Observability architecture

Forge platforms answer four distinct operational questions. Although they all involve collecting operational data, they serve different purposes, have different consumers, and require different retention and protection models. Forge deliberately keeps these concerns separate — especially governance evidence and operational observability.

This guide is the architectural map. It explains how Forge thinks about operational capabilities — not how to deploy or configure them. Depth guides: Application telemetry, Infrastructure monitoring, Audit. Deployment defaults are in Operations.

Four concerns

ConcernQuestionForge providesTypical implementation (AWS)
Application observabilityHow is my software behaving?Instrumentation, export, and dashboards across all servicesAMP, X-Ray, CloudWatch Logs, AMG
Infrastructure monitoringIs the infrastructure healthy?Per-stack CloudWatch dashboards and alarms across the deployed platformCloudWatch metrics → SNS
Application auditWhat business action did a user perform?Declarative audit capture to a central audit servicePostgreSQL (audit-service store)
Governance evidenceWhat happened on the AWS control plane and at the platform edge — and can I prove it later?Protected evidence collection for control-plane and edge HTTP trafficProtected object storage (encryption, lifecycle)

Governance evidence is separate from operational dashboards. It is durable, tamper-resistant proof stored for investigations — not another datasource in AMG.

Application observability

Deployed services export metrics, traces, and structured logs to managed AWS backends. Logs, traces, and metrics share correlation identifiers so operators can move between dashboards, traces, and log lines during live investigations — operational troubleshooting, not long-term governance archives. Signal depth is in Application telemetry.

Infrastructure monitoring

Forge deliberately separates application telemetry from infrastructure health monitoring. Dashboards and alarms cover runtime, datastores, edge delivery, identity, and email — delivered via CloudWatch and SNS, not through the application metrics backend. Coverage and scope boundaries are in Infrastructure monitoring.

Application audit

Application audit records business-domain events such as authentication, registration, sensitive data access, and notification activity. Unlike infrastructure monitoring or governance evidence, these records describe application behaviour from a business perspective and are consumed by compliance, customer support, and investigations. See Audit.

Governance evidence

Forge's governance evidence capability uses CloudTrail, load-balancer access logs, and protected evidence storage. Deployments may disable this capability when equivalent organization-wide evidence stores already exist. Deployment scope, account boundaries, and flag defaults are in Operations — Governance evidence and ADR-0027.

Three independent audit and evidence streams (do not conflate)

StreamAnswersConsumers
Application audit serviceLogin, registration, sensitive data access, notification eventsCompliance, product support, investigations
CloudTrailWho changed IAM, RDS, security groups? CDK vs console?Security, platform ops
ALB access logsWhat raw HTTP reached the load balancer?Incident response, abuse analysis

Environment posture

EnvironmentApplication observabilityInfrastructure monitoringGovernance evidence
LocalLocal metrics and tracing toolingn/an/a
INTLightweight logging onlyAlarms deployOff by default
TEST / PRODFull managed observabilityAlarms deployOn by default (configurable)

INT is optimized for integration testing rather than production-scale operational visibility. Deployment defaults and environment-specific behaviour are documented in Operations. See ADR-0026 for backend detail.

Governance evidence vs application observability

Application observabilityGovernance evidence
PurposeLive health, latency, errors, tracesImmutable proof for investigations and attribution
ConsumersOn-call, SRE, engineeringSecurity, audit, incident response
Typical query"Why is p99 high?""Who changed this security group?"

Common operator extensions

Forge operates at the application platform layer, not as an AWS landing zone. Operators may add:

ExtensionComplements
AWS ConfigCloudTrail (configuration history: what changed, not only who)
Org-wide CloudTrail → log archiveReplace or supplement Forge governance evidence
GuardDuty, Security Hub, Inspector, DetectiveAccount-level threat detection
SIEM / central security accountCross-account correlation
VPC Flow LogsNetwork forensics (volume/cost sensitive)
CloudFront / WAF full access log archivesBeyond WAF alarms already in infrastructure monitoring

Further reading


Did this page help you?