Monitoring - Coggle Diagram
IAM Access Manager/Analyzer
- Sets a boundary around the AWS resources you own and checks whether any access crosses that boundary
- Checks IAM policies automatically without visiting every IAM entity
Zone of Trust
- The boundary that can be drawn by IAM Access Manager
- Any service not included in the zone is considered 'outside'
- Boundary can be set on both organizational and account level
Policy Validation
- Validates IAM policies for syntax errors and against best practices
- If a concern is found, a warning is provided with possible suggestions
Policy Generation
- Generates a new IAM policy based on the activities recorded in CloudTrail logs
Amazon Detective
- Analyzes and investigates security issues or suspicious activities, and quickly identifies their root cause
- Collects data from VPC Flow Logs, CloudTrail, GuardDuty
- Provides comprehensive view to easily understand the context of the problem
CloudWatch
- Central point for the various metrics gathered
- Alarms can be set based on conditions on the metrics
- Dashboard is provided for visualization
Metrics
EC2
- CPU utilization
- CPU credits usage / balance
- Network in / out
- Instance health check status
- Hardware health check status
- Read / write per ops / bytes
Auto Scaling Group
- Average CPU utilization of the instances
Load Balancer
- Requests per target instance
- Average network in/out
Synthetic Canary
- Programmatically created synthetic requests
- Detect issues early and mitigate immediately (e.g. update Route 53 to point at the next available instances)
Heartbeat Monitor Blueprint
- Load a specific URL
- Store the screenshot of the page and the HTML Archive
API Canary Blueprint
- Basic read/write REST API requests
Visual Monitoring Blueprint
- Compares the screenshots acquired by the Heartbeat Monitor Blueprint
- If the discrepancy between the screenshots exceeds a threshold, the canary treats the request as failed
CloudWatch Logs
- Centralizes logs from on-premises systems, applications, and AWS services
Log Subscription
- Subscription filter can be used to deliver specific logs to different services
Log Aggregation
- Subscription filter that directs the logs into a single AWS resource (Kinesis Data Stream)
- All the logs can be aggregated into a single storage
CloudWatch Agent
- Software deployed on EC2 instances
- Collects real-time events from each EC2 instance
EventBridge (CloudWatch Events)
- Ingest, filter, transform, and deliver events
- Route events from various services to the AWS organization
Cron Jobs
- Trigger events based on set schedule
Event Pattern
- Trigger for certain event pattern
EventBridge Rules
- Match incoming events and send to targets for processing
- Single rule can send event to multiple targets
- Each matched event is sent to and processed by the targets in parallel
Event Buses
- Logical container for events
- Rule can be created to match incoming events to the targets
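The event pattern and rule notes above are easier to reason about with a concrete matcher. The following is an added example, not AWS code or anything from the original diagram: a small Python implementation of the core EventBridge pattern semantics (exact match, `prefix`, `anything-but`, `numeric`, `exists`, nested objects) plus a router that sends each event to every target of every rule it matches, as the "single rule, multiple targets" note describes. The rule names, target labels and the sample events are constructed for illustration; the implementation deliberately omits array-valued fields and the less common matchers.

```python
"""Minimal EventBridge-style event pattern matcher and router (added example)."""
from typing import Any


def _match_value(matcher: Any, value: Any) -> bool:
    """Match one field value against one matcher from a pattern list."""
    if not isinstance(matcher, dict):
        return matcher == value                      # literal string/number/bool
    if "prefix" in matcher:
        return isinstance(value, str) and value.startswith(matcher["prefix"])
    if "anything-but" in matcher:
        excluded = matcher["anything-but"]
        excluded = excluded if isinstance(excluded, list) else [excluded]
        return value not in excluded
    if "numeric" in matcher:
        ops = matcher["numeric"]                     # e.g. [">=", 7] or [">", 0, "<", 5]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        cmp = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
               "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b}
        return all(cmp[op](value, bound) for op, bound in zip(ops[::2], ops[1::2]))
    raise ValueError(f"unsupported matcher: {matcher}")


def matches(pattern: dict, event: dict) -> bool:
    """True if every key in the pattern is satisfied by the event (AND across keys,
    OR across the alternatives listed for one key)."""
    for key, expected in pattern.items():
        if isinstance(expected, dict):               # nested object: recurse
            if not isinstance(event.get(key), dict) or not matches(expected, event[key]):
                return False
            continue
        if key not in event:                         # only {"exists": false} can match a missing key
            if any(isinstance(m, dict) and m.get("exists") is False for m in expected):
                continue
            return False
        value = event[key]
        ok = False
        for m in expected:
            if isinstance(m, dict) and "exists" in m:
                ok = ok or m["exists"] is True
            else:
                ok = ok or _match_value(m, value)
        if not ok:
            return False
    return True


# Constructed rules (names and target labels are hypothetical).
RULES = [
    {"name": "guardduty-high",
     "pattern": {"source": ["aws.guardduty"], "detail": {"severity": [{"numeric": [">=", 7]}]}},
     "targets": ["sns:security-alerts", "lambda:isolate-instance"]},
    {"name": "console-login-no-mfa",
     "pattern": {"source": ["aws.signin"], "detail-type": ["AWS Console Sign In via CloudTrail"],
                 "detail": {"additionalEventData": {"MFAUsed": ["No"]}}},
     "targets": ["sns:security-alerts"]},
    {"name": "ec2-state-changes",
     "pattern": {"source": [{"prefix": "aws.ec2"}], "detail": {"state": [{"anything-but": ["pending"]}]}},
     "targets": ["lambda:audit-log"]},
]


def route(event: dict, rules=RULES) -> list:
    """Return (rule name, target) pairs for every target of every matching rule."""
    return [(r["name"], t) for r in rules if matches(r["pattern"], event) for t in r["targets"]]


# Constructed sample events, not captured from a real bus.
EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {"severity": 8.0}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {"severity": 2.0}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "running", "instance-id": "i-0123456789abcdef0"}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "pending"}},
    {"source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"additionalEventData": {"MFAUsed": "No"}}},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["source"], "->", route(ev))
```

Running the module prints, for each constructed event, the targets it would be delivered to; the low-severity finding and the "pending" state change match no rule and are dropped, which is the behaviour a reviewer should expect when checking that a rule's pattern is neither too broad nor too narrow.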
Schema Registry
- Define the structure of the events
Resource-based Policy
- Can allow another account or region to put events onto the event bus
AWS CloudTrail
- Logs API calls for all AWS services
- Saved in CloudWatch Logs and an S3 bucket
Events
Management Events
- Operations related to managing AWS Accounts
- IAM AttachRolePolicy, CreateSubnet, CreateTrail, etc.
Data Events
- Read/write operations
- S3 object activity, AWS Lambda execution, etc.
- Usually generate a high volume of logs, so they are disabled by default
CloudTrail Insight
- Generates an event about detected anomalies
- Builds a pattern from CloudTrail logs and finds activities/events that differ greatly from the usual ones
- e.g. inaccurate resource provisioning, hitting service limits, a sudden increase in IAM actions, gaps in periodic maintenance activity
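To make the management/data event split and the "sudden increase in IAM actions" idea concrete, here is an added example (not AWS code and not part of the original diagram) in Python. It parses records in CloudTrail's delivery format (a JSON object with a `Records` array), classifies each record as a data event or a management event, counts IAM write calls per 5-minute window, and flags windows whose count is far above the median of the others. The sample records, the account ID, user names and the spike threshold are all constructed; CloudTrail Insights builds its baseline differently and over a much longer history, so treat this as an illustration of the detection idea rather than its algorithm.

```python
"""Classify CloudTrail records and flag IAM-write spikes (added example)."""
import json
from collections import Counter
from datetime import datetime, timezone
from statistics import median

WINDOW_SECONDS = 300  # 5-minute buckets, chosen for the example

# Data events are object/function-level operations; everything else is a management event.
DATA_EVENT_NAMES = {
    "s3.amazonaws.com": {"GetObject", "PutObject", "DeleteObject", "HeadObject", "ListObjects"},
    "lambda.amazonaws.com": {"Invoke"},
}


def _rec(t, source, name, read_only=False, user="alice"):
    """Build one constructed CloudTrail-like record (only the fields used here)."""
    return {"eventTime": t, "eventSource": source, "eventName": name, "readOnly": read_only,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"}}


# Constructed sample log in delivery format; the final burst simulates an unusual IAM spree.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T10:00:05Z", "iam.amazonaws.com", "AttachRolePolicy"),
    _rec("2024-01-01T10:00:40Z", "iam.amazonaws.com", "ListRoles", read_only=True),
    _rec("2024-01-01T10:01:10Z", "s3.amazonaws.com", "GetObject", read_only=True),
    _rec("2024-01-01T10:06:00Z", "iam.amazonaws.com", "CreateUser"),
    _rec("2024-01-01T10:11:00Z", "iam.amazonaws.com", "CreateAccessKey"),
    _rec("2024-01-01T10:12:00Z", "lambda.amazonaws.com", "Invoke"),
    _rec("2024-01-01T10:13:00Z", "iam.amazonaws.com", "PutUserPolicy"),
] + [
    _rec(f"2024-01-01T10:16:{s:02d}Z", "iam.amazonaws.com", name, user="svc-deploy")
    for s, name in enumerate(["CreateUser", "CreateAccessKey", "AttachUserPolicy", "CreateRole",
                              "AttachRolePolicy", "PutRolePolicy", "CreateLoginProfile",
                              "UpdateAssumeRolePolicy"])
]})


def parse_records(raw: str) -> list:
    """Parse a CloudTrail log file body into its list of records."""
    return json.load(open(raw)) ["Records"] if False else json.loads(raw)["Records"]


def is_data_event(rec: dict) -> bool:
    """True for S3 object / Lambda invocation activity; False for management events."""
    return rec["eventName"] in DATA_EVENT_NAMES.get(rec["eventSource"], set())


def _window_start(event_time: str) -> str:
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    start = int(ts // WINDOW_SECONDS) * WINDOW_SECONDS
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def iam_write_calls_per_window(records: list) -> Counter:
    """Count non-read-only IAM calls per window (read-only calls are ignored)."""
    return Counter(_window_start(r["eventTime"]) for r in records
                   if r["eventSource"] == "iam.amazonaws.com" and not r["readOnly"])


def flag_iam_write_spikes(counts: Counter, factor: float = 3.0) -> list:
    """Flag windows whose IAM write count exceeds `factor` times the median window."""
    if not counts:
        return []
    threshold = factor * median(counts.values())
    return sorted((w, c) for w, c in counts.items() if c > threshold)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("data events:", sum(is_data_event(r) for r in recs), "of", len(recs))
    counts = iam_write_calls_per_window(recs)
    for window, count in sorted(counts.items()):
        print(window, count)
    print("spikes:", flag_iam_write_spikes(counts))
```

In the constructed sample only the 10:15 window is flagged: eight IAM write calls from one principal in under a minute against a baseline of one or two per window. A real pipeline would read the gzipped files CloudTrail delivers to S3 and keep the per-window counts in CloudWatch as a custom metric so an alarm, rather than a script, raises the alert.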
Retention Period
- By default, CloudTrail events are stored for 90 days
- To keep them longer, they must be delivered to S3
- Logs from multiple accounts can be stored in a single S3 bucket, separated by prefix
Log Delivery
- By default, event delivery can take up to 15 minutes
Through EventBridge
- Events are sent to EventBridge
- The fastest option to react to the logged events
Through CloudWatch
- Events are streamed to the CW Logs
- Use metrics to analyze and detect anomalies
Through S3
- Dumps the logs to an S3 bucket every 5 minutes
- Can be used for log integrity analysis, unifying logs from multiple accounts, long-term storage beyond the retention period, etc.
In Management Account
- CloudTrail in the Management Account receives events from every account in the organization
- Tags can be used to distinguish the logs when dumping to S3
Log File Integrity
- CloudTrail log file integrity validation can be enabled to detect any alteration of the logs
Event Selector
Basic
- Quick and easy way to subscribe
- Only supports a limited number of services
- S3 Object level logging
Advanced
- More fine-grained logging
- More services to subscribe
- S3 Object/Bucket level logging/filtering
AWS X-Ray
- The X-Ray daemon collects trace data for requests to instances/services
- Provides insights into the collected data by identifying issues and suggesting optimizations
- Some services run the daemon automatically; on EC2 instances it must be installed manually
AWS X-Ray Traces
- Detailed view of the individual requests
- Duration of service call, errors, etc.
AWS Health Dashboard
- Shows AWS-related events that may affect the organization
- Service disruption, scheduled maintenance, security issues, capacity issues, billing & cost issues, etc.
Event Types
Organization Events
- Events specific to the organization
Account Events
- Events specific to the account
Health Event Notification
- The Health Dashboard is capable of triggering CloudWatch Events or EventBridge
- An appropriate reaction can be taken automatically using the underlying services (Lambda, SNS, SQS, etc.)
Trusted Advisor
- Automatic high-level scan of the AWS account
- Recommends improvements for cost optimization, performance, security, fault tolerance, service limits, etc.
- Notifications are sent weekly
EventBridge
- Trusted Advisor can emit events to EventBridge
- EventBridge can then forward them to SQS/SNS or trigger a Lambda function to do various jobs
Securing Resources
AWS Config
- A set of rules is checked against the AWS resources, and whether each rule is broken or not is recorded
- Can trigger notifications to various services like SNS
- Has built-in remediation through Lambda
Metrics Recorded
- Compliance over time
- Changes over time
- Number of configuration changes
CloudTrail
- If enabled from AWS Config, the changes can be audited in CloudTrail to see who made them
Conformance Pack
- Collection of pre-defined AWS Config rules
Inclusion/Exclusion List
- AWS Config can explicitly state which accounts the rules are deployed to (include/exclude)
- Management Account can be included
- Only the delegated administrator account can modify the rules
Amazon Inspector
- Automatically scans EC2 instances, Lambda functions, and container images to detect known vulnerabilities and unintended access
- If anything is found, Security Hub and EventBridge are notified