Section 20: AWS Monitoring & Audit, CloudWatch, X-Ray and CloudTrail: OpenTelemetry, CloudTrail and Quiz Flashcards
What is OpenTelemetry?
With OpenTelemetry, you can collect telemetry data from different sources and send it to multiple platforms without significant configuration changes.
https://www.datadoghq.com/knowledge-center/opentelemetry/#:~:text=With%20OpenTelemetry%2C%20you%20can%20collect,that%20work%20best%20for%20them.
What does AWS Distro for OpenTelemetry provide? (one of these answers is very general, the other is specific)
- Secure, production ready AWS-supported distribution of the open-source project OpenTelemetry project.
- a single set of apis, libraries, agents and collector services.
What does aws distro for OpenTelemetry collect?
- It collects distributed traces and metrics from your apps
- it collects metadata from your aws resources and services
- traces without changing your code (via auto instrumention agents)
who can aws distro for OpenTelemetry send traces and metrics to?
multiple aws services and partner solutions including xray, cloudwatch, and prometheus
aws distro for OpenTelemetry can be used to instrument apps running on which aws services? Can it be used to instrument apps running on-premesis?
- ec2, ecs, eks, fargate, lambda. Maybe more, but at least those.
- yes, it can be used to instrument apps running on-premesis.
When might you want to migrate from aws xray to aws distro for Telemetry (I assume he means OpenTelemetry)
when you want to standardize with open-source APIs from Telemetry (again, I assume he means OpenTelemetry but I should check) or send traces to multiple destinations simultaneously.
- What does aws distro for OpenTelemetry collect?
- To what services/solutions can aws distro for OpenTelemetry send data?
- everything the flowchart says it collects to
- all the places the flowcharts says you can send data to.
What does AWS CloudTrail provide? (super general)
CloudTrail provides governance, compliance and audit (i assume he means audit prep) for your aws account.
Is aws CloudTrail enabled by default for your aws account?
yes
- What does aws CloudTrail get you (more specific)
A history of events/api calls made within your aws account by console, sdk, cli, and aws services
Where does it seem like people store logs CloudTrail (think other aws services)?
CloudWatch Logs or S3
about CloudTrail: Can you setup a trail so it’s applied to either all regions or a single region? Which is the default?
Yes, you can have a trail apply to all regions or a single region. The default is all regions.
If a resource in deleted in AWS, what should you check first to see what happened?
CloudTrail!
What’s the cloudtrail diagram? (like, from where can you setup/access/probably configure, at least to some degree cloudtrail behavior, and to where can logs be sent?)
Do you need to consider/configure IAM permissions when you want to adjust a CloudTrail configuration?
yes. add some more details about that or read more about it or something.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_service-with-iam.html
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_id-based-policy-examples.html
What are the three different types of CloudTrail events? (just names)
Management events, data events, cloudtrail insights events
- What are CloudTrail Management events?
- What are some examples?
- When an operation is performed on resourced in your aws account, that’s considered a management event.
- Configuring security (IAM AttachRolePolicy)
- Configuring rules for routing data (EC2 CreateSubnet)
- setting up logging (aws CloudTrail CreateTrail)
Are CloudTrail trails configured to log management events by default?
Yes
Regarding CloudTrail Management Events events, can you separate read events (events that don’t modify resources) from write events (events that may modify resources)
yes
1What are CloudTrail Data events? (This is probably going to be easiest by just giving a general example.)
- GetObject, PutObject, DeleteObject api requests, things like that
by default, are data events logged in CloudTrail?
No. By default, trails and event data stores do not log data events, because of the high volume of operations (like all the api requests that might get used to update a table that’s frequently used). Additional charges apply for data events.
About CloudTrail Data Events: Does logging data events with CloudTrail cost money?
Yes, i think so. I did skim that pretty lightly though, you might want to double check.
- Can CloudTrail Data Events be used to log object-level activity? What are some example apis
- Can you separate the logging of Read events and Write events?
- Yes. GetObject, DeleteOBject, PutObject.
- yes
Can CloudTrail Data Events be used to log aws lambda function execution activity? Through what api?
yes. the Invoke API.
you want to detect unusual activity in your account. How might you do this using CloudTrail?
Enable CloudTrail Insights.
- I already asked most of these other questions, so how about you just tell me what the important parts of the following flowchart are. You can ask more questions about this later if you want.
answer the question
What’s the flow for longer term CloudTrail event storage (longer than the default)
Say you want to get an email any time a user makes a DeleteTable api call on your dynamoDB table. What’s the flow?
