CloudWatch is the monitoring service provided by AWS.
By using the custom metrics feature, monitoring can be consolidated in CloudWatch.
– Usable with no setup required
– Detects abnormal states and recovers automatically
– Alert notifications and actions can be configured based on metrics
– Monitoring targets include EC2, EBS, and so on
### CloudWatch services
"CloudWatch": monitors CPU, memory, etc.; can send e-mail, reboot instances, AutoScale, and so on
"CloudWatch Logs": collects various logs
"CloudWatch Events": executes actions triggered by API events

### CloudFormation template: VPC Flow Logs delivered to CloudWatch Logs
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: VPCFlowLogs Settings
Metadata:
  "AWS::CloudFormation::Interface":
    ParameterGroups:
      - Label:
          default: "Project Name Prefix"
        Parameters:
          - PJPrefix
      - Label:
          default: "VPCFlowLogs Configuration (Destination Type is CloudWatchLogs)"
        Parameters:
          - Filter
          - RetentionInDays

# ------------------------------------------------------------#
# Input Parameters
# ------------------------------------------------------------#
Parameters:
  PJPrefix:
    Type: String
  Filter:
    # Which flows to record: ALL, or only ACCEPT / REJECT decisions
    Type: String
    Default: ALL
    AllowedValues: [ ALL, ACCEPT, REJECT ]
  RetentionInDays:
    AllowedValues: [ 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 ]
    Type: Number
    Default: 30

Resources:
  # ------------------------------------------------------------#
  # IAM Role for VPCFlowLogs
  # ------------------------------------------------------------#
  VPCFlowLogsIAMRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: !Sub "${PJPrefix}-vpcflowlogs-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - "vpc-flow-logs.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: !Sub "${PJPrefix}-vpcflowlogs-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                  - "logs:DescribeLogGroups"
                  - "logs:DescribeLogStreams"
                # "*" grants these actions on every log group; it can be
                # narrowed to the ARN of the LogGroup defined below.
                Resource: "*"

  # ------------------------------------------------------------#
  # LogGroup
  # ------------------------------------------------------------#
  LogGroup:
    Type: "AWS::Logs::LogGroup"
    Properties:
      LogGroupName: !Sub "${PJPrefix}-vpcflowlogs-group"
      RetentionInDays: !Ref RetentionInDays

  # ------------------------------------------------------------#
  # VPCFlowLogs
  # ------------------------------------------------------------#
  VPCFlowLogs:
    Type: "AWS::EC2::FlowLog"
    Properties:
      DeliverLogsPermissionArn: !GetAtt VPCFlowLogsIAMRole.Arn
      # !Ref on a LogGroup resource returns its name
      LogGroupName: !Ref LogGroup
      # VPC ID exported by the network stack that shares this prefix
      ResourceId: { "Fn::ImportValue": !Sub "${PJPrefix}-vpc" }
      ResourceType: "VPC"
      TrafficType: !Ref Filter

# ------------------------------------------------------------#
# Output Parameters
# ------------------------------------------------------------#
Outputs:
  # LogGroup
  LogGroupName:
    Value: !Sub "${PJPrefix}-vpcflowlogs-group"
    Export:
      Name: !Sub "${PJPrefix}-vpcflowlogs-group-name"
  LogGroupARN:
    Value: !GetAtt LogGroup.Arn
    Export:
      Name: !Sub "${PJPrefix}-vpcflowlogs-group-arn"
```
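As an added example (not part of the original notes or template), the following Python parses default-format VPC Flow Log records of the kind the template above delivers to the log group, applies the same ALL / ACCEPT / REJECT selection as the Filter parameter, and counts rejected flows per source address and destination port. The account ID, ENI and addresses in the sample records are constructed values.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Field order of the default VPC Flow Logs record format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (documentation account ID, ENI and addresses).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.5 44321 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.5 44322 22 6 5 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51000 443 6 20 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.5 44323 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    dstport: int
    protocol: int
    packets: int
    bytes: int
    action: str  # ACCEPT or REJECT

def parse_record(line: str) -> FlowRecord | None:
    """Parse one record; NODATA/SKIPDATA lines carry '-' for addresses,
    ports and counters, so they are returned as None rather than failing on int()."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        raise ValueError(f"unexpected flow log record: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]),
                      int(rec["protocol"]), int(rec["packets"]), int(rec["bytes"]),
                      rec["action"])

def parse_records(text: str, traffic_type: str = "ALL") -> list[FlowRecord]:
    """Keep records whose action matches traffic_type (ALL, ACCEPT or REJECT)."""
    records = [r for r in map(parse_record, text.splitlines()) if r is not None]
    return [r for r in records if traffic_type == "ALL" or r.action == traffic_type]

def rejects_by_source(records: list[FlowRecord]) -> Counter:
    """REJECT count per (srcaddr, dstport): the kind of figure a CloudWatch
    metric filter and alarm on this log group would track."""
    return Counter((r.srcaddr, r.dstport) for r in records if r.action == "REJECT")
```

Feeding real records requires the log group to be populated by the template's FlowLog resource; with Filter set to REJECT only the rejected flows arrive, which is what rejects_by_source counts anyway.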
I see, so monitoring uses CloudWatch rather than Mackerel.