Security - Capturing and analyzing logs Flashcards
1
Q
CloudTrail - Characteristics
A
- It enables governance, compliance, and operational and risk auditing of AWS accounts
- Tracks the actions that an IAM principal performs on AWS resources / services
- Through Event history you can review the events that occurred in the last 90 days
- Stores log files in an S3 bucket that you specify; the files are encrypted by default using SSE-S3
- CloudTrail Log Monitoring monitors log files by delivering them to CloudWatch Logs. It validates the logs' integrity since the last time the logs were sent to CloudWatch
2
Q
CloudTrail - Event types
A
- Management events: provide information about management operations that are performed on resources in your AWS account. Also known as control plane operations
- Data events: provide information about the resource operations performed on or within a resource. Also known as data plane operations. They are often high-volume activities and are not logged by default when you create a trail
- CloudTrail Insights: capture unusual API call rate or error rate activity in your AWS account
3
Q
CloudTrail - Trail types
A
- A trail for all regions: CloudTrail records events in every region. A newly added region is automatically included in the trail
- A trail for one region: CloudTrail records events in that region only
4
Q
CloudTrail - Integration with other services
A
- A trail can deliver CloudTrail events to S3. It can also monitor API calls from CloudWatch Logs (non-AWS APIs) and CloudWatch Events (AWS APIs) and store that information in an S3 bucket
- CloudTrail and CloudWatch Logs:
  - Can configure SNS notifications for the account activity captured by CloudTrail (e.g. can create CloudWatch alarms to notify users about API calls that modify Security Groups and NACLs)
  - CloudWatch Logs provides a UI to view and search logs
- CloudTrail and Athena: can enhance the analysis of AWS service activity (e.g. can use queries to identify trends and further isolate activity by source IP address or user)
- CloudTrail and Config: captures all API calls made to AWS Config