Search for Well Architected Advice
-
Operational Excellence
-
- Resources have identified owners
- Processes and procedures have identified owners
- Operations activities have identified owners responsible for their performance
- Team members know what they are responsible for
- Mechanisms exist to identify responsibility and ownership
- Mechanisms exist to request additions, changes, and exceptions
- Responsibilities between teams are predefined or negotiated
-
- Executive Sponsorship
- Team members are empowered to take action when outcomes are at risk
- Escalation is encouraged
- Communications are timely, clear, and actionable
- Experimentation is encouraged
- Team members are encouraged to maintain and grow their skill sets
- Resource teams appropriately
- Diverse opinions are encouraged and sought within and across teams
-
- Use version control
- Test and validate changes
- Use configuration management systems
- Use build and deployment management systems
- Perform patch management
- Implement practices to improve code quality
- Share design standards
- Use multiple environments
- Make frequent, small, reversible changes
- Fully automate integration and deployment
-
Security
-
- Evaluate and implement new security services and features regularly
- Automate testing and validation of security controls in pipelines
- Identify and prioritize risks using a threat model
- Keep up-to-date with security recommendations
- Keep up-to-date with security threats
- Identify and validate control objectives
- Secure account root user and properties
- Separate workloads using accounts
-
- Analyze public and cross-account access
- Manage access based on life cycle
- Share resources securely with a third party
- Reduce permissions continuously
- Share resources securely within your organization
- Establish emergency access process
- Define permission guardrails for your organization
- Grant least privilege access
- Define access requirements
-
- Build a program that embeds security ownership in workload teams
- Centralize services for packages and dependencies
- Manual code reviews
- Automate testing throughout the development and release lifecycle
- Train for application security
- Regularly assess security properties of the pipelines
- Deploy software programmatically
- Perform regular penetration testing
-
-
Reliability
-
- How do you ensure sufficient gap between quotas and maximum usage to accommodate failover?
- How do you automate quota management?
- How do you monitor and manage service quotas?
- How do you accommodate fixed service quotas and constraints through architecture?
- How do you manage service quotas and constraints across accounts and Regions?
- How do you manage service quotas and constraints?
- How do you build a program that embeds reliability into workload teams?
-
- How do you enforce non-overlapping private IP address ranges in all private address spaces?
- How do you prefer hub-and-spoke topologies over many-to-many mesh?
- How do you ensure IP subnet allocation accounts for expansion and availability?
- How do you provision redundant connectivity between private networks in the cloud and on-premises environments?
- How do you use highly available network connectivity for workload public endpoints?
-
- Monitor end-to-end tracing of requests through your system
- Conduct reviews regularly
- Analytics
- Automate responses (Real-time processing and alarming)
- Send notifications (Real-time processing and alarming)
- Define and calculate metrics (Aggregation)
- Monitor End-to-End Tracing of Requests Through Your System
-
- Monitor all components of the workload to detect failures
- Fail over to healthy resources
- Automate healing on all layers
- Rely on the data plane and not the control plane during recovery
- Use static stability to prevent bimodal behavior
- Send notifications when events impact availability
- Architect your product to meet availability targets and uptime service level agreements (SLAs)
-
-
Cost Optimization
-
- Establish ownership of cost optimization
- Establish a partnership between finance and technology
- Establish cloud budgets and forecasts
- Implement cost awareness in your organizational processes
- Monitor cost proactively
- Keep up-to-date with new service releases
- Quantify business value from cost optimization
- Report and notify on cost optimization
- Create a cost-aware culture
-
- Perform cost analysis for different usage over time
- Analyze all components of this workload
- Perform a thorough analysis of each component
- Select components of this workload to optimize cost in line with organization priorities
- Perform cost analysis for different usage over time
- Select software with cost effective licensing
-
-
Performance
-
- Learn about and understand available cloud services and features
- Evaluate how trade-offs impact customers and architecture efficiency
- Use guidance from your cloud provider or an appropriate partner to learn about architecture patterns and best practices
- Factor cost into architectural decisions
- Use policies and reference architectures
- Use benchmarking to drive architectural decisions
- Use a data-driven approach for architectural choices
-
- Use purpose-built data store that best support your data access and storage requirements
- Collect and record data store performance metrics
- Evaluate available configuration options for data store
- Implement Strategies to Improve Query Performance in Data Store
- Implement data access patterns that utilize caching
-
- Understand how networking impacts performance
- Evaluate available networking features
- Choose appropriate dedicated connectivity or VPN for your workload
- Use load balancing to distribute traffic across multiple resources
- Choose network protocols to improve performance
- Choose your workload's location based on network requirements
- Optimize network configuration based on metrics
-
- Establish key performance indicators (KPIs) to measure workload health and performance
- Use monitoring solutions to understand the areas where performance is most critical
- Define a process to improve workload performance
- Review metrics at regular intervals
- Load test your workload
- Use automation to proactively remediate performance-related issues
- Keep your workload and services up-to-date
-
-
Sustainability
-
- Optimize geographic placement of workloads based on their networking requirements
- Align SLAs with sustainability goals
- Optimize geographic placement of workloads based on their networking requirements
- Stop the creation and maintenance of unused assets
- Optimize team member resources for activities performed
- Implement buffering or throttling to flatten the demand curve
-
- Optimize software and architecture for asynchronous and scheduled jobs
- Remove or refactor workload components with low or no use
- Optimize areas of code that consume the most time or resources
- Optimize impact on devices and equipment
- Use software patterns and architectures that best support data access and storage patterns
- Remove unneeded or redundant data
- Use technologies that support data access and storage patterns
- Use policies to manage the lifecycle of your datasets
- Use shared file systems or storage to access common data
- Back up data only when difficult to recreate
- Use elasticity and automation to expand block storage or file system
- Minimize data movement across networks
-
- Articles coming soon
< All Topics
Print
Analyze logs, findings, and metrics centrally
PostedNovember 28, 2024
UpdatedNovember 28, 2024
ByKevin McCaffrey
Centralizing the analysis of logs, findings, and metrics is critical for detecting security events and responding to potential threats in a timely and efficient manner. By aggregating data from various services and using automated tools for analysis, security operations teams can quickly identify unauthorized activity or changes. Automation and centralized analysis reduce the reliance on manual processes, ensuring that security teams can handle the high volume of data from complex architectures.
