CloudTrail, CloudWatch, and AWS Config Flashcards
You’ve configured CloudTrail to log all management events in all regions. Which of the following API events will CloudTrail log? (Choose all that apply.)
A. Logging into the AWS console
B. Creating an S3 bucket from the web console
C. Uploading an object to an S3 bucket
D. Creating a subnet using the AWS CLI
B, D. Creating a bucket and subnet are API actions, regardless of whether they’re performed from the web console or AWS CLI. Uploading an object to an S3 bucket is a data event, not a management event. Logging into the AWS console is a non‐API management event.
You’ve configured CloudTrail to log all read‐only data events. Which of the following events will CloudTrail log?
A. Viewing all S3 buckets
B. Uploading a file to an S3 bucket
C. Downloading a file from an S3 bucket
D. Creating a Lambda function
C. Data events include S3 object‐level activity and Lambda function executions. Downloading an object from S3 is a read‐only event. Uploading a file to an S3 bucket is a write‐only event and hence would not be logged by the trail. Viewing an S3 bucket and creating a Lambda function are management events, not data events.
Sixty days ago, you created a trail in CloudTrail to log read‐only management events. Subsequently someone deleted the trail. Where can you look to find out who deleted it? No other trails are configured.
A. The IAM user log
B. The trail logs stored in S3
C. The CloudTrail event history in the region where the trail was configured
D. The CloudTrail event history in any region
C. CloudTrail stores 90 days of event history for each region, regardless of whether a trail is configured. Event history is specific to the events occurring in that region. Because the trail was configured to log read‐only management events, the trail logs would not contain a record of the trail’s deletion. They might contain a record of who viewed the trail, but that would be insufficient to establish who deleted it. There is no such thing as an IAM user log.
What uniquely distinguishes two CloudWatch metrics that have the same name and are in the same namespace?
A. The region
B. The dimension
C. The timestamp
D. The data point
B. CloudWatch uses dimensions to uniquely identify metrics with the same name and namespace. Metrics in the same namespace will necessarily be in the same region. The data point of a metric and the timestamp that it contains are not unique and can’t be used to uniquely identify a metric.
Which type of monitoring sends metrics to CloudWatch every five minutes?
A. Regular
B. Detailed
C. Basic
D. High resolution
C. Basic monitoring sends metrics every five minutes, whereas detailed monitoring sends them every minute. CloudWatch can store metrics at regular or high resolution, but this affects how the metric is timestamped, rather than the frequency with which it’s delivered to CloudWatch.
You update a custom CloudWatch metric with the timestamp of 15:57:08 and a value of 3. You then update the same metric with the timestamp of 15:57:37 and a value of 6. Assuming the metric is a high‐resolution metric, which of the following will CloudWatch do?
A. Record both values with the given timestamp.
B. Record the second value with the timestamp 15:57:37, overwriting the first value.
C. Record only the first value with the timestamp 15:57:08, ignoring the second value.
D. Record only the second value with the timestamp 15:57:00, overwriting the first value.
A. CloudWatch can store high‐resolution metrics at subminute resolution. Therefore, updating a metric at 15:57:08 and again at 15:57:37 will result in CloudWatch storing two separate data points. Only if the metric were regular resolution would CloudWatch overwrite an earlier data point with a later one. Under no circumstances would CloudWatch ignore a metric update.
How long does CloudWatch retain metrics stored at one‐hour resolution?
A. 15 days
B. 3 hours
C. 63 days
D. 15 months
D. Metrics stored at one‐hour resolution age out after 15 months. Five‐minute resolutions are stored for 63 days. One‐minute resolution metrics are stored for 15 days. High‐resolution metrics are kept for 3 hours.
You want to use CloudWatch to graph the exact data points of a metric for the last hour. The metric is stored at five‐minute resolution. Which statistic and period should you use?
A. The Sum statistic with a five‐minute period
B. The Average statistic with a one‐hour period
C. The Sum statistic with a one‐hour period
D. The Sample count statistic with a five‐minute period
A. To graph a metric’s data points, specify the Sum statistic and set the period equal to the metric’s resolution, which in this case is five minutes. Graphing the Sum or Average statistic over a one‐hour period will not graph the metric’s data points but rather the Sum or Average of those data points over a one‐hour period. Using the Sample count statistic over a five‐minute period will yield a value of 1 for each period, since there’s only one data point per period.
