AWS CloudWatch Logs: SAA-C03 Study Guide
Amazon CloudWatch Logs is a fully managed service that centralizes the storage and monitoring of logs from AWS resources, applications, and on-premises servers. For the SAA-C03 exam, you must understand how to ingest, filter, and export these logs to meet operational and compliance requirements.
Core Concepts & Architecture
- Log Stream: A sequence of log events that share the same source (e.g., one EC2 instance, or one Lambda execution environment; a single Lambda function fans out into many streams, one per environment).
- Log Group: A collection of log streams that share the same retention, monitoring, and access control settings.
- Metric Filters: These extract data from logs and turn them into CloudWatch Metrics. Example: Count how many times “404 Error” appears in your logs.
- Retention: By default, logs are kept forever. You can configure retention periods ranging from 1 day to 10 years.
Security & Compliance
Security is a major focus of the SAA-C03. Remember these three pillars for CloudWatch Logs:
- IAM: Control who can create log groups (CreateLogGroup), write logs (PutLogEvents), and read logs (GetLogEvents, FilterLogEvents, StartQuery). Scope these permissions to log-group ARNs rather than "*" so that a writer role cannot also read or delete.
- KMS Encryption: Log data is always encrypted at rest; by default CloudWatch Logs manages the key, but you can associate your own customer managed key (CMK) with a log group for stricter compliance requirements. The key must be in the same Region as the log group, and its key policy must grant the regional CloudWatch Logs service principal (logs.<region>.amazonaws.com) permission to use it; a kms:EncryptionContext:aws:logs:arn condition limits the key to specific log groups instead of every log group in the account.
- Resource Policies: Essential for cross-account logging. For cross-account subscription filters, the receiving account creates a CloudWatch Logs destination (backed by a Kinesis Data Stream or Firehose stream) and attaches a destination access policy naming the sending account; the sending account's subscription filter then points at that destination ARN. Log-group resource policies are also how you let AWS services (for example Route 53 query logging or EventBridge) write to a log group.
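The KMS point above is easy to get wrong in practice: a key policy that grants the CloudWatch Logs service principal use of the key with no encryption-context condition lets every log group in the account encrypt with that key. The following added example (not from the study guide or from AWS documentation) builds the key policy statement with the kms:EncryptionContext:aws:logs:arn condition and then evaluates, IAM-style, whether a given log group ARN is covered. The account id, Region and log-group names are placeholder assumptions; the service principal and condition key are the real ones CloudWatch Logs uses when it calls KMS on behalf of a log group.

```python
"""Build a KMS key policy for CloudWatch Logs and check which log groups it covers.

Added example; not the study guide's or AWS's code. ACCOUNT, REGION and the
log-group names are placeholders.
"""
import fnmatch
import json

ACCOUNT = "111122223333"   # placeholder account id
REGION = "us-east-1"        # the key and the log group must be in the same Region

# Actions CloudWatch Logs needs on the key to encrypt/decrypt log data.
LOGS_ACTIONS = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:Describe*"]


def log_group_arn(name: str) -> str:
    return f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:{name}"


def logs_key_policy_statement(log_group_arn_pattern: str) -> dict:
    """Statement letting the regional CloudWatch Logs principal use the key,
    but only for log groups whose ARN matches the pattern (ArnLike wildcard).
    CloudWatch Logs passes the log group ARN as the encryption context
    aws:logs:arn on every KMS call, which is what the condition inspects."""
    return {
        "Sid": "AllowCloudWatchLogsForSelectedLogGroups",
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{REGION}.amazonaws.com"},
        "Action": LOGS_ACTIONS,
        "Resource": "*",   # inside a key policy, "*" means "this key"
        "Condition": {
            "ArnLike": {"kms:EncryptionContext:aws:logs:arn": log_group_arn_pattern}
        },
    }


def build_key_policy(log_group_arn_pattern: str) -> dict:
    """Full key policy: account root as key administrator plus the Logs statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            logs_key_policy_statement(log_group_arn_pattern),
        ],
    }


def key_policy_allows_log_group(policy: dict, arn: str) -> bool:
    """Would CloudWatch Logs in REGION be allowed to generate a data key for `arn`?

    Mirrors the subset of IAM evaluation that matters here: an Allow statement
    for the regional Logs service principal, an action matching
    kms:GenerateDataKey, and the ArnLike encryption-context condition. A
    statement with no such condition matches every log group (the over-broad
    setting this check is meant to expose).
    """
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if principal != "*" and f"logs.{REGION}.amazonaws.com" not in services:
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(fnmatch.fnmatchcase("kms:GenerateDataKey", a) for a in actions):
            continue
        cond = st.get("Condition", {}).get("ArnLike", {}).get("kms:EncryptionContext:aws:logs:arn")
        patterns = [cond] if isinstance(cond, str) else (cond or ["*"])  # no condition: any log group
        if any(fnmatch.fnmatchcase(arn, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    policy = build_key_policy(log_group_arn("/aws/lambda/*"))
    print(json.dumps(policy, indent=2))
    print(key_policy_allows_log_group(policy, log_group_arn("/aws/lambda/orders-api")))  # True
    print(key_policy_allows_log_group(policy, log_group_arn("/app/payments")))           # False
```

After the key exists with this policy, bind it with associate-kms-key (boto3: logs.associate_kms_key(logGroupName=..., kmsKeyId=...)); only events ingested after the association are encrypted under the CMK, and the key must stay usable or the log group becomes unreadable.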
Comparison: Logging Destinations
| Destination | Best For… | Latency | Cost Profile |
|---|---|---|---|
| CloudWatch Logs | Real-time monitoring & Alarms | Near Real-time | High (Pay per GB ingested) |
| Amazon S3 | Long-term archiving & Compliance | Batched (Export task) | Lowest (Standard/Glacier) |
| Kinesis Data Firehose | Streaming to OpenSearch/S3/Third-party | Near Real-time (buffered) | Moderate |
| Lambda | Real-time custom processing/alerting | Real-time | Variable (Per invocation) |
Exam Tips and Gotchas
- Metric Filters are NOT Retroactive: They only start counting events after the filter is created. They do not scan old logs.
- S3 Export Timing: Exporting logs to S3 is not instantaneous. It is a batch process. If the exam asks for “Real-time” analysis in S3, the answer is likely Kinesis Data Firehose, not CloudWatch Log Exports.
- CloudWatch Logs Insights: This is the go-to answer for "run ad-hoc queries across log groups" without needing to set up an ELK stack or Athena. It uses its own purpose-built query language (fields, filter, stats, sort, limit commands piped together rather than SQL), runs only over the log groups and time range you select, and is billed per GB of data scanned.
- VPC Flow Logs: Can be sent to S3, CloudWatch Logs, or Kinesis Data Firehose. Choose CloudWatch Logs when you need metric filters and alarms on traffic patterns.
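The S3 export gotcha above has two practical consequences: the export covers a fixed time window given in epoch milliseconds (anything that arrives after the "to" timestamp is not in the archive), and an account can have only one export task pending or running at a time, so a script that fires several exports without waiting fails with LimitExceededException. The added example below (not the study guide's code) wraps the real boto3 calls create_export_task and describe_export_tasks in a helper that computes the window and polls the task to completion. The log group, bucket and prefix are placeholders; the bucket must already exist in the same Region as the log group with a bucket policy that lets logs.<region>.amazonaws.com write to it.

```python
"""Export a CloudWatch Logs log group to S3 and wait for the batch task to finish.

Added example, not from the study guide. Uses the real boto3 method names;
the log group, bucket and prefix in __main__ are placeholder assumptions.
"""
import time
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


def export_window(days_back: int, now: Optional[datetime] = None) -> Tuple[int, int]:
    """Return (fromTime, to) in epoch milliseconds, the units the API expects.

    The window is aligned to the top of the current hour so repeated daily
    exports tile cleanly without gaps or overlaps. Events written after 'to'
    are not included, which is why export is a batch operation, not real time.
    """
    now = now or datetime.now(timezone.utc)
    end = now.replace(minute=0, second=0, microsecond=0)
    start = end - timedelta(days=days_back)
    return int(start.timestamp() * 1000), int(end.timestamp() * 1000)


def export_log_group(logs, log_group: str, bucket: str, prefix: str,
                     from_ms: int, to_ms: int, poll_seconds: float = 5.0,
                     timeout_seconds: float = 3600.0) -> str:
    """Start one export task and block until it completes; return the task id.

    `logs` is a boto3 CloudWatch Logs client, or any object exposing the same
    two methods (the test drives it with a fake so it runs without AWS access).
    Only one export task per account may be PENDING/RUNNING at a time, hence
    the wait: launching the next export before this one finishes is rejected
    with LimitExceededException.
    """
    task_id = logs.create_export_task(
        taskName=f"{log_group.strip('/').replace('/', '-')}-{from_ms}",
        logGroupName=log_group,
        fromTime=from_ms,
        to=to_ms,
        destination=bucket,            # bucket must be in the log group's Region
        destinationPrefix=prefix,      # objects land under s3://bucket/prefix/
    )["taskId"]

    deadline = time.monotonic() + timeout_seconds
    while True:
        task = logs.describe_export_tasks(taskId=task_id)["exportTasks"][0]
        code = task["status"]["code"]
        if code == "COMPLETED":
            return task_id
        if code in ("FAILED", "CANCELLED", "PENDING_CANCEL"):
            message = task["status"].get("message", "")
            raise RuntimeError(f"export {task_id} ended with {code}: {message}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"export {task_id} still {code} after {timeout_seconds}s")
        time.sleep(poll_seconds)


if __name__ == "__main__":
    import boto3  # only needed when talking to AWS for real
    start_ms, end_ms = export_window(days_back=1)
    print(export_log_group(boto3.client("logs"), "/aws/lambda/orders-api",
                           "example-log-archive-bucket", "cloudwatch/orders-api",
                           start_ms, end_ms))
```

Exported objects are written as gzip files under the prefix; if the goal is the 7-year archive from the decision matrix, pair this with an S3 lifecycle rule that transitions the prefix to a Glacier storage class, since the export task itself cannot choose a storage class.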
Decision Matrix / If–Then Guide
- IF you need to alert on a specific string in a log file… THEN use a Metric Filter + CloudWatch Alarm.
- IF you need to keep logs for 7 years for compliance at minimum cost… THEN set a short retention in CW Logs, export to S3, and use an S3 lifecycle rule to transition the exported objects to a Glacier storage class (the export task itself always writes to the bucket's default storage class).
- IF you need to analyze logs across multiple accounts in one place… THEN use Subscription Filters in each source account pointing at a CloudWatch Logs destination backed by Kinesis Data Streams in the central account.
- IF you need to find the top 10 IP addresses in your VPC Flow Logs quickly… THEN use CloudWatch Logs Insights.
Topics covered
- Log Groups and Log Streams hierarchy.
- Metric Filters and their limitations.
- Security via IAM, KMS, and Resource Policies.
- Cost optimization via Retention Policies and S3 Exports.
- Real-time processing via Subscription Filters.
- Querying capabilities with CloudWatch Logs Insights.
CloudWatch Logs Ecosystem Infographic
High Throughput
CloudWatch Logs scales automatically. Use Subscription Filters to stream logs to Kinesis Data Streams if you need to process millions of events per second with low latency.
Optimization
Ingestion is the most expensive part ($0.50 per GB in us-east-1 for the Standard log class, far more than storage). Reduce costs by:
- Setting Retention Policies so storage does not grow forever.
- Using the Infrequent Access log class (about half the ingestion price) for logs you don't need to query often; note that it does not support metric filters or subscription filters, so it is not an option for logs that drive alarms.
Threat Detection
Enable VPC Flow Logs, send them to CloudWatch Logs, and use a Metric Filter on the space-delimited flow log fields (for example dstport="22" with action="REJECT", or a srcaddr in a known-bad range) plus a CloudWatch Alarm to surface SSH probing in near real time. Flow logs are aggregated over a capture window (10 minutes by default, 1 minute if you choose it), so "real-time" here means minutes, not seconds.
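The Threat Detection panel, the "Metric Filter + CloudWatch Alarm" and "top 10 IP addresses with Logs Insights" entries of the decision matrix all describe the same pipeline over VPC Flow Logs. The added example below (not the study guide's code) runs that pipeline locally: it evaluates a CloudWatch-style space-delimited filter pattern over constructed flow log lines, turns the matches into the per-minute count a metric filter would publish, evaluates an alarm threshold against it, and computes the aggregation the Logs Insights query "stats count(*) by srcaddr | sort count desc | limit 10" would return. The ENI, addresses and timestamps are made up; the pattern evaluator supports only the subset of CloudWatch's syntax used here (named fields with ="value" / !="value" terms and wildcards), not numeric comparisons or && / ||.

```python
"""Metric filter, alarm and top-N aggregation over VPC Flow Log lines.

Added example; not code from the study guide. Sample lines are constructed,
and the filter-pattern evaluator covers only the space-delimited subset used
here (named fields, = / != string terms with wildcards).
"""
import re
import fnmatch
from collections import Counter, defaultdict

# Constructed sample lines in the default VPC Flow Log (version 2) layout:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.15 51000 22 6 3 180 1700000040 1700000070 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.15 51001 22 6 3 180 1700000045 1700000075 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.15 43210 22 6 3 180 1700000050 1700000080 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.2.40 10.0.1.15 49152 22 6 12 2048 1700000060 1700000090 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.15 51002 443 6 8 1200 1700000070 1700000100 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.15 51003 22 6 3 180 1700000110 1700000140 REJECT OK
"""

# Metric filter pattern in CloudWatch's space-delimited syntax: one name per
# field, optional ="value" / !="value" conditions. This one matches rejected
# TCP (protocol 6) connections to port 22.
SSH_REJECT_PATTERN = ('[version, account, eni, srcaddr, dstaddr, srcport, '
                      'dstport="22", protocol="6", packets, bytes, start, end, '
                      'action="REJECT", status]')

_TERM = re.compile(r'^(\w+)(?:\s*(!=|=)\s*"([^"]*)")?$')


def parse_pattern(pattern: str):
    """Turn '[a, b="x", c!="y"]' into a list of (name, op, value) terms."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a space-delimited pattern in [...]")
    terms = []
    for raw in body[1:-1].split(","):
        m = _TERM.match(raw.strip())
        if not m:
            raise ValueError(f"bad term: {raw!r}")
        terms.append((m.group(1), m.group(2), m.group(3)))
    return terms


def match_line(terms, line: str):
    """Return the named fields if the line satisfies every term, else None.

    As in CloudWatch, a space-delimited pattern only matches lines with
    exactly the same number of fields.
    """
    fields = line.split()
    if len(fields) != len(terms):
        return None
    record = {}
    for (name, op, value), field in zip(terms, fields):
        if op == "=" and not fnmatch.fnmatchcase(field, value):
            return None
        if op == "!=" and fnmatch.fnmatchcase(field, value):
            return None
        record[name] = field
    return record


def metric_filter(pattern: str, lines, period_seconds: int = 60, ts_field: str = "start"):
    """Emit what a metric filter publishes: the match count per period.

    Periods are keyed by the flow's own start time, bucketed the way an alarm's
    evaluation period sees the metric. Returns (counts, matched_records).
    """
    terms = parse_pattern(pattern)
    counts = defaultdict(int)
    matches = []
    for line in lines:
        rec = match_line(terms, line)
        if rec is None:
            continue
        bucket = int(rec[ts_field]) // period_seconds * period_seconds
        counts[bucket] += 1
        matches.append(rec)
    return dict(counts), matches


def alarm_periods(counts: dict, threshold: int):
    """Periods in which the metric is >= threshold, i.e. the alarm would fire."""
    return sorted(p for p, n in counts.items() if n >= threshold)


def top_source_ips(matches, n: int = 10):
    """Local equivalent of: stats count(*) by srcaddr | sort count desc | limit n."""
    return Counter(r["srcaddr"] for r in matches).most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_FLOW_LOGS.splitlines()
    counts, hits = metric_filter(SSH_REJECT_PATTERN, lines)
    print("rejected SSH per minute:", counts)
    print("periods in ALARM (>= 3):", alarm_periods(counts, 3))
    print("top sources:", top_source_ips(hits))
```

The constructed data shows the gotcha from the Exam Tips list in miniature: the filter counts only lines it sees after it exists, so the three rejects in the first minute are a finding only if the filter was in place before they arrived; the same pipeline, with the pattern attached to the log group via put-metric-filter and the count wired to an alarm, is what "real-time alerting on traffic patterns" means on the exam.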