Related Books
Guide to Prompt Engineering

Guide to Prompt Engineering
Introduction to C Programming Language

Introduction to C Programming Language
TypeScript for Java Developers by CodeAhoy

TypeScript for Java Developers by CodeAhoy
Ruby for Beginners

Ruby for Beginners
The Little ASP.NET Core Book

The Little ASP.NET Core Book

View all

Monitoring AWS

  • CloudWatch is for monitoring/performance.
  • CloudTrail is for auditing API call stacks e.g. when/where/by whom.

CloudWatch

  • Can monitor Compute (EC2, ASG, ELB, Route53 health checks..), Storage & Content Delivery (EBS, Storage)…
  • Metrics
    • Provides metrics (e.g. CPU utilization, Network Utilization, Disk Reads/Writes, Status Check) for every services in AWS.
    • Metrics belong to namespaces
    • Dimension is an attribute of an metric (instance id, environment, etc..)
    • Up to 10 dimensions per metric
    • ❗ 14 days retention, Extended retention offering allows up to 15 months.
    • Metrics have timestamps
    • EC2 Detailed Monitoring
      • 📝EC2 instance metrics have basic metrics for “every 5 minutes”
        • With detailed monitoring (for a cost), you get data “every 1 minute”
      • 💡 Use detailed monitoring if you want to more prompt scale your ASG
      • AWS Free Tier allows up to 10 detailed monitoring metrics
      • ❗ EC2 memory usage is by default not pushed
        • 💡 Must be pushed from inside the instance as a custom metric with e.g. CloudWatch agent.
    • Custom Metrics
      • Possibility to define and send your own custom metrics to CloudWatch
        • E.g. for RAM utilization, disk storage usage.
      • Must be pushed from inside the instance as a custom metric by installing agent
        • E.g. CloudWatch agent
      • Ability to use dimensions (attributes) to segment metrics
        • E.g. Instance.id, Environment.name
      • Metric resolution
        • Standard: 1 minute
        • High resolution: up to 1 second (StorageResolution API parameter)
          • Higher cost
      • API call PutMetricData
      • 💡 Use exponential back off in case of throttle errors
    • ❗ CloudWatch itself does not have a native export feature that will send data periodically to S3.
  • Dashboards
    • Can create CloudWatch dashboard of metrics
    • In console you can monitor & access dashboards
    • Can be regional or global (e.g. include graphs from different regions)
    • You can change the time zone & time range of the dashboards
    • You can setup automatic refresh (10s, 1m, 2m, 5m, 15m)
    • Pricing
      • 3 dashboards (up to 50 metrics) for free
      • 3$ per dashboard per month afterwards
    • Types are:
      • Line: compare metrics over time
      • Stacked area: Compare the total over time
      • Number: instantly see the latest value for a metric
      • Text: Free text with markdown formatting
      • Query results: Explore results from Logs Insights
  • Logs
    • Applications can send logs to CloudWatch using the SDK
    • CloudWatch Logs metric filters can evaluate CloudTrail logs for specific terms, phrases or values.
      • I.e. values are not always from CloudWatch Metrics, but can be generated from Logs e.g. HTTP errors.
    • CloudWatch can collect log from Elastic Beanstalk, ECS, AWS Lambda, VPC Flow Logs, API Gateway, CloudTrail, CloudWatch log agents, Route53 and more.
      • CloudWatch Log Agents
        • Install on EC2 machines sudo yum install -y awslogs
          • Ensure EC2 has IAM permissions to write to CloudWatch
        • Configure /etc/awslogs/awslogs.conf for logs (errors etc.)
        • Configure /etc/awslogs/awscli.conf for region
        • Start service with systemctl start awslogsd
    • CloudWatch logs can go to:
      • Batch exporter to S3 for archival
      • Stream to ElasticSearch cluster for further analytics
      • Stream to Lambda
    • You need to store logs in 2 things:
      • Log groups: arbitrary name, usually representing an application
      • Log stream: instances within application / log files / containers
    • Can define log expiration policies (never expire, 30 days, etc..)
      • You pay for data retention in CloudWatch
    • Using the AWS CLI we can tail CloudWatch logs
      • To see e.g. how application is behaving in real time
    • Security
      • ❗ To send logs to CloudWatch, make sure IAM permissions are correct!
      • Encryption of logs using KMS at the Group Level
    • CloudWatch Logs can use filter expressions
      • E.g. find a specific IP inside of a log
      • Metric filters can be used to trigger alarms
        • E.g. if specific IP appears you can trigger an alarm
    • CloudWatch Logs Insights
      • Log analytics service for CloudWatch
      • Can be used to query logs and add queries into CloudWatch Dashboards
      • Pay for the queries you run
  • Alarms
    • Alarms are used to trigger notifications for any metrics
    • You can set up billing alarms to be triggered after the account charges goes over a certain threshold.
    • Alarms invokes actions such as:
      • EC2 Actions: e.g. restart EC2.
      • SNS Notifications: email, SMS, etc.
      • Auto Scaling: triggers Auto Scaling policies.
    • Various options (sampling, %, max, min, etc…)
    • Alarm states: OK, INSUFFICIENT_DATA, ALARM (being triggered)
    • Period:
      • Length of time in seconds to evaluate the metric
      • 📝 High resolution custom metrics
        • Decreases as metrics age: 1 sec (for 3 hours), then 1 minute (for 15 days), 5 minute (for 63 days), 1 hour for 15 months.
      • E.g. NetworkOut < 2.000.000 for 1 data points (EC2) within 5 minutes
    • Data points
      • Represents the values of that variable over time
      • E.g. if period is 5 minutes and data points is three then the alarm will trigger after 15 minutes of being condition met
  • Events
    • Event Rule
      • Types
        • Schedule: Notifications that’ll be triggered on demand
        • Event Pattern: React to service doing something e.g. CodePipeline state changes.
      • Targets: e.g. lambda function, EC2 StopInstances API call, SNS, SQS, ECS Task, Event bus in another AWS account…
    • Triggers to Lambda functions, SQS/SNS/Kinesis Messages
    • CloudWatch Event creates a small JSON document to give information about the change

