 AWS CloudWatch, X-Ray & Logging Best Practices
In this lesson, you'll learn how to monitor and trace your serverless applications using Amazon CloudWatch and AWS X-Ray — two key services that provide deep visibility into your application's behavior, performance, and errors.
We'll walk through instrumenting a Lambda function behind an API Gateway, configuring it to generate logs, metrics, alarms, and X-Ray traces. This hands-on approach uses the AWS CLI only, making it ideal for developers aiming to understand AWS under the hood.
Introduction to AWS CloudWatch and X-Ray
AWS CloudWatch
Amazon CloudWatch is a monitoring and observability service designed to collect and track metrics, logs, and events. It enables you to:
- Capture logs (via CloudWatch Logs);
- Track metrics like duration, error counts, and invocations;
- Create dashboards to visualize application health;
- Trigger alarms based on thresholds.
For AWS Lambda, CloudWatch automatically tracks important metrics:
- Invocations;
- Duration;
- Error counts.
Logs help you debug, metrics reveal patterns, and alarms enable automated responses.
AWS X-Ray
AWS X-Ray provides request tracing across AWS services, showing how requests flow through your architecture. With X-Ray, you can:
- Visualize service interactions using service maps;
- Identify latency bottlenecks;
- Debug failed segments.
To get full tracing, you must enable X-Ray on both:
- Lambda function;
- API Gateway.
Hands-On Lab: Monitor a Lambda Function with CloudWatch and X-Ray (CLI-Only)
Let's walk through the setup using CLI commands.
Step 1: Create an IAM Role for Lambda
This IAM role allows the Lambda function to:
- Write logs to CloudWatch;
- Send trace data to X-Ray.
1.1 Create the role:
aws iam create-role \
  --role-name LambdaMonitorRole \
  --assume-role-policy-document file://./6.1-trust-policy.json
1.2 Attach CloudWatch Logs policy:
aws iam attach-role-policy \
  --role-name LambdaMonitorRole \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
1.3 Attach X-Ray write access policy:
aws iam attach-role-policy \
  --role-name LambdaMonitorRole \
  --policy-arn arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
Step 2: Create the Lambda Function
Assume you have a lambda_function.py file ready.
2.1 Zip your function:
zip function.zip lambda_function.py
2.2 Create the function with X-Ray tracing enabled:
aws lambda create-function \
  --function-name MonitoredLambda \
  --runtime python3.8 \
  --role arn:aws:iam::[ACCOUNT_ID]:role/LambdaMonitorRole \
  --handler lambda_function.lambda_handler \
  --tracing-config Mode=Active \
  --zip-file fileb://./function.zip
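A possible lambda_function.py for this step, as an added example that is not part of the original lesson: it writes one structured JSON log line per request and masks credential-bearing values before they reach CloudWatch Logs. The names SENSITIVE_HEADERS, redact_headers and build_log_record are assumptions made for this illustration.

```python
import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Assumed deny-list: header values that must never reach CloudWatch Logs.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}


def redact_headers(headers):
    """Return a copy of the request headers with credential values masked."""
    return {
        name: "[REDACTED]" if name.lower() in SENSITIVE_HEADERS else value
        for name, value in (headers or {}).items()
    }


def build_log_record(event, context):
    """Build one structured record from an API Gateway AWS_PROXY event."""
    event = event or {}  # a direct `aws lambda invoke` may send no payload
    request_context = event.get("requestContext") or {}
    query = event.get("queryStringParameters") or {}
    return {
        "level": "INFO",
        "message": "request received",
        # Same id as the RequestId in Lambda's START/END/REPORT log lines.
        "aws_request_id": getattr(context, "aws_request_id", None),
        "api_request_id": request_context.get("requestId"),
        "method": event.get("httpMethod"),
        "path": event.get("path"),
        # Names only: query values can carry tokens or personal data.
        "query_keys": sorted(query),
        "headers": redact_headers(event.get("headers")),
    }


def lambda_handler(event, context):
    # One JSON object per line keeps the entry queryable in CloudWatch Logs.
    logger.info(json.dumps(build_log_record(event, context)))
    # Response shape required by the AWS_PROXY integration.
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"status": "ok"}),
    }
```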
Step 3: Set Up API Gateway
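This step creates an API Gateway REST API that triggers the Lambda function on an HTTP GET request. The method is created with --authorization-type NONE, so once the API is deployed anyone who knows the invoke URL can call it without authenticating.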
3.1 Create REST API:
rest_api_id=$(aws apigateway create-rest-api \
  --name LambdaMonitorAPI \
  --query 'id' --output text)
3.2 Get the root resource ID:
root_id=$(aws apigateway get-resources \
  --rest-api-id $rest_api_id \
  --query 'items[0].id' --output text)
3.3 Add a GET method:
aws apigateway put-method \
  --rest-api-id $rest_api_id \
  --resource-id $root_id \
  --http-method GET \
  --authorization-type NONE
3.4 Integrate with Lambda:
aws apigateway put-integration \
  --rest-api-id $rest_api_id \
  --resource-id $root_id \
  --http-method GET \
  --type AWS_PROXY \
  --integration-http-method POST \
  --uri arn:aws:apigateway:us-east-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-2:[ACCOUNT_ID]:function:MonitoredLambda/invocations
3.5 Grant API Gateway permission to invoke Lambda:
aws lambda add-permission \
  --function-name MonitoredLambda \
  --statement-id AllowAPIGWInvoke \
  --action lambda:InvokeFunction \
  --principal apigateway.amazonaws.com \
  --source-arn "arn:aws:execute-api:us-east-2:[ACCOUNT_ID]:${rest_api_id}/*/GET/"
3.6 Deploy the API, enabling X-Ray tracing on the stage:
aws apigateway create-deployment \
  --rest-api-id $rest_api_id \
  --stage-name prod \
  --tracing-enabled
Step 4: Invoke the Function
You can now invoke the Lambda function:
aws lambda invoke --function-name MonitoredLambda out.txt
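This saves the response to out.txt. Because aws lambda invoke calls the function directly through the Lambda API, this request does not pass through API Gateway; only requests sent to the deployed prod stage do.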
Step 5: Monitor via CLI
A. View CloudWatch Logs
log_group="/aws/lambda/MonitoredLambda"
log_stream=$(aws logs describe-log-streams \
  --log-group-name "$log_group" \
  --order-by LastEventTime \
  --descending \
  --limit 1 \
  --query 'logStreams[0].logStreamName' \
  --output text)
aws logs get-log-events \
  --log-group-name "$log_group" \
  --log-stream-name "$log_stream"
B. Get CloudWatch Metrics
# date -v -10M is BSD/macOS syntax; on GNU/Linux use: date -u -d '10 minutes ago' '+%Y-%m-%dT%H:%M:%SZ'
aws cloudwatch get-metric-statistics \
  --namespace AWS/Lambda \
  --metric-name Duration \
  --dimensions Name=FunctionName,Value=MonitoredLambda \
  --statistics Average \
  --start-time "$(date -u -v -10M '+%Y-%m-%dT%H:%M:%SZ')" \
  --end-time "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" \
  --period 60
C. Create CloudWatch Alarm (Duration > 1500ms)
aws cloudwatch put-metric-alarm \
  --alarm-name "HighLambdaDuration" \
  --metric-name Duration \
  --namespace AWS/Lambda \
  --statistic Average \
  --period 60 \
  --threshold 1500 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 1 \
  --dimensions Name=FunctionName,Value=MonitoredLambda \
  --treat-missing-data notBreaching
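The alarm above evaluates the Average of Duration per 60-second period, so a single slow invocation can stay below the threshold. The following added example (not part of the original lesson) parses the JSON printed by aws logs get-log-events in step A and lists the invocations that individually exceeded 1500 ms; the function name, the sample events and the assumption that all three invocations fall in one period are constructed for illustration.

```python
import json
import re

# Lambda closes every invocation with a tab-separated REPORT line.
REPORT_RE = re.compile(
    r"^REPORT RequestId: (?P<request_id>\S+)\s+Duration: (?P<ms>[\d.]+) ms"
)
THRESHOLD_MS = 1500  # threshold of the HighLambdaDuration alarm above


def summarize_durations(get_log_events_json, threshold_ms=THRESHOLD_MS):
    """Summarize per-invocation durations from get-log-events JSON output."""
    durations = {}
    for event in json.loads(get_log_events_json).get("events", []):
        match = REPORT_RE.match(event.get("message", ""))
        if match:
            durations[match["request_id"]] = float(match["ms"])
    if not durations:
        return {"count": 0, "average_ms": None, "max_ms": None,
                "slow_request_ids": [], "average_breaches": False}
    average = sum(durations.values()) / len(durations)
    return {
        "count": len(durations),
        "average_ms": round(average, 2),
        "max_ms": max(durations.values()),
        # Invocations that an Average-based alarm can hide.
        "slow_request_ids": sorted(
            rid for rid, ms in durations.items() if ms > threshold_ms),
        "average_breaches": average > threshold_ms,
    }


# Constructed sample in the shape returned by `aws logs get-log-events`.
SAMPLE = json.dumps({"events": [
    {"timestamp": 1, "message": "START RequestId: req-a Version: $LATEST\n"},
    {"timestamp": 2, "message": "REPORT RequestId: req-a\tDuration: 120.00 ms\t"
                                "Billed Duration: 120 ms\tMemory Size: 128 MB\n"},
    {"timestamp": 3, "message": "REPORT RequestId: req-b\tDuration: 95.50 ms\t"
                                "Billed Duration: 96 ms\tMemory Size: 128 MB\n"},
    {"timestamp": 4, "message": "REPORT RequestId: req-c\tDuration: 2900.25 ms\t"
                                "Billed Duration: 2901 ms\tMemory Size: 128 MB\n"},
]})

if __name__ == "__main__":
    print(summarize_durations(SAMPLE))
```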
D. View Recent X-Ray Traces
# date -v -10M is BSD/macOS syntax; on GNU/Linux use: date -u -d '10 minutes ago' +%s
aws xray get-trace-summaries \
  --start-time "$(date -u -v -10M +%s)" \
  --end-time "$(date -u +%s)"
Step 6: Cleanup (to Avoid Charges)
aws lambda delete-function --function-name MonitoredLambda
aws apigateway delete-rest-api --rest-api-id $rest_api_id
aws iam detach-role-policy --role-name LambdaMonitorRole \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
aws iam detach-role-policy --role-name LambdaMonitorRole \
  --policy-arn arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
aws iam delete-role --role-name LambdaMonitorRole
aws cloudwatch delete-alarms --alarm-names "HighLambdaDuration"
Key Takeaways
- Use CloudWatch logs for debugging and metrics for performance monitoring;
- X-Ray helps you trace request paths and latency across services;
- Always clean up unused resources to avoid unexpected charges;
- All these steps can be performed using the AWS CLI, making automation possible.
1. What AWS service provides centralized logging, metric collection, dashboards, and alarms?
2. Which of the following automatically tracks Lambda invocations, duration, and errors?
3. What does Amazon X-Ray help you visualize in your application?
4. To enable Lambda to write logs to CloudWatch, which policy must be attached to its IAM role?
5. What integration type connects API Gateway to Lambda for full request passthrough?
6. What command allows API Gateway to invoke a specific Lambda function?
7. What metric is typically monitored to measure Lambda performance duration?
8. What AWS CLI command retrieves the most recent log stream for a Lambda function?
9. Which CLI command creates an alarm based on CloudWatch metrics?
10. What must you do after completing the lab to avoid unnecessary AWS charges?