- 1. Monitor Service
- 2. Comparison of Access Management
- 3. Action Trail Comparison
1. Monitor Service
Alibaba Cloud CloudMonitor is a service that monitors Alibaba Cloud resources and IoT (Internet of Things) applications. It collects monitoring metrics for Alibaba Cloud resources, as well as custom metrics that you define, to detect service availability, and lets you set alerts on those metrics. It gives you full visibility into resource usage, service status, and service health on Alibaba Cloud, so that you can respond promptly to alerts and keep your applications running smoothly.
Amazon CloudWatch is a service that monitors AWS cloud resources and the applications running on AWS. You can use it to collect and track metrics, collect and monitor log files, and set alarms. It keeps you aware of resource usage, application performance, and application health, so that you can respond quickly and keep your applications running smoothly.
1.1 Main functions comparison
In general, Alibaba Cloud CloudMonitor supports more functions than AWS CloudWatch. The following table shows the details of the comparison.
| Service Type | Alibaba CloudMonitor | AWS CloudWatch |
| --- | --- | --- |
| Alarm mode | Aliwangwang, Email, MNS, SMS + DingTalk (China site) | SNS, Email |
| Application group | Supported | Not supported |
| Digital operation | Dashboard, resource usage monthly report | Dashboard |
| Site monitoring | Supported | Not supported |
| Cloud service monitoring | Supported | Supported |
| Log monitoring | Supported (currently unsupported for the international site) | Supported |
| Overview | Overview of all cloud resource statistics, alerts, events, and resource count & level | Overview of alarms and service running status |
1.2 Host monitoring and cloud service monitoring
- Hybrid cloud: CloudMonitor supports Alibaba Cloud hosts (one-click installation or authorized automatic installation), non-Alibaba Cloud hosts, and all mainstream operating systems.
- Metrics: more than 30 host metrics covering CPU, memory, load, disk, network, and devices. Further metrics such as RDMA, GPU, and virtual multi-NIC are planned.
- Process: resource consumption of the top 5 processes.
- Second-level monitoring: data is collected every second and aggregated every 15 seconds, balancing agent resource consumption against business requirements.
- Monitoring: supports all cloud products that have been connected to CloudMonitor.
- CloudWatch supports the basic monitoring metrics of Amazon EC2 instances, including CPU usage, data transfer, and disk activity.
- Seven preselected metrics at 5-minute intervals and three status-check metrics at 1-minute intervals.
- CloudWatch also monitors all other AWS products, including compute, network, storage, and database services.
1.3 Alert service
- One-click alert: CloudMonitor supports one-click alert configuration for mainstream products, covering all instances of those products.
- Alert module: combined with application groups, alert modules allow alerts to be configured quickly across large IT infrastructures.
- Product alerts can be combined, improving the efficiency of alert configuration.
- Alert methods: multi-channel alerting, including MNS subscriptions, email, and Aliwangwang.
- High-precision alerting: alerting on 10-second or 30-second periods, or scheduled alerting on periods that are integer multiples of 60 seconds.
- Alarm evaluation: a CloudWatch alarm is evaluated over a configurable number of periods. For example, with three evaluation periods the alarm triggers only when all three data points in the three most recent periods breach the threshold.
- Alert method: CloudWatch alarms send notifications through Amazon SNS topics.
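The evaluation rule in the "Alarm evaluation" item above (trigger only when M of the last N data points breach the threshold) is what separates a sustained problem from a one-period spike. The following is an added example, not CloudMonitor's or CloudWatch's own code: it replays a constructed CPU series through three rules and counts how many notifications each would fire. The `AlarmRule` class, the series and the 90% threshold are assumptions made for illustration, and the evaluator generalizes the "3 of 3" case in the text to any M of N.

```python
"""Alarm evaluation over a sliding window of metric periods.

Added example: models the "M breaching datapoints out of the last N evaluation
periods" rule described above; it is not CloudMonitor's or CloudWatch's code,
and the CPU series below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Sequence

OK, ALARM, INSUFFICIENT = "OK", "ALARM", "INSUFFICIENT_DATA"


@dataclass(frozen=True)
class AlarmRule:
    threshold: float
    comparison: str           # "GreaterThanThreshold" or "LessThanThreshold"
    evaluation_periods: int   # N: number of most recent periods considered
    datapoints_to_alarm: int  # M: breaching datapoints within those N that trigger ALARM

    def __post_init__(self) -> None:
        if not 1 <= self.datapoints_to_alarm <= self.evaluation_periods:
            raise ValueError("datapoints_to_alarm must be between 1 and evaluation_periods")

    def breaches(self, value: float) -> bool:
        if self.comparison == "GreaterThanThreshold":
            return value > self.threshold
        if self.comparison == "LessThanThreshold":
            return value < self.threshold
        raise ValueError(f"unsupported comparison {self.comparison!r}")


def evaluate_window(rule: AlarmRule, series: Sequence[float]) -> str:
    """State after the latest datapoint: only the last N points are considered."""
    if len(series) < rule.evaluation_periods:
        return INSUFFICIENT
    recent = series[-rule.evaluation_periods:]
    breaching = sum(1 for value in recent if rule.breaches(value))
    return ALARM if breaching >= rule.datapoints_to_alarm else OK


def alarm_states(rule: AlarmRule, series: Sequence[float]) -> List[str]:
    """Replay the series period by period and record the state after each point."""
    return [evaluate_window(rule, series[: i + 1]) for i in range(len(series))]


def alarm_notifications(states: Sequence[str]) -> int:
    """How many times the alarm enters ALARM, i.e. how many notifications fire."""
    previous = [INSUFFICIENT] + list(states[:-1])
    return sum(1 for prev, cur in zip(previous, states) if cur == ALARM and prev != ALARM)


# Constructed sample: CPU utilization (%) per 1-minute period with one isolated
# spike followed by a sustained one.
CPU_SERIES = [10.0, 95.0, 20.0, 96.0, 97.0, 98.0, 30.0, 25.0]

STRICT = AlarmRule(90.0, "GreaterThanThreshold", evaluation_periods=3, datapoints_to_alarm=3)
LENIENT = AlarmRule(90.0, "GreaterThanThreshold", evaluation_periods=3, datapoints_to_alarm=2)
SINGLE = AlarmRule(90.0, "GreaterThanThreshold", evaluation_periods=1, datapoints_to_alarm=1)

if __name__ == "__main__":
    for label, rule in (("3 of 3", STRICT), ("2 of 3", LENIENT), ("1 of 1", SINGLE)):
        states = alarm_states(rule, CPU_SERIES)
        print(f"{label}: {states} -> {alarm_notifications(states)} notification(s)")
```

With the sample series the 1-of-1 rule fires twice (once for the isolated spike), while both 3-period rules fire once for the sustained spike only. The first N-1 points return `INSUFFICIENT_DATA` because the window is not yet full; how a real alarm treats missing or late data is a separate setting not modelled here.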
1.4 Application group
- Supports cross-product and cross-region resource grouping.
- Supports group-level aggregation computing and alert aggregation.
- Supports grouping custom speedup settings and time logs.
- Supports group-level authorization for RAM users (sub-accounts), primary and sub-accounts, cross-account access, and so on.
1.5 Digital operation
- Dashboard: supports cross-product and cross-region metric display, including log monitoring, custom monitoring, and other metrics.
- O&M weekly reports and resource utilization monthly reports (Enterprise Edition).
- Amazon CloudWatch dashboards: a single place for centralized monitoring of your AWS resources.
- Dashboards can show resources from multiple regions.
1.6 Site monitoring
- Provides Alibaba Cloud IDC probes (charged) and more than 300,000 last-mile user probes, with probing at 1-minute intervals.
- Simulates user access to show the actual status of a website.
- Checks site status over HTTP, ping, TCP, UDP, DNS, POP, SMTP, and FTP, and measures response time.
- Network fault discovery.
1.7 Custom monitoring
- With custom monitoring, you can quickly integrate Redis, MySQL, and other monitoring metrics into Alibaba Cloud CloudMonitor.
- Custom monitoring lets you define your own monitoring metrics and alert rules. You report the collected data for the service metrics you care about to CloudMonitor, which processes it and generates alerts based on the results.
- Publishing custom metrics: you can use the AWS CLI or API to send your own metrics to CloudWatch.
- Custom metrics generated by your own applications are submitted to CloudWatch through a simple API, shown alongside the built-in metrics, and can have alarm thresholds set on them.
2 Comparison of Access Management
Alibaba Cloud Resource Access Management (RAM) is a management service designed for the centralized management of cloud identities and access permissions. You can use RAM to grant access and management permissions to Alibaba Cloud resources to your enterprise members or partners.
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and who is authorized (has permissions) to use resources.
2.1 Main functions comparison
| Service Type | Alibaba RAM | AWS IAM |
| --- | --- | --- |
| Flexibility | Integrates with Alibaba Cloud services; supports external account management and multi-dimensional authorization | Integrates seamlessly with AWS services; supports federation with external web identity providers |
| Availability | Multi-node redundant deployment | Eventually consistent |
| Security | Tokens, access keys | Security credential management, MFA |
2.2 Identity Management Comparison
2.2.1 User Management
A user is an Alibaba Cloud RAM identity that corresponds to an operating entity, such as an operator or an application. When a new person or application needs to access your cloud resources, you create a RAM user for it and grant it access to the relevant resources.
AWS IAM allows you to create users and assign each of them separate security credentials (such as an access key, a password, or a multi-factor authentication device), or issue temporary security credentials, to grant them access to AWS services and resources.
2.2.2 Group Management
If you have created multiple RAM users under your Alibaba Cloud account, we recommend that you use groups to manage the users and their permissions. Create a group for RAM users who share the same responsibilities and grant permissions to the group. This has the following advantages:
- When a user's responsibilities change, you only need to move that user to the group with the corresponding responsibilities, without affecting other users.
- When a group's responsibilities change, you only need to modify the group's authorization policy, and the change applies to all users in the group.
An AWS IAM group is a collection of IAM users. You manage group membership as a simple list:
- You grant permissions to a group by attaching an access control policy to it. This lets you manage the permissions of a set of users at once, instead of managing each user's permissions individually.
- A group has no security credentials of its own and cannot call web services directly. Its purpose is to make user permission management easier.
2.2.3 Role Management
RAM roles and RAM users are both identities in Alibaba Cloud RAM. Compared with a RAM user, a RAM role is a virtual user that has no long-term credentials and cannot be used unless it is assumed by an authorized entity.
- As a virtual user, a RAM role has a fixed identity and can be granted authorization policies, but it has no fixed credentials (password or access key).
- A RAM role differs from a RAM user in how it is used. A RAM role must be assumed by an authorized entity. After assuming the role, the entity receives a temporary STS security token for the role and uses that token to access the resources the role is authorized for.
An AWS IAM role is an IAM identity with a set of permissions for making AWS service requests. It is not uniquely associated with one user or group; instead, any trusted entity (an IAM user, an application, or an AWS service such as EC2) can assume it.
- An IAM role has no credentials of its own and cannot make AWS service requests directly. It must be assumed by an authorized entity, such as an IAM user, an application, or an AWS service such as EC2.
- An IAM role lets you delegate access with defined permissions to a trusted entity without sharing long-term access keys. You can use IAM roles to grant access to IAM users in your own AWS account, IAM users in other AWS accounts, and AWS services such as EC2.
2.3 Authorization Management Comparison
Alibaba Cloud RAM uses permissions to describe the ability of an identity (a user, user group, or role) to access a specific resource. A permission allows or denies specific operations on specific resources under specific conditions.
The AWS IAM access management module defines the operations that a user or other entity can perform within an AWS account; this is usually called authorization. Permissions are granted through policies. A policy is an object in AWS that, when attached to an identity or a resource, defines their permissions. When a principal (such as a user) makes a request, AWS evaluates these policies.
2.3.1 Permission model
The Alibaba Cloud RAM permission model is as follows:
- The Alibaba Cloud account (resource owner) holds all permissions.
- By default, RAM users (operators) have no permissions.
- A RAM user that creates a resource is not automatically granted permissions on it.
AWS IAM attaches access management policies to users, groups, and roles, which is how permissions for AWS resources are assigned. By default, IAM users, groups, and roles have no permissions; a principal with administrative permissions must grant the required permissions through policies.
2.3.2 Authorization policies
Alibaba Cloud RAM supports the following two types of authorization policies:
- System access policies: A group of commonly used permission sets created and managed by Alibaba Cloud, such as the read-only permission for ECS and the complete permission for ECS. You can use these policies, but cannot modify them.
- Custom access policies: A group of permission sets created and managed by the user. They can be used to expand and supplement system authorization policies.
AWS IAM policies are either identity-based or resource-based:
- 1) Identity-based policies are permission policies attached to a principal or identity (an IAM user, role, or group). They control what actions that identity can perform, on which resources, and under what conditions.
- 2) Resource-based policies are JSON policy documents attached to a resource such as an Amazon S3 bucket. They control what actions a specified principal can perform on that resource and under what conditions.
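The "no permissions by default" rule in 2.3.1, the two policy types above, and the role trust relationship from 2.2.3 all come together at evaluation time. The following is an added example, not AWS's or Alibaba Cloud's evaluator: a small evaluator that applies the documented order (an explicit Deny anywhere wins, otherwise any Allow grants, otherwise the request is implicitly denied) to an identity-based policy, an S3 bucket policy with a source-IP restriction, and a role trust policy that requires MFA. The account ID, user, bucket, role, IP ranges and policies are constructed, and the evaluator is deliberately limited to same-account requests and four condition operators.

```python
"""Policy evaluation in the style of IAM and RAM, as an added example.

Not AWS's or Alibaba Cloud's evaluator. Rule applied: an explicit Deny in any
applicable policy wins; otherwise an Allow (identity- or resource-based)
grants; otherwise the request is implicitly denied. Simplifications: same
account only; no SCPs, permission boundaries or session policies; only the
Bool, IpAddress and NotIpAddress condition operators. All identifiers below
are constructed.
"""
import ipaddress
from fnmatch import fnmatchcase
from typing import Any, Dict, Iterable, List, Optional

Policy = Dict[str, Any]
ALLOW, EXPLICIT_DENY, IMPLICIT_DENY = "Allow", "ExplicitDeny", "ImplicitDeny"

def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]

def _glob_any(patterns: Any, value: str, fold_case: bool = False) -> bool:
    """Wildcard match with '*' and '?'; action names are case-insensitive, ARNs are not."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def _ip_in(addr: str, cidrs: Any) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))

def _condition_holds(condition: Dict[str, Any], ctx: Dict[str, Any]) -> bool:
    """Every key under every operator must hold; an absent key fails positive operators."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "Bool":
                ok = actual is not None and str(actual).lower() == str(expected).lower()
            elif op == "IpAddress":
                ok = actual is not None and _ip_in(actual, expected)
            elif op == "NotIpAddress":  # negated operators hold when the key is absent
                ok = actual is None or not _ip_in(actual, expected)
            else:
                raise ValueError(f"unsupported condition operator {op!r}")
            if not ok:
                return False
    return True

def _applies(stmt: Dict[str, Any], action: str, resource: str, principal: str, ctx: Dict[str, Any]) -> bool:
    if not _glob_any(stmt.get("Action", []), action, fold_case=True):
        return False
    # Role trust policies carry no Resource element: the role itself is the resource.
    if "Resource" in stmt and not _glob_any(stmt["Resource"], resource):
        return False
    if "Principal" in stmt:  # only resource-based statements name a principal
        who = stmt["Principal"]
        if who != "*" and not _glob_any(who.get("AWS", []), principal):
            return False
    return _condition_holds(stmt.get("Condition", {}), ctx)

def evaluate(action: str, resource: str, principal: str, identity_policies: Iterable[Policy],
             resource_policies: Iterable[Policy] = (), ctx: Optional[Dict[str, Any]] = None) -> str:
    """Explicit Deny anywhere wins; otherwise any Allow grants; otherwise implicit deny."""
    ctx = ctx or {}
    decision = IMPLICIT_DENY
    for policy in list(identity_policies) + list(resource_policies):
        for stmt in _as_list(policy["Statement"]):
            if _applies(stmt, action, resource, principal, ctx):
                if stmt["Effect"] == "Deny":
                    return EXPLICIT_DENY
                decision = ALLOW
    return decision

# Constructed sample account, principal, bucket and role (not real identifiers).
ALICE = "arn:aws:iam::111122223333:user/alice"
LOGS = "arn:aws:s3:::example-app-logs"
ROLE = "arn:aws:iam::111122223333:role/AuditRole"

DEVELOPER_POLICY: Policy = {"Version": "2012-10-17", "Statement": [  # identity-based, attached to alice
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": LOGS + "/*"},
]}
LOGS_BUCKET_POLICY: Policy = {"Version": "2012-10-17", "Statement": [  # resource-based, on the bucket
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [LOGS, LOGS + "/*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]}
AUDIT_ROLE_TRUST: Policy = {"Version": "2012-10-17", "Statement": [  # resource-based, on the role
    {"Effect": "Allow", "Principal": {"AWS": ALICE}, "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}

def demo() -> Dict[str, str]:
    """Six requests by alice; returns the decision for each."""
    office, elsewhere = {"aws:SourceIp": "203.0.113.10"}, {"aws:SourceIp": "198.51.100.7"}
    obj = LOGS + "/2024/app.log"
    return {
        "describe_instances": evaluate("ec2:DescribeInstances", "*", ALICE, [DEVELOPER_POLICY]),
        "delete_log_object": evaluate("s3:DeleteObject", obj, ALICE, [DEVELOPER_POLICY], [LOGS_BUCKET_POLICY], office),
        "read_log_from_office": evaluate("s3:GetObject", obj, ALICE, [DEVELOPER_POLICY], [LOGS_BUCKET_POLICY], office),
        "read_log_from_elsewhere": evaluate("s3:GetObject", obj, ALICE, [DEVELOPER_POLICY], [LOGS_BUCKET_POLICY], elsewhere),
        "assume_role_without_mfa": evaluate("sts:AssumeRole", ROLE, ALICE, [DEVELOPER_POLICY], [AUDIT_ROLE_TRUST], {"aws:MultiFactorAuthPresent": "false"}),
        "assume_role_with_mfa": evaluate("sts:AssumeRole", ROLE, ALICE, [DEVELOPER_POLICY], [AUDIT_ROLE_TRUST], {"aws:MultiFactorAuthPresent": "true"}),
    }
```

The cases worth noting: `s3:DeleteObject` is refused because nothing grants it, not because anything denies it; reading a log object from outside the office range is an explicit deny from the bucket policy even though the identity policy allows it; and assuming the role fails unless the MFA condition in the trust policy holds, since the role has no credentials of its own.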
2.3.3 Access control authorization
Granting permissions to an Alibaba Cloud RAM user refers to the process of binding one or more authorization policies to the user, user group, or role.
- You can bind both system authorization policies and custom authorization policies.
- If a bound authorization policy is updated, the updated policy automatically takes effect, and you do not have to rebind it.
Likewise, granting permissions to an AWS IAM principal means attaching policies to the user, group, or role:
- Users and policies
- Combination policies
- Combination identities, users, and roles
Alibaba Cloud RAM does not charge service fees. If you meet the activation criteria and have activated the service, you can use it immediately.
AWS IAM is a feature of every AWS account and is offered at no additional charge.
3 Action Trail Comparison
Alibaba Cloud ActionTrail records the operations performed on the resources in your Alibaba Cloud account. It supports querying operation records and delivers record files to an OSS bucket that you specify. With the operation records saved by ActionTrail, you can perform security analysis, resource change tracking, and compliance auditing.
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.
3.1 Main functions comparison
| Service Type | Alibaba ActionTrail | AWS CloudTrail |
| --- | --- | --- |
| History event query | 30 days by default, can be extended | 90 days |
| Filtering conditions | Operation period, user name, resource type, resource name, operation name, and so on | Event name, user name, resource name, event source, event ID, and resource type |
| Service support | Most cloud product services | Most AWS product services |
3.2 API & SDK Support
As an Alibaba Cloud user, you can use the management console or the API to create an ActionTrail trail for your account and specify an OSS bucket in which to store the event logs. When an operation is invoked through the SDK, ActionTrail automatically delivers the operation log to the specified OSS bucket within ten minutes.
AWS CloudTrail improves visibility into user and resource activity by recording AWS Management Console actions and API calls. CloudTrail typically delivers an event within 15 minutes of the API call.
3.3 Data Security
Alibaba Cloud ActionTrail saves event logs to the OSS bucket you specify. You can use OSS data encryption and permission management to secure the event logs.
By default, AWS CloudTrail encrypts log files with Amazon S3 server-side encryption (SSE-S3) and stores them in your S3 bucket. You can use IAM policies or S3 bucket policies to control access to the log files.
3.4 Log Query
Alibaba Cloud ActionTrail lets you query operation logs from the last 30 days by default. To query logs over a longer range, activate OSS and use the StartLogging operation to specify a bucket in which the records are saved.
AWS CloudTrail shows event history for the last 90 days, and only for the region you are currently viewing. You can view this 90-day history in the CloudTrail console or through the CloudTrail API or CLI.
3.5 Security Analysis and Troubleshooting
When your Alibaba Cloud account or resources have security issues, the logs recorded by ActionTrail help you analyze them and identify the causes. For example, ActionTrail records every logon to your account, including the logon time, the source IP address, and whether multi-factor authentication was used. With these records, you can determine whether your account has been compromised or misused.
When a cloud resource changes unexpectedly, ActionTrail operation logs help you identify the cause. ActionTrail captures the changes and query operations that occurred in your Alibaba Cloud account during a given period, which helps you analyze and resolve faults.
With AWS CloudTrail, you can capture a full history of all changes in your AWS account over a given period to identify and resolve security and operational problems. By feeding CloudTrail events into your log management and analysis tooling, you can perform security analysis and detect patterns in user behavior.
You can also use the API call history produced by CloudTrail to troubleshoot operational issues. For example, you can quickly identify changes to resources in your environment, including the creation, modification, and deletion of AWS resources.
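The logon records described above (time, source IP, MFA used or not) are exactly what a first-pass review of sign-in activity needs. The following is an added example, not part of CloudTrail or ActionTrail: it runs four checks over constructed records laid out like CloudTrail `ConsoleLogin` events (root sign-in, sign-in without MFA, sign-in from outside an expected network, and a burst of failed sign-ins from one IP). The account ID, user names, IP addresses, the office CIDR and the failure threshold are all assumptions; ActionTrail logon records carry the same information under different field names, so the checks carry over.

```python
"""Review console sign-in events from CloudTrail-style records, as an added example.

Not part of CloudTrail or ActionTrail. The records below are constructed to
follow the CloudTrail ConsoleLogin layout (eventName, userIdentity,
sourceIPAddress, responseElements.ConsoleLogin, additionalEventData.MFAUsed);
the account ID, user names, IP addresses and office CIDR are invented.
"""
import ipaddress
import json
from collections import Counter, defaultdict
from typing import Any, Dict, Iterable, List

SAMPLE_EVENTS = """\
{"eventTime": "2024-05-01T08:02:11Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
{"eventTime": "2024-05-01T08:05:40Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2024-05-01T08:06:02Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2024-05-01T08:10:05Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "sourceIPAddress": "192.0.2.55", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication", "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2024-05-01T08:10:31Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "sourceIPAddress": "192.0.2.55", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication", "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2024-05-01T08:11:02Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "sourceIPAddress": "192.0.2.55", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication", "additionalEventData": {"MFAUsed": "No"}}
{"eventTime": "2024-05-01T08:12:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"}}
"""

OFFICE_CIDRS = ["203.0.113.0/24"]  # constructed allowlist of networks sign-ins are expected from


def parse_events(jsonl: str) -> List[Dict[str, Any]]:
    """One JSON event per line, as produced when CloudTrail records are flattened."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _ip_allowed(ip: str, cidrs: Iterable[str]) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # CloudTrail may record a service name such as "AWS Internal" here
        return False
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def review_console_logins(events: Iterable[Dict[str, Any]], allowed_cidrs: Iterable[str],
                          failure_threshold: int = 3) -> List[Dict[str, str]]:
    """Findings for successful sign-ins, plus one finding per IP with a burst of failures."""
    findings: List[Dict[str, str]] = []
    failures_by_ip: Dict[str, List[tuple]] = defaultdict(list)
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        ident = ev.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")  # root has no userName
        ip, when = ev.get("sourceIPAddress", ""), ev.get("eventTime", "")
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            failures_by_ip[ip].append((when, actor))
            continue
        rules = []
        if ident.get("type") == "Root":
            rules.append("root_console_login")
        if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            rules.append("login_without_mfa")
        if not _ip_allowed(ip, allowed_cidrs):
            rules.append("login_from_unexpected_ip")
        findings.extend({"rule": r, "actor": actor, "ip": ip, "time": when} for r in rules)
    for ip, attempts in failures_by_ip.items():
        if len(attempts) >= failure_threshold:
            actors = ",".join(sorted({a for _, a in attempts}))
            findings.append({"rule": "failed_login_burst", "actor": actors, "ip": ip, "time": attempts[-1][0]})
    return findings


def summarize(findings: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count of findings per rule, handy for a quick triage table."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    found = review_console_logins(parse_events(SAMPLE_EVENTS), OFFICE_CIDRS)
    for f in found:
        print(f"{f['time']}  {f['rule']:26} {f['actor']:8} {f['ip']}")
    print(summarize(found))
```

On the sample data the review yields six findings: two for bob's sign-in without MFA from an unexpected address, three for the root sign-in (root, no MFA, unexpected address), and one burst of three failed attempts against bob from a third address. The failure threshold and window are deliberately simple; in production you would bucket failures by time as well as by IP and feed the result into the alerting channels described in section 1.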
Alibaba Cloud ActionTrail itself is free of charge, but you pay for the OSS storage that the delivered logs consume.
AWS CloudTrail lets you view and download the last 90 days of account activity for create, modify, and delete operations of supported services free of charge. Once a trail is set up, Amazon S3 charges apply based on your usage.