06 - Management and Governance Flashcards

1
Q

Amazon CloudWatch (Resources Monitoring)

A

Core AWS monitoring tool for resources and applications.

1) Metrics - Data about system performance
2) Logs - EC2, CloudTrail, Route 53
3) Alarms - Automatically initiate actions on your behalf
4) Events - Changes in the environment
5) Rules - Match incoming events and route them to targets
6) Targets - EventBridge targets such as EC2, Lambda, Kinesis, etc.

2
Q

AWS CloudWatch Logs

A
Log aggregation, Log searches, Log processing
Source examples:
* VPC Flow Logs
* Amazon Route 53
* Elastic Load Balancing access logs
3
Q

AWS CloudWatch Alarms

A

1) Tracks a single metric over a specified period of time and performs a specific action based on the metric value
2) Alarm States: OK, ALARM, INSUFFICIENT_DATA
3) To specify when creating an alarm: Period, Evaluation Period, Datapoints to Alarm

4
Q

Amazon EventBridge (Amazon CloudWatch Events)

A

1) Event examples: Change in AWS resource such as Console sign-in, EC2 instance state change, EC2 Auto Scaling state change, and EBS volume creation
2) Target examples: EC2 instances, AWS Lambda, Kinesis streams, Amazon ECS, Step Functions, Amazon SNS, Amazon SQS

5
Q

AWS X-Ray (Application Monitoring)

A

1) Used to analyse and debug applications, specifically those deployed in a decoupled architecture
2) Used to identify performance bottlenecks, pinpoint specific service issues, identify errors, and identify impact to users
3) Trace (Path of a request) -> Segment (Data from a service) -> Subsegment (Identifies API calls)

6
Q

Create New AWS CloudWatch

A

1) Create IAM role and attach CloudWatch Policy
2) Assign the IAM role to the EC2 instance
3) Install and Configure CloudWatch Agent
4) Check Metrics (CWAgent)

7
Q

AWS CloudFormation

A

1) Provisions resources in a repeatable manner, without manual intervention
2) Simple text file
* Uses JSON or YAML scripts
* Contains all the infrastructure and properties you want to deploy
* Actions are repeatable and version-able
* Can check scripts into source code repository
* Available at no additional charge

8
Q

AWS CloudFormation Stacks

A

1) Collection of resources you manage as a single item
2) Created from the template
3) Can be modified or deleted
4) Each part of the stack has different layers
5) Make use of Change Sets

9
Q

AWS Config

A

1) Service that enables you to assess, audit, and evaluate the configurations of your AWS resources
2) Use Cases: Security Compliance, Discovery of Resources, Audit Compliance, Resource Change Management, Troubleshooting and Problem Management
3) Can be used to retrieve configuration changes made to AWS resources that may have caused these issues

9
Q

AWS Trusted Advisor

A

AWS Trusted Advisor can help optimise resources in the AWS Cloud with respect to cost, security, performance, fault tolerance, and service limits

10
Q

AWS Auto Scaling Groups (ASG) Cheat Sheet

A

1) An ASG is a collection of EC2 instances grouped for scaling and management
2) Scaling Out is when you add servers; Scaling In is when you remove servers
3) Scaling Up is when you increase the size of an instance (eg. updating Launch Configuration with larger size)
4) Size of an ASG is based on a Min, Max, and Desired Capacity
5) Target Scaling policy scales when a target value for a metric is breached eg. Average CPU Utilisation exceeds 75%
6) Simple Scaling policy triggers a scaling when an alarm is breached
7) Scaling Policy with Steps is the new version of Simple Scaling Policy and allows you to create steps based on escalation alarm values
8) Health checks can be run against either an ELB or the EC2 instances
9) Launch Configurations cannot be edited and must be cloned or a new one created
10) Launch Configurations must be manually updated by editing the Auto Scaling settings

11
Q

AWS CloudFormation (IaC) Cheat Sheet

A

1) When being asked to automate the provisioning of resources think CloudFormation
2) When Infrastructure as Code (IaC) is mentioned think CloudFormation
3) CloudFormation can be written in either JSON or YAML
4) When CloudFormation encounters an error it will roll back with ROLLBACK_IN_PROGRESS
5) CloudFormation templates larger than 51,200 bytes (0.05 MB) are too large to upload directly, and must be imported into CloudFormation via an S3 bucket
6) NestedStacks helps you break up your CloudFormation template into smaller reusable templates that can be composed into larger templates
7) At least one resource under resources: must be defined for a CloudFormation template to be valid
8) Metadata - extra information about your template
9) Description - a description of what the template is supposed to do
10) Transforms - Applies macros (like applying a mod which changes the anatomy to be custom)
11) Outputs are values you can use to import into other stacks
12) Mappings maps keys to values, just like a lookup table
13) Resources defines the resources you want to provision, at least 1 resource is required
14) Conditions control whether resources are created or properties are assigned

12
Q

Amazon CloudWatch Cheat Sheet

A

1) CloudWatch is a collection of monitoring services: Dashboards, Events, Alarms, Logs and Metrics
2) CloudWatch Logs: Log data from AWS services. eg. CPU Utilisation
3) CloudWatch Metrics: Represent a time-ordered set of data points, A variable to monitor eg. CPU Utilisation over time
4) CloudWatch Events: Trigger an event based on a condition eg. every hour take snapshot of server
5) CloudWatch Alarms: Trigger notifications based on metrics when a defined threshold is breached
6) CloudWatch Dashboards: Create visualisations based on metrics
7) EC2 monitors at 5-minute intervals, and with Detailed Monitoring at 1-minute intervals
8) Most other services monitor at 1-minute intervals, with intervals of 1, 3, 5 minutes
9) Logs must belong to a Log Group
10) CloudWatch Agent needs to be installed on the EC2 host to track Memory Usage and Disk Size
11) You can stream custom log files eg. production.log
12) Custom Metrics allow you to track High Resolution Metrics at sub-minute intervals all the way down to 1 second

13
Q

AWS CloudTrail Cheat Sheet

A

1) CloudTrail logs calls between AWS services
2) Governance, Compliance, Operational Auditing, and Risk Auditing are keywords relating to CloudTrail
3) When you need to know who to blame think CloudTrail
4) CloudTrail by default logs event data for the past 90 days via Event History
5) To track beyond 90 days you need to create a Trail
6) To ensure logs have not been tampered with you need to turn on Log File Validation option
7) CloudTrail logs can be encrypted using KMS (Key Management Service)
8) CloudTrail can be set to log across all AWS accounts in an Organisation and all regions in an account
9) CloudTrail logs can be streamed to CloudWatch logs
10) Trails are outputted to an S3 bucket that you specify
11) CloudTrail logs 3 kinds of events: Management Events and Data Events
12) Management Events log management operations eg. AttachRolePolicy
13) Data Events log data operations for resources (S3, Lambda) eg. GetObject, DeleteObject, and PutObject
14) Data Events are disabled by default when creating a Trail
15) Trail logs in S3 can be analysed using Athena
