Logs
Enables users to centralize logs from all of your systems, applications, and AWS services.
Features:
Can use CloudWatch Logs Insights to query and analyze log data
Can create Metrics from logs
Monitor logs from EC2
Capture CloudTrail logs and use them to create alarms
Has log retention and archiving
Capture Route 53 DNS requests
Logs have:
Log Groups – a grouping of Log Streams
Log Streams – the logs from an event from the same source (e.g. 1 Lambda execution will result in 1 Log Stream)
Log Sources:
SDK
CloudWatch Agent / CloudWatch Unified Agent
The agent allows you to collect system-level metrics from an EC2 instance or on-prem server
Retrieve custom metrics from your applications or services using the StatsD and collectd protocols.
Route 53
CloudTrail
Elastic Beanstalk
API Gateway
VPC Flow Logs
ECS
Logs can be copied to S3 using the Export feature. This can take up to 12 hours.
Logs can be streamed using a Subscription Filter to:
Kinesis Data Firehose
Kinesis Data Stream
Lambda
OpenSearch (formerly Elasticsearch)
Metrics
CloudWatch collects a number of metrics by default for billing and AWS services.
The metrics collected vary from service to service.
Metrics have:
Namespace – a container for CloudWatch metrics
Metric – represents a time-ordered set of data points
Timestamp
Retention
Dimension – a name/value pair that is part of the identity of a metric. You can assign up to 10 dimensions to a metric.
Resolution – can be Standard (1-minute granularity) or High (1-second granularity)
Statistics – metric data aggregations over specified periods of time
Period – the length of time associated with a specific Amazon CloudWatch statistic. Periods are defined in numbers of seconds, and valid values for the period are 1, 5, 10, 30, or any multiple of 60.
Custom Metrics can be created using the SDK or CLI.
EC2 memory usage must be monitored from inside the instance, hence the need for a Custom Metric.
AWS provides EC2 metrics every 5 minutes for free, but you can switch to detailed monitoring (every 1 minute) at a cost. You may want to do this if you want alarms to fire sooner.
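The model described above (a metric identified by namespace, name and dimensions; data points bucketed per Period into Statistics) is easier to reason about when run on real numbers. The following is an added example written for these notes, not AWS code: it aggregates constructed memory-utilisation samples from a hypothetical custom metric the way CloudWatch statistics work. The rule that a sub-minute period is only meaningful for a high-resolution metric is an assumption of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Sub-minute periods are the fixed set of values the notes list; anything else
# must be a multiple of 60 seconds.
SUB_MINUTE_PERIODS = {1, 5, 10, 30}
MAX_DIMENSIONS = 10  # limit quoted in the notes above


def is_valid_period(period: int, high_resolution: bool = False) -> bool:
    """Valid periods are 1, 5, 10, 30 or any multiple of 60 seconds.

    Assumption of this example: a sub-minute period is only accepted for a
    high-resolution (1-second) metric, since standard metrics have 1-minute granularity.
    """
    if period in SUB_MINUTE_PERIODS:
        return high_resolution
    return period > 0 and period % 60 == 0


def metric_identity(namespace: str, name: str, dimensions: dict) -> tuple:
    """Namespace + metric name + the full dimension set identify one metric.

    The same name with a different dimension set (e.g. another InstanceId) is a
    different metric, which is why dimensions are part of the key.
    """
    if len(dimensions) > MAX_DIMENSIONS:
        raise ValueError(f"a metric may have at most {MAX_DIMENSIONS} dimensions")
    return (namespace, name, tuple(sorted(dimensions.items())))


def aggregate(points, period: int, high_resolution: bool = False) -> dict:
    """Bucket (timestamp, value) data points into periods and compute the statistics."""
    if not is_valid_period(period, high_resolution):
        raise ValueError(f"invalid period {period}s")
    buckets = defaultdict(list)
    for ts, value in points:
        # Align each point to the start of the period it falls into.
        start = int(ts.timestamp()) // period * period
        buckets[start].append(float(value))
    stats = {}
    for start in sorted(buckets):
        values = buckets[start]
        stats[datetime.fromtimestamp(start, timezone.utc)] = {
            "SampleCount": len(values),
            "Sum": sum(values),
            "Minimum": min(values),
            "Maximum": max(values),
            "Average": sum(values) / len(values),
        }
    return stats


# Constructed sample: memory utilisation reported from inside an EC2 instance by a
# hypothetical custom metric (the note above explains why memory needs one).
MEMORY_METRIC = metric_identity("Custom/EC2", "MemoryUtilization",
                                {"InstanceId": "i-EXAMPLE00000000001"})
BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_POINTS = [(BASE + timedelta(seconds=s), v) for s, v in
                 [(0, 40.0), (20, 50.0), (40, 60.0), (60, 70.0), (90, 80.0), (130, 90.0)]]

if __name__ == "__main__":
    for period in (60, 300):
        print(f"{MEMORY_METRIC} at period={period}s")
        for start, s in aggregate(SAMPLE_POINTS, period).items():
            print(f"  {start:%H:%M:%S} {s}")
```

Running it shows why Period matters for alarms: the same six samples produce three 1-minute data points (averages 50, 75 and 90) but a single 5-minute data point with average 65, so a threshold of 85 would be crossed at 1-minute resolution and never at 5-minute resolution.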
Alarms
Used to trigger an action based on Metrics.
Conditions are applied to the metric's Statistic and Period to decide the State of the Alarm.
The State of the Alarm decides whether the action is performed.
Actions can create an incident or OpsItem in Systems Manager (only in the ALARM state).
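How the alarm state is derived from statistics over consecutive periods, as an added example (not code from these notes or from AWS): a list of per-period statistic values is compared with a threshold, "M out of N" data points must breach before the state becomes ALARM, and missing periods are handled by a treat-missing-data policy. The missing-data handling is a simplification of the real behaviour and is an assumption of this example.

```python
# Comparison operators an alarm can use, keyed by the name the CloudWatch API uses.
OPERATORS = {
    "GreaterThanThreshold": lambda value, threshold: value > threshold,
    "GreaterThanOrEqualToThreshold": lambda value, threshold: value >= threshold,
    "LessThanThreshold": lambda value, threshold: value < threshold,
    "LessThanOrEqualToThreshold": lambda value, threshold: value <= threshold,
}


def evaluate_alarm(datapoints, threshold, operator="GreaterThanThreshold",
                   evaluation_periods=3, datapoints_to_alarm=None,
                   treat_missing_data="missing", previous_state="OK"):
    """Return the alarm state: OK, ALARM or INSUFFICIENT_DATA.

    datapoints: one statistic value per Period, oldest first; None marks a period
    with no data. Only the most recent `evaluation_periods` values are considered,
    and the alarm goes to ALARM when at least `datapoints_to_alarm` of them breach
    ("M out of N").

    Simplified missing-data handling (assumption of this example):
      breaching    - a missing period counts as breaching
      notBreaching - a missing period counts as not breaching
      ignore       - keep the previous state if every period is missing
      missing      - INSUFFICIENT_DATA if every period is missing
    Periods that do have data are always evaluated normally.
    """
    if datapoints_to_alarm is None:
        datapoints_to_alarm = evaluation_periods
    if not 1 <= datapoints_to_alarm <= evaluation_periods:
        raise ValueError("datapoints_to_alarm must be between 1 and evaluation_periods")
    compare = OPERATORS[operator]

    window = list(datapoints)[-evaluation_periods:]
    # Pad older periods as missing when fewer values than the window exist.
    window = [None] * (evaluation_periods - len(window)) + window

    present = [v for v in window if v is not None]
    missing = evaluation_periods - len(present)
    if not present:
        if treat_missing_data == "ignore":
            return previous_state
        if treat_missing_data == "missing":
            return "INSUFFICIENT_DATA"

    breaching = sum(1 for v in present if compare(v, threshold))
    if treat_missing_data == "breaching":
        breaching += missing
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


# Constructed sample: per-minute CPUUtilization averages from detailed monitoring.
CPU_AVERAGES = [45.0, 92.0, 95.0, 97.0]

if __name__ == "__main__":
    # Last 3 of 4 periods breach 90% -> ALARM
    print(evaluate_alarm(CPU_AVERAGES, threshold=90))
    # 2 of 3 breach: OK with 3-of-3, ALARM with 2-of-3
    print(evaluate_alarm([95.0, 40.0, 96.0], threshold=90))
    print(evaluate_alarm([95.0, 40.0, 96.0], threshold=90, datapoints_to_alarm=2))
    # No data at all -> INSUFFICIENT_DATA
    print(evaluate_alarm([None, None, None], threshold=90))
```

The "M out of N" setting is the practical knob for noise: with 3-of-3 a single quiet minute resets the alarm, while 2-of-3 tolerates one sample below the threshold, which is usually what you want for detailed (1-minute) monitoring.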
Event
See EventBridge
EventBridge (CloudWatch Events)
A serverless event bus service that makes it easy to connect your applications with data from a variety of sources.
Delivers a stream of real-time data from your own applications, software-as-a-service (SaaS) applications, and AWS services and routes that data to targets such as AWS Lambda.
CloudWatch Events uses the same underlying service and API as EventBridge but has less functionality than EventBridge.
3 types of EventBridge Bus:
Default – used by CloudWatch
Partner – used by SaaS (e.g. DataDog, ZenDesk)
Custom – used by the user application
Rules
match incoming events and route them to Targets for processing
Targets can include Amazon EC2 instances, AWS Lambda functions, Kinesis streams, Amazon ECS tasks, Step Functions state machines, Amazon SNS topics, Amazon SQS queues, and built-in targets
Event Replay allows reprocessing of past events back to an event bus or a specific EventBridge rule.
Schema Registry:
stores event schemas in a registry that other developers can easily search and access
can be used to generate code
a schema defines the structure of the event message
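How a Rule decides which events to route to a Target, as an added example (not code from these notes or from AWS): a simplified implementation of EventBridge event-pattern matching run over a constructed CloudTrail-style event on the default bus. Exact-value lists, nested fields and the `prefix` and `exists` content filters are modelled; other content filters are not. The event id, account number and user name are placeholders.

```python
def _leaf_match(filt, actual) -> bool:
    """Match one allowed value (or content filter) against one event value."""
    if isinstance(filt, dict):
        if "prefix" in filt:
            return isinstance(actual, str) and actual.startswith(filt["prefix"])
        if "exists" in filt:
            return filt["exists"] is True  # only reached when the key is present
        return False  # numeric, anything-but and other filters are not modelled here
    return filt == actual


def matches(pattern: dict, event: dict) -> bool:
    """Simplified EventBridge event-pattern matching.

    Every key in the pattern must be satisfied: a nested dict recurses into the
    event, a list holds the allowed values (any one may match; exact match by
    default). Fields the pattern does not mention are ignored, which is what lets
    one rule match many event shapes.
    """
    for key, expected in pattern.items():
        if key not in event:
            # {"exists": false} is the one filter that matches an absent key.
            if isinstance(expected, list) and any(
                    isinstance(f, dict) and f.get("exists") is False for f in expected):
                continue
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not (isinstance(actual, dict) and matches(expected, actual)):
                return False
            continue
        # An event field that is itself a list matches if any element matches.
        candidates = actual if isinstance(actual, list) else [actual]
        if not any(_leaf_match(f, a) for f in expected for a in candidates):
            return False
    return True


# Constructed sample: the shape of a CloudTrail management event delivered to the
# default bus; the `detail` carries the CloudTrail record.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.iam",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "readOnly": False,
        "userIdentity": {"type": "IAMUser", "userName": "example-user"},
    },
}

# Rule a defender might attach to an SNS or Lambda target: every IAM Write event.
IAM_WRITE_RULE = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"], "readOnly": [False]},
}

# Narrower rule using prefix filters: only access-key lifecycle calls.
ACCESS_KEY_RULE = {
    "source": ["aws.iam"],
    "detail": {"eventName": [{"prefix": "CreateAccessKey"},
                             {"prefix": "DeleteAccessKey"},
                             {"prefix": "UpdateAccessKey"}]},
}

# Rule that only fires for calls that did NOT fail (no errorCode in the record).
SUCCESSFUL_CALL_RULE = {"detail": {"errorCode": [{"exists": False}]}}

S3_RULE = {"source": ["aws.s3"]}

if __name__ == "__main__":
    for name, rule in [("IAM write", IAM_WRITE_RULE), ("access key", ACCESS_KEY_RULE),
                       ("successful call", SUCCESSFUL_CALL_RULE), ("S3", S3_RULE)]:
        print(f"{name:16} -> {matches(rule, SAMPLE_EVENT)}")
```

Because unmentioned fields are ignored, a rule is only as specific as the fields it names; the `readOnly` filter is what separates the Write events worth alerting on from the far more frequent Read events.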
CloudTrail
An AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account.
Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
Events are either Read (don't modify resources) or Write (modify resources).
Events are kept for 90 days. If they are needed for longer, they have to be copied to S3.
3 Types of Events:
Management
information about management operations that are performed on resources in your AWS account, or control plane operations
enabled by default
can separate Read Events from Write Events
Data
information about the resource operations performed on or in a resource, or data plane operations
not enabled by default
high volume
sources can be S3, Lambda or DynamoDB
Insight
capture unusual API call rate or error rate activity in your AWS account.
Insights events are logged to a different folder or prefix in the destination S3 bucket for your trail
CloudTrail Trail
enables delivery of events to an Amazon S3 bucket
2 types of Trails:
Applies to all regions.
Applies to one region.
Events copied to S3 can be analyzed/viewed with Athena
Config
A service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
UI provides a timeline of changes.
Rules
represent desired configurations for a resource and are evaluated against configuration changes on the relevant resources, as recorded by AWS Config
do not enforce compliance, only record it
can evaluate on each change or at a desired interval
can be an AWS Managed Rule or a Custom Rule (via a Lambda function)
can show:
resources compliance
configuration changes
link with CloudTrail to view API calls made for the resource
Can integrate with SSM Automation for compliance remediation. Retry is allowed 5 times.
Can integrate with EventBridge or SNS for notifications
Per-region service, i.e. it needs to be set up in each region; setup cannot be done from a central location, but information can be aggregated into a central 'Aggregator' account
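What a Custom Rule backed by a Lambda function looks like, as an added example (not code from these notes or from AWS): a change-triggered rule that marks a security group NON_COMPLIANT when an ingress rule exposes a port (SSH by default) to the whole internet. Config passes the configuration item as a JSON string in `invokingEvent`; the deployed function would return its verdict with `put_evaluations`, which is left as a comment so the example runs offline. The exact field layout of the security-group configuration item and the sample events are constructed assumptions, so the code accepts both a plain-string `ipRanges` list and the `ipv4Ranges`/`ipv6Ranges` dict form.

```python
import json

WORLD = ("0.0.0.0/0", "::/0")


def _cidrs(permission: dict):
    """Yield every CIDR in one ingress permission.

    Assumption: the configuration item may carry plain strings in `ipRanges`
    or dicts with `cidrIp` / `cidrIpv6` in `ipv4Ranges` / `ipv6Ranges`.
    """
    for r in permission.get("ipRanges", []):
        yield r if isinstance(r, str) else r.get("cidrIp")
    for r in permission.get("ipv4Ranges", []):
        yield r.get("cidrIp")
    for r in permission.get("ipv6Ranges", []):
        yield r.get("cidrIpv6")


def evaluate_security_group(configuration: dict, port: int = 22):
    """Return (ComplianceType, Annotation) for one security group configuration."""
    for perm in configuration.get("ipPermissions", []):
        all_traffic = perm.get("ipProtocol") == "-1"   # "-1" means every protocol/port
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        covers_port = all_traffic or (lo is not None and hi is not None and lo <= port <= hi)
        if covers_port and any(c in WORLD for c in _cidrs(perm)):
            return "NON_COMPLIANT", f"ingress allows port {port} from the internet"
    return "COMPLIANT", f"no world-open ingress on port {port}"


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point shaped like a change-triggered AWS Config custom rule."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("port", 22))

    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    else:
        compliance, note = evaluate_security_group(item["configuration"], port)

    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # In the deployed function the verdict is reported back to Config:
    # boto3.client("config").put_evaluations(Evaluations=[evaluation],
    #                                        ResultToken=event["resultToken"])
    return evaluation


def make_event(resource_id: str, permissions: list) -> dict:
    """Build a constructed invoking event so the rule can be exercised offline."""
    item = {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": resource_id,
        "configurationItemCaptureTime": "2024-01-01T12:00:00.000Z",
        "configuration": {"ipPermissions": permissions},
    }
    return {
        "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": item}),
        "ruleParameters": json.dumps({"port": 22}),
        "resultToken": "constructed-token",
    }


# Constructed sample permissions (203.0.113.0/24 is a documentation range).
OPEN_SSH = [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]
OFFICE_SSH = [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
               "ipv4Ranges": [{"cidrIp": "203.0.113.0/24"}]}]

if __name__ == "__main__":
    print(lambda_handler(make_event("sg-example-open", OPEN_SSH)))
    print(lambda_handler(make_event("sg-example-office", OFFICE_SSH)))
```

As the notes say, the rule only records the verdict; closing the port is a separate remediation step (for example an SSM Automation document) that the NON_COMPLIANT result can trigger.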
Aggregator:
The 'aggregator' account has the aggregator enabled.
Aggregates rules across multiple accounts
Authorization is needed from each source account that is not part of the AWS Organization