Contents
- Monitoring vs. observability: the real difference
- The three pillars: logs, metrics, and traces
- Native AWS stack: CloudWatch, X-Ray, CloudTrail
- Alternatives: Datadog, New Relic, Grafana + Prometheus
- Alerts that matter (and the ones that are noise)
- SLIs, SLOs, and error budgets
- Observability cost pitfalls
- Next step
- Frequently asked questions
- Is CloudWatch enough, or do we need a third-party tool?
- How many SLOs should a service have?
- What is the difference between CloudTrail and CloudWatch?
- How do we reduce CloudWatch costs without losing visibility?
- Should we adopt OpenTelemetry on AWS?
- How often should alerts be reviewed?
Most AWS incidents are not caught by the dashboard the team built on day one. They surface when a customer complains, when p99 latency quietly doubles, or when a downstream Lambda starts throttling at 3 a.m. The gap between "we have CloudWatch" and "we can explain what is happening in production right now" is where engineering leaders lose hours and money.
This guide is written for teams running non-trivial workloads on AWS and asking three practical questions: what should we instrument, which tools actually pay off, and how do we keep the observability bill from growing faster than the workload it watches. The answers depend less on vendor marketing and more on a clear model of what monitoring and observability do.
If you are still planning your AWS footprint, pair this with our enterprise AWS migration guide. If costs are already a pain point, our FinOps on AWS piece covers the financial side in depth.
Monitoring vs. observability: the real difference
Monitoring answers questions you already knew to ask. CPU above 80%, 5xx rate above 1%, queue depth above N. You define the metric, the threshold, and the alert. It works well for known failure modes in stable systems.
Observability is the ability to ask new questions about the system without shipping new code. In a distributed architecture with dozens of Lambdas, ECS services, SQS queues, and third-party APIs, most outages are novel. You need enough signal, structured well enough, to reconstruct what happened and why, even for a scenario nobody anticipated.
The practical implication: monitoring is a subset of observability. A team with strong observability can build monitoring on top of it. A team with only monitoring is blind the moment reality deviates from the playbook.
The three pillars: logs, metrics, and traces
The industry converged on three pillars because each answers a different question:
- Metrics answer "is something wrong?" They are cheap to store, easy to aggregate, and ideal for dashboards and alerts. CPU, memory, request rate, error rate, latency percentiles.
- Logs answer "what happened?" They are verbose, higher cost per GB, and essential for forensic work. Structured JSON logs are non-negotiable in production.
- Traces answer "where did it happen, and why was it slow?" A trace follows a single request across services, showing which span consumed the time or failed.
In AWS, these map to CloudWatch Metrics, CloudWatch Logs, and AWS X-Ray respectively. Mature teams add a fourth pillar: events (deploys, config changes, feature flags) correlated on the same timeline, because most incidents start with a change.
Native AWS stack: CloudWatch, X-Ray, CloudTrail
The AWS-native stack is underrated for teams that want to avoid a second vendor.
CloudWatch covers metrics, logs, dashboards, alarms, and synthetic checks. Container Insights and Lambda Insights add curated views for ECS, EKS, and serverless. CloudWatch Logs Insights provides query-based analysis over log data without moving it.
AWS X-Ray provides distributed tracing with automatic instrumentation for Lambda, API Gateway, and the AWS SDK. It is sufficient for most workloads up to moderate complexity. For deeper OpenTelemetry support, AWS Distro for OpenTelemetry (ADOT) is the path forward.
CloudTrail is not monitoring in the classic sense; it is the audit log of every API call in your account. It is how you answer "who deleted that security group?" or "when did IAM policy X change?" Combine it with AWS Config for resource state history.
The strength of the native stack is integration. The weakness is that dashboards and cross-account visibility require real effort, and costs can escalate with high-cardinality metrics.
Alternatives: Datadog, New Relic, Grafana + Prometheus
The native stack is not always the right answer, especially in multi-cloud or hybrid environments.
| Option | Strengths | Trade-offs |
|---|---|---|
| Datadog | Best-in-class UX, broad integrations, strong APM and log correlation | Expensive at scale, per-host and per-GB pricing compounds quickly |
| New Relic | Unified data model, consumption-based pricing | Learning curve on NRQL, some integrations less mature |
| Grafana + Prometheus + Loki + Tempo | Open source, full control, OpenTelemetry-native | Operational burden, you run the stack yourself |
A common pattern we see: CloudWatch for AWS infrastructure metrics and logs, plus Datadog or Grafana for APM, traces, and business dashboards. Hybrid setups work, but be explicit about which tool owns which signal to avoid duplicate spend.
