CloudTrail, CloudWatch, and AWS Config Flashcards

1
Q

You’ve configured CloudTrail to log all management events in all regions. Which of the following API events will CloudTrail log? (Choose all that apply.)
Logging into the AWS console
Creating an S3 bucket from the web console
Uploading an object to an S3 bucket
Creating a subnet using the AWS CLI

A

B, D. Creating a bucket and subnet are API actions, regardless of whether they’re performed from the web console or AWS CLI. Uploading an object to an S3 bucket is a data event, not a management event. Logging into the AWS console is a non‐API management event.

2
Q

You’ve configured CloudTrail to log all read‐only data events. Which of the following events will CloudTrail log?
Viewing all S3 buckets
Uploading a file to an S3 bucket
Downloading a file from an S3 bucket
Creating a Lambda function

A

C. Data events include S3 object‐level activity and Lambda function executions. Downloading an object from S3 is a read‐only event. Uploading a file to an S3 bucket is a write‐only event and hence would not be logged by the trail. Viewing an S3 bucket and creating a Lambda function are management events, not data events.

3
Q

Sixty days ago, you created a trail in CloudTrail to log read‐only management events. Subsequently someone deleted the trail. Where can you look to find out who deleted it? No other trails are configured.
The IAM user log
The trail logs stored in S3
The CloudTrail event history in the region where the trail was configured
The CloudTrail event history in any region

A

C. CloudTrail stores 90 days of event history for each region, regardless of whether a trail is configured. Event history is specific to the events occurring in that region. Because the trail was configured to log read‐only management events, the trail logs would not contain a record of the trail’s deletion. They might contain a record of who viewed the trail, but that would be insufficient to establish who deleted it. There is no such thing as an IAM user log.

4
Q

What uniquely distinguishes two CloudWatch metrics that have the same name and are in the same namespace?
The region
The dimension
The timestamp
The data point

A

B. CloudWatch uses dimensions to uniquely identify metrics with the same name and namespace. Metrics in the same namespace will necessarily be in the same region. The data point of a metric and the timestamp that it contains are not unique and can’t be used to uniquely identify a metric.

5
Q

Which type of monitoring sends metrics to CloudWatch every five minutes?
Regular
Detailed
Basic
High resolution

A

C. Basic monitoring sends metrics every five minutes, whereas detailed monitoring sends them every minute. CloudWatch can store metrics at regular or high resolution, but this affects how the metric is timestamped, rather than the frequency with which it’s delivered to CloudWatch.

6
Q

You update a custom CloudWatch metric with the timestamp of 15:57:08 and a value of 3. You then update the same metric with the timestamp of 15:57:37 and a value of 6. Assuming the metric is a high‐resolution metric, which of the following will CloudWatch do?
Record both values with the given timestamp.
Record the second value with the timestamp 15:57:37, overwriting the first value.
Record only the first value with the timestamp 15:57:08, ignoring the second value.
Record only the second value with the timestamp 15:57:00, overwriting the first value.

A

A. CloudWatch can store high‐resolution metrics at subminute resolution. Therefore, updating a metric at 15:57:08 and again at 15:57:37 will result in CloudWatch storing two separate data points. Only if the metric were regular resolution would CloudWatch overwrite an earlier data point with a later one. Under no circumstances would CloudWatch ignore a metric update.

7
Q

How long does CloudWatch retain metrics stored at one‐hour resolution?
15 days
3 hours
63 days
15 months

A

D. Metrics stored at one‐hour resolution age out after 15 months. Five‐minute resolutions are stored for 63 days. One‐minute resolution metrics are stored for 15 days. High‐resolution metrics are kept for 3 hours.

8
Q

You want to use CloudWatch to graph the exact data points of a metric for the last hour. The metric is stored at five‐minute resolution. Which statistic and period should you use?
The Sum statistic with a five‐minute period
The Average statistic with a one‐hour period
The Sum statistic with a one‐hour period
The Sample count statistic with a five‐minute period

A

A. To graph a metric’s data points, specify the Sum statistic and set the period equal to the metric’s resolution, which in this case is five minutes. Graphing the Sum or Average statistic over a one‐hour period will not graph the metric’s data points but rather the Sum or Average of those data points over a one‐hour period. Using the Sample count statistic over a five‐minute period will yield a value of 1 for each period, since there’s only one data point per period.

9
Q

Which CloudWatch resource type stores log events?
Log group
Log stream
Metric filter
CloudWatch Agent

A

B. CloudWatch uses a log stream to store log events from a single source. Log groups store and organize log streams but do not directly store log events. A metric filter extracts metrics from logs but doesn’t store anything. The CloudWatch agent can deliver logs to CloudWatch from a server but doesn’t store logs.

10
Q

The CloudWatch Agent on an instance has been sending application logs to a CloudWatch log stream for several months. How can you remove old log events without disrupting delivery of new log events? (Choose all that apply.)
Delete the log stream.
Manually delete old log events.
Set the retention of the log stream to 30 days.
Set the retention of the log group to 30 days.

A

A, D. Every log stream must be in a log group. The retention period setting of a log group controls how long CloudWatch retains log events within those streams. You can’t manually delete log events individually, but you can delete all events in a log stream by deleting the stream. You can’t set a retention period on a log stream directly.

11
Q

You created a trail to log all management events in all regions and send the trail logs to CloudWatch Logs. You notice that some recent management events are missing from the log stream, but others are there. What are some possible reasons for this? (Choose all that apply.)
The missing events are greater than 256 KB in size.
The metric filter is misconfigured.
There’s a delay between the time the event occurs and the time CloudTrail streams the event to CloudWatch.
The IAM role that CloudTrail assumes is misconfigured.

A

A, C. CloudTrail will not stream events greater than 256 KB in size. There’s also a normal delay, typically up to 15 minutes, before an event appears in a CloudWatch log stream. Metric filters have no bearing on what log events get put into a log stream. Although a misconfigured or missing IAM role would prevent CloudTrail from streaming logs to CloudWatch, the question indicates that some events are present. Hence, the IAM role is correctly configured.

12
Q

Two days ago, you created a CloudWatch alarm to monitor the VolumeReadOps on an EBS volume. Since then, the alarm has remained in an INSUFFICIENT_DATA state. What are some possible reasons for this? (Choose all that apply.)
The data points to monitor haven’t crossed the specified threshold.
The EBS volume isn’t attached to a running instance.
The evaluation period hasn’t elapsed.
The alarm hasn’t collected enough data points to alarm.

A

B, D. If an EBS volume isn’t attached to a running instance, EBS won’t generate any metrics to send to CloudWatch. Hence, the alarm won’t be able to collect enough data points to alarm. The evaluation period can be no more than 24 hours, and the alarm was created two days ago, so the evaluation period has elapsed. The data points to monitor don’t have to cross the threshold for CloudWatch to determine the alarm state.

13
Q

You want a CloudWatch alarm to change state when four consecutive evaluation periods elapse with no data. How should you configure the alarm to treat missing data?
As Missing
Breaching
Not Breaching
Ignore
As Not Missing

A

B. To have CloudWatch treat missing data as exceeding the threshold, set the Treat Missing Data As option to Breaching. Setting it to Not Breaching will have the opposite effect. Setting it to As Missing will cause CloudWatch to ignore the missing data and behave as if those evaluation periods didn’t occur. The Ignore option causes the alarm not to change state in response to missing data. There’s no option to treat missing data as Not Missing.

14
Q

You’ve configured an alarm to monitor a metric in the AWS/EC2 namespace. You want CloudWatch to send you a text message and reboot an instance when an alarm is breaching. Which two actions should you configure in the alarm? (Choose two.)
SMS action
Auto Scaling action
Notification action
EC2 action

A

C, D. CloudWatch can use the Simple Notification Service to send a text message. CloudWatch refers to this as a Notification action. To reboot an instance, you must use an EC2 action. The Auto Scaling action will not reboot an instance. SMS is not a valid CloudWatch alarm action.

15
Q

In a CloudWatch alarm, what does the EC2 recover action do to the monitored instance?
Migrates the instance to a different host
Reboots the instance
Deletes the instance and creates a new one
Restores the instance from a snapshot

A

A. The recover action is useful when there’s a problem with an instance that requires AWS involvement to repair, such as a hardware failure. The recover action migrates the same instance to a new host. Rebooting an instance assumes the instance is running and entails the instance remaining on the same host. Recovering an instance does not involve restoring any data from a snapshot, as the instance retains the same EBS volume(s).

16
Q

You learn that an instance in the us‐west‐1 region was deleted at some point in the past. To find out who deleted the instance and when, which of the following must be true?
The AWS Config configuration recorder must have been turned on in the region at the time the instance was deleted.
CloudTrail must have been logging write‐only management events for all regions.
CloudTrail must have been logging IAM events.
The CloudWatch log stream containing the deletion event must not have been deleted.

A

B. If CloudTrail were logging write‐only management events in the same region as the instance, it would have generated trail logs containing the deletion event. Deleting a log stream containing CloudTrail events does not delete those events from the trail logs stored in S3. Deleting an EC2 instance is not an IAM event. If AWS Config were tracking changes to EC2 instances in the region, it would have recorded a timestamped configuration item for the deletion, but it would not include the principal that deleted the instance.

17
Q

Which of the following may be included in an AWS Config delivery channel? (Choose all that apply.)
A CloudWatch log stream
The delivery frequency of the configuration snapshot
An S3 bucket name
An SNS topic ARN

A

B, C, D. The delivery channel must include an S3 bucket name and may specify an SNS topic and the delivery frequency of configuration snapshots. You can’t specify a CloudWatch log stream.

18
Q

You configured AWS Config to monitor all your resources in the us‐east‐1 region. After making several changes to the AWS resources in this region, you decided you want to delete the old configuration items. How can you accomplish this?
Pause the configuration recorder.
Delete the configuration recorder.
Delete the configuration snapshots.
Set the retention period to 30 days and wait for the configuration items to age out.

A

D. You can’t delete configuration items manually, but you can have AWS Config delete them after no less than 30 days. Pausing or deleting the configuration recorder will stop AWS Config from recording new changes but will not delete configuration items. Deleting configuration snapshots, which are objects stored in S3, will not delete the configuration items.

19
Q

Which of the following metric math expressions can CloudWatch graph? (Choose all that apply.)
AVG(m1)-m1
AVG(m1)
METRICS()/AVG(m1)
m1/m2

A

C, D. CloudWatch can graph only a time series. METRICS()/AVG(m1) and m1/m2 both return a time series. AVG(m1)-m1 and AVG(m1) return scalar values and can’t be graphed directly.

20
Q

You’ve configured an AWS Config rule to check whether CloudTrail is enabled. What could prevent AWS Config from evaluating this rule?
Turning off the configuration recorder
Deleting the rule
Deleting the configuration history for CloudTrail
Failing to specify a frequency for periodic checks

A

B. Deleting the rule will prevent AWS Config from evaluating resource configurations against it. Turning off the configuration recorder won’t prevent AWS Config from evaluating the rule. It’s not possible to delete the configuration history for a resource from AWS Config. When you specify a frequency for periodic checks, you must specify a valid frequency, or else AWS Config will not accept the configuration.

21
Q

Which of the following would you use to execute a Lambda function whenever an EC2 instance is launched?
CloudWatch Alarms
EventBridge
CloudTrail
CloudWatch Metrics

A