Logging and Monitoring

Question 1

What does Cloudtrail not log?

Answer 1

API calls only, NOT SSH/RDP into instances etc.(Use VPC flowlogs to capture network IP traffic)

Question 2

What does cloudTrail log?

Answer 2

metadata, identity of requester, time, source IP, request parameters and response from the service

Question 3

How often are event logs delivered to S3?

Answer 3

every 5 minutes, with a delay of up to 15 min from the time a request was made

Question 4

What is the thing about Cloudtrail?

Answer 4

enabled by default on all accounts for 90 days, but put in an AWS-owned S3 bucket NOT yours

Question 5

How can management events be enabled?

Answer 5

For read-only (DescribeInstance) or Write-only (CreateBucket) or all

Question 6

What are data events ?

Answer 6

for S3 object-level activity like GetObject and PutObject — can get expensive!

Question 7

What does Cloudtrail do every hour?

Answer 7

puts a digest file in S3 which has hashes that can be used to validate integrity of log files

Question 8

How to give auditors access to Cloudtrail?

Answer 8

Auditors can be given access to Cloudtrail by creating a user for them with IAM CloudtrailReadOnly policy

Question 9

How can Cloudtrail log files be protected?

Answer 9

1) IAM
2) bucket policy
3) MFA delete + set up log file validation

Question 10

How often is CloudWatch detailed monitoring?

Answer 10

Cloudwatch detailed monitoring is every 1 min refresh, standard is every 5 min

Question 11

Cloudwatch Events can ingest events from?

Answer 11

1) Cloudtrail
2) resource state change (Instance stopped)
3) scheduled events (cron)
4) custom events, can have Rules to match on events, and Targets (eg: Lambda)

Question 12

What does putMetricData API do?

Answer 12

publishes metric data points to Amazon CloudWatch that allows you to monitor your applications better.

Question 13

How to setup alert if a root user logs in:

Answer 13

• Set up a Cloudtrail trail to send logs to Cloudwatch Log group
• In Cloudwatch Logs, select the log group and create Metric Filter with filter pattern matching “userIdentity.type = Root” and other conditions like eventType != ServiceEvent (root user does a thing, it’s not AWS doing things)
• On the Filter, create an Alarm - when >=1 occurrence, send notification to email/SNS topic

Question 14

What is VPC Flow Logs?

Answer 14

a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Take note that it only captures the metadata of the traffic and not the actual IP packet data itself. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.

Question 15

Where can you create a VPC flow log?

Answer 15

You can create a flow log for a VPC, a subnet, or a network interface. If you create a flow log for a subnet or VPC, each network interface in that subnet or VPC is monitored.

Question 16

What are flow log records?

Answer 16

Flow log data for a monitored network interface is recorded as flow log records, which are log events consisting of fields that describe the traffic flow.

Question 17

Where do VPC flow logs get stored?

Answer 17

Cloudwatch logs

Question 18

Where can VPC flow logs be enabeld?

Answer 18

VPC flow logs can be enabled at entire VPC level, subnet level or ENI level

Question 19

What do VPC flow logs not monitor?

Answer 19

1) traffic generated by EC2 contacting Amazon DNS
2) Windows license activation traffic
3) instance metadata traffic to 169.254.169.254
4) DHCP traffic
5) VPC router reserved IP traffic

Question 20

What does AWS Config provide?

Answer 20

1) resource inventory
2) configuration history eg: what was my SG 2 weeks ago 3) configuration change notifications

Question 21

What happens when something triggers in AWS Config?

Answer 21

When something changes, it triggers a Config Event saved in your S3, triggers a Rule which can send notifications

Question 22

What’s the thing about AWS Config?

Answer 22

Config has to be explicitly turned on per region

Question 23

What is config timeline?

Answer 23

Config Timeline is a cool feature- can click on any resource and get history of all changes made to it

Question 24

What roles does AWS Config need?

Answer 24

Config needs an IAM role that has read permission for all resources, access to S3 and publish access to SNS

Question 25

Do CloudHSM and KSM both support symmetric and assymmetric?

Answer 25

Yes

Question 26

How can you have a custom key store for KMS keys?

Answer 26

Use CloudHSM/

Question 27

When will CloudHSM erase itself?

Answer 27

If CloudHSM detects 5 failed attempts to access partitions as a Crypto Officer (CO) role, it will erase itself.
5 failed attempts by a Crypto User (CU) will lock the user and Officer has to unlock them

Question 28

What can Crypto-officer in CloudHSm do?

Answer 28

CO can perform user management operations (create and delete users, change user passwords).

Question 29

What can Crypto-user in CloudHSM do?

Answer 29

perform key management (create, delete, share, import, and export cryptographic keys) and cryptographic operations(encryption, decryption, signing, verifying, and more).

Question 29

What does AWS Inspector classic do?

Answer 29

assesses applications for security vulnerabilities and gives list of findings. Trusted Advisor does it for resources

Question 30

What does AWS Inspector need?

Answer 30

IAM role with read-only access to EC2, and an agent to be deployed on EC2

Question 31

What does Inspector classic need at least?

Answer 31

1 tag on EC2 instance to identify target

Question 32

What are some of the AWS INspector templates?

Answer 32

CIS OS Benchmark, Common Vulnerabilities, Network Reachability Assessments etc. Pick a template and remember to “Run” it for 1hr or more. Can download report that lists all checks it did and pass/fail