Which CloudWatch resource type stores log events?
A. Log group
B. Log stream
C. Metric filter
D. CloudWatch Agent
B. CloudWatch uses a log stream to store log events from a single source. Log groups store and organize log streams but do not directly store log events. A metric filter extracts metrics from logs but doesn’t store anything. The CloudWatch agent can deliver logs to CloudWatch from a server but doesn’t store logs.
The CloudWatch Agent on an instance has been sending application logs to a CloudWatch log stream for several months. How can you remove old log events without disrupting delivery of new log events? (Choose all that apply.)
A. Delete the log stream.
B. Manually delete old log events.
C. Set the retention of the log stream to 30 days.
D. Set the retention of the log group to 30 days.
A, D. Every log stream must be in a log group. The retention period setting of a log group controls how long CloudWatch retains log events within those streams. You can’t manually delete log events individually, but you can delete all events in a log stream by deleting the stream. You can’t set a retention period on a log stream directly.
You created a trail to log all management events in all regions and send the trail logs to CloudWatch Logs. You notice that some recent management events are missing from the log stream, but others are there. What are some possible reasons for this? (Choose all that apply.)
A. The missing events are greater than 256 KB in size.
B. The metric filter is misconfigured.
C. There’s a delay between the time the event occurs and the time CloudTrail streams the event to CloudWatch.
D. The IAM role that CloudTrail assumes is misconfigured.
A, C. CloudTrail will not stream events greater than 256 KB in size. There’s also a normal delay, typically up to 15 minutes, before an event appears in a CloudWatch log stream. Metric filters have no bearing on what log events get put into a log stream. Although a misconfigured or missing IAM role would prevent CloudTrail from streaming logs to CloudWatch, the question indicates that some events are present. Hence, the IAM role is correctly configured.
Two days ago, you created a CloudWatch alarm to monitor the VolumeReadOps on an EBS volume. Since then, the alarm has remained in an INSUFFICIENT_DATA state. What are some possible reasons for this? (Choose all that apply.)
A. The data points to monitor haven’t crossed the specified threshold.
B. The EBS volume isn’t attached to a running instance.
C. The evaluation period hasn’t elapsed.
D. The alarm hasn’t collected enough data points to alarm.
B, D. If an EBS volume isn’t attached to a running instance, EBS won’t generate any metrics to send to CloudWatch. Hence, the alarm won’t be able to collect enough data points to alarm. The evaluation period can be no more than 24 hours, and the alarm was created two days ago, so the evaluation period has elapsed. The data points to monitor don’t have to cross the threshold for CloudWatch to determine the alarm state.
You want a CloudWatch alarm to change state when four consecutive evaluation periods elapse with no data. How should you configure the alarm to treat missing data?
A. As Missing
B. Breaching
C. Not Breaching
D. Ignore
E. As Not Missing
B. To have CloudWatch treat missing data as exceeding the threshold, set the Treat Missing Data As option to Breaching. Setting it to Not Breaching will have the opposite effect. Setting it to As Missing will cause CloudWatch to ignore the missing data and behave as if those evaluation periods didn’t occur. The Ignore option causes the alarm not to change state in response to missing data. There’s no option to treat missing data as Not Missing.
You’ve configured an alarm to monitor a metric in the AWS/EC2 namespace. You want CloudWatch to send you a text message and reboot an instance when an alarm is breaching. Which two actions should you configure in the alarm? (Choose two.)
A. SMS action
B. Auto Scaling action
C. Notification action
D. EC2 action
C, D. CloudWatch can use the Simple Notification Service to send a text message. CloudWatch refers to this as a Notification action. To reboot an instance, you must use an EC2 action. The Auto Scaling action will not reboot an instance. SMS is not a valid CloudWatch alarm action.
In a CloudWatch alarm, what does the EC2 recover action do to the monitored instance?
A. Migrates the instance to a different host
B. Reboots the instance
C. Deletes the instance and creates a new one
D. Restores the instance from a snapshot
A. The recover action is useful when there’s a problem with an instance that requires AWS involvement to repair, such as a hardware failure. The recover action migrates the same instance to a new host. Rebooting an instance assumes the instance is running and entails the instance remaining on the same host. Recovering an instance does not involve restoring any data from a snapshot, as the instance retains the same EBS volume(s).