Amazon Web Services
Services
| Service | Description |
|---|---|
| CloudWatch | Observability (logging, monitoring, alerting) |
| EC2 | Virtual machines |
CloudWatch
Observability service. with functions for logging, monitoring and alerting.
Metrics are whatever needs to be monitored (e.g. CPU usage). Data points are the values of a metric over time. Namespaces are containers for metrics.
Metrics only exist in the region in which they are created.
Many AWS services offer basic monitoring by publishing a default set of
metrics to CloudWatch with no charge.
This feature is automatically enabled by default when one starts using one of these services.
Resource constraints
| Data type | Component | Summary | Description | Type | Length | Pattern | Required |
|---|---|---|---|---|---|---|---|
| Tag | Key | Required name of the tag | The string value can be Unicode characters and cannot be prefixed with "aws:". The string can contain only the set of Unicode letters, digits, white-space, _,' ., /, =, +, -, :, @ (Java regex: ^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$) |
String | 1 to 128 | ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$ |
Yes |
| Tag | Value | The optional value of the tag | The string value can be Unicode characters. The string can contain only the set of Unicode letters, digits, white-space, _, ., /, =, +, -, :, @ (Java regex: ^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$", [\p{L}\p{Z}\p{N}_.:\/=+\-@]* on AWS) |
String | 0 to 256 | ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$ |
Yes |
Access control
| Entity | Description | Notes |
|---|---|---|
| User | Represents a human or a workload. Defined by its name and credentials. |
No permissions by default, need to be assigned to it |
| Role | Defines a set of permissions for making requests to AWS services. Defines what actions can be performed on which resources. |
Can be assumed by AWS services, applications and users |
To be able to assume roles:
- Users, roles or services must have the permissions to assume the role they want to assume.
- The role's trust relationship should allow the users, roles or services to assume it.
From Using service-linked roles:
A service role is an IAM role that a service assumes to perform actions on your behalf.
An IAM administrator can create, modify, and delete a service role from within IAM.A service-linked role is a type of service role that is linked to an AWS service.
The service can assume the role to perform an action on your behalf.
Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.
Further readings
- EC2
- Services that publish CloudWatch metrics
- Using service-linked roles
- Best Practices for Tagging AWS Resources