General Info

Use cases: Monitoring service for AWS resources/applications that:
  1. Collects monitoring and operational data in the form of logs, metrics and events
  2. Provides a unified view of AWS resources, applications and services
  3. Can set high-resolution alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to optimize applications
  • Resource utilization, operational performance monitoring
    • Provides: disk read operations, CPU usage, and inbound network traffic
    • Does not provide memory usage
  • Real-time monitoring
  • Log aggregation and basic analysis
  • 5,000 alarms for each AWS account
  • Metrics data retained for 2 weeks by default

CloudWatch Logs

  • Allows to aggregate and monitor logs from applications and systems
  • Sources
    • pushed from some AWS services (including CloudTrail)
    • pushed from your apps/systems
    • metrics from log entry matches
  • Elements
    • Log Group: a collection of log streams that share the same retention, monitoring, and access control settings
    • Log Stream: a sequence of log events that share the same source
    • Subscription Filters: define a filter pattern that matches events in a particular log group and send them to a Kinesis Data Firehose stream, a Kinesis stream, or a Lambda function
  • Storage
    • stored indefinitely (does not use S3) unless you set a retention period on a Log Group
    • can export Log Groups (in a particular time range) to S3 (not real time)
  • Integrations
    • CloudWatch Agent can be installed on a host (e.g. via SSM) to push logs to CloudWatch Logs
    • can receive events from other accounts by creating a "destination" in CloudWatch, which references a receiving Kinesis stream
      • the destination has a resource-based policy that controls which accounts can write to the destination
      • CloudWatch Logs on the sender side can then stream to the other account
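The "metrics from log entry matches" bullet above is the metric-filter idea: a filter pattern is applied to every log event and each match contributes to a metric, which can then drive an alarm. The following is an added example (not code from the original notes) that implements a simplified, substring-based approximation of the CloudWatch term syntax (bare term, "quoted phrase", -term to exclude, ?term for any-of) and counts matches per one-minute period over constructed log lines; the sample events, the pattern subset and the period bucketing are assumptions of this example, not a faithful reimplementation of the service.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log events as (ISO-8601 timestamp, message) pairs; not real data.
SAMPLE_LOG_EVENTS = [
    ("2024-01-01T10:00:05Z", "INFO  user=alice action=login result=success"),
    ("2024-01-01T10:00:40Z", "ERROR user=bob action=login result=failure reason=bad_password"),
    ("2024-01-01T10:01:10Z", "ERROR user=bob action=login result=failure reason=bad_password"),
    ("2024-01-01T10:01:55Z", "WARN  user=bob action=login result=throttled"),
    ("2024-01-01T10:02:30Z", "ERROR user=carol action=upload result=failure reason=timeout"),
]


def parse_pattern(pattern):
    """Split a filter pattern into (required, excluded, any_of) term lists.

    Supported subset (a simplified approximation of the CloudWatch term syntax):
      term            must appear
      "quoted phrase" must appear as a phrase (spaces allowed)
      -term           must NOT appear
      ?term           at least one ?-term must appear
    """
    tokens = re.findall(r'[-?]?"[^"]*"|\S+', pattern)
    required, excluded, any_of = [], [], []
    for tok in tokens:
        if tok.startswith("-"):
            excluded.append(tok[1:].strip('"'))
        elif tok.startswith("?"):
            any_of.append(tok[1:].strip('"'))
        else:
            required.append(tok.strip('"'))
    return required, excluded, any_of


def matches(pattern, message):
    """True if the message satisfies the pattern (case-sensitive substring checks)."""
    required, excluded, any_of = parse_pattern(pattern)
    if any(term not in message for term in required):
        return False
    if any(term in message for term in excluded):
        return False
    if any_of and not any(term in message for term in any_of):
        return False
    return True


def metric_datapoints(pattern, events, period_seconds=60):
    """Count matching events per period, like a metric filter emitting value 1 per match.

    Returns {period_start_epoch_seconds: count}, sorted by time.
    """
    counts = Counter()
    for timestamp, message in events:
        if matches(pattern, message):
            epoch = int(datetime.fromisoformat(timestamp.replace("Z", "+00:00")).timestamp())
            counts[epoch - epoch % period_seconds] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    # Failed logins that were not merely throttled, bucketed per minute.
    print(metric_datapoints("ERROR action=login -throttled", SAMPLE_LOG_EVENTS))
```

The per-period counts are exactly the shape an alarm consumes (one datapoint per period), which is why a metric filter plus an alarm is the usual way to turn a log pattern such as repeated failed logins into a notification.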

CloudWatch Monitoring

  • Provides monitoring of performance metrics (real time)
  • Types
    • Basic monitoring
      • Sends data points to CloudWatch every 5 mins
      • For a limited number of metrics
      • No charge
    • Detailed monitoring
      • Sends data points every 1 min
      • Allows data aggregation (across AZs within a region)
      • Additional charge
  • Metrics
    • Hypervisor visible metrics (CPU) (NO MEMORY)
    • default = CPU util/network util
    • custom = disk space/RAM utilization
  • Alarms = if CPU > 80% for 5 mins -> alarm
  • Notifications = SNS
  • Can support on-premise services (doesn't need to be an AWS service)
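The "CPU > 80% for 5 mins -> alarm" rule above behaves differently depending on how often datapoints arrive. The following added example (not code from the original notes) models a simplified alarm evaluator: it rolls constructed per-minute CPU samples into 1-minute or 5-minute datapoints with the Average statistic, then evaluates the most recent N datapoints against a threshold, reporting OK, ALARM or INSUFFICIENT_DATA. The sample values, the state names' exact semantics around missing data and the "M out of N" option are assumptions of this example, simplified relative to the real service.

```python
from statistics import mean

# Constructed per-minute CPU utilisation samples (percent) for one instance; not real data.
# Minutes 3..7 (85, 90, 88, 92, 95) form a five-minute burst above 80%.
CPU_PER_MINUTE = [40, 55, 85, 90, 88, 92, 95, 60, 50, 45]


def aggregate(samples, period_minutes):
    """Roll 1-minute samples into datapoints of `period_minutes` using the Average statistic.

    period_minutes=1 mimics detailed monitoring (1-min datapoints),
    period_minutes=5 mimics basic monitoring (5-min datapoints).
    """
    return [mean(samples[i:i + period_minutes])
            for i in range(0, len(samples), period_minutes)]


def alarm_state(datapoints, threshold, evaluation_periods, datapoints_to_alarm=None):
    """Evaluate the most recent `evaluation_periods` datapoints against a GreaterThan threshold.

    ALARM when at least `datapoints_to_alarm` of them breach (default: all of them, i.e.
    the plain 'for N consecutive periods' case); INSUFFICIENT_DATA when fewer than
    `evaluation_periods` datapoints exist yet; OK otherwise.
    """
    if datapoints_to_alarm is None:
        datapoints_to_alarm = evaluation_periods
    if len(datapoints) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    window = datapoints[-evaluation_periods:]
    breaching = sum(1 for value in window if value > threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


def state_timeline(samples, period_minutes, threshold, evaluation_periods):
    """Alarm state after each new datapoint arrives, in arrival order."""
    datapoints = aggregate(samples, period_minutes)
    return [alarm_state(datapoints[:i + 1], threshold, evaluation_periods)
            for i in range(len(datapoints))]


if __name__ == "__main__":
    # The same rule "CPU > 80% for 5 minutes", fed with both monitoring granularities:
    # detailed = five 1-minute datapoints, basic = one 5-minute datapoint.
    print("detailed:", state_timeline(CPU_PER_MINUTE, 1, 80, 5))
    print("basic:   ", state_timeline(CPU_PER_MINUTE, 5, 80, 1))
```

With 1-minute datapoints the burst produces an ALARM at minute 7; with 5-minute datapoints the same burst is averaged with the quiet minutes around it (71.6% and 68.4%) and never crosses the threshold, which is the practical reason to enable detailed monitoring on hosts where short spikes matter.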

CloudWatch Events

  • Provides a near real-time stream of events within your AWS account which can be used to trigger actions (such as a Lambda function) to perform a task
  • Near real-time stream of system events (event-driven security)
  • Event sources
    • AWS CloudTrail (API calls)
    • AWS resource state changes
    • Custom events (code)
    • Scheduled
  • Rules
    • Match incoming events and route them to 1+ targets
    • Trigger from either event patterns or a schedule
    • Send the event as JSON to one or more targets
  • Targets
    • AWS Lambda functions, SNS topics, SQS queues, Kinesis Streams
  • Example: a Lambda function can kick in and delete the newly created EC2 instance
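To make the rule/target mechanics concrete, here is an added example (not code from the original notes) of the exact-value event-pattern matching that rules use: a pattern is a JSON object whose leaf values are lists of accepted values, an event matches when every key in the pattern exists in the event with one of the listed values, and nested objects are matched recursively. Matching events are fanned out as JSON to each of the rule's targets, which is how a CloudTrail RunInstances call reaches a Lambda function and an SNS topic. The sample events, rule names and target names are constructed placeholders, not real ARNs, and the matcher covers only exact-value matching, not prefix or anything-but matchers.

```python
import json

# Constructed sample events, shaped like the envelopes CloudWatch Events delivers
# (CloudTrail API-call events and an EC2 state-change notification); not real data.
SAMPLE_EVENTS = [
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail", "region": "us-east-1",
     "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}},
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail", "region": "us-east-1",
     "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
                "userIdentity": {"type": "IAMUser", "userName": "bob"}}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification", "region": "eu-west-1",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}},
]

# Hypothetical rules: an event pattern plus the targets that receive the matching event as JSON.
# Target names are placeholders, not real ARNs.
RULES = [
    {"name": "unapproved-run-instances",
     "pattern": {"source": ["aws.ec2"],
                 "detail-type": ["AWS API Call via CloudTrail"],
                 "detail": {"eventName": ["RunInstances"]}},
     "targets": ["lambda:terminate-new-instance", "sns:security-alerts"]},
    {"name": "instance-running",
     "pattern": {"detail-type": ["EC2 Instance State-change Notification"],
                 "detail": {"state": ["pending", "running"]}},
     "targets": ["sqs:inventory-queue"]},
]


def pattern_matches(pattern, event):
    """Exact-value event-pattern semantics.

    Every key in the pattern must exist in the event; a list of values means
    'the event value must be one of these' (if the event value is itself a list,
    any element may match); a nested dict recurses into the nested object.
    Keys absent from the pattern are ignored, so a pattern is an 'at least' filter.
    """
    if not isinstance(event, dict):
        return False
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not pattern_matches(expected, actual):
                return False
        else:
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(candidate in expected for candidate in candidates):
                return False
    return True


def route(event, rules=RULES):
    """Return (rule name, target, JSON payload) for every target the event fans out to."""
    payload = json.dumps(event, sort_keys=True)
    return [(rule["name"], target, payload)
            for rule in rules if pattern_matches(rule["pattern"], event)
            for target in rule["targets"]]


def targets_for(event, rules=RULES):
    """Just the target names an event would be delivered to."""
    return [target for _, target, _ in route(event, rules)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["detail-type"], "->", targets_for(event) or "no rule matched")
```

Because only the keys present in the pattern are checked, a rule keyed on eventName alone fires for every RunInstances call regardless of who made it; narrowing on detail.userIdentity or region is done by adding those keys to the pattern, not by post-filtering in the target.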

Access control

  • Use IAM policies to restrict who can access CloudWatch and which actions they can perform
  • However, the data is decoupled from its source, so you cannot restrict access by the originating resource