CloudTrail, CloudWatch, and AWS Config

Question 1

What is CloudTrail?

Answer 1

Logs each API action and non-API action (e.g. logging into management console) against your AWS resources.

Question 2

What is CloudWatch?

Answer 2

• Collects performance matrics
• Collects log files
• Provides alarms/notification/action

Question 3

What is AWS Config?

Answer 3

AWS Config tracks how your AWS resources are configured and how they change over time.

Question 4

What are event types in CloudTrail?

Answer 4

• Management Event (e.g. launch EC2)

- Data Event (e.g. S3, Lambda)

Question 5

What is Event History in CloudTrail?

Answer 5

By default, CloudTrail logs 90 days of management events and stores them in a viewable, searchable, and downloadable database called the Event History.

Question 6

Is CloudTrail Event History region specific?

Answer 6

Yes, CloudTrail creates a separate event history for each region containing only the activities that occurred in that region.

Question 7

What are the use cases of Trails in CloudTrail?

Answer 7

• Keep more than 90 days of event history

- Customize the event types to log (e.g. including S3 downloads/uploads data events)

Question 8

Where is Trail’s log file stored?

Answer 8

S3

Question 9

What is the format of Trail’s log file?

Answer 9

JSON

Question 10

What is number of Trails that you can create in a single region?

Answer 10

5

Question 11

How to make sure CloudTrail logs are not hacked?

Answer 11

Enable Log File Integrity Validation.

Question 12

Do all AWS resources automatically send metrics to CloudWatch?

Answer 12

Yes.

Question 13

How does CloudWatch organize metrics?

Answer 13

By namespace (e.g. AWS/EC2). Custom namespace can be created for custom metrics.

Question 14

How often does AWS resource send metrics to CloudWatch?

Answer 14

For basic monitoring, it’s 5 minutes.
For detailed monitoring, it’s every minute.

With basic monitoring, EC2 collects metrics every minute but sends only the five‐minute average to CloudWatch.

For example, between 13:00 and 13:05, an EC2 instance has the following CPUUtilization metric values measured in percent: 25, 50, 75, 80, and 10. The average CPUUtilization over the five‐minute interval is 48. Therefore, EC2 sends the CPUUtilization metric to CloudWatch with a timestamp of 13:00 and a value of 48.

Question 15

What is regular-resolution metric?

Answer 15

The metrics generated by AWS services have a timestamp resolution of no less than one minute.

Custom metric supports high-resolution metric by calling CloudWatch API.

Question 16

Can you delete metrics in CloudWatch?

Answer 16

No, metrics expire automatically, and when a metric expires depends on its resolution.

Question 17

How does CloudWatch organize log files?

Answer 17

• Log Stream
• Log Group

CloudWatch Logs stores log events from the same source in a log stream.

CloudWatch organizes log streams into log groups.

Question 18

What is CloudWatch metric?

Answer 18

CloudWatch metrics are numeric values extracted from CloudWatch log streams by metric filter. (e.g. counting the number of 404 errors from Apache logs)

Metric filters apply to entire log group.

Question 19

What is CloudWatch agent?

Answer 19

CloudWatch agent is a command-line-based program that collects logs from EC2 instances or on-premise servers.

This agent can also collect metrics that are not natively produced by EC2, such as memory utilization. Metrics generated by agent are custom metrics stored under custom namespaces.

Question 20

Why send CloudTrail logs to CloudWatch log stream?

Answer 20

Doing so allows you search and extract metrics from your trail logs.

Question 21

What are the possible actions of a CloudWatch Alarm?

Answer 21

• Select an SNS topic
• Auto scaling actions
• EC2 actions
• System Manager actions

Question 22

What are possible alarm states of a CloudWatch Alarm?

Answer 22

• ALARM
• OK
• INSUFFICIENT_DATA

Question 23

What are Data Points to Alarm and Evaluation Periods?

Answer 23

Suppose you want to trigger an alarm if the data points to monitor cross the threshold for three out of five data points.

You would set the data point to 3 and the evaluation period to 5.

Question 24

What is the difference between CloudWatch Alarm and EventBridge?

Answer 24

EventBridge (formerly known as CloudWatch Events) monitors for and takes an action either based on specific events or on a schedule.

EventBridge differs from CloudWatch Alarms in that EventBridge takes some action based on specific events, not metric values.

Question 25

What are the components of EventBridge?

Answer 25

• Event Bus
• Rule
• Target

Question 26

What are the major components of AWS Config?

Answer 26

• Configuration Recorder
• Configuration Items
• Configuration History
• Configuration Snapshots
• Rules (desired configuration settings)

Question 27

What are the use cases of CloudTrail, CloudWatch, and AWS Config?

Answer 27

• CloudTrail keeps a detailed record of activities performed on your AWS account for security and auditing purpose.
• CloudWatch tracks performance metrics and can take some action in response to those metrics. It can also collect and consolidate logs, as well as extract metrics from them.
• AWS Config records resource configurations and relationships past, present and future. You can look back in time to see how a resource was configured at any point. AWS Config can also compare current resource configurations against rules to ensure that you’re in compliance with whatever baseline you define.

Question 28

Does SNS use push or pull model?

Answer 28

Push.

Question 29

How does SNS work?

Answer 29

• SNS has topics.
• Each topic has subscribers.
• Each subscriber has protocol and endpoint.

Question 30

How does CloudWatch expire metrics?

Answer 30

• high resolution: 3 hours
• 1-minute resolution: 15 days
• 5-minute resolution: 63 days
• 1-hour resolution: 15 months

Question 31

What is the size limit of CloudTrail logs to be sent to CloudWatch?

Answer 31

256 KB.

Question 32

Can you delete old Configuration Items in AWS Config?

Answer 32

No, the Configuration Items will expire based on settings (7 years by default).

Question 33

Can you delete old logs from Log Stream?

Answer 33

No, the old logs will expire based on retention policy on log group, or you can delete the entire log stream.

Question 34

What is the typical delay before an event appears in CloudWatch log stream?

Answer 34

15 minutes.