31. Cloud Watch

i. A monitoring service for AWS resources as well as applications that run on AWS {like a gym trainer who watches the performance}. It monitors performance.

Cloud Watch can monitor things like:

Compute:
• EC2 instances (Cloud Watch monitors EC2 every 5 minutes by default)
• Autoscaling groups
• ELB (Elastic Load Balancers)
• Route 53 health checks

Storage & Content Delivery:
• EBS volumes
• Storage gateways
• Cloud Front

We can get a one minute interval by turning on detailed monitoring. We can create Cloud Watch alarms that trigger notifications.

i. Monitoring at the host level: host level metrics consist of CPU, n/w, disk and status checks
ii. Cloud Trail {think of CC TV or auditing} increases visibility into user & resource activity by recording AWS management console actions and API calls. For example, when we create an S3 bucket or an EC2 instance, we are making an API call to AWS, and this is all recorded by Cloud Trail. We can identify which users & accounts called AWS, the source IP address from which the calls were made, & when the calls were made.
iii. Cloud Watch monitors performance
iv. Cloud Trail monitors API calls in the AWS platform
v. We can see the monitoring option in step 3 of the EC2 launch wizard: configure instance details
vi. Standard monitoring = 5 min and detailed monitoring = 1 min

What we can do with Cloud Watch:
i. Dashboards: Create dashboards to see what is happening in the AWS environment
ii. Alarms: Allows you to set alarms that notify you when particular thresholds are hit
iii. Events: Cloud Watch events help you respond to state changes in AWS resources
iv. Logs: Cloud Watch logs help you aggregate, monitor & store logs

Question 1:
Log data is stored indefinitely and alarm history is deleted. Supports ELB.

Question 2:
How is CloudWatch integrated with Lambda? (Select two)
A. tenant must enable CloudWatch monitoring
B. network metrics such as latency are not monitored
C. Lambda functions are automatically monitored through Lambda service
D. log group is created for each event source
E. log group is created for each function
Answer (C,E)

Question 3:
What two statements correctly describe AWS monitoring and audit operations?
A. CloudTrail captures API calls, stores them in an S3 bucket and generates
a Cloudwatch event
B. CloudWatch alarm can send a message to a Lambda function
C. CloudWatch alarm can send a message to an SNS Topic that triggers an
event for a Lambda function
D. CloudTrail captures all AWS events and stores them in a log file
E. VPC logs do not support events for security groups
Answer (A,C)

Question 4:
What are two features of CloudWatch operation?
A. CloudWatch does not support custom metrics
B. CloudWatch permissions are granted per feature and not AWS resource
C. Collect and monitor operating system and application generated log files
D. AWS services automatically create logs for CloudWatch
E. CloudTrail generates logs automatically when AWS account is activated
Answer (B,C)

Question 5:
You are asked to select an AWS solution that will create a log entry any time a
snapshot of an RDS database instance is taken and the original instance is deleted.
Select the AWS service that would provide that feature.
A. VPC Flow Logs
B. RDS Access Logs
C. CloudWatch
D. CloudTrail
Answer (D)

Question 5:
What is required to enable application and operating system generated logs and publish to CloudWatch Logs?
A. Syslog
B. enable access logs
C. IAM cross-account enabled
D. CloudWatch Log Agent
Answer (D)

Question 6:
What two statements correctly describe CloudWatch monitoring of database
instances?
A. Metrics are sent automatically from DynamoDB and RDS to CloudWatch
B. alarms must be configured for DynamoDB and RDS within CloudWatch
C. metrics are not enabled automatically for DynamoDB and RDS
D. RDS does not support monitoring of operating system metrics
Answer (A,B)

Question 7:
What Amazon AWS service provides account transaction monitoring and security audit?
A. CloudFront
B. CloudTrail
C. CloudWatch
D. security group
Answer (B)

Question 8:
What AWS service is used to monitor tenant remote access and various security errors including authentication retries?
A. SSH
B. Telnet
C. CloudFront
D. CloudWatch
Answer (D)

Question 9:
What feature enables CloudWatch to manage capacity dynamically for EC2
instances?
A. replication lag
B. Auto-Scaling
C. Elastic Load Balancer
D. vertical scaling
Answer (B)

Question 10:
Select two cloud infrastructure services and/or components included with default CloudWatch monitoring?
A. SQS queues
B. operating system metrics
C. hypervisor metrics
D. virtual appliances
E. application level metrics
Answer (A,C)

Question 11:
The engineering team at a social media company wants to use Amazon CloudWatch alarms to automatically recover EC2 instances if they become impaired. The team has hired you as a solutions architect to provide subject matter expertise.
As a solutions architect, which of the following statements would you identify as CORRECT regarding this automatic recovery process? (Select two)
A• If your instance has a public IPv4 address, it retains the public IPv4 address after recovery
B• During instance recovery, the instance is migrated during an instance reboot, and any data that is in-memory is retained
C• Terminated EC2 instances can be recovered if they are configured at the launch of instance
D• A recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata
E• If your instance has a public IPv4 address, it does not retain the public IPv4 address after recovery
Answer: A & D
Explanation
Correct options:
A recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata
If your instance has a public IPv4 address, it retains the public IPv4 address after recovery
You can create an Amazon CloudWatch alarm to automatically recover the Amazon EC2 instance if it becomes impaired due to an underlying hardware failure or a problem that requires AWS involvement to repair. Terminated instances cannot be recovered. A recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata. If the impaired instance is in a placement group, the recovered instance runs in the placement group. If your instance has a public IPv4 address, it retains the public IPv4 address after recovery. During instance recovery, the instance is migrated during an instance reboot, and any data that is in-memory is lost.
Incorrect options:
Terminated EC2 instances can be recovered if they are configured at the launch of instance – This is incorrect, as terminated instances cannot be recovered.
During instance recovery, the instance is migrated during an instance reboot, and any data that is in-memory is retained – As mentioned above, during instance recovery, the instance is migrated during an instance reboot, and any data that is in-memory is lost.
If your instance has a public IPv4 address, it does not retain the public IPv4 address after recovery – As mentioned above, if your instance has a public IPv4 address, it retains the public IPv4 address after recovery.

Question 12:
A startup has recently moved their monolithic web application to AWS Cloud. The application runs on a single EC2 instance. Currently, the user base is small and the startup does not want to spend effort on elaborate disaster recovery strategies or Auto Scaling Group. The application can afford a maximum downtime of 10 minutes.
In case of a failure, which of these options would you suggest as a cost-effective and automatic recovery procedure for the instance?
A• Configure AWS Trusted Advisor to monitor the health check of EC2 instance and provide a remedial action in case an unhealthy flag is detected
B• Configure an Amazon CloudWatch alarm that triggers the recovery of the EC2 instance, in case the instance fails. The instance can be configured with EBS volume or with instance store volumes
C• Configure an Amazon CloudWatch alarm that triggers the recovery of the EC2 instance, in case the instance fails. The instance, however, should only be configured with an EBS volume
D• Configure Amazon CloudWatch events that can trigger the recovery of the EC2 instance, in case the instance or the application fails
Answer: C
Explanation
Correct option:
Configure an Amazon CloudWatch alarm that triggers the recovery of the EC2 instance, in case the instance fails. The instance, however, should only be configured with an EBS volume – If your instance fails a system status check, you can use CloudWatch alarm actions to automatically recover it. The recover option is available for over 90% of deployed customer EC2 instances. The CloudWatch recovery option works only for system check failures, not for instance status check failures. Also, if you terminate your instance, then it can’t be recovered.
You can create an Amazon CloudWatch alarm that monitors an Amazon EC2 instance and automatically recovers the instance if it becomes impaired due to an underlying hardware failure or a problem that requires AWS involvement to repair. Terminated instances cannot be recovered. A recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata. If the impaired instance is in a placement group, the recovered instance runs in the placement group.
The automatic recovery process attempts to recover your instance for up to three separate failures per day. Your instance may subsequently be retired if automatic recovery fails and a hardware degradation is determined to be the root cause for the original system status check failure.
Incorrect options:
Configure Amazon CloudWatch events that can trigger the recovery of the EC2 instance, in case the instance or the application fails – You cannot use CloudWatch events to directly trigger the recovery of the EC2 instance.
Configure an Amazon CloudWatch alarm that triggers the recovery of the EC2 instance, in case the instance fails. The instance can be configured with EBS volume or with instance store volumes – The recover action is supported only on instances that have EBS volumes configured on them, instance store volumes are not supported for automatic recovery by CloudWatch alarms.
Configure AWS Trusted Advisor to monitor the health check of EC2 instance and provide a remedial action in case an unhealthy flag is detected – You can use Amazon CloudWatch Events to detect and react to changes in the status of Trusted Advisor checks. This support is only available with AWS Business Support and AWS Enterprise Support. Trusted Advisor by itself does not support health checks of EC2 instances or their recovery.
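As an added example (not part of the original notes), a CloudFormation template that builds the recovery alarm described in Question 12: it watches the EC2 system status check metric StatusCheckFailed_System and, when it fails, runs the built-in EC2 recover action and notifies an SNS topic so the recovery is not silent. The InstanceId and AlertEmail parameters are assumed inputs; the instance must be EBS-backed for the recover action to apply.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudWatch alarm that auto-recovers an EBS-backed EC2 instance on a system status check failure

Parameters:
  InstanceId:
    Type: AWS::EC2::Instance::Id      # assumed input: the EBS-backed instance to protect
  AlertEmail:
    Type: String                      # assumed input: where recovery notifications go

Resources:
  # Operators get an e-mail each time the alarm fires, so recoveries are visible
  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail

  RecoveryAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Recover the instance when the EC2 system status check fails
      Namespace: AWS/EC2
      # System status check only: the recover action does not apply to
      # instance status check failures (StatusCheckFailed_Instance)
      MetricName: StatusCheckFailed_System
      Dimensions:
        - Name: InstanceId
          Value: !Ref InstanceId
      Statistic: Maximum
      Period: 60                      # one-minute datapoints
      EvaluationPeriods: 2            # two consecutive failing minutes before acting
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: missing
      AlarmActions:
        # Built-in EC2 recover action: no Lambda or Events rule is involved
        - !Sub "arn:aws:automate:${AWS::Region}:ec2:recover"
        - !Ref AlertTopic

Outputs:
  AlarmName:
    Value: !Ref RecoveryAlarm
```

The recover action keeps the instance ID, private and Elastic IPs and metadata, as the explanation above states, but in-memory data is lost with the reboot, so the application on the instance must tolerate that.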

Question 13:
A social media startup uses AWS Cloud to manage its IT infrastructure. The engineering team at the startup wants to perform weekly database rollovers for a MySQL database server using a serverless cron job that typically takes about 5 minutes to execute the database rollover script written in Python. The database rollover will archive the past week’s data from the production database to keep the database small while still keeping its data accessible.
As a solutions architect, which of the following would you recommend as the MOST cost-efficient and reliable solution?
A• Create a time-based schedule option within an AWS Glue job to invoke itself every week and run the database rollover script
B• Provision an EC2 spot instance to run the database rollover script to be run via an OS-based weekly cron expression
C• Provision an EC2 scheduled reserved instance to run the database rollover script to be run via an OS-based weekly cron expression
D• Schedule a weekly CloudWatch event cron expression to invoke a Lambda function that runs the database rollover job
Answer: D
Explanation
Correct option:
Schedule a weekly CloudWatch event cron expression to invoke a Lambda function that runs the database rollover job
AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume. AWS Lambda supports standard rate and cron expressions for frequencies of up to once per minute.
Schedule expressions using rate or cron:
Incorrect options:
Create a time-based schedule option within an AWS Glue job to invoke itself every week and run the database rollover script – AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. AWS Glue job is meant to be used for batch ETL data processing and it’s not the right fit for running a database rollover script. Although AWS Glue is also serverless, Lambda is a more cost-effective option compared to AWS Glue.
Provision an EC2 spot instance to run the database rollover script to be run via an OS-based weekly cron expression – A Spot Instance is an unused EC2 instance that is available for less than the On-Demand price. Because Spot Instances enable you to request unused EC2 instances at steep discounts, you can lower your Amazon EC2 costs significantly (up to 90% off the On-Demand price). As the Spot Instance runs only whenever capacity is available, there is no guarantee that the weekly job will be executed during the defined time window. Additionally, the given use-case requires a serverless solution, therefore this option is incorrect.
Provision an EC2 scheduled reserved instance to run the database rollover script to be run via an OS-based weekly cron expression – Scheduled Reserved Instances run on a part-time basis. The Scheduled Reserved Instances option allows you to reserve capacity on a recurring daily, weekly, or monthly schedule. Scheduled Reserved Instances are available for one-year terms at 5-10% below On-Demand rates. As the given use-case requires a serverless solution, this option is incorrect.
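As an added example, not from the original notes, a CloudFormation template for the schedule chosen in Question 13: a CloudWatch Events (EventBridge) rule with a weekly cron expression that invokes an existing rollover Lambda function, plus the resource policy that lets the rule call it. RolloverFunctionArn is an assumed parameter pointing at the function that already holds the Python rollover script.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Weekly CloudWatch Events cron schedule that invokes the database rollover Lambda

Parameters:
  RolloverFunctionArn:
    Type: String          # assumed input: ARN of the Lambda holding the Python rollover script

Resources:
  WeeklyRolloverRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Run the database rollover every Sunday at 03:00 UTC
      # AWS cron format: minutes hours day-of-month month day-of-week year
      # Either day-of-month or day-of-week must be "?"; all times are UTC.
      # The coarser rate(7 days) form would also work, but cron pins the day and hour.
      ScheduleExpression: cron(0 3 ? * SUN *)
      State: ENABLED
      Targets:
        - Id: RolloverTarget
          Arn: !Ref RolloverFunctionArn

  # Without this permission the rule fires but Lambda rejects the invocation
  AllowEventsToInvokeRollover:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref RolloverFunctionArn
      Principal: events.amazonaws.com
      SourceArn: !GetAtt WeeklyRolloverRule.Arn
```

Set the function's timeout above the expected 5-minute run; Lambda caps it at 15 minutes, so a rollover that grows past that needs to be split into smaller steps.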