Tutorial / Cram Notes
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
Capabilities:
- Log Level: Management events and data events.
- Type: Structured JSON.
- Verbosity: Configurable event selectors.
- Cadence: Near real-time.
- Timeliness: Delivered within 15 minutes of API call.
- Immutability: Log file integrity validation.
Use Cases:
- Tracking user activity and API usage.
- Security analysis and forensic investigation.
- Compliance audits.
Example:
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDACKCEVSQ6C2EXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "EXAMPLE_KEY_ID"
  },
  …
}
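An added example, not part of the original notes, that runs simple detection checks over constructed CloudTrail records shaped like the event above (root activity, console sign-ins without MFA, and AccessDenied errors); the account id and key ids are the same placeholder values used in the event, and the sample records are constructed.

```python
import json

# Constructed sample CloudTrail records (not real account activity); the account id
# and key ids are the same placeholder values used in the event above.
SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventVersion": "1.05", "eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE",
                   "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012",
                   "accessKeyId": "EXAMPLE_KEY_ID"}},
 {"eventVersion": "1.05", "eventTime": "2024-01-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "principalId": "123456789012",
                   "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventVersion": "1.05", "eventTime": "2024-01-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetBucketPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "principalId": "AIDACKCEVSQ6C2EXAMPLE",
                   "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012"}}
]}
""")


def flag_events(records):
    """Return (eventName, arn, reason) tuples for records an analyst should review."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        arn = ident.get("arn", "<unknown>")
        name = rec.get("eventName", "<unknown>")
        # Root credentials should not be used for routine API activity.
        if ident.get("type") == "Root":
            findings.append((name, arn, "root account activity"))
        # The sign-in service records whether MFA was used for console logins.
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append((name, arn, "console login without MFA"))
        # AccessDenied errors point to misconfigured permissions or probing.
        if rec.get("errorCode") == "AccessDenied":
            findings.append((name, arn, "access denied"))
    return findings


if __name__ == "__main__":
    for finding in flag_events(SAMPLE_RECORDS["Records"]):
        print(finding)
```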
Amazon CloudWatch Logs
Amazon CloudWatch Logs allows you to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Route 53, and other sources.
Capabilities:
- Log Level: Customizable by user.
- Type: Flexible, text-based logs.
- Verbosity: Defined by the log emitter.
- Cadence: Near real-time.
- Timeliness: Typically within seconds.
- Immutability: Can set log retention policies.
Use Cases:
- Real-time application and system monitoring.
- Custom metrics generation from log data.
- Archiving logs for future analysis.
Amazon VPC Flow Logs
Amazon VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC.
Capabilities:
- Log Level: Accept and Reject traffic logs.
- Type: Text-based, with customizable fields such as source IP, destination IP, etc.
- Verbosity: High for capturing all traffic.
- Cadence: Typically every few minutes.
- Timeliness: Delay can vary from a few minutes up to an hour.
- Immutability: Once published to Amazon CloudWatch Logs or Amazon S3, they are immutable.
Use Cases:
- Network monitoring.
- Troubleshooting connectivity and security issues.
- Gaining insights into VPC traffic patterns.
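An added example, not part of the original notes, that parses records in the default VPC flow log format (the 14-field version 2 layout) and counts rejected flows per source address and destination port; the sample lines are constructed and the interface id is a placeholder.

```python
from collections import Counter

# Field order of the default (version 2) flow log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample records in the default format (not captured from a real VPC).
SAMPLE_LINES = """\
2 123456789012 eni-0a1b2c3d4e5f67890 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 172.31.16.21 49761 3389 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 172.31.16.21 49762 22 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 172.31.16.21 49763 3389 6 1 40 1418530011 1418530071 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1431280876 1431280934 - NODATA
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1431280876 1431280934 - SKIPDATA
""".splitlines()


def parse_flow_record(line):
    """Parse one default-format record into a dict, or return None for records
    with no traffic in the window (NODATA) or records CloudWatch lost (SKIPDATA)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def rejected_by_source_and_port(lines):
    """Count REJECT records per (srcaddr, dstport); repeated rejects from one
    source against several ports or hosts are the usual sign of a scan."""
    counts = Counter()
    for line in lines:
        rec = parse_flow_record(line)
        if rec and rec["action"] == "REJECT":
            counts[(rec["srcaddr"], rec["dstport"])] += 1
    return counts


if __name__ == "__main__":
    for (src, port), n in rejected_by_source_and_port(SAMPLE_LINES).most_common():
        print(f"{src} -> port {port}: {n} rejected flow(s)")
```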
AWS Config
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It records and evaluates changes to your AWS environment and helps maintain compliance with corporate, regulatory, and best practices policies.
Capabilities:
- Log Level: Changes (create, modify, delete) to AWS resources.
- Type: JSON configuration items.
- Verbosity: Records all changes and supports detailed configuration snapshots.
- Cadence: Change-driven (event-based).
- Timeliness: Near real-time.
- Immutability: Configuration history is stored immutably.
Use Cases:
- Tracking resource inventory and history.
- Auditing changes to AWS resources.
- Ensuring compliance with environment configurations.
Amazon Athena
Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon S3 using standard SQL. While not a logging service itself, it is often used to query large volumes of log data efficiently.
Capabilities:
- Log Level: Depends on the data it queries.
- Type: SQL query results.
- Verbosity: As detailed as the underlying dataset.
- Cadence: On-demand execution of queries.
- Timeliness: Execution time depends on query complexity and data size.
- Immutability: Relies on the immutability of the underlying data in S3.
Use Cases:
- Analyzing CloudTrail logs stored in S3.
- Complex querying against VPC Flow Log data.
- Performing ad-hoc security analysis.
When preparing for the AWS Certified Security – Specialty (SCS-C02) exam, it’s important to understand not only the capabilities of these AWS services but also the practical applications in securing AWS environments. By leveraging the data from these services, security specialists can ensure that the AWS infrastructure is well-monitored, compliant with necessary policies, and protected against security threats.
Practice Test with Explanation
True or False: Amazon CloudWatch Logs can be configured to monitor log files from Amazon EC2 instances and AWS CloudTrail.
- True
- False
Answer: True
Explanation: Amazon CloudWatch Logs can be used to monitor, store, and access log files from Amazon EC2 instances, AWS CloudTrail, and other sources.
Which of the following AWS services provides detailed API tracking for AWS account activity?
- Amazon Redshift
- Amazon S3
- AWS CloudTrail
- Amazon RDS
Answer: AWS CloudTrail
Explanation: AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account by tracking actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
True or False: AWS Kinesis Data Firehose is an immutable storage solution.
- True
- False
Answer: False
Explanation: AWS Kinesis Data Firehose is a service for real-time streaming of data into AWS, not for immutable storage. For immutable storage, services like Amazon S3 Object Lock can be used.
Which AWS service can be used to capture and load streaming data into other AWS services such as Amazon S3 and Amazon Redshift?
- Amazon SQS
- Amazon Kinesis Data Streams
- AWS Direct Connect
- AWS Storage Gateway
Answer: Amazon Kinesis Data Streams
Explanation: Amazon Kinesis Data Streams is a scalable and durable real-time data streaming service that can continuously capture gigabytes of data per second from hundreds of thousands of sources.
What is the purpose of AWS CloudTrail log file integrity validation?
- To encrypt log files
- To ensure log files have not been tampered with
- To archive log files
- To increase the storage capacity for log files
Answer: To ensure log files have not been tampered with
Explanation: AWS CloudTrail log file integrity validation is used to confirm that log files have not been altered or deleted after they’ve been written to S3 by CloudTrail.
True or False: Amazon S3 event notifications can be used to trigger a response for actions such as object creation or deletion.
- True
- False
Answer: True
Explanation: Amazon S3 event notifications can be used to receive notifications when certain events happen in your S3 bucket, such as the creation or deletion of objects.
Amazon GuardDuty is primarily used for:
- Deploying machine learning models
- Streaming data analytics
- Threat detection and continuous security monitoring
- Data lifecycle management
Answer: Threat detection and continuous security monitoring
Explanation: Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help protect your AWS accounts and workloads.
True or False: Amazon VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC.
- True
- False
Answer: True
Explanation: Amazon VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC, which can be used for security and network troubleshooting.
AWS Config can be used to:
- Calculate costs of AWS resources.
- Manage SSH keys for EC2 instances.
- Record and evaluate configurations of your AWS resources.
- Automate the deployment of applications.
Answer: Record and evaluate configurations of your AWS resources.
Explanation: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
The AWS service that acts as a managed Elasticsearch service is:
- AWS Data Pipeline
- Amazon Athena
- Amazon Elasticsearch Service (Amazon ES)
- AWS Glue
Answer: Amazon Elasticsearch Service (Amazon ES)
Explanation: Amazon Elasticsearch Service (Amazon ES) is a managed service that makes it easy to deploy, operate, and scale Elasticsearch clusters in the AWS Cloud.
True or False: Amazon Simple Notification Service (SNS) can be used to trigger Lambda functions in response to system events.
- True
- False
Answer: True
Explanation: Amazon SNS can be used to publish messages to topic subscribers, which can trigger AWS Lambda functions or other endpoints in response to system events.
Which AWS feature allows you to categorize and filter data for cost management and governance purposes?
- AWS Resource Groups
- Amazon CloudFront Distributions
- Amazon Machine Images (AMIs)
- AWS Cost and Usage Report
Answer: AWS Resource Groups
Explanation: AWS Resource Groups make it easier to manage and automate tasks on large numbers of AWS resources by allowing you to categorize resources using tags.
Interview Questions
What AWS service would you use to centrally collect and monitor log data across multiple AWS accounts and regions, and how can you ensure the logs are immutable?
AWS CloudTrail is the service that collects API call and related events across multiple AWS accounts and regions. To ensure the logs are immutable, you would enable CloudTrail log file integrity validation, where a hash for every log file written is delivered to an S3 bucket. Additionally, the use of S3 Object Lock with the CloudTrail S3 bucket can enforce immutability.
Describe how Amazon S3 server access logging can be configured for auditing purposes and mention the type of data it captures.
Amazon S3 server access logging can be enabled on a bucket-by-bucket basis through the S3 console, AWS CLI, or an API. It captures details about each access request, such as requester information, bucket name, request time, action taken, and error code if the action was unsuccessful. This can be used for security and access audits.
Can you monitor real-time database activity in AWS, and which service would you use for this? What data would this activity provide?
Yes, you can monitor real-time database activity using Amazon RDS Performance Insights. This service provides a real-time dashboard of database load by SQL query, wait event, host, or user. It provides data such as database load, average active sessions, and top SQL queries, helping you quickly assess performance issues.
In AWS, what service would you use for collecting application and resource logs, and how would you configure the verbosity of these logs?
You would use Amazon CloudWatch Logs for collecting application and resource logs. You can configure the verbosity by setting the appropriate level of detail in the application or resource’s logging configuration before sending it to CloudWatch Logs. An AWS SDK or the CloudWatch Logs Agent can help with this task.
How does AWS Kinesis Data Firehose ensure the immutability of log data, and what type of data sources can it handle?
AWS Kinesis Data Firehose does not intrinsically ensure immutability but facilitates it by delivering streaming data directly to S3, where it can be protected by using versioning or Object Lock. It handles data sources like streaming event logs, clickstreams, IoT telemetry data, and more.
What is the role of AWS IAM in defining the cadence with which AWS services can write data to logs or data stores?
AWS IAM doesn’t directly govern the cadence of data writing; it controls access and permissions for AWS services and users to perform data writing operations. By setting the right permissions, you can ensure that only authorized services or users can write data at the designated times and intervals.
Discuss how AWS Lambda can be used to react to log data changes and what use cases this would be suitable for.
AWS Lambda can be triggered by events such as S3 bucket updates when new log data is uploaded or CloudWatch Logs pattern detections. It can be used for use cases such as real-time data processing, file processing, or executing automated responses to specific log entries, like security alerts.
Explain the process of configuring log file validation in AWS CloudTrail and the purpose behind it.
To configure log file validation, you turn it on when you create a new trail or update an existing one. AWS CloudTrail then creates a hash for each log file and delivers a hashed and signed digest file to an S3 bucket. This provides proof that the files have not changed after delivery to the S3 bucket.
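An added example (not CloudTrail's own validation tooling) of the hash part of that check over constructed objects: it compares each log file and the previous digest against the hashes a digest file records in its logFiles entries and previousDigestHashValue. It assumes, following AWS's digest file documentation, that the hashes are taken over the uncompressed contents; verifying the digest signature with the CloudTrail public key is not covered here.

```python
import gzip
import hashlib
import json

# Constructed stand-in for the trail's S3 bucket (key -> stored bytes); nothing
# here is real account activity, and a real check reads these objects from S3.
LOG_KEY = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/example_CloudTrail.json.gz"
PREV_KEY = "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2024/01/01/previous_digest.json.gz"
LOG_BYTES = gzip.compress(json.dumps({"Records": [{"eventName": "CreateUser"}]}).encode())
PREV_DIGEST_BYTES = gzip.compress(b'{"logFiles": []}')  # placeholder earlier digest


def sha256_uncompressed(data):
    """Assumption (see lead-in): CloudTrail publishes SHA-256 of the uncompressed
    file contents, so gunzip the stored .gz object before hashing."""
    return hashlib.sha256(gzip.decompress(data)).hexdigest()


# The subset of digest fields this check uses, with hashes matching the objects above.
DIGEST = {
    "previousDigestS3Object": PREV_KEY,
    "previousDigestHashValue": sha256_uncompressed(PREV_DIGEST_BYTES),
    "previousDigestHashAlgorithm": "SHA-256",
    "logFiles": [{"s3Object": LOG_KEY, "hashAlgorithm": "SHA-256",
                  "hashValue": sha256_uncompressed(LOG_BYTES)}],
}
S3_OBJECTS = {LOG_KEY: LOG_BYTES, PREV_KEY: PREV_DIGEST_BYTES}
# Same bucket after someone rewrote the log file in place.
TAMPERED_OBJECTS = {**S3_OBJECTS, LOG_KEY: gzip.compress(b'{"Records": []}')}


def check_digest(digest, objects):
    """Return {key: 'ok' | 'modified' | 'missing'} for each log file the digest
    covers plus the previous digest it chains to."""
    expected = {e["s3Object"]: e["hashValue"] for e in digest["logFiles"]}
    expected[digest["previousDigestS3Object"]] = digest["previousDigestHashValue"]
    results = {}
    for key, want in expected.items():
        data = objects.get(key)
        if data is None:
            results[key] = "missing"     # deleted after delivery
        elif sha256_uncompressed(data) == want:
            results[key] = "ok"
        else:
            results[key] = "modified"    # altered after delivery
    return results


if __name__ == "__main__":
    print(check_digest(DIGEST, S3_OBJECTS))
    print(check_digest(DIGEST, TAMPERED_OBJECTS))
```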
Describe the term “verbosity” in the context of AWS log files and how it can impact security monitoring.
“Verbosity” refers to the amount of detail contained within log files. In AWS, adjusting the verbosity affects the granularity of the data recorded. Higher verbosity can improve security monitoring by providing more detailed data about operations and potential security incidents, but may also increase storage costs and complexity of log analysis.
How would you leverage AWS Config to record software configuration changes over time, and what security insights can this provide?
AWS Config continuously monitors and records AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired baselines. It provides insights into compliance with security policies, helping to flag unauthorized or insecure changes and facilitating an audit trail for change management.
What is the difference between AWS CloudWatch Logs and CloudTrail, and how do they complement each other in a security context?
AWS CloudWatch Logs primarily focuses on the collection and analysis of application and system log files, while CloudTrail focuses on recording API calls and related events within AWS accounts. Together, they provide a comprehensive monitoring solution, where CloudWatch can be used for real-time operational issues, and CloudTrail can be used for audit trails and compliance.
Discuss the importance of ‘timeliness’ in AWS CloudTrail and how it can affect security incident response.
‘Timeliness’ refers to how quickly log data becomes available for analysis after an API call is made. In CloudTrail, logs typically become available within 15 minutes of the API call. Timeliness is crucial for security incident response as it can significantly impact the ability to detect and respond to potential threats in a speedy fashion, potentially reducing the damage caused by security incidents.
I’m particularly interested in how AWS CloudTrail helps in maintaining the immutability of logs. Anyone?
Can someone explain the various verbosity levels offered by AWS services?
What types of log data sources does Amazon GuardDuty analyze?
I appreciate this blog post. It’s very informative!
Is there a way to manage the cadence of logs in AWS services?
The post really helped me to understand the timeliness aspect of various AWS services. Thank you!
Are there services in AWS that ensure log data is immutable?
Thanks for the insights, very useful for my preparations!