AWS CloudTrail | Security and Expiration Flashcards

1
Q

Does CloudTrail support resource level permissions?

Security and Expiration

AWS CloudTrail | Management Tools

A

Yes. Using resource level permissions, you can write granular access control policies to allow or deny access to specific users for a particular trail. For more details, go to CloudTrail documentation.

2
Q

How can I secure my CloudTrail log files?

A

By default, CloudTrail log files are encrypted using S3 Server Side Encryption (SSE) and placed into your S3 bucket. You can control access to log files by applying IAM or S3 bucket policies. You can add an additional layer of security by enabling S3 Multi Factor Authentication (MFA) Delete on your S3 bucket. For more details on creating and updating a trail, see the CloudTrail documentation.

3
Q

Where can I download a sample S3 bucket policy and an SNS topic policy?

A

You can download a sample S3 bucket policy and an SNS topic policy from the CloudTrail S3 bucket. You need to update the sample policies with your information before you apply them to your S3 bucket or SNS topic.

4
Q

How long can I store my activity log files?

A

You control the retention policies for your CloudTrail log files. By default, log files are stored indefinitely. You can use Amazon S3 object lifecycle management rules to define your own retention policy. For example, you may want to delete old log files or archive them to Amazon Glacier.

Event Payload, Timeliness and Delivery Frequency

5
Q

What information is available in an event?

A

An event contains information about the associated activity: who made the request, the services used, the actions performed, the parameters for the action, and the response elements returned by the AWS service. For more details, see the CloudTrail Event Reference section of the user guide.

6
Q

How long does it take CloudTrail to deliver an event for an API call?

A

Typically, CloudTrail delivers an event within 15 minutes of the API call.

7
Q

How often will CloudTrail deliver log files to my Amazon S3 bucket?

A

CloudTrail delivers log files to your S3 bucket approximately every 5 minutes. CloudTrail does not deliver log files if no API calls are made on your account.

8
Q

Can I be notified when new log files are delivered to my Amazon S3 bucket?

A

Yes. You can turn on Amazon SNS notifications so that you can take immediate action on delivery of new log files.
