{"id":413,"date":"2022-02-10T02:14:31","date_gmt":"2022-02-10T02:14:31","guid":{"rendered":"https:\/\/192.168.1.3\/wordpress\/?p=413"},"modified":"2026-01-22T16:11:58","modified_gmt":"2026-01-22T08:11:58","slug":"aws-solution-architect-associate-saac02-review-material-monitoring-and-auditing","status":"publish","type":"post","link":"https:\/\/mylinuxsite.com\/wordpress\/?p=413","title":{"rendered":"AWS Solution Architect Associate (SAAC02) Review Material \u2013 Monitoring and Auditing"},"content":{"rendered":"\n<!--more Continue reading-->\n\n\n\n<h4 class=\"wp-block-heading\"><strong>CloudWatch<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>General<\/strong>\n<ul class=\"wp-block-list\">\n<li>CloudWatch provides the following:\n<ol class=\"wp-block-list\">\n<li>Logs<\/li>\n\n\n\n<li>Metrics<\/li>\n\n\n\n<li>Alarms<\/li>\n\n\n\n<li>Events<\/li>\n\n\n\n<li>X-Ray Traces<\/li>\n\n\n\n<li>Insights<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Logs<\/strong>\n<ul class=\"wp-block-list\">\n<li>Enables users to centralize logs from all of your systems, applications, and AWS services.<\/li>\n\n\n\n<li>Features:\n<ul class=\"wp-block-list\">\n<li>Can use <strong>Insights<\/strong> to query and analyze log data<\/li>\n\n\n\n<li><strong>Can create Metrics from logs<\/strong><\/li>\n\n\n\n<li>Monitor logs from EC2<\/li>\n\n\n\n<li>Capture CloudTrail logs and use them to create alarms<\/li>\n\n\n\n<li>Has log retention and archiving<\/li>\n\n\n\n<li>Capture Route53 DNS requests<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Logs have:\n<ul class=\"wp-block-list\">\n<li><strong>Log Groups<\/strong> &#8211; a grouping of Log Streams<\/li>\n\n\n\n<li><strong>Log Streams<\/strong> &#8211; the sequence of log events from the same source (e.g. 
1 Lambda execution will result in 1 Log Stream)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Log Sources:\n<ol class=\"wp-block-list\">\n<li>SDK<\/li>\n\n\n\n<li><strong>CloudWatch Agent\/CloudWatch Unified Agent<\/strong>\n<ul class=\"wp-block-list\">\n<li>The agent allows you to collect <strong>system-level metrics<\/strong> from an <strong>EC2 instance or on-prem server<\/strong><\/li>\n\n\n\n<li>Retrieve <strong>custom metrics from your applications or services<\/strong> using the\u00a0<code>StatsD<\/code>\u00a0and\u00a0<code>collectd<\/code>\u00a0protocols.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Route 53<\/li>\n\n\n\n<li>CloudTrail<\/li>\n\n\n\n<li>Elastic Beanstalk<\/li>\n\n\n\n<li>API Gateway<\/li>\n\n\n\n<li>VPC Flow Logs<\/li>\n\n\n\n<li>ECS<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Logs can be copied to S3 using the <strong>Export<\/strong> feature. This can take up to 12 hours.<\/li>\n\n\n\n<li>Streamed using a <strong>Subscription Filter<\/strong> to:\n<ol class=\"wp-block-list\">\n<li>Kinesis Data Firehose<\/li>\n\n\n\n<li>Kinesis Data Streams<\/li>\n\n\n\n<li>Lambda<\/li>\n\n\n\n<li>OpenSearch (formerly Elasticsearch)<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Metrics<\/strong>\n<ul class=\"wp-block-list\">\n<li>CloudWatch collects a number of metrics by default for billing and AWS services.<\/li>\n\n\n\n<li>The metrics collected vary from service to service.<\/li>\n\n\n\n<li>Metrics have:\n<ul class=\"wp-block-list\">\n<li>Namespace &#8211; a container for CloudWatch metrics<\/li>\n\n\n\n<li>Metric &#8211; represents a time-ordered set of data points<\/li>\n\n\n\n<li>Timestamp<\/li>\n\n\n\n<li>Retention<\/li>\n\n\n\n<li>Dimension &#8211; a name\/value pair that is part of the identity of a metric. 
