Logging & Monitoring & Audit Flashcards

1
Q

What is CloudWatch Metrics used for?

A

Provides metrics for every service in AWS

A metric is a time-stamped variable to monitor, e.g. CPU, networking, etc.

Metrics belong to namespaces

Metrics have attributes called dimensions, e.g. instance id, environment

Up to 10 dimensions per metric

Metrics have timestamps

CloudWatch Dashboard can provide nice graphs of Metrics

2
Q

What is CloudWatch Detailed Monitoring for EC2?

A

EC2 instances send metrics every 5 minutes, by default

Detailed Monitoring can be applied to get metrics every minute

Costs more, 10 in free tier

3
Q

What are CloudWatch Custom Metrics?

A

Possibility to define own custom metrics

Ability to segment them using dimensions

Metric Resolution: 1 minute by default; 1 second for high resolution (StorageResolution API parameter), which costs more

To send a metric to CloudWatch, use the PutMetricData API call

Use exponential backoff in case of throttle errors

4
Q

What are CloudWatch Alarms?

A

Alarms are triggered by pre-defined Metrics thresholds

Can trigger:

AutoScaling Actions

EC2 Actions

SNS Notifications

Alarm States: OK, INSUFFICIENT_DATA, ALARM

Period: Length of time to evaluate metric - high resolution custom metrics can only choose 10 or 30 seconds

5
Q

What are CloudWatch Logs?

A

Applications can send logs to CloudWatch Logs

CloudWatch can collect logs from many services such as:

EC2 instances using the CloudWatch Logs Agent

ECS, logs from containers

Lambda, logs from functions

Beanstalk, app logs

VPC Flow Logs

Route53, DNS query logs

CloudWatch Logs can be sent to S3 for archiving or

streamed to an ElasticSearch cluster for further analytics

6
Q

What is the CloudWatch Logs Agent?

A

By default EC2 does not send any logs to CloudWatch (only metrics)

The CloudWatch Agent has to run on the EC2 instance to send logs to CloudWatch

The agent needs the required permissions

Can also be set up for on-premises instances

7
Q

CloudWatch Logs Agent vs. CloudWatch Unified Agent

A

Logs Agent:

old version

Can only send to CloudWatch Logs

Unified Agent:

Collects additional system-level Metrics, such as RAM, …

Sends logs to CloudWatch

Centralized configuration using SSM Parameter Store

8
Q

What are CloudWatch Metric Filters?

A

CloudWatch Logs can use filter expressions

e.g. count errors, find a specific IP, trigger alarms

Filters do not retroactively filter data

Filters only publish metric data points for events after the filter was created

9
Q

What can you do with CloudWatch Events?

A

Schedule events, such as Cron Jobs

Event pattern: define event rules that are triggered by an AWS service

Triggers to Lambda, SNS, Kinesis

Creates a JSON file to document the change that triggered the event

10
Q

What is EventBridge?

A

An evolution of CloudWatch Events

Default Event Bus: events generated by AWS services (CloudWatch Events)

Partner Event Bus: receives events from SaaS or other apps (ZenDesk, Auth0)

Custom Event Bus: create my own event bus

Event buses can be accessed by other accounts

Rules: how to process the events

11
Q

What is EventBridge Schema Registry?

A

EventBridge can analyze events from my bus and infer the schema

Schema Registry allows generating code that knows in advance how data is structured in the event bus

Schema can be versioned

12
Q

EventBridge vs. Events

A

EventBridge builds upon and extends Events

EventBridge uses the same service API and endpoint

EventBridge lets us add custom event buses and event buses from third parties

EventBridge has Schema Registry capability

13
Q

What is AWS X-Ray?

A

Good to visualize dependencies and detect service issues in a microservice architecture

Compatible with:

ECS, EC2, Lambda, Beanstalk, ELB, API Gateway

leverages Tracing:

14
Q

How to enable X-Ray?

A

Application code must use the X-Ray SDK, correctly

The service running the application must run the X-Ray daemon or enable X-Ray integration; Lambda and other services use the daemon by default

Each service requires permission to interact with X-Ray

15
Q

X-Ray Instrumentation and Concepts

A

Instrumentation is some useless garbage

Concepts:

Segments: Each app/service will send them

Subsegments: If more details are required in the segments

Trace: Segments collected together to form an end-to-end trace

Sampling: decrease the number of requests sent to X-Ray

Annotations: Key-Value pairs used to index traces and use with filters

Metadata: key-value pairs, not indexed and not used for searching

X-Ray daemon has a config to send traces cross-account

16
Q

Important X-Ray API calls

A

arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess

Actions/api calls:

Write:

PutTraceSegments: uploads segment documents to X-Ray

PutTelemetryRecords: used by the X-Ray daemon to upload telemetry (SegmentReceivedCounts, SegmentRejectedCounts, …)

GetSamplingRules: Retrieve all sampling rules

GetSamplingTargets & GetSamplingStatisticsSummaries: advanced stuff

Read:

GetServiceGraph: main graph

BatchGetTraces: retrieves a list of traces specified by ID; each trace is a collection of segment documents that originate from a single request

GetTraceSummaries: retrieves IDs and annotations from traces in a specified time range

GetTraceGraph: Retrieves a service graph for one or more specific traces

17
Q

What is AWS CloudTrail?

A

Provides governance, compliance, and audit for my AWS account

Get the history of events/API calls for each service in use

Can put logs from CloudTrail into CloudWatch Logs or S3

A trail can be applied to a single or all regions

18
Q

What are CloudTrail Events?

A

Management Events:

Operations that are performed on resources in my AWS account

Split into read events (no resources modified) and write events (resources modified)

Data Events:

are not logged by default

Lambda invocation events(?)

Events are stored for 90 days, to go beyond use Athena or S3

19
Q

What are CloudTrail Insights?

A

Enable CloudTrail to detect unusual activity

Analyzes normal management events to create a baseline

then monitors all write events for suspicious behavior

Anomalies can be seen in the console, written to S3, sent to an Event Bus

20
Q

CloudTrail vs. CloudWatch vs. X-Ray

A

CloudTrail:

Audit api calls made by users/services/console against resources in my account

CloudWatch:

Metrics for monitoring - Logs for app logs - Alarms to send notifications in case of strange Metrics

X-Ray:

Automated Trace Analysis & Central Service Map Visualization

Latency, Errors, and Fault Analysis

Request tracking across distributed systems