AWS Certified Security Specialty - SCS-C02 Study notes - Part 5

From Cramsession
✍️ Verified Author: Mflavell

Cloudwatch

CloudWatch can capture logs from AWS services.

Can capture metrics and use them for automation.


Automation: Think - act faster with fewer errors. If you can automate - DO IT.


S3 Access logs

Logs cannot be stored in the same bucket they are tracking.

It makes sense; it stops a logging loop.


So create a bucket for S3 logs.

A single bucket can be used to store multiple S3 bucket logs.


For the logging bucket:

    • Change the access policy so nobody except security and audit can access it.
    • Maybe even set it to WORM - Write Once, Read Many.
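A worked bucket policy for the dedicated logging bucket, as an added example that is not part of the study notes. It grants the S3 logging service write access for one source bucket and denies every other principal that is not an AWS service and not on a short audit allow-list. All bucket names, the account id and the role ARN are constructed placeholders; the `guard_denies` helper is a small evaluator written here to show how the two condition operators in the deny statement behave (it is not an AWS API).

```python
import fnmatch
import json

# Constructed placeholder values (not from the notes or any real account).
LOG_BUCKET = "example-s3-access-logs"
SOURCE_BUCKET = "example-app-bucket"
SOURCE_ACCOUNT = "111122223333"
AUDIT_PRINCIPALS = ["arn:aws:iam::111122223333:role/SecurityAuditRole"]


def build_logging_bucket_policy(log_bucket, source_bucket, source_account, audit_principals):
    """Return the bucket policy for the log bucket as a dict.

    Statement 1: let the S3 logging service (logging.s3.amazonaws.com) write
    log objects, scoped to one source bucket and one account so another
    account's bucket cannot spray logs into ours.
    Statement 2: deny all S3 actions to anyone who is neither an AWS service
    nor on the audit allow-list, so only security/audit can read the logs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowS3LogDelivery",
                "Effect": "Allow",
                "Principal": {"Service": "logging.s3.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{log_bucket}/*",
                "Condition": {
                    "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{source_bucket}"},
                    "StringEquals": {"aws:SourceAccount": source_account},
                },
            },
            {
                "Sid": "DenyAllExceptAudit",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{log_bucket}", f"arn:aws:s3:::{log_bucket}/*"],
                "Condition": {
                    "StringNotLike": {"aws:PrincipalArn": list(audit_principals)},
                    "Bool": {"aws:PrincipalIsAWSService": "false"},
                },
            },
        ],
    }


def guard_denies(policy, principal_arn, is_aws_service=False):
    """Evaluate only the DenyAllExceptAudit statement for one caller.

    Mirrors IAM semantics for the operators used: every condition block must
    hold for the Deny to apply; StringNotLike holds when no pattern matches,
    and a missing aws:PrincipalArn (service principals) counts as a match
    for the negated operator; the Bool block holds only for non-service callers.
    """
    stmt = next(s for s in policy["Statement"] if s["Sid"] == "DenyAllExceptAudit")
    cond = stmt["Condition"]
    patterns = cond["StringNotLike"]["aws:PrincipalArn"]
    not_on_allowlist = principal_arn is None or not any(
        fnmatch.fnmatchcase(principal_arn, p) for p in patterns
    )
    not_a_service = str(is_aws_service).lower() == cond["Bool"]["aws:PrincipalIsAWSService"]
    return not_on_allowlist and not_a_service


if __name__ == "__main__":
    policy = build_logging_bucket_policy(LOG_BUCKET, SOURCE_BUCKET, SOURCE_ACCOUNT, AUDIT_PRINCIPALS)
    print(json.dumps(policy, indent=2))
    callers = [
        (AUDIT_PRINCIPALS[0], False),                       # audit role: allowed through
        ("arn:aws:iam::111122223333:user/dev", False),      # ordinary user: denied
        (None, True),                                       # S3 log delivery service: allowed through
    ]
    for arn, svc in callers:
        print(arn, "-> denied" if guard_denies(policy, arn, svc) else "-> not denied by guard")
```

The deny also catches the account's own administrators, which is the point of the note above, so put a break-glass principal on the allow-list before applying it. The WORM setting is a separate bucket feature (Object Lock) and is not part of this policy.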


S3 Access logs are delivered on a best-effort basis:

    • This can result in a delay of a few hours.
    • Never expect S3 logs to be delivered in realtime.


S3 Access logs can be downloaded from the Management Console or CLI.

    • Logs are not written in real-time; they are collected in batches.
    • It may take a few hours for data to be written to the S3 bucket.


Naming of logs

Logs begin with a date stamp and end with a random value.

Logs are in text format but do not have an extension on them.
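A parser for S3 server access log records and log object names, added here as an example and not taken from the notes. It tokenizes the space-delimited records (the time is bracketed; request URI, referer and user agent are quoted), recovers the delivery timestamp from the date-stamped object name described above, and rolls the records up into the counts a defender looks at first: 403s per source IP, anonymous requests and deletes. The four log lines are constructed for this example; the bucket, account and request ids in them are placeholders.

```python
import re
from collections import Counter
from datetime import datetime

# Column order of an S3 server access log record. Newer fields are appended
# at the end, so a record may have fewer tokens than this list.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "auth_type", "host_header", "tls_version",
]

# Log object names: <prefix>YYYY-mm-DD-HH-MM-SS-<unique hex string>
LOG_NAME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})-([0-9A-Fa-f]+)$")

# Constructed sample records (placeholder owner id, bucket and request ids).
SAMPLE_LOG = [
    '8d1cexampleowner0123456789abcdef audit-source-bucket [12/Mar/2024:10:15:02 +0000] 198.51.100.7 - 3E57427F3EXAMPLE REST.GET.OBJECT secrets/config.json "GET /secrets/config.json HTTP/1.1" 403 AccessDenied - 1024 12 - "-" "curl/8.0.1" - ExampleHostId= - - - audit-source-bucket.s3.us-east-1.amazonaws.com TLSv1.2',
    '8d1cexampleowner0123456789abcdef audit-source-bucket [12/Mar/2024:10:16:40 +0000] 203.0.113.10 arn:aws:sts::111122223333:assumed-role/SecurityAuditRole/s1 7B4A0FABBEXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 5120 5120 30 28 "-" "aws-cli/2.15.0" - ExampleHostId= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader audit-source-bucket.s3.us-east-1.amazonaws.com TLSv1.2',
    '8d1cexampleowner0123456789abcdef audit-source-bucket [12/Mar/2024:10:15:09 +0000] 198.51.100.7 - 9C0A11D2FEXAMPLE REST.GET.OBJECT secrets/.env "GET /secrets/.env HTTP/1.1" 403 AccessDenied - - 11 - "-" "curl/8.0.1" - ExampleHostId= - - - audit-source-bucket.s3.us-east-1.amazonaws.com TLSv1.2',
    '8d1cexampleowner0123456789abcdef audit-source-bucket [12/Mar/2024:10:20:13 +0000] 203.0.113.55 arn:aws:iam::111122223333:user/alice DFC1B8C3AEXAMPLE REST.DELETE.OBJECT reports/old.csv "DELETE /reports/old.csv HTTP/1.1" 204 - - 2048 9 - "-" "aws-cli/2.15.0" - ExampleHostId= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader audit-source-bucket.s3.us-east-1.amazonaws.com TLSv1.2',
]


def tokenize(line):
    """Split a record on spaces while keeping [...] and "..." groups intact."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        ch = line[i]
        if ch == " ":
            i += 1
        elif ch in '["':
            close = "]" if ch == "[" else '"'
            j = line.index(close, i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_record(line):
    """Map one log line onto FIELDS; absent trailing fields become '-'."""
    tokens = tokenize(line.rstrip("\n"))
    tokens += ["-"] * (len(FIELDS) - len(tokens))
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def log_object_timestamp(key, prefix=""):
    """Recover the (UTC) delivery timestamp embedded in a log object's key."""
    if not key.startswith(prefix):
        raise ValueError("key does not start with the expected prefix")
    m = LOG_NAME_RE.match(key[len(prefix):])
    if m is None:
        raise ValueError("not an S3 access log object name")
    return datetime.strptime(m.group(1), "%Y-%m-%d-%H-%M-%S")


def summarize(lines):
    """Roll-up for triage: 403s per source IP, anonymous requests, deletes."""
    denied = Counter()
    anonymous = deletes = total = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        total += 1
        if rec["http_status"] == "403":
            denied[rec["remote_ip"]] += 1
        if rec["requester"] == "-":          # unauthenticated (anonymous) caller
            anonymous += 1
        if rec["operation"].startswith("REST.DELETE."):
            deletes += 1
    return {"records": total, "denied_by_ip": dict(denied),
            "anonymous_requests": anonymous, "deletes": deletes}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(log_object_timestamp("logs/2024-03-12-10-20-00-A1B2C3D4E5F6A7B8", "logs/"))
```

Because delivery is best-effort and batched, the timestamp in the object name is when the batch was written, not when the requests happened; always sort and alert on the bracketed per-record time instead.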

S3 Object Level logging

This integrates with AWS CloudTrail data events.

  • Remember: CloudTrail tracks the API requests that are made.


When S3 object logging is enabled, it must be associated with a CloudTrail Trail.

VPC Flow and Traffic Monitoring

Flow logs allow the capture of network traffic on interfaces assigned to resources.


Flow logs can be configured for:

    • A VPC
    • A Subnet of A VPC
    • A Network interface from:
      • EC2
      • Elastic Load Balancer (ELB)
      • Amazon RDS
      • ElastiCache
      • Redshift
      • WorkSpaces
      • NAT Gateways
      • Transit Gateway



Flow logs:

    • Troubleshoot network issues.
    • Identify Security threats.


Flow logs can be saved to an S3 bucket.


When creating a flow log, you will be prompted for three things:

    • What you need to monitor.
    • Type of traffic to collect - Rejected / Accepted / All
    • Where to publish - S3 bucket or CloudWatch log stream
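A parser for default-format VPC flow log records with a small detection step, added as an example and not part of the notes. It handles the NODATA/SKIPDATA records (whose traffic fields are `-`), collects the destination ports on which each source address was REJECTed, and flags sources hitting many distinct ports in the window, which is the "identify security threats" use case above. The records, account id and interface id are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Field order of a default-format (version 2) VPC flow log record.
FLOW_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action",
    "log_status",
]

# Constructed sample records (placeholder account id and ENI id).
SAMPLE_FLOW_LOG = [
    "2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.25 51234 22 6 1 60 1710238502 1710238561 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.25 51235 23 6 1 60 1710238502 1710238561 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.25 51236 3389 6 1 60 1710238503 1710238561 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.9 10.0.1.25 51237 445 6 1 60 1710238503 1710238561 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.4 10.0.1.25 40002 443 6 12 5400 1710238510 1710238570 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.4 10.0.1.25 40003 8080 6 1 60 1710238511 1710238570 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60718 - - - - - - - 1710238520 1710238580 - NODATA",
]


def parse_flow_record(line):
    """Parse one record; numeric fields become int, '-' placeholders become None."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"expected {len(FLOW_FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FLOW_FIELDS, parts))
    for f in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[f] = None if rec[f] == "-" else int(rec[f])
    for f in ("srcaddr", "dstaddr", "action"):
        rec[f] = None if rec[f] == "-" else rec[f]
    # start/end are Unix epoch seconds (UTC) of the aggregation window.
    rec["start"] = datetime.fromtimestamp(int(rec["start"]), tz=timezone.utc)
    rec["end"] = datetime.fromtimestamp(int(rec["end"]), tz=timezone.utc)
    return rec


def reject_summary(lines):
    """Map each source address to the sorted destination ports it was REJECTed on."""
    ports = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue                      # skip NODATA/SKIPDATA and accepted flows
        ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items()}


def suspicious_sources(lines, min_distinct_ports=3):
    """Sources rejected on at least N distinct ports: a cheap scan/probe indicator."""
    return sorted(src for src, p in reject_summary(lines).items()
                  if len(p) >= min_distinct_ports)


if __name__ == "__main__":
    print(reject_summary(SAMPLE_FLOW_LOG))
    print(suspicious_sources(SAMPLE_FLOW_LOG))
```

This check only works if the flow log was created with the traffic type set to Rejected or All; a flow log filtered to Accepted only never contains the REJECT records it depends on.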


S3 Bucket vs CloudWatch Logs

For storing data over a long period, S3 is better.

    • May need to store logs for years at a time.
    • 11 9s of availability.
    • Low cost
    • Ability to use life cycle policies.
    • S3 works well for large quantities of files.


CloudWatch Logs

    • Much easier to configure.
    • Automatic grouping by day, week, month, or year.
    • Storage of CloudWatch logs can be expensive.
    • CloudWatch has a native search.
    • Search is not useful for large queries.