Section 11: AWS Monitoring & Audit: CloudWatch, X-Ray and CloudTrail

Question 1

What do our users care about?

Answer 1

That our application is working!

Question 2

Why is monitoring important?

Answer 2

We want to be aware if our application latency increases, if we have outages, or if our applications don’t behave as we expect them to.

Question 3

What does internal monitoring provides us?

Answer 3

See performance and cost
Detect trends
Learn and improve

Question 4

What are the three monitoring services offered by AWS?

Answer 4

CloudWatch
X-Ray
CloudTrail

Question 5

What is AWS CloudTrail used for?

Answer 5

Internal monitoring of API call being made to AWS

Audit changes to AWS Resources by users

Question 6

What is AWS X-Ray used for?

Answer 6

Troubleshooting application performance and errors

Visual tracing of microservices

Question 7

What are the four features provided by AWS CloudWatch?

Answer 7

Metrics
Logs
Events
Alarms

Question 8

What is AWS CloudWatch Metrics?

Answer 8

A fully managed service that provides metrics for every service in AWS

Question 9

What is a Metric?

Answer 9

A variable to monitor (CPUUtilization, NetworkIn, etc.)

Question 10

What is namespace in AWS CloudWatch Metrics?

Answer 10

A container for metrics

Question 11

What are some default metrics namespaces?

Answer 11

EBS, EC2, ELB, RDS, ElasticBeanstalk, etc. (Basically most AWS services have their own namespaces provided by AWS)

Question 12

Can you create your own Metrics namespace?

Answer 12

Absolutely

Question 13

What are dimensions and what are they used for? (In the context of Metrics)

Answer 13

Metrics are first grouped by namespace, and then by the various dimension combinations. For example:
All EC2 Metrics
EC2 Metrics grouped by instance
EC2 Metrics grouped by ASG

Question 14

Do all AWS services send metrics to CloudWatch by default?

Answer 14

Only the services you are using

Question 15

How many dimensions can a metric have?

Answer 15

Up to 10

Question 16

What is the one thing that all metrics have?

Answer 16

Timestamps

Question 17

How can we visualize metrics better?

Answer 17

By creating a custom dashboard of Metrics

Question 18

What is default period between each metric for an EC2 instance?

Answer 18

5 minutes

Question 19

How can you get more frequent metrics for an EC2 instance?

Answer 19

By enabling “Detailed monitoring” (for a cost)

Question 20

What is shortest period between each metric for an EC2 instance with detailed monitoring?

Answer 20

1 minute

Question 21

What metric is NOT pushed to AWS CloudWatch for EC2 instances?

Answer 21

Memory usage

Question 22

How can you push EC2 Memory usage metric to CloudWatch?

Answer 22

By pushing it as a custom metric

Question 23

How many detailed metrics does AWS Free Tier allow us to have?

Answer 23

10

Question 24

What can you do if you want to more prompt scale your ASG?

Answer 24

Enable detailed monitoring

Question 25

How can you segment metrics when you send your own custom metrics to CloudWatch?

Answer 25

By using dimensions

Question 26

How to get more frequent metrics when using custom metrics?

Answer 26

By using custom High Resolution custom metric

Question 27

What are the two types of custom metric?

Answer 27

Standard resolution

High resolution

Question 28

What is the granularity of custom metric with standard resolution?

Answer 28

1 minute

Question 29

What is the granularity of custom metric with high resolution?

Answer 29

1 second

Question 30

What are the available periods of analysis of custom metrics of high resolution in CloudWatch?

Answer 30

1 sec, 5 sec, 10 sec, 30 sec, any multiple of 60 sec

Question 31

What API should you use to emit custom metrics?

Answer 31

PutMetricData

Question 32

How can you set a custom metric to high resolution?

Answer 32

By setting the StorageResolution API parameter to any values under 60 (which would be 60 seconds therefore standard resolution)

Question 33

What should you do in case of throttle errors when sending custom metrics?

Answer 33

Use exponential back off

Question 34

What are CloudWatch Alarms used for?

Answer 34

They are used to trigger notifications for any metric

Question 35

What can alarms go to?

Answer 35

Auto Scaling, EC2 actions, SNS notifications

Question 36

What are the possible alarm states?

Answer 36

OK
INSUFFICIENT_DATA
ALARM

Question 37

What is the period of CloudWatch Alarms for standard resolution custom metrics and metrics provided by AWS?

Answer 37

The length of time in seconds to evaluate the metric

Question 38

What is the period of CloudWatch Alarms for high resolution custom metrics?

Answer 38

Can only choose 10 sec or 30 sec

Question 39

What does the AWS CloudWatch Logs panel allow you to do?

Answer 39

View logs from used AWS services

Question 40

What logs does EB can send to CloudWatch?

Answer 40

Logs from the application

Question 41

What logs does ECS can send to CloudWatch?

Answer 41

Logs from containers

Question 42

What logs does Lambda can send to CloudWatch?

Answer 42

Function logs

Question 43

What logs does VPC Flow Logs can send to CloudWatch?

