AWS CCP Module 10: Monitoring, Compliance, & Governance



68 Terms

1

Progression for effective monitoring

  1. Securing systems

  2. Monitoring activities

  3. Conducting audits

  4. Ensuring compliance

2

monitoring

observing systems, collecting metrics, and then using data to make decisions

3

Amazon CloudWatch

monitors AWS resources and applications that run on AWS in real time; gives system-wide visibility into resource utilization, application performance, and operational health

4

Amazon CloudWatch features

  • Metrics collection from all AWS resources, apps, and services that run on AWS and on-premises servers

  • Alarms: define thresholds on CW metrics and send notifications/automatically make changes to the resources

  • Dashboards

  • Logs are centralized from all of the systems, apps, and AWS services that you use

5

Amazon Cloudwatch benefits

  • Helps you visualize and analyze your resources

  • Operate efficiently with automation

  • Use an integrated view

  • Proactively monitor

  • Gain insights

6

Amazon CloudWatch use cases

Monitor and troubleshoot infrastructure

7

Q: An ecommerce company is hosting their customer application on multiple Amazon EC2 instances. The application experiences fluctuating traffic and occasional performance issues that are impacting the customer experience. How can Amazon CloudWatch help the customer? (Select THREE.)

  • CloudWatch can deliver content to the edge locations, closer to where customers are located, to reduce latency.

  • CloudWatch dashboards can be customized to visualize the metrics, alarms, and data in a consolidated view.

  • CloudWatch can predict the items that customers will purchase and place those in the ecommerce application shopping cart in the buy again category.

  • CloudWatch alarms can be set up to alert when the Amazon EC2 utilization is too high for an extended period and automate more EC2 instances being created to share the load.

  • CloudWatch logs can collect data on the EC2 instances and application logs. The logs can gain insights on performance issues or application errors.

  • CloudWatch can design architectures and create all the resources to minimize performance issues.

  • CloudWatch dashboards can be customized to visualize the metrics, alarms, and data in a consolidated view.

  • CloudWatch alarms can be set up to alert when the Amazon EC2 utilization is too high for an extended period and automate more EC2 instances being created to share the load.

  • CloudWatch logs can collect data on the EC2 instances and application logs. The logs can gain insights on performance issues or application errors.

Dashboards, alarms, and logs can all help the customer proactively improve the application performance and experience.

8

AWS CloudTrail

provides a detailed history of API calls to track user activity and API usage in the AWS cloud, on-premises, and with other cloud providers

9

AWS CloudTrail features

  • CloudTrail events capture details about actions performed within your AWS account (free)

  • CloudTrail logs monitor events and deliver those events as log files to an S3 bucket

    • Can be used to prove compliance with regulations

  • CloudTrail Insights analyzes your normal patterns of API call volume and API error rates and generates Insight events when those deviate from normal patterns

10

AWS CloudTrail benefits

  • Auditing

  • Security monitoring

  • Operational troubleshooting

  • Helps provide compliance

  • Helps improve security posture

11

AWS CloudTrail use cases

  • Compliance and auditing

  • Identifying security incidents

  • Troubleshooting operational issues

12

Q: A financial company with a hybrid cloud solution wants to track changes made to their AWS resources both in the cloud and on premises. Specifically, they want to know who did what, and when. Which AWS service would best meet their needs?

CloudTrail is an AWS service that uses APIs to track who did what, when the action occurred, and on which AWS services and resources.

13

Q: A company wants to store the files that contain API activities for an AWS account in an Amazon S3 bucket. They want to retain these files for auditing and compliance. Which solution and feature would provide this capability?

CloudTrail logs can be delivered to an S3 bucket/Amazon CloudWatch logs and are not limited to 90 days.

14

Benefits of compliance with AWS

  • Inherit the latest security controls that AWS uses on its own infrastructure

  • 3rd-party validation for thousands of global systems

  • Streamlining and automating compliance

  • On-demand compliance reports

15

AWS Artifact

a service that provides free, on-demand access to AWS security and compliance reports and select online agreements

16

AWS Artifact benefits

  • Helps you manage at scale

  • Save time with on-demand access to compliance reports

  • Deploy with more confidence

17

AWS Artifact use cases

  • Manage select online agreements

  • Assess 3rd-party security and compliance

18

AWS Artifact Agreements

review, accept, and manage agreements for an individual account and for all your accounts in AWS Organizations

19

AWS Artifact Reports

provides compliance reports for 3rd-party auditors

20

Q: Which tasks can you complete in AWS Artifact? (Select TWO)

  • Access AWS compliance reports on demand.

  • Consolidate and manage multiple AWS accounts within a central location.

  • Create users to permit people and applications to interact with AWS services and resources.

  • Set permissions for accounts by configuring service control policies (SCPs).

  • Review, accept, and manage agreements with AWS.

  • Access AWS compliance reports on demand.

  • Review, accept, and manage agreements with AWS.

You can access AWS compliance reports on demand, and review, accept, and manage agreements with AWS.

21

Q: Which AWS service provides a no-cost, on-demand access to AWS security and compliance reports and select online agreements?