- Centralize log and metric collection: Use a centralized platform, such as AWS CloudWatch Logs or AWS Security Hub, to collect logs, security findings, and metrics from all AWS services, custom applications, and third-party tools. Centralized collection simplifies the analysis process and provides a unified view of the environment.
- Automate log and finding analysis: Implement automated tools like AWS GuardDuty, Amazon Detective, and AWS Security Hub to analyze logs and findings in real-time. These services help identify potential security events, such as unauthorized access attempts, data exfiltration, or unusual patterns of behavior, without requiring manual intervention.
- Use machine learning for anomaly detection: Leverage AWS services such as Amazon GuardDuty and AWS CloudWatch Anomaly Detection to automatically detect patterns and anomalies in logs and metrics. Machine learning models can flag unexpected behaviors or deviations from normal activity, allowing for faster detection of potential security incidents.
- Create actionable alerts: Set up alerts in AWS CloudWatch or AWS Security Hub that notify security operations teams of significant findings or unusual activity. These alerts should be tied to automated workflows to assign the right resources to investigate and mitigate the issue quickly.
- Prioritize security events: Use tools like AWS Security Hub to aggregate findings from multiple AWS services and prioritize security events based on severity. This ensures that high-priority incidents, such as potential breaches or critical misconfigurations, receive immediate attention from the security team.
- Track and report security events: Use centralized dashboards in AWS Security Hub or Amazon CloudWatch to visualize trends, track incidents, and generate reports for security operations teams and stakeholders. These tools help ensure that potential threats are identified and addressed in a timely manner.
Supporting Questions:
- How do you centralize the collection of logs, findings, and metrics from your AWS environment and applications?
- What automated tools are in place to analyze security events and detect anomalies in real-time?
- How do you ensure timely alerts and responses to high-priority security incidents?
Roles and Responsibilities:
Security Operations Engineer:
- Responsibilities:
- Implement centralized logging and metric collection from AWS services, applications, and third-party tools.
- Configure and manage automated analysis tools to detect and respond to potential security incidents.
- Prioritize and assign resources to investigate high-severity security events identified through automated findings.
Cloud Administrator:
- Responsibilities:
- Set up and manage AWS CloudWatch Logs, Security Hub, and other services for centralized monitoring and reporting.
- Ensure that alerts are properly configured and directed to the appropriate teams for investigation and response.
- Monitor dashboards and reports to ensure that potential security threats are detected and mitigated in a timely manner.
Artefacts:
- Centralized Logging Configuration: Documentation outlining how logs, findings, and metrics are aggregated from AWS services and applications into a central platform for analysis.
- Alert and Workflow Configuration: Configuration of alerts and automated workflows in services like AWS CloudWatch and Security Hub to ensure prompt action on security events.
- Security Event Reports: Reports generated from centralized analysis tools, providing insights into potential security threats, detected anomalies, and the actions taken to address them.
Relevant AWS Services:
AWS Monitoring and Security Services:
- AWS CloudWatch Logs: Centralizes the collection of logs from AWS services, custom applications, and third-party tools, enabling real-time analysis and alerting.
- AWS Security Hub: Aggregates security findings from various AWS services, prioritizes incidents, and provides a centralized dashboard for security operations teams to track and respond to security events.
- Amazon GuardDuty: Uses machine learning and threat intelligence to analyze logs and detect anomalies, helping identify unauthorized activity or security threats.
- Amazon Detective: Helps security teams investigate and analyze the root cause of security events using data collected from logs and AWS CloudTrail.
- AWS CloudWatch Anomaly Detection: Automatically detects anomalies in metrics and logs, using machine learning models to identify deviations from normal behavior.
Table of Contents