Introduction

Amazon CloudWatch serves as the central observability service we use at Fluid Attacks to monitor our services, collect and visualize real-time metrics, and respond to operational and security changes. This guide documents our specific implementation and best practices for debugging distributed systems in our cloud-native environment.

Why CloudWatch is Critical for Debugging

Debugging in cloud environments differs significantly from traditional debugging. It's no longer possible to simply launch a debugger or examine processes locally. Instead, we need tools that provide visibility into distributed and often ephemeral systems. CloudWatch offers:

Centralized observability: A single point to investigate issues across multiple AWS services and our entire platform.
Real-time and historical data: For analyzing both active incidents and recurring problems.
Cross-service correlation: Ability to connect related events across different components and microservices.
Powerful analysis tools: To identify patterns and trends in large volumes of data.
Automated alerting: Proactive notification when issues occur or thresholds are exceeded.

Essentially, CloudWatch provides the necessary tools to answer critical questions during debugging:

What exactly is failing?
When did the problem start?
Is it affecting other components?
Has it happened before?
What changed before the problem appeared?
Who was affected by the issue?

Use Cases

At Fluid Attacks, we use AWS CloudWatch primarily for:

Production Debugging: Tracking execution flows and diagnosing errors in real-time across our distributed architecture.
Security Auditing: Recording sensitive actions performed by users for compliance and forensic purposes.
Business Observability: Monitoring critical events in our service lifecycle and customer interactions.
Incident Correlation: Linking logs, metrics, and traces for root cause analysis.
Performance Monitoring: Identifying bottlenecks and optimizing system performance.
Capacity Planning: Understanding usage patterns to scale resources appropriately.

Logging Architecture

Core Components

Our CloudWatch logging architecture consists of several key components:

Log Groups: We primarily use the integrates group as our main container, with additional groups for specific services.
Log Streams: We separate by component or service to facilitate filtering and analysis.
Metrics: We extract key metrics from logs for dashboard visualization and alerting.
Alarms: We configure alerts based on specific patterns or metric thresholds.
Dashboards: Custom views for different teams and operational needs.

Backend Implementation

Core Logging Utility

We've developed the cloudwatch_log function as a centralized point to send structured logs to CloudWatch. This utility ensures consistent formatting, proper context inclusion, and asynchronous operation to minimize performance impact:

# integrates/back/integrates/custom_utils/logs.py
TRANSACTIONS_LOGGER: logging.Logger = logging.getLogger("transactional")

def cloudwatch_log(
    request: Request | WebSocket | Any,    msg: str,    extra: dict,    user_email: str = "",) -> None:
    if user_email:        TRANSACTIONS_LOGGER.info(            
            msg,
            extra={
                "extra": {
                    "environment": FI_ENVIRONMENT, "user_email": user_email, **extra}
            },        
        )
    else:        
        aio.to_background(cloudwatch_log_async(request, msg, extra))

When user_email is provided, the function logs synchronously with the specified user context. Otherwise, it delegates to an asynchronous function that extracts the user information from the request context without blocking the main execution thread.

The complementary asynchronous function automatically extracts the user context when not explicitly provided:

# integrates/back/integrates/custom_utils/logs.pyasync def cloudwatch_log_async(request: Request | WebSocket | Any, msg: str, extra: dict) -> None:
    try:        
        user_data = await sessions_domain.get_jwt_content(request)    except (ExpiredToken, InvalidAuthorization):        
        user_data = {"user_email": "unauthenticated"}

    TRANSACTIONS_LOGGER.info(
        msg,
        extra={
            "extra": {
                "environment": FI_ENVIRONMENT,
                "user_email": user_data["user_email"],
                **extra,
            }
        },
    )

The asynchronous approach is particularly important for our high-throughput APIs, as it prevents logging operations from blocking request processing.

