From 4134f6ace73ecf92bae6a6a0e936ea0ef90e5cb9 Mon Sep 17 00:00:00 2001 From: m4dn3g4t1v3 <36699013+m4dn3g4t1v3@users.noreply.github.com> Date: Fri, 7 Jun 2024 08:37:41 +0200 Subject: [PATCH] aws-cloudwatch-enum.md v1.1 --- .../aws-cloudwatch-enum.md | 96 +++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md index eec9fddf2b..2b899cf0f1 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md +++ b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md 
@@ -29,6 +29,102 @@ You can monitor for example logs from CloudTrail. Events that are monitored: * API calls that resulted in failed authorization * Filters to search in cloudwatch: [https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html) +## Key concepts + +### Namespaces + +A namespace is a container for CloudWatch metrics. It helps to categorize and isolate metrics, making it easier to manage and analyze them. + +- **Examples**: AWS/EC2 for EC2-related metrics, AWS/RDS for RDS metrics. + +### Metrics + +Metrics are data points collected over time that represent the performance or utilization of AWS resources. Metrics can be collected from AWS services, custom applications, or third-party integrations. + +- **Example**: CPUUtilization, NetworkIn, DiskReadOps. + +### Dimensions + +Dimensions are key-value pairs that are part of metrics. They help to uniquely identify a metric and provide additional context, being 30 the most number of dimensions that can be associated with a metric. Dimensions also allow to filter and aggregate metrics based on specific attributes. + +- **Example**: For EC2 instances, dimensions might include InstanceId, InstanceType, and AvailabilityZone. + +### Statistics + +Statistics are mathematical calculations performed on metric data to summarize it over time. Common statistics include Average, Sum, Minimum, Maximum, and SampleCount. + +- **Example**: Calculating the average CPU utilization over a period of one hour. + +### Units + +Units are the measurement type associated with a metric. Units help to provide context and meaning to the metric data. Common units include Percent, Bytes, Seconds, Count. + +- **Example**: CPUUtilization might be measured in Percent, while NetworkIn might be measured in Bytes. 
+ +## CloudWatch Features + +### Dashboard + +**CloudWatch Dashboards** provide customizable **views of your AWS CloudWatch metrics**. It is possible to create and configure dashboards to visualize data and monitor resources in a single view, combining different metrics from various AWS services. + +**Key Features**: + +- **Widgets**: Building blocks of dashboards, including graphs, text, alarms, and more. +- **Customization**: Layout and content can be customized to fit specific monitoring needs. + +**Example Use Case**: + +- A single dashboard showing key metrics for your entire AWS environment, including EC2 instances, RDS databases, and S3 buckets. + +### Metric Stream and Metric Data + +**Metric Streams** in AWS CloudWatch enable you to continuously stream CloudWatch metrics to a destination of your choice in near real-time. This is particularly useful for advanced monitoring, analytics, and custom dashboards using tools outside of AWS. + +**Metric Data** inside Metric Streams refers to the actual measurements or data points that are being streamed. These data points represent various metrics like CPU utilization, memory usage, etc., for AWS resources. + +**Example Use Case**: + +- Sending real-time metrics to a third-party monitoring service for advanced analysis. +- Archiving metrics in an Amazon S3 bucket for long-term storage and compliance. + +### Alarm + +**CloudWatch Alarms** monitor your metrics and perform actions based on predefined thresholds. When a metric breaches a threshold, the alarm can perform one or more actions such as sending notifications via SNS, triggering an auto-scaling policy, or running an AWS Lambda function. + +**Key Components**: + +- **Threshold**: The value at which the alarm triggers. +- **Evaluation Periods**: The number of periods over which data is evaluated. 
+- **Datapoints to Alarm**: The number of periods with a reached threshold needed to trigger the alarm +- **Actions**: What happens when an alarm state is triggered (e.g., notify via SNS). + +**Example Use Case**: + +- Monitoring EC2 instance CPU utilization and sending a notification via SNS if it exceeds 80% for 5 consecutive minutes. + +### Anomaly Detectors + +**Anomaly Detectors** use machine learning to automatically detect anomalies in your metrics. You can apply anomaly detection to any CloudWatch metric to identify deviations from normal patterns that might indicate issues. + +**Key Components**: + +- **Model Training**: CloudWatch uses historical data to train a model and establish what normal behavior looks like. +- **Anomaly Detection Band**: A visual representation of the expected range of values for a metric. + +**Example Use Case**: + +- Detecting unusual CPU utilization patterns in an EC2 instance that might indicate a security breach or application issue. + +### Insight Rules and Managed Insight Rules + +**Insight Rules** allow you to identify trends, detect spikes, or other patterns of interest in your metric data using **powerful mathematical expressions** to define the conditions under which actions should be taken. These rules can help you identify anomalies or unusual behaviors in your resource performance and utilization. + +**Managed Insight Rules** are pre-configured **insight rules provided by AWS**. They are designed to monitor specific AWS services or common use cases and can be enabled without needing detailed configuration. + +**Example Use Case**: + +- Monitoring RDS Performance: Enable a managed insight rule for Amazon RDS that monitors key performance indicators such as CPU utilization, memory usage, and disk I/O. If any of these metrics exceed safe operational thresholds, the rule can trigger an alert or automated mitigation action. 
+ ### CloudWatch Logs Allows to **aggregate and monitor logs from applications** and systems from **AWS services** (including CloudTrail) and **from apps/systems** (**CloudWatch Agen**t can be installed on a host). Logs can be **stored indefinitely** (depending on the Log Group settings) and can be exported.
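Review bot: The "Insight Rules and Managed Insight Rules" section describes the wrong feature. Insight rules in CloudWatch are Contributor Insights rules: a rule definition names one or more log groups, the log field(s) to aggregate on and an optional filter, and CloudWatch reports the top contributors (for example the IP addresses or users generating the most matching events). They do not "use powerful mathematical expressions" over metric data; that description fits metric math expressions, which are a separate feature used inside alarms and dashboards. The RDS example ("Enable a managed insight rule for Amazon RDS that monitors ... CPU utilization, memory usage, and disk I/O") should be dropped or replaced with a case taken from the AWS list of managed rule templates, since the managed rules are service-provided Contributor Insights rules, not threshold alerts. Suggested rewrite for the first paragraph: "Insight Rules (Contributor Insights) evaluate log events from selected CloudWatch Logs log groups and rank the top contributors for a chosen key, which is useful to spot a single principal, IP or resource responsible for a spike." Please also state that the rule definition lives in `PutInsightRule` / `DescribeInsightRules`, since this is an enumeration page.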
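Review bot: In the "Dimensions" paragraph the sentence "being 30 the most number of dimensions that can be associated with a metric" is ungrammatical; suggest "a metric can have at most 30 dimensions". The example in the same section lists `AvailabilityZone` as an EC2 dimension, but the AWS/EC2 namespace publishes instance metrics with the dimensions `InstanceId`, `InstanceType`, `ImageId` and `AutoScalingGroupName`; replace `AvailabilityZone` with one of those so the example matches what `list-metrics` actually returns. Minor wording in the "Alarm" section: "The number of periods with a reached threshold" reads better as "The number of evaluation periods that must breach the threshold".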
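Review bot: The new "Key concepts" and "CloudWatch Features" sections are missing the enumeration commands this file (aws-cloudwatch-enum.md) exists to document. Each feature added here has a direct listing call that a tester with `cloudwatch:Describe*` / `cloudwatch:List*` permissions can run, and the section would be far more useful with them next to the descriptions, e.g. `aws cloudwatch list-dashboards`, `aws cloudwatch describe-alarms`, `aws cloudwatch list-metric-streams`, `aws cloudwatch describe-anomaly-detectors` and `aws cloudwatch describe-insight-rules` (plus `aws cloudwatch list-metrics --namespace AWS/EC2` for the namespaces/dimensions explained under "Key concepts"). The "Alarm" section also states that alarms trigger SNS notifications, auto scaling policies and Lambda functions; from the attacker's viewpoint that makes alarms worth a dedicated line, since an alarm wired to a security notification is a detection that can be enumerated via `describe-alarms` and, with write permissions, silenced by disabling its actions. Consider adding that note so the page covers the defensive relevance as well as the feature list.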