CramSaver
If you can correctly answer these questions before going through this section, save time by completing the Cram Quiz at the end of the section.
1. What information is captured in a CloudTrail log?
2. What is the default retention of the default CloudTrail trail?
Answers
1. Answer: CloudTrail logs record information about who requested the action, where the request originated from, when it was requested, what was requested, and the full response.
2. Answer: The default CloudTrail trail tracks events for the past 90 days.
The AWS CloudTrail service performs continuous monitoring of the actions being performed against the AWS API, by creating an auditable log of all requests. By default, your newly created account has a 90-day CloudTrail trail created and enabled to capture all actions against the AWS APIs. If you are required to trail specific services with a longer retention, you can create a custom CloudTrail trail in which you can include the services to monitor, types of actions to record, and the retention period. Note that not all AWS services support full CloudTrail integration, but most do. You can also configure CloudWatch Alarms for CloudTrail events and thus forward information on any critical CloudWatch events to a notification email, text message, or another service that will perform remediation.
CloudTrail logs record information that helps you establish the following:
Who requested the action?
Where did the request originate from and when?
What was requested?
The full API response
Figure 2.3 shows a CloudTrail log with the formatting of the aforementioned information.
FIGURE 2.3 CloudTrail log
You can designate a specific S3 location to store the logs that can belong to your account or another account. This allows you to configure a trail to a centralized logging account to ensure the data is stored in accordance with the strictest compliance standards and guidelines. CloudTrail also enforces automatic encryption at rest and in transit by default and is configurable with a custom KMS key for even more control over key management. CloudTrail log file integrity validation can also be enabled. This creates MD5 hashes of files delivered to S3 and stores them in a hash file. The hashes can then be compared and the integrity of the logs verified.
Cram Quiz
Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.
1. Due to a recent security incident where several EC2 instances were terminated by a rogue employee, your CISO has tasked you with ensuring all destructive requests against the EC2 service are logged and maintained for a long period of time. You also need to ensure the logs are stored securely in a centralized S3 bucket. Your CISO is also worried about tampering with the logs and would like to prevent that. You have chosen to use CloudTrail as the service to provide this feature. How would you configure CloudTrail to comply with the requirements?
A. Configure a new CloudTrail trail. Select EC2 as the service and WRITE as API for the activity. Point the trail to the default S3 location. CloudTrail ensures all EC2 actions use integrity validation on the default S3 bucket.
B. Configure a new CloudTrail trail. Select EC2 as the service and WRITE as API for the activity. Point the trail to the default S3 location. Enable integrity validation on the trail.
C. Configure a new CloudTrail trail. Select EC2 as the service and WRITE as API for the activity. Point the trail to the designated central S3 location. Enable integrity validation on the trail.
D. Set the default CloudTrail. CloudTrail ensures all default actions use integrity validation by default.
2. Which service would you use to notify a security response team of a critical CloudTrail event?
A. CloudWatch Logs Insights
B. CloudWatch Alarms
C. CloudTrail Notifications
D. CloudTrail Alarms
1. Answer: C is correct. You need to configure a new CloudTrail trail and capture all WRITE API operations. You also need to point the trail to the designated central bucket and enable integrity validation on the trail.
2. Answer: B is correct. CloudTrail can be integrated with CloudWatch Alarms that can be triggered when an event or a specific pattern of events is captured by CloudTrail.
If you want more practice on this chapter’s exam objectives before you move on, remember that you can access all of the Cram Quiz questions on the Pearson Test Prep software online. You can also create a custom exam by objective with the Online Practice Test. Note any objective you struggle with and go to that objective’s material in this chapter.
Acedexam Training Policies
Learning resources
Other resources
Our Training Providers
