Alerts and Postmortems

How to monitor the security of an application with alerts in AWS?

In system and application management, it is crucial to be proactive about security, and logs, metrics and alerts are your best allies. An alert is sent when the system behaves unexpectedly and can be delivered in several ways: text messages, e-mails, on-call applications such as Opsgenie, or a corporate Slack channel. These tools let you detect potential problems before they become critical, but only if each alert is actionable: someone must know what to do when it fires, otherwise it is noise that will eventually be ignored.

What is a postmortem and why is it important?

A postmortem is a ceremony within an organization, held to analyze a critical event that occurred in the system. The essential part is identifying the root cause of the problem so that it does not recur. The aim is not to point the finger of blame, but to learn from the situation and improve processes and code.

In a postmortem, a thorough review is conducted to understand what caused the incident (for example, a security breach) and which measures can prevent future occurrences. The resulting actions may include process changes, code reviews or infrastructure modifications, each with an owner and a deadline so the review actually changes something.

How do I create an alert in AWS CloudWatch?

CloudWatch is the AWS service for collecting metrics and creating alarms (the CloudWatch term for an alert). The following describes how to set up an alarm that fires when an API Gateway receives an abnormal number of requests.

  1. Access CloudWatch and Alarms:

    • Log into the AWS console, navigate to CloudWatch and select the Alarms option.
  2. Create a new alarm:

    • Click "Create Alarm".
    • Select a metric from the API Gateway namespace (AWS/ApiGateway) for the API you want to watch.
  3. Configure the alarm:

    • Choose a metric such as 'Count', which with the Sum statistic gives the number of requests in the evaluation period.
    • Define a static threshold, for example: alarm when the request count exceeds 10,000 in a five-minute period. Derive the value from the API's normal traffic; a threshold that is never crossed never fires, and one that is crossed every day gets ignored.
  4. Set actions for the alarm:

    • Create a new SNS (Simple Notification Service) topic as the notification channel and attach it to the "In alarm" state.
    • Add the recipient e-mail address as a subscription to that topic.
  5. Assign a name and description to the alarm:

    • Use a descriptive name such as "max API gateway count" and a short description of what it detects. The name is also how the CLI refers to the alarm later, so record it exactly.
  6. Confirm the SNS subscription:

    • SNS sends a confirmation e-mail to the address given in step 4. Until the link in that e-mail is clicked the subscription stays pending and no notification is delivered.

How to validate the functioning of an alert?

To confirm that the alarm and its notification path work, force the alarm into the ALARM state with the CloudWatch API instead of waiting for real traffic to cross the threshold.

  • CloudShell access: open CloudShell from the AWS console; it already has the AWS CLI installed and uses your console credentials.
  • Run the state-change command (the value of --alarm-name must match the name given to the alarm in step 5 exactly):
    aws cloudwatch set-alarm-state --alarm-name "maxAPIGateWaitHits" --state-value ALARM --state-reason "Testing"
  • Refresh and check the alarm status: in the CloudWatch Alarms view the alarm should now show "In alarm", and the SNS topic should have delivered the e-mail.

set-alarm-state only overrides the recorded state for testing; on the next metric evaluation CloudWatch puts the alarm back into the state the real data warrants (OK or INSUFFICIENT_DATA). If the e-mail never arrives, the usual causes are an unconfirmed SNS subscription or the SNS topic not being attached to the alarm's "In alarm" action.

This way, besides receiving the confirmation e-mail, you know that the alarm configuration and its notification channel are operational and ready to act when your system deviates from normal behaviour.
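The console steps (SNS topic, e-mail subscription, alarm) and the validation command above, collected into one script. This is an added example written for this page, not the course's own code. The alarm, topic and API names and the e-mail address are placeholders (assumptions; override them through the environment), and the ApiName dimension applies to REST APIs (HTTP APIs expose ApiId instead). Setting AWS=echo prints each command instead of calling AWS, which is a convenient way to review what will be created before running it for real.

```shell
#!/bin/sh
# Added example (not from the course): the console procedure as AWS CLI calls.
# Placeholder names below are assumptions; override them through the environment.
set -eu

AWS="${AWS:-aws}"   # AWS=echo prints each command instead of running it (dry run)

ALARM_NAME="${ALARM_NAME:-max-api-gateway-count}"   # assumed alarm name
TOPIC_NAME="${TOPIC_NAME:-security-alerts}"         # assumed SNS topic name
API_NAME="${API_NAME:-my-api}"                      # assumed REST API name (ApiName dimension)
ALERT_EMAIL="${ALERT_EMAIL:-oncall@example.com}"    # assumed recipient

# Step 4: notification channel. Prints the topic ARN.
create_topic() {
  "$AWS" sns create-topic --name "$TOPIC_NAME" --query TopicArn --output text
}

# Steps 4 and 6: e-mail subscription. SNS sends a confirmation link that must be
# clicked before any notification is delivered. $1 = topic ARN.
subscribe_email() {
  "$AWS" sns subscribe --topic-arn "$1" --protocol email \
    --notification-endpoint "$ALERT_EMAIL"
}

# Steps 2, 3 and 5: static threshold on AWS/ApiGateway Count, summed over 5 minutes.
# treat-missing-data=notBreaching keeps an idle API from flapping into alarm. $1 = topic ARN.
put_alarm() {
  "$AWS" cloudwatch put-metric-alarm \
    --alarm-name "$ALARM_NAME" \
    --alarm-description "More than 10000 requests to $API_NAME in 5 minutes" \
    --namespace AWS/ApiGateway --metric-name Count \
    --dimensions Name=ApiName,Value="$API_NAME" \
    --statistic Sum --period 300 \
    --threshold 10000 --comparison-operator GreaterThanThreshold \
    --evaluation-periods 1 \
    --treat-missing-data notBreaching \
    --alarm-actions "$1"
}

# Validation: force ALARM so the SNS action fires without real traffic.
simulate_alarm() {
  "$AWS" cloudwatch set-alarm-state --alarm-name "$ALARM_NAME" \
    --state-value ALARM --state-reason "Testing notification path"
}

# Read the current state back (OK, ALARM or INSUFFICIENT_DATA).
alarm_state() {
  "$AWS" cloudwatch describe-alarms --alarm-names "$ALARM_NAME" \
    --query 'MetricAlarms[0].StateValue' --output text
}

main() {
  topic_arn="$(create_topic)"
  subscribe_email "$topic_arn"
  put_alarm "$topic_arn"
  simulate_alarm
  alarm_state
}

# Touch AWS only when asked explicitly:  sh alarm.sh deploy
if [ "${1:-}" = "deploy" ]; then
  main
fi
```

Run it once with `AWS=echo sh alarm.sh deploy` to see the exact commands, then without the override from CloudShell. Confirm the subscription e-mail before trusting the final ALARM state as proof that notifications reach the on-call mailbox.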

Creating and validating alarms in AWS CloudWatch is essential not only for keeping systems operational but also for continuously improving incident response. Continue exploring other AWS services to extend the monitoring and management of your systems.

Contributions (2)

## Alerts and Postmortems

To monitor the security of our application it was necessary to have a system of logs and metrics, and with them to create alerts, which can arrive by text message, e-mail or the company's Slack channel. Alerts must be actionable, we must be able to do something with them, and they will warn us of unexpected behaviour in the systems. When alerts are serious or affect users they end in postmortems, which are a ceremony within companies where a meeting is held to identify what happened and make sure it does not happen again. The most important part of postmortems is identifying the root cause, identifying why that security breach, that failure, occurred, and being able to take the corresponding actions so that it does not happen again, whether by changing processes or code.

"The goal of postmortems is not to find culprits" (some CTO)

The goal of every alarm is to be actionable, that is, it must be very clear what will be done with it. Unfortunately, in many companies alarms are ignored because they are only put in place to satisfy some control, but in practice they produce nothing actionable.