Answer 43

VPC specific logs

Question 44

What logs does API Gateway can send to CloudWatch?

Answer 44

API related logs

Question 45

What logs does Route53 can send to CloudWatch?

Answer 45

DNS queries logs

Question 46

Where can CloudWatch logs go to? (2 options)

Answer 46

Batch export to S3

Stream to ElasticSearch cluster for further analysis

Question 47

What can you use to filter logs in CloudWatch Logs?

Answer 47

Filter expressions

Question 48

What is the Logs storage architecture?

Answer 48

Log groups

Log streams

Question 49

What are Log groups?

Answer 49

Groups of log streams

Question 50

What are Log streams?

Answer 50

Instances within applications, log files, containers, functions, etc.

Question 51

Can you define expiration policies?

Answer 51

Yes (never expire, 30 days, etc.)

Question 52

What do your services ABSOLUTELY need to have in order to be able to send logs to CloudWatch?

Answer 52

The right IAM permissions!

Question 53

Is encryption available for logs in CloudWatch Logs?

Answer 53

Yes, encryption of logs is available using KMS

Question 54

At what level is encryption availble in CloudWatch Logs?

Answer 54

At the group level

Question 55

What is CloudWatch Events?

Answer 55

They are a way to schedule cron jobs or react to a service doing something

Question 56

What can CloudWatch Events trigger?

Answer 56

Lambda functions

SQS/SNS/Kinesis Messages

Question 57

What do CloudWatch Events create when triggered?

Answer 57

A small JSON document to give information about the change

Question 58

What was the good old way to do debugging when a problem occurred in production?

Answer 58

Test locally
Add log statements everywhere
Re-deploy in production

Question 59

What is the hardest to debug when using the good old way, a monolith or distributed services? And why so?

Answer 59

A monolith, because with distributed services you don’t have common views or your architecture.

Question 60

What are some of the things that X-Ray helps you detect?

Answer 60

Bottlenecks
Service issues
Impacted users

Question 61

What services/other things are compatible with X-Ray?

Answer 61

AWS Lambda
Elastic Beanstalk
ECS
ELB
API Gateway
EC2 Instances or any application server (even on premise)

Question 62

What does X-Ray leverages?

Answer 62

Tracing

Question 63

What is tracing?

Answer 63

It is an end to end way to following “a request”

Question 64

What do each components dealing with the request add?

Answer 64

Their own “trace”

Question 65

What are traces made of?

Answer 65

Segments (and sub segments)

Question 66

How can you provide extra-information to your traces?

Answer 66

By adding annotations

Question 67

Do you have to trace every request when using X-Ray?

Answer 67

No, you can use sampling to sample request (as a % or a rate per minute)

Question 68

How is X-Ray secure?

Answer 68

IAM for authorization

KMS for encryption at rest

Question 69

How can you enable X-Ray in your application running on EC2 instances / on premise servers?

Answer 69

Import the AWS X-Ray SDK in your code

Configure the SDK to capture calls to AWS services, HTTP/HTTPS requests, database calls, queue calls (SQS)

Install and run the X-Ray daemon

Question 70

What is the X-Ray daemon?

Answer 70

A software application that listens for traffic on UDP port 2000, gathers raw segment data, and relays it to the AWS X-Ray API

Question 71

How can you enable X-Ray in your application running on Elatic Beanstalk?

Answer 71

Import the AWS X-Ray SDK in your code

Configure the SDK to capture calls to AWS services, HTTP/HTTPS requests, database calls, queue calls (SQS)

Set the configuration in the EB console OR
enable the service in a .ebextensions/xray-daemon.config file like so:
option_settings:
aws:elasticbeanstalk:xray:
XRayEnabled: true

Question 72

How can you enable X-Ray in functions running on Lambda?

Answer 72

Import the AWS X-Ray SDK in your code

Configure the SDK to capture calls to AWS services, HTTP/HTTPS requests, database calls, queue calls (SQS)

Make sure that X-Ray integration is enabled

Question 73

What do all applications, regardless of the platform, absolutely need in order to relay data to X-Ray?

Answer 73

The corresponding IAM rights

Question 74

How can you send traces cross-account with the X-Ray daemon / agent?

Answer 74

The agent has a config to send traces cross account, make sure the IAM permissions are correct - the agent will assume the role

Question 75

How to reduce cost when using X-Ray?

Answer 75

By using sampling

Question 76

What can you use to provide key value pairs which can be used for filtering when using X-Ray?

Answer 76

Annotations

Question 77

What can you use to provide key value pairs which can NOT be used for filtering when using X-Ray?

Answer 77

Metadata

Question 78

What does AWS CloudTrail provide?

Answer 78

Governance, compliance and audit for your AWS Account

Question 79

Is CloudTrail enabled by default?

Answer 79

Yes

Question 80

What are the sources of events in CloudTrail?

Answer 80

Console
SDK
CLI
AWS Services

Question 81

Can you put logs from CloudTrail into CloudWatch Logs?

Answer 81

Yes

Question 82

What should you do if you feel like something weird happened into your AWS account?

Answer 82

Look into CloudTrail first