Handler Configuration

We use Watchtower as a handler for Python logging, configured centrally through our logging configuration system. This handler efficiently transmits logs to CloudWatch while providing important features like queuing, batching, and throttling:

# integrates/back/integrates/settings/logging/handlers.py
def get_watchtower_handler(*, stream_name: str) -> dict:    return {        "boto3_client": BOTO3_SESSION.client("logs"),        "class": "watchtower.CloudWatchLogHandler",        "create_log_group": False,        "create_log_stream": False,        "filters": ["production_only"],        "formatter": "json",        "level": "INFO",        "log_group_name": "integrates",        "log_stream_name": stream_name,        "use_queues": True,    }

This configuration ensures:

Structured JSON format: All logs are stored in a consistent JSON structure for easy querying and parsing.
Automatic environment filtering: The production_only filter ensures development logs don't flood our production CloudWatch account.
Asynchronous sending: The use_queues option enables background processing of log events, preventing application blocking.
Separate streams by component: Each functional component uses a distinct stream for better organization.
Consistent authentication: We use a pre-configured boto3 session with appropriate IAM credentials.
Resource optimization: We don't automatically create log groups or streams, which are instead managed through infrastructure as code.

We have extended this basic configuration with additional features:

Custom JSON formatters that properly handle complex Python objects.
Throttling to prevent excessive API calls during log bursts.
Retry logic for handling temporary AWS API failures.
Graceful degradation when CloudWatch is unavailable.

Usage Patterns

Security Audit Logging

We log access attempts to sensitive resources, especially for security operations. This allows us to maintain a comprehensive audit trail for regulatory compliance and security investigations:

# integrates/back/integrates/api/mutations/add_secret.py
logs_utils.cloudwatch_log(
    info.context,
    "Blocked attept to create ROOT type secret for GitRoot",    
    extra={
        "group_name": kwargs["group_name"],        
        "resource_type": resource_type,        
        "resource_id": kwargs["resource_id"],
        "root_type": "GitRoot",        
        "user_email": email,        
        "log_type": "Security",    
    },
)

In this example, we're documenting a security policy enforcement event where:

A user attempted to create a sensitive resource (ROOT type secret).
The system blocked this action based on security policies.
We capture complete context, including the group, resource details, and user identity.

This type of logging is critical for security operations, as it allows us to:

Detect potential security policy violations or misconfigurations.
Provide evidence during security audits and compliance reviews.
Create alerts for suspicious activity patterns.
Support forensic investigations when needed.

Our security logs maintain a consistent structure with detailed contextual information, enabling the creation of comprehensive dashboards and reports for effective security oversight.

State Change Logging

We document critical system changes for traceability, enabling us to understand what changed, when it changed, and who made the change:

# integrates/back/integrates/api/mutations/add_secret.pylogs_utils.cloudwatch_log(
    info.context,
    "Added secret",    extra={
        "group_name": kwargs["group_name"],
        "resource_type": resource_type,
        "resource_id": kwargs["resource_id"],
        "log_type": "Security",
    },
)

State change logs serve multiple critical purposes:

Creating a chronological record of system modifications.
Supporting rollback operations when issues arise.
Providing context for troubleshooting application behavior.
Enabling reconstruction of the system state at any point in time.
Facilitating compliance with data governance requirements.

For particularly sensitive operations, we include additional context such as the previous state, specific fields that changed, and justification for the change.

GraphQL Operation Logging

We maintain a record of all executed mutations to provide a complete picture of API activity and data modifications:

# integrates/back/integrates/api/__init__.py
logs_utils.cloudwatch_log(
    request,
    "GraphQL mutation executed",    extra={
        "operation": operation_name,        "log_type": "Audit",    },
)

GraphQL operation logging is particularly important because:

It provides a high-level view of API usage patterns.
It helps identify performance bottlenecks in specific operations.
It creates an audit trail of data modifications across the system.
It supports debugging complex GraphQL operations that touch multiple resolvers.

Our logging captures the operation name and type, along with authentication context, while carefully avoiding logging of sensitive parameter values that might contain PII or credentials.