You can assign up to 10 dimensions to a metric.<\/li>\n\n\n\n<li>Resolution &#8211; can be <span style=\"color:#a30000\" class=\"has-inline-color\">Standard<\/span> (1-minute granularity) or <span style=\"color:#a30000\" class=\"has-inline-color\">High<\/span> (1-second granularity)<\/li>\n\n\n\n<li>Statistics &#8211; metric data aggregations over specified periods of time<\/li>\n\n\n\n<li>Period &#8211; the length of time associated with a specific Amazon CloudWatch statistic. Periods are defined in numbers of seconds, and valid values for the period are 1, 5, 10, 30, or any multiple of 60<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Can create <strong>Custom Metrics<\/strong> using the SDK or CLI\n<ul class=\"wp-block-list\">\n<li>EC2 memory usage must be monitored from inside the instance, hence the need for a Custom Metric.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>AWS provides EC2 metrics every <strong>5 minutes for free<\/strong>, but you can switch to <em>detailed monitoring (every 1 minute) at a cost.<\/em> You may want to do this if you need alarms to trigger sooner.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Alarms<\/strong>\n<ul class=\"wp-block-list\">\n<li>Used to trigger an action based on Metrics<\/li>\n\n\n\n<li><strong>Conditions<\/strong> are applied on the <em>Metric<\/em>'s <span style=\"color:#a30000\" class=\"has-inline-color\">Statistic &amp; Period<\/span> to decide the <em>State<\/em> of the Alarm. 
<\/li>\n\n\n\n<li>The <strong>State<\/strong> of the Alarm decides whether the action is performed.\n<ul class=\"wp-block-list\">\n<li>Has 3 States:\n<ol class=\"wp-block-list\">\n<li><span class=\"has-inline-color has-ast-global-color-0-color\">OK<\/span><\/li>\n\n\n\n<li>IN ALARM<\/li>\n\n\n\n<li>INSUFFICIENT DATA<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Actions that can be performed include:\n<ol class=\"wp-block-list\">\n<li>ASG &#8211; Auto Scaling<\/li>\n\n\n\n<li>EC2 Actions:\n<ul class=\"wp-block-list\">\n<li>Terminate<\/li>\n\n\n\n<li>Reboot<\/li>\n\n\n\n<li>Stop<\/li>\n\n\n\n<li>Recover (same Private IP, Placement Group, Elastic IP)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Send an SNS notification<\/li>\n\n\n\n<li>Send to EventBridge<\/li>\n\n\n\n<li>Create an incident or OpsItem in Systems Manager (only from the IN ALARM state)<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Event<\/strong>\n<ul class=\"wp-block-list\">\n<li>See <em>EventBridge<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>EventBridge (CloudWatch Events)<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A serverless <strong>event bus service<\/strong> that makes it easy to connect your applications with data from a variety of sources.<\/li>\n\n\n\n<li>Delivers a stream of real-time data from your own applications, software-as-a-service (SaaS) applications, and AWS services and routes that data to targets such as AWS Lambda.<\/li>\n\n\n\n<li><strong>CloudWatch Events<\/strong> uses the same underlying service and API as EventBridge but has less functionality than EventBridge<\/li>\n\n\n\n<li>3 types of EventBridge <strong>Bus<\/strong>\n<ol class=\"wp-block-list\">\n<li><strong>Default<\/strong> &#8211; used by CloudWatch<\/li>\n\n\n\n<li><strong>Partner<\/strong> &#8211; used by SaaS (e.g. 
Datadog, Zendesk)<\/li>\n\n\n\n<li><strong>Custom<\/strong> &#8211; used by your own applications<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li><strong>Rules<\/strong>\n<ul class=\"wp-block-list\">\n<li>match incoming events and route them to <strong>Targets<\/strong> for processing<\/li>\n\n\n\n<li><strong>Targets<\/strong> can include Amazon EC2 instances, AWS Lambda functions, Kinesis streams, Amazon ECS tasks, Step Functions state machines, Amazon SNS topics, Amazon SQS queues, and built-in targets<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Event Replay<\/strong> allows reprocessing of past events back to an event bus or a specific EventBridge rule.<\/li>\n\n\n\n<li><strong>Schema Registry<\/strong>:\n<ul class=\"wp-block-list\">\n<li>stores event schemas in a registry that other developers can easily search and access<\/li>\n\n\n\n<li>can be used to generate code<\/li>\n\n\n\n<li>a schema defines the structure of the event message<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>CloudTrail<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An AWS service that helps you enable <em>governance<\/em>, <em>compliance<\/em>, and <em>operational and risk auditing<\/em> of your AWS account.<\/li>\n\n\n\n<li>Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.<\/li>\n\n\n\n<li>Events include actions taken in the <span style=\"color:#a30000\" class=\"has-inline-color\">AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs<\/span>.<\/li>\n\n\n\n<li>Events are either <strong>Read<\/strong> (don&#8217;t modify resources) or <strong>Write<\/strong> (modify resources)<\/li>\n\n\n\n<li>Events are kept for <strong>90 days<\/strong>. 
