█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/DevOps and Infrastructure/Cloud Platforms — AWS/AWS Monitoring and Security Services
45 minIntermediate

AWS Monitoring and Security Services

After this lesson, you will be able to: Operate AWS safely: observe with CloudWatch and X-Ray, protect workloads with Secrets Manager, KMS, WAF, and Shield, and detect threats with CloudTrail and GuardDuty.

Deploying to AWS is half the job; knowing what your system is doing and keeping it secure is the other half. CloudWatch and X-Ray are how you see inside a running system. Secrets Manager, KMS, WAF, and Shield are the managed services that keep secrets out of code and attackers out of your app. These are the topics AWS certifications weight heavily and that real on-call engineers live in.

Prerequisites:IAM in Depth

Observability: CloudWatch and X-Ray

CloudWatch is the central observability service: Logs (every Lambda and many services stream logs here), Metrics (CPU, request count, custom business metrics), Alarms (notify or auto-scale when a metric crosses a threshold), and Dashboards. X-Ray adds distributed tracing: it follows a single request across API Gateway, Lambda, and DynamoDB so you can see exactly which hop was slow. The on-call workflow is: an alarm fires, you open the relevant CloudWatch dashboard and logs, and use an X-Ray trace to localize the slow or failing component. This is the AWS-native version of the reliability and observability ideas from System Design.

A CloudWatch alarm in Terraform

Alarms turn a metric crossing a threshold into an action (notify, page, or auto-scale).

tsx
resource "aws_cloudwatch_metric_alarm" "api_5xx" {
alarm_name = "api-5xx-too-high"
comparison_operator = "GreaterThanThreshold"
evaluation_periods = 2
metric_name = "5XXError"
namespace = "AWS/ApiGateway"
period = 60
statistic = "Sum"
threshold = 10
alarm_actions = [aws_sns_topic.alerts.arn] # page the on-call
}
// Fires when the API returns >10 server errors in two consecutive minutes,
// then publishes to an SNS topic that emails/pages the on-call engineer.

Secrets and encryption: Secrets Manager and KMS

Secrets Manager stores database passwords, API keys, and tokens encrypted, with fine-grained IAM access and automatic rotation (it can rotate an RDS password on a schedule without downtime). Your app fetches the secret at runtime via the SDK instead of reading it from an environment variable baked into an image (the anti-pattern from the Docker security lesson). KMS (Key Management Service) is the managed encryption-key service underneath: it holds the keys used to encrypt S3 objects, EBS volumes, RDS storage, and Secrets Manager itself, with access controlled by IAM and every use logged. The principle: secrets live in Secrets Manager, encryption keys live in KMS, and neither lives in your code.

💡 Edge protection: WAF and Shield

WAF (Web Application Firewall) sits in front of CloudFront, API Gateway, or a load balancer and filters HTTP traffic by rules: block SQL injection and XSS patterns, rate-limit abusive IPs, geo-block, and apply AWS-managed rule sets for the OWASP Top 10. Shield is DDoS protection: Shield Standard is automatic and free for all AWS customers; Shield Advanced adds higher-tier mitigation and cost protection for large targets. Together they are the managed edge defenses, so your application code does not have to be the only thing standing between you and an attacker.

Audit logging and threat detection: CloudTrail and GuardDuty

CloudTrail records every API call made in your account (who did what, when, from which IP), which is the audit log you need for forensics and compliance: who deleted that bucket, who changed that IAM policy. Enable it in every account and send the trail to a locked-down S3 bucket so it cannot be tampered with. GuardDuty is managed threat detection: it continuously analyzes CloudTrail, VPC flow logs, and DNS logs with AWS threat intelligence and machine learning, then raises findings like 'an EC2 instance is talking to a known crypto-mining host,' 'credentials are being used from an unusual location,' or 'an S3 bucket was made public.' You turn it on with a click (no agents) and route findings to CloudWatch Events / EventBridge so a Lambda or your on-call gets notified. CloudTrail answers 'what happened?'; GuardDuty answers 'is something suspicious happening right now?'

Common mistakes only experienced engineers catch

No CloudWatch alarms, so you learn about outages from users instead of from a page. Alarm on error rate and latency at minimum. Reading secrets from baked-in environment variables instead of Secrets Manager, then leaking them in an image or repo. Logging the secret or the full request body to CloudWatch, recreating the leak inside your logs. Assuming Shield Standard or a WAF is on by default with custom rules; Standard DDoS is automatic, but WAF rules are something you configure. Letting CloudWatch Logs retain forever, which quietly becomes a large bill. Set retention per log group.

Quick Check

Where should your app's database password live in a production AWS setup?

Pick the correct option.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←AWS Application and Integration Services
Back to Cloud Platforms — AWS
AWS CLI and Infrastructure as Code→