AWS prescriptive-guidance medium security documentation change
Summary
Expanded guidance on CloudWatch Logs Insights usage, added security section about IAM policies and KMS encryption, and cost optimization tips
Security assessment
Added explicit security section detailing IAM least privilege policies and KMS encryption for log data. These are direct security controls to prevent unauthorized access and protect sensitive information.
Diff
diff --git a/prescriptive-guidance/latest/patterns/monitor-application-activity-by-using-cloudwatch-logs-insights.md b/prescriptive-guidance/latest/patterns/monitor-application-activity-by-using-cloudwatch-logs-insights.md index 2080c6703..172783415 100644 --- a//prescriptive-guidance/latest/patterns/monitor-application-activity-by-using-cloudwatch-logs-insights.md +++ b//prescriptive-guidance/latest/patterns/monitor-application-activity-by-using-cloudwatch-logs-insights.md @@ -17 +17,25 @@ Logs play a crucial role in monitoring system behavior, identifying issues, and -This pattern is particularly valuable for teams that need to maintain high application availability and quickly respond to production issues. It’s relevant across various industries and use cases. For example, in telecommunications, it enables quick identification of network misconfigurations or outages and detection of suboptimal routing paths to pinpoint potential congestion. In the Internet of Things (IoT) domain, Greengrass components can publish logs to CloudWatch, allowing this technique to extract relevant log details and present them in a comprehensive dashboard. +This pattern is particularly valuable for teams that need to do the following: + + * Maintain high application availability. + + * Respond to production issues quickly. + + * Analyze application-specific errors not captured by AWS service logs. + + * Perform on-demand log analysis without pre-built infrastructure. + + + + +CloudWatch Logs Insights is optimal for analyzing application-generated logs where the error context exists only within your application code. CloudWatch Logs Insights excels at the following tasks: + + * Query unstructured or semi-structured log data. + + * Perform on-demand analysis during incident response. + + * Correlate events across multiple log groups. + + * Create quick visualizations without external tools. + + + @@ -43 +67 @@ The following diagram shows how CloudWatch Logs Insights evaluates resource logs - + @@ -74,0 +99,2 @@ Developers can automate this pattern’s solution by using the AWS Cloud Develop +**Query efficiency** + @@ -83,3 +109 @@ Developers can automate this pattern’s solution by using the AWS Cloud Develop - * Monitor queries to identify potential performance issues or bottlenecks. - - * Set query limits to avoid excessive costs or resource consumption. + * Limit query time ranges to reduce data scanned and improve performance. @@ -89 +112,0 @@ Developers can automate this pattern’s solution by using the AWS Cloud Develop - * Apply appropriate [IAM policies to control access](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html) to CloudWatch Logs Insights and log groups. Follow the principle of least privilege and grant the minimum permissions required to perform a task. For more information, see [Grant least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#grant-least-priv) and [Security best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the IAM documentation. @@ -91 +114,20 @@ Developers can automate this pattern’s solution by using the AWS Cloud Develop - * Enable log [data encryption using AWS KMS](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs-Insights-Query-Encrypt.html) for sensitive log data. + + +**Security** + + * Apply appropriate IAM[ policies](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html) to CloudWatch Logs Insights and log groups. Follow the principle of least privilege and grant the minimum permissions required to perform a task. For more information, see [Grant least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#grant-least-priv) and [Security best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the IAM documentation. + + * Enable [log data encryption using AWS KMS](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs-Insights-Query-Encrypt.html) for sensitive log data. + + + + +**Cost optimization** + + * CloudWatch Logs Insights charges per GB of data scanned per query. Narrow time ranges and target specific log groups to reduce costs. + + * Configure appropriate log retention policies to manage storage costs. + + * For frequent analysis of large historical datasets, consider exporting logs to Amazon S3 and using Amazon Athena. + + * Review [CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/) to understand cost implications for your use case. @@ -162 +204 @@ For more information, see [Quick Start: Use AWS CloudFormation to get started wi -Generate a CloudWatch Logs Insights query.| To create and save a CloudWatch Logs Insights query: +Generate a CloudWatch Logs Insights query.| To create and save a CloudWatch Logs Insights query, do the following: @@ -188,0 +231,2 @@ Log groups not creating log streams| In the IAM policy, make sure that the resou +Query timeout or slow performance| Reduce the time range, target specific log groups, or simplify the query. Complex regular expression (`regex`) patterns and large time ranges increase query time. +No data returned for valid time range| Verify log group selection and check that logs are being ingested (review log streams), and confirm the filter pattern matches your log format.