Section 11: AWS Monitoring & Audit: CloudWatch, X-Ray and CloudTrail Flashcards
What do our users care about?
That our application is working!
Why is monitoring important?
We want to be aware if our application latency increases, if we have outages, or if our applications don't behave as we expect them to.
What does internal monitoring provide us?
See performance and cost
Detect trends
Learn and improve
What are the three monitoring services offered by AWS?
CloudWatch
X-Ray
CloudTrail
What is AWS CloudTrail used for?
Internal monitoring of API calls being made to AWS
Audit changes to AWS Resources by users
What is AWS X-Ray used for?
Troubleshooting application performance and errors
Visual tracing of microservices
What are the four features provided by AWS CloudWatch?
Metrics
Logs
Events
Alarms
What is AWS CloudWatch Metrics?
A fully managed service that provides metrics for every service in AWS
What is a Metric?
A variable to monitor (CPUUtilization, NetworkIn, etc.)
What is a namespace in AWS CloudWatch Metrics?
A container for metrics
What are some default metrics namespaces?
EBS, EC2, ELB, RDS, ElasticBeanstalk, etc. (Basically most AWS services have their own namespaces provided by AWS)
Can you create your own Metrics namespace?
Absolutely
What are dimensions and what are they used for? (In the context of Metrics)
Metrics are first grouped by namespace, and then by the various dimension combinations. For example:
All EC2 Metrics
EC2 Metrics grouped by instance
EC2 Metrics grouped by ASG
Do all AWS services send metrics to CloudWatch by default?
Only the services you are using
How many dimensions can a metric have?
Up to 10
What is the one thing that all metrics have?
Timestamps
How can we visualize metrics better?
By creating a custom dashboard of Metrics
What is the default period between each metric for an EC2 instance?
5 minutes
How can you get more frequent metrics for an EC2 instance?
By enabling "Detailed monitoring" (for a cost)
What is the shortest period between each metric for an EC2 instance with detailed monitoring?
1 minute
What metric is NOT pushed to AWS CloudWatch for EC2 instances?
Memory usage
How can you push EC2 Memory usage metric to CloudWatch?
By pushing it as a custom metric
How many detailed metrics does AWS Free Tier allow us to have?
10
What can you do if you want to scale your ASG more promptly?
Enable detailed monitoring
How can you segment metrics when you send your own custom metrics to CloudWatch?
By using dimensions
How can you get more frequent metrics when using custom metrics?
By using a high resolution custom metric
What are the two types of custom metrics?
Standard resolution
High resolution
What is the granularity of a custom metric with standard resolution?
1 minute
What is the granularity of a custom metric with high resolution?
1 second
What are the available periods of analysis of custom metrics of high resolution in CloudWatch?
1 sec, 5 sec, 10 sec, 30 sec, any multiple of 60 sec
What API should you use to emit custom metrics?
PutMetricData
How can you set a custom metric to high resolution?
By setting the StorageResolution API parameter to a value under 60 (a value of 60 means 60 seconds, i.e. standard resolution)
What should you do in case of throttle errors when sending custom metrics?
Use exponential backoff
What are CloudWatch Alarms used for?
They are used to trigger notifications for any metric
What can alarms go to?
Auto Scaling, EC2 actions, SNS notifications
What are the possible alarm states?
OK
INSUFFICIENT_DATA
ALARM
What is the period of CloudWatch Alarms for standard resolution custom metrics and metrics provided by AWS?
The length of time in seconds to evaluate the metric
What is the period of CloudWatch Alarms for high resolution custom metrics?
Can only choose 10 sec or 30 sec
What does the AWS CloudWatch Logs panel allow you to do?
View logs from used AWS services
What logs can EB send to CloudWatch?
Logs from the application
What logs can ECS send to CloudWatch?
Logs from containers
What logs can Lambda send to CloudWatch?
Function logs
What logs can VPC Flow Logs send to CloudWatch?
VPC specific logs
What logs can API Gateway send to CloudWatch?
