# CloudWatch

## Overview

* Service used for monitoring ***cloud*** resources and ***on-premises*** systems (the latter via the CloudWatch agent).

### State of Alarm

* `INSUFFICIENT_DATA`: the alarm has just started, the metric is not available, or there is not enough data to evaluate the threshold.
* `OK`: the metric is within the defined threshold.
* `ALARM`: the metric is outside the defined threshold.

### Benefits

* Single platform observability (both AWS resources and on-premises servers).
* Easy metrics collection. Natively integrate with 70+ AWS services.
* Improve performance and resource optimization

***

## Features

### Default EC2 metrics

By default, CloudWatch provides these EC2 metrics (basic monitoring, no agent required):

* CPU utilization
* Network utilization
* Disk I/O (for instance store volumes; EBS volume I/O is reported under the `AWS/EBS` namespace)

It *<mark style="color:red;">does not natively provide memory and disk space utilization metrics</mark>*, because the hypervisor cannot see inside the guest OS. You need to install the [CloudWatch agent](#cloudwatch-agent) to collect them. Other data that is unavailable without the agent:

* Memory utilization
* Swap and disk space utilization
* Page file utilization (Windows)
* Log collection from files on the instance

### CloudWatch Agent

* Used to collect system-level metrics and logs from EC2 instances and on-premises servers (on-premises hosts authenticate with IAM user credentials stored on the host).
* Supports Windows and Linux.
* **Configuration file**: a JSON file that specifies the metrics and logs the agent is to collect.
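As an added example (not from the original page), the shell functions below print a minimal agent configuration that collects the metrics EC2 does not report on its own (memory, swap, disk space) plus one log file, and load it with the agent's control script. The section and measurement names are the agent's own; the log file path, log group name and the `print` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: CloudWatch agent configuration for the metrics EC2 lacks by default.
# Not part of the original page. Log path and log group name are illustrative.

# Print the agent configuration JSON to stdout.
# mem_used_percent, swap_used_percent and used_percent are the agent's real
# measurement names; ${aws:InstanceId} and {instance_id} are agent placeholders.
agent_config() {
  cat <<'EOF'
{
  "metrics": {
    "namespace": "CWAgent",
    "append_dimensions": { "InstanceId": "${aws:InstanceId}" },
    "metrics_collected": {
      "mem":  { "measurement": ["mem_used_percent"],  "metrics_collection_interval": 60 },
      "swap": { "measurement": ["swap_used_percent"], "metrics_collection_interval": 60 },
      "disk": {
        "measurement": ["used_percent"],
        "resources": ["/"],
        "metrics_collection_interval": 60
      }
    }
  },
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/secure",
            "log_group_name": "example/linux/secure",
            "log_stream_name": "{instance_id}",
            "timezone": "UTC"
          }
        ]
      }
    }
  }
}
EOF
}

# Write the config to the agent's default location and load it.
# mode is "ec2" for EC2 instances or "onPremise" for on-premises servers.
# Requires root and an installed agent; does not run during a plain invocation.
load_agent_config() {
  mode="${1:-ec2}"
  cfg=/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json
  agent_config > "$cfg"
  /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \
    -a fetch-config -m "$mode" -c "file:$cfg" -s
}

# Usage (assumed convention for this example):
#   sh agent.sh print            # just show the JSON
#   load_agent_config onPremise  # as root, on a host with the agent installed
if [ "${1:-}" = "print" ]; then
  agent_config
fi
```

Once the agent is running, the metrics appear under the `CWAgent` namespace (not `AWS/EC2`), so alarms on memory or disk space must be created against that namespace.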

### Metrics `Lambda` sends to CloudWatch

* Invocations
* Duration
* Errors
* Throttles
* DeadLetterErrors
* IteratorAge (stream-based event sources)
* ConcurrentExecutions
* UnreservedConcurrentExecutions

***

## Concepts

* ***Metric***: a time-ordered set of data points published to CloudWatch.
* ***Namespace***: a container for CloudWatch metrics (for example `AWS/EC2` or `CWAgent`).
* ***Dashboard***: a customizable home page in the CloudWatch console.

## Trivia

* EC2 basic monitoring publishes data in 5-minute periods. If you enable `Detailed monitoring` (charged per instance), data is published in 1-minute periods.
* Dashboards are global: they are not tied to a Region, so one dashboard can show metrics from several Regions and is accessible from any Region's console.
* If you want people to access a dashboard only, without giving them console access, use [CloudWatch Dashboard sharing](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html). A publicly shared dashboard exposes the metric data on it to anyone with the link, so prefer sharing with specific users.

### KMS

* CloudWatch Logs supports only *<mark style="color:red;">**symmetric**</mark>* customer managed keys. Do not use an asymmetric key to encrypt the data in your log groups.
* To encrypt a log group with a customer managed key, you need to use the AWS CLI or SDKs. The steps would be:

1. Create a customer managed ***symmetric*** KMS key in the same Region as the log group.
2. Add a statement to the key policy that lets the CloudWatch Logs service principal `"Service": "logs.region.amazonaws.com"` use the key. Restrict it with an `ArnEquals` condition on `kms:EncryptionContext:aws:logs:arn` so the key can only be used for the intended log group(s).
3. Associate the KMS key with the log group

```bash
aws logs associate-kms-key --log-group-name logGroupName --kms-key-id keyArn
```

4. Any new log events ingested into the log group ***after*** associating the KMS key will be encrypted using that key. Events ingested before the association stay unencrypted, and if the key is later disabled or scheduled for deletion, CloudWatch Logs can no longer decrypt the events that were encrypted with it.
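The three steps above as one script, added here as an example rather than taken from the page. `kms_logs_policy` builds the key policy for step 2 and runs offline; `apply_logs_encryption` performs steps 1 to 3 with the AWS CLI and needs credentials. The account ID, Region and log group name in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: encrypt a CloudWatch Logs log group with a customer managed KMS key.
# Not part of the original page. Account, Region and log group values are parameters.

# Step 2: key policy. The root statement keeps the account able to administer
# the key. The second statement lets the CloudWatch Logs service principal of
# ONE Region use the key, and the ArnEquals condition on
# kms:EncryptionContext:aws:logs:arn limits that to the named log group, so
# other log groups in the account cannot be encrypted or decrypted with it.
kms_logs_policy() {
  account="$1"; region="$2"; group="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Id": "cloudwatch-logs-key",
  "Statement": [
    {
      "Sid": "Key administration by the account",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account}:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow CloudWatch Logs to use the key for one log group only",
      "Effect": "Allow",
      "Principal": { "Service": "logs.${region}.amazonaws.com" },
      "Action": [
        "kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
        "kms:GenerateDataKey*", "kms:Describe*"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:${region}:${account}:log-group:${group}"
        }
      }
    }
  ]
}
EOF
}

# Steps 1 to 3 against a real account (needs the AWS CLI and credentials).
# The key is created symmetric (SYMMETRIC_DEFAULT) with the policy attached
# at creation time, in the same Region as the log group.
apply_logs_encryption() {
  account="$1"; region="$2"; group="$3"
  policy_file=$(mktemp)
  kms_logs_policy "$account" "$region" "$group" > "$policy_file"
  key_arn=$(aws kms create-key --region "$region" \
      --description "CloudWatch Logs key for $group" \
      --key-spec SYMMETRIC_DEFAULT --key-usage ENCRYPT_DECRYPT \
      --policy "file://$policy_file" \
      --query KeyMetadata.Arn --output text)
  rm -f "$policy_file"
  aws logs associate-kms-key --region "$region" \
      --log-group-name "$group" --kms-key-id "$key_arn"
  # Check: the log group should now report the key ARN in kmsKeyId.
  aws logs describe-log-groups --region "$region" \
      --log-group-name-prefix "$group" \
      --query 'logGroups[0].kmsKeyId' --output text
}

# Usage (values are illustrative):
#   apply_logs_encryption 123456789012 us-east-1 app/prod/api
```

If you later need to stop encrypting with the key, `aws logs disassociate-kms-key --log-group-name <name>` affects new events only; keep the key enabled for as long as you need to read the events already encrypted with it.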
