CloudTrail

Question 1

CloudTrail

How do you turn on CloudTrail?

Answer 1

On (enabled) by default, except for CloudFront and other global things

Question 2

CloudTrail

How long stored?

Answer 2

Last 90 days for free

Question 3

CloudTrail

Where are CloudTrail things stored?

Answer 3

In CloudTrail

Question 4

CloudTrail

What if you want more than the CloudTrail limit on past events?

Answer 4

Create a Trail

Question 5

CloudTrail

Attributes of a Trail you create?

Answer 5

S3 bucket to store events in, keys to encrypt, target CloudWatch Log Group

Question 6

CloudTrail

Three types of events captured in CloudTrail?

Answer 6

Management Events (control plane), Data Events (data plane), Insight Events

Question 7

CloudTrail

What is captured by default?

Answer 7

Management Events. Data Events are not 100% captured; have to turn on separately

Question 8

CloudTrail

What about global services like CloudFront?

Answer 8

Off by default, can be turned on for any Trail, always log to us-east-1

Question 9

CloudTrail

Two types of Trails you can create?

Answer 9

One Region trail, All Regions trail

Question 10

CloudTrail

How does a One Region Trail work?

Answer 10

Everything lives in a single region

Question 11

CloudTrail

How does an All Regions Trail work?

Answer 11

Collects data in every region, but managed as a single Trail

Question 12

CloudTrail

Major product for aggregating CloudTrail across accounts?

Answer 12

Organizations: set up a Trail in management account to aggregate across all OU accounts.

Question 13

CloudTrail

Is CloudTrail real-time?

Answer 13

No, has around 15 minute delay

Question 14

CloudTrail

Cost structure of CloudTrail?

Answer 14

Default trail of 90 days and copy to S3 is free. Data Events and additional Trails have a cost.

Question 15

CloudTrail

Are Security Group changes logged by default?

Answer 15

Yes

Question 16

CloudTrail

Are Lambda invocations logged by default?

Answer 16

No

Question 17

CloudTrail

Are Role Assumptions logged by default?

Answer 17

Yes

Question 18

CloudTrail

Are Account logins logged by default?

Answer 18

Yes

Question 19

Log File Integrity

What is Log File Integrity?

Answer 19

Can verify if a trail file has been tampered with

Question 20

Log File Integrity

How does Log File Integrity work?

important

Answer 20

Writes a digest (manifest) file every hour with details on each trail file

Question 21

Log File Integrity

Where can you find the digest files?

important

Answer 21

Same S3 bucket, but different folder

so you can control access separately

Question 22

Log File Integrity

Can Log File Integrity determine if a trail file is missing?

important

Answer 22

Yes: look in the digest

Question 23

Log File Integrity

What’s inside a digest file?

Answer 23

Hash of every trail file

Question 24

Log File Integrity

How can you trust the digest files?

Answer 24

Each has signature of previous digest; signed by CloudTrail private key

Question 25

Log File Integrity

How can you tell if a digest file was deleted?

important

Answer 25

Signature in next digest file doesn’t match previous digest file