AWS Certified Security - Specialty | Logging and Monitoring (notes)

While getting ready to sit AWS Certified Security - Specialty exams, I jotted down a few notes. Breaking them into sections corresponding to the exam domains. Here's Logging and Monitoring domain.

Each note starts with a problem/situation statement in bold followed up with either a service description or a list of practical actions to be taken in response to the stated problem.

Application crashed but no logs exist for this application. What’s going on?

• The CloudWatch Logs agent is not installed
• The CloudWatch Logs agent is not running
• The Instance role does not have permission to write to CloudWatch Logs Access to AWS resources requires permissions. You need to create an IAM role that includes the permissions you need for the CloudWatch agent to write logs to CloudWatch. The CloudWatch agent must be installed and running in order for the EC2 instance to send application logs to CloudWatch Logs.

The existing trail configuration needs to be modified to stop management events from being logged in the S3 bucket

Update the Management Events option to None. Since a trail configuration can only reference a single S3 bucket, a new trail must be created. The new trail needs to be configured to log only management events to a different S3 bucket. Additionally, a bucket policy is required to give CloudTrail the necessary permissions to write logs to the specified S3 bucket. CloudTrail trail configurations do not inherit from other trails and editing a trail configuration is not against best practices.

You are not able to access the application from the internet, from your other VPC or from your own data centre. Security groups and network ACLs are configured correctly.

Use VPC Flow Logs to analyze the traffic. VPC Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow logs can help you with a number of tasks; for example, to troubleshoot why specific traffic is not reaching an instance, which in turn helps you diagnose overly restrictive security group rules.

You need to create a new AWS account to stream all important CloudWatch events from various AWS accounts to a single account to centralize security efforts.

You can deliver the events to other accounts through a new CloudWatch Events resource called Event Bus. All AWS accounts have one default event bus. To send events to another account, you simply write rules to match the events of interest and attach an event bus in the receiving account as the target to the rule. CloudWatch Event Rules are used to trigger predefined actions based on a given type of event and are not used to send events to other accounts.

Data events for Lambda and S3 are not available in Amazon CloudWatch Events. What could be the reason for this?

• Your Lambda function and S3 resources haven’t been added to a CloudTrail trail.
• Data events are not logged by default. Data events provide visibility into the resource operations performed on or within a resource. Data events are not logged by default when you create a trail. To record CloudTrail data events, you must explicitly add the supported resources or resource types for which you want to collect activity to a trail.

Analyze the API activity in your AWS account and have the ability to isolate activity by attributes, such as source IP address and user. Which services can you use?

• Athena
• CloudTrail CloudTrail is used to record all API activity in your account. Using Athena with CloudTrail logs is a powerful way to enhance your analysis of AWS service activity. For example, you can use standard SQL queries to identify trends and further query activity by attributes, such as source IP address or user.

You are unable to access CloudTrail logs. You have checked your IAM permissions, and your user account is allowed to describe CloudTrail logs and look up events. What could be the problem?

• You do not have read permission for the S3 bucket.
• You do not have permission to use the CMK to decrypt the logs. You must have S3 read permission on the bucket. If you are using KMS to encrypt the logs, any user who accesses the logs must be granted decrypt permission by the CMK policy.

Multiple separate AWS accounts are configured to send CloudTrail logs to the same S3 bucket. However some of the accounts have not been sending any logs. What is the problem?

• The accounts do not have permission to write to the S3 bucket You can have CloudTrail deliver log files from multiple AWS accounts into a single Amazon S3 bucket. To accomplish this, turn on CloudTrail in the account where the destination bucket will belong, configure the bucket policy to allow cross-account permission. Turn on CloudTrail in the other accounts, configure all accounts to log to the destination bucket.

Which AWS CLI fragment command can be used to determine the integrity of the CloudTrail log files.

• aws cloudtrail validate-logs The CLI command fragment, aws cloudtrail validate-logs will identify if any of the CloudTrail logs have been modified or deleted. The other choices are incorrect.

You have noticed some unusual activity in your AWS account. You need to quickly assess the situation, understand the extent of the problem and would like to continually monitor your infrastructure.

GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify malicious activity. For example, GuardDuty can detect unusual behavior like sending spam emails, querying a domain name associated with a known command and control server, generating a large volume of outbound TCP traffic - all signs that the instance is being controlled by a malicious actor.

You need to separate data and management events in CloudTrail logs. What is the best way to configure this so that everyone gets the access they need on a least privilege basis?

Configure two CloudTrails, one to log data events and one to log management events with each trail logging to a different S3 bucket. Create 2 different IAM policies and attach them to the appropriate groups, one allowing read only access to the data events CloudTrail and associated S3 bucket and one allowing read only access to the management events CloudTrail and associated S3 bucket.

Management and Data events are handled by separate CloudTrails. You should log the events to separate buckets, then configure access to the CloudTrail and read only access to the S3 bucket using an IAM policy attached to the user or group. Give each class of user only the access they need. Log Groups are related to CloudWatch not CloudTrail.

You suspect that one of your instances has been compromised and is attempting to communicate with a command and control server. Which services can you use to investigate this?

• Amazon Inspector
• VPC Flow Logs
• GuardDuty

You can use Amazon Inspector to assess your assessment targets (collections of AWS resources) for potential security issues and vulnerabilities. Amazon Inspector compares the behavior and the security configuration of the assessment targets to selected security rules packages. In the context of Amazon Inspector, a rule is a security check that Amazon Inspector performs during the assessment run. The rules in the Network Reachability package analyze your network configurations to find security vulnerabilities of your EC2 instances. These rules help automate the monitoring of your AWS networks and identify where network access to your EC2 instances might be misconfigured.

VPC Flow Logs can be used as a security tool to monitor the traffic that is reaching your instance, to profile your network traffic, and to look for abnormal traffic behaviors. You can use VPC Flow Logs to watch for abnormal and unexpected denied outbound connection requests, which could be an indication of a misconfigured or compromised EC2 instance.

GuardDuty continuously analyzes VPC Flow Logs and DNS requests and responses to identify malicious, unauthorized, or unexpected behavior in your AWS accounts and workloads.

Have CloudTrail deliver log files from multiple AWS accounts into a single Amazon S3 bucket. Two approaches.

1. To accomplish this, turn on CloudTrail in the account where the destination bucket will belong, configure the bucket policy to allow cross-account permission. Turn on CloudTrail in the other accounts, configure all accounts to log to the destination bucket. You cannot configure cross account access using the bucket ACL.
2. Use AWS CloudTrail and a user in a management account to create an organization trail that logs all events for all AWS accounts in that organization in the same Amazon S3 bucket.

Determine if any EC2 instances are used for bitcoin mining.

Use AWS GuardDuty to see if any of your instances are querying a domain name that is associated with cryptocurrency-related activity

GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify malicious activity. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, URLs, or domains. For example, GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin.