[AWS SAA-C02 Study Note] Cloud Management: CloudFormation, CloudWatch, CloudTrail, ConfigRule
IaC: CloudFormation
Infrastructure as Code
A templating Language that defines AWS resources to be provisioned.
Automating the creation of resources via code.
Intro to CloudFormation
Template Formats
Two different formats:
Template Anatomy
AWS Quick Start
AWS Quick Start are a collection of pre-built CloudFormation templates.
Learning resource:
CloudFormation Cheat Sheet
CloudWatch
A collection of monitoring services for logging, reacting to and visualizing data.
AWS CloudWatch is a monitoring solution for your AWS resources.
CloudWatch Logs
Used to monitor, store and access your log files.
A Log Group is a collection of logs. Log files must belong to a log group.
A Log in a Log Group is called a Log Stream.
By default, logs are kept indefinitely and never expire.
Most AWS services are integrated with CloudWatch Logs. Logging for a service sometimes needs to be turned on, or requires IAM permissions to write to CloudWatch Logs.
CloudWatch Metrics
CloudWatch Events
Trigger an event based on a condition or on a schedule.
event source (how to trigger the event) → targets (what to trigger)
CloudWatch Custom Metrics
Using the AWS CLI or SDK, you can create and publish your own custom metrics.
High Resolution Metrics
When you publish a custom metric, you can define it as either standard resolution or higher resolution.
High resolution lets you track at intervals under 1 minute, down to 1 second.
Higher resolution costs more.
CloudWatch Alarms
Triggers notifications based on metrics which breach a defined threshold.
CloudWatch Dashboard
Create custom dashboards from CloudWatch Metrics
Availability of Data
How often CW will collect data and make it available.
Basic monitoring is free; detailed monitoring costs money.
Agent & Host Level Metrics
Some metrics you might think are tracked by default for EC2 instances are not, and require installing the CloudWatch Agent.
CW will track at Host Level by default:
- CPU Usage
- Network Usage
- Disk Usage
- Status Check (Underlying Hypervisor status, Underlying EC2 instance status)
The following require the Agent to get detailed metrics:
- Memory utilization
- Disk swap utilization
- Disk space utilization
- Page file utilization
- Log collection
CW Cheat Sheet
CloudTrail
Logs API calls between AWS services. When you need to know whom to blame.
Intro
AWS CT is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
AWS CT is used to monitor API calls and actions made on an AWS account.
Easily identify which users and accounts made the call to AWS, e.g.:
- Where: Source IP address
- When: EventTime
- Who: User, UserAgent
- What: Region, Resource, Action
Event History
CT is already logging by default and will collect logs for the last 90 days via Event History.
If you need more than 90 days, you need to create a Trail.
Trails are output to S3 and do not have a GUI like Event History. To analyze a Trail you'd have to use Amazon Athena.
Trail Options
CloudTrail to CloudWatch
CT can be set to deliver to CW Logs.
Management Events and Data Events
90% of events in CT are management events.
New: Insights events identify unusual activity, errors, or user behavior in your account.
CT Cheat Sheet
AWS Systems Manager
AWS Systems Manager Parameter Store
Parameter Store, a capability of AWS Systems Manager, provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can reference Systems Manager parameters in your scripts, commands, SSM documents, and configuration and automation workflows by using the unique name that you specified when you created the parameter.
Config Rule
An AWS Config rule represents an AWS Lambda function that you create for a custom rule or a predefined function for an AWS Config managed rule. The function evaluates configuration items to assess whether your AWS resources comply with your desired configurations. This function can run when AWS Config detects a configuration change to an AWS resource and at a periodic frequency that you choose (for example, every 24 hours).
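As an added example (not from these notes or from AWS's own code) of the custom rule described above: a Lambda function that evaluates AWS::Logs::LogGroup configuration items and reports log groups with no retention policy (which CloudWatch keeps indefinitely, as noted under CloudWatch Logs) as NON_COMPLIANT. The rule parameter name maxRetentionDays and the retentionInDays configuration key are assumptions, and the sample event is constructed.

```python
"""Custom AWS Config rule (added example): flag CloudWatch log groups kept too long."""
import json

DEFAULT_MAX_DAYS = 365  # overridden by the assumed rule parameter 'maxRetentionDays'

def evaluate_compliance(item, rule_parameters):
    """Return (compliance_type, annotation) for one configuration item. The key
    'retentionInDays' is assumed to be what AWS Config records for AWS::Logs::LogGroup."""
    if item.get("resourceType") != "AWS::Logs::LogGroup":
        return "NOT_APPLICABLE", "Rule only evaluates CloudWatch log groups"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "Resource has been deleted"
    retention = (item.get("configuration") or {}).get("retentionInDays")
    max_days = int(rule_parameters.get("maxRetentionDays", DEFAULT_MAX_DAYS))
    if retention is None:  # no retention policy: CloudWatch keeps the logs forever
        return "NON_COMPLIANT", "No retention policy: logs are kept indefinitely"
    if retention > max_days:
        return "NON_COMPLIANT", f"Retention {retention} days exceeds limit of {max_days}"
    return "COMPLIANT", f"Retention set to {retention} days"

def build_evaluation(event):
    """Parse the event AWS Config sends on a change into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_compliance(item, rule_parameters)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # AWS Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Lambda entry point: evaluate the item, then report the verdict to AWS Config."""
    import boto3  # imported here so the evaluation logic above runs without AWS access
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample (not real account data): a log group with no retention policy.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {"resourceType": "AWS::Logs::LogGroup",
            "resourceId": "/aws/lambda/example-fn", "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"logGroupName": "/aws/lambda/example-fn"}}}),
    "ruleParameters": json.dumps({"maxRetentionDays": 90}), "resultToken": "PLACEHOLDER-TOKEN",
}
```

Running build_evaluation(SAMPLE_EVENT) locally returns the NON_COMPLIANT entry without touching AWS; only lambda_handler calls PutEvaluations.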