https://ferkakta.dev/tags/cloudwatch/Recent content in Cloudwatch on ferkakta.devHugoen-USCopyright fizz.Mon, 02 Mar 2026 00:00:00 +0000https://ferkakta.dev/per-tenant-cloudwatch-log-isolation-eks/Mon, 02 Mar 2026 00:00:00 +0000https://ferkakta.dev/per-tenant-cloudwatch-log-isolation-eks/<h2 id="the-starting-assumption">The starting assumption</h2> <p>I&rsquo;m building <a href="https://ramparts.dev">ramparts</a>, a multi-tenant compliance platform running on EKS. Each tenant gets a Kubernetes namespace &ndash; <code>tenant-acme</code>, <code>tenant-globex</code>, whatever &ndash; and the compliance controls require that their application logs land in isolated storage with 365-day retention. CMMC maps this to AU-2 (audit events), AU-3 (audit content), AU-11 (retention), and AC-4 (information flow isolation). A tenant cannot read another tenant&rsquo;s container output.</p> <p>The obvious first move was <code>aws-for-fluent-bit</code>, AWS&rsquo;s own Helm chart and container image for shipping logs to CloudWatch. AWS service, AWS chart, AWS logging destination. The blessed path.</p>https://ferkakta.dev/why-we-removed-aws-for-fluent-bit-from-eks/Mon, 02 Mar 2026 00:00:00 +0000https://ferkakta.dev/why-we-removed-aws-for-fluent-bit-from-eks/<p>We deployed <code>aws-for-fluent-bit</code> because AWS recommends it.</p> <p>If you follow the EKS logging documentation, that&rsquo;s the default path. It assumes you use AWS&rsquo;s distribution of Fluent Bit rather than the upstream Helm chart.</p> <p>We did.</p> <p>Two days later, we ripped it out.</p> <p>The AWS chart and the upstream chart are not the same thing. The differences aren&rsquo;t cosmetic. They affect how quickly you receive security patches, how transparently your configuration maps to the underlying plugin, and how many boundaries sit between your logs and the CloudWatch API.</p>https://ferkakta.dev/iam-deny-overlay-managed-policies/Fri, 27 Feb 2026 00:00:00 +0000https://ferkakta.dev/iam-deny-overlay-managed-policies/<p>I needed to give a developer full CloudWatch read access — metrics, alarms, dashboards, log groups — but deny access to three categories of log groups containing security-sensitive data: WorkSpaces OS event logs, VPC flow logs, and WAF request logs.</p> <p>The reflex is to copy <code>CloudWatchReadOnlyAccess</code> into a custom policy and delete the parts you don&rsquo;t want. I&rsquo;ve seen this in every organization I&rsquo;ve worked in. It produces a policy with 50+ actions that you now own. Every time AWS ships a new CloudWatch feature, your policy is stale. You won&rsquo;t update it. It&rsquo;ll rot.</p>https://ferkakta.dev/workspaces-ssm-cloudwatch-bootstrap/Thu, 12 Feb 2026 10:00:00 -0600https://ferkakta.dev/workspaces-ssm-cloudwatch-bootstrap/<p>I spent an afternoon arguing with Windows about whether I was allowed to be root on a machine I created. Six hours and six layers of undocumented workarounds later, I got CMMC-compliant audit logging on a desktop that doesn&rsquo;t know it exists.</p> <h2 id="the-problem">The problem</h2> <p>WorkSpaces don&rsquo;t show up in AWS Systems Manager. They&rsquo;re not EC2 instances — no instance profile, no metadata endpoint, no identity. SSM Agent is pre-installed but thinks it&rsquo;s nobody. CloudWatch Agent has no credentials and doesn&rsquo;t know what region it&rsquo;s in.</p>