AWS Artifact is a self-service portal that provides on-demand access to AWS security and compliance documentation, including reports.

22

AWS Compliance Portal

contains resources to help you learn more about AWS Compliance, including compliance whitepapers and documentation

23

AWS Config

a service you can use to assess, audit, and evaluate the configurations of your AWS resources

24

AWS Config benefits

  • Helps evaluate configurations against a desired state

  • Manage resource configuration changes

  • Simplify troubleshooting and remediation

25

AWS Config use cases

continual auditing, security monitoring, and analysis to streamline operational troubleshooting and change management

26

Q: A research customer with a large team of developers needs a way to ensure specific configuration guidelines for the developers when creating AWS resources. They want a way to assess and audit the AWS resources to ensure that the team is using the most cost-effective approved list of compute resources. Which solution or feature would meet their needs?

AWS Config is the best choice because it will assess, audit, and evaluate the configurations of the developer’s AWS resources.

27

AWS Audit Manager

a service that continually audits your AWS usage to simplify risk and compliance assessment by helping collect evidence and manage audit data

28

AWS Audit Manager benefits

  • Saves time with automated evidence collection

  • Streamlines collaboration across teams

  • Helps ensure integrity of audits with read-only permissions

29

AWS Audit Manager use cases

  • Automate evidence collection

  • Continually audit to assess compliance

  • Deploy internal risk assessments

30

Q: An enterprise customer with a large team of developers needs a way to ensure specific configuration guidelines for the developers when creating AWS resources. They want to assess and audit the AWS resources to make sure that the team is using the most cost-effective approved list of Amazon EC2 instances. Which AWS service would best fit the customer's need?

AWS Config is the best choice because it will assess, audit, and evaluate the configurations of the developer’s AWS resources.

31

AWS Organizations

an account management service that allows for the consolidation and central management of multiple AWS accounts within an organization as it grows and scales their AWS resources

32

AWS Organizations: organization

a collection of AWS accounts that you can manage centrally and organize into a hierarchical, tree-like structure with a root at the top and organizational units (OUs) nested under it

  • each account can be located directly in the root or placed in one of the OUs

  • accounts don’t have to be part of an OU to be added to an organization

    • they can still take advantage of benefits, e.g. consolidated billing

33

AWS Organizations: organizational unit (OU)

a logical grouping of accounts in an AWS organization which can contain member accounts/nested OUs

34

AWS Organizations: root account

the parent container for all the accounts in the organization

  • gets created when an organization is created

35

AWS Organizations: management account

the central AWS account that creates and manages the organization

  • responsible for overall control and governance

36

AWS Organizations: service control policy (SCP)

a policy that lets you place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access

  • can be applied to either OUs or individual member accounts

    • affects all IAM users/roles/groups in that account

37

AWS Organizations benefits

  • Quickly scale your environment by programmatically creating new AWS accounts for resources and teams

  • Simplifies permission management through SCPs

  • Manages and optimizes costs across your AWS accounts and resources

38

AWS Organizations use cases

  • Automate AWS account creation

  • Provide tools and access for your security teams

  • Control user access to designated services

  • Share common resources across accounts

39

Q: You are configuring service control policies (SCPs) in AWS Organizations. Which identities and resources can SCPs be applied to? (Select TWO.)

  • AWS Identity and Access Management (IAM) users

  • AWS Identity and Access Management (IAM) groups

  • An individual member account

  • AWS Identity and Access Management (IAM) roles

  • An organizational unit (OU)

You can apply SCPs to the organization root, an individual member account, or an OU. An SCP affects all IAM users, groups, and roles within an account, including the AWS account root user.

You can apply IAM policies to IAM users, groups, or roles. You cannot apply an IAM policy to the AWS account root user.

40

Q: A customer is using AWS Organizations to centrally manage their company's accounts for billing to optimize and organize costs. They want to set up rules or restrictions on the AWS services, resources, and individual API actions that the users can access. Which feature would meet their needs?

An SCP is a policy that lets you place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access. SCPs can be applied to either OUs or individual member accounts.

41

Q: An enterprise customer has grown rapidly and is struggling to manage billing of their AWS resources and accounts. Every employee has created independent accounts with no centralized management or hierarchical groupings of accounts. The customer wants to roll up billing and centralize management into organizational units. Which AWS service would best meet this customer's need?

With AWS Organizations, you can centrally manage your environment as you scale your AWS resources. It can be used to centralize management, consolidate billing, and implement hierarchical groupings of accounts.

42

AWS Control Tower

a service to set up and govern a secure, compliant, multi-account AWS environment based on best practices

43

AWS Control Tower features

  • The dashboard provides continuous oversight to see provisioned accounts across your enterprise

  • Account Factory: a configurable account template that standardizes the provisioning of new accounts

  • Controls (guardrails): high-level rules that provide governance for your overall AWS environment

  • Landing zone: a well-architected, multi-account environment that’s based on security and compliance best practices

    • the enterprise-wide container that holds all of the OUs, accounts, users, and resources you want to regulate for compliance

44

AWS Control Tower benefits

  • Uses preconfigured controls, which can help quickly set up multi-account environments

  • Automation with built-in governance

  • Integration of 3rd-party software at scale

45

AWS Control Tower use cases

Quickly deploy apps and provision compliant AWS accounts

46

Q: What is the purpose of an AWS Control Tower landing zone?

