Monitoring & Auditing Flashcards

1
Q

What is Cloudwatch?

A

A monitoring service.

Provides metrics for EVERY service in AWS

1
Q

What is a cloudwatch metric?

A

A variable to monitor: CPUUtilization, BucketSize, etc.

2
Q

What is a metric attribute?

A

Metric attributes are called “Dimensions”.

3
Q

What are cloudwatch logs?

A

You set up a log group, then in it a log stream, which will capture the logs.

4
Q

How are logs created in cloudwatch?

A

Different services have the capability of creating log groups in cloudwatch.

5
Q

What are metric filters?

A

Metric filters are a way to match key lines in the streams of a log group, with the objective of creating a new metric.

You create a filter by choosing a sample log stream and using keywords to find a pattern in the events of that log stream.

6
Q

What is a log stream?

A

A single captured log chain that belongs to a log group. A log stream contains multiple events that describe what happened in an aws service.

A log stream is one instance of a log capture.

7
Q

How do you create a metric?

A

You create a metric by creating a filter with a pattern and a value.

For example, if the pattern occurs x times, x being the value, an alarm is triggered, provided you tie this new metric to a cloudwatch alarm.

8
Q

How are cloudwatch log groups and S3 related?

A

You can send the logs to an s3 bucket.

9
Q

What is log insights?

A

A cloudwatch QUERY capability that lets you query the streams of a log group using a query language. This is great for finding specific data in a big log group with lots of different logs, for example IP addresses, errors, and basically anything else that could be logged.

You can export these logs, or add them to a dashboard.

10
Q

Where could cloudwatch logs be sent to?

A

S3 for storage
Kinesis data streams and firehose
aws lambda as triggers
opensearch

11
Q

What are cloudwatch log subscriptions?

A

They export logs in real time to other services for analysis and processing.

Examples are lambda functions and kinesis.

Use them in combination with a subscription filter to specify which events to send from the log streams.

12
Q

What is a subscription filter?

A

When using cloudwatch log subscriptions (for kinesis, lambda) you can set a subscription filter to only send the log events you want instead of the whole log.

13
Q

How can you aggregate cloudwatch log data from multiple aws accounts into one destination?

A

You can create a subscription filter in each aws account that sends to a single kinesis data stream in one of the accounts (using cloudwatch cross account subscription), and then feed that stream into firehose, for example, to store the data in s3.

14
Q

What is cross account subscription?

A

You can send cloudwatch logs to another account with kinesis data streams.

15
Q

What is live tail?

A

It's a feature where you choose a log group, and optionally a log stream and a filter, and you see events live as they happen.

It's like a log capture tool.

16
Q

Do EC2 instances send logs to cloudwatch?

A

Not by default, but you can install the unified agent to send logs to cloudwatch, if you set up the IAM role on the ec2 instance correctly.

EC2 instances DO send basic METRICS to cloudwatch by default.

17
Q

What is cloudwatch unified agent?

A

The cloudwatch agent that you can install on ec2 instances or any on-premises server to collect data and send it to cloudwatch.

It collects both metrics and logs.

18
Q

What are cloudwatch alarms?

A

For triggering notifications on a single metric.

Alarm states are: OK, INSUFFICIENT_DATA, ALARM.

You can set a period for triggering the alarm.

19
Q

What are composite alarms?

A

Alarms in cloudwatch that are based on multiple metrics.

They work by monitoring the state of multiple other configured alarms.

They can be configured with OR or AND logic.

20
Q

Do EC2 instances send metric data to cloudwatch?

A

YES. They send basic metrics.

They don't send logs without an agent, but they do send basic metrics. With the unified agent installed you get logs and more advanced metrics, though.

21
Q

How can alarms interact with EC2?

A

If you set up an alarm on an EC2 metric, you can apply an EC2 action to stop, reboot, or terminate the alarmed instance.

22
Q

What actions can you configure in cloudwatch after an alarm is triggered?

A

EC2 actions to terminate, reboot, or stop an instance.
An auto scaling action
Notification
Systems manager action

23
Q

How can you test an alarm in Cloudwatch?

A

With AWS CLI you can manually set an alarm to alarmed state, to test the actions configured for the alarm.

24
Q

What is EventBridge?

A

A service where you can schedule cron jobs in AWS.