CloudTrail

  • Tracks API events allowing you to see who accessed what resources and when.
  • CloudTrail reports on who made the change, when, and from which location.
  • Per AWS account & per region
    • 💡 Should be enabled in all regions with a cloud formation stack.
    • All accounts / regions can log into same S3 bucket in an account / region.
    • In a region when you apply the trail to all regions, CloudTrail creates a new trail in all other regions.
  • Enabled by default
    • Default metrics are from hypervisor (e.g. CPU, connections)
    • Many services has deeper “Advanced monitoring” for inside hypervisor metrics such as connected users, CPU usage per thread / application.
  • Encryption
    • A single KMS key can be used to encrypt log files for trails applied to all regions.
    • CloudTrail log files are by default encrypted using S3 Server Side Encryption (SSE)
    • You can also enable encryption SSE KMS for additional security
  • Get an history of events / API calls made within your AWS Account by Console, SDK, CLI, AWS Services
  • Can push to S3 (encrypted by default), CloudWatch Logs and SNS.
  • Has 90 days of retention
  • 📝 If a resource is deleted in AWS, look into CloudTrail first!

AWS Config

  • Asses, audit, and evaluate the configurations of your AWS resources.
    • Resources include RDS, subnets, DB snapshots, security groups, and event subscriptions.
  • Reports on what has changed
    • You can e.g. look back and see what instances were in default VPC last week.
  • Per AWS account & per region
    • 💡 Should be enabled in all regions with a cloud formation stack.
    • Data aggregation in AWS Config allows you to aggregate AWS Config data from multiple accounts and regions into a single account.
  • Tracks resource state.
  • AWS Config is around compliance, Trusted Advisor is more around recommendations but they check same things for security.
  • Integrates with SNS to receive notifications.

Licenses and Attributions

Speak Your Mind

-->