AWS-Management Tools

CloudWatch

CloudWatch is a monitoring tool that collects operational and monitoring data in the form of logs, metrics, and events, and lets users visualize these logs using automated dashboards.

Basic monitoring = 5 mins (free for EC2 Instances, EBS volumes, ELBs and RDS DBs)
Detailed monitoring = 1 min (chargeable)
Metrics are provided automatically for a number of AWS products and services.
There is no standard metric for memory usage on EC2 instances.
A custom metric is any metric you provide to Amazon CloudWatch.

Key features of CloudWatch:
CloudWatch metrics are captured every 5 minutes.
CloudWatch considers a queue to be active for up to 6 hours if it contains any messages or if any API action accesses it.
There are no charges for CloudWatch (no detailed monitoring).
CloudWatch Logs keeps logs indefinitely by default. You can configure how long to keep the logs in a log group.
You can change the retention period of each log group anytime.

CloudTrail logs can be sent to CloudWatch Logs for real-time monitoring.
CloudWatch Logs metric filters can evaluate CloudTrail logs for specific terms, phrases or values.
CloudWatch is integrated with SQS and you can view and monitor queue metrics.
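
How a metric filter turns CloudTrail records into a countable metric, as an added Python example that is not from the original notes: it mimics filter patterns of the form { ($.errorCode = "AccessDenied*") || ... } over constructed log events. The metric names, sample events and helper functions are assumptions made for illustration.

```python
import fnmatch
import json

# Constructed CloudTrail records, one JSON document per log event (not real data).
SAMPLE_LOG_EVENTS = [
    '{"eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation"}',
    '{"eventName": "GetObject", "errorCode": "AccessDenied"}',
    '{"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com"}',
    '{"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Failure"}}',
    '{"eventName": "DescribeInstances"}',
    'not json: a line the filter must skip rather than crash on',
]

# Hypothetical metric names; each list holds (selector, pattern) terms that are ORed.
METRIC_FILTERS = {
    "UnauthorizedApiCalls": [("errorCode", "*UnauthorizedOperation"),
                             ("errorCode", "AccessDenied*")],
    "TrailChanges": [("eventName", "StopLogging"), ("eventName", "DeleteTrail"),
                     ("eventName", "UpdateTrail")],
    "ConsoleLoginFailures": [("responseElements.ConsoleLogin", "Failure")],
}


def matches(record, selector, pattern):
    """True if the dotted selector resolves to a string matching pattern."""
    value = record
    for key in selector.split("."):
        if not isinstance(value, dict) or key not in value:
            return False
        value = value[key]
    return isinstance(value, str) and fnmatch.fnmatchcase(value, pattern)


def evaluate(log_events, filters=METRIC_FILTERS):
    """Return {metric name: number of log events matching that filter}."""
    counts = {name: 0 for name in filters}
    for line in log_events:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines never match a JSON filter pattern
        for name, terms in filters.items():
            if any(matches(record, sel, pat) for sel, pat in terms):
                counts[name] += 1
    return counts


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG_EVENTS))
```

In CloudWatch, an alarm on each of these counts can notify through SNS.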

Options for storing logs:
CloudWatch Logs
Centralized logging system (e.g. Splunk)
Custom script and store on S3

The recommended practice is to store logs in CloudWatch Logs or S3.
Amazon CloudWatch uses Amazon SNS to send email.
CloudTrail captures API calls from SQS and logs to a specified S3 bucket.

CloudWatch retains metric data as follows:

• Data points with a period of less than 60 seconds are available for 3 hours. These data points are high-resolution custom metrics.

• Data points with a period of 60 seconds (1 minute) are available for 15 days.

• Data points with a period of 300 seconds (5 minutes) are available for 63 days.

• Data points with a period of 3600 seconds (1 hour) are available for 455 days (15 months).

AWS CloudTrail:

AWS CloudTrail: Basically used for security analysis, resource change tracking, and compliance auditing.

AWS CloudTrail Features:
1. AWS CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket.
2. CloudTrail is about logging and saves a history of API calls for your AWS account.
3. Provides visibility into user activity by recording actions taken on your account.
4. Logs API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as CloudFormation).
5. Not enabled by default.
6. CloudTrail is per AWS account.
7. Trails can be enabled per region or a trail can be applied to all regions.
8. Trails can be configured to log data events and management events.
9. CloudTrail log files are encrypted using S3 Server-Side Encryption (SSE). You can also enable encryption using SSE-KMS for additional security.
10. CloudTrail can be integrated with CloudWatch Logs to deliver data events captured by CloudTrail to a CloudWatch Logs log stream.
The CloudTrail log file integrity validation feature allows you to determine whether a CloudTrail log file was unchanged, deleted, or modified since CloudTrail delivered it to the specified Amazon S3 bucket.
To view CloudTrail data and management events beyond 90 days, use Amazon Athena.
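
The unchanged/deleted/modified check behind log file integrity validation, as an added Python example (not code from the original notes or from AWS): it compares the SHA-256 of each log file's uncompressed content against the hashValue recorded for it in a digest file's logFiles list. The object keys, account ID and bucket contents are constructed, and the digest file's own signature is assumed to have been verified already.

```python
import gzip
import hashlib
import json
import zlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def validate(digest, bucket):
    """Classify each log file in the digest; bucket is {key: gzip bytes}."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if key not in bucket:
            results[key] = "deleted"
            continue
        try:
            content = gzip.decompress(bucket[key])
        except (OSError, EOFError, zlib.error):
            results[key] = "modified"  # object is no longer valid gzip
            continue
        same = sha256_hex(content) == entry["hashValue"]
        results[key] = "unchanged" if same else "modified"
    return results


def build_sample():
    """Constructed data: three delivered log files and a digest listing them."""
    logs = {f"AWSLogs/111122223333/CloudTrail/log-{i}.json.gz":
            json.dumps({"Records": [{"eventName": name}]}).encode()
            for i, name in enumerate(["CreateUser", "PutBucketPolicy", "GetObject"])}
    digest = {"logFiles": [{"s3Object": k, "hashValue": sha256_hex(v),
                            "hashAlgorithm": "SHA-256"} for k, v in logs.items()]}
    return digest, {k: gzip.compress(v) for k, v in logs.items()}


def demo():
    digest, bucket = build_sample()
    keys = sorted(bucket)
    del bucket[keys[1]]                                  # object missing
    bucket[keys[2]] = gzip.compress(b'{"Records": []}')  # content differs
    result = validate(digest, bucket)
    return [result[k] for k in keys]


if __name__ == "__main__":
    print(demo())
```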

What are the differences between data and management events in CloudTrail?

CloudTrail data events: CloudTrail data events are also known as data plane operations and are often high-volume activity. They track specific operations for specific AWS services. CloudTrail data events are disabled by default. They are not visible in CloudTrail event history.
The two services that can be tracked are S3 and Lambda. So it would track actions such as GetObject, DeleteObject, and PutObject.

CloudTrail management events: Also known as control plane operations.
CloudTrail management events track management operations. CloudTrail records management events of the last 90 days free of charge, and they can be viewed in event history in the CloudTrail console. Examples: configuring security, registering devices, configuring rules for routing data, etc.

CloudTrail Insights: Designed to automatically analyze management events from your CloudTrail trails to establish a baseline for normal behavior and then raise issues by generating Insights events when it detects unusual patterns.

AWS OpsWorks:

AWS OpsWorks is an automation platform that transforms infrastructure into code.
Automates how applications are configured, deployed and managed.
AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet, two very popular automation platforms.
Provides configuration management to deploy code, automate tasks, configure instances, perform upgrades, etc.
There are three offerings: OpsWorks for Chef Automate, OpsWorks for Puppet Enterprise, and OpsWorks Stacks.

AWS CloudFormation:

AWS CloudFormation is a service that gives developers and businesses an easy way to create a collection of related AWS resources and provision them in an orderly and predictable fashion.

CloudFormation can be used to provision a broad range of AWS resources.
Think of CloudFormation as deploying infrastructure as code.

Logical IDs are used to reference resources within the template.
Physical IDs identify resources outside of AWS CloudFormation templates, but only after the resources have been created.
Features of Templates:
• Architectural designs
• Create, update and delete templates
• Written in JSON or YAML
• CloudFormation determines the order of provisioning
• Don’t need to worry about dependencies
• Modifies and updates templates in a controlled way (version control)
• Designer allows you to visualize using a drag and drop interface

Other features of CloudFormation:
Puppet and Chef integration is supported.
Can use bootstrap scripts.
Can define deletion policies.
Provides WaitCondition function.
Can create roles in IAM.
VPCs can be created and customized.
VPC peering in the same AWS account can be performed.
Updating stacks:
• AWS CloudFormation provides two methods for updating stacks: direct update or creating and executing change sets.
• When you directly update a stack, you submit changes and AWS CloudFormation immediately deploys them.
• Use direct updates when you want to quickly deploy your updates.
• With change sets, you can preview the changes AWS CloudFormation will make to your stack, and then decide whether to apply those changes.
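
One way to use a change set as a review gate before executing it, as an added Python example (not from the original notes): it reads describe-change-set style output and flags removals, replacements and changes to security-sensitive resource types. The sample change set, its logical and physical IDs and the SENSITIVE_TYPES list are assumptions.

```python
# Reviewer's own watch list (an assumption, extend as needed).
SENSITIVE_TYPES = ("AWS::IAM::", "AWS::KMS::", "AWS::CloudTrail::")

# Constructed describe-change-set style output, trimmed to the fields used here.
SAMPLE_CHANGE_SET = {
    "ChangeSetName": "example-change-set",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Add", "LogicalResourceId": "AppBucket",
            "ResourceType": "AWS::S3::Bucket"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "AppDatabase",
            "PhysicalResourceId": "example-db-1",
            "ResourceType": "AWS::RDS::DBInstance", "Replacement": "True"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "DeployRole",
            "PhysicalResourceId": "example-deploy-role",
            "ResourceType": "AWS::IAM::Role", "Replacement": "False"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Remove", "LogicalResourceId": "AuditTrail",
            "PhysicalResourceId": "example-trail",
            "ResourceType": "AWS::CloudTrail::Trail"}},
    ],
}


def review(change_set):
    """Return {logical ID: [reasons]} for changes that need a human look."""
    findings = {}
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange") or {}
        reasons = []
        if rc.get("Action") == "Remove":
            reasons.append("resource will be deleted")
        if rc.get("Replacement") in ("True", "Conditional"):
            reasons.append("resource may be replaced, so its physical ID changes")
        if rc.get("ResourceType", "").startswith(SENSITIVE_TYPES):
            reasons.append("security-sensitive resource type")
        if reasons:
            findings[rc.get("LogicalResourceId", "?")] = reasons
    return findings


if __name__ == "__main__":
    for logical_id, reasons in review(SAMPLE_CHANGE_SET).items():
        print(f"{logical_id}: {'; '.join(reasons)}")
```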

AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation.

Using an administrator account, you define and manage an AWS CloudFormation template, and use the template as the basis for provisioning stacks into selected target accounts across specified regions.
Elastic Beanstalk is more focused on deploying applications on EC2 (PaaS).

CloudFormation can deploy Elastic Beanstalk-hosted applications; however, the reverse is not possible.

There is no additional charge for AWS CloudFormation.
• You pay for AWS resources (such as Amazon EC2 instances, Elastic Load Balancing load balancers, etc.) created using AWS CloudFormation in the same manner as if you created them manually
• You only pay for what you use, as you use it; there are no minimum fees and no required upfront commitments

AWS Config:

AWS Config enables security and governance. It allows you to assess, audit and evaluate the configurations of your AWS resources.
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.

With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time.

These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.

Creates a baseline of various configuration settings and files and can then track variations against that baseline.
AWS Config vs CloudTrail:
AWS CloudTrail records user API activity on your account and allows you to access information about this activity.
AWS Config records point-in-time configuration details for your AWS resources as Configuration Items (CIs).

With AWS Config, you are charged based on the number of configuration items (CIs) recorded for supported resources in your AWS account.
AWS Config creates a configuration item whenever it detects a change to a resource type that it is recording.

AWS Systems Manager

Systems Manager provides a central place to view and manage your AWS resources, so you can have complete visibility and control over your operations.

AWS Systems Manager allows you to centralize operational data from multiple AWS services and automate tasks across your AWS resources.

Centralized console and toolset for a wide variety of system management tasks.

SSM Agent enables Systems Manager features.

SSM Agent is installed by default on recent AWS-provided base AMIs for Linux and Windows.

Systems Manager Inventory: AWS Systems Manager collects information about your instances and the software installed on them, helping you to understand your system configurations and installed applications.
You can view multiple application assets, track licenses, monitor file integrity, discover applications not installed by a traditional installer, and more.

By default, AWS Systems Manager displays data about patching and associations. You can also customize the service and create your own compliance types based on your requirements.

Automation: AWS Systems Manager allows you to safely automate common and repetitive IT operations and management tasks across AWS resources.
• With Systems Manager, you can create JSON documents that specify a specific list of tasks or use community published documents
• These documents can be executed directly through the AWS Management Console, CLIs, and SDKs, scheduled in a maintenance window, or triggered based on changes to AWS resources through Amazon CloudWatch Events
• You can track the execution of each step in the documents as well as require approvals for each step
• You can also incrementally roll out changes and automatically halt when errors occur.

AWS Systems Manager provides you safe, secure remote management of your instances at scale without logging into your servers, replacing the need for bastion hosts, SSH, or remote PowerShell.

It provides a simple way of automating common administrative tasks across groups of instances such as registry edits, user management, and software and patch installations.

Through integration with AWS Identity and Access Management (IAM), you can apply granular permissions to control the actions users can perform on instances.

All actions taken with Systems Manager are recorded by AWS CloudTrail, allowing you to audit changes throughout your environment.

AWS Serverless Application Model (AWS SAM) is an extension of AWS CloudFormation that is used to package, test, and deploy serverless applications.

AWS CodeDeploy is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, or serverless Lambda functions.

AWS Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.

Amazon Simple Email Service (SES): Amazon SES is a cost-effective, flexible, and scalable email service that enables developers to send mail from within any application. You can configure Amazon SES quickly to support several email use cases, including transactional, marketing, or mass email communications. Amazon SES’s flexible IP deployment and email authentication options help drive higher deliverability and protect sender reputation, while sending analytics measure the impact of each email. With Amazon SES, you can send email securely, globally, and at scale.