For example, to trigger a lambda function every hour, or to trigger SQS or SNS.

You can also react to cloudwatch events to trigger actions.

25
Q

What is CloudTrail?

A

For governance, compliance and audit in aws.

A history of all events and API calls in your account.

26
Q

Where can you send cloudtrail logs to?

A

S3 bucket or cloudwatch.

In cloudtrail events are stored for 90 days.

27
Q

What is cloudtrail insights?

A

A cloudtrail feature to detect unusual activity in your account.

It first creates a baseline of your normal activity by looking at the events. Then it analyzes events continuously to detect unusual patterns.

28
Q

Where are API Calls logged?

A

Cloudtrail. To alert on these API call events, you use it together with eventbridge for the alerts and SNS to send notifications for those alerts.

29
Q

What is AWS Config?

A

A service that helps to audit and get compliance status of your aws resources, based on rules you set up.

For example:
Are all ebs volumes gp3?
Are all instances t2.micro?
Do buckets have public access?
Are there security groups that have unrestricted ssh access inbound?

With SNS you can receive alerts for these non-compliant rules.

This service is per region.

30
Q

What actions can AWS Config take to fix noncompliant resources?

A

AWS Config can’t just change an ebs volume to a compliant type, for example.

But AWS Config can do some remediation of non-compliant resources by triggering SSM automation documents, which can perform actions in aws. If you need something more advanced, these SSM docs can trigger lambda functions that perform more advanced actions to remediate the non-compliant resource.

Example: a user has expired access keys. An SSM doc can fix that by deactivating the expired access keys.

SSM documents are triggered automatically when a resource becomes non-compliant.

31
Q

How do you configure actions for non compliant resources in aws?

A

With aws config you audit these resources, and if they become non compliant, you can trigger an event in eventbridge, and then trigger an action with SNS, Lambda, SQS, etc.

32
Q

What integration does AWS Config have for notifications?

A

SNS: You can directly notify an SNS topic of all non-compliance.

33
Q

What is the difference between cloudwatch, cloudtrail and config?

A

Cloudwatch is for performance monitoring: metrics (cpu, network, etc.), dashboards, events and alerting, log aggregation and log analysis.
Cloudtrail is for recording the API calls made in your aws account by every user or service.
Config is for recording configuration changes and evaluating them against compliance rules.

34
Q

What is the purpose of CloudWatch vs EventBridge?

A

Cloudwatch is for monitoring and observability of aws resource performance: set up alarms, or visualize metrics and logs.

Eventbridge is for routing events between aws applications, and automating workflows. It excels at handling a variety of events and connecting different AWS services and external SaaS applications.

35
Q

How can CloudWatch and EventBridge work together?

A

They complement each other. For instance, CloudWatch can generate metrics that trigger events, which can then be routed and processed by EventBridge for further actions.

36
Q

How can eventbridge see cloudwatch alarms?

A

You set up an alarm that monitors a metric in cloudwatch.

Then in eventbridge, you create a rule that produces an event when this alarm is triggered.

37
Q

You have an RDS DB instance that’s configured to push its database logs to CloudWatch. You want to create a CloudWatch alarm if there’s an Error found in the logs. How would you do that?

A

Create a CloudWatch Logs Metric Filter that filters the logs for the keyword Error, then create a CloudWatch Alarm based on that Metric Filter

38
Q

You have an application hosted on a fleet of EC2 instances managed by an Auto Scaling Group whose minimum capacity you configured to 2. Also, you have created a CloudWatch Alarm that is configured to scale in your ASG when CPU Utilization is below 60%. Currently, your application runs on 2 EC2 instances and has low traffic, and the CloudWatch Alarm is in the ALARM state. What will happen?

A

The CloudWatch alarm will remain in ALARM state but never decrease the number of EC2 instances in the ASG.

The number of EC2 instances in an ASG cannot go below the minimum capacity, even if the CloudWatch alarm would in theory trigger an EC2 instance termination.

39
Q

You have made a configuration change and would like to evaluate the impact of it on the performance of your application. Which AWS service should you use?

1) Cloudwatch
2) CloudTrail

A

Cloudwatch.

CloudTrail is for monitoring Configuration changes (API Calls) made by users or roles in your aws account.

