With the last few days’ events, a quick set of missives to discuss the BASICS of event monitoring in AWS is well in order. I speak of a social media site data scrape that could have been limited with basic monitoring and alerting.
Several services will do this and do this quite well. Still, a few simple and basic CloudWatch Event Rules and a simple SNS notification topic will at least provide a tripwire to deliver notice of possible anomalous events.
I’ll produce a set of missives on how to get the BASICS done. These are NOT an end-all, be-all; they are BASICS.
First of all, let's review the AWS Documentation on CloudWatch:
Amazon CloudWatch is a monitoring and observability service built for DevOps engineers, developers, site reliability engineers (SREs), and IT managers. CloudWatch provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications, and services that run on AWS and on-premises servers. You can use CloudWatch to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications
I will add SecOps engineers to the above list.
A primary data source for CloudWatch is CloudTrail.
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. In addition, you can use CloudTrail to detect unusual activity in your AWS accounts. These capabilities help simplify operational analysis and troubleshooting.
An analysis and action engine for the above-mentioned data sources and collectors is CloudWatch Events:
Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in Amazon Web Services (AWS) resources. Using simple rules that you can quickly set up, you can match events and route them to one or more target functions or streams. CloudWatch Events becomes aware of operational changes as they occur. CloudWatch Events responds to these operational changes and takes corrective action as necessary, by sending messages to respond to the environment, activating functions, making changes, and capturing state information.
Using these monitoring metrics and event rules to trigger an email notification via SNS, one can get near real-time notice of “interesting” events or create actions to respond to said events dynamically.
We will focus on the BASICS of simply sending an email when an event occurs.
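As an added illustration (not code from this post), here is the matching a CloudWatch Events rule performs, written out in Python and run over a constructed CloudTrail-style event: the IAM event pattern, the user ARN, the source IP and the message format are all assumed sample values, and only the exact-value subset of the rule matching semantics is implemented.

```python
# Event pattern in the shape a CloudWatch Events rule accepts. The IAM calls listed are
# assumed example values for a tripwire rule, not something the post prescribes.
IAM_TRIPWIRE_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateUser", "AttachUserPolicy", "CreateAccessKey"],
    },
}

def matches(pattern, event):
    """Exact-value subset of rule matching: every pattern key must exist in the event, a list
    is an OR over allowed values, nested dicts recurse, keys absent from the pattern are ignored."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True

def sns_message(event):
    """Text an SNS email target would carry for a matched event (assumed format)."""
    d = event["detail"]
    return (f"[C1 tripwire] {d['eventName']} on {d['eventSource']} by "
            f"{d['userIdentity']['arn']} from {d['sourceIPAddress']} at {d['eventTime']}")

def check(event, pattern=IAM_TRIPWIRE_PATTERN):
    """Return the notification text when the rule matches, otherwise None."""
    return sns_message(event) if matches(pattern, event) else None

# Constructed sample event, shaped like a CloudTrail record delivered to CloudWatch Events
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.iam",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "eventTime": "2021-04-06T12:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "sourceIPAddress": "203.0.113.10",
    },
}
```

Calling `check(SAMPLE_EVENT)` returns the line an email subscriber would receive; the same event with an eventName outside the list returns None, which is the rule not firing.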
I shall tag / title this set of missives as C1, a riff on the traditional C3 (Command, Communications, and Control) information system used in military operations.