Test: Infrastructure Instance CPU Monitored

Drata inspects your company's server monitoring configuration to determine whether server CPU usage is monitored, with appropriate alerts in place.

Written by Ashley Hyman
Updated over a week ago

ASSOCIATED DRATA CONTROL

This test is part of the Servers Monitored and Alarmed control that ensures your company has implemented tools to monitor servers and notify appropriate personnel of any events or incidents based on predetermined criteria.

WHAT TO DO IF A TEST FAILS

If Drata detects that CPU utilization monitoring is not enabled, or that alerts have not been properly set up, the test will fail. With a failed test you will receive a list of the instances that lack CPU utilization monitoring or administrative alerts.

To remediate a failed test, set up and configure CPU utilization monitoring for the reported instances so that they are monitored and alerts are sent to admins in the event of an incident.

STEPS FOR PASSING

To pass this test, follow the steps for your provider listed in the table below. Once the provider steps have been completed, navigate back to Drata and run the test.

NOTE: If you are using the Datadog integration for this test, please see this help article for the metrics to be used.

Provider / Technology

Provider Steps

AWS - EC2 - By Instance

Instance Creation

  1. Within AWS, go to the EC2 service

  2. Click on the "Launch instances" button

  3. On Step 1: Choose an Amazon Machine Image (AMI)

  4. Select any Image

  5. On Step 2: Choose an Instance Type

  6. Select any option

  7. Click on Next: Configure Instance Details button

  8. On Step 3: Configure Instance Details

  9. Click on Network

  10. Select the appropriate network

  11. Click on Next: add storage button

  12. Step 4: Add Storage (keep as is)

  13. Click on Next: add tags button

  14. Step 5: Add Tags (keep as is)

  15. Click on Next: Configure Security Group button

  16. On Step 6: Configure Security Group

  17. Click on "Select an existing security group"

  18. Select any of the items in the group

  19. Click on Review and Launch button

  20. On Step 7: Review Instance Launch click on Launch button

  21. On the modal - Select the Proceed without a key pair

  22. On the modal - Click on the checkbox of (I acknowledge that I will not be able to connect to this instance unless I already know the password built into this AMI.)

  23. On the modal - Click on the Launch instances button

  24. Click on View instances button

Alarm Creation

  1. Navigate to the CloudWatch service

  2. Click on the Create Alarm button

  3. AWS Namespace: EC2

  4. Metrics: Per-Instance Metrics

  5. Instance Name: (the name of the EC2 instance)

  6. Metric Name: CPUUtilization

  7. Threshold type: Static

  8. Whenever CPU Utilization is Greater > 10 (units are in percentages)

    1. 10 is an illustrative example; choose a value that makes sense for your setup

  9. Click on Notification

    1. Alarm state trigger: In alarm

    2. Select an SNS topic: Select an existing SNS topic

    3. Set a notification recipient

  10. Create alarm

Subscription Confirmation

The subscription to the SNS topic used (or newly created) above must be confirmed for the test to pass.

  1. Go to SNS and select Subscriptions

  2. Click "Create subscription" and reference the newly created topic for the Topic ARN

  3. For Protocol select Email

  4. For Endpoint enter an email address, generally a monitored team inbox

  5. Click "Create subscription" and verify the email that was sent to your provided inbox

Alternatively:

  1. Go to SNS and select Topics

  2. Click the topic name created with the alarm

  3. Under the Subscriptions banner, click the radio button for the topic's subscription

  4. Click "Confirm subscription" and verify the email that was sent to your provided inbox

AWS - EC2 - Cluster Across All Instances

Cluster Creation

  1. Within AWS, verify there's more than 1 Instance in EC2

  2. If setting up clusters from scratch:

    1. Go to ECS

    2. Create a new cluster - e.g. choose “EC2 Linux + Networking” and fill out the form

    3. Ensure the cluster and services are fully deployed.

Alarm Creation

  1. Create an alarm in CloudWatch

  2. AWS Namespace: EC2

  3. Metrics: Across All Instances

  4. Metric Name: CPUUtilization

  5. Threshold type: Static

  6. Whenever CPU Utilization is Greater > 10 (units are in percentages)

    1. 10 is an illustrative example; choose a value that makes sense for your setup

  7. Click on Notification

    1. Alarm state trigger: In alarm

    2. Select an SNS topic: Select an existing SNS topic

    3. Set a notification recipient

  8. Create alarm

Subscription Confirmation

The subscription to the SNS topic used (or newly created) above must be confirmed for the test to pass.

  1. Go to SNS and select Subscriptions

  2. Click "Create subscription" and reference the newly created topic for the Topic ARN

  3. For Protocol select Email

  4. For Endpoint enter an email address, generally a monitored team inbox

  5. Click "Create subscription" and verify the email that was sent to your provided inbox

Alternatively:

  1. Go to SNS and select Topics

  2. Click the topic name created with the alarm

  3. Under the Subscriptions banner, click the radio button for the topic's subscription

  4. Click "Confirm subscription" and verify the email that was sent to your provided inbox

AWS - EC2 - Cluster By AutoScaling Group (ASG)

Cluster Creation

  1. Select template name

  2. Example settings:

    1. AMI: Amazon Linux 2 AMI (HVM), SSD Volume Type

    2. Instance Type: t1.micro

    3. Networking Platform: EC2-Classic

  3. Create an Auto Scaling group:

    1. Select an Auto Scaling group name

    2. Select the EC2 Launch Template you created in the previous step

    3. Instance purchase options: Adhere to launch template

    4. Choose a Network

    5. Choose a Subnet

    6. Load balancing: No Load Balancer

    7. Group Size: The numbers you enter will determine the number of instances created in this ASG

      1. Desired Capacity: 2

      2. Minimum Capacity: 2

      3. Maximum Capacity: 2

      4. Scaling policies: none

Alarm Creation

  1. Set an Alarm in CloudWatch

  2. AWS Namespace: EC2

  3. Metrics: Auto Scaling Group

  4. Auto Scaling Group Name: the name chosen when creating the Auto Scaling group above

  5. Metric Name: CPUUtilization

  6. Threshold type: Static

  7. Whenever CPU Utilization is Greater > 10 (units are in percentages)

    1. 10 is an illustrative example; choose a value that makes sense for your setup

  8. Click on Notification

    1. Alarm state trigger: In alarm

    2. Select an SNS topic: Select an existing SNS topic

    3. Set a notification recipient

  9. Create alarm

Subscription Confirmation

The subscription to the SNS topic used (or newly created) above must be confirmed for the test to pass.

  1. Go to SNS and select Subscriptions

  2. Click "Create subscription" and reference the newly created topic for the Topic ARN

  3. For Protocol select Email

  4. For Endpoint enter an email address, generally a monitored team inbox

  5. Click "Create subscription" and verify the email that was sent to your provided inbox

Alternatively:

  1. Go to SNS and select Topics

  2. Click the topic name created with the alarm

  3. Under the Subscriptions banner, click the radio button for the topic's subscription

  4. Click "Confirm subscription" and verify the email that was sent to your provided inbox

AWS - ECS - Fargate - Service

Service Creation

  1. Within AWS, go to the ECS service

  2. Create a Task Definition

  3. Click on Fargate

  4. Fill out form: Name, Task Role

  5. Add a container

  6. Click on the create button

  7. Go to Task Definition Name

  8. Actions -> create service: Launch type: FARGATE

  9. Make sure you have a cluster set up

  10. Enter a service name

  11. Enter number of tasks

  12. In VPC and security groups pick a VPC with Subnets

Alarm Creation

  1. Navigate to the CloudWatch service

  2. AWS Namespace: ECS

  3. Click on ClusterName, ServiceName for ECS

  4. Select a ClusterName and ServiceName pair for the CPUUtilization metric

  5. Threshold type: Static

  6. Whenever CPU Utilization is Greater > 10 (units are in percentages)

    1. 10 is an illustrative example; choose a value that makes sense for your setup

  7. Click on Notification

    1. Alarm state trigger: In alarm

    2. Select an SNS topic: Select an existing SNS topic

    3. Set a notification recipient

  8. Save

Subscription Confirmation

The subscription to the SNS topic used (or newly created) above must be confirmed for the test to pass.

  1. Go to SNS and select Subscriptions

  2. Click "Create subscription" and reference the newly created topic for the Topic ARN

  3. For Protocol select Email

  4. For Endpoint enter an email address, generally a monitored team inbox

  5. Click "Create subscription" and verify the email that was sent to your provided inbox

Alternatively:

  1. Go to SNS and select Topics

  2. Click the topic name created with the alarm

  3. Under the Subscriptions banner, click the radio button for the topic's subscription

  4. Click "Confirm subscription" and verify the email that was sent to your provided inbox

AWS - ECS - Fargate - Cluster

Cluster Creation

  1. Go to ECS

  2. Go to Clusters -> Create Cluster

  3. Fill out the form (utilizing a template is optional; below instructions used the Networking only template for use with AWS Fargate)

  4. Provide a cluster name

  5. Once the cluster is launched, click to view the cluster

  6. Under the Services tab, click Create

  7. Choose a launch type of Fargate

  8. When filling out the form, ensure the cluster you created in the previous steps is specified

  9. Be sure to specify a number of tasks to start

  10. Click Next step

  11. Choose a VPC with subnets, and at least one subnet

  12. Click Next step

  13. Autoscaling is optional

  14. Click Next step to review, then click Create Service

  15. Once the service has been created, click View Service

  16. Go back to Clusters and click the cluster name to be monitored

  17. Click the Metrics tab

  18. Click the CPUUtilization metric to be taken to CloudWatch

Alarm Creation

  1. CPUUtilization should be prechecked - click the small bell icon to the right to create an alarm

  2. Threshold type: Static

  3. Whenever CPU Utilization is Greater > 10 (units are in percentages)

    1. 10 is an illustrative example; choose a value that makes sense for your setup

  4. Click on Notification

    1. Alarm state trigger: In alarm

    2. Select an SNS topic: Select an existing SNS topic

    3. Set a notification recipient

  5. Create alarm

Subscription Confirmation

The subscription to the SNS topic used (or newly created) above must be confirmed for the test to pass.

  1. Go to SNS and select Subscriptions

  2. Click "Create subscription" and reference the newly created topic for the Topic ARN

  3. For Protocol select Email

  4. For Endpoint enter an email address, generally a monitored team inbox

  5. Click "Create subscription" and verify the email that was sent to your provided inbox

Alternatively:

  1. Go to SNS and select Topics

  2. Click the topic name created with the alarm

  3. Under the Subscriptions banner, click the radio button for the topic's subscription

  4. Click "Confirm subscription" and verify the email that was sent to your provided inbox

AWS - EKS

  1. Within AWS, create an EKS cluster

  2. Go to CloudWatch

  3. On the navigation pane, click Alarms

  4. Choose Create alarm

  5. In the Metrics section, choose Select metric.

  6. Select a metric namespace: EC2

  7. Select: AutoScalingGroup

  8. Choose Metric name: CPUUtilization

  9. Choose Select Metric.

  10. In the Conditions section, under Define the threshold value, enter 10 (units are in percentages)

    1. 10 is an illustrative example; choose a value that makes sense for your setup

  11. Choose Next.

  12. In the Notification section, do the following:

    1. Alarm state trigger: In alarm

    2. Select an SNS topic (any active topic is valid)

    3. Choose Next.

  13. In the Name and description section, do the following:

    1. Type in an alarm name

    2. Choose Next.

  14. Choose Create Alarm

Subscription Confirmation

The subscription to the SNS topic used (or newly created) above must be confirmed for the test to pass.

  1. Go to SNS and select Subscriptions

  2. Click "Create subscription" and reference the newly created topic for the Topic ARN

  3. For Protocol select Email

  4. For Endpoint enter an email address, generally a monitored team inbox

  5. Click "Create subscription" and verify the email that was sent to your provided inbox

Alternatively:

  1. Go to SNS and select Topics

  2. Click the topic name created with the alarm

  3. Under the Subscriptions banner, click the radio button for the topic's subscription

  4. Click "Confirm subscription" and verify the email that was sent to your provided inbox
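Every AWS section above ends with the same requirement: a CloudWatch CPUUtilization alarm whose notification action is an SNS topic with a confirmed subscription. The following Python script is an added example, not Drata's code or an AWS tool; it models that check offline over constructed records shaped like the boto3 describe_alarms and list_subscriptions_by_topic responses, and handles the per-instance, across-all-instances and Auto Scaling group alarm shapes from the EC2 sections. The instance ids, topic ARNs and email addresses are made up.

```python
"""Offline model of what this test checks on AWS: each EC2 instance needs a
CloudWatch CPUUtilization alarm (per instance, across all instances, or by
Auto Scaling group) whose action is an SNS topic with a confirmed subscription.
Record shapes follow boto3 describe_alarms / list_subscriptions_by_topic."""

PENDING = "PendingConfirmation"  # SNS returns this as SubscriptionArn until confirmed
TOPIC_OK = "arn:aws:sns:us-east-1:111122223333:ops-alerts"   # constructed ARN
TOPIC_NEW = "arn:aws:sns:us-east-1:111122223333:new-topic"   # constructed ARN

# Constructed sample data, not output from a real account.
INSTANCES = {"i-0aaa111": None, "i-0bbb222": "web-asg", "i-0ccc333": None}  # id -> ASG
ALARMS = [  # the console's "EC2" namespace is "AWS/EC2" in the API
    {"AlarmName": "cpu-i-0aaa111", "Namespace": "AWS/EC2", "MetricName": "CPUUtilization",
     "Dimensions": [{"Name": "InstanceId", "Value": "i-0aaa111"}],
     "ActionsEnabled": True, "AlarmActions": [TOPIC_OK]},
    {"AlarmName": "cpu-web-asg", "Namespace": "AWS/EC2", "MetricName": "CPUUtilization",
     "Dimensions": [{"Name": "AutoScalingGroupName", "Value": "web-asg"}],
     "ActionsEnabled": True, "AlarmActions": [TOPIC_NEW]},
    {"AlarmName": "disk-i-0ccc333", "Namespace": "AWS/EC2", "MetricName": "DiskReadOps",
     "Dimensions": [{"Name": "InstanceId", "Value": "i-0ccc333"}],
     "ActionsEnabled": True, "AlarmActions": [TOPIC_OK]},
]
SUBSCRIPTIONS = {  # topic ARN -> Subscriptions list
    TOPIC_OK: [{"Protocol": "email", "Endpoint": "secops@example.com",
                "SubscriptionArn": TOPIC_OK + ":0f1e2d3c"}],
    TOPIC_NEW: [{"Protocol": "email", "Endpoint": "oncall@example.com",
                 "SubscriptionArn": PENDING}],  # confirmation email never clicked
}


def alarm_covers(alarm, instance_id, asg_name):
    """True if this alarm watches CPUUtilization for the given instance."""
    if alarm["Namespace"] != "AWS/EC2" or alarm["MetricName"] != "CPUUtilization":
        return False
    dims = {d["Name"]: d["Value"] for d in alarm["Dimensions"]}
    if not dims:  # no dimensions: the "Across All Instances" alarm
        return True
    if dims.get("InstanceId") == instance_id:
        return True
    return asg_name is not None and dims.get("AutoScalingGroupName") == asg_name


def topic_confirmed(topic_arn, subscriptions):
    """True if the topic has at least one subscription past the pending state."""
    return any(s["SubscriptionArn"] != PENDING for s in subscriptions.get(topic_arn, []))


def failing_instances(instances, alarms, subscriptions):
    """Return {instance_id: reason} for each instance the test would report."""
    failures = {}
    for iid, asg in instances.items():
        covering = [a for a in alarms if alarm_covers(a, iid, asg)]
        if not covering:
            failures[iid] = "no CPUUtilization alarm"
        elif not any(a["ActionsEnabled"] and topic_confirmed(t, subscriptions)
                     for a in covering for t in a["AlarmActions"]):
            failures[iid] = "no enabled alarm action with a confirmed SNS subscription"
    return failures
```

Calling failing_instances(INSTANCES, ALARMS, SUBSCRIPTIONS) on the sample data reports the instance whose topic subscription was never confirmed and the one that only has a disk alarm; an alarm with ActionsEnabled set to False is treated the same way as a missing action, since it never notifies anyone.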

Azure - Container Instances

  1. Create a Container instance

  2. Navigate to Alerts

  3. Create a new Alert Rule

    1. Resource Type: Container instances (Choose the instance from under the resource group)

    2. Condition: CPU Usage

    3. Actions: Add an action group with a Notification type of "Email/SMS message/Push/Voice".

    4. Ensure target resource type is set

    5. Ensure target resource region is set

    6. Details: Name the Alert Rule and choose Severity level.

  4. Review and Create the Alert Rule

Azure - Kubernetes Services

  1. Create a Kubernetes service

  2. Choose node size

  3. Create new Alert Rule

    1. Resource Type: Kubernetes services

    2. Condition is one of:

      1. Total number of available cpu cores in a managed cluster

      2. CPU Usage Millicores

      3. CPU Usage Percentage

    3. Actions: Add an action group with a Notification type of "Email/SMS message/Push/Voice".

    4. Ensure target resource type is set

    5. Ensure target resource region is set

    6. Details: Name the Alert Rule and choose Severity level.

  4. Review and Create the Alert Rule

Azure - Virtual Machines

  1. Create a Virtual Machine

  2. Choose size

  3. Create new Alert Rule

    1. Resource Type: Virtual machines

    2. Condition is one of:

      1. CPU Credits Consumed

      2. CPU Credits Remaining

      3. Percentage CPU

    3. Actions: Add an action group with a Notification type of "Email/SMS message/Push/Voice".

    4. Ensure target resource type is set

    5. Ensure target resource region is set

    6. Details: Name the Alert Rule and choose Severity level.

  4. Review and Create the Alert Rule

GCP - Kubernetes Cluster

NOTE: GCP automatically creates associated VMs when a Kubernetes cluster is created. These VMs need to be monitored with their own alerts. See the next section, "GCP - VM Instance," for instructions on how to build those alerts.

Cluster Creation

  1. Within GCP, go to the Instance groups section

  2. Click on Create instance group button

    1. Add a name

    2. Instance groups - Add (any)

    3. Select an existing template (which is dictated by the zone(s) selected) or create a new one (see step 3)

    4. Single or Multiple zones ok

    5. Select a region

  3. [Optional] Create an instance template

    1. Enter a name

    2. Identity and API access - Select Terraform

    3. Click on link to expand (Management, security, disks, networking, sole tenancy)

    4. Click on the Networking tab

    5. Set a Network

    6. Set a Subnet - (any from dropdown)

    7. Click on Save and continue button

    8. Number of instances - Set to AutoScale

    9. Autoscaling policy - Keep as is

    10. Predictive autoscaling - Keep as is

    11. Cool down period - Keep as is

    12. Click on the create button

  4. Then, go to the Kubernetes Engine service

  5. Click on the Create button

  6. Click 'CONFIGURE' for GKE Standard

    1. Enter a name

    2. Set a location type - ensure the zone or region selected matches where you set up your instance template above (you may have to validate the Networking -> Node subnet selection under Cluster in the left sidebar)

    3. In the left sidebar, under Node Pools, click default-pool -> Security - select the appropriate service account

  7. Click on Create button

Alert Creation

  1. Navigate to the Monitoring service

  2. On the left menu click on "Alerting"

  3. Click on the "Create policy" button

  4. On the "Create alerting policy" form click on Add Condition

  5. In the "Find resource type and metric" search for any of these three resource types and metrics

    1. GKE Container and CPU utilization

      1. Resource type: GKE Container

      2. Category: Container

      3. Metric: CPU utilization

    2. Kubernetes Container and CPU limit utilization

      1. Resource type: Kubernetes Container

      2. Category: Container

      3. Metric: CPU limit utilization

    3. Kubernetes node and CPU allocatable utilization

      1. Resource type: Kubernetes node

      2. Category: Node

      3. Metric: CPU allocatable utilization

    4. For steps 5a-5c, by default the GCP Alert UI may only show "Active" metrics, and you may need to turn that toggle off to see the required option

  6. In the Configuration section enter a non-zero value for Threshold

  7. Click the ADD button

  8. Add any active notification channel under the "Configure notifications?" section (except for mobile cloud console)

  9. Click on Next button

  10. Enter an Alert name

  11. Click on Save button

GCP - VM Instance

Instance Creation

  1. Within GCP, go to the Compute Engine service

  2. Create a VM instance

  3. Click on the Create Instance button

  4. Enter an Instance Name

  5. Select a Region

  6. Select any Zone

  7. Select a machine configuration

  8. Click on Create button

Alert Creation

  1. Go to the Monitoring service

  2. On the left menu click on "Alerting"

  3. Click on "Create policy" button

  4. On the "Create alerting policy" form click on Add Condition

  5. In the "Find resource type and metric" search for VM Instance (gce_instance) and CPU utilization

    1. Resource type: VM Instance (gce_instance)

    2. Category: Instance

    3. Metric: CPU utilization

      1. For steps 5a-5c, by default the GCP Alert UI may only show "Active" metrics, and you may need to turn that toggle off to see the required option

    4. In the Configuration section enter a non-zero value for Threshold

  6. Click the ADD button

  7. Add any active notification channel under the "Configure notifications" section

  8. Click on Next button

  9. Enter an Alert name

  10. Click on Save button
