[SAP] CloudWatch

CloudWatch Alarms

• Can trigger actions: EC2 action (reboot, stop, terminate, recover), Auto Scaling, SNS
• Alarm events can be intercepted by CloudWatch Events

CloudWath Logs

• Log groups: arbitrary name, usually representing an application
• Log stream: instances within application / log files / containers
• Can define a log expiration policies (never expire, 30 days, etc...)
• Optional KMS encryption
• CloudWatch Logs can send logs to:
  • S3
  • KDS
  • KDF
  • Lambda
  • ElasticSearch

CloudWatch Logs - S3 Export

• S3 bucket must be encrypted with AES-256 (SSE-S3), not SSE-KMS
• Log data can take up to 12 hours to become available for export (so it is not real time usecase)
• The API call is CreateExportTask
• Not near-real time or real-time... use Logs Subscriptions instead

 

• For multi-account or multi region cloudwatch logs aggregation, need to send KDS first.
• NOT KDF first
• Then forward to S3