Amazon AWS Certified SysOps Administrator Associate – Security and Compliance for SysOps Part 3

1. Logging in AWS

So just to help you for the exam and to make you understand what kind of logging is available in AWS, here's a short lecture. So basically if you have compliance requirements, there are many services that AWS provides logs for. It could be security logs or audit logs. So service logs will include CloudTrail, where we can trace all the API calls, and we've done this as a hands-on, so we know how that works; Config rules, where we can track the config and the compliance over time, and we've seen this as well in the past section; CloudWatch Logs if we want to have full data retention, so for example if we want to log application logs or whatever, we can do it there; VPC Flow Logs, which is to view the IP traffic within your VPC. Now we haven't seen VPC Flow Logs in detail just yet, but we'll do it in a future section and we'll see how they work.

There will be ELB access logs for your load balancers, and they will give you the metadata of requests made to your load balancer, and we've had the chance to look at it. CloudFront logs, which is to basically look at the logs coming straight from CloudFront, your web distribution, against some metadata of access, and it can give you the access logs. Web Application Firewall (WAF) logs.

So if you enable WAF, then you get full logging of all the requests analyzed by the service, which is really, really nice. And the cool thing is that all these logs, you can put them in S3 and then you can analyze them using AWS Athena. And so that is a very common exam question. They will say, oh, we have this log, how can we analyze it? How can we quickly know or explore what happened to our ELB even though maybe our EC2 instances were terminated and we lost the logs on their machines? Well, we can use Athena plus ELB access logs plus S3, and that's the combination. So just remember that a lot of services, and we've seen them in this course, do provide logs. They are able to put these logs into S3, and then we've seen how to analyze these logs in S3 using Athena. So this is the idea.

If you google "Athena analyze CloudFront logs", you'll get the query right away, same for ELB, same for CloudTrail, et cetera, et cetera. Now also you should know that if you do put all these audit and security logs and compliance logs in S3, it is great to encrypt these logs. And then for the bucket where you put all these logs, you can control the access using IAM and bucket policies and even multi-factor authentication.

Finally, if you need to retain these logs for a very long time, remember you need to move these logs to Glacier for cost saving. Or if you enable Glacier Vault Lock, then as we've seen, we get compliance, saying no one can touch these logs for maybe seven years or whatever. If you're more interested in logging and security in AWS, there is a white paper you can read, which is quite interesting. But this is enough for you to understand basically the scope of all this logging that exists in AWS, how we can analyze it, how we should store it, and how we should have cost saving and compliance on top of it. Okay, that's it for this theory lecture. I will see you in the next one.
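To show what the "ELB access logs in S3, then query them" idea looks like on actual log lines, here is an added example (not part of the course) that parses a few constructed lines in the classic ELB access log format and answers the same questions the Athena query would: requests and auth failures per client, 5xx errors per backend, and requests the load balancer could not hand to any instance (the case where AWS writes a dash for the backend). It runs offline in plain Python as a stand-in for the Athena query the lecture says you can look up.

```python
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample lines in the classic ELB access log format (not real traffic):
# timestamp elb client:port backend:port req_time backend_time resp_time elb_status
# backend_status received_bytes sent_bytes "request" "user_agent" ssl_cipher ssl_protocol
SAMPLE_LOG = """\
2024-01-10T12:00:01.000000Z my-elb 203.0.113.10:51000 10.0.1.5:80 0.000073 0.001048 0.000057 200 200 0 512 "GET http://app.example.com:80/login HTTP/1.1" "curl/7.88.1" - -
2024-01-10T12:00:02.000000Z my-elb 203.0.113.10:51001 10.0.1.5:80 0.000070 0.002000 0.000050 401 401 120 64 "POST http://app.example.com:80/login HTTP/1.1" "curl/7.88.1" - -
2024-01-10T12:00:03.000000Z my-elb 203.0.113.10:51002 10.0.1.5:80 0.000071 0.002100 0.000051 401 401 120 64 "POST http://app.example.com:80/login HTTP/1.1" "curl/7.88.1" - -
2024-01-10T12:00:04.000000Z my-elb 198.51.100.7:44010 10.0.1.6:80 0.000066 0.015000 0.000049 200 200 0 2048 "GET http://app.example.com:80/ HTTP/1.1" "Mozilla/5.0" - -
2024-01-10T12:00:05.000000Z my-elb 198.51.100.7:44011 - -1 -1 -1 503 - 0 0 "GET http://app.example.com:80/ HTTP/1.1" "Mozilla/5.0" - -
"""

@dataclass
class ELBRecord:
    timestamp: str
    client_ip: str
    backend: Optional[str]         # None when the ELB could not reach any registered instance
    elb_status: int
    backend_status: Optional[int]  # None for the same reason (the log holds a dash)
    method: str
    url: str

def parse_line(line: str) -> ELBRecord:
    # shlex keeps the quoted "request" and "user_agent" fields together as single tokens.
    f = shlex.split(line)
    method, url, _proto = f[11].split(" ", 2)
    return ELBRecord(
        timestamp=f[0],
        client_ip=f[2].rsplit(":", 1)[0],
        backend=None if f[3] == "-" else f[3],
        elb_status=int(f[7]),
        backend_status=None if f[8] == "-" else int(f[8]),
        method=method,
        url=url,
    )

def summarize(lines: Iterable[str]) -> dict:
    # The same aggregates an Athena query over the S3 bucket would return.
    records = [parse_line(ln) for ln in lines if ln.strip()]
    return {
        "requests_by_client": Counter(r.client_ip for r in records),
        "auth_failures_by_client": Counter(r.client_ip for r in records if r.elb_status in (401, 403)),
        "errors_5xx_by_backend": Counter(r.backend or "no-backend" for r in records if r.elb_status >= 500),
        "no_backend_requests": sum(1 for r in records if r.backend is None),
    }
```

Because the log lives in S3, this analysis still works after the EC2 instances behind the ELB are gone.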

7. [SAA] GuardDuty

Now let's get to a high-level overview of GuardDuty. So, GuardDuty is an intelligent threat discovery service to protect your AWS accounts. What this will do is that it will analyze a lot of logs and then it will use machine learning algorithms, anomaly detection techniques, and third-party data to detect an attack on your accounts. It takes one click to enable and you get a 30-day trial and you don't need to install any kind of software. So I said it was going to analyze logs. And so some input data for GuardDuty includes CloudTrail logs to detect unusual API calls or unauthorized deployments.

There's going to be VPC Flow Logs to detect unusual internal traffic or unusual IP addresses, and DNS logs to detect compromised EC2 instances sending encoded data within DNS queries. You can then set up a CloudWatch Event rule to be notified in case of findings within Amazon GuardDuty. And these CloudWatch Event rules can then target, for example, Lambda functions or SNS topics to in the end give you some email alerting, for example, and for you to act upon these discoveries. One very important use case that can come up at the exam for GuardDuty is that it can protect against cryptocurrency attacks.

So there is a dedicated finding. So GuardDuty has a bunch of findings and so there is a dedicated finding for cryptocurrency attacks within GuardDuty. And that is something that the exam can test you on. So GuardDuty works by analyzing VPC Flow Logs, CloudTrail logs, and DNS logs. Then it will all go into the GuardDuty service. There will be some machine learning being applied, then a CloudWatch Event rule can be triggered when there is a finding, and then data can be sent into a Lambda function or an SNS topic. And if you understand this, then you're good to go with GuardDuty at the exam. So that's it. I hope you liked it and I will see you in the next lecture.
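The finding-to-Lambda-to-SNS path described above, as an added example (not code from the course): a Lambda handler receives the event that a CloudWatch Event rule forwards for a GuardDuty finding, classifies it by severity band and finding family, and builds the alert message to publish. The event is a constructed sample (placeholder account and instance ids), the finding type shown is GuardDuty's cryptocurrency family, and the SNS publish call and topic ARN are left as a comment since they are deployment-specific.

```python
from typing import Optional

# Constructed sample of the event CloudWatch Events delivers for a GuardDuty finding
# (source "aws.guardduty", detail-type "GuardDuty Finding"); ids and account are placeholders.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8.0,
        "accountId": "111122223333",
        "region": "us-east-1",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

def severity_label(score: float) -> str:
    # GuardDuty severity bands: Low 0.1-3.9, Medium 4.0-6.9, High 7.0 and above.
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"

def build_alert(event: dict) -> Optional[dict]:
    # Returns None for events the rule should never have forwarded to this function.
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    d = event["detail"]
    finding_type = d["type"]
    # Finding types read "Family:Resource/Name", e.g. CryptoCurrency:EC2/BitcoinTool.B!DNS.
    family, _, _rest = finding_type.partition(":")
    instance_id = d.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    label = severity_label(float(d["severity"]))
    return {
        "subject": f"[GuardDuty {label}] {finding_type} in {d['accountId']}/{d['region']}",
        "family": family,
        "instance_id": instance_id,
        "severity": label,
        # Crypto-mining findings page someone regardless of score; others only when High.
        "escalate": family == "CryptoCurrency" or label == "High",
    }

def lambda_handler(event: dict, context=None) -> dict:
    # Lambda entry point. Publishing would be boto3 sns.publish(TopicArn=<topic>, Subject=..., Message=...);
    # the topic ARN is deployment-specific, so the call is left out here.
    alert = build_alert(event)
    return {"status": "ignored"} if alert is None else {"status": "alerted", **alert}
```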

8. [CCP/SAA] Trusted Advisor

So now let's talk about Trusted Advisor. So, when you have an account, you want to get a high-level account assessment from AWS to analyze your account and provide recommendations. So for this we can use Trusted Advisor. It will analyze five categories of problems on your account. It could be around cost optimization, performance, security, fault tolerance and service limits. Now Trusted Advisor has two tiers. The first tier gives you the core checks and recommendations for all customers; these are the basic checks that will give you some information about what you can do to improve your accounts. You can also get a weekly email notification from the console directly from Trusted Advisor to make sure that you are on track every single week. But then to get the full power of Trusted Advisor, you need to have a support plan of Business or Enterprise. We will see the support plans in detail in the next lecture. But from an exam perspective, remember that with Business or Enterprise support plans you will get access to the full Trusted Advisor capability; otherwise you will only get the core checks.

So with the full capability we can set CloudWatch alarms when reaching service limits, for example, and more importantly, we can get programmatic access to Trusted Advisor using the AWS Support API. So again, yet another thing to remember for the exam: if you don't use the Business and Enterprise support plans, then you do not have programmatic access to Trusted Advisor. Now, what are the checks done by Trusted Advisor, or some important ones? Well, for cost optimization, it will show you the EC2 instances that are underutilized, the load balancers that are idle, so not doing anything, or the EBS volumes that are again underutilized. It will show you the reserved instances and savings plans optimization.

Now, for performance, you will get some information around the EC2 instances that have a very high utilization, maybe because they are overutilized, as well as the CloudFront CDN optimizations. It will show you the performance and optimization you can get by linking EC2 to EBS, as well as alias records recommendations on your DNS. For security, you will get some information on whether or not MFA is enabled on the root account, if your IAM keys have been rotated recently, as well as the exposed access keys. For example, if one of your employees somehow happens to lose their access keys and they're on the Internet, then it will be what's called exposed, and Trusted Advisor will let you know about it because you definitely want to shut down these access keys. They will also show you security issues around S3 bucket permissions, for example if a bucket has public access, or if your security groups have unrestricted ports, especially on SSH. For fault tolerance, you will get some information around the EBS snapshots age, the balance between the different AZs, as well as whether or not your auto scaling groups, your RDS and your ELB are multi-AZ.

Now, for service limits, you will get some information on whether or not you are reaching the service limit for a specific service, and therefore increase that service limit before you actually reach it. So let's go into Trusted Advisor from the management console, and we can see that we have the five categories right here. And because I don't have an Enterprise or a Business plan, I will only have access to what's called the core checks. So for example, if we go to cost optimization, we can see that I don't have access to any of those because none of that is under the core checks. For this, I need to upgrade to a support plan that's going to be Business or Enterprise. If I go to performance, yet again, I need to upgrade. So not very good. For security, I get access to the core checks.

So it will look at the public snapshots of EBS, the public snapshots of RDS, the bucket permissions of my S3 buckets, and it will tell me what's going on, the IAM use, the MFA on root account, and so on. And you can get some information directly as well from the dashboard. For fault tolerance, this is something you have to get by upgrading. And service limits: you can get some information for auto scaling groups, for launch configurations and so on.

Okay, so to summarize, Trusted Advisor is a very helpful service when you have an Enterprise or a Business plan, because you will get access to all of those, these core checks and alerts on top of it. If you wanted to trigger a refresh, you could click on this button right here, which will trigger a refresh of all the Trusted Advisor recommendations. And if you go to Preferences, you can get, for example, a weekly email notification for your billing, your operations and your security by setting an email address right here. So that's it. You just need to know Trusted Advisor at a high level, which is enough for the exam. I hope you liked this and I will see you in the next lecture.