Logging in AWS Cloud computing

Monitoring as a service in AWS cloud computing provides several key benefits to an organization. It not only helps meet compliance requirements but also detects incidents and supports their resolution. Amazon provides logging and monitoring facilities in AWS cloud computing in different ways, which include:

-AWS CloudWatch

-AWS CloudTrail

-AWS Config

-VPC Flow logs

From trend analysis to collating data, monitoring helps optimize overall performance. It also keeps track of application performance, operational issues, resource use, and constraints. In this blog, we will give an overview of what the above monitoring components of AWS Cloud computing cover and some best practices around them.


AWS CloudWatch


If, as a developer, architect, or administrator, you are worried about “What is happening on AWS?”, then AWS CloudWatch is the best answer for real-time monitoring. This AWS Cloud computing feature works out of the box with EC2 and offers two types of monitoring:

1.Basic monitoring: It does not require any additional fee and, based on pre-selected metrics, produces reports at regular time intervals.

2.Detailed monitoring: It requires an additional fee. In return, it increases the frequency of all metrics up to a one-minute interval.

The metrics provided as part of AWS CloudWatch monitoring are as follows:

-Request counts

-Latency

-CPU usage

-User logs

-Custom metrics

CloudWatch integrates automatically with AWS services and scales up easily. It is commonly used with:

-Elastic Compute Cloud (EC2) instances

-Amazon Elastic Block Store (EBS) volumes – to monitor read/write latency

-Elastic Load Balancers (ELBs)

-Amazon Relational Database Service (RDS) instances – to monitor storage space and memory

-SNS Topics

-SQS Queues

However, the services listed above are not the limit: AWS CloudWatch can also ingest external data.

Through the CloudWatch dashboard interface, users can create custom graphical views across their AWS Cloud computing services. These can include both real-time data and historical data, within a timeline of up to two weeks. CloudWatch also provides alarms, which trigger whenever a metric crosses a specified threshold. This lets us identify underutilized resources and act on them quickly. Users can also set automated responses using the rules engine built into the service.



AWS CloudTrail


AWS CloudTrail in AWS Cloud computing mainly deals with the following:

-API calls to the services.

-What is happening on AWS, i.e. greater visibility on user activities

-Logging for high volume activity events on other services.

CloudTrail mainly focuses on API calls and on any change in settings, such as the creation, deletion, or modification of resources. The logs are delivered automatically to an S3 bucket.

Hence, in a nutshell, CloudTrail has three main benefits:

-Activity monitoring – detects insecure or inappropriate changes to services or resources so that they can be prevented.

-Streamlined organizational compliance – automatic logging identifies events that do not comply with the organization’s compliance policies.

-Security auditing – CloudTrail helps to discover security risks to data.


AWS Config


AWS Config is an AWS Cloud computing service which enables users to:

-Evaluate the configurations of AWS resources.

-Audit resource configurations.

-Assess resource configurations.

-Continuously monitor and record AWS resource configurations.

-Obtain detailed inventory information related to AWS resources.

-Automatically evaluate recorded configurations against expected configurations.

Features:


AWS Config integrates with AWS CloudTrail, which captures all API calls as events. Such information is useful to determine the IP address the request was made from, who made the request, the time it was made, and so on.


VPC Flow logs


VPC Flow Logs for a Virtual Private Cloud (VPC) in AWS are an important aspect of logging. Their main purpose is to collect, analyze, and store network flow logs. Using these logs, organizations can:

-Troubleshoot connectivity.

-Find security issues.

-Monitor the working status of network access rules.

-Get better support for network monitoring.

-Track all inbound and outbound traffic.

-Enable alarms for specific types of network traffic.

-Create metrics to identify patterns and trends.

-Group logs according to the Elastic Load Balancer or Elastic Network Interface (ENI) attached to your EC2 instance.

-Do performance analysis, such as identifying latencies and baselining performance.

-Reveal flow duration.

AWS logging and monitoring best practices

Best practices for AWS CloudWatch

1.Careful data sharing between AWS accounts via CloudWatch Event bus

The CloudWatch Event bus allows AWS accounts within an organization to share events. However, it must be carefully checked that such event sharing cannot expose the organization’s sensitive data. Thus permission should be granted only to selected accounts, and the event bus configured accordingly.

2.AWS CloudWatch alarms monitoring

AWS CloudWatch alarms must monitor the following changes:

-AWS Config configuration

-Amazon Organizations changes as relevant.

-AWS CloudTrail configuration.

-Any unauthorized API calls made within an AWS account

-AWS CMK configuration

-AWS Console authentication process.

-AWS EC2 instance

-AWS IAM policy configuration

-AWS VPC Customer/Internet Gateway configuration

-AWS Network ACLs configuration

-Root Account Usage

-AWS Route Tables configuration

-AWS S3 Buckets configuration

-AWS security groups configuration

-AWS VPCs configuration
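The alarms above are built on metric filters over the CloudTrail events delivered to CloudWatch Logs. As an added example (not code from the original post), the function below applies the same matching logic to a few constructed CloudTrail records; the filter patterns quoted in the comments are assumed to follow the CIS AWS Foundations Benchmark, and the account id and user names are placeholders.

```python
# Constructed sample CloudTrail records (not real events); only the fields the
# checks read are populated, and the account id and names are placeholders.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"}},
    {"eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"}},
    {"eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "Root"}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops/alice"}},
    {"eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "dev1"}},
]

CLOUDTRAIL_CONFIG_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail",
                            "StartLogging", "StopLogging"}
SECURITY_GROUP_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                         "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}


def classify(event):
    """Return the names of every alarm condition a single CloudTrail event matches."""
    hits = []
    err = event.get("errorCode", "")
    ident = event.get("userIdentity", {})
    name = event.get("eventName")
    # Metric filter: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    if err.endswith("UnauthorizedOperation") or err.startswith("AccessDenied"):
        hits.append("unauthorized_api_call")
    # Metric filter: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent"):
        hits.append("root_account_usage")
    # Metric filter: { ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != "Yes") }
    if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        hits.append("console_login_without_mfa")
    if name in CLOUDTRAIL_CONFIG_EVENTS:
        hits.append("cloudtrail_config_change")
    if name in SECURITY_GROUP_EVENTS:
        hits.append("security_group_change")
    return hits


def scan(events):
    """Count matches per condition, the way each metric filter increments its metric."""
    counts = {}
    for ev in events:
        for hit in classify(ev):
            counts[hit] = counts.get(hit, 0) + 1
    return counts
```

In the real setup each count feeds a CloudWatch metric, and the alarm fires when the metric is at least 1 in the evaluation period.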

3.CloudWatch alarm for the VPC Flow Logs metric filter

A CloudWatch alarm action must be configured for the VPC Flow Logs metric filter.
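To show what the VPC Flow Logs section above describes and what the metric filter behind this alarm actually counts, here is an added example (not code from the original post) that parses constructed flow log records in the default format, drops NODATA windows, and summarizes REJECT records by source and destination port. The account id, ENI id, and addresses are placeholders, and the quoted filter pattern is assumed to be the CIS-style one.

```python
from collections import Counter

# Constructed VPC Flow Log records in the default (version 2) format; addresses are
# documentation ranges and the account id / ENI id are placeholders.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.20 54321 22 6 4 240 1600000000 1600000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.20 54322 3389 6 3 180 1600000000 1600000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.30 10.0.1.20 44444 443 6 20 9000 1600000000 1600000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.20 60000 22 6 2 120 1600000000 1600000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1600000000 1600000060 - NODATA
"""

# Field order of the default flow log format (14 space-separated fields).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")


def parse_flow_log(text):
    """Parse records into dicts, skipping NODATA/SKIPDATA windows that carry no traffic."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line, not the default format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        rec["duration"] = rec["end"] - rec["start"]  # flow duration in seconds
        records.append(rec)
    return records


def rejects_by_source(records):
    """Count REJECT records per source address; this is the condition the metric filter
    [version, account, eni, source, destination, srcport, destport, protocol, packets,
    bytes, windowstart, windowend, action="REJECT", flowlogstatus] raises a metric for."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def rejected_ports(records):
    """Count REJECT records per destination port, to see which services are being probed."""
    return Counter(r["dstport"] for r in records if r["action"] == "REJECT")


def noisy_sources(records, threshold=2):
    """Sources whose REJECT count reaches the alarm threshold within the sample window."""
    return sorted(src for src, n in rejects_by_source(records).items() if n >= threshold)
```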

4.AWS CloudWatch log for application tier

For the application tier, an AWS CloudWatch log group needs to be created with a retention period.

5.An AWS CloudWatch log group must also be created for the web tier, and it should also have a retention period.

CloudTrail best practices

Some essential AWS CloudTrail best practices are as follows:

-CloudTrail logs need to be sent to CloudWatch Logs.

-CloudTrail logs should be encrypted using KMS, with a key policy set for the key.

-CloudTrail log file validation must be enabled.

-In a multi-account setup, CloudTrail logs need to be sent to a centralized S3 bucket, and the trail should be enabled at the organization level.

-Any configuration change must be monitored carefully to prevent unauthorized infrastructure modification.

-Security of the CloudTrail log bucket should be properly managed.

-CloudTrail should be enabled in all regions, with “Include Global Services” enabled on that trail; enabling it on more than one trail produces duplicate entries.

Please share your valuable inputs in the comment area to make the article more informative.

One thought on “A Generic Overview of Logging in AWS Cloud computing”

  1. Hello there! I believe the cloud storage gives you access to your data from anywhere on the go, it has transformed the traditional way of storing the data. Thank you for sharing this awesome article with us. Keep sharing.
