AWS Security Specialty 2 Logging and Monitoring Flashcards

CloudTrail - Protecting Logs

● Protect buckets with IAM roles and S3 bucket policies, and enable MFA Delete on objects
● Configure SNS notifications on Lambda functions that check whether the log file hashes are no longer valid (i.e., the log files were edited)

CloudTrail

● CloudTrail logs are encrypted at rest by default when stored in S3 buckets with SSE
● CloudTrail records AWS API calls for your account and delivers the log files. The first file is delivered within 15 minutes and then every 5 minutes thereafter.
● RDP/SSH calls are not logged.
● Enables incident investigation, intrusion detection, and industry and regulatory compliance
● What is logged? Metadata, identity, time, source IP, request parameters, response elements (e.g., HTTP 200)
● CloudTrail logs can be aggregated across accounts and regions, i.e., you can turn on CloudTrail once for all regions across accounts instead of turning it on for each individual region/account.
**AWS CloudTrail logs the API requests to AWS resources within your account. Amazon VPC Flow Logs capture information about the IP traffic going to and from network interfaces.

CloudTrail - Setup

● Enabled by default for 7 days
● Must provision for longer retention if desired
● Digest files verify that nobody changed the CloudTrail log files. They use a SHA-256 or SHA-256 with RSA hash to verify integrity if you enable log file validation.

CloudWatch 101

● Monitoring service for AWS cloud resources and the applications you run on AWS
 ○ Enables resource utilization monitoring, log aggregation, and basic analysis
 ○ Real-time monitoring and hooks into event triggers
 ○ Custom metrics can be programmed
 ○ Comprised of CloudWatch, CW Logs, and CW Events
What types of logs can be sent:
● Operating System Logs
● AWS CloudTrail Logs
● Access Flow Logs
*Pattern filtering can be used to analyze the logs and trigger Amazon CloudWatch alarms based on customer-specified thresholds.
*CloudWatch monitors the utilization of AWS resources in your account.
*CloudWatch also works in the private cloud!

AWS Config

● Resource inventory and point-in-time configuration history & notifications
● Region-specific deployment
● Requires an IAM role if paired with a Lambda function
**AWS Config records configuration changes within an AWS account. Using AWS Config logs in conjunction with AWS CloudTrail logs allows changes to be identified and details about those changes (who, when, how) to be seen.
-----------------------------------
● Dashboard
● Rules - managed and custom, with Lambda function pairings
● Resources
● Settings
Compliance Checks:
1. Triggered - periodic vs. snapshots
2. Managed Rules
*Pro-tip - always use CloudTrail with Config, provide read-only access to Config users, and require MFA and other forms of authentication.
Config Provides:
● Visibility
● Compliance
● Auditability

AWS Trusted Advisor vs. Inspector

Inspector:
● Inspector is an EC2 utility that provides security findings
● Inspector is region-specific
● Tags are required to run Inspector
● You install the Inspector agent onto the EC2 instance via the SSH shell/CLI
● Rules are incorporated as part of the assessment template in Inspector. You select from rules packages.
 ○ The Inspector Runtime Behavior Analysis rules package can identify instances that are using insecure protocols.
● In the real world, you will have a golden image that is applied across servers in the VPC, so you can run Inspector on a non-production version of the image and assume that the findings will apply to all the deployed production EC2 instances.
Trusted Advisor:
● Online resource to help reduce costs, increase performance, and improve security by optimizing the customer's AWS environment.
● Offers core checks and recommendations
● Can monitor service limits for AWS resources
● The full version of Trusted Advisor is included in the Business and Enterprise support plans.
● Trusted Advisor only covers the basic security fundamentals, e.g., leaving SSH ports open to the world.
**The AWS Trusted Advisor service provides four checks at no additional charge to all users, including three important security checks:
● Specific ports unrestricted
● IAM use
● MFA on root account
When you sign up for Business- or Enterprise-level AWS Support, you receive full access to all Trusted Advisor checks.
**Offers a one-view snapshot of your service and helps identify common security misconfigurations, suggestions for improving system performance, and underutilized resources.

Logging with AWS

● AWS CloudTrail - API calls (create SNS alerts if logs are not created)
● AWS Config - point-in-time configuration schema (create SNS alerts if logs are not created)
● VPC Flow Logs - network traffic
● CloudWatch Logs - performance monitoring
*Pro-tip - control access to the log files with IAM roles and S3 bucket policies, and enable MFA. Set up controls to prevent changes to log files.
Steps in the life of a log file:
● Log file created and sent to S3
● S3 holds the file based on Lifecycle Management Rules
● S3 sends files to Glacier after LMR expiration

AWS GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. It monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.

Enabled with a few clicks in the AWS Management Console, Amazon GuardDuty can immediately begin analyzing billions of events across your AWS accounts for signs of risk. GuardDuty identifies suspected attackers through integrated threat intelligence feeds and uses machine learning to detect anomalies in account and workload activity. When a potential threat is detected, the service delivers a detailed security alert to the GuardDuty console and AWS CloudWatch Events. This makes alerts actionable and easy to integrate into existing event management and workflow systems.

Amazon GuardDuty is cost effective and easy. It does not require you to deploy and maintain software or security infrastructure, meaning it can be enabled quickly with no risk of negatively impacting existing application workloads. There are no upfront costs with GuardDuty, no software to deploy, and no threat intelligence feeds required. Customers pay for the events analyzed by GuardDuty, and there is a 30-day free trial available for every new account to the service.

Amazon Kinesis

Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information. Amazon Kinesis offers key capabilities to cost-effectively process streaming data at any scale, along with the flexibility to choose the tools that best suit the requirements of your application. With Amazon Kinesis, you can ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications. Amazon Kinesis enables you to process and analyze data as it arrives and respond instantly instead of having to wait until all your data is collected before the processing can begin.

Amazon QuickSight

Amazon QuickSight is a fast, cloud-powered BI service that makes it easy to build visualizations, perform ad-hoc analysis, and quickly get business insights from your data. Using our cloud-based service you can easily connect to your data, perform advanced analysis, and create stunning visualizations and rich dashboards that can be accessed from any browser or mobile device.

QuickSight is the first BI service to offer pay-per-session pricing, making it even more cost-effective for you to provide access to analytics and insights for all of your users. With pay-per-session pricing there are no upfront costs, no annual commitments, and no charges for inactive users!

Querying AWS CloudTrail Logs

AWS CloudTrail is a service that records AWS API calls and events for AWS accounts. CloudTrail logs include details about any API calls made to your AWS services, including the console. CloudTrail generates encrypted log files and stores them in Amazon S3. For more information, see the AWS CloudTrail User Guide.

Using Athena with CloudTrail logs is a powerful way to enhance your analysis of AWS service activity. For example, you can use queries to identify trends and further isolate activity by attributes, such as source IP address or user.

A common application is to use CloudTrail logs to analyze operational activity for security and compliance. For a detailed example, see the AWS Big Data Blog post, Analyze Security, Compliance, and Operational Activity Using AWS CloudTrail and Amazon Athena.

You can use Athena to query these log files directly from Amazon S3, specifying the LOCATION of the log files. You can do this in one of two ways:
● By creating tables for CloudTrail log files directly from the CloudTrail console.
● By manually creating tables for CloudTrail log files in the Athena console.
-----------------
CloudTrail saves logs as JSON text files in compressed gzip format (*.json.gzip). The location of the log files depends on how you set up trails, the AWS Region or Regions in which you are logging, and other factors.