Monitoring & Auditing

Question 1

What is Cloudwatch?

Answer 1

A monitoring service.

Provides metrics for EVERY service in AWS

Question 1

What is a cloudwatch metric?

Answer 1

A variable to monitor: CPUUtilization, BucketSize, etc.

Question 2

What is a metric attribute?

Answer 2

The metric attributes are called “Dimension”.

Question 3

What are cloudwatch logs?

Answer 3

You set up a log group, then in it a log stream, which will capture the logs.

Question 4

How are logs created in cloudwatch?

Answer 4

Different services have the capability of creating log groups in cloudwatch.

Question 5

What are metric filters?

Answer 5

Metric filters are a way to filter key lines in a log group stream, with the objective of creating a new metric.

You create a filter by choosing a sample log stream, and using key words to find a pattern in the events of the log stream.

Question 6

What is a log stream?

Answer 6

A single captured log chain, that belongs to a log group. In a log stream there are multiple events that describe what happened in an aws service.

A log stream is an instance of a log capture.

Question 7

How do you create a metric?

Answer 7

You create a metric by creating a filter with a pattern, and a value.

For example if the pattern happens x amount of times, x being the value, you would get an alarm triggered in case you tie this new metric to a cloudwatch alarm.

Question 8

How are cloudwatch log groups and S3 related?

Answer 8

You can send the log into s3 bucket.

Question 9

What is log insights?

Answer 9

A cloudwatch QUERY capability that lets you query log groups for streams, by using a query language. This is great to find specific data in a big log group with lots of different logs. For example ip addresses, errors, etc, etc. Everything that could be logged basically.

You can export these logs, or add them to a dashboard.

Question 10

Where could cloudwatch logs be sent to?

Answer 10

S3 for storage,
Kinesis data streams and firehose
aws lambda as triggers
opensearch

Question 11

What is cloudwatch log subscriptions?

Answer 11

This is to export logs in real time to other services, for analysis and processing.

Examples are lambda functions, and kinesis.

Use in combination with a subscription filter to specify which events to send from the log streams.

Question 12

What is a subscription filter?

Answer 12

When using cloudwatch log subscriptions (for kinesis, lambda) you can set a subscription filter to only send the log events you want instead of the whole log.

Question 13

How can you aggregate cloudwatch log data from multiple aws accounts into one destination?

Answer 13

You can create a subscription filter from each aws account into a single kinesis data stream in one of the accounts (with cloudwatch cross account subscription), and then put it in firehose for example, to store it into s3.

Question 14

What is cross account subscription?

Answer 14

You can send cloudwatch logs to another account with kinesis data streams.

Question 15

What is live tail?

Answer 15

Its a feature where you choose a log group, and optionally a log stream and a filter, and as events happen you see them live.

It’s like a log capture tool.

Question 16

Do EC2 instances send logs to cloudwatch?

Answer 16

Not by default, but you can install a unified log agent to send logs to cloudwatch, if you set up iam roles in the ec2 instance correctly.

EC2 instances DO send basic METRICS to cloudwatch by default

Question 17

What is cloudwatch unified agent?

Answer 17

the cloudwatch log agent that you can install in ec2 instances or any onpremises server to collect data to send to cloudwatch.

It collects both metrics and logs.

Question 18

What are cloudwatch alarms?

Answer 18

For triggering notifications on a single metric.

Alarm states are: OK, INSUFFICIENT_DATA, ALARM.

You can set a period for triggering the alarm.

Question 19

What are composite alarms?

Answer 19

Alarms in cloudwatch that are set on multiple metrics.

They work by monitoring the state of multiple other configured alarms.

It can be configured as an OR, or AND.

Question 20

Do EC2 instances send metric data to cloudwatch?

Answer 20

YES. They send basic metrics.

They dont send logs without an agent, but they do send basic metrics. With unified agent installed you get logs and more advanced metrics though,

Question 21

How can alarms interact with EC2?

Answer 21

If you set up an alarm on an EC2 metric, you can apply an EC2 action to stop, reboot, or terminate the alarmed instance.

Question 22

What actions can you configure in cloudwatch after an alarm is triggered?

Answer 22

EC2 actions to terminate, reboot, or stop an instance.
An auto scaling action
Notification
Systems manager action

Question 23

How can you test an alarm in Cloudwatch?

Answer 23

With AWS CLI you can manually set an alarm to alarmed state, to test the actions configured for the alarm.

