CloudTrail, CloudWatch, and AWS Config Flashcards
What is CloudTrail?
Logs each API action and non-API action (e.g. logging into management console) against your AWS resources.
What is CloudWatch?
- Collects performance matrics
- Collects log files
- Provides alarms/notification/action
What is AWS Config?
AWS Config tracks how your AWS resources are configured and how they change over time.
What are event types in CloudTrail?
- Management Event (e.g. launch EC2)
- Data Event (e.g. S3, Lambda)
What is Event History in CloudTrail?
By default, CloudTrail logs 90 days of management events and stores them in a viewable, searchable, and downloadable database called the Event History.
Is CloudTrail Event History region specific?
Yes, CloudTrail creates a separate event history for each region containing only the activities that occurred in that region.
What are the use cases of Trails in CloudTrail?
- Keep more than 90 days of event history
- Customize the event types to log (e.g. including S3 downloads/uploads data events)
Where is Trail’s log file stored?
S3
What is the format of Trail’s log file?
JSON
What is number of Trails that you can create in a single region?
5
How to make sure CloudTrail logs are not hacked?
Enable Log File Integrity Validation.
Do all AWS resources automatically send metrics to CloudWatch?
Yes.
How does CloudWatch organize metrics?
By namespace (e.g. AWS/EC2). Custom namespace can be created for custom metrics.
How often does AWS resource send metrics to CloudWatch?
For basic monitoring, it’s 5 minutes.
For detailed monitoring, it’s every minute.
With basic monitoring, EC2 collects metrics every minute but sends only the five‐minute average to CloudWatch.
For example, between 13:00 and 13:05, an EC2 instance has the following CPUUtilization metric values measured in percent: 25, 50, 75, 80, and 10. The average CPUUtilization over the five‐minute interval is 48. Therefore, EC2 sends the CPUUtilization metric to CloudWatch with a timestamp of 13:00 and a value of 48.
What is regular-resolution metric?
The metrics generated by AWS services have a timestamp resolution of no less than one minute.
Custom metric supports high-resolution metric by calling CloudWatch API.
Can you delete metrics in CloudWatch?
No, metrics expire automatically, and when a metric expires depends on its resolution.
How does CloudWatch organize log files?
- Log Stream
- Log Group
CloudWatch Logs stores log events from the same source in a log stream.
CloudWatch organizes log streams into log groups.
What is CloudWatch metric?
CloudWatch metrics are numeric values extracted from CloudWatch log streams by metric filter. (e.g. counting the number of 404 errors from Apache logs)
Metric filters apply to entire log group.
What is CloudWatch agent?
CloudWatch agent is a command-line-based program that collects logs from EC2 instances or on-premise servers.
This agent can also collect metrics that are not natively produced by EC2, such as memory utilization. Metrics generated by agent are custom metrics stored under custom namespaces.
Why send CloudTrail logs to CloudWatch log stream?
Doing so allows you search and extract metrics from your trail logs.
What are the possible actions of a CloudWatch Alarm?
- Select an SNS topic
- Auto scaling actions
- EC2 actions
- System Manager actions
What are possible alarm states of a CloudWatch Alarm?
- ALARM
- OK
- INSUFFICIENT_DATA
What are Data Points to Alarm and Evaluation Periods?
Suppose you want to trigger an alarm if the data points to monitor cross the threshold for three out of five data points.
You would set the data point to 3 and the evaluation period to 5.
What is the difference between CloudWatch Alarm and EventBridge?
EventBridge (formerly known as CloudWatch Events) monitors for and takes an action either based on specific events or on a schedule.
EventBridge differs from CloudWatch Alarms in that EventBridge takes some action based on specific events, not metric values.
What are the components of EventBridge?
- Event Bus
- Rule
- Target
What are the major components of AWS Config?
- Configuration Recorder
- Configuration Items
- Configuration History
- Configuration Snapshots
- Rules (desired configuration settings)
What are the use cases of CloudTrail, CloudWatch, and AWS Config?
- CloudTrail keeps a detailed record of activities performed on your AWS account for security and auditing purpose.
- CloudWatch tracks performance metrics and can take some action in response to those metrics. It can also collect and consolidate logs, as well as extract metrics from them.
- AWS Config records resource configurations and relationships past, present and future. You can look back in time to see how a resource was configured at any point. AWS Config can also compare current resource configurations against rules to ensure that you’re in compliance with whatever baseline you define.
Does SNS use push or pull model?
Push.
How does SNS work?
- SNS has topics.
- Each topic has subscribers.
- Each subscriber has protocol and endpoint.
How does CloudWatch expire metrics?
- high resolution: 3 hours
- 1-minute resolution: 15 days
- 5-minute resolution: 63 days
- 1-hour resolution: 15 months
What is the size limit of CloudTrail logs to be sent to CloudWatch?
256 KB.
Can you delete old Configuration Items in AWS Config?
No, the Configuration Items will expire based on settings (7 years by default).
Can you delete old logs from Log Stream?
No, the old logs will expire based on retention policy on log group, or you can delete the entire log stream.
What is the typical delay before an event appears in CloudWatch log stream?
15 minutes.