40
Q

Someone has terminated an EC2 instance in your AWS account last week, which was hosting a critical database that contains sensitive data. Which AWS service helps you find who did that and when?

A

CloudTrail

41
Q

You have CloudTrail enabled for your AWS Account in all AWS Regions. What should you use to detect unusual activity in your AWS Account?

A

CloudTrail Insights

42
Q

One of your teammates terminated an EC2 instance 4 months ago which has critical data. You don’t know who made this so you are going to review all API calls within this period using CloudTrail. You already have CloudTrail set up and configured to send logs to the S3 bucket. What should you do to find out who made this?

A

Analyze the logs in s3 (using Athena, for example), since logs from 4 months ago are no longer stored in cloudtrail.

You can use the CloudTrail Console to view the last 90 days of recorded API activity. For events older than 90 days, use Athena to analyze CloudTrail logs stored in S3.

43
Q

You are running a website on a fleet of EC2 instances with an OS that has a known vulnerability on port 84. You want to continuously monitor your EC2 instances to see if they have port 84 exposed. How should you do this?

A

With AWS Config Rules

44
Q

You would like to evaluate the compliance of your resource’s configurations over time. Which AWS service will you choose?

A

AWS Config

45
Q

Someone changed the configuration of a resource and made it non-compliant. Which AWS service is responsible for logging who made modifications to resources?

A

CloudTrail

46
Q

You have enabled AWS Config to monitor Security Groups if there’s unrestricted SSH access to any of your EC2 instances. Which AWS Config feature can you use to automatically re-configure your Security Groups to their correct state?

A

AWS Config Remediations.

Integrated with SSM documents to make fixes to non-compliant resources. And those SSM documents can call lambda functions for more complex fixes.

47
Q

You are running a critical website on a set of EC2 instances with a tightened Security Group that has restricted SSH access. You have enabled AWS Config in your AWS Region and you want to be notified via email when someone modifies your EC2 instances’ Security Group. Which AWS Config feature helps you do this?

A

AWS Config Notifications

With usage of SNS.

48
Q

…………………………. is a CloudWatch feature that allows you to send CloudWatch metrics in near real-time to S3 bucket (through Kinesis Data Firehose) and 3rd party destinations (e.g., Splunk, Datadog, …).

A

Cloudwatch metric streams

49
Q

A DevOps engineer is working for a company and managing its infrastructure and resources on AWS. There was a sudden spike in traffic for the company's main application, which was not normal for this period of the year. The application is hosted on a couple of EC2 instances in private subnets and is fronted by an Application Load Balancer in a public subnet. To detect whether this is normal traffic or an attack, the DevOps engineer enabled VPC Flow Logs for the subnets and stored those logs in a CloudWatch Log Group. The DevOps engineer wants to analyze those logs and find the top IP addresses making requests against the website to check if there is an attack. Which of the following can help the DevOps engineer analyze those logs?

A

Cloudwatch Contributor Insights

CloudWatch Contributor Insights is a feature of Amazon CloudWatch that helps you analyze and understand the top contributors to specific metrics and operational data within your AWS environment. It provides real-time insights into the behavior of your applications and infrastructure by identifying patterns and trends from log data.

50
Q

A company is developing a Serverless application on AWS using Lambda, DynamoDB, and Cognito. A junior developer joined a few weeks ago and accidentally deleted one of the DynamoDB tables in the dev AWS account which contained important data. The CTO asks you to prevent this from happening again and there must be a notification system to monitor if there is an attempt to make such deletion actions for the DynamoDB tables. What would you do?

A

Assign developers to a certain IAM group which prevents deletion of DynamoDB tables.

Configure EventBridge to capture any DeleteTable API calls through CloudTrail and send a notification using SNS.

51
Q

A company has a running Serverless application on AWS which uses EventBridge as an inter-communication channel between different services within the application. There is a requirement to use the events in the prod environment in the dev environment to make some tests. The tests will be done every 6 months, so the events need to be stored and used later on. What is the most efficient and cost-effective way to store EventBridge events and use them later?

A

Use EventBridge Archive and Replay feature.

The EventBridge Archive and Replay feature allows you to automatically archive events and replay them at a later time. This feature helps in debugging, testing, and recovering from errors by providing a way to retain and reuse event data.