<\/li>\n<li>AWS fundamentals:<ul class=\"wp-block-list\">\n<li>IAM roles\/policies and least privilege<\/li>\n<li>EC2, Auto Scaling basics<\/li>\n<li>S3 buckets, object permissions, encryption<\/li>\n<\/ul><\/li>\n<li>Basic CI\/CD concepts (build artifact, versioning, environments)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after AWS CodeDeploy<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS CodePipeline for end-to-end orchestration<\/li>\n<li>AWS CodeBuild for reproducible builds and artifact generation<\/li>\n<li>ECS blue\/green deployments (if you run containers)<\/li>\n<li>Lambda traffic shifting strategies (if you run serverless)<\/li>\n<li>Observability:<ul class=\"wp-block-list\">\n<li>CloudWatch dashboards and alarms<\/li>\n<li>EventBridge automation<\/li>\n<\/ul><\/li>\n<li>Infrastructure as Code (CloudFormation\/CDK\/Terraform) to version deployment groups and roles (choose one; verify best practices for your org)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use AWS CodeDeploy<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DevOps Engineer<\/li>\n<li>Site Reliability Engineer (SRE)<\/li>\n<li>Platform Engineer<\/li>\n<li>Cloud Engineer<\/li>\n<li>Build\/Release Engineer<\/li>\n<li>Solutions Architect (designing deployment strategies and governance)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (AWS)<\/h3>\n\n\n\n<p>AWS certifications are role-based rather than service-specific. 
Common paths:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS Certified Cloud Practitioner (foundation)<\/li>\n<li>AWS Certified Developer \u2013 Associate (developer workflows)<\/li>\n<li>AWS Certified SysOps Administrator \u2013 Associate (ops and deployment)<\/li>\n<li>AWS Certified DevOps Engineer \u2013 Professional (CI\/CD, governance, operations)<\/li>\n<\/ul>\n\n\n\n<p>Verify current certification names and exam guides on the official AWS Training and Certification site.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a simple CI\/CD pipeline: GitHub \u2192 CodeBuild \u2192 S3 \u2192 CodeDeploy \u2192 EC2.<\/li>\n<li>Add CloudWatch alarms and automatic rollback.<\/li>\n<li>Extend to an Auto Scaling Group and test rolling deployments.<\/li>\n<li>Implement ECS blue\/green with CodeDeploy (requires ALB target groups and task sets).<\/li>\n<li>Create a multi-account deployment model with restricted production deploy permissions.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">22. 
Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Artifact (Revision)<\/strong>: The packaged application content to deploy (often a ZIP in S3).<\/li>\n<li><strong>AppSpec file<\/strong>: A specification describing deployment actions and hooks for CodeDeploy.<\/li>\n<li><strong>Deployment<\/strong>: A single execution of deploying a revision to a target group.<\/li>\n<li><strong>Deployment group<\/strong>: Defines which targets to deploy to and how to deploy.<\/li>\n<li><strong>In-place deployment<\/strong>: Updates existing instances\/tasks rather than provisioning a parallel environment.<\/li>\n<li><strong>Blue\/green deployment<\/strong>: Runs old (blue) and new (green) versions side-by-side and shifts traffic.<\/li>\n<li><strong>Traffic shifting<\/strong>: Gradually moves production traffic from old to new version (common for Lambda\/ECS).<\/li>\n<li><strong>Lifecycle hooks<\/strong>: Scripts\/commands run at defined phases of deployment (mainly EC2\/on-prem).<\/li>\n<li><strong>CodeDeploy agent<\/strong>: Host agent that executes EC2\/on-prem deployments.<\/li>\n<li><strong>Service role<\/strong>: IAM role assumed by CodeDeploy to interact with AWS resources.<\/li>\n<li><strong>Instance profile<\/strong>: IAM role attached to an EC2 instance, providing temporary credentials.<\/li>\n<li><strong>Least privilege<\/strong>: Security principle of granting only the minimal permissions needed.<\/li>\n<li><strong>Rollback<\/strong>: Reverting to a previous known-good version when a deployment fails or alarms trigger.<\/li>\n<li><strong>CloudTrail<\/strong>: AWS service that records API calls for auditing and investigation.<\/li>\n<li><strong>EventBridge<\/strong>: Event bus used to route service events to automation and notifications.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">23. 
Summary<\/h2>\n\n\n\n<p>AWS CodeDeploy is an AWS <strong>Developer tools<\/strong> service for automating application deployments to <strong>EC2\/on-prem<\/strong>, <strong>Lambda<\/strong>, and <strong>ECS<\/strong>. It matters because it replaces manual, error-prone deployments with repeatable rollout strategies, lifecycle hooks, and operational visibility\u2014while fitting naturally into AWS-native CI\/CD architectures.<\/p>\n\n\n\n<p>Cost-wise, CodeDeploy is typically not directly charged for EC2\/on-prem deployments, but your real costs come from EC2, load balancers, S3, NAT, and observability services; Lambda\/ECS deployments commonly have a per-deployment charge\u2014verify on the official pricing page. Security-wise, focus on least-privilege IAM for deploy roles and instance profiles, artifact bucket encryption and access control, and strong audit trails via CloudTrail.<\/p>\n\n\n\n<p>Use AWS CodeDeploy when you need dependable deployments to EC2 fleets, on-prem servers, ECS services, or Lambda functions with controlled rollout and rollback behavior. 
Next, deepen your skills by integrating CodeDeploy into AWS CodePipeline with approvals, alarms, and event-driven notifications for production-grade release automation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Developer tools<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,18],"tags":[],"class_list":["post-199","post","type-post","status-publish","format-standard","hentry","category-aws","category-developer-tools"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=199"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/199\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}