A landing zone is a well-architected multi-account environment that’s based on security and compliance best practices. It is the container where you hold all the resources that you want to regulate for compliance.

47

Q: A government customer needs to set up and govern a secure, compliant, multi-account AWS environment. They want to make sure that employees comply with their approved requirements when creating new AWS accounts. Which AWS service would best fit the customer's need?

AWS Control Tower will help with the configuration of new accounts. The customer can use it to enforce and manage governance rules for security, operations, and compliance at scale across all their organizations and accounts in the AWS Cloud.

48

AWS Service Catalog

a service to create, share, and organize AWS services and resources from a curated catalog you can define

  • deploy baseline networking resources and security tools for new AWS accounts so that you can govern consistently

49

AWS Service Catalog benefits

  • Save time by making it quick to find and deploy approved, self-service cloud resources

  • Stay agile while improving governance over resources across multiple accounts

50

AWS Service Catalog use cases

  • Provision resources across AWS accounts

  • Apply access controls

  • Accelerate provisioning of CI/CD pipelines

51

Q: A financial company is looking for a solution to govern a curated set of AWS resources for their employees. When the employees need to select and start up a new AWS resource, they want to provide a self-service way to create, share, and deploy the AWS resources. Which AWS service would best meet their needs?

With Service Catalog, you can create, share, and organize from a curated catalog of AWS resources. You can deploy baseline networking resources and security tools for new AWS accounts so that you can govern consistently.

52

AWS License Manager

a service to manage software licenses and fine-tune licensing costs

53

AWS License Manager benefits

  • Helps with visibility and control

  • Helps with tracking and managing licenses

  • Reduces the risk of noncompliance with licenses

54

AWS License Manager use cases

  • Streamline license management to simplify the Microsoft License Mobility through software assurance experience

  • Automate the distribution and activation of software entitlements across AWS accounts for end users

55

Q: A customer is moving from on premises to the cloud and has decided to use the Bring Your Own License model (BYOL) approach for cost savings. They are concerned about managing the licenses, want a way to reduce the risk of noncompliance, and want to enforce license usage limits. Which solution would best meet their needs?

AWS License Manager helps reduce the risk of noncompliance by enforcing license usage limits, blocking new launches, and using other controls.

56

AWS Health

source for events and changes affecting the health of your AWS cloud resources

  • notifies you about service events, planned changes, and account notifications to help you manage and take actions

  • can be used programmatically through the AWS Health API (available with AWS Premium Support)

57

AWS Health benefits

  • Provides valuable information as a data source for events and changes

  • Gives you timely and actionable guidance to remedy issues

  • Helps manage service health

  • Is integrated and automated to use at scale

58

AWS Health use cases

  • View account specific health information

  • Plan for lifecycle events or troubleshoot an incident

59

AWS Trusted Advisor

continually evaluates your AWS environment by using best practice checks across several categories

60

AWS Trusted Advisor benefits

  • Helps you align with AWS best practices

  • Prioritizes recommendations

  • Optimizes your AWS resources at scale

61

AWS Trusted Advisor use cases

  • Optimize cost, efficiency, security

  • Improve performance

  • Track service limits

62

Q: Which AWS service provides continuous evaluation and checks of your AWS resources, and provides suggestions to optimize costs, performance, security, and resilience?

AWS Trusted Advisor helps you optimize costs, increase performance, improve security and resilience, and operate at scale in the cloud.

63

Q: Which AWS service identifies security groups that allow unrestricted access to a user's AWS resources?

AWS Trusted Advisor checks security groups for rules that allow unrestricted access to a resource. Unrestricted access increases opportunities for malicious activity, such as hacking, denial-of-service attacks, or loss of data.

64

IAM Access Analyzer

provides capabilities to set, verify, and refine permissions by analyzing external access and validating that your policies match your corporate security standards

65

IAM Access Analyzer benefits

  • Refining permissions

  • Validating IAM policies

  • Helping you meet your least privilege goals

  • Automating IAM policy reviews

66

IAM Access Analyzer use cases

  • Set fine-grained permissions

  • Verify who can access what

  • Remediate unused access

  • Refine and remove broad access

67

Q: An enterprise customer with a multi-Region AWS network is looking for ways to continuously evaluate and reduce costs while making sure that everything is secure and performing efficiently. They are also interested in learning AWS best practices to apply to their operations. Which solution would BEST meet their needs?

AWS Trusted Advisor would continuously evaluate and provide recommendations on cost, security, and performance. It would also provide recommendations on best practices.

68

Q: Where can customers go to find resources on AWS compliance — ex: information on customer compliance stories, answers to key compliance questions, and an auditing security checklist?

The Customer Compliance Center provides resources to help you learn more about AWS compliance. You can read customer compliance stories to discover how companies in regulated industries have solved various compliance, governance, and audit challenges.