Question 24

What is EventBridge?

Answer 24

A service where you can schedule CRON jobs in AWS.

For example to trigger a lambda function every hour. Or trigger SQS, or SNS.

You can also react to cloudwatch events to trigger actions

Question 25

What is CloudTrail?

Answer 25

For governance, compliance and audit in aws.

History of all events and api calls in your account.

Question 26

Where can you send cloudtrail logs to?

Answer 26

S3 bucket or cloudwatch.

In cloudtrail events are stored for 90 days.

Question 27

What is cloudtrail insights?

Answer 27

A cloudtrail feature to detect inusual activity in your account.

It first creates a baseline of your normal activity by looking at the events. Then analyzes events continuously to detect unusual patterns.

Question 28

Where are API Calls logged?

Answer 28

Cloudtrail. Then for these API call events you will need to use it with eventbridge for alerts and SNS to create notifications for these alerts.

Question 29

What is AWS Config?

Answer 29

A service that helps to audit and get compliance status of your aws resources, based on rules you set up.

For example:
Are all ebs volumes gp3?
Are all instances t2.micro?
Do buckets have public access?
Are there security groups that have unrestricted ssh access inbound?

With SNS you can receive alerts to these non compliant rules.

This service is per region.

Question 30

What actions can AWS Config take to fix noncompliant resources?

Answer 30

AWS Config can’t just change an ebs volume to be of a compliant type, for example.

But, AWS Config can make some remediation of non compliant resouces, by triggering SSM automation documents, that can perform actions in aws. If you need something more advanced, these SSM docs can trigger lambda functions that can perform more advanced actions to remediate the non compliant resource.

Example: Access keys expired on a user. An SSM doc can fix that by deactivating these expired access keys.

SSM documents are activated automatically then a resource becomes non compliant.

Question 31

How do you configure actions for non compliant resources in aws?

Answer 31

With aws config you audit these resources, and if they become non compliant, you can trigger an event in eventbridge, and then trigger an action with SNS, Lambda, SQS, etc.

Question 32

What integration does AWS Config have for notifications?

Answer 32

SNS: You can directly notify of all non compliance to SNS topic.

Question 33

What is the difference between cloudwatch, cloudtrail and config?

Answer 33

Cloudwatch is for performance monitoring: Metrics cpu network etc, dashboards, events and alerting, log aggregation and analysis of logs.
Cloudtrail is for record API calls made in your aws account by every user or service.
Config is for recording configuration changes, and evaluate against compliance rules.

Question 34

What is the purpose of CloudWatch vs EventBridge?

Answer 34

Cloudwatch is for monitoring and observability of aws resource performance. Set up alarms, or visualize metrics and logs

Eventbridge is for routing events between aws applications, and automating workflows. It excels at handling a variety of events and connecting different AWS services and external SaaS applications.

Question 35

How can CloudWatch and EventBridge work together?

Answer 35

They complement each other. For instance, CloudWatch can generate metrics that trigger events, which can then be routed and processed by EventBridge for further actions.

Question 36

How can eventbridge see cloudwatch alarms?

Answer 36

You set up an alarm that monitors a metric in cloudwatch.

Then in event bridge, you create a rule to create an event when this alarm is triggered.

Question 37

You have an RDS DB instance that’s configured to push its database logs to CloudWatch. You want to create a CloudWatch alarm if there’s an Error found in the logs. How would you do that?

Answer 37

Create a CloudWatch Logs Metric Filter that filters the logs for the keyword Error, then create a CloudWatch Alarm based on that Metric Filter

Question 38

You have an application hosted on a fleet of EC2 instances managed by an Auto Scaling Group that you configured its minimum capacity to 2. Also, you have created a CloudWatch Alarm that is configured to scale in your ASG when CPU Utilization is below 60%. Currently, your application runs on 2 EC2 instances and has low traffic and the CloudWatch Alarm is in the ALARM state. What will happen?

Answer 38

The CloudWatch alarm will remain in ALARM state but never decrease the number of EC2 instances in the ASG.

The number of EC2 instances in an ASG can not go below the minimum capacity, even if the CloudWatch alarm would in theory trigger an EC2 instance termination.

Question 39

You have made a configuration change and would like to evaluate the impact of it on the performance of your application. Which AWS service should you use?

1) Cloudwatch
2) CloudTrail

Answer 39

Cloudwatch.