Alerts that matter (and the ones that are noise)
Alert fatigue kills on-call rotations faster than any outage. A good alert meets three criteria: it indicates real user impact or imminent risk, it is actionable, and the responder knows what to do in the first sixty seconds.
Patterns worth enforcing:
- Alert on symptoms, not causes. "Checkout error rate above 2%" is a symptom. "CPU at 90%" is often a cause that may or may not matter.
- Use multi-window, multi-burn-rate alerts for SLOs instead of static thresholds.
- Every alert must link to a runbook. If there is no runbook, the alert is not ready for production.
- Route by severity. Page humans only for things that need immediate human judgment. Everything else goes to a ticket queue.
Audit your alerts quarterly. Any alert that fired more than five times without action is either misconfigured or should be automated away.
SLIs, SLOs, and error budgets
Service Level Indicators (SLIs) are the metrics that matter to users: request success rate, latency at p95 or p99, data freshness. Service Level Objectives (SLOs) are the targets you commit to, for example "99.9% of checkout requests succeed in under 400 ms over a 30-day window."
The error budget is the inverse: 0.1% of requests can fail without breaching the SLO. This number is operationally powerful. When the budget is healthy, the team can ship fast and take risks. When it is burning, the team freezes risky changes and invests in reliability. It converts reliability from an opinion into a number.
Start with two or three SLOs per critical user journey. Do not try to cover every service on day one. Review them every quarter against actual user behavior, not aspirational goals.
Observability cost pitfalls
Observability bills grow in ways that surprise finance teams. The common traps:
- High-cardinality custom metrics. CloudWatch charges per metric per month. A metric tagged with
user_idorrequest_idcan explode into millions of unique series. Tag with bounded dimensions likeservice,region,environment. - Verbose logging in Lambda. A chatty function invoked millions of times generates terabytes. Log at INFO by default, DEBUG behind a flag.
- Log retention defaults. CloudWatch Logs retains indefinitely unless you set a retention policy. Most teams need 30–90 days hot and S3 + Glacier for the rest.
- Data egress. Shipping logs and metrics to a third-party SaaS incurs egress charges on top of vendor fees. Use VPC endpoints or regional ingestion where possible.
- 100% trace sampling in production. Sample intelligently: keep all errors, keep a percentage of successful requests, adjust by endpoint criticality.
A reasonable target is observability spend between [VERIFY: typical observability spend as % of total cloud cost, likely 5–15%, source CNCF or Datadog industry reports] of total AWS spend. Anything significantly above that deserves a review.
Next step
If your team is building or rebuilding the observability layer on AWS and wants a second opinion on architecture, tooling, and cost, contact us for a 30-minute diagnostic. We will review your current stack and identify the three highest-impact changes.
Frequently asked questions
Is CloudWatch enough, or do we need a third-party tool?
For workloads fully on AWS with moderate complexity, CloudWatch plus X-Ray and CloudTrail is enough. Teams add Datadog, New Relic, or Grafana when they need better APM UX, multi-cloud visibility, or advanced trace analysis.
How many SLOs should a service have?
Two to four per critical user journey is a healthy starting point. More than that dilutes focus and makes error budget decisions harder.
What is the difference between CloudTrail and CloudWatch?
CloudWatch monitors performance and operational health (metrics, logs, traces). CloudTrail records who did what in your AWS account (API calls, configuration changes). You need both.
How do we reduce CloudWatch costs without losing visibility?
Set log retention policies, avoid high-cardinality custom metrics, sample traces, and move cold logs to S3. Review the top ten log groups by volume monthly; that is usually where 80% of the spend sits.
Should we adopt OpenTelemetry on AWS?
Yes, if you want vendor portability or plan to use tools beyond the native stack. AWS Distro for OpenTelemetry (ADOT) is supported and works with CloudWatch, X-Ray, and most third-party backends.
How often should alerts be reviewed?
Quarterly at minimum. Track alert volume, false positive rate, and mean time to acknowledge. Any alert that never fires or always fires is a candidate for deletion or automation.
Need to optimize your cloud infrastructure?
Schedule a free assessment with our team.
Talk to an expert