Logging and Monitoring Flashcards
What does CloudTrail NOT log?
Only AWS API calls are recorded. Activity inside an instance (SSH/RDP sessions, commands run on the OS) and the network traffic itself are not captured; use VPC Flow Logs for IP traffic metadata and OS-level logging for what happens on the host.
What does CloudTrail log?
For each API call: event metadata, the identity of the requester, the time, the source IP, the request parameters, and the response from the service.
How often are log files delivered to S3?
About every 5 minutes, and typically within 15 minutes of the time the API request was made.
Is CloudTrail on by default?
Event history (the last 90 days of management events) is on by default for every account, but it is stored by AWS and viewed in the console, not written to an S3 bucket you own. To keep logs longer, or to keep them in your own bucket, create a trail.
Which management events can a trail log?
Read-only events (e.g. DescribeInstances), write-only events (e.g. CreateBucket), or both.
What are data events?
Resource-level operations such as S3 object activity (GetObject, PutObject) and Lambda function invocations. They are off by default and high volume, so they can get expensive!
What does CloudTrail do every hour when log file validation is enabled?
Writes a digest file to the S3 bucket containing the SHA-256 hashes of the log files delivered in that hour (and the hash of the previous digest), signed by CloudTrail, so the integrity of the log files can be checked, e.g. with aws cloudtrail validate-logs.
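The hash check that a digest file makes possible, as an added example (not from the flashcards): the digest dict and the log objects are constructed sample data shaped like CloudTrail's (field names follow the real digest format), and the RSA signature CloudTrail puts on every digest is omitted, so this covers only the hash and chain checks. `aws cloudtrail validate-logs` does the full job.

```python
"""Added example, not part of the flashcards: checking CloudTrail log files
against a digest file. Sample data is constructed; signature check omitted."""
import gzip
import hashlib
import json
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Digest files reference log files and the previous digest by SHA-256 hex."""
    return hashlib.sha256(data).hexdigest()


def build_log_object(records: list) -> bytes:
    """CloudTrail stores each log file as gzip-compressed {"Records": [...]}."""
    return gzip.compress(json.dumps({"Records": records}).encode())


# Constructed: two log files as they would sit under the trail's S3 prefix.
LOG_FILES: Dict[str, bytes] = {
    "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/log-a.json.gz":
        build_log_object([{"eventName": "DescribeInstances"}]),
    "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/log-b.json.gz":
        build_log_object([{"eventName": "CreateBucket"}]),
}

# Constructed: the previous hour's digest file, so the chain link can be checked.
PREVIOUS_DIGEST = b'{"constructed": "previous digest file bytes"}'

# Constructed digest for this hour. The hash values are computed from the sample
# objects above, exactly as CloudTrail hashes the stored .gz files.
DIGEST = {
    "awsAccountId": "111122223333",
    "digestS3Bucket": "example-trail-bucket",
    "previousDigestS3Object":
        "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/01/01/prev.json.gz",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST),
    "logFiles": [
        {"s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(data)}
        for key, data in LOG_FILES.items()
    ],
}


def validate_digest(digest: dict, objects: Dict[str, bytes],
                    previous_digest: bytes) -> dict:
    """Compare every log file listed in the digest with what is actually in the
    bucket. Returns {"files": {key: "ok"|"modified"|"missing"}, "chain_ok": bool}."""
    files = {}
    for entry in digest["logFiles"]:
        data = objects.get(entry["s3Object"])
        if data is None:
            files[entry["s3Object"]] = "missing"      # deleted after delivery
        elif sha256_hex(data) == entry["hashValue"]:
            files[entry["s3Object"]] = "ok"
        else:
            files[entry["s3Object"]] = "modified"     # content changed after delivery
    # Each digest pins the previous digest's hash, forming a chain; a mismatch
    # here means a digest file was replaced or removed.
    chain_ok = sha256_hex(previous_digest) == digest["previousDigestHashValue"]
    return {"files": files, "chain_ok": chain_ok}


def tampered_bucket() -> Dict[str, bytes]:
    """Constructed scenario: an attacker rewrites one log file to hide an event."""
    objects = dict(LOG_FILES)
    key = next(iter(objects))
    objects[key] = build_log_object([{"eventName": "DescribeInstances", "edited": True}])
    return objects


if __name__ == "__main__":
    print(validate_digest(DIGEST, LOG_FILES, PREVIOUS_DIGEST))
    print(validate_digest(DIGEST, tampered_bucket(), PREVIOUS_DIGEST))
```

The hash comparison on its own proves nothing if whoever altered the log files could also rewrite the digest; that is why CloudTrail signs each digest with a private key only it holds, and why the bucket still needs the IAM, bucket-policy and MFA Delete protections from the card on protecting log files.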
How do you give auditors access to CloudTrail?
Create an IAM user (or better, a role they can assume) and attach the AWS managed policy AWSCloudTrail_ReadOnlyAccess; they also need read access to the S3 bucket that holds the log files.
How can CloudTrail log files be protected?
1) IAM policies that restrict who can read or delete the logs and who can change or stop the trail
2) an S3 bucket policy on the log bucket
3) MFA Delete on the bucket, plus log file validation (digest files) so modified or deleted files can be detected
How often does CloudWatch detailed monitoring refresh?
Detailed monitoring publishes metrics every 1 minute; basic (standard) monitoring every 5 minutes.
What can CloudWatch Events (now Amazon EventBridge) ingest events from?
1) CloudTrail API calls
2) resource state changes (e.g. an EC2 instance stopped)
3) scheduled events (cron or rate expressions)
4) custom events put by your own applications
Rules match on events and route them to Targets (e.g. a Lambda function or an SNS topic).
What does the PutMetricData API do?
Publishes custom metric data points to Amazon CloudWatch so you can monitor (and alarm on) your own application metrics.
How do you set up an alert when the root user logs in?
- Configure a CloudTrail trail to send its logs to a CloudWatch Logs log group
- In CloudWatch Logs, select the log group and create a Metric Filter whose pattern matches root activity, e.g. { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" } (the extra conditions exclude calls AWS services make on root's behalf, so only a person acting as root counts; add && $.eventName = "ConsoleLogin" to alert on sign-ins only)
- On the filter, create an Alarm that fires when >= 1 occurrence is seen in the period and sends a notification to an SNS topic (with an email subscription)
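The filter and alarm logic from the steps above, as an added example (not from the flashcards and not an AWS API): the same match conditions applied offline to constructed CloudTrail records, so each match and non-match case can be checked before the metric filter is deployed. The sample log events are trimmed, constructed records, not real data.

```python
"""Added example, not part of the flashcards: the root-activity metric filter
logic applied offline to constructed CloudTrail records.

CloudWatch Logs filter pattern this reproduces (the CIS AWS Foundations
Benchmark pattern for root usage):
  { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    && $.eventType != "AwsServiceEvent" }
"""
import json
from typing import List


def is_root_activity(record: dict) -> bool:
    """Evaluate one CloudTrail record (one CloudWatch log event) against the pattern."""
    identity = record.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        # invokedBy is set when an AWS service acts on root's behalf
        and "invokedBy" not in identity
        # AwsServiceEvent means AWS itself did something, not a person
        and record.get("eventType") != "AwsServiceEvent"
    )


def count_root_events(log_lines: List[str]) -> int:
    """The metric value the filter would emit for one batch of log events."""
    return sum(1 for line in log_lines if is_root_activity(json.loads(line)))


def alarm_state(metric_value: int, threshold: int = 1) -> str:
    """Alarm condition from the card: >= 1 occurrence in the period."""
    return "ALARM" if metric_value >= threshold else "OK"


# Constructed sample log events (trimmed CloudTrail records); not real data.
SAMPLE_LOG_EVENTS = [
    # 1. Genuine root console sign-in: should match.
    json.dumps({"eventVersion": "1.08", "eventType": "AwsConsoleSignIn",
                "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
                "userIdentity": {"type": "Root", "accountId": "111122223333"},
                "sourceIPAddress": "203.0.113.10"}),
    # 2. Ordinary IAM user API call: no match.
    json.dumps({"eventVersion": "1.08", "eventType": "AwsApiCall",
                "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    # 3. A service acting on behalf of root (invokedBy present): no match.
    json.dumps({"eventVersion": "1.08", "eventType": "AwsApiCall",
                "eventName": "CreateBucket", "eventSource": "s3.amazonaws.com",
                "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}}),
    # 4. AWS-initiated service event attributed to root: no match.
    json.dumps({"eventVersion": "1.08", "eventType": "AwsServiceEvent",
                "eventName": "AwsServiceEvent", "userIdentity": {"type": "Root"}}),
]


if __name__ == "__main__":
    hits = count_root_events(SAMPLE_LOG_EVENTS)
    print(f"root events: {hits} -> {alarm_state(hits)}")
```

Keeping the broader pattern (any root activity, not only ConsoleLogin) is deliberate: root access keys can be used for API calls without any console sign-in, and those should page someone just as loudly.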
What are VPC Flow Logs?
A feature that captures information about the IP traffic going to and from network interfaces in your VPC. Note that it records only metadata about each flow (addresses, ports, protocol, byte and packet counts, accept/reject), not the packet payload. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.
Where can you create a VPC flow log?
You can create a flow log for a VPC, a subnet, or a network interface. If you create a flow log for a subnet or VPC, each network interface in that subnet or VPC is monitored.