The AWS Managed Services (AMS) monitoring system monitors your AMS resources for failures, performance degradation, and security issues. The AMS monitoring system relies on AWS services such as Amazon CloudWatch (CloudWatch), Amazon GuardDuty, Amazon Macie, and AWS Health. In addition to the monitoring system, AMS also deploys Trend Micro Deep Security for protection against malware on Amazon Elastic Compute Cloud (Amazon EC2) instances. For information about endpoint security (EPS) defaults, see Endpoint Security (EPS).
AMS monitoring provides these benefits:
A monitoring baseline so that you have a default level of protection even if you don’t configure any other monitoring for your managed accounts. For information, see Alerts from baseline monitoring in AMS.
Investigation of alerts to determine the appropriate action. For example, if GuardDuty finds activity indicating brute-force attempts against an Amazon EC2 instance, AMS analyzes VPC flow logs to understand the origin and context of the activity.
Remediation of alerts, when possible, to prevent or reduce the impact for your applications. For example, if you are using a standalone Amazon EC2 instance and it fails the system health check, AMS attempts to recover the instance by stopping and restarting it. For more information, see AMS automatic remediation of alerts.
Transparency into active and previously resolved alerts using OpsCenter. For example, if you have unexpectedly high CPU utilization on an Amazon EC2 instance, you can request access to the AWS Systems Manager console (which includes access to the OpsCenter console) and view the OpsItem directly in the OpsCenter console.
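The flow-log analysis mentioned in the investigation example above can be sketched as follows. This is an added example, not AMS tooling or code from the original page; it assumes the default (version 2) VPC flow log format, and the function names, addresses, account ID, and interface ID are constructed for illustration.

```python
from collections import defaultdict

# Field order of the default (version 2) VPC flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: documentation-range IPs, placeholder account and ENI.
SAMPLE_LOG = """\
2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.20 50122 22 6 12 2160 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.20 203.0.113.7 22 50122 6 10 1980 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.20 50140 22 6 9 1620 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.20 50163 22 6 11 1980 1700000120 1700000180 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.20 50201 22 6 1 60 1700000180 1700000240 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.9 10.0.1.20 41000 22 6 8 1440 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.9 10.0.1.20 41022 443 6 20 9000 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000240 1700000300 - NODATA
"""

def parse(line):
    """Return a field dict for a usable version 2 record, else None."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA and SKIPDATA records carry "-" in the traffic fields.
    return rec if rec["log_status"] == "OK" else None

def summarize_inbound(lines, target_ip, port=22, min_flows=3):
    """Per-source summary of TCP flows to target_ip:port, keeping sources
    that opened at least min_flows flows (hypothetical triage threshold)."""
    stats = defaultdict(lambda: {"flows": 0, "accepted": 0, "rejected": 0,
                                 "first": None, "last": None})
    for line in lines:
        rec = parse(line)
        if not rec or rec["protocol"] != "6":
            continue
        # Match only traffic toward the instance; return traffic has port as srcport.
        if rec["dstaddr"] != target_ip or rec["dstport"] != str(port):
            continue
        s = stats[rec["srcaddr"]]
        s["flows"] += 1
        s["accepted" if rec["action"] == "ACCEPT" else "rejected"] += 1
        start, end = int(rec["start"]), int(rec["end"])
        s["first"] = start if s["first"] is None else min(s["first"], start)
        s["last"] = end if s["last"] is None else max(s["last"], end)
    return {src: dict(s) for src, s in stats.items() if s["flows"] >= min_flows}

if __name__ == "__main__":
    for src, s in summarize_inbound(SAMPLE_LOG.splitlines(), "10.0.1.20").items():
        print(src, s)
```

The accepted and rejected counts show whether the security group let the source reach the port, and the first and last timestamps bound the window to correlate with the GuardDuty finding.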
What is monitoring?
The AMS monitoring system monitors your AWS resources for failures, performance degradation, and security issues. For a managed account, AMS configures and deploys alarms for applicable AWS resources, monitors them, and performs remediation when applicable.
The AMS monitoring system generates alerts based on the monitoring configuration in your account. The monitoring configuration of an account refers to all the resource parameters in the account that create an alert; for information about the resource parameters, see Alerts from baseline monitoring in AMS. The monitoring configuration of an account includes CloudWatch Alarm definitions, and CloudWatch Event Rules that generate the alert (alarm or event).
The baseline monitoring configuration is the set of alarm definitions (Alerts from baseline monitoring in AMS) curated by AMS for monitoring resources in your managed account. The monitoring configuration of an account may differ from the baseline configuration, as a result of changes requested by you.
A notification of imminent, on-going, receding, or potential failures, performance degradation, or security issues generated by the baseline monitoring configured in an account is called an alert. Examples of alerts are an Amazon CloudWatch Alarm, an Amazon CloudWatch Event, an event or a finding from an AWS service such as Amazon GuardDuty, and an event or an alert from Trend Micro Deep Security.
Alerts from security-related AWS services such as Amazon GuardDuty, Amazon Macie, or Trend Micro Deep Security are called security alerts to differentiate them from other types of alerts.
AMS monitoring provides these benefits:
The ability to customize the baseline resource alarms to meet your requirements.
Automatic remediation of alerts, when possible, to prevent or reduce the impact for your applications. For example, if you are using a standalone Amazon EC2 instance and it fails the system health check, AMS attempts to recover the instance by stopping and restarting it. For more information, see AMS automatic remediation of alerts.
Transparency into active and previously resolved alerts using OpsCenter. For example, if you have unexpectedly high CPU utilization on an Amazon EC2 instance, you can request access to the AWS Systems Manager console (which includes access to the OpsCenter console) and view the OpsItem directly in the OpsCenter console.
Investigating alerts to determine the appropriate actions.
Alerts generated based on the configuration in your account and supported AWS services. The monitoring configuration of an account refers to all the resource parameters in the account that create an alert. The monitoring configuration of an account includes CloudWatch Alarm definitions and EventBridge (formerly known as CloudWatch Events) rules that generate the alert (alarm or event). For more information about resource parameters, see Alerts from baseline monitoring in AMS.
Notification of imminent, on-going, receding, or potential failures; performance degradation; or security issues generated by the baseline monitoring configured in an account (known as an alert). Examples of alerts include a CloudWatch Alarm, an Event, or a Finding from an AWS service, such as GuardDuty or AWS Health.
Using OpsCenter in AMS
The AWS Managed Services (AMS) Operations team uses AWS Systems Manager OpsCenter for diagnosing and remediating many alerts related to your resources.
Using OpsCenter reduces mean time to resolution (MTTR), while providing a transparent view into the operational queues of the AMS operations teams.
With OpsCenter, AMS provides you with a transparent view of operational work items, also known as OpsItems, actively being worked upon by AMS teams, in addition to automated solutions.
To learn more about OpsCenter and OpsItems, see AWS Systems Manager OpsCenter. For information about getting access to the AWS Management Console, see Working with the AWS Management Console. From the AWS Management Console you can navigate to the AWS Systems Manager Console, and OpsCenter; to learn more, see AWS Systems Manager Session Manager. OpsCenter also provides an API that you can use; for information, see Learn More About OpsCenter.
OpsCenter is a priced feature; ~1000 OpsItems cost under $10. For information, see AWS Systems Manager pricing.