Field Taxonomy

To facilitate searches and analysis, we standardize the following fields in the extra structure. This consistent taxonomy makes it possible to build powerful queries, filters, and dashboards across our entire logging ecosystem:

Field	Description	Examples
environment	Execution environment identifier	production, staging, development
user_email	Email of the user performing the action	user@fluidattacks.com, unauthenticated
log_type	Main event category for classification	Security, Audit, Business, Error, Performance
group_name	Affected group/project identifier	group_123, acme_corp
resource_type	Type of resource involved in the operation	Secret, Root, Finding, Evidence, Organization
resource_id	Unique identifier for the affected resource	uuid, path/to/resource
operation	Name of the specific operation being performed	addSecret, updateFinding, deleteUser
status	Operation outcome status	success, failure, blocked, partial
duration_ms	Time taken to complete the operation in milliseconds	127, 3542
error_code	Standardized error code, if applicable	AUTH_FAILED, RESOURCE_NOT_FOUND, VALIDATION_ERROR
service	Service or microservice handling the request	api, auth, notifications
version	Service version or deployment identifier	v2.3.1, build-5436

This taxonomy has evolved based on our operational needs and is consistently enforced through our centralized logging utilities. The standardized structure enables powerful analytical capabilities:

We can track actions by specific users across multiple services.
We can correlate errors with specific resource types or operations.
We can measure performance characteristics by service or operation type.
We can filter security events by group, resource type, or action outcome.

Monitored Services

CloudWatch is used across the following Fluid Attacks components:

Integrates Backend: All GraphQL operations and critical domains, including user management, vulnerability findings, evidence handling, and security scanning operations. We maintain dedicated log streams for each major API component.
Observes: ETL components and data analysis pipelines that process security findings and metrics. These components generate logs for data processing activities, extraction operations, and transformation steps.
Infrastructure: Monitoring of ECS clusters, Lambda functions, and other AWS services supporting our platform. We collect both application-generated logs and AWS-provided infrastructure metrics to gain a complete view of system health.
Security Services: Our security scanning engines, vulnerability verification systems, and remediation tracking tools all contribute logs to CloudWatch to provide complete visibility into the security assessment lifecycle.
Client Applications: Frontend errors and performance metrics are captured and sent to CloudWatch, giving us insights into client-side operations and user experience.

Each service implements consistent logging patterns while adding domain-specific contextual information that enhances the value of the logs for that particular component.

Queries and Analysis with CloudWatch Logs Insights

Security events by user in the last 24h:

fields @timestamp, extra.user_email, message, extra.resource_type
| filter extra.log_type = "Security"| sort @timestamp desc
| limit 100

This query helps our security team review all security-relevant events, organized by user, to identify potential suspicious patterns or unauthorized access attempts.

Errors in critical operations:

fields @timestamp, message, extra.operation
| filter level = "ERROR"| sort @timestamp desc
| limit 50

Best Practices at Fluid Attacks

Through years of CloudWatch implementation experience, we've established the following best practices:

Consistent Structure: Always use cloudwatch_log instead of direct logger calls to ensure standardized formatting and context inclusion. This consistent approach simplifies queries and analysis while ensuring that all necessary context is captured with every log event.
Avoid Sensitive Information: Don't include passwords, tokens, or PII in logs to maintain compliance with data protection regulations. We've implemented automatic sanitization for common patterns like credit card numbers, social security numbers, and authentication tokens to prevent accidental exposure.
Enriched Context: Always add relevant information in the extra field to make logs more valuable for analysis. Context-rich logs significantly reduce the time required for troubleshooting and provide better insights for operational and security analysis.
Descriptive Messages: Use clear and concise messages that identify the action being performed or the event being recorded. Good message formatting makes logs more readable for humans while still supporting machine parsing.
Optimal Log Levels: Use appropriate log levels (DEBUG, INFO, WARNING, ERROR) to differentiate between routine operations and exceptional conditions. This practice helps control log volume while ensuring that important events are properly highlighted.
Correlation IDs: Include request IDs or correlation tokens in all logs related to a single transaction to enable end-to-end request tracking across services. These IDs allow us to reconstruct the complete flow of a request through our distributed system.
Performance Awareness: Be mindful of the performance impact of logging, especially in high-throughput components. Our asynchronous logging approach and careful control of log verbosity help minimize this impact.
Regular Log Analysis: Schedule regular reviews of log data to identify patterns, anomalies, or potential improvements. Proactive log analysis often reveals issues before they become critical incidents.

CloudWatch serves as the backbone of our observability strategy at Fluid Attacks, enabling us to maintain high service quality and security standards in our distributed, cloud-native environment. By implementing consistent logging patterns, structured data formats, and comprehensive monitoring across all our services, we can quickly identify and resolve issues while maintaining detailed audit trails for compliance and security purposes.