If longer retention is required, the events have to be copied to S3.<\/li>\n\n\n\n<li>3 Types of Events:\n<ol class=\"wp-block-list\">\n<li>Management\n<ul class=\"wp-block-list\">\n<li>information about management operations that are performed on resources in your AWS account, or <strong><em>control plane operations<\/em><\/strong><\/li>\n\n\n\n<li>enabled by default<\/li>\n\n\n\n<li>can separate Read Events from Write Events<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Data\n<ul class=\"wp-block-list\">\n<li>information about the resource operations performed on or in a resource, or\u00a0<em><strong>data plane operations<\/strong><\/em><\/li>\n\n\n\n<li>not enabled by default<\/li>\n\n\n\n<li>high volume<\/li>\n\n\n\n<li>sources can be S3, Lambda or DynamoDB<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Insights\n<ul class=\"wp-block-list\">\n<li>capture unusual API call rate or error rate activity in your AWS account.<\/li>\n\n\n\n<li>Insights events are logged to a different folder or prefix in the destination S3 bucket for your trail<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li><strong>CloudTrail <span style=\"color:#a30900\" class=\"has-inline-color\">Trail<\/span><\/strong>\n<ul class=\"wp-block-list\">\n<li>enables delivery of events to an Amazon S3 bucket or to CloudWatch Logs<\/li>\n\n\n\n<li>2 types of Trails:\n<ol class=\"wp-block-list\">\n<li>Applies to <strong>all regions<\/strong>.<\/li>\n\n\n\n<li>Applies to <strong>one region<\/strong>.<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Events copied to S3 can be analyzed\/viewed with <em>Athena<\/em><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Config<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A service that enables you to assess, audit, and evaluate the configurations of your AWS resources. 
<\/li>\n\n\n\n<li>Config <em>continuously monitors and records your AWS resource configurations<\/em> and allows you to automate the evaluation of recorded configurations against desired configurations<\/li>\n\n\n\n<li>The UI provides a timeline of changes.<\/li>\n\n\n\n<li><strong>Rules<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>represent desired configurations<\/strong> for a resource and are evaluated against configuration changes on the relevant resources, as recorded by AWS Config<\/li>\n\n\n\n<li>do not enforce compliance, only record it.<\/li>\n\n\n\n<li>can evaluate <em>on each change or at a desired interval<\/em><\/li>\n\n\n\n<li>can be <strong>AWS Managed Rules<\/strong> or <strong>Custom Rules<\/strong> (<span style=\"color:#a30000\" class=\"has-inline-color\">via a Lambda function<\/span>)<\/li>\n\n\n\n<li>can show:\n<ul class=\"wp-block-list\">\n<li>resource compliance<\/li>\n\n\n\n<li>configuration changes<\/li>\n\n\n\n<li>a link to CloudTrail to view the API calls made for the resource<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Can integrate with SSM Automation for compliance remediation. Retry is allowed 5 times.<\/li>\n\n\n\n<li>Can integrate with EventBridge or SNS for notifications<\/li>\n\n\n\n<li>Per-region service, i.e. it needs to be set up in each region and 
setup cannot be done from a central location, but information can be aggregated into a central &#8216;Aggregator&#8217; account<\/li>\n\n\n\n<li><strong>Aggregator<\/strong>:\n<ul class=\"wp-block-list\">\n<li>The &#8216;aggregator&#8217; account will have the aggregator enabled.<\/li>\n\n\n\n<li>Aggregates rules across multiple accounts<\/li>\n\n\n\n<li>Needs authorization if the account is not part of an AWS Organization<\/li>\n\n\n\n<li>Cannot be used to manage rules.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[11],"tags":[],"class_list":["post-413","post","type-post","status-publish","format-standard","hentry","category-aws-review-notes"],"_links":{"self":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=413"}],"version-history":[{"count":34,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/413\/revisions"}],"predecessor-version":[{"id":1915,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/413\/revisions\/1915"}],"wp:attachment":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}