Ways to help keep your environment secure
Tracking Performance
Detecting Application Problems
Detecting Security Problems
Logging Events
Maintaining an Inventory of AWS Resources
CloudTrail
Keeps detailed logs of every read or write action that occurs against your AWS resources
CloudWatch
collects numeric performance metrics from AWS and non-AWS resources such as on-premises servers
AWS Config
tracks how your AWS resources are configured and how they change over time
CloudTrail Logs
logs both API and non-API actions. API actions include launching an instance or creating an S3 bucket. Non-API actions include logging into the management console
CloudTrail Management Events types
Write-Only Events
Read-Only Events
CloudTrail Write-Only Events
API operations that modify or might modify resources, e.g. RunInstances or logging in as the root user
CloudTrail Read-Only Events
API operations that read resources and DON'T make changes, e.g. DescribeInstances
Data Events
Tracks two types of data: S3 object-level activity and Lambda function executions
Event History
CloudTrail logs 90 days of management events and stores them in a viewable, searchable and downloadable database called event history.
Trails
configuration that records specified events and delivers them as CloudTrail log files in an S3 bucket
Components of a log entry
eventTime
userIdentity
eventSource
eventName
awsRegion
sourceIPAddress
The list of fields is not limited to these.
How many trails can you have per region?
5
Management events vs. data events
Management events - a global service that tracks service events
Data events - track up to 250 individual OBJECTS like Lambda functions and S3 buckets
Log file integrity validation
CloudTrail provides integrity validation by storing logs in an S3 bucket. So if CloudTrail is compromised by an attacker deleting logs, there is still an S3 bucket with everything in it.
digest file
Every hour CloudTrail creates a file containing cryptographic hashes of all the log files CloudTrail created in that hour, and stores it in an S3 bucket.
How often is a digest file created?
Created every hour
Steps to validate the digest file
Use the AWS CLI
Specify the ARN of the trail and the start time
CloudWatch
collects, retrieves and graphs numeric performance metrics from AWS and non-AWS resources.
How are CloudWatch Metrics organized?
Namespaces (Ex. AWS/Service, CW/Agent, etc.)
Basic Monitoring vs. Detailed Monitoring
Basic Monitoring - sends metrics to CW every five minutes (this becomes an average)
Detailed monitoring - publish metrics every minute
TRUE or FALSE: You can delete CloudWatch metrics.
FALSE - you cannot delete them, they expire on their own.
Graphing metrics use the following statistics:
Sum
Minimum
Maximum
Average
Sample Count
Percentile
CloudWatch Logs
feature of CloudWatch that collects and stores logs from AWS and non-AWS resources
Log Stream vs. Log Groups
Log streams - logs from an individual resource, such as a single EC2 instance (e.g. xlinkcloud, xquery, calcserver)
Log groups - the collections into which all the streams are grouped
What is the default setting for log retention?
Indefinitely
CloudWatch Agent
Command-line program that collects logs from EC2 instances and on-premises servers running Linux or Windows.
CloudWatch Alarms
monitors a single metric and performs an action based on a change in its value
Examples of CloudWatch Actions
email notification
rebooting an instance
executing an ASG action
Threshold
the value that the monitored data point must meet or cross to indicate something is wrong
Types of thresholds
Static Threshold
Anomaly Detection
Metric Math Expression
Static threshold examples
CPUUtilization, mem_used_percent, disk_used_percent
Anomaly Detection
based on whether a metric falls outside of a range of values called a band.
Metric Math Expression
evaluate one or more CloudWatch metrics using a metric math expression
Once an alarm is triggered, what are the options for actions?
SNS
ASG action like spinning up a new instance
EC2 action like stop, terminate, reboot or recover
EventBridge
monitors for and takes an action either based on specific events or on a schedule
EventBridge vs. CloudWatch Alarms
EventBridge - takes some action based on specific events
CloudWatch Alarms - takes some action based on metrics
Event Buses
The way EventBridge monitors events
EventBridge Rules and Targets
Rules define the action to take in response to an event. You create a rule to watch for events, and specify targets that complete the action.
AWS Config
Tracks the configuration state of your resources at a point in time
CloudTrail vs. EventBridge vs. Config
CloudTrail - logs events
EventBridge - deals with events or actions that occur against a resource
Config - deals with the state of the resource
AWS Config can help with the following objectives:
Security
Easy Audit reports
Troubleshooting
Change Management
AWS Config - Security
Notify of configuration changes and potential breaches
AWS Config - Easy Audit Reports
Provides a configuration snapshot report showing how resources were configured at any point in time
AWS Config - Troubleshooting