CloudWatch

native monitoring service

Overview

  • Service used for monitoring cloud and on-premises systems (on-premises hosts report via the CloudWatch agent).

State of Alarm

  • INSUFFICIENT_DATA: the alarm has just started, the metric is not available, or there is not enough data to determine the state.

  • OK: within the threshold

  • ALARM: outside of the defined threshold.

Benefits

  • Single platform observability (both AWS resources and on-premises servers).

  • Easy metrics collection. Natively integrates with 70+ AWS services.

  • Improve performance and resource optimization


Features

Default EC2 metrics

By default, CloudWatch provides these metrics:

  • CPU utilization

  • Network utilization

  • Disk I/O

It does not natively provide memory and disk space utilization metrics. You need to install the CloudWatch agent to collect these. Other metrics that are not available by default:

  • Memory utilization

  • Disk swap, disk space utilization

  • Page file utilization

  • Log collection

CloudWatch Agent

  • Used to collect data from on-prem systems.

  • Supports both Windows and Linux.

  • Configuration file: a JSON file that specifies the metrics and logs that the agent is to collect.

Metrics Lambda sends to CloudWatch

  • Invocation

  • Duration

  • Errors

  • Throttles

  • DeadLetterErrors

  • IteratorAge

  • ConcurrentExecutions

  • UnreservedConcurrentExecutions


Concepts

  • Metric: a time-ordered set of data points that are published to CloudWatch.

  • Namespace: a container for CloudWatch metrics.

  • Dashboard: customizable home pages in the CloudWatch console.

Trivia

  • Data is available in 5-minute periods. If you enable Detailed monitoring, data will be available in 1-minute periods.

  • Dashboards are global. That means you can access a dashboard from anywhere, regardless of region.

  • If you want people to access only dashboards, use CloudWatch dashboard sharing.

KMS

  • CloudWatch Logs supports only symmetric customer managed keys. Do not use an asymmetric key to encrypt the data in your log groups.

  • To encrypt a log group with a customer managed key, you need to use the AWS CLI or SDKs. The steps are:

  1. Create a customer managed symmetric KMS key

  2. Add a key policy to the KMS key that allows CloudWatch Logs to use it, with the service principal "Service": "logs.region.amazonaws.com"

  3. Associate the KMS key with the log group:

     aws logs associate-kms-key --log-group-name logGroupName --kms-key-id keyArn

  4. Any new log events ingested into the log group after associating the KMS key will be encrypted using that key
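The three steps above as one script, an added example that is not part of the original notes. It assumes AWS CLI v2 with working credentials and caller-supplied REGION, ACCOUNT_ID and LOG_GROUP, and adds a guard that refuses a non-symmetric key before the association step, since CloudWatch Logs only accepts symmetric keys.

```shell
# Added example (not from the page): automates the three KMS steps above.
# Assumes AWS CLI v2 with credentials; REGION, ACCOUNT_ID and LOG_GROUP are
# caller-supplied; set CW_RUN=1 to actually call AWS.
set -eu

# Key policy that lets CloudWatch Logs in one region use the key. The
# encryption-context condition limits use to log groups in this account.
logs_key_policy() {
  local region="$1" account_id="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AccountAdmin", "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": "kms:*", "Resource": "*" },
    { "Sid": "CloudWatchLogs", "Effect": "Allow",
      "Principal": { "Service": "logs.${region}.amazonaws.com" },
      "Action": [ "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                  "kms:GenerateDataKey*", "kms:Describe*" ],
      "Resource": "*",
      "Condition": { "ArnLike": { "kms:EncryptionContext:aws:logs:arn":
        "arn:aws:logs:${region}:${account_id}:log-group:*" } } }
  ]
}
EOF
}

# Reads `aws kms describe-key` JSON on stdin; succeeds only for a symmetric
# key, because CloudWatch Logs rejects asymmetric keys.
key_is_symmetric() {
  grep -q '"KeySpec": *"SYMMETRIC_DEFAULT"'
}

encrypt_log_group() {
  local region="$1" account_id="$2" log_group="$3" key_arn
  # Step 1: create-key defaults to a symmetric encryption key.
  key_arn=$(aws kms create-key --region "$region" --description "CloudWatch Logs: $log_group" \
              --query KeyMetadata.Arn --output text)
  aws kms describe-key --region "$region" --key-id "$key_arn" | key_is_symmetric \
    || { echo "refusing non-symmetric key: $key_arn" >&2; return 1; }
  # Step 2: grant the Logs service principal access to the key.
  aws kms put-key-policy --region "$region" --key-id "$key_arn" --policy-name default \
      --policy "$(logs_key_policy "$region" "$account_id")"
  # Step 3: associate; only events ingested after this point are encrypted.
  aws logs associate-kms-key --region "$region" --log-group-name "$log_group" --kms-key-id "$key_arn"
}

if [ "${CW_RUN:-0}" = 1 ]; then encrypt_log_group "$REGION" "$ACCOUNT_ID" "$LOG_GROUP"; fi
```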