API related logs
What logs can Route53 send to CloudWatch?
DNS queries logs
Where can CloudWatch logs go to? (2 options)
Batch export to S3
Stream to ElasticSearch cluster for further analysis
What can you use to filter logs in CloudWatch Logs?
Filter expressions
What is the Logs storage architecture?
Log groups
Log streams
What are Log groups?
Groups of log streams
What are Log streams?
Instances within applications, log files, containers, functions, etc.
Can you define expiration policies?
Yes (never expire, 30 days, etc.)
What do your services ABSOLUTELY need to have in order to be able to send logs to CloudWatch?
The right IAM permissions!
Is encryption available for logs in CloudWatch Logs?
Yes, encryption of logs is available using KMS
At what level is encryption available in CloudWatch Logs?
At the group level
What is CloudWatch Events?
They are a way to schedule cron jobs or react to a service doing something
What can CloudWatch Events trigger?
Lambda functions
SQS/SNS/Kinesis Messages
What do CloudWatch Events create when triggered?
A small JSON document to give information about the change
What was the good old way to do debugging when a problem occurred in production?
Test locally
Add log statements everywhere
Re-deploy in production
What is the hardest to debug when using the good old way, a monolith or distributed services? And why so?
A monolith, because with distributed services you don't have common views of your architecture.
What are some of the things that X-Ray helps you detect?
Bottlenecks
Service issues
Impacted users
What services/other things are compatible with X-Ray?
AWS Lambda
Elastic Beanstalk
ECS
ELB
API Gateway
EC2 instances or any application server (even on premise)
What does X-Ray leverage?
Tracing
What is tracing?
It is an end-to-end way of following "a request"
What does each component dealing with the request add?
Their own "trace"
What are traces made of?
Segments (and sub segments)
How can you provide extra-information to your traces?
By adding annotations
Do you have to trace every request when using X-Ray?
No, you can use sampling to sample requests (as a % or a rate per minute)
How is X-Ray secure?
IAM for authorization
KMS for encryption at rest
How can you enable X-Ray in your application running on EC2 instances / on premise servers?
Import the AWS X-Ray SDK in your code
Configure the SDK to capture calls to AWS services, HTTP/HTTPS requests, database calls, queue calls (SQS)
Install and run the X-Ray daemon
What is the X-Ray daemon?
A software application that listens for traffic on UDP port 2000, gathers raw segment data, and relays it to the AWS X-Ray API
How can you enable X-Ray in your application running on Elastic Beanstalk?
Import the AWS X-Ray SDK in your code
Configure the SDK to capture calls to AWS services, HTTP/HTTPS requests, database calls, queue calls (SQS)
Set the configuration in the EB console, OR
enable the service in a .ebextensions/xray-daemon.config file like so:
option_settings:
  aws:elasticbeanstalk:xray:
    XRayEnabled: true
How can you enable X-Ray in functions running on Lambda?
Import the AWS X-Ray SDK in your code
Configure the SDK to capture calls to AWS services, HTTP/HTTPS requests, database calls, queue calls (SQS)
Make sure that X-Ray integration is enabled
What do all applications, regardless of the platform, absolutely need in order to relay data to X-Ray?
The corresponding IAM rights
How can you send traces cross-account with the X-Ray daemon / agent?
The agent has a config option to send traces cross-account; make sure the IAM permissions are correct, since the agent will assume the role
How to reduce cost when using X-Ray?
By using sampling
What can you use to provide key-value pairs which can be used for filtering when using X-Ray?
Annotations
What can you use to provide key-value pairs which can NOT be used for filtering when using X-Ray?
Metadata
What does AWS CloudTrail provide?
Governance, compliance and audit for your AWS Account
Is CloudTrail enabled by default?
Yes
What are the sources of events in CloudTrail?
Console
SDK
CLI
AWS Services
Can you put logs from CloudTrail into CloudWatch Logs?
Yes
What should you do if you feel like something weird happened in your AWS account?
Look into CloudTrail first