CloudTrail is for monitoring Configuration changes (API Calls) made by users or roles in your aws account.

Question 40

Someone has terminated an EC2 instance in your AWS account last week, which was hosting a critical database that contains sensitive data. Which AWS service helps you find who did that and when?

Answer 40

CloudTrail

Question 41

You have CloudTrail enabled for your AWS Account in all AWS Regions. What should you use to detect unusual activity in your AWS Account?

Answer 41

CloudTrail Insights

Question 42

One of your teammates terminated an EC2 instance 4 months ago which has critical data. You don’t know who made this so you are going to review all API calls within this period using CloudTrail. You already have CloudTrail set up and configured to send logs to the S3 bucket. What should you do to find out who made this?

Answer 42

Analyze the logs in s3 (Using athena for example), since logs from 4 moths ago are not longer stored in cloudtrail.

You can use the CloudTrail Console to view the last 90 days of recorded API activity. For events older than 90 days, use Athena to analyze CloudTrail logs stored in S3.

Question 43

You are running a website on a fleet of EC2 instances with OS that has a known vulnerability on port 84. You want to continuously monitor your EC2 instances if they have port 84 exposed. How should you do this?

Answer 43

With AWS Config Rules

Question 44

You would like to evaluate the compliance of your resource’s configurations over time. Which AWS service will you choose?

Answer 44

AWS Config

Question 45

Someone changed the configuration of a resource and made it non-compliant. Which AWS service is responsible for logging who made modifications to resources?

Answer 45

CloudTrail

Question 46

You have enabled AWS Config to monitor Security Groups if there’s unrestricted SSH access to any of your EC2 instances. Which AWS Config feature can you use to automatically re-configure your Security Groups to their correct state?

Answer 46

AWS Config Remediations.

Integrated with SSM documents to make fixes to non compliant resources. And thos SSM can call lambda functions for more complex fixes.

Question 47

You are running a critical website on a set of EC2 instances with a tightened Security Group that has restricted SSH access. You have enabled AWS Config in your AWS Region and you want to be notified via email when someone modified your EC2 instances’ Security Group. Which AWS Config feature helps you do this?

Answer 47

AWS Config Notifications

With usage of SNS.

Question 48

…………………………. is a CloudWatch feature that allows you to send CloudWatch metrics in near real-time to S3 bucket (through Kinesis Data Firehose) and 3rd party destinations (e.g., Splunk, Datadog, …).

Answer 48

Cloudwatch metric streams

Question 49

A DevOps engineer is working for a company and managing its infrastructure and resources on AWS. There was a sudden spike in traffic for the main application for the company which was not normal in this period of the year. The application is hosted on a couple of EC2 instances in private subnets and is fronted by an Application Load Balancer in a public subnet. To detect if this is normal traffic or an attack, the DevOps engineer enabled the VPC Flow Logs for the subnets and stored those logs in CloudWatch Log Group. The DevOps wants to analyze those logs and find out the top IP addresses making requests against the website to check if there is an attack. Which of the following can help the DevOps engineer to analyze those logs?

Answer 49

Cloudwatch Contributor Insights

CloudWatch Contributor Insights is a feature of Amazon CloudWatch that helps you analyze and understand the top contributors to specific metrics and operational data within your AWS environment. It provides real-time insights into the behavior of your applications and infrastructure by identifying patterns and trends from log data.

Question 50

A company is developing a Serverless application on AWS using Lambda, DynamoDB, and Cognito. A junior developer joined a few weeks ago and accidentally deleted one of the DynamoDB tables in the dev AWS account which contained important data. The CTO asks you to prevent this from happening again and there must be a notification system to monitor if there is an attempt to make such deletion actions for the DynamoDB tables. What would you do?

Answer 50

Assign developers to a certain IAM group which prevents deletion of DynamoDB tables.

Configure EventBridge to capture any DeleteTable API calls through CloudTrail and send a notification using SNS

Question 51

A company has a running Serverless application on AWS which uses EventBridge as an inter-communication channel between different services within the application. There is a requirement to use the events in the prod environment in the dev environment to make some tests. The tests will be done every 6 months, so the events need to be stored and used later on. What is the most efficient and cost-effective way to store EventBridge events and use them later?

Answer 51

Use EventBridge Archive and Replay feature.

The EventBridge Archive and Replay feature allows you to automatically archive events and replay them at a later time. This feature helps in debugging, testing, and recovering from errors by providing a way to retain and reuse event data.