[AWS SAA-C02 Study Note] Cloud Management: CloudFormation, CloudWatch, CloudTrail, ConfigRule

IaC: CloudFormation

Infrastructure as Code

A templating language that defines the AWS resources to be provisioned.

Automates the creation of resources via code.

Intro to CloudFormation

Template Formats

Two different formats:

Template Anatomy
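A template is a document with a fixed set of top-level sections (AWSTemplateFormatVersion, Description, Metadata, Parameters, Rules, Mappings, Conditions, Transform, Resources, Outputs), of which only Resources is mandatory. The following is an added example, not code from this note or from AWS: it parses a small constructed JSON template (CloudFormation also accepts YAML; JSON is used here so it runs with the standard library alone), checks the anatomy, and flags a security-group ingress rule that is open to the world, which is the kind of check worth running on templates before they are deployed. The template contents and the logical IDs are made up for the example.

```python
import json

# Constructed sample template. The security group deliberately opens SSH to the
# world so that the check below has something to report.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Study-note example: one security group and one bucket",
    "Parameters": {
        "Environment": {"Type": "String", "AllowedValues": ["dev", "prod"], "Default": "dev"}
    },
    "Resources": {
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": {"Fn::Sub": "logs-${Environment}-${AWS::AccountId}"}},
        },
    },
    "Outputs": {"BucketName": {"Value": {"Ref": "LogBucket"}}},
})

# The top-level sections CloudFormation recognises; Resources is the only required one.
KNOWN_SECTIONS = (
    "AWSTemplateFormatVersion", "Description", "Metadata", "Parameters", "Rules",
    "Mappings", "Conditions", "Transform", "Resources", "Outputs",
)

# CIDRs that mean "everyone on the internet".
WORLD = {"0.0.0.0/0", "::/0"}


def load_template(text: str) -> dict:
    """Parse a JSON-format template and validate its top-level anatomy."""
    template = json.loads(text)
    unknown = sorted(set(template) - set(KNOWN_SECTIONS))
    if unknown:
        raise ValueError(f"unknown top-level sections: {unknown}")
    if not template.get("Resources"):
        raise ValueError("Resources is the only mandatory section and it is missing or empty")
    return template


def resource_types(template: dict) -> dict:
    """Count resources by type, e.g. {'AWS::S3::Bucket': 1}."""
    counts = {}
    for resource in template["Resources"].values():
        counts[resource["Type"]] = counts.get(resource["Type"], 0) + 1
    return counts


def find_open_ingress(template: dict) -> list:
    """Return (logical_id, protocol, from_port, to_port, cidr) for every ingress rule
    that allows traffic from the whole internet, whether the rule is inline in a
    security group or a standalone AWS::EC2::SecurityGroupIngress resource."""
    findings = []
    for logical_id, resource in template["Resources"].items():
        props = resource.get("Properties", {})
        if resource["Type"] == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif resource["Type"] == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        else:
            continue
        for rule in rules:
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr in WORLD:
                findings.append((logical_id, rule.get("IpProtocol"),
                                 rule.get("FromPort"), rule.get("ToPort"), cidr))
    return findings


if __name__ == "__main__":
    template = load_template(SAMPLE_TEMPLATE)
    print("sections:", [s for s in KNOWN_SECTIONS if s in template])
    print("resources:", resource_types(template))
    for finding in find_open_ingress(template):
        print("open to the world:", finding)
```

The same walk over `Resources` is the natural place to add further checks (unencrypted volumes, buckets without a public-access block), since every resource is just a `Type` plus a `Properties` map.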

AWS Quick Start

AWS Quick Starts are a collection of pre-built CloudFormation templates.

Learning resource:

CloudFormation Cheat Sheet

CloudWatch

A collection of monitoring services for logging, reacting to and visualizing data.

AWS CloudWatch is a monitoring solution for your AWS resources.

CloudWatch Logs

Used to monitor, store and access your log files.

A Log Group is a collection of logs. Log files must belong to a log group.

A Log in a Log Group is called a Log Stream.

By default, logs are kept indefinitely and never expire.

Most AWS services are integrated with CloudWatch Logs. Logging for a service sometimes needs to be turned on, or requires IAM permissions to write to CloudWatch Logs.

CloudWatch Metrics

CloudWatch Events

Triggers an event based on a condition or on a schedule.

event source (how to trigger the event) → targets (what to trigger)

CloudWatch Custom Metrics

Using the AWS CLI or an SDK you can create and publish your own custom metrics.

High Resolution Metrics

When you publish a custom metric, you can define it as either standard resolution or higher resolution.

High resolution lets you track at intervals under 1 minute, down to 1 second.

Higher resolution costs more.

CloudWatch Alarms

Triggers a notification based on a metric that breaches a defined threshold.
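Resolution and alarms interact: an alarm evaluates datapoints at its period, so a short spike that is clearly visible in 1-second data can be averaged away when the alarm period is 60 seconds. The following added example (not code from this note or from AWS) models that in plain Python: it rolls constructed 1-second CPU samples up to a 60-second and a 10-second period and then applies a simplified "M out of N datapoints" alarm evaluation. The `Alarm` class and the `aggregate`/`evaluate` functions are this example's own; CloudWatch's handling of missing data is not modelled.

```python
import operator
from dataclasses import dataclass
from typing import List, Tuple

# Comparison operators a CloudWatch alarm can use against its threshold.
COMPARISONS = {
    "GreaterThanThreshold": operator.gt,
    "GreaterThanOrEqualToThreshold": operator.ge,
    "LessThanThreshold": operator.lt,
    "LessThanOrEqualToThreshold": operator.le,
}


@dataclass
class Alarm:
    metric_name: str
    threshold: float
    comparison: str
    period: int               # seconds per datapoint; 60 for standard resolution, 10 or 30 for high-resolution alarms
    evaluation_periods: int   # N: how many recent datapoints are examined
    datapoints_to_alarm: int  # M: how many of those N must breach ("M out of N")


# Constructed 1-second CPU samples (t, percent): 90 s at 20 % with a 15 s spike to 100 % at t = 70..84.
SAMPLES: List[Tuple[int, float]] = [(t, 100.0 if 70 <= t < 85 else 20.0) for t in range(90)]


def aggregate(samples, period: int, statistic: str = "Average") -> List[float]:
    """Roll raw samples up into one datapoint per `period` seconds, which is what
    the alarm actually evaluates."""
    buckets = {}
    for t, value in samples:
        buckets.setdefault((t // period) * period, []).append(value)
    series = []
    for start in sorted(buckets):
        values = buckets[start]
        series.append(max(values) if statistic == "Maximum" else sum(values) / len(values))
    return series


def evaluate(alarm: Alarm, series: List[float]) -> str:
    """Simplified alarm state: look at the last N datapoints and go to ALARM when at
    least M of them breach the threshold."""
    if len(series) < alarm.evaluation_periods:
        return "INSUFFICIENT_DATA"
    window = series[-alarm.evaluation_periods:]
    compare = COMPARISONS[alarm.comparison]
    breaching = sum(1 for value in window if compare(value, alarm.threshold))
    return "ALARM" if breaching >= alarm.datapoints_to_alarm else "OK"


if __name__ == "__main__":
    standard = Alarm("CPUUtilization", 80.0, "GreaterThanThreshold", 60, 1, 1)
    high_res = Alarm("CPUUtilization", 80.0, "GreaterThanThreshold", 10, 3, 1)
    print("60 s period:", aggregate(SAMPLES, 60), evaluate(standard, aggregate(SAMPLES, 60)))
    print("10 s period:", aggregate(SAMPLES, 10), evaluate(high_res, aggregate(SAMPLES, 10)))
```

With the Average statistic the 15-second spike becomes a 60-second datapoint of 60 %, below the 80 % threshold, so the standard-resolution alarm stays OK while the 10-second alarm fires; raising `datapoints_to_alarm` to equal `evaluation_periods` makes the alarm ignore a single breaching datapoint, which is the usual way to trade sensitivity for fewer false alarms.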

CloudWatch Dashboard

Create custom dashboards from CloudWatch Metrics

Availability of Data

How often CloudWatch collects data and makes it available.

Basic monitoring is free; detailed monitoring costs money.

Agent & Host Level Metrics

Some metrics you might think are tracked by default for EC2 instances are not, and require installing the CloudWatch Agent.

CW tracks the following at the host level by default:

  • CPU Usage
  • Network Usage
  • Disk Usage
  • Status Check (Underlying Hypervisor status, Underlying EC2 instance status)

The following require the Agent to get detailed metrics:

  • Memory utilization
  • Disk swap utilization
  • Disk space utilization
  • Page file utilization
  • Log collection

CW Cheat Sheet

CloudTrail

Logs API calls between AWS services. When you need to know who to blame.

Intro

AWS CT is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.

AWS CT is used to monitor API calls and actions made on an AWS account.

Easily identify which users and accounts made a call to AWS, e.g.:

  • Where: Source IP address
  • When: EventTime
  • Who: User, UserAgent
  • What: Region, Resource, Action
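Every CloudTrail record carries those who/when/where/what fields, which is what makes a trail useful for investigation. The following added example (not code from this note or from AWS) parses a constructed `Records` array in the shape CloudTrail delivers to S3, pulls out the fields the note lists, and then applies three simple detections a defender would typically run over a trail: console login failures, use of root credentials, and mutating API calls from outside a trusted network. The account id and IP addresses are placeholders from the documentation ranges; the user names are made up.

```python
import ipaddress
import json

# Constructed sample log in the shape CloudTrail writes to S3 (a "Records" array).
# 123456789012 is the placeholder account id used in AWS documentation;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation-only IP ranges.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T08:59:31Z", "eventType": "AwsConsoleSignIn",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "Mozilla/5.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Failure"}, "readOnly": False},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T09:02:10Z", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"},
     "readOnly": True},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T09:05:44Z", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accountId": "123456789012"},
     "readOnly": False},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T09:07:02Z", "eventType": "AwsApiCall",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "readOnly": False},
]})


def who(identity: dict) -> str:
    """Name the caller: root, an IAM user name, or the ARN when no user name is present."""
    if identity.get("type") == "Root":
        return "root"
    return identity.get("userName") or identity.get("arn", "unknown")


def parse_records(text: str) -> list:
    """Flatten each CloudTrail record into the who/when/where/what fields from the note."""
    rows = []
    for record in json.loads(text)["Records"]:
        rows.append({
            "when": record["eventTime"],
            "where": record["sourceIPAddress"],
            "who": who(record["userIdentity"]),
            "user_agent": record.get("userAgent", ""),
            "region": record["awsRegion"],
            "service": record["eventSource"].split(".")[0],
            "action": record["eventName"],
            "event_type": record.get("eventType", ""),
            "read_only": record.get("readOnly", False),
            "login_failed": record.get("responseElements", {}).get("ConsoleLogin") == "Failure",
            "is_root": record["userIdentity"].get("type") == "Root",
        })
    return rows


def find_suspicious(rows: list, trusted_cidrs: list) -> list:
    """Return (when, who, action, reasons) for events that deserve a look."""
    trusted = [ipaddress.ip_network(cidr) for cidr in trusted_cidrs]
    findings = []
    for event in rows:
        try:
            outside = not any(ipaddress.ip_address(event["where"]) in net for net in trusted)
        except ValueError:  # e.g. "AWS Internal" or a service principal instead of an IP
            outside = False
        reasons = []
        if event["login_failed"]:
            reasons.append("console login failure")
        if event["is_root"]:
            reasons.append("root credentials used")
        if outside and event["event_type"] == "AwsApiCall" and not event["read_only"]:
            reasons.append("mutating call from untrusted network")
        if reasons:
            findings.append((event["when"], event["who"], event["action"], reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_records(SAMPLE_LOG), ["203.0.113.0/24"]):
        print(*finding)
```

Over a real trail the same functions would be fed one gzipped JSON object per S3 delivery; the note's point that trails have no GUI is why this kind of scripted (or Athena-based) analysis is needed once you go past the 90-day Event History.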

Event History

CT is already logging by default and collects logs for the last 90 days via Event History.

If you need more than 90 days, you need to create a Trail.

Trails are output to S3 and do not have a GUI like Event History. To analyze a Trail you'd have to use Amazon Athena.

Trail Options

CloudTrail to CloudWatch

CT can be set to deliver to CloudWatch Logs.

Management Event and Data Event

90% of events in CT are management events.

New Insights events: identify unusual activity, errors, or user behavior in your account.

CT Cheat Sheet

AWS Systems Manager

AWS Systems Manager Parameter Store

Parameter Store, a capability of AWS Systems Manager, provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can reference Systems Manager parameters in your scripts, commands, SSM documents, and configuration and automation workflows by using the unique name that you specified when you created the parameter.

Config Rule

An AWS Config rule represents an AWS Lambda function that you create for a custom rule or a predefined function for an AWS Config managed rule. The function evaluates configuration items to assess whether your AWS resources comply with your desired configurations. This function can run when AWS Config detects a configuration change to an AWS resource and at a periodic frequency that you choose (for example, every 24 hours).
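A custom rule's Lambda function receives the configuration item inside `invokingEvent` (a JSON string), reads any rule parameters from `ruleParameters`, and reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE back through `PutEvaluations` using the `resultToken` it was handed. The following added example (not code from this note or from AWS) is such a handler for a rule that marks a security group non-compliant when any of a configurable list of ports is reachable from the whole internet. The configuration item is constructed and trimmed to the fields the rule reads; the security-group id is a placeholder. The `boto3` import is deferred to the one branch that talks to AWS, so the evaluation logic can be exercised offline.

```python
import json
from datetime import datetime, timezone

# Constructed invocation event in the shape AWS Config passes to a custom rule.
# Assumption: the configuration item is trimmed to the fields this rule reads.
# The "TESTMODE" result token keeps the handler from calling PutEvaluations.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemCaptureTime": "2024-05-01T09:00:00.000Z",
            "configurationItemStatus": "OK",
            "configuration": {
                "ipPermissions": [
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
                    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                     "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
                ]
            },
        },
    }),
    "ruleParameters": json.dumps({"blockedPorts": "22,3389"}),
    "resultToken": "TESTMODE",
}

WORLD = {"0.0.0.0/0", "::/0"}


def _cidrs(permission: dict) -> list:
    """Collect IPv4 and IPv6 ranges; older configuration snapshots list them as bare strings."""
    cidrs = []
    for entry in permission.get("ipRanges", []):
        cidrs.append(entry["cidrIp"] if isinstance(entry, dict) else entry)
    for entry in permission.get("ipv6Ranges", []):
        cidrs.append(entry["cidrIpv6"] if isinstance(entry, dict) else entry)
    return cidrs


def evaluate_compliance(item: dict, params: dict) -> tuple:
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource has been deleted"
    blocked = {int(p) for p in params.get("blockedPorts", "22").split(",")}
    for permission in item.get("configuration", {}).get("ipPermissions", []):
        low, high = permission.get("fromPort"), permission.get("toPort")
        # A missing port or -1 means "all ports" for that protocol.
        all_ports = low is None or low == -1
        exposed = blocked if all_ports else {p for p in blocked if low <= p <= high}
        open_cidrs = [c for c in _cidrs(permission) if c in WORLD]
        if exposed and open_cidrs:
            ports = ",".join(str(p) for p in sorted(exposed))
            return "NON_COMPLIANT", f"port(s) {ports} open to {open_cidrs[0]}"
    return "COMPLIANT", "no blocked port is open to the world"


def lambda_handler(event, context):
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_compliance(item, params)
    captured = datetime.strptime(item["configurationItemCaptureTime"],
                                 "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],
        "OrderingTimestamp": captured,
    }
    if event.get("resultToken") and event["resultToken"] != "TESTMODE":
        import boto3  # deferred so the evaluation logic runs without AWS credentials
        boto3.client("config").put_evaluations(
            Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```

The `NOT_APPLICABLE` branches matter: a rule that is triggered by every configuration change must answer for deleted resources and for resource types it does not understand, otherwise Config keeps stale evaluations or the function raises.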