AWS Monitoring and Audit Flashcards

1
Q

What is AWS Config?

A

AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.

2
Q

What are the features of AWS Config?

A

It helps with auditing and recording the compliance of your AWS resources, and it records configurations and the changes made to them over time.
- It can help check whether any security group allows unrestricted SSH access, whether any bucket has public access, or how an ALB configuration changed over time.
- You can also receive alerts (SNS notifications) for any changes.
- AWS Config is a per-region service, but its data can be aggregated across regions and accounts.
- The configuration data can be stored in S3.

3
Q

What are AWS Config rules?

A

You can use AWS-managed Config rules (there are 75 of those), or you can create custom rules using Lambda functions. For example:
- evaluate whether each EBS disk is of type G2
- evaluate whether each EC2 instance is a t2.micro

Each rule can be evaluated or triggered on each configuration change and/or at regular intervals.

AWS Config rules do not prevent actions from happening (there is no deny).

4
Q

How do you send notifications for non-compliant Config rules?

A

Use either of the following methods to be notified when AWS resources are not compliant:
1. EventBridge: the compliance change is delivered as an event to EventBridge, which in turn can call a Lambda function, SNS, or SQS
2. Send a notification directly to SNS

5
Q

How do logs get from EC2 instances to CloudWatch?

A

You need to install the CloudWatch Logs agent on the EC2 instances to push the log files to CloudWatch.

6
Q

What’s the difference between the CloudWatch Logs agent and the unified agent?

A

The CloudWatch Logs agent is the older version. It only sends logs to CloudWatch, whereas the unified agent also collects system information such as RAM, CPU, processes, etc.

7
Q

What are CloudWatch Composite Alarms?

A

Composite alarms determine their state by monitoring the states of other alarms. You can use composite alarms to reduce alarm noise. For example, you can create a composite alarm whose underlying metric alarms go into ALARM when they meet specific conditions. You can then configure the underlying metric alarms never to take action themselves, and have only the composite alarm go into ALARM and send notifications when the underlying alarms do.

8
Q

What is EventBridge?

A

EventBridge is a serverless service that uses events to connect application components together, making it easier for you to build scalable event-driven applications. Use it to route events from sources such as home-grown applications, AWS services, and third-party software to consumer applications across your organization.

For example, on EC2 the Start, Stop, and Terminate actions each generate an event, and EventBridge can then call a Lambda function or send a message to SNS.

9
Q

What is the difference between CloudWatch and CloudTrail?

A

CloudWatch: “What is happening on AWS?” It logs all the events for a particular service or application.

CloudTrail: “Who did what on AWS?” It records the API calls made within your account by everyone, to any service or resource. You can define trails for specific resources. It is a global service.

Config: records the configuration changes, evaluates resources against compliance rules, and gives you timelines of changes and compliance.

10
Q

What events can CloudTrail capture?

A

Data events: These events provide visibility into the resource operations performed on or within a resource. These are also known as data plane operations.

Management events: Management events provide visibility into management operations that are performed on resources in your AWS account. These are also known as control plane operations. Management events can also include non-API events that occur in your account. For example, when a user logs in to your account, CloudTrail logs the ConsoleLogin event. For more information, see Non-API events captured by CloudTrail.

Insights events: Insights events capture unusual activity that is detected in your account. If you have Insights events enabled and CloudTrail detects unusual activity, Insights events are logged to the destination S3 bucket for your trail but in a different folder. You can also see the type of Insights event and the incident time period when you view Insights events in the CloudTrail console. Unlike other types of events captured in a CloudTrail trail, Insights events are logged only when CloudTrail detects changes in your account’s API usage that differ significantly from the account’s typical usage patterns.

11
Q

How can CloudTrail logs be viewed, depending on how much time has elapsed?

A

You can view logs in the CloudTrail console for up to 90 days. After that, the logs can be viewed by querying S3 with Athena.

12
Q

What is a CloudWatch Metric Stream?

A

You can use metric streams to continually stream CloudWatch metrics to a destination of your choice, with near-real-time delivery and low latency.

13
Q

How can we use CloudWatch Contributor Insights?

A

You can use Contributor Insights to analyze log data and create time series that display contributor data. You can see metrics about the top-N contributors, the total number of unique contributors, and their usage. This helps you find top talkers and understand who or what is impacting system performance.

14
Q

A company has a serverless application running on AWS which uses EventBridge as the communication channel between the different services within the application. There is a requirement to use the events from the prod environment in the dev environment to run some tests. The tests will be run every 6 months, so the events need to be stored and used later on. What is the most efficient and cost-effective way to store EventBridge events and use them later?

A

In EventBridge, you can create an archive of events so that you can easily replay them at a later time. For example, you might want to replay events to recover from errors or to validate new functionality in your application.

15
Q

How can KMS key usage be tracked?

A

It can be tracked through CloudTrail.
