[SAP] CloudWatch
CloudWatch Alarms
- Can trigger actions: EC2 action (reboot, stop, terminate, recover), Auto Scaling, SNS
- Alarm events can be intercepted by CloudWatch Events
CloudWatch Logs
- Log groups: arbitrary name, usually representing an application
- Log stream: instances within application / log files / containers
- Can define log expiration policies (never expire, 30 days, etc.)
- Optional KMS encryption
- CloudWatch Logs can send logs to:
  - S3
  - KDS (Kinesis Data Streams)
  - KDF (Kinesis Data Firehose)
  - Lambda
  - ElasticSearch
CloudWatch Logs - S3 Export
- S3 bucket must be encrypted with AES-256 (SSE-S3), not SSE-KMS
- Log data can take up to 12 hours to become available for export (so it is not a real-time use case)
- The API call is CreateExportTask
- Not near-real time or real-time... use Logs Subscriptions instead
- For multi-account or multi-region CloudWatch Logs aggregation, send the logs to KDS first.
  - NOT KDF first
  - Then forward to S3
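
A pre-flight check for the S3 export constraints listed above, as an added example that is not part of the original notes. It encodes the SSE-S3 requirement and the 12-hour lag as the notes state them; the function names, log group and bucket are hypothetical, and the sample encryption responses are constructed.

```python
from datetime import datetime, timedelta, timezone

# From the notes above: data can take up to 12 hours to become exportable.
EXPORT_LAG = timedelta(hours=12)

def bucket_uses_sse_s3(enc):
    """enc: dict shaped like the S3 GetBucketEncryption response."""
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules]
    # No rules at all counts as "not SSE-S3" so the check fails closed.
    return bool(algos) and all(a == "AES256" for a in algos)

def to_millis(dt):
    """CreateExportTask takes fromTime/to as milliseconds since the epoch."""
    return int(dt.timestamp() * 1000)

def build_export_task(log_group, bucket, start, end, now, enc):
    """Return CreateExportTask parameters, or raise if the export would not work."""
    if not bucket_uses_sse_s3(enc):
        raise ValueError(f"{bucket}: default encryption is not SSE-S3 (AES256)")
    end = min(end, now - EXPORT_LAG)  # drop the part that may not be exportable yet
    if end <= start:
        raise ValueError("requested window is newer than the 12-hour export lag")
    return {
        "taskName": f"export-{to_millis(start)}-{to_millis(end)}",
        "logGroupName": log_group,
        "fromTime": to_millis(start),
        "to": to_millis(end),
        "destination": bucket,
    }

# Constructed sample inputs (not real resources).
SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SSE_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}

if __name__ == "__main__":
    utc = timezone.utc
    params = build_export_task(
        "/example/app", "example-log-archive",
        start=datetime(2024, 1, 1, tzinfo=utc),
        end=datetime(2024, 1, 2, 10, tzinfo=utc),
        now=datetime(2024, 1, 2, 12, tzinfo=utc),
        enc=SSE_S3)
    print(params)  # pass as logs_client.create_export_task(**params) with boto3
```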