If you’re really strugging, add a hint in the question footnote.
Say you want to get an email every time someone makes a new IAM role (or perhaps just an adjustment to an existing one). What’s the flow? (perhaps using AssumeRole? Look into that.)
Say you want to get an email every time someone makes a new ec2 security group (or perhaps just an adjustment to an existing one). What’s the flow? (perhaps using AuthorizeSecurityGroupIngress? look into that)
D is correct. success alert
Good job!
This is a paid offering and is disabled by default. When enabled, the EC2 instance’s metrics are available in 1-minute periods.
- A is incorrect because: CloudWatch Custom Metrics are not needed for getting the Standard CloudWatch Metrics offered for EC2 instances.
- B is incorrect because: High Resolution is only relevant for Custom Metrics. When you publish a Custom Metric, you can define it as either standard resolution or high resolution. You can read and retrieve High-Resolution Custom Metrics at 1 second, 5 seconds, 10 seconds, 30 seconds, or any multiple of 60 seconds.
- C is incorrect because: Basic Monitoring is enabled by default and EC2 instance’s Metrics are available automatically in 5-minute periods.
B. 1 second
No notes.
A is the correct answer. Create a CloudWatch Logs Metric Filter that filters the logs for keyword “Error”, then create a CloudWatch Alarm based on that Metric Filter.
C. The CloudWatch Alarm will remain in ALARM state but never decrease the number of EC2 instances in the ASG.
Note: The number of EC2 instances in an ASG can not go below the minimum capacity, even in the CloudWatch alarm would in theory trigger an EC2 instance termination. No other answers had notes.
C. Use Unified CloudWatch Agent to push memory usage as a custom metric to CloudWatch
No note for that one. didn’t check the other one.
B. 10 seconds.
Note: If you set an alarm on a high-resolution metric, you can specify a high-resolution alarm with a period of 10 seconds or 30 seconds, or you can set a regular alarm with a period of any multiple of 60 seconds.
A. CloudWatch
Note: Amazon CloudWatch is a monitoring service that allows you to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. It is used to monitor your applications’ performance and metrics.
Incorrect Note: AWS CloudTrail allows yuo to log, continously monitor, and retain account activity related to actions across your aws infastructure. it proveds the event history of your aws account activity, audit api calls made through the AWS Management Console, aws sdks, aws cli. you can use CloudTrail to detect unusual activity in your aws accounts.
D. CloudTrail
Notes: AWS CloudTrail allows you to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. It provides the event history of your AWS account activity, audit API calls made through the AWS Management Console, AWS SDKs, AWS CLI. So, the EC2 instance termination API call will appear here. You can use CloudTrail to detect unusual activity in your AWS accounts.
A. CloudWatch Metrics are data about the performance of your systems, it won’t indicate “who” did what.
B. CloudWatch Alarms allow you to trigger notiiactions/actions based on any CloudWatch Metrics or other CloudWatch Alarms, it won’t indicate “who” did what.
C. CloudWatch Events delivers a stream of system events that describe chagnes in your aws resources, it won’t idicate “who” did what.
B. CloudTrail Insights. No notes.
no notes
B. Analyze CloudTrail logs in S3 bucket using Amazon Athena.
Note: success alert
Good job!
You can use the CloudTrail Console to view the last 90 days of recorded API activity. For events older than 90 days, use Athena to analyze CloudTrail logs stored in the S3 bucket.
no notes.
B. CloudTrail
no notes.
C. use the set-alarm-state cli command
no notes for correct or incorrect answers.
C. PutMetricData
no notes for any answers
A. False.
Note: By default, they never expire!
B. Log Groups.
No notes.
A. A config file .ebextensions/xray-daemon.config is missing in your code.
no notes.
no other notes.
B. The X-Ray daemon is not running on the EC2 instance.
no notes for any answers.
A. The IAM role attached to your EC2 instance doesn’t have the required permissions to send data to X-Ray
no answers have notes
C. Check CloudTrail for a Delte event in Elastic Beanstalk.
No notes for any answers.
B. Create the IAM role in the central account, then create IAM roles in the other accounts to assume this IAM role.
Note is: This is a best practice.
Note for A. This is not secure and is not recommended.
C. Annotations.
No answers have notes.
B. AWS X-Ray.
No answers have notes.
A. BatchGetTraces
No answers have notes.
D. Each second, 5%
No answers have notes.
