Logging and Monitoring Flashcards

1
Q

What does CloudTrail not log?

A

API calls only, NOT SSH/RDP into instances etc. (Use VPC Flow Logs to capture network IP traffic)

2
Q

What does CloudTrail log?

A

metadata, identity of requester, time, source IP, request parameters and response from the service

3
Q

How often are event logs delivered to S3?

A

every 5 minutes, with a delay of up to 15 min from the time a request was made

4
Q

What is the thing about Cloudtrail?

A

enabled by default on all accounts for 90 days, but put in an AWS-owned S3 bucket NOT yours

5
Q

How can management events be enabled?

A

For read-only (e.g. DescribeInstances), write-only (e.g. CreateBucket), or all

6
Q

What are data events?

A

for S3 object-level activity like GetObject and PutObject — can get expensive!

7
Q

What does Cloudtrail do every hour?

A

puts a digest file in S3 which has hashes that can be used to validate integrity of log files

8
Q

How to give auditors access to Cloudtrail?

A

Auditors can be given access to CloudTrail by creating a user for them with the IAM CloudTrailReadOnly policy

9
Q

How can Cloudtrail log files be protected?

A

1) IAM
2) bucket policy
3) MFA delete + set up log file validation

10
Q

How often does CloudWatch detailed monitoring refresh?

A

CloudWatch detailed monitoring refreshes every 1 min; standard monitoring refreshes every 5 min

11
Q

What sources can CloudWatch Events ingest events from?

A

1) CloudTrail
2) resource state change (e.g. instance stopped)
3) scheduled events (cron)
4) custom events
Rules match on events and route them to Targets (e.g. Lambda)

12
Q

What does the PutMetricData API do?

A

Publishes metric data points to Amazon CloudWatch, which lets you monitor your applications better.

13
Q

How to set up an alert if the root user logs in?

A

1) Set up a CloudTrail trail to send logs to a CloudWatch Logs log group
2) In CloudWatch Logs, select the log group and create a Metric Filter with a filter pattern matching "userIdentity.type = Root" and other conditions like eventType != ServiceEvent (the root user did something, not AWS acting on its behalf)
3) On the filter, create an Alarm: when >= 1 occurrence, send a notification to an email/SNS topic

14
Q

What is VPC Flow Logs?

A

a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Take note that it only captures the metadata of the traffic and not the actual IP packet data itself. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.

15
Q

Where can you create a VPC flow log?

A

You can create a flow log for a VPC, a subnet, or a network interface. If you create a flow log for a subnet or VPC, each network interface in that subnet or VPC is monitored.

16
Q

What are flow log records?

A

Flow log data for a monitored network interface is recorded as flow log records, which are log events consisting of fields that describe the traffic flow.

17
Q

Where do VPC flow logs get stored?

A

Cloudwatch logs

18
Q

Where can VPC flow logs be enabled?

A

VPC flow logs can be enabled at entire VPC level, subnet level or ENI level

19
Q

What do VPC flow logs not monitor?

A

1) traffic generated by EC2 contacting Amazon DNS
2) Windows license activation traffic
3) instance metadata traffic to 169.254.169.254
4) DHCP traffic
5) VPC router reserved IP traffic

20
Q

What does AWS Config provide?

A

1) resource inventory
2) configuration history (e.g. what was my SG 2 weeks ago)
3) configuration change notifications

21
Q

What happens when something triggers in AWS Config?

A

When something changes, it triggers a Config event that is saved in your S3 bucket and triggers a Rule, which can send notifications

22
Q

What’s the thing about AWS Config?

A

Config has to be explicitly turned on per region

23
Q

What is config timeline?

A

Config Timeline is a cool feature: click on any resource and get the history of all changes made to it

24
Q

What roles does AWS Config need?

A

Config needs an IAM role that has read permission for all resources, access to S3 and publish access to SNS

25
Q

Do CloudHSM and KMS both support symmetric and asymmetric keys?

A

Yes

26
Q

How can you have a custom key store for KMS keys?

A

Use CloudHSM.

27
Q

When will CloudHSM erase itself?

A

If CloudHSM detects 5 failed attempts to access partitions as a Crypto Officer (CO) role, it will erase itself.
5 failed attempts by a Crypto User (CU) will lock the user and Officer has to unlock them

28
Q

What can the Crypto Officer in CloudHSM do?

A

CO can perform user management operations (create and delete users, change user passwords).

29
Q

What can the Crypto User in CloudHSM do?

A

perform key management (create, delete, share, import, and export cryptographic keys) and cryptographic operations (encryption, decryption, signing, verifying, and more).

29
Q

What does AWS Inspector classic do?

A

assesses applications for security vulnerabilities and gives list of findings. Trusted Advisor does it for resources

30
Q

What does AWS Inspector need?

A

IAM role with read-only access to EC2, and an agent to be deployed on EC2

31
Q

What does Inspector Classic need at a minimum?

A

At least 1 tag on the EC2 instance to identify the target

32
Q

What are some of the AWS Inspector templates?

A

CIS OS Benchmark, Common Vulnerabilities, Network Reachability Assessments, etc. Pick a template and remember to "Run" it for 1 hr or more. You can download a report that lists all checks